12013-10-13 Anders Carlsson <andersca@apple.com> 2 3 Try to fix the Lion build. 4 5 * Configurations/JavaScriptCore.xcconfig: 6 72013-10-12 Alexey Proskuryakov <ap@apple.com> 8 9 Add a feature define for SubtleCrypto 10 https://bugs.webkit.org/show_bug.cgi?id=122683 11 12 Reviewed by Anders Carlsson. 13 14 * Configurations/FeatureDefines.xcconfig: 15 162013-10-12 Julien Brianceau <jbriance@cisco.com> 17 18 Fix potential register trampling in JIT since r157313. 19 https://bugs.webkit.org/show_bug.cgi?id=122691 20 21 Reviewed by Michael Saboff. 22 23 * jit/CCallHelpers.h: 24 (JSC::CCallHelpers::setupArgumentsWithExecState): 25 262013-10-12 Julien Brianceau <jbriance@cisco.com> 27 28 [sh4] Add missing spaces in JITStubsSH4.h 29 https://bugs.webkit.org/show_bug.cgi?id=122690 30 31 Reviewed by Andreas Kling. 32 33 * jit/JITStubsSH4.h: Space between string concatenation is mandatory with C++11 34 352013-10-12 Julien Brianceau <jbriance@cisco.com> 36 37 [sh4] Add missing test32 implementation in macro assembler. 38 https://bugs.webkit.org/show_bug.cgi?id=122689 39 40 Reviewed by Andreas Kling. 41 42 * assembler/MacroAssemblerSH4.h: 43 (JSC::MacroAssemblerSH4::test32): 44 452013-10-11 Darin Adler <darin@apple.com> 46 47 Change most call sites to call ICU directly instead of through WTF::Unicode 48 https://bugs.webkit.org/show_bug.cgi?id=122635 49 50 Reviewed by Alexey Proskuryakov. 51 52 * parser/Lexer.cpp: 53 (JSC::isNonLatin1IdentStart): Take a UChar since that's what the only caller wants to pass. 54 Use U_GET_GC_MASK instead of WTF::Unicode::category. 55 (JSC::isNonLatin1IdentPart): Ditto. 56 57 * parser/Lexer.h: 58 (JSC::Lexer::isWhiteSpace): Use u_charType instead of WTF::Unicode::isSeparatorSpace. 59 60 * runtime/JSFunction.cpp: Removed "using namespace" for WTF::Unicode, this will no longer 61 compile since this doesn't include anything that defines that namespace. 62 63 * runtime/JSGlobalObjectFunctions.cpp: 64 (JSC::isStrWhiteSpace): Use u_charType instead of WTF::Unicode::isSeparatorSpace. 65 66 * yarr/YarrInterpreter.cpp: 67 (JSC::Yarr::ByteCompiler::atomPatternCharacter): Use u_tolower and u_toupper instead of 68 Unicode::toLower and Unicode::toUpper. Also added some assertions since this code assumes 69 it can convert any UChar to lowercase or uppercase in another UChar, with no risk of needing 70 a UChar32 for the result. I guess that's probably true, but it would be good to know in a 71 debug build if not. 72 732013-10-11 Nadav Rotem <nrotem@apple.com> 74 75 DFG: Add JIT support for LogicalNot(String/StringIdent) 76 https://bugs.webkit.org/show_bug.cgi?id=122627 77 78 Reviewed by Filip Pizlo. 79 80 * dfg/DFGAbstractInterpreterInlines.h: 81 (JSC::DFG::::executeEffects): 82 * dfg/DFGFixupPhase.cpp: 83 (JSC::DFG::FixupPhase::fixupNode): 84 * dfg/DFGSpeculativeJIT.cpp: 85 (JSC::DFG::SpeculativeJIT::compileStringZeroLength): 86 * dfg/DFGSpeculativeJIT.h: 87 * dfg/DFGSpeculativeJIT32_64.cpp: 88 (JSC::DFG::SpeculativeJIT::compileLogicalNot): 89 * dfg/DFGSpeculativeJIT64.cpp: 90 (JSC::DFG::SpeculativeJIT::compileLogicalNot): 91 922013-10-11 Filip Pizlo <fpizlo@apple.com> 93 94 sunspider-1.0/math-spectral-norm.js.dfg-eager occasionally fails with Trap 5 (i.e int $3) 95 https://bugs.webkit.org/show_bug.cgi?id=122462 96 97 Reviewed by Mark Hahnenberg. 98 99 This fixes two bugs, both of which led to GetByVal on Int32 trapping because the 100 array no longer had Int32 shape but the check wasn't executed: 101 102 1) We weren't snapshotting the structures of mustHandleValues. This led to an awesome 103 race where if a mustHandleValue JSValue's structure changed on the main thread 104 between runs of the AI, the AI would contradict each other and things would just 105 get corrupted in funny ways. 106 107 2) The constant folder has a long standing bug! It will fold a node to a constant if 108 the AI proved it to be a constant. But it's possible that the original node also 109 proved things about the constant's structure. In that case "folding" to a 110 JSConstant actually loses information since JSConstant doesn't guarantee anything 111 about a constant's structure. There are various things we could do here to ensure 112 that a folded constant's structure doesn't change, and that if it does, we 113 deoptimize the code. But for now we can just make this sound by disabling folding 114 in this pathological case. 115 116 * dfg/DFGConstantFoldingPhase.cpp: 117 (JSC::DFG::ConstantFoldingPhase::foldConstants): 118 * dfg/DFGGraph.cpp: 119 (JSC::DFG::Graph::Graph): 120 * dfg/DFGGraph.h: 121 * dfg/DFGInPlaceAbstractState.cpp: 122 (JSC::DFG::InPlaceAbstractState::initialize): 123 1242013-10-11 Filip Pizlo <fpizlo@apple.com> 125 126 Fix handling of indirect stackmap locations in FTL OSR exit 127 https://bugs.webkit.org/show_bug.cgi?id=122666 128 129 Reviewed by Mark Hahnenberg. 130 131 With this change, the llvm.webkit.stackmap-based OSR exit only fails one test, down from 132 five tests previously. 133 134 * ftl/FTLLocation.cpp: 135 (JSC::FTL::Location::gpr): It's OK to call this method when kind() == Indirect, so asserting that isGPR() is wrong; change to assert that involvesGPR(). 136 (JSC::FTL::Location::restoreInto): Stack-related registers aren't saved to the scratch buffer, so use them directly. 137 * ftl/FTLLocation.h: Add comment about requirements for stack layout. 138 * ftl/FTLOSRExitCompiler.cpp: 139 (JSC::FTL::compileStubWithOSRExitStackmap): Make enough room on the stack so that saveAllRegisters() has a scratchpad to save things to. Without this, saveAllRegisters() may clobber a spilled value. 140 1412013-10-11 Commit Queue <commit-queue@webkit.org> 142 143 Unreviewed, rolling out r157307. 144 http://trac.webkit.org/changeset/157307 145 https://bugs.webkit.org/show_bug.cgi?id=122671 146 147 Many assertion failures (Requested by ap on #webkit). 148 149 * jit/ThunkGenerators.cpp: 150 (JSC::arrayIteratorNextThunkGenerator): 151 * jit/ThunkGenerators.h: 152 * runtime/ArrayIteratorPrototype.cpp: 153 (JSC::ArrayIteratorPrototype::finishCreation): 154 (JSC::createIteratorResult): 155 (JSC::arrayIteratorPrototypeNext): 156 * runtime/Intrinsic.h: 157 * runtime/JSArrayIterator.cpp: 158 (JSC::JSArrayIterator::finishCreation): 159 * runtime/VM.cpp: 160 (JSC::thunkGeneratorForIntrinsic): 161 1622013-10-11 Mark Lam <mark.lam@apple.com> 163 164 Transition op_new_* JITStubs to JIT operations. 165 https://bugs.webkit.org/show_bug.cgi?id=122460. 166 167 Reviewed by Michael Saboff. 168 169 Also: 170 - Removed the redundant operationNewFunctionExpression(). It is identical to 171 operationNewFunctionNoCheck(). 172 - Sorted JIT operation signature keys in the comment in JITOperations.h. 173 - Removed the unused returnValue2Register definition for X86_64. 174 175 * dfg/DFGOperations.cpp: 176 * dfg/DFGOperations.h: 177 * dfg/DFGSpeculativeJIT.cpp: 178 (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): 179 * jit/CCallHelpers.h: 180 (JSC::CCallHelpers::setupArgumentsWithExecState): 181 * jit/JIT.h: 182 * jit/JITInlines.h: 183 (JSC::JIT::callOperation): 184 * jit/JITOpcodes.cpp: 185 (JSC::JIT::emitSlow_op_new_object): 186 (JSC::JIT::emit_op_new_func): 187 (JSC::JIT::emit_op_new_func_exp): 188 (JSC::JIT::emit_op_new_array): 189 (JSC::JIT::emit_op_new_array_with_size): 190 (JSC::JIT::emit_op_new_array_buffer): 191 * jit/JITOpcodes32_64.cpp: 192 (JSC::JIT::emitSlow_op_new_object): 193 * jit/JITOperations.cpp: 194 * jit/JITOperations.h: 195 * jit/JITStubs.cpp: 196 * jit/JITStubs.h: 197 * jit/JSInterfaceJIT.h: 198 1992013-10-11 Oliver Hunt <oliver@apple.com> 200 201 Separate out array iteration intrinsics 202 https://bugs.webkit.org/show_bug.cgi?id=122656 203 204 Reviewed by Michael Saboff. 205 206 Separate out the intrinsics for key and values iteration 207 of arrays. 208 209 This requires moving moving array iteration into the iterator 210 instance, rather than the prototype, but this is essentially 211 unobservable so we'll live with it for now. 212 213 * jit/ThunkGenerators.cpp: 214 (JSC::arrayIteratorNextThunkGenerator): 215 (JSC::arrayIteratorNextKeyThunkGenerator): 216 (JSC::arrayIteratorNextValueThunkGenerator): 217 * jit/ThunkGenerators.h: 218 * runtime/ArrayIteratorPrototype.cpp: 219 (JSC::ArrayIteratorPrototype::finishCreation): 220 * runtime/Intrinsic.h: 221 * runtime/JSArrayIterator.cpp: 222 (JSC::JSArrayIterator::finishCreation): 223 (JSC::createIteratorResult): 224 (JSC::arrayIteratorNext): 225 (JSC::arrayIteratorNextKey): 226 (JSC::arrayIteratorNextValue): 227 (JSC::arrayIteratorNextGeneric): 228 * runtime/VM.cpp: 229 (JSC::thunkGeneratorForIntrinsic): 230 2312013-10-11 Andreas Kling <akling@apple.com> 232 233 Pass VM instead of ExecState to JSGenericTypedArrayViewPrototype. 234 <https://webkit.org/b/122632> 235 236 Reviewed by Sam Weinig. 237 238 This code was only using the ExecState to find the VM. 239 2402013-10-11 Julien Brianceau <jbriance@cisco.com> 241 242 [sh4] Fix build after r157209. 243 https://bugs.webkit.org/show_bug.cgi?id=122643 244 245 Reviewed by Ryosuke Niwa. 246 247 * assembler/MacroAssemblerSH4.h: Add framePointerRegister declaration. 248 * assembler/SH4Assembler.h: Add firstRegister() declaration. 249 (JSC::SH4Assembler::firstRegister): 250 2512013-10-10 Filip Pizlo <fpizlo@apple.com> 252 253 FTL shouldn't pass i1's into llvm.webkit.stackmap's 254 https://bugs.webkit.org/show_bug.cgi?id=122629 255 <rdar://problem/15203037> 256 257 Reviewed by Sam Weinig and Nadav Rotem. 258 259 LLVM's stackmap support requires that we only pass operands with legal types (i.e. types 260 that are hardware-representable). i1, which the FTL previously used for Booleans, is not 261 legal. 262 263 We have two options: either add support in LLVM to legalize stackmap operands, or add 264 support to the FTL to legalize stackmap operands. It's easier to fix this in FTL, and 265 that's what this patch does. 266 267 * ftl/FTLLowerDFGToLLVM.cpp: 268 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): 269 2702013-10-09 Oliver Hunt <oliver@apple.com> 271 272 Further improve ArrayIterator performance 273 https://bugs.webkit.org/show_bug.cgi?id=122575 274 275 Reviewed by Mark Hahnenberg. 276 277 Add an assembly thunk for ArrayIterator.@@next so that we 278 can avoid marshalling costs when iterating arrays. 279 280 * jit/SpecializedThunkJIT.h: 281 (JSC::SpecializedThunkJIT::SpecializedThunkJIT): 282 (JSC::SpecializedThunkJIT::loadSpecificClassArgument): 283 * jit/ThunkGenerators.cpp: 284 (JSC::arrayIteratorNextThunkGenerator): 285 * jit/ThunkGenerators.h: 286 * runtime/ArrayIteratorPrototype.cpp: 287 (JSC::ArrayIteratorPrototype::finishCreation): 288 * runtime/Intrinsic.h: 289 * runtime/JSArrayIterator.h: 290 (JSC::JSArrayIterator::offsetOfIterationKind): 291 (JSC::JSArrayIterator::offsetOfIteratedObject): 292 (JSC::JSArrayIterator::offsetOfNextIndex): 293 * runtime/JSCJSValue.h: 294 (JSC::JSValue::offsetOfPayload): 295 * runtime/JSGlobalObject.cpp: 296 (JSC::JSGlobalObject::reset): 297 * runtime/JSGlobalObject.h: 298 (JSC::JSGlobalObject::iteratorResultStructureOffset): 299 * runtime/VM.cpp: 300 (JSC::thunkGeneratorForIntrinsic): 301 3022013-10-10 Michael Saboff <msaboff@apple.com> 303 304 transition cti_op_* methods returning int to JIT operations. 305 https://bugs.webkit.org/show_bug.cgi?id=122563 306 307 Reviewed by Oliver Hunt. 308 309 Moved serveral operationCompare* functions from DFGOperations to JITOperations as well as changing 310 dfgConvertJSValueToBoolean to operationConvertJSValueToBoolean so that they can be shared with the baseline JIT. 311 Added JITOperation operationHasProperty(). Added needed callOperation helpers and transitioned baseline JIT code 312 to use the new operations. 313 314 * dfg/DFGOperations.cpp: 315 * dfg/DFGOperations.h: 316 * dfg/DFGSpeculativeJIT32_64.cpp: 317 (JSC::DFG::SpeculativeJIT::compileLogicalNot): 318 (JSC::DFG::SpeculativeJIT::emitBranch): 319 * dfg/DFGSpeculativeJIT64.cpp: 320 (JSC::DFG::SpeculativeJIT::compileLogicalNot): 321 (JSC::DFG::SpeculativeJIT::emitBranch): 322 * jit/JIT.h: 323 * jit/JITArithmetic.cpp: 324 (JSC::JIT::emitSlow_op_jless): 325 (JSC::JIT::emitSlow_op_jlesseq): 326 (JSC::JIT::emitSlow_op_jgreater): 327 (JSC::JIT::emitSlow_op_jgreatereq): 328 (JSC::JIT::emitSlow_op_jnless): 329 (JSC::JIT::emitSlow_op_jnlesseq): 330 (JSC::JIT::emitSlow_op_jngreater): 331 (JSC::JIT::emitSlow_op_jngreatereq): 332 (JSC::JIT::emit_compareAndJumpSlow): 333 * jit/JITArithmetic32_64.cpp: 334 (JSC::JIT::emit_compareAndJumpSlow): 335 * jit/JITInlines.h: 336 (JSC::JIT::callOperation): 337 * jit/JITOpcodes.cpp: 338 (JSC::JIT::emit_op_next_pname): 339 (JSC::JIT::emitSlow_op_jfalse): 340 (JSC::JIT::emitSlow_op_jtrue): 341 (JSC::JIT::emitSlow_op_eq): 342 (JSC::JIT::emitSlow_op_neq): 343 * jit/JITOpcodes32_64.cpp: 344 (JSC::JIT::emitSlow_op_jfalse): 345 (JSC::JIT::emitSlow_op_jtrue): 346 (JSC::JIT::emitSlow_op_eq): 347 (JSC::JIT::emitSlow_op_neq): 348 (JSC::JIT::emit_op_next_pname): 349 * jit/JITOperations.cpp: 350 * jit/JITOperations.h: 351 * jit/JITStubs.cpp: 352 * jit/JITStubs.h: 353 3542013-10-10 Filip Pizlo <fpizlo@apple.com> 355 356 OSR exit using llvm.webkit.stackmap should pass more tests 357 https://bugs.webkit.org/show_bug.cgi?id=122518 358 359 Reviewed by Mark Hahnenberg. 360 361 - Make the X86Assembler capable of dealing with all XMM registers. 362 363 - Make the StackMaps code on WebKit's side capable of dealing with XMM registers. 364 365 - Factor out most of the smarts of StackMaps::Location into a self-contained object. 366 Previously you needed both StackMaps::Location and a StackMaps reference to do most 367 things since the Location might have referred to a constant. Now you can just get a 368 self-contained Location object. 369 370 - Fix a bug where OSR exit generation thunk generator was assuming that the call frame 371 register is already in argumentGPR0. In the future, the call frame will just be the 372 machine FP and we won't have to do anything special. But for now the "call frame" is 373 just a normal value in LLVM IR and may end up in any register. Make the OSR exit 374 generation thunk generator polymorphic over the call frame argument's Location. 375 376 - Move the stuff that depends on the polymorphic OSR exit generation thunk generator 377 into the finalizer, since generating and linking one of those thunks requires a cache 378 flush and we need to do that on the main thread. 379 380 * JavaScriptCore.xcodeproj/project.pbxproj: 381 * assembler/ARMv7Assembler.h: 382 (JSC::ARMv7Assembler::firstRegister): 383 (JSC::ARMv7Assembler::lastRegister): 384 (JSC::ARMv7Assembler::firstFPRegister): 385 (JSC::ARMv7Assembler::lastFPRegister): 386 * assembler/AbstractMacroAssembler.h: 387 (JSC::AbstractMacroAssembler::firstFPRegister): 388 (JSC::AbstractMacroAssembler::lastFPRegister): 389 * assembler/MacroAssembler.h: 390 (JSC::MacroAssembler::nextFPRegister): 391 * assembler/MacroAssemblerARMv7.h: 392 * assembler/MacroAssemblerX86Common.h: 393 * assembler/X86Assembler.h: 394 (JSC::X86Assembler::firstFPRegister): 395 (JSC::X86Assembler::lastFPRegister): 396 * dfg/DFGDriver.cpp: 397 (JSC::DFG::compileImpl): 398 * ftl/FTLCompile.cpp: 399 (JSC::FTL::fixFunctionBasedOnStackMaps): 400 * ftl/FTLExitThunkGenerator.cpp: 401 (JSC::FTL::ExitThunkGenerator::emitThunk): 402 (JSC::FTL::ExitThunkGenerator::emitThunks): 403 * ftl/FTLJITFinalizer.cpp: 404 (JSC::FTL::JITFinalizer::finalizeFunction): 405 * ftl/FTLJITFinalizer.h: 406 * ftl/FTLLink.cpp: 407 (JSC::FTL::link): 408 * ftl/FTLLocation.cpp: Added. 409 (JSC::FTL::Location::forStackmaps): 410 (JSC::FTL::Location::dump): 411 (JSC::FTL::Location::involvesGPR): 412 (JSC::FTL::Location::isGPR): 413 (JSC::FTL::Location::gpr): 414 (JSC::FTL::Location::isFPR): 415 (JSC::FTL::Location::fpr): 416 (JSC::FTL::Location::restoreInto): 417 (WTF::printInternal): 418 * ftl/FTLLocation.h: Added. 419 (JSC::FTL::Location::Location): 420 (JSC::FTL::Location::forRegister): 421 (JSC::FTL::Location::forIndirect): 422 (JSC::FTL::Location::forConstant): 423 (JSC::FTL::Location::kind): 424 (JSC::FTL::Location::hasDwarfRegNum): 425 (JSC::FTL::Location::dwarfRegNum): 426 (JSC::FTL::Location::hasOffset): 427 (JSC::FTL::Location::offset): 428 (JSC::FTL::Location::hasConstant): 429 (JSC::FTL::Location::constant): 430 (JSC::FTL::Location::operator!): 431 (JSC::FTL::Location::isHashTableDeletedValue): 432 (JSC::FTL::Location::operator==): 433 (JSC::FTL::Location::hash): 434 (JSC::FTL::LocationHash::hash): 435 (JSC::FTL::LocationHash::equal): 436 * ftl/FTLLowerDFGToLLVM.cpp: 437 (JSC::FTL::LowerDFGToLLVM::appendOSRExit): 438 (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks): 439 * ftl/FTLSaveRestore.cpp: 440 (JSC::FTL::bytesForFPRs): 441 (JSC::FTL::requiredScratchMemorySizeInBytes): 442 (JSC::FTL::offsetOfFPR): 443 (JSC::FTL::saveAllRegisters): 444 (JSC::FTL::restoreAllRegisters): 445 * ftl/FTLSaveRestore.h: 446 * ftl/FTLStackMaps.cpp: 447 (JSC::FTL::StackMaps::Location::restoreInto): 448 * ftl/FTLStackMaps.h: 449 * ftl/FTLState.h: 450 * ftl/FTLThunks.cpp: 451 (JSC::FTL::osrExitGenerationWithoutStackMapThunkGenerator): 452 (JSC::FTL::osrExitGenerationWithStackMapThunkGenerator): 453 * ftl/FTLThunks.h: 454 (JSC::FTL::generateIfNecessary): 455 (JSC::FTL::Thunks::getOSRExitGenerationThunk): 456 * runtime/VM.cpp: 457 (JSC::VM::VM): 458 * runtime/VM.h: 459 4602013-10-09 Filip Pizlo <fpizlo@apple.com> 461 462 FTL: Soft-link LLVM as a workaround for LLVM's static initializers and exit-time destructors 463 https://bugs.webkit.org/show_bug.cgi?id=122566 464 465 Reviewed by Mark Rowe. 466 467 The JSC project now builds a libllvmForJSC.dylib. If FTL is enabled, this 468 gets copied into JavaScriptCore.framework/Versions/A/Libraries. JSC will 469 load the dylib by finding it using NSBundle APIs and then doing dlopen(). 470 That will only happen lazily, when something happens that requires LLVM. 471 472 This mostly takes care of LLVM static initialization overhead by deferring 473 it until it's really needed. 474 475 This takes care of LLVM's exit-time destructors because inside 476 libllvmForJSC.dylib, we override __cxa_atexit. 477 478 * Configurations/JavaScriptCore.xcconfig: 479 * Configurations/LLVMForJSC.xcconfig: Added. 480 * JavaScriptCore.xcodeproj/project.pbxproj: 481 * dfg/DFGPlan.cpp: 482 (JSC::DFG::Plan::compileInThreadImpl): 483 * disassembler/LLVMDisassembler.cpp: 484 (JSC::tryToDisassembleWithLLVM): 485 * ftl/FTLAbbreviatedTypes.h: 486 * ftl/FTLAbbreviations.h: 487 (JSC::FTL::voidType): 488 (JSC::FTL::int1Type): 489 (JSC::FTL::int8Type): 490 (JSC::FTL::int16Type): 491 (JSC::FTL::int32Type): 492 (JSC::FTL::int64Type): 493 (JSC::FTL::intPtrType): 494 (JSC::FTL::floatType): 495 (JSC::FTL::doubleType): 496 (JSC::FTL::pointerType): 497 (JSC::FTL::structType): 498 (JSC::FTL::functionType): 499 (JSC::FTL::typeOf): 500 (JSC::FTL::mdKindID): 501 (JSC::FTL::mdString): 502 (JSC::FTL::mdNode): 503 (JSC::FTL::setMetadata): 504 (JSC::FTL::addFunction): 505 (JSC::FTL::setLinkage): 506 (JSC::FTL::setFunctionCallingConv): 507 (JSC::FTL::getParam): 508 (JSC::FTL::constInt): 509 (JSC::FTL::constReal): 510 (JSC::FTL::constIntToPtr): 511 (JSC::FTL::constBitCast): 512 (JSC::FTL::appendBasicBlock): 513 (JSC::FTL::insertBasicBlock): 514 (JSC::FTL::buildPhi): 515 (JSC::FTL::addIncoming): 516 (JSC::FTL::buildAlloca): 517 (JSC::FTL::buildAdd): 518 (JSC::FTL::buildSub): 519 (JSC::FTL::buildMul): 520 (JSC::FTL::buildDiv): 521 (JSC::FTL::buildRem): 522 (JSC::FTL::buildNeg): 523 (JSC::FTL::buildFAdd): 524 (JSC::FTL::buildFSub): 525 (JSC::FTL::buildFMul): 526 (JSC::FTL::buildFDiv): 527 (JSC::FTL::buildFRem): 528 (JSC::FTL::buildFNeg): 529 (JSC::FTL::buildAnd): 530 (JSC::FTL::buildOr): 531 (JSC::FTL::buildXor): 532 (JSC::FTL::buildShl): 533 (JSC::FTL::buildAShr): 534 (JSC::FTL::buildLShr): 535 (JSC::FTL::buildNot): 536 (JSC::FTL::buildLoad): 537 (JSC::FTL::buildStore): 538 (JSC::FTL::buildSExt): 539 (JSC::FTL::buildZExt): 540 (JSC::FTL::buildFPToSI): 541 (JSC::FTL::buildFPToUI): 542 (JSC::FTL::buildSIToFP): 543 (JSC::FTL::buildUIToFP): 544 (JSC::FTL::buildIntCast): 545 (JSC::FTL::buildFPCast): 546 (JSC::FTL::buildIntToPtr): 547 (JSC::FTL::buildPtrToInt): 548 (JSC::FTL::buildBitCast): 549 (JSC::FTL::buildICmp): 550 (JSC::FTL::buildFCmp): 551 (JSC::FTL::buildCall): 552 (JSC::FTL::setTailCall): 553 (JSC::FTL::buildExtractValue): 554 (JSC::FTL::buildSelect): 555 (JSC::FTL::buildBr): 556 (JSC::FTL::buildCondBr): 557 (JSC::FTL::buildSwitch): 558 (JSC::FTL::addCase): 559 (JSC::FTL::buildRet): 560 (JSC::FTL::buildUnreachable): 561 (JSC::FTL::dumpModule): 562 (JSC::FTL::verifyModule): 563 * ftl/FTLCompile.cpp: 564 (JSC::FTL::compile): 565 * ftl/FTLFail.cpp: 566 (JSC::FTL::fail): 567 * ftl/FTLJITCode.h: 568 * ftl/FTLJITFinalizer.h: 569 * ftl/FTLLink.cpp: 570 * ftl/FTLLowerDFGToLLVM.cpp: 571 (JSC::FTL::LowerDFGToLLVM::lower): 572 * ftl/FTLOutput.cpp: 573 (JSC::FTL::Output::Output): 574 (JSC::FTL::Output::~Output): 575 * ftl/FTLOutput.h: 576 (JSC::FTL::Output::appendTo): 577 * ftl/FTLState.cpp: 578 (JSC::FTL::State::State): 579 (JSC::FTL::State::~State): 580 * ftl/WebKitLLVMLibraryAnchor.cpp: Removed. 581 * jsc.cpp: 582 (jscmain): 583 * llvm: Added. 584 * llvm/InitializeLLVM.cpp: Added. 585 (JSC::initializeLLVM): 586 * llvm/InitializeLLVM.h: Added. 587 * llvm/InitializeLLVMMac.mm: Added. 588 (JSC::initializeLLVMImpl): 589 * llvm/InitializeLLVMPOSIX.cpp: Added. 590 (JSC::initializeLLVMPOSIX): 591 * llvm/InitializeLLVMPOSIX.h: Added. 592 * llvm/LLVMAPI.cpp: Added. 593 * llvm/LLVMAPI.h: Added. 594 * llvm/LLVMAPIFunctions.h: Added. 595 * llvm/LLVMHeaders.h: Added. 596 * llvm/library: Added. 597 * llvm/library/LLVMAnchor.cpp: Added. 598 * llvm/library/LLVMExports.cpp: Added. 599 (initializeAndGetJSCLLVMAPI): 600 * llvm/library/LLVMOverrides.cpp: Added. 601 (__cxa_atexit): 602 * llvm/library/config_llvm.h: Added. 603 * runtime/InitializeThreading.cpp: 604 (JSC::initializeThreadingOnce): 605 * runtime/Options.h: 606 6072013-10-10 Mark Hahnenberg <mhahnenberg@apple.com> 608 609 currentThis and currentArguments crash if called from outside a callback 610 https://bugs.webkit.org/show_bug.cgi?id=122620 611 612 Reviewed by Filip Pizlo. 613 614 The documentation for these methods claims that they will return nil if called 615 from somewhere other than an API callback, but currently they both crash. 616 617 * API/JSContext.mm: 618 (+[JSContext currentThis]): 619 (+[JSContext currentArguments]): 620 * API/tests/testapi.mm: 621 6222013-10-10 Filip Pizlo <fpizlo@apple.com> 623 624 Minor clean-ups in the JSC Xcode project. 625 626 Rubber stamped by Mark Rowe. 627 628 - When we copy the jsc binary into the framework, 629 $(BUILT_PRODUCTS_DIR)/JavaScriptCore.framework/Resources/jsc is the *output* file not 630 the input file. The input file is $(BUILT_PRODUCTS_DIR)/jsc. 631 632 - Correct capitalization of "JavaScriptcore.framework" in a comment in a shell script in 633 the project. 634 635 Roll back in after confirming that Mark's fixes make this work right. 636 637 * JavaScriptCore.xcodeproj/project.pbxproj: 638 6392013-10-10 Mark Hahnenberg <mhahnenberg@apple.com> 640 641 CallbackData unnecessarily caches the JSValue for currentThis 642 https://bugs.webkit.org/show_bug.cgi?id=122616 643 644 Reviewed by Oliver Hunt. 645 646 CallbackData implements its own version of caching the JSValue* for the JSValueRef it stores. 647 +[JSValue valueWithJSValueRef:inContext:] already does caching, thus obviating the need for 648 CallbackData to do its own caching. 649 650 * API/JSContext.mm: 651 (+[JSContext currentThis]): 652 (-[JSContext beginCallbackWithData:thisValue:argumentCount:arguments:]): 653 (-[JSContext endCallbackWithData:]): 654 * API/JSContextInternal.h: 655 6562013-10-10 Filip Pizlo <fpizlo@apple.com> 657 658 Unreviewed, roll out r157193. It broke some builds. 659 660 * JavaScriptCore.xcodeproj/project.pbxproj: 661 6622013-10-10 Mark Rowe <mrowe@apple.com> 663 664 <rdar://problem/13341666> WebKit should always build against an SDK. 665 666 Have all projects default to building against the OS X Internal SDK for the Production 667 configuration. For the Debug and Release configurations, look for UseInternalSDK.xcconfig 668 to determine whether the OS X Internal SDK should be used. If not, use the normal OS X SDK. 669 670 Reviewed by Dan Bernstein. 671 672 * Configurations/Base.xcconfig: 673 * Configurations/DebugRelease.xcconfig: 674 6752013-10-10 Mark Rowe <mrowe@apple.com> 676 677 <rdar://problem/13871507> JavaScriptCore fails to build with C++ 98 conformance changes 678 679 Reviewed by Andreas Kling. 680 681 * heap/VTableSpectrum.cpp: 682 (JSC::VTableSpectrum::dump): strrchr returns a const char* when passed one. 683 Update the type of the local variable to accommodate that. 684 6852013-10-10 Mark Hahnenberg <mhahnenberg@apple.com> 686 687 Objective-C API: blocks aren't callable via 'new' 688 https://bugs.webkit.org/show_bug.cgi?id=122561 689 690 Reviewed by Oliver Hunt. 691 692 Currently the only way for clients to vend new native objects to JavaScript code 693 is via factory methods in the form of exported class methods or blocks. Blocks can 694 be called like normal functions from JavaScript code, but they cannot be invoked 695 with 'new'. This would give a simple way for clients to expose constructor-like 696 behavior to their JavaScript code. 697 698 This patch adds the ability for blocks to be invoked as if they were a constructor. 699 Blocks invoked as constructors are required to return an object. If the block doesn't 700 return an object then an error is thrown. The 'this' object is not provided to the 701 block and must be created within the block itself. 702 703 This patch also unifies the native 'construct' callback used in both the C and Obj-C 704 APIs under the APICallbackFunction struct, similar to how we unified the 'call' callback 705 between ObjCCallbackFunction and JSCallbackFunction before. 706 707 This patch also adds tests to make sure that different blocks generate objects that 708 correctly behave when queried with instanceof. It also makes sure that the correct 709 JS exception is thrown when a block fails to return an object. 710 711 * API/APICallbackFunction.h: 712 (JSC::APICallbackFunction::call): 713 (JSC::APICallbackFunction::construct): 714 * API/JSCallbackConstructor.cpp: 715 (JSC::JSCallbackConstructor::getConstructData): 716 * API/JSCallbackConstructor.h: 717 (JSC::JSCallbackConstructor::constructCallback): 718 * API/JSCallbackFunction.h: 719 (JSC::JSCallbackFunction::functionCallback): 720 * API/ObjCCallbackFunction.h: 721 (JSC::ObjCCallbackFunction::functionCallback): 722 (JSC::ObjCCallbackFunction::constructCallback): 723 * API/ObjCCallbackFunction.mm: 724 (JSC::objCCallbackFunctionCallAsConstructor): 725 (JSC::ObjCCallbackFunction::ObjCCallbackFunction): 726 (JSC::ObjCCallbackFunction::create): 727 (JSC::ObjCCallbackFunction::getConstructData): 728 * API/tests/testapi.mm: 729 7302013-10-08 Filip Pizlo <fpizlo@apple.com> 731 732 FTL should be able to do simple OSR exits using llvm.webkit.stackmap 733 https://bugs.webkit.org/show_bug.cgi?id=122538 734 735 Reviewed by Oliver Hunt. 736 737 This gives the FTL the ability to OSR exit using the llvm.webkit.stackmap intrinsic. 738 739 - The FTL compiles all OSR exit calls as calls to llvm.webkit.stackmap with a unique 740 ID, passing a requested size that is big enough for own jump replacement. 741 742 - After LLVM compilation, we parse the new LLVM stackmap section. 743 744 - For all llvm.webkit.stackmaps that we used for OSR exits, we do a jumpReplacement, 745 which targets exit thunks that we generate. 746 747 - If an exit thunk fires, it causes JSC to compile an exit off-ramp that uses a 748 combination of the JSC-internal OSR exit accounting (FTL::ExitValue and friends) and 749 LLVM stackmap's accounting of where data actually ended up (register, indirect, 750 constant) to reconstruct bytecode state. 751 752 This still has shortcomings; for example it cannot handle XMM or YMM registers. Handling 753 YMM registers will require adding some basic YMM support to our assemblers - really we 754 just need the ability to move a YMM's value into a GPR. 755 756 This patch preserves all of the old, intrinsic-less, FTL OSR exit support. Hence it 757 manages to pass all existing FTL tests even despite its incompleteness. I think that's 758 the right way to go since this is already a big patch, and anyway it would be great to 759 keep the intrinsic-less FTL OSR exit support so long as the LLVM side of this hasn't 760 landed. 761 762 * JavaScriptCore.xcodeproj/project.pbxproj: 763 * assembler/AbstractMacroAssembler.h: 764 (JSC::AbstractMacroAssembler::firstRegister): 765 (JSC::AbstractMacroAssembler::lastRegister): 766 * assembler/MacroAssembler.h: 767 (JSC::MacroAssembler::isStackRelated): 768 (JSC::MacroAssembler::firstRealRegister): 769 (JSC::MacroAssembler::nextRegister): 770 (JSC::MacroAssembler::secondRealRegister): 771 * assembler/MacroAssemblerX86Common.h: 772 * assembler/X86Assembler.h: 773 (JSC::X86Assembler::firstRegister): 774 (JSC::X86Assembler::lastRegister): 775 * dfg/DFGPlan.cpp: 776 (JSC::DFG::Plan::compileInThreadImpl): 777 * ftl/FTLCArgumentGetter.cpp: 778 (JSC::FTL::CArgumentGetter::loadNextAndBox): 779 * ftl/FTLCArgumentGetter.h: 780 (JSC::FTL::CArgumentGetter::loadNextDoubleIntoGPR): 781 * ftl/FTLCompile.cpp: 782 (JSC::FTL::mmAllocateCodeSection): 783 (JSC::FTL::mmAllocateDataSection): 784 (JSC::FTL::dumpDataSection): 785 (JSC::FTL::fixFunctionBasedOnStackMaps): 786 (JSC::FTL::compile): 787 * ftl/FTLExitThunkGenerator.cpp: 788 (JSC::FTL::ExitThunkGenerator::emitThunk): 789 (JSC::FTL::ExitThunkGenerator::emitThunks): 790 * ftl/FTLExitThunkGenerator.h: 791 * ftl/FTLExitValue.h: 792 (JSC::FTL::ExitValue::isInJSStackSomehow): 793 (JSC::FTL::ExitValue::valueFormat): 794 * ftl/FTLFail.cpp: 795 (JSC::FTL::fail): 796 * ftl/FTLIntrinsicRepository.h: 797 * ftl/FTLJITCode.h: 798 * ftl/FTLLowerDFGToLLVM.cpp: 799 (JSC::FTL::generateExitThunks): 800 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM): 801 (JSC::FTL::LowerDFGToLLVM::appendOSRExit): 802 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall): 803 (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks): 804 * ftl/FTLOSRExit.h: 805 * ftl/FTLOSRExitCompilationInfo.h: 806 (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo): 807 * ftl/FTLOSRExitCompiler.cpp: 808 (JSC::FTL::compileStubWithOSRExitStackmap): 809 (JSC::FTL::compileStubWithoutOSRExitStackmap): 810 (JSC::FTL::compileFTLOSRExit): 811 * ftl/FTLSaveRestore.cpp: Added. 812 (JSC::FTL::bytesForGPRs): 813 (JSC::FTL::requiredScratchMemorySizeInBytes): 814 (JSC::FTL::offsetOfGPR): 815 (JSC::FTL::saveAllRegisters): 816 (JSC::FTL::restoreAllRegisters): 817 * ftl/FTLSaveRestore.h: Added. 818 * ftl/FTLStackMaps.cpp: Added. 819 (JSC::FTL::readObject): 820 (JSC::FTL::StackMaps::Constant::parse): 821 (JSC::FTL::StackMaps::Constant::dump): 822 (JSC::FTL::StackMaps::Location::parse): 823 (JSC::FTL::StackMaps::Location::dump): 824 (JSC::FTL::StackMaps::Location::involvesGPR): 825 (JSC::FTL::StackMaps::Location::isGPR): 826 (JSC::FTL::StackMaps::Location::gpr): 827 (JSC::FTL::StackMaps::Location::restoreInto): 828 (JSC::FTL::StackMaps::Record::parse): 829 (JSC::FTL::StackMaps::Record::dump): 830 (JSC::FTL::StackMaps::parse): 831 (JSC::FTL::StackMaps::dump): 832 (JSC::FTL::StackMaps::dumpMultiline): 833 (JSC::FTL::StackMaps::getRecordMap): 834 (WTF::printInternal): 835 * ftl/FTLStackMaps.h: Added. 836 * ftl/FTLState.h: 837 * ftl/FTLThunks.cpp: 838 (JSC::FTL::osrExitGenerationThunkGenerator): 839 * ftl/FTLValueFormat.cpp: 840 (JSC::FTL::reboxAccordingToFormat): 841 * ftl/FTLValueFormat.h: 842 * runtime/DataView.cpp: 843 (JSC::DataView::create): 844 * runtime/DataView.h: 845 (JSC::DataView::read): 846 * runtime/Options.h: 847 8482013-10-09 Filip Pizlo <fpizlo@apple.com> 849 850 Minor clean-ups in the JSC Xcode project. 851 852 Rubber stamped by Mark Rowe. 853 854 - When we copy the jsc binary into the framework, 855 $(BUILT_PRODUCTS_DIR)/JavaScriptCore.framework/Resources/jsc is the *output* file not 856 the input file. The input file is $(BUILT_PRODUCTS_DIR)/jsc. 857 858 - Correct capitalization of "JavaScriptcore.framework" in a comment in a shell script in 859 the project. 860 861 * JavaScriptCore.xcodeproj/project.pbxproj: 862 8632013-10-09 Julien Brianceau <jbriance@cisco.com> 864 865 [arm] Inverted src and dest FP registers in DFG speculative JIT when using hardfp. 866 https://bugs.webkit.org/show_bug.cgi?id=122555 867 868 Reviewed by Michael Saboff. 869 870 * dfg/DFGSpeculativeJIT.h: 871 (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult): 872 (JSC::DFG::SpeculativeJIT::appendCallSetResult): 873 8742013-10-08 Michael Saboff <msaboff@apple.com> 875 876 Transition call and construct JITStubs to CCallHelper functions 877 https://bugs.webkit.org/show_bug.cgi?id=122453 878 879 Reviewed by Geoffrey Garen. 880 881 Transitioned cti_op_call_eval to operationCallEval. Migrated baseline JIT to use the same 882 call thunks as the DFG. Eliminated all of the "oldStyle" thunks and related functions. 883 884 * bytecode/CallLinkInfo.cpp: 885 (JSC::CallLinkInfo::unlink): 886 * jit/JIT.cpp: 887 (JSC::JIT::linkFor): 888 (JSC::JIT::linkSlowCall): 889 * jit/JIT.h: 890 * jit/JITCall.cpp: 891 (JSC::JIT::compileCallEval): 892 (JSC::JIT::compileCallEvalSlowCase): 893 (JSC::JIT::compileOpCallSlowCase): 894 (JSC::JIT::privateCompileClosureCall): 895 * jit/JITCall32_64.cpp: 896 (JSC::JIT::compileCallEval): 897 (JSC::JIT::compileCallEvalSlowCase): 898 (JSC::JIT::compileOpCallSlowCase): 899 (JSC::JIT::privateCompileClosureCall): 900 * jit/JITInlines.h: 901 (JSC::JIT::callOperationWithCallFrameRollbackOnException): 902 * jit/JITOperations.cpp: 903 * jit/JITOperations.h: 904 * jit/JITStubs.cpp: 905 * jit/JITStubs.h: 906 * jit/ThunkGenerators.cpp: 907 * jit/ThunkGenerators.h: 908 9092013-10-09 Julien Brianceau <jbriance@cisco.com> 910 911 [sh4] Fix lots of unused parameter warnings. 912 https://bugs.webkit.org/show_bug.cgi?id=122545 913 914 Reviewed by Csaba Osztrogonác. 915 916 * assembler/MacroAssemblerSH4.h: 917 (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranchPtrWithPatch): 918 * assembler/SH4Assembler.h: 919 (JSC::SH4Assembler::andlImm8r): 920 (JSC::SH4Assembler::orlImm8r): 921 (JSC::SH4Assembler::xorlImm8r): 922 (JSC::SH4Assembler::cmpEqImmR0): 923 (JSC::SH4Assembler::testlImm8r): 924 (JSC::SH4Assembler::movwPCReg): 925 (JSC::SH4Assembler::movwMemReg): 926 (JSC::SH4Assembler::movbMemReg): 927 (JSC::SH4Assembler::printInstr): 928 (JSC::SH4Assembler::printBlockInstr): 929 9302013-10-09 Julien Brianceau <jbriance@cisco.com> 931 932 [sh4] Add sh4 support when building with CMake. 933 https://bugs.webkit.org/show_bug.cgi?id=122542 934 935 Reviewed by Csaba Osztrogonác. 936 937 * CMakeLists.txt: 938 9392013-10-08 Oliver Hunt <oliver@apple.com> 940 941 Convert for-of iteration to in-band signalling so we can trivially avoid unnecessary object allocation 942 https://bugs.webkit.org/show_bug.cgi?id=122532 943 944 Reviewed by Michael Saboff. 945 946 Switch for-of enumeration to use in band signalling to determine the end 947 of iteration. This allows us to trivially remove an otherwise unnecessary 948 object allocation, and paves the way for optimised thunks in future. 949 950 We can re-add explicit .next() functions in future that would marshall 951 the true iteration functions, but for now we'll ignore them. 952 953 This results in a huge improvement in the performance of for-of (in the order 954 of 2x) but there's still a long way to go in order to get the performance to 955 a satisfactory level. 956 957 * bytecompiler/NodesCodegen.cpp: 958 (JSC::ForOfNode::emitBytecode): 959 * runtime/ArrayIteratorPrototype.cpp: 960 (JSC::ArrayIteratorPrototype::finishCreation): 961 (JSC::createIteratorResult): 962 * runtime/CommonIdentifiers.cpp: 963 (JSC::CommonIdentifiers::CommonIdentifiers): 964 * runtime/CommonIdentifiers.h: 965 * runtime/Identifier.cpp: 966 (JSC::Identifier::addSlowCase): 967 * runtime/JSObject.h: 968 (JSC::JSFinalObject::create): 969 * runtime/VM.cpp: 970 (JSC::VM::VM): 971 * runtime/VM.h: 972 9732013-10-08 Alex Christensen <achristensen@webkit.org> 974 975 Fixed compile errors while compiling without the JIT enabled. 976 https://bugs.webkit.org/show_bug.cgi?id=122530 977 978 Reviewed by Brent Fulgham. 979 980 * jit/JITOperations.cpp: 981 Protected with #if ENABLE(JIT) like the rest of the JIT source. 982 9832013-10-07 Mark Hahnenberg <mhahnenberg@apple.com> 984 985 JSManagedValue should be able to store non-object JSValues 986 https://bugs.webkit.org/show_bug.cgi?id=122351 987 988 Reviewed by Oliver Hunt. 989 990 We decided not to support this because we thought it didn't make sense to have a 991 "weak" JSValue that wasn't an object. 992 993 Our general thought process was if you have a JSObject-ObjC object pair (i.e. an 994 Obj-C object that you exported to JavaScript-land), it makes more sense to store 995 a non-object JSValue on the JavaScript-land version of the object rather than as 996 an ivar in the Objective-C object. 997 998 In retrospect, this may not have been a good decision at least w.r.t. consistency 999 in client code. If you're storing a bag of JSValues off an Obj-C object, you'd 1000 like to store all of them either in ObjC-land or JavaScript-land, but doing some 1001 in one and some in the other doesn't sound too good. Also, what if the object you 1002 want to hang these values off of doesn't have a corresponding object in JavaScript- 1003 land in which to store them? 1004 1005 The solution is to fix JSManagedValue to be able to reference non-object JSValues. 1006 Right now, all JSManagedValues contain a Weak<JSObject>. We'll change this so that 1007 they can contain either a non-cell JSValue or a JSObject*, along with a weak 1008 reference to the JSGlobalObject for reconstructing a JSValue later on. 1009 1010 * API/JSManagedValue.mm: 1011 (PrimitiveOrObject::PrimitiveOrObject): 1012 (PrimitiveOrObject::~PrimitiveOrObject): 1013 (PrimitiveOrObject::clear): 1014 (PrimitiveOrObject::isClear): 1015 (PrimitiveOrObject::isSet): 1016 (PrimitiveOrObject::isPrimitive): 1017 (PrimitiveOrObject::isObject): 1018 (PrimitiveOrObject::setPrimitive): 1019 (PrimitiveOrObject::setObject): 1020 (PrimitiveOrObject::object): 1021 (PrimitiveOrObject::primitive): 1022 (-[JSManagedValue initWithValue:]): 1023 (-[JSManagedValue value]): 1024 (-[JSManagedValue disconnectValue]): 1025 10262013-10-08 Robert Plociennik <r.plociennik@samsung.com> 1027 1028 JavaScriptCore fails to build 1029 https://bugs.webkit.org/show_bug.cgi?id=122440 1030 1031 Reviewed by Darin Adler. 1032 1033 Compilation fails in debug due to 'comparison of unsigned expression >= 0 is 1034 always true'. 1035 1036 * debugger/DebuggerCallFrame.cpp: 1037 (JSC::DebuggerCallFrame::positionForCallFrame): Removed the offending ASSERTS. 1038 10392013-10-07 Andreas Kling <akling@apple.com> 1040 1041 Pass VM instead of ExecState to JSNotAnObject constructor. 1042 <https://webkit.org/b/122474> 1043 1044 Reviewed by Sam Weinig. 1045 1046 JSNotAnObject was only using the ExecState to find the VM. 1047 10482013-10-07 Filip Pizlo <fpizlo@apple.com> 1049 1050 FTL memory allocator should be able to allocate data sections in non-executable memory 1051 https://bugs.webkit.org/show_bug.cgi?id=116189 1052 1053 Reviewed by Sam Weinig. 1054 1055 Use a RefCountedArray<int64_t> for data sections. This works out great because 1056 RefCountedArray<> knows its own size and because the reference counting makes passing 1057 it around very easy (you don't have to stress out about ownership). 1058 1059 * ftl/FTLCompile.cpp: 1060 (JSC::FTL::mmAllocateDataSection): 1061 (JSC::FTL::compile): 1062 * ftl/FTLJITCode.cpp: 1063 (JSC::FTL::JITCode::addDataSection): 1064 * ftl/FTLJITCode.h: 1065 (JSC::FTL::JITCode::dataSections): 1066 10672013-10-07 Roger Fong <roger_fong@apple.com> 1068 1069 Modify JavascriptCore makefile for x64 build. 1070 https://bugs.webkit.org/show_bug.cgi?id=122467. 1071 <rdar://problem/15169174>. 1072 1073 Reviewed by Brent Fulgham. 1074 1075 * JavaScriptCore.vcxproj/JavaScriptCore.make: 1076 10772013-10-07 Nadav Rotem <nrotem@apple.com> 1078 1079 FTL: Optimize IsString(@2<String>) -> JSConst(true) + Phantom() 1080 https://bugs.webkit.org/show_bug.cgi?id=122363 1081 1082 Reviewed by Filip Pizlo. 1083 1084 * dfg/DFGFixupPhase.cpp: 1085 (JSC::DFG::FixupPhase::fixupNode): 1086 10872013-10-04 Michael Saboff <msaboff@apple.com> 1088 1089 Transition stack check JITStubs to CCallHelper functions 1090 https://bugs.webkit.org/show_bug.cgi?id=122289 1091 1092 Reviewed by Filip Pizlo. 1093 1094 Replaced jit stubs cti_stack_check, cti_op_call_arityCheck and cti_op_construct_arityCheck with 1095 jit operations operationStackCheck, operationCallArityCheck & operationConstructArityCheck. 1096 Added new callOperationWithCallFrameRollbackOnException() in baseline and DFG JITs to call 1097 these new functions. Added code to unwind one frame in JIT::privateCompileExceptionHandlers() 1098 and JITCompiler::compileExceptionHandlers() for these cases that need to throw exceptions in 1099 their caller frame when the stack is exhausted. 1100 1101 * assembler/MacroAssembler.h: 1102 (JSC::MacroAssembler::andPtr): Added to handle masking a pointer with a literal. 1103 * assembler/MacroAssemblerX86_64.h: 1104 (JSC::MacroAssemblerX86_64::and64): Added to handle masking a pointer with a literal. 1105 * dfg/DFGJITCompiler.cpp: 1106 (JSC::DFG::JITCompiler::compileExceptionHandlers): 1107 (JSC::DFG::JITCompiler::compileFunction): 1108 (JSC::DFG::JITCompiler::linkFunction): 1109 * dfg/DFGJITCompiler.h: 1110 (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback): 1111 * dfg/DFGSpeculativeJIT.h: 1112 (JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException): 1113 (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck): 1114 (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException): 1115 (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult): 1116 (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult): 1117 * ftl/FTLLink.cpp: 1118 (JSC::FTL::link): 1119 * interpreter/CallFrame.h: 1120 (JSC::ExecState::hostCallFrameFlag): 1121 * jit/AssemblyHelpers.cpp: 1122 (JSC::AssemblyHelpers::jitAssertIsNull): 1123 * jit/AssemblyHelpers.h: 1124 (JSC::AssemblyHelpers::jitAssertIsNull): 1125 * jit/JIT.cpp: 1126 (JSC::JIT::privateCompile): 1127 (JSC::JIT::privateCompileExceptionHandlers): 1128 * jit/JIT.h: 1129 (JSC::JIT::exceptionCheckWithCallFrameRollback): 1130 * jit/JITInlines.h: 1131 (JSC::JIT::appendCallWithCallFrameRollbackOnException): 1132 (JSC::JIT::callOperationWithCallFrameRollbackOnException): 1133 * jit/JITOperations.cpp: 1134 * jit/JITOperations.h: 1135 * jit/JITStubs.cpp: 1136 * jit/JITStubs.h: 1137 11382013-10-07 Filip Pizlo <fpizlo@apple.com> 1139 1140 ASSERTION FAILED: isUInt32() in jsc-layout-tests.yaml/js/script-tests/dfg-uint32-to-number-in-middle-of-copy-propagation.js.layout-dfg-eager-no-cjit 1141 https://bugs.webkit.org/show_bug.cgi?id=122419 1142 1143 Reviewed by Oliver Hunt. 1144 1145 AI was using JSValue::asUInt32() incorrectly. That method presumes that the input is 1146 both a int32 and a uint32 (it's in the range [0, 2^31)). The UInt32ToNumber node is 1147 instead dealing with an input that is always represented as a int32 but that has the 1148 meaning of a uint32 - so AI should use JSValue::asInt32() and then do the cast. 1149 1150 * dfg/DFGAbstractInterpreterInlines.h: 1151 (JSC::DFG::::executeEffects): 1152 11532013-10-07 Julien Brianceau <jbriance@cisco.com> 1154 1155 [sh4] Jump over maxJumpReplacementSize in revertJumpToMove. 1156 https://bugs.webkit.org/show_bug.cgi?id=120007 1157 1158 Reviewed by Oliver Hunt. 1159 1160 Jump over maxJumpReplacementSize in revertJumpToMove, even if there is no constant 1161 value within the area. This patch fixes debug ASSERTs failures for sh4 architecture. 1162 1163 * assembler/SH4Assembler.h: 1164 (JSC::SH4Assembler::revertJumpToMove): 1165 11662013-10-06 Anders Carlsson <andersca@apple.com> 1167 1168 Add OVERRIDE and virtual where appropriate 1169 https://bugs.webkit.org/show_bug.cgi?id=122439 1170 1171 Reviewed by Antti Koivisto. 1172 1173 * API/JSAPIWrapperObject.mm: 1174 * API/JSCallbackObject.h: 1175 (JSC::JSCallbackObjectData::~JSCallbackObjectData): 1176 * API/JSManagedValue.mm: 1177 * API/JSScriptRef.cpp: 1178 (OpaqueJSScript::~OpaqueJSScript): 1179 * bytecode/CodeBlock.h: 1180 * bytecode/StructureStubClearingWatchpoint.h: 1181 * dfg/DFGArrayifySlowPathGenerator.h: 1182 * dfg/DFGCallArrayAllocatorSlowPathGenerator.h: 1183 * dfg/DFGFailedFinalizer.h: 1184 * dfg/DFGJITCode.h: 1185 * dfg/DFGJITFinalizer.h: 1186 * dfg/DFGSaneStringGetByValSlowPathGenerator.h: 1187 * dfg/DFGSlowPathGenerator.h: 1188 * dfg/DFGSpeculativeJIT64.cpp: 1189 * heap/Heap.h: 1190 * heap/IncrementalSweeper.h: 1191 * heap/SuperRegion.h: 1192 * jit/ClosureCallStubRoutine.h: 1193 * jit/ExecutableAllocatorFixedVMPool.cpp: 1194 * jit/GCAwareJITStubRoutine.h: 1195 * jit/JITCode.h: 1196 * jit/JITStubs.cpp: 1197 * jit/JITToDFGDeferredCompilationCallback.h: 1198 * jit/JumpReplacementWatchpoint.h: 1199 * parser/Nodes.h: 1200 * runtime/DataView.h: 1201 * runtime/GCActivityCallback.h: 1202 * runtime/GenericTypedArrayView.h: 1203 * runtime/RegExpCache.h: 1204 * runtime/SimpleTypedArrayController.h: 1205 * runtime/WeakMapData.h: 1206 12072013-10-07 Filip Pizlo <fpizlo@apple.com> 1208 1209 Trap 5 (most likely int $3) in jsc-layout-tests.yaml/js/script-tests/integer-division-neg2tothe32-by-neg1.js.layout-dfg-eager-no-cjit 1210 https://bugs.webkit.org/show_bug.cgi?id=122420 1211 1212 Reviewed by Michael Saboff. 1213 1214 For the (-2^31/-1)|0 case, we were returning the left operand (i.e. -2^31) but we were 1215 failing to account for the possibility that this operand has high-bit garbage and 1216 int32Result() requires that the high bits are zero. 1217 1218 * dfg/DFGSpeculativeJIT.cpp: 1219 (JSC::DFG::SpeculativeJIT::compileArithDiv): 1220 12212013-10-06 Filip Pizlo <fpizlo@apple.com> 1222 1223 ASSERTION FAILED: bitwise_cast<WriteBarrier<Unknown>*>(callFrame) == m_registers in jsc-layout-tests.yaml/js/script-tests/dfg-inline-arguments-capture-throw-exception.js.layout-dfg-eager-no-cjit 1224 https://bugs.webkit.org/show_bug.cgi?id=122418 1225 1226 Reviewed by Oliver Hunt. 1227 1228 This is pretty awesome. With stack compression, Arguments created in the DFG will point 1229 their m_registers pointers into a different slab of stack than they would have in byte 1230 code. 1231 1232 Hence OSR exit must repoint any Arguments objects' m_registers pointers. It previously 1233 neglected to do so. This patch fixes that. 1234 1235 Fixing this unveiled another bug: the stack reversal broke the reification of inlined 1236 phantom arguments. 1237 1238 * dfg/DFGOSRExitCompiler32_64.cpp: 1239 (JSC::DFG::OSRExitCompiler::compileExit): 1240 * dfg/DFGOSRExitCompiler64.cpp: 1241 (JSC::DFG::OSRExitCompiler::compileExit): 1242 * dfg/DFGOSRExitCompilerCommon.cpp: 1243 (JSC::DFG::reifyInlinedCallFrames): 1244 * dfg/DFGSpeculativeJIT.cpp: 1245 (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): 1246 (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): 1247 * dfg/DFGSpeculativeJIT64.cpp: 1248 (JSC::DFG::SpeculativeJIT::compile): 1249 * runtime/Arguments.h: 1250 (JSC::Arguments::offsetOfNumArguments): 1251 (JSC::Arguments::offsetOfRegisters): 1252 (JSC::Arguments::offsetOfSlowArgumentData): 1253 (JSC::Arguments::offsetOfOverrodeLength): 1254 12552013-10-06 Filip Pizlo <fpizlo@apple.com> 1256 1257 Unified test infrastructure via the jsc shell 1258 https://bugs.webkit.org/show_bug.cgi?id=120696 1259 1260 Reviewed by Oliver Hunt. 1261 1262 Add a mozilla-tests.yaml list. This is autogenerated by create-mozilla-js-test-list. 1263 I think it's better to leave this checked in; we may even just edit it directly in 1264 the future. Also generating it is not cheap. 1265 1266 Fix some low-hanging fruit bugs that I caught by introducing more test coverage. 1267 1268 - We were not emitting labels for CFA-unreachable blocks, which caused link errors. 1269 It's possible for a CFA-unreachable block to be jumped to, if the thing that causes 1270 it to be unreachable is a speculation in a Branch or peephole compare. 1271 1272 - The register allocation assertions didn't handle peephole branches correctly. Since 1273 the peephole branch handling returns early from compile(), the clearBlahbittyBlah() 1274 method wasn't being called. 1275 1276 * dfg/DFGSpeculativeJIT.cpp: 1277 (JSC::DFG::SpeculativeJIT::compileCurrentBlock): 1278 * dfg/DFGSpeculativeJIT32_64.cpp: 1279 (JSC::DFG::SpeculativeJIT::compile): 1280 * dfg/DFGSpeculativeJIT64.cpp: 1281 (JSC::DFG::SpeculativeJIT::compile): 1282 * tests/mozilla/mozilla-tests.yaml: Added. 1283 12842013-10-05 Andreas Kling <akling@apple.com> 1285 1286 Pass VM instead of ExecState to StringObject constructor. 1287 <https://webkit.org/b/122395> 1288 1289 Reviewed by Sam Weinig. 1290 1291 StringObject() only uses the ExecState to find the VM. 1292 12932013-10-05 Filip Pizlo <fpizlo@apple.com> 1294 1295 Compress DFG stack layout 1296 https://bugs.webkit.org/show_bug.cgi?id=122024 1297 1298 Reviewed by Oliver Hunt. 1299 1300 The DFG needs to be able to store things at a known offset from frame pointer so that 1301 the runtime can read those things. Prior to this patch, the DFG would use the exact 1302 offsets that the bytecode asked for, even in the case of inlining, where it would use 1303 the callsite stack offset to shift all of the inlined function's variables over just as 1304 they would have been if a bytecode interpreter had really made the call. 1305 1306 But this won't work once WebKit-LLVM integration is complete. LLVM has no notion of 1307 storing things at a fixed offset from the frame pointer. We could try to hack LLVM to do 1308 that, but it would seriously complicate LLVM's stack layout. But what we might be able 1309 to do is have LLVM tell us (via an addressof intrinsic and a side-channel) where some 1310 alloca landed relative to the frame pointer. Hence if the DFG can put all of its flushed 1311 variables in a contiguous range that can be expressed to LLVM as a struct that we 1312 alloca, then all of this can still work just fine. 1313 1314 Previously the flushed variables didn't fit in a contiguous range, but this patch makes 1315 them contiguous by allowing the stack layout to be compressed. 1316 1317 What this really means is that there is now a distinction between where the DFG saw a 1318 variable stored in bytecode and where it will actually store it in the resulting machine 1319 code. Henceforth when the DFG says "local" or "virtual register" it means the variable 1320 according to bytecode (with the stack offsetting for inlined code as before), but when 1321 it says "machine local" or "machine virtual register" it means the actual place where it 1322 will store things in the resulting machine code. All of the OSR exit, inlined arguments, 1323 captured variables, and various stack unwinding machine now knows about all of this. 1324 1325 Note that the DFG's abstract interpretation still uses bytecode variables rather than 1326 machine variables. Same for CSE and abstract heaps. This makes sense since it means that 1327 we don't have to decide on machine variable allocation just to do those optimizations. 1328 1329 The decision of what a local's machine location becomes is deferred to very late in 1330 compilation. We only need to assign machine locations to variables that must be stored 1331 to the stack. It's now mandatory to run some kind of "stack layout phase" that makes the 1332 decision and updates all data structures. 1333 1334 So far the way that this is being used is just to compress the DFG stack layout, which 1335 is something that we should have done anyway, a long time ago. And the compression isn't 1336 even that good - the current StackLayoutPhase just identifies local indices that are 1337 unused in machine code and slides all other variables towards zero. This doesn't achieve 1338 particularly good compression but it is better than nothing. Note that this phase makes 1339 it seem like the bytecode-machine mapping is based on bytecode local indices; for 1340 example if bytecode local 4 is mapped to machine local 3 then it always will be. That's 1341 true for the current StackLayoutPhase but it _will not_ be true for all possible stack 1342 layout phases and it would be incorrect to assume that it should be true. This is why 1343 the current data structures have each VariableAccessData hold its own copy of the 1344 machine virtual register, and also have each InlineCallFrame report their own machine 1345 virtual registers for the various things. The DFG backend is likely to always use the 1346 dumb StackLayoutPhase since it is very cheap to run, but the FTL backend is likely to 1347 eventually get a better one, where we do some kind of constraint-based coloring: we 1348 institute constraints where some VariableAccessData's must have the same indices as some 1349 other ones, and also must be right next to some other ones; then we process all 1350 VariableAccessData's and attempt to assign them machine locals while preserving those 1351 constraints. This could lead to two VariableAccessDatas for the same bytecode local 1352 ending up with different machine locals. 1353 1354 * CMakeLists.txt: 1355 * GNUmakefile.list.am: 1356 * JavaScriptCore.xcodeproj/project.pbxproj: 1357 * bytecode/CodeBlock.cpp: 1358 (JSC::CodeBlock::CodeBlock): 1359 (JSC::CodeBlock::isCaptured): 1360 (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): 1361 (JSC::CodeBlock::machineSlowArguments): 1362 * bytecode/CodeBlock.h: 1363 (JSC::CodeBlock::hasSlowArguments): 1364 * bytecode/CodeOrigin.cpp: 1365 (JSC::CodeOrigin::dump): 1366 (JSC::InlineCallFrame::calleeForCallFrame): 1367 (JSC::InlineCallFrame::dumpInContext): 1368 * bytecode/CodeOrigin.h: 1369 (JSC::InlineCallFrame::InlineCallFrame): 1370 (JSC::InlineCallFrame::calleeConstant): 1371 * bytecode/Operands.h: 1372 (JSC::Operands::indexForOperand): 1373 * dfg/DFGBasicBlock.cpp: 1374 (JSC::DFG::BasicBlock::SSAData::SSAData): 1375 * dfg/DFGBasicBlock.h: 1376 * dfg/DFGByteCodeParser.cpp: 1377 (JSC::DFG::ByteCodeParser::ByteCodeParser): 1378 (JSC::DFG::ByteCodeParser::get): 1379 (JSC::DFG::ByteCodeParser::getLocal): 1380 (JSC::DFG::ByteCodeParser::flushDirect): 1381 (JSC::DFG::ByteCodeParser::flush): 1382 (JSC::DFG::ByteCodeParser::handleInlining): 1383 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): 1384 (JSC::DFG::ByteCodeParser::parse): 1385 * dfg/DFGCommon.h: 1386 * dfg/DFGCommonData.h: 1387 (JSC::DFG::CommonData::CommonData): 1388 * dfg/DFGDesiredWriteBarriers.cpp: 1389 (JSC::DFG::DesiredWriteBarrier::trigger): 1390 * dfg/DFGDesiredWriteBarriers.h: 1391 * dfg/DFGFlushLivenessAnalysisPhase.cpp: 1392 (JSC::DFG::FlushLivenessAnalysisPhase::run): 1393 (JSC::DFG::FlushLivenessAnalysisPhase::process): 1394 (JSC::DFG::FlushLivenessAnalysisPhase::reportError): 1395 * dfg/DFGFlushedAt.cpp: Added. 1396 (JSC::DFG::FlushedAt::dump): 1397 (JSC::DFG::FlushedAt::dumpInContext): 1398 * dfg/DFGFlushedAt.h: Added. 1399 (JSC::DFG::FlushedAt::FlushedAt): 1400 (JSC::DFG::FlushedAt::operator!): 1401 (JSC::DFG::FlushedAt::format): 1402 (JSC::DFG::FlushedAt::virtualRegister): 1403 (JSC::DFG::FlushedAt::operator==): 1404 (JSC::DFG::FlushedAt::operator!=): 1405 * dfg/DFGGraph.cpp: 1406 (JSC::DFG::Graph::Graph): 1407 (JSC::DFG::Graph::dump): 1408 * dfg/DFGGraph.h: 1409 (JSC::DFG::Graph::bytecodeRegisterForArgument): 1410 (JSC::DFG::Graph::argumentsRegisterFor): 1411 (JSC::DFG::Graph::machineArgumentsRegisterFor): 1412 (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): 1413 (JSC::DFG::Graph::activationRegister): 1414 (JSC::DFG::Graph::uncheckedActivationRegister): 1415 (JSC::DFG::Graph::machineActivationRegister): 1416 (JSC::DFG::Graph::uncheckedMachineActivationRegister): 1417 * dfg/DFGJITCompiler.cpp: 1418 (JSC::DFG::JITCompiler::link): 1419 * dfg/DFGJITCompiler.h: 1420 (JSC::DFG::JITCompiler::noticeOSREntry): 1421 * dfg/DFGNode.h: 1422 (JSC::DFG::Node::convertToGetLocalUnlinked): 1423 (JSC::DFG::Node::convertToGetLocal): 1424 (JSC::DFG::Node::machineLocal): 1425 (JSC::DFG::Node::hasUnlinkedMachineLocal): 1426 (JSC::DFG::Node::setUnlinkedMachineLocal): 1427 (JSC::DFG::Node::unlinkedMachineLocal): 1428 (JSC::DFG::Node::hasInlineStartData): 1429 (JSC::DFG::Node::inlineStartData): 1430 * dfg/DFGNodeFlags.cpp: 1431 (JSC::DFG::dumpNodeFlags): 1432 * dfg/DFGOSREntry.cpp: 1433 (JSC::DFG::prepareOSREntry): 1434 * dfg/DFGOSREntry.h: 1435 (JSC::DFG::OSREntryReshuffling::OSREntryReshuffling): 1436 * dfg/DFGOSRExitCompiler64.cpp: 1437 (JSC::DFG::OSRExitCompiler::compileExit): 1438 * dfg/DFGOSRExitCompilerCommon.cpp: 1439 (JSC::DFG::reifyInlinedCallFrames): 1440 * dfg/DFGOperations.cpp: 1441 * dfg/DFGOperations.h: 1442 * dfg/DFGPlan.cpp: 1443 (JSC::DFG::Plan::compileInThreadImpl): 1444 * dfg/DFGScoreBoard.h: 1445 (JSC::DFG::ScoreBoard::ScoreBoard): 1446 * dfg/DFGSpeculativeJIT.cpp: 1447 (JSC::DFG::SpeculativeJIT::compileInlineStart): 1448 (JSC::DFG::SpeculativeJIT::compileCurrentBlock): 1449 (JSC::DFG::SpeculativeJIT::createOSREntries): 1450 (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): 1451 * dfg/DFGSpeculativeJIT.h: 1452 (JSC::DFG::SpeculativeJIT::calleeFrameOffset): 1453 (JSC::DFG::SpeculativeJIT::callFrameSlot): 1454 (JSC::DFG::SpeculativeJIT::argumentSlot): 1455 (JSC::DFG::SpeculativeJIT::callFrameTagSlot): 1456 (JSC::DFG::SpeculativeJIT::callFramePayloadSlot): 1457 (JSC::DFG::SpeculativeJIT::argumentTagSlot): 1458 (JSC::DFG::SpeculativeJIT::argumentPayloadSlot): 1459 (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): 1460 (JSC::DFG::SpeculativeJIT::callOperation): 1461 (JSC::DFG::SpeculativeJIT::recordSetLocal): 1462 * dfg/DFGSpeculativeJIT32_64.cpp: 1463 (JSC::DFG::SpeculativeJIT::emitCall): 1464 (JSC::DFG::SpeculativeJIT::compile): 1465 * dfg/DFGSpeculativeJIT64.cpp: 1466 (JSC::DFG::SpeculativeJIT::emitCall): 1467 (JSC::DFG::SpeculativeJIT::compile): 1468 * dfg/DFGStackLayoutPhase.cpp: Added. 1469 (JSC::DFG::StackLayoutPhase::StackLayoutPhase): 1470 (JSC::DFG::StackLayoutPhase::run): 1471 (JSC::DFG::performStackLayout): 1472 * dfg/DFGStackLayoutPhase.h: Added. 1473 * dfg/DFGValidate.cpp: 1474 (JSC::DFG::Validate::validate): 1475 * dfg/DFGVariableAccessData.h: 1476 (JSC::DFG::VariableAccessData::machineLocal): 1477 (JSC::DFG::VariableAccessData::flushedAt): 1478 * dfg/DFGVirtualRegisterAllocationPhase.cpp: 1479 (JSC::DFG::VirtualRegisterAllocationPhase::run): 1480 * ftl/FTLExitValue.h: 1481 (JSC::FTL::ExitValue::inJSStack): 1482 (JSC::FTL::ExitValue::inJSStackAsInt32): 1483 (JSC::FTL::ExitValue::inJSStackAsInt52): 1484 (JSC::FTL::ExitValue::inJSStackAsDouble): 1485 (JSC::FTL::ExitValue::virtualRegister): 1486 * ftl/FTLLowerDFGToLLVM.cpp: 1487 (JSC::FTL::LowerDFGToLLVM::compileGetArgument): 1488 (JSC::FTL::LowerDFGToLLVM::compileGetLocal): 1489 (JSC::FTL::LowerDFGToLLVM::compileSetLocal): 1490 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): 1491 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall): 1492 * ftl/FTLOSRExitCompiler.cpp: 1493 (JSC::FTL::compileStub): 1494 * ftl/FTLValueSource.cpp: 1495 (JSC::FTL::ValueSource::dump): 1496 * ftl/FTLValueSource.h: 1497 (JSC::FTL::ValueSource::ValueSource): 1498 (JSC::FTL::ValueSource::kind): 1499 (JSC::FTL::ValueSource::operator!): 1500 (JSC::FTL::ValueSource::node): 1501 (JSC::FTL::ValueSource::virtualRegister): 1502 * interpreter/Interpreter.cpp: 1503 (JSC::unwindCallFrame): 1504 * interpreter/StackVisitor.cpp: 1505 (JSC::StackVisitor::readInlinedFrame): 1506 (JSC::StackVisitor::Frame::createArguments): 1507 (JSC::StackVisitor::Frame::existingArguments): 1508 * interpreter/StackVisitor.h: 1509 * jit/AssemblyHelpers.h: 1510 (JSC::AssemblyHelpers::addressFor): 1511 (JSC::AssemblyHelpers::tagFor): 1512 (JSC::AssemblyHelpers::payloadFor): 1513 (JSC::AssemblyHelpers::offsetOfArgumentsIncludingThis): 1514 * runtime/Arguments.cpp: 1515 (JSC::Arguments::tearOff): 1516 * runtime/Arguments.h: 1517 (JSC::Arguments::allocateSlowArguments): 1518 (JSC::Arguments::tryDeleteArgument): 1519 (JSC::Arguments::isDeletedArgument): 1520 (JSC::Arguments::isArgument): 1521 (JSC::Arguments::argument): 1522 (JSC::Arguments::finishCreation): 1523 * runtime/JSActivation.h: 1524 (JSC::JSActivation::create): 1525 (JSC::JSActivation::JSActivation): 1526 * runtime/JSFunction.cpp: 1527 (JSC::RetrieveArgumentsFunctor::operator()): 1528 15292013-10-05 Anders Carlsson <andersca@apple.com> 1530 1531 Remove createOwned 1532 https://bugs.webkit.org/show_bug.cgi?id=122388 1533 1534 Reviewed by Darin Adler. 1535 1536 * profiler/ProfilerDatabase.cpp: 1537 (JSC::Profiler::Database::save): 1538 15392013-10-05 Darin Adler <darin@apple.com> 1540 1541 Cut down on use of String::number 1542 https://bugs.webkit.org/show_bug.cgi?id=122382 1543 1544 Reviewed by Anders Carlsson. 1545 1546 * API/JSCallbackObjectFunctions.h: 1547 (JSC::JSCallbackObject::putByIndex): Use Identifier::from instead of calling 1548 String::number and creating an identifier from that. Can save creating and then 1549 destroying a string if an identifier already exists. 1550 * runtime/Arguments.cpp: 1551 (JSC::Arguments::getOwnPropertySlotByIndex): Ditto. 1552 (JSC::Arguments::getOwnPropertyNames): Ditto. 1553 (JSC::Arguments::putByIndex): Ditto. 1554 * runtime/JSGenericTypedArrayViewInlines.h: 1555 (JSC::::getOwnPropertyNames): Ditto. 1556 * runtime/StringObject.cpp: 1557 (JSC::StringObject::getOwnPropertyNames): Ditto. 1558 15592013-10-04 Mark Lam <mark.lam@apple.com> 1560 1561 Change ScriptDebugServer to use DebuggerCallFrame instead of JavaScriptCallFrame. 1562 https://bugs.webkit.org/show_bug.cgi?id=121969. 1563 1564 Reviewed by Geoffrey Garen. 1565 1566 1. Make JavaScriptCallFrame a thin shell around the DebuggerCallFrame. 1567 DebuggerCallFrame now tracks whether it is valid instead of needing 1568 JavaScriptCallFrame do it. 1569 2. ScriptDebugServer now only instantiates an DebuggerCallFrame when needed 1570 just before it pauses and calls back to its client, and then invalidates 1571 it immediately when the callback returns. Every subsequent callback to 1572 the client will use a new instance of the DebuggerCallFrame. 1573 3. Similarly, ScriptDebugServer now only creates a JavaScriptCallFrame when 1574 it "pauses". 1575 4. DebuggerCallFrame only creates its caller DebuggerCallFrame when 1576 it is needed i.e. when the client calls callerFrame(). Similarly, 1577 JavaScriptCallFrame only creates its caller when it's requested. 1578 5. DebuggerCallFrame's line() and column() now returns a base-zero int. 1579 6. WebScriptDebugDelegate now only caches the functionName of the frame 1580 instead of the entire DebuggerCallFrame because that is all that is 1581 needed. 1582 7. Also removed evaluateInGlobalCallFrame() which is not used anywhere. 1583 1584 * debugger/Debugger.cpp: 1585 * debugger/Debugger.h: 1586 * debugger/DebuggerCallFrame.cpp: 1587 (JSC::DebuggerCallFrame::DebuggerCallFrame): 1588 (JSC::DebuggerCallFrame::callerFrame): 1589 (JSC::DebuggerCallFrame::dynamicGlobalObject): 1590 (JSC::DebuggerCallFrame::sourceId): 1591 (JSC::DebuggerCallFrame::functionName): 1592 (JSC::DebuggerCallFrame::scope): 1593 (JSC::DebuggerCallFrame::type): 1594 (JSC::DebuggerCallFrame::thisValue): 1595 (JSC::DebuggerCallFrame::evaluate): 1596 (JSC::DebuggerCallFrame::evaluateWithCallFrame): 1597 (JSC::DebuggerCallFrame::invalidate): 1598 (JSC::DebuggerCallFrame::positionForCallFrame): 1599 (JSC::DebuggerCallFrame::sourceIdForCallFrame): 1600 (JSC::DebuggerCallFrame::thisValueForCallFrame): 1601 * debugger/DebuggerCallFrame.h: 1602 (JSC::DebuggerCallFrame::create): 1603 (JSC::DebuggerCallFrame::exec): 1604 (JSC::DebuggerCallFrame::line): 1605 (JSC::DebuggerCallFrame::column): 1606 (JSC::DebuggerCallFrame::position): 1607 (JSC::DebuggerCallFrame::isValid): 1608 * interpreter/StackVisitor.cpp: 1609 16102013-10-04 Brent Fulgham <bfulgham@apple.com> 1611 1612 Silence compiler warning when building 64-bit (on Windows) 1613 1614 Reviewed by Geoffrey Garen. 1615 1616 * jit/JSInterfaceJIT.h: Add a static cast for assignment. 1617 16182013-10-04 Nadav Rotem <nrotem@apple.com> 1619 1620 FTL: Add support for ValueToInt32(bool(x)) 1621 https://bugs.webkit.org/show_bug.cgi?id=122346 1622 1623 Reviewed by Geoffrey Garen. 1624 1625 * ftl/FTLCapabilities.cpp: 1626 (JSC::FTL::canCompile): 1627 * ftl/FTLLowerDFGToLLVM.cpp: 1628 (JSC::FTL::LowerDFGToLLVM::compileNode): 1629 (JSC::FTL::LowerDFGToLLVM::compileValueToInt32): 1630 16312013-10-04 Oliver Hunt <oliver@apple.com> 1632 1633 Build fix. 1634 1635 * runtime/JSArrayIterator.cpp: 1636 16372013-10-04 Oliver Hunt <oliver@apple.com> 1638 1639 Support for-of syntax 1640 https://bugs.webkit.org/show_bug.cgi?id=122339 1641 1642 Reviewed by Geoffrey Garen. 1643 1644 Add support for for-of syntax to JSC. As part of doing this I had to make 1645 us support unique empty strings as identifiers. In a follow on patch i'm 1646 going to remove the distinction entirely as it's purely a complicating 1647 separation. 1648 1649 Otherwise the logic here is fairly self-explanatory. 1650 1651 * bytecompiler/BytecodeGenerator.cpp: 1652 (JSC::BytecodeGenerator::addConstant): 1653 (JSC::BytecodeGenerator::emitCall): 1654 * bytecompiler/BytecodeGenerator.h: 1655 * bytecompiler/NodesCodegen.cpp: 1656 (JSC::CallArguments::CallArguments): 1657 (JSC::ForOfNode::emitBytecode): 1658 * jit/JITOperations.cpp: 1659 * parser/ASTBuilder.h: 1660 (JSC::ASTBuilder::createForOfLoop): 1661 * parser/NodeConstructors.h: 1662 (JSC::EnumerationNode::EnumerationNode): 1663 (JSC::ForInNode::ForInNode): 1664 (JSC::ForOfNode::ForOfNode): 1665 * parser/Nodes.h: 1666 * parser/Parser.cpp: 1667 (JSC::::parseVarDeclarationList): 1668 (JSC::::parseForStatement): 1669 * parser/Parser.h: 1670 (JSC::Parser::isofToken): 1671 * parser/SyntaxChecker.h: 1672 (JSC::SyntaxChecker::createForOfLoop): 1673 * runtime/ArrayIteratorPrototype.cpp: 1674 (JSC::ArrayIteratorPrototype::finishCreation): 1675 (JSC::arrayIteratorPrototypeIterate): 1676 * runtime/ArrayPrototype.cpp: 1677 (JSC::ArrayPrototype::create): 1678 (JSC::ArrayPrototype::finishCreation): 1679 * runtime/ArrayPrototype.h: 1680 * runtime/CommonIdentifiers.cpp: 1681 (JSC::CommonIdentifiers::CommonIdentifiers): 1682 * runtime/CommonIdentifiers.h: 1683 * runtime/Identifier.h: 1684 (JSC::Identifier::from): 1685 * runtime/JSCJSValue.cpp: 1686 (JSC::JSValue::dumpInContext): 1687 * runtime/JSGlobalObject.cpp: 1688 (JSC::JSGlobalObject::reset): 1689 * runtime/JSObject.cpp: 1690 (JSC::JSObject::putDirectNativeFunction): 1691 * runtime/PrivateName.h: 1692 (JSC::PrivateName::PrivateName): 1693 * runtime/PropertyName.h: 1694 (JSC::PropertyName::PropertyName): 1695 16962013-10-04 Michael Saboff <msaboff@apple.com> 1697 1698 FTL::OSRExit::convertToForward() shouldn't misuse Operands<>::operator[] 1699 https://bugs.webkit.org/show_bug.cgi?id=122336 1700 1701 Reviewed by Geoffrey Garen. 1702 1703 Changed code in change set r156900 to use the operand() accessor instead of operator[]. 1704 1705 * ftl/FTLOSRExit.cpp: 1706 (JSC::FTL::OSRExit::convertToForward): 1707 17082013-10-04 Michael Saboff <msaboff@apple.com> 1709 1710 FTL: Crash in OSRExit::convertToForward() using VirtualRegister.offset() as array index 1711 https://bugs.webkit.org/show_bug.cgi?id=122332 1712 1713 Reviewed by Oliver Hunt. 1714 1715 Changed the uses of .offset(), which returns a negative number for locals, to be 1716 toLocal() which returns a local's ordinal number. 1717 1718 * ftl/FTLOSRExit.cpp: 1719 (JSC::FTL::OSRExit::convertToForward): 1720 17212013-10-04 Michael Saboff <msaboff@apple.com> 1722 1723 Add callOperation to Baseline JIT 1724 https://bugs.webkit.org/show_bug.cgi?id=122306 1725 1726 Reviewed by Geoffrey Garen. 1727 1728 Created baseline JIT compatible versions for a few flavors of callOperation(). 1729 Migrated cti_op_new_regexp() and its caller to callOperation(operationNewRegexp()). 1730 1731 * dfg/DFGOperations.cpp: Moved operationNewRegexp() to JITOperations 1732 * dfg/DFGOperations.h: 1733 * jit/JIT.h: 1734 (JSC::JIT::appendCall): 1735 * jit/JITInlines.h: 1736 (JSC::JIT::appendCallWithExceptionCheck): 1737 (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult): 1738 (JSC::JIT::callOperation): 1739 * jit/JITOpcodes.cpp: 1740 (JSC::JIT::emit_op_new_regexp): 1741 * jit/JITOperations.cpp: 1742 * jit/JITOperations.h: 1743 * jit/JITStubs.cpp: 1744 * jit/JITStubs.h: 1745 * jit/JSInterfaceJIT.h: 1746 17472013-10-03 Mark Rowe <mrowe@apple.com> 1748 1749 REGRESSION (r156811): WebCore rebuilds from scratch when doing an incremental build 1750 1751 The change in r156811 resulted in several public headers in the JavaScriptCore framework having their modification 1752 date touched on every build, even if their contents had not changed. This resulted in a large portion of WebCore 1753 needing to rebuilt after an incremental build of JavaScriptCore. 1754 1755 Reviewed by Dan Bernstein. 1756 1757 * JavaScriptCore.xcodeproj/project.pbxproj: Have unifdef generate its output to a temporary file. If its exit status 1758 indicates that the content did not change, remove the temporary file. If the content changed, moved the temporary file 1759 over the destination. 1760 17612013-10-03 Brent Fulgham <bfulgham@apple.com> 1762 1763 [Win] Unreviewed gardening. 1764 1765 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Clean up the 1766 paths for various files added outside of Visual Studio. They are all 1767 displayed in the root of the project, rather than the proper sub-folder. 1768 17692013-10-03 Brent Fulgham <bfulgham@apple.com> 1770 1771 [Win] Update solutions and projects to support 64-bit builds. 1772 https://bugs.webkit.org/show_bug.cgi?id=122225 1773 1774 Reviewed by Anders Carlsson. 1775 1776 Revise ordering of CPU(X86) and CPU(X86_64) tests, because MSVC always defines 1777 both when targeting a 64-bit build. 1778 1779 * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Add an x64 target 1780 for 64-bit builds. 1781 17822013-10-03 Michael Saboff <msaboff@apple.com> 1783 1784 Eliminate unused JITStub function declarations 1785 https://bugs.webkit.org/show_bug.cgi?id=122288 1786 1787 Reviewed by Geoffrey Garen. 1788 1789 Removed unused JITStub declarations. 1790 1791 * jit/JITStubs.h: 1792 17932013-10-03 Sergio Correia <sergio.correia@openbossa.org> 1794 1795 [EFL] [DEBUG] JavaScriptCore fails to build 1796 https://bugs.webkit.org/show_bug.cgi?id=122267 1797 1798 Reviewed by Michael Saboff. 1799 1800 Build fails due to an expression containing comparison between signed 1801 and unsigned integer. 1802 1803 * llint/LLIntData.cpp: 1804 (JSC::LLInt::Data::performAssertions): Add cast to avoid signed vs. 1805 unsigned comparison warning. 1806 18072013-10-03 Nadav Rotem <nrotem@apple.com> 1808 1809 DFG: ConstProp the pattern ValueToInt32(Bool(x)) -> Int32(x) 1810 https://bugs.webkit.org/show_bug.cgi?id=122263 1811 1812 Reviewed by Geoffrey Garen. 1813 1814 * dfg/DFGAbstractInterpreterInlines.h: 1815 (JSC::DFG::::executeEffects): 1816 18172013-10-02 Dan Bernstein <mitz@apple.com> 1818 1819 REGRESSION (r156811): Objective-C JavaScriptCore API test failing on Mountain Lion bots 1820 https://bugs.webkit.org/show_bug.cgi?id=122260 1821 1822 Reviewed by Mark Rowe. 1823 1824 For the API to work, the tests need to be compiled with a newer version of the LLVM 1825 compiler. Until the bots are updated to that version, disable the tests on 10.8. 1826 1827 * API/tests/testapi.mm: 1828 18292013-10-02 Mark Lam <mark.lam@apple.com> 1830 1831 Make LLINT exception stack unwinding consistent with the JIT. 1832 https://bugs.webkit.org/show_bug.cgi?id=122255. 1833 1834 Reviewed by Filip Pizlo. 1835 1836 Previously, the CommonSlowPaths code is expected to behave in an 1837 inconsistent way in terms of whether to unwind the stack when handling 1838 exceptions or not. For the LLINT, the slow path should unwind the stack 1839 before returning. For the JIT, the slow path should not unwind the stack. 1840 This can result in the stack being unwound twice when the exception 1841 being handled is a TerminationException. 1842 1843 This patch fixes the LLINT's expectation so that it expects the same 1844 slow path behavior as the JIT does. 1845 1846 * llint/LLIntExceptions.cpp: 1847 (JSC::LLInt::returnToThrow): 1848 (JSC::LLInt::callToThrow): 1849 * llint/LLIntSlowPaths.cpp: 1850 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 1851 * llint/LLIntSlowPaths.h: 1852 * llint/LowLevelInterpreter32_64.asm: 1853 * llint/LowLevelInterpreter64.asm: 1854 * runtime/CommonSlowPathsExceptions.cpp: 1855 (JSC::CommonSlowPaths::interpreterThrowInCaller): 1856 18572013-10-02 Filip Pizlo <fpizlo@apple.com> 1858 1859 The DFG should use always DFG::Graph methods for determining where special registers are 1860 https://bugs.webkit.org/show_bug.cgi?id=122248 1861 1862 Reviewed by Michael Saboff. 1863 1864 This makes it possible to have the DFG use different registers than the other engines 1865 for things like activation and arguments. 1866 1867 * dfg/DFGCSEPhase.cpp: 1868 (JSC::DFG::CSEPhase::setLocalStoreElimination): 1869 * dfg/DFGClobberize.h: 1870 (JSC::DFG::clobberize): 1871 * dfg/DFGGraph.h: 1872 (JSC::DFG::Graph::activationRegister): 1873 (JSC::DFG::Graph::uncheckedActivationRegister): 1874 * dfg/DFGOSRExitCompiler32_64.cpp: 1875 (JSC::DFG::OSRExitCompiler::compileExit): 1876 * dfg/DFGOSRExitCompiler64.cpp: 1877 (JSC::DFG::OSRExitCompiler::compileExit): 1878 * dfg/DFGSpeculativeJIT32_64.cpp: 1879 (JSC::DFG::SpeculativeJIT::compile): 1880 * dfg/DFGSpeculativeJIT64.cpp: 1881 (JSC::DFG::SpeculativeJIT::compile): 1882 * jit/AssemblyHelpers.h: 1883 (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): 1884 18852013-10-02 Dan Bernstein <mitz@apple.com> 1886 1887 The Objective-C API should be available in 10.8 builds 1888 https://bugs.webkit.org/show_bug.cgi?id=122245 1889 1890 Reviewed by Mark Rowe. 1891 1892 Enabled the Objective-C API when building on OS X 10.8 with the modern Objective-C runtime, 1893 but kept the availability attributes in API headers for 10.9 and later as they were. 1894 1895 * API/JSBase.h: When JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 is defined, made 1896 JSC_OBJC_API_ENABLED true on 10.8 and above. 1897 * API/JSContext.h: When JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 is defined, marked the class 1898 as available on all OS X versions. 1899 * API/JSManagedValue.h: Ditto. 1900 * API/JSValue.h: Ditto. 1901 * API/JSVirtualMachine.h: Ditto. 1902 * Configurations/Base.xcconfig: Added JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 to 1903 GCC_PREPROCESSOR_DEFINITIONS. 1904 * JavaScriptCore.xcodeproj/project.pbxproj: Added a script build phase to unifdef the 1905 above header files with JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 either defined or not based on 1906 the OS X version we are targeting. 1907 19082013-10-02 Michael Saboff <msaboff@apple.com> 1909 1910 Make Baseline JIT exception handling work like the DFG JIT 1911 https://bugs.webkit.org/show_bug.cgi?id=122244 1912 1913 Reviewed by Filip Pizlo. 1914 1915 Added a jump list (m_exceptionChecks) to JIT as a common place for exception processing within 1916 generated code. Added exceptionCheck() helpers that check for an exception which add a branch 1917 to the list. 1918 1919 * jit/JIT.cpp: 1920 (JSC::JIT::privateCompile): 1921 (JSC::JIT::privateCompileExceptionHandlers): 1922 * jit/JIT.h: 1923 (JSC::JIT::exceptionCheck): 1924 19252013-10-02 Oliver Hunt <oliver@apple.com> 1926 1927 Fix MSVC build 1928 1929 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 1930 19312013-10-02 Geoffrey Garen <ggaren@apple.com> 1932 1933 Optimized VM access from C++ code 1934 https://bugs.webkit.org/show_bug.cgi?id=122241 1935 1936 Reviewed by Filip Pizlo. 1937 1938 * runtime/JSScope.h: 1939 (JSC::JSScope::vm): Use MarkedBlock instead of Heap, since both have a 1940 pointer to the VM, and Heap is one extra load. 1941 19422013-10-02 Michael Saboff <msaboff@apple.com> 1943 1944 The LLInt should not use JITStackFrame 1945 https://bugs.webkit.org/show_bug.cgi?id=122231 1946 1947 Reviewed by Filip Pizlo. 1948 1949 Replaced uses of JITStackFrame::vm with code to either access the vm via the CodeBlock from 1950 known JavaScript call frames or via the JSScope* for host call frames. This eliminates 1951 all uses of JITStackFrame from the LLInt. 1952 1953 * heap/MarkedBlock.h: Made LLIntOffsetsExtractor a friend to access member offsets. 1954 * heap/WeakSet.h: Made LLIntOffsetsExtractor a friend to access member offsets. 1955 * llint/LLIntData.cpp: 1956 (JSC::LLInt::Data::performAssertions): Added an ASSERT for the newly added MarkedBlockMask 1957 * llint/LowLevelInterpreter.asm: 1958 * llint/LowLevelInterpreter32_64.asm: 1959 * llint/LowLevelInterpreter64.asm: 1960 19612013-10-01 Oliver Hunt <oliver@apple.com> 1962 1963 Implement Array key, value and entries iterators 1964 https://bugs.webkit.org/show_bug.cgi?id=122195 1965 1966 Reviewed by Filip Pizlo. 1967 1968 Add implementation of ES6 Array iterators for keys(), values() and entries() 1969 1970 Fairly self explanatory as we just need a simple implementation so that we can 1971 implement and test other features. 1972 1973 * JavaScriptCore.xcodeproj/project.pbxproj: 1974 * runtime/ArrayIteratorConstructor.cpp: Added. 1975 (JSC::ArrayIteratorConstructor::finishCreation): 1976 * runtime/ArrayIteratorConstructor.h: Added. 1977 (JSC::ArrayIteratorConstructor::create): 1978 (JSC::ArrayIteratorConstructor::createStructure): 1979 (JSC::ArrayIteratorConstructor::ArrayIteratorConstructor): 1980 * runtime/ArrayIteratorPrototype.cpp: Added. 1981 (JSC::ArrayIteratorPrototype::finishCreation): 1982 (JSC::createIteratorResult): 1983 (JSC::arrayIteratorPrototypeNext): 1984 * runtime/ArrayIteratorPrototype.h: Added. 1985 (JSC::ArrayIteratorPrototype::create): 1986 (JSC::ArrayIteratorPrototype::createStructure): 1987 (JSC::ArrayIteratorPrototype::ArrayIteratorPrototype): 1988 * runtime/ArrayPrototype.cpp: 1989 (JSC::arrayProtoFuncValues): 1990 (JSC::arrayProtoFuncEntries): 1991 (JSC::arrayProtoFuncKeys): 1992 * runtime/CommonIdentifiers.h: 1993 * runtime/Identifier.h: 1994 (JSC::Identifier::createEmptyUnique): 1995 * runtime/JSArrayIterator.cpp: Added. 1996 (JSC::JSArrayIterator::finishCreation): 1997 * runtime/JSArrayIterator.h: Added. 1998 (JSC::JSArrayIterator::createStructure): 1999 (JSC::JSArrayIterator::create): 2000 (JSC::JSArrayIterator::iterationKind): 2001 (JSC::JSArrayIterator::iteratedObject): 2002 (JSC::JSArrayIterator::nextIndex): 2003 (JSC::JSArrayIterator::setNextIndex): 2004 (JSC::JSArrayIterator::finish): 2005 (JSC::JSArrayIterator::JSArrayIterator): 2006 * runtime/JSGlobalObject.cpp: 2007 (JSC::JSGlobalObject::reset): 2008 * runtime/JSGlobalObject.h: 2009 (JSC::JSGlobalObject::iteratorResultStructure): 2010 20112013-10-02 Mark Hahnenberg <mhahnenberg@apple.com> 2012 2013 get_callee and to_this aren't properly cleared during finalizeUnconditionally 2014 https://bugs.webkit.org/show_bug.cgi?id=122224 2015 2016 Reviewed by Geoffrey Garen. 2017 2018 Even though there is code to clear unmarked inline cache objects in finalizeUnconditionally, 2019 it will never run because get_callee and to_this weren't added to the proper Vector in the 2020 UnlinkedCodeBlock that is iterated during finalizeUnconditionally. 2021 2022 * bytecompiler/BytecodeGenerator.cpp: 2023 (JSC::BytecodeGenerator::BytecodeGenerator): 2024 (JSC::BytecodeGenerator::emitCreateThis): 2025 20262013-09-25 Oliver Hunt <oliver@apple.com> 2027 2028 Implement prefixed-destructuring assignment 2029 https://bugs.webkit.org/show_bug.cgi?id=121930 2030 2031 Reviewed by Mark Hahnenberg. 2032 2033 Relanding with fix after rollout - it helps to not completely destroy 2034 optimisations for no reason. 2035 20362013-10-02 Nadav Rotem <nrotem@apple.com> 2037 2038 FTL: Refactor compileArithDiv and compileArithMod into one function. 2039 https://bugs.webkit.org/show_bug.cgi?id=122205 2040 2041 Reviewed by Filip Pizlo. 2042 2043 * ftl/FTLLowerDFGToLLVM.cpp: 2044 (JSC::FTL::LowerDFGToLLVM::compileNode): 2045 (JSC::FTL::LowerDFGToLLVM::compileAddSub): 2046 (JSC::FTL::LowerDFGToLLVM::compileArithDivMod): 2047 20482013-10-02 Anders Carlsson <andersca@apple.com> 2049 2050 Get rid of Qt code from JavaScriptCore 2051 https://bugs.webkit.org/show_bug.cgi?id=122223 2052 2053 Reviewed by Oliver Hunt. 2054 2055 * API/JSStringRefQt.cpp: Removed. 2056 * API/JSStringRefQt.h: Removed. 2057 * API/OpaqueJSString.h: 2058 * DerivedSources.pri: Removed. 2059 * JavaScriptCore.pri: Removed. 2060 * JavaScriptCore.pro: Removed. 2061 * LLIntOffsetsExtractor.pro: Removed. 2062 * Target.pri: Removed. 2063 * assembler/AbstractMacroAssembler.h: 2064 * assembler/MacroAssembler.h: 2065 (JSC::MacroAssembler::urshift32): 2066 * assembler/MacroAssemblerARMv7.h: 2067 (JSC::MacroAssemblerARMv7::shouldBlindForSpecificArch): 2068 * assembler/MacroAssemblerX86Common.h: 2069 * dfg/DFGSpeculativeJIT.cpp: 2070 (JSC::DFG::SpeculativeJIT::compileArithSub): 2071 * heap/HeapTimer.cpp: 2072 (JSC::HeapTimer::timerEvent): 2073 * heap/HeapTimer.h: 2074 * heap/IncrementalSweeper.cpp: 2075 (JSC::IncrementalSweeper::scheduleTimer): 2076 * heap/IncrementalSweeper.h: 2077 * jit/JITArithmetic32_64.cpp: 2078 (JSC::JIT::emitSub32Constant): 2079 * jsc.cpp: 2080 (main): 2081 * jsc.pro: Removed. 2082 * runtime/DateConstructor.cpp: 2083 * runtime/GCActivityCallback.cpp: 2084 (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback): 2085 (JSC::DefaultGCActivityCallback::cancelTimer): 2086 * runtime/GCActivityCallback.h: 2087 * testRegExp.cpp: 2088 (main): 2089 * yarr/yarr.pri: Removed. 2090 20912013-10-01 Filip Pizlo <fpizlo@apple.com> 2092 2093 FTL should use the new version of LLVM MCJIT memory manager APIs that take a SectionName 2094 https://bugs.webkit.org/show_bug.cgi?id=122193 2095 2096 Reviewed by Geoffrey Garen. 2097 2098 Update our usage of the LLVM C API since the API is about to change. 2099 2100 * ftl/FTLCompile.cpp: 2101 (JSC::FTL::mmAllocateCodeSection): 2102 (JSC::FTL::mmAllocateDataSection): 2103 21042013-10-01 Filip Pizlo <fpizlo@apple.com> 2105 2106 REGRESSION(156464): 50% regression on SunSpider/string-fasta 2107 https://bugs.webkit.org/show_bug.cgi?id=122202 2108 2109 Unreviewed, roll out r156464. 2110 2111 This is a progression on string-fasta, since it fixes the regression. 2112 2113 * bytecode/UnlinkedCodeBlock.cpp: 2114 (JSC::UnlinkedFunctionExecutable::paramString): 2115 * bytecompiler/BytecodeGenerator.cpp: 2116 (JSC::BytecodeGenerator::BytecodeGenerator): 2117 * bytecompiler/BytecodeGenerator.h: 2118 (JSC::BytecodeGenerator::emitExpressionInfo): 2119 * bytecompiler/NodesCodegen.cpp: 2120 (JSC::ForInNode::emitBytecode): 2121 (JSC::FuncExprNode::emitBytecode): 2122 * parser/ASTBuilder.h: 2123 (JSC::ASTBuilder::createFormalParameterList): 2124 (JSC::ASTBuilder::createForInLoop): 2125 (JSC::ASTBuilder::addVar): 2126 * parser/NodeConstructors.h: 2127 (JSC::CommaNode::CommaNode): 2128 (JSC::ParameterNode::ParameterNode): 2129 (JSC::ForInNode::ForInNode): 2130 * parser/Nodes.cpp: 2131 (JSC::FunctionParameters::create): 2132 (JSC::FunctionParameters::FunctionParameters): 2133 (JSC::FunctionParameters::~FunctionParameters): 2134 * parser/Nodes.h: 2135 (JSC::ExpressionNode::isDotAccessorNode): 2136 (JSC::CommaNode::append): 2137 (JSC::ParameterNode::ident): 2138 (JSC::FunctionParameters::at): 2139 (JSC::FunctionParameters::identifiers): 2140 * parser/Parser.cpp: 2141 (JSC::::Parser): 2142 (JSC::::parseVarDeclaration): 2143 (JSC::::parseVarDeclarationList): 2144 (JSC::::parseForStatement): 2145 (JSC::::parseFormalParameters): 2146 (JSC::::parseAssignmentExpression): 2147 * parser/Parser.h: 2148 (JSC::Scope::declareParameter): 2149 (JSC::Parser::declareParameter): 2150 * parser/SyntaxChecker.h: 2151 (JSC::SyntaxChecker::createFormalParameterList): 2152 (JSC::SyntaxChecker::createForInLoop): 2153 (JSC::SyntaxChecker::operatorStackPop): 2154 * runtime/JSONObject.cpp: 2155 * runtime/JSONObject.h: 2156 21572013-10-01 Filip Pizlo <fpizlo@apple.com> 2158 2159 Variable event stream (for DFG OSR exit) should be explicit about where on the stack a SetLocal put a value 2160 https://bugs.webkit.org/show_bug.cgi?id=122178 2161 2162 Reviewed by Geoffrey Garen. 2163 2164 Now if the DFG stores the value of a variable into the stack explicitly via a SetLocal, 2165 it will record where on the stack it stored the value in addition to recording where on 2166 the stack the bytecode would have done the SetLocal. Previously it just recorded the 2167 format and the bytecode variable. Recording just the bytecode variable is currently fine 2168 since the DFG always executes SetLocal's to the same stack location that the bytecode 2169 would have used. But that prevents stack compression (webkit.org/b/122024) so this patch 2170 allows the SetLocal to say both the bytecode variable that we're speaking of and the 2171 actual stack location to which the SetLocal stored the value. 2172 2173 This had to touch a lot of code, so I took the opportunity to also resolve 2174 webkit.org/b/108019. 2175 2176 * bytecode/Operands.h: 2177 (JSC::Operands::hasOperand): 2178 * dfg/DFGFlushFormat.h: 2179 (JSC::DFG::dataFormatFor): 2180 * dfg/DFGMinifiedID.h: 2181 (JSC::DFG::MinifiedID::bits): 2182 (JSC::DFG::MinifiedID::invalidID): 2183 (JSC::DFG::MinifiedID::otherInvalidID): 2184 * dfg/DFGSpeculativeJIT.cpp: 2185 (JSC::DFG::SpeculativeJIT::compileMovHint): 2186 (JSC::DFG::SpeculativeJIT::compileInlineStart): 2187 (JSC::DFG::SpeculativeJIT::compileCurrentBlock): 2188 * dfg/DFGSpeculativeJIT.h: 2189 (JSC::DFG::SpeculativeJIT::recordSetLocal): 2190 * dfg/DFGSpeculativeJIT32_64.cpp: 2191 (JSC::DFG::SpeculativeJIT::compile): 2192 * dfg/DFGSpeculativeJIT64.cpp: 2193 (JSC::DFG::SpeculativeJIT::compile): 2194 * dfg/DFGValueSource.cpp: 2195 (JSC::DFG::ValueSource::dump): 2196 * dfg/DFGValueSource.h: 2197 (JSC::DFG::ValueSource::ValueSource): 2198 (JSC::DFG::ValueSource::forFlushFormat): 2199 (JSC::DFG::ValueSource::forDataFormat): 2200 (JSC::DFG::ValueSource::isSet): 2201 (JSC::DFG::ValueSource::kind): 2202 (JSC::DFG::ValueSource::valueRecovery): 2203 (JSC::DFG::ValueSource::id): 2204 (JSC::DFG::ValueSource::virtualRegister): 2205 * dfg/DFGVariableEvent.cpp: 2206 (JSC::DFG::VariableEvent::dump): 2207 (JSC::DFG::VariableEvent::dumpSpillInfo): 2208 * dfg/DFGVariableEvent.h: 2209 (JSC::DFG::VariableEvent::fillGPR): 2210 (JSC::DFG::VariableEvent::fillPair): 2211 (JSC::DFG::VariableEvent::fillFPR): 2212 (JSC::DFG::VariableEvent::spill): 2213 (JSC::DFG::VariableEvent::death): 2214 (JSC::DFG::VariableEvent::setLocal): 2215 (JSC::DFG::VariableEvent::movHint): 2216 (JSC::DFG::VariableEvent::id): 2217 (JSC::DFG::VariableEvent::gpr): 2218 (JSC::DFG::VariableEvent::tagGPR): 2219 (JSC::DFG::VariableEvent::payloadGPR): 2220 (JSC::DFG::VariableEvent::fpr): 2221 (JSC::DFG::VariableEvent::spillRegister): 2222 (JSC::DFG::VariableEvent::bytecodeRegister): 2223 (JSC::DFG::VariableEvent::machineRegister): 2224 (JSC::DFG::VariableEvent::variableRepresentation): 2225 * dfg/DFGVariableEventStream.cpp: 2226 (JSC::DFG::VariableEventStream::reconstruct): 2227 22282013-10-01 Nadav Rotem <nrotem@apple.com> 2229 2230 FTL: split overflow checks into non-overflow arithmetic and an additional call to the overflow intrinsic check. 2231 https://bugs.webkit.org/show_bug.cgi?id=122170 2232 2233 Reviewed by Filip Pizlo. 2234 2235 Overflow intrinsics are preventing SCEV and other LLVM analysis passes from analyzing loops. This patch changes the FTL-IR gen by splitting arithmetic calculations into two parts: 2236 1. Generate the arithmetic calculation (that may overflow) 2237 2. Generate the overflow check (that is only used by the OSR-exit logic). 2238 2239 We trust LLVM (SelectionDAG) to merge these calculations into a single opcode. 2240 2241 This JS function: 2242 2243 function foo() { 2244 for (i=0; i < 10000000; i++) { } 2245 } 2246 2247 Is now compiled into this LLVM-IR: 2248 2249 "OSR exit continuation for @24<Int32>": ; preds = %"Block #0", %"OSR exit continuation for @24<Int32>2" 2250 %4 = phi i64 [ %10, %"OSR exit continuation for @24<Int32>2" ], [ -281474976710656, %"Block #0" ] 2251 %5 = trunc i64 %4 to i32 2252 %6 = add i32 %5, 1 2253 %7 = tail call { i32, i1 } @llvm.sadd.with.overflow.i32(i32 %5, i32 1) 2254 %8 = extractvalue { i32, i1 } %7, 1 2255 br i1 %8, label %"OSR exit failCase for @24<Int32>1", label %"OSR exit continuation for @24<Int32>2" 2256 2257 And into this assembly: 2258 2259 LBB0_1: ## %OSR exit continuation for @24<Int32> 2260 ## =>This Inner Loop Header: Depth=1 2261 movl %ecx, %esi 2262 incl %esi 2263 jo LBB0_4 2264 2265 * ftl/FTLLowerDFGToLLVM.cpp: 2266 (JSC::FTL::LowerDFGToLLVM::compileAddSub): 2267 (JSC::FTL::LowerDFGToLLVM::compileArithMul): 2268 (JSC::FTL::LowerDFGToLLVM::compileArithNegate): 2269 22702013-10-01 Nadav Rotem <nrotem@apple.com> 2271 2272 Consolidate multiple OSRExit calls into one. 2273 https://bugs.webkit.org/show_bug.cgi?id=122168 2274 2275 Reviewed by Filip Pizlo. 2276 2277 * ftl/FTLLowerDFGToLLVM.cpp: 2278 (JSC::FTL::LowerDFGToLLVM::compileArithMul): 2279 (JSC::FTL::LowerDFGToLLVM::compileArithDiv): 2280 (JSC::FTL::LowerDFGToLLVM::compileArithMod): 2281 22822013-09-30 Filip Pizlo <fpizlo@apple.com> 2283 2284 SpeculativeJIT::m_arguments/m_variables are vestiges of a time long gone 2285 https://bugs.webkit.org/show_bug.cgi?id=122140 2286 2287 Reviewed by Darin Adler. 2288 2289 Just killing code. 2290 2291 * dfg/DFGSpeculativeJIT.cpp: 2292 (JSC::DFG::SpeculativeJIT::SpeculativeJIT): 2293 (JSC::DFG::SpeculativeJIT::compileInlineStart): 2294 (JSC::DFG::SpeculativeJIT::compileCurrentBlock): 2295 (JSC::DFG::SpeculativeJIT::checkArgumentTypes): 2296 * dfg/DFGSpeculativeJIT.h: 2297 (JSC::DFG::SpeculativeJIT::recordSetLocal): 2298 22992013-10-01 Daniel Bates <dabates@apple.com> 2300 2301 [iOS] JavaScriptCore fails to build with newer versions of clang 2302 https://bugs.webkit.org/show_bug.cgi?id=122162 2303 2304 Reviewed by Darin Adler. 2305 2306 * runtime/GCActivityCallback.cpp: Add !PLATFORM(IOS)-guard around constant pagingTimeOut 2307 as we don't compile the code that uses it on iOS. 2308 23092013-09-30 Sam Weinig <sam@webkit.org> 2310 2311 Remove support for DOMFileSystem 2312 https://bugs.webkit.org/show_bug.cgi?id=122137 2313 2314 Reviewed by Anders Carlsson. 2315 2316 * Configurations/FeatureDefines.xcconfig: 2317 23182013-09-30 Dan Bernstein <mitz@apple.com> 2319 2320 <rdar://problem/15114974> Assertion failure under -[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:] if no classes conform to JSExport 2321 https://bugs.webkit.org/show_bug.cgi?id=122124 2322 2323 Reviewed by Darin Adler. 2324 2325 * API/JSWrapperMap.mm: Defined an empty class that conforms to the JSExport protocol, to 2326 ensure that the protocol is always registered with the runtime by the time 2327 getJSExportProtocol() is called. 2328 23292013-09-30 Benjamin Poulain <benjamin@webkit.org> 2330 2331 Remove the code guarded by STYLE_SCOPED 2332 https://bugs.webkit.org/show_bug.cgi?id=122123 2333 2334 Reviewed by Anders Carlsson. 2335 2336 * Configurations/FeatureDefines.xcconfig: 2337 23382013-09-30 Andreas Kling <akling@apple.com> 2339 2340 Pass VM instead of ExecState to ObjectPrototype constructor. 2341 <https://webkit.org/b/122116> 2342 2343 Reviewed by Geoffrey Garen. 2344 2345 The ObjectPrototype constructor was only using the ExecState to get 2346 to the VM. 2347 23482013-09-30 Andreas Kling <akling@apple.com> 2349 2350 Pass VM instead of JSGlobalObject to MathObject constructor. 2351 <https://webkit.org/b/122119> 2352 2353 Reviewed by Geoffrey Garen. 2354 2355 The MathObject constructor was only using the global object to get 2356 to the VM. finishCreation() still uses it to set up functions. 2357 23582013-09-30 Filip Pizlo <fpizlo@apple.com> 2359 2360 Get rid of the AlreadyInJSStack recoveries since they are totally redundant with the DisplacedInJSStack recoveries 2361 https://bugs.webkit.org/show_bug.cgi?id=122065 2362 2363 Reviewed by Mark Hahnenberg. 2364 2365 This mostly just kills a bunch of code. 2366 2367 But incidentaly while killing that code, I uncovered a bug in our FTL OSR entrypoint 2368 creation phase. The phase inserts a sequence of SetLocal(ExtractOSREntryLocal) nodes. 2369 If we hoist some type check into the local, then we might inject a conversion node 2370 between the ExtractOSREntryLocal and the SetLocal - for example we might put in a 2371 Int32ToDouble node. But currently the FixupPhase will make all conversion nodes placed 2372 on an edge of a SetLocal use forward exit. This then confuses the OSR exit machinery. 2373 When OSR exit sees a forward exit, it tries to "roll forward" execution from the exiting 2374 node to the first node that has a different CodeOrigin. This only works if the nodes 2375 after the forward exit are MovHints or other tnings that the OSR exit compiler can 2376 forward-execute. But here, it will see a bunch of SetLocal and ExtractOSREntryLocal 2377 nodes for the same bytecode index. Two possible solutions exist. We could teach the 2378 forward-execution logic how to deal with multiple SetLocals and ExtractOSREntryLocals. 2379 This would be a lot of complexity; right now it just needs to deal with exactly one 2380 SetLocal-like operation. The alternative is to make sure that the conversion node that 2381 we inject ends up exiting *backward* rather than forward. 2382 2383 But making the conversion nodes exit backward is somewhat tricky. Before this patch, 2384 conversion nodes always exit forward for SetLocals and backwards otherwise. It turns out 2385 that the solution is to rationalize how we choose the speculation direciton for a 2386 conversion node. The conversion node's speculation direction should be the same as the 2387 speculation direction of the node for which it is doing a conversion. Since SetLocal's 2388 already exit forward by default, this policy preserves our previous behavior. But it 2389 also allows the OSR entrypoint creation phase to make its SetLocals exit backward 2390 instead. 2391 2392 Of course, if the SetLocal(ExtractOSREntryLocal) sequences exit backward, then we need 2393 to make sure that the OSR exit machine knows that the local variables are indeed live. 2394 Consider that if we have: 2395 2396 a: ExtractOSREntryLocal(loc1) 2397 b: SetLocal(@a, loc1) 2398 c: ExtractOSRentryLocal(loc2) 2399 d: SetLocal(@c, loc2) 2400 2401 Without additional magic, the exit at @b will think that loc2 is dead and the OSR exit 2402 compiler will clobber loc2 with Undefined. So we need to make sure that we actually 2403 emit code like: 2404 2405 a: ExtractOSREntryLocal(loc1) 2406 b: ExtractOSREntryLocal(loc2) 2407 c: SetLocal(@a, loc1) 2408 d: SetLocal(@b, loc2) 2409 e: SetLocal(@a, loc1) 2410 f: SetLocal(@b, loc2) 2411 2412 * CMakeLists.txt: 2413 * GNUmakefile.list.am: 2414 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 2415 * JavaScriptCore.xcodeproj/project.pbxproj: 2416 * Target.pri: 2417 * bytecode/CodeOrigin.h: 2418 * bytecode/ValueRecovery.cpp: Added. 2419 (JSC::ValueRecovery::recover): 2420 (JSC::ValueRecovery::dumpInContext): 2421 (JSC::ValueRecovery::dump): 2422 * bytecode/ValueRecovery.h: 2423 * dfg/DFGFixupPhase.cpp: 2424 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): 2425 (JSC::DFG::FixupPhase::fixEdge): 2426 * dfg/DFGJITCode.cpp: 2427 (JSC::DFG::JITCode::reconstruct): 2428 * dfg/DFGNode.h: 2429 (JSC::DFG::Node::speculationDirection): 2430 (JSC::DFG::Node::setSpeculationDirection): 2431 * dfg/DFGOSREntrypointCreationPhase.cpp: 2432 (JSC::DFG::OSREntrypointCreationPhase::run): 2433 * dfg/DFGOSRExitCompiler32_64.cpp: 2434 (JSC::DFG::OSRExitCompiler::compileExit): 2435 * dfg/DFGOSRExitCompiler64.cpp: 2436 (JSC::DFG::OSRExitCompiler::compileExit): 2437 * dfg/DFGSpeculativeJIT.cpp: 2438 (JSC::DFG::SpeculativeJIT::compileInlineStart): 2439 (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor): 2440 * dfg/DFGSpeculativeJIT.h: 2441 (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor): 2442 * dfg/DFGValueSource.h: 2443 (JSC::DFG::ValueSource::valueRecovery): 2444 * dfg/DFGVariableEventStream.cpp: 2445 (JSC::DFG::VariableEventStream::reconstruct): 2446 * ftl/FTLLowerDFGToLLVM.cpp: 2447 (JSC::FTL::LowerDFGToLLVM::speculate): 2448 (JSC::FTL::LowerDFGToLLVM::speculateMachineInt): 2449 * interpreter/Register.h: 2450 (JSC::Register::unboxedStrictInt52): 2451 * runtime/Arguments.cpp: 2452 (JSC::Arguments::tearOff): 2453 * runtime/Arguments.h: 2454 24552013-09-30 Alex Christensen <alex.christensen@flexsim.com> 2456 2457 Win64 compile fix after r1256490. 2458 https://bugs.webkit.org/show_bug.cgi?id=122117 2459 2460 Reviewed by Michael Saboff. 2461 2462 * jit/JITStubsMSVC64.asm: 2463 Implemented getHostCallReturnValue for Windows x86_64 processors. 2464 24652013-09-30 Andreas Kling <akling@apple.com> 2466 2467 Pass VM instead of JSGlobalObject to RegExp constructor. 2468 <https://webkit.org/b/122113> 2469 2470 Reviewed by Darin Adler. 2471 2472 RegExps don't need anything from the global object during their 2473 construction and only use it to get to the VM. Reduce loads by 2474 simply passing the VM around instead. 2475 2476 JSC release binary size -= 120 bytes(!) 2477 24782013-09-30 Patrick Gansterer <paroga@webkit.org> 2479 2480 Fix compilation for COMPILER(MSVC) && !CPU(X86) after r156490. 2481 https://bugs.webkit.org/show_bug.cgi?id=122102 2482 2483 Reviewed by Geoffrey Garen. 2484 2485 _AddressOfReturnAddress() is supported for all platforms of 2486 ths Microsoft compiler, so we can use it for !CPU(X86) too. 2487 2488 * jit/JITOperationWrappers.h: 2489 24902013-09-30 Gabor Rapcsanyi <rgabor@webkit.org> 2491 2492 Unreviewed. Build fix for DEBUG_VERBOSE mode after r156511. 2493 2494 * dfg/DFGSpeculativeJIT.cpp: 2495 (JSC::DFG::SpeculativeJIT::compileCurrentBlock): 2496 24972013-09-30 Gabor Rapcsanyi <rgabor@webkit.org> 2498 2499 Unreviewed. Speculative build fix on ARMv7 Thumb2 after r156490. 2500 2501 * dfg/DFGSpeculativeJIT.cpp: 2502 (JSC::DFG::fmodAsDFGOperation): 2503 25042013-09-29 Nadav Rotem <nrotem@apple.com> 2505 2506 FTL: refactor compileAdd and compileArithSub into one function. 2507 https://bugs.webkit.org/show_bug.cgi?id=122081 2508 2509 Reviewed by Geoffrey Garen. 2510 2511 * ftl/FTLLowerDFGToLLVM.cpp: 2512 (JSC::FTL::LowerDFGToLLVM::compileNode): 2513 (JSC::FTL::LowerDFGToLLVM::compileAddSub): 2514 25152013-09-29 Andreas Kling <akling@apple.com> 2516 2517 Pass VM instead of JSGlobalObject to function constructors. 2518 <https://webkit.org/b/122082> 2519 2520 Reviewed by Darin Adler. 2521 2522 Functions don't need anything from the global object during their 2523 construction and only use it to get to the VM. Reduce loads by 2524 simply passing the VM around instead. 2525 2526 This patch is mostly mechanical, I just changed the signature of 2527 InternalFunction and worked my way from there until it built. 2528 2529 JSC release binary size -= 4840 bytes. 2530 25312013-09-29 Andreas Kling <akling@apple.com> 2532 2533 Pass VM instead of JSGlobalObject to ArrayPrototype constructor. 2534 <https://webkit.org/b/122079> 2535 2536 Reviewed by Geoffrey Garen. 2537 2538 ArrayPrototype doesn't need the global object for anything during 2539 construction, so reduce the amount of loads by just passing the VM. 2540 25412013-09-29 Andreas Kling <akling@apple.com> 2542 2543 Pass VM instead of ExecState to simple builtin constructors. 2544 <https://webkit.org/b/122077> 2545 2546 Reviewed by Sam Weinig. 2547 2548 None of the simple builtins need the ExecState for anything during 2549 their construction, so reduce the amount of loads by just passing 2550 the VM around instead. 2551 25522013-09-29 Nadav Rotem <nrotem@apple.com> 2553 2554 Refactor code for finding x86 scratch register. 2555 https://bugs.webkit.org/show_bug.cgi?id=122072 2556 2557 Reviewed by Geoffrey Garen. 2558 2559 * assembler/MacroAssemblerX86Common.h: 2560 (JSC::MacroAssemblerX86Common::getUnusedRegister): 2561 (JSC::MacroAssemblerX86Common::store8): 2562 (JSC::MacroAssemblerX86Common::store16): 2563 25642013-09-28 Mark Rowe <mrowe@apple.com> 2565 2566 Take Xcode's advice and enable some extra warnings. 2567 2568 Reviewed by Sam Weinig. 2569 2570 * Configurations/Base.xcconfig: 2571 * JavaScriptCore.xcodeproj/project.pbxproj: 2572 25732013-09-28 Andreas Kling <akling@apple.com> 2574 2575 Pass VM instead of ExecState to JSFunction constructors. 2576 <https://webkit.org/b/122014> 2577 2578 Reviewed by Geoffrey Garen. 2579 2580 JSFunction doesn't need the ExecState for anything during its 2581 construction, so reduce the amount of loads by just passing the 2582 VM around instead. 2583 2584 Factored out putDirectNonIndexAccessor() from the existing 2585 putDirectAccessor() to avoid snowballing the patch (and because 2586 it's kinda neat to avoid the extra branch.) 2587 2588 JSC release binary size -= 9680 bytes. 2589 25902013-09-28 Mark Rowe <mrowe@apple.com> 2591 2592 JavaScriptCore fails to build with newer versions of clang. 2593 2594 Reviewed by Sam Weinig. 2595 2596 * interpreter/Interpreter.cpp: Remove an unused function. 2597 * parser/SourceProvider.cpp: Ditto. 2598 * runtime/GCActivityCallback.cpp: #if a constant that's only used on non-CF platforms. 2599 * runtime/JSCJSValue.cpp: Remove an unused constant. 2600 * runtime/JSString.cpp: Ditto. 2601 26022013-09-27 Filip Pizlo <fpizlo@apple.com> 2603 2604 Get rid of SetMyScope/SetCallee; use normal variables for the scope and callee of inlined call frames of closures 2605 https://bugs.webkit.org/show_bug.cgi?id=122047 2606 2607 Reviewed by Oliver Hunt. 2608 2609 Currently we have the DFG reserve space for inline call frames at exactly the same stack 2610 offsets that you would have gotten if the baseline interpreter/JIT had made the calls. 2611 We need to get rid of that. One of the weirder parts of this is that we have special DFG 2612 operations for accessing these inlined call frame headers. It's really hard for any 2613 analysis of DFG IR to see what the liveness of any of those frame header "variables" is; 2614 the liveness behaves like flushed arguments (it's all live until end of the inlinee) but 2615 we don't have anything like a Flush node for those special variables. 2616 2617 This patch gets rid of the special operations for accessing inline call frame headers. 2618 GetMyScope and GetCallee still remain, and are only for accessing the machine call 2619 frame's scope/callee entries. The inline call frame's scope/callee now behave like 2620 normal variables, and have Flush behavior just like inline arguments. 2621 2622 * dfg/DFGAbstractInterpreterInlines.h: 2623 (JSC::DFG::::executeEffects): 2624 * dfg/DFGByteCodeParser.cpp: 2625 (JSC::DFG::ByteCodeParser::getDirect): 2626 (JSC::DFG::ByteCodeParser::get): 2627 (JSC::DFG::ByteCodeParser::setDirect): 2628 (JSC::DFG::ByteCodeParser::set): 2629 (JSC::DFG::ByteCodeParser::setLocal): 2630 (JSC::DFG::ByteCodeParser::setArgument): 2631 (JSC::DFG::ByteCodeParser::flush): 2632 (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand): 2633 (JSC::DFG::ByteCodeParser::handleInlining): 2634 (JSC::DFG::ByteCodeParser::getScope): 2635 * dfg/DFGCSEPhase.cpp: 2636 (JSC::DFG::CSEPhase::getCalleeLoadElimination): 2637 (JSC::DFG::CSEPhase::getMyScopeLoadElimination): 2638 (JSC::DFG::CSEPhase::performNodeCSE): 2639 * dfg/DFGClobberize.h: 2640 (JSC::DFG::clobberize): 2641 * dfg/DFGFixupPhase.cpp: 2642 (JSC::DFG::FixupPhase::fixupNode): 2643 * dfg/DFGNodeType.h: 2644 * dfg/DFGPredictionPropagationPhase.cpp: 2645 (JSC::DFG::PredictionPropagationPhase::propagate): 2646 * dfg/DFGSafeToExecute.h: 2647 (JSC::DFG::safeToExecute): 2648 * dfg/DFGSpeculativeJIT32_64.cpp: 2649 (JSC::DFG::SpeculativeJIT::compile): 2650 * dfg/DFGSpeculativeJIT64.cpp: 2651 (JSC::DFG::SpeculativeJIT::compile): 2652 26532013-09-27 Filip Pizlo <fpizlo@apple.com> 2654 2655 Deoptimize 32-bit deoptimization 2656 https://bugs.webkit.org/show_bug.cgi?id=122025 2657 2658 Reviewed by Oliver Hunt. 2659 2660 Just simplifying a bunch of code. I don't want the old, super-complicated, 2661 deoptimization code to get in the way of changes I'll be making to DFG stack layout. 2662 2663 * bytecode/ValueRecovery.h: 2664 (JSC::ValueRecovery::inGPR): 2665 (JSC::ValueRecovery::isInRegisters): 2666 (JSC::ValueRecovery::gpr): 2667 (JSC::ValueRecovery::dumpInContext): 2668 * dfg/DFGOSRExitCompiler32_64.cpp: 2669 (JSC::DFG::OSRExitCompiler::compileExit): 2670 * dfg/DFGOSRExitCompiler64.cpp: 2671 (JSC::DFG::OSRExitCompiler::compileExit): 2672 26732013-09-27 Alex Christensen <alex.christensen@flexsim.com> 2674 2675 Fixed Win64 build after r156184. 2676 https://bugs.webkit.org/show_bug.cgi?id=121994 2677 2678 Reviewed by Oliver Hunt. 2679 2680 * jit/CCallHelpers.h: 2681 (JSC::CCallHelpers::setupTwoStubArgsGPR): 2682 (JSC::CCallHelpers::setupTwoStubArgsFPR): 2683 Renamed from setupTwoStubArgs. 2684 Visual Studio x64 compiler fails to see that this is an overloaded template function. 2685 (JSC::CCallHelpers::setupStubArguments): 2686 (JSC::CCallHelpers::setupArguments): 2687 (JSC::CCallHelpers::setupArgumentsWithExecState): 2688 Use setupTwoStubArgsGPR or setupTwoStubArgsFPR instead of setupTwoStubArgs. 2689 26902013-09-27 Gabor Rapcsanyi <rgabor@webkit.org> 2691 2692 LLInt alignment problem on ARM in debug mode 2693 https://bugs.webkit.org/show_bug.cgi?id=122012 2694 2695 Reviewed by Michael Saboff. 2696 2697 Force GCC to put the LLInt code to .text section. 2698 2699 * llint/LowLevelInterpreter.cpp: 2700 27012013-09-06 Jer Noble <jer.noble@apple.com> 2702 2703 [Mac] Implement the media controls in JavaScript. 2704 https://bugs.webkit.org/show_bug.cgi?id=120895 2705 2706 Reviewed by Dean Jackson. 2707 2708 Define and turn on ENABLE_MEDIA_CONTROLS_SCRIPT. 2709 2710 * Configurations/FeatureDefines.xcconfig: 2711 27122013-09-27 Andreas Kling <akling@apple.com> 2713 2714 Pass VM instead of ExecState to JSDateMath functions. 2715 <https://webkit.org/b/121997> 2716 2717 Reviewed by Geoffrey Garen. 2718 2719 The JSC date math functions only need the VM, so pass that from 2720 callers instead of the whole ExecState. 2721 27222013-09-26 Andreas Kling <akling@apple.com> 2723 2724 GetterSetter construction should take a VM instead of ExecState. 2725 <https://webkit.org/b/121993> 2726 2727 Reviewed by Sam Weinig. 2728 2729 Pass VM& instead of ExecState* to GetterSetter. Updated surrounding 2730 code at touched sites to cache VM in a local for fewer loads. 2731 2732 JSC release binary size -= 4120 bytes. 2733 27342013-09-26 Oliver Hunt <oliver@apple.com> 2735 2736 Make GCC happy 2737 2738 * parser/Parser.h: 2739 27402013-09-25 Oliver Hunt <oliver@apple.com> 2741 2742 Implement prefixed-destructuring assignment 2743 https://bugs.webkit.org/show_bug.cgi?id=121930 2744 2745 Reviewed by Mark Hahnenberg. 2746 2747 Relanding with fix after rollout 2748 27492013-09-26 Michael Saboff <msaboff@apple.com> 2750 2751 VirtualRegister should be a class 2752 https://bugs.webkit.org/show_bug.cgi?id=121732 2753 2754 Reviewed by Geoffrey Garen. 2755 2756 This is a refactoring change. Changed VirtualRegister from an enum to a class. 2757 Moved Operands::operandIsArgument(), operandToArgument(), argumentToOperand() 2758 and the similar functions for locals to VirtualRegister class. 2759 2760 This is in preparation for changing the offset for the first local register from 2761 0 to -1. This is needed since most native calling conventions have the architected 2762 frame pointer (e.g. %rbp for X86) point at the slot that stores the previous frame 2763 pointer. Local values start below that address. 2764 2765 * bytecode/CodeBlock.cpp: 2766 * bytecode/CodeBlock.h: 2767 * bytecode/Instruction.h: 2768 * bytecode/LazyOperandValueProfile.h: 2769 * bytecode/MethodOfGettingAValueProfile.cpp: 2770 * bytecode/Operands.h: 2771 * bytecode/UnlinkedCodeBlock.cpp: 2772 * bytecode/UnlinkedCodeBlock.h: 2773 * bytecode/ValueRecovery.h: 2774 * bytecode/VirtualRegister.h: 2775 * bytecompiler/BytecodeGenerator.cpp: 2776 * bytecompiler/BytecodeGenerator.h: 2777 * bytecompiler/RegisterID.h: 2778 * debugger/DebuggerCallFrame.cpp: 2779 * dfg/DFGAbstractHeap.h: 2780 * dfg/DFGAbstractInterpreterInlines.h: 2781 * dfg/DFGArgumentPosition.h: 2782 * dfg/DFGArgumentsSimplificationPhase.cpp: 2783 * dfg/DFGByteCodeParser.cpp: 2784 * dfg/DFGCFGSimplificationPhase.cpp: 2785 * dfg/DFGCPSRethreadingPhase.cpp: 2786 * dfg/DFGCapabilities.cpp: 2787 * dfg/DFGConstantFoldingPhase.cpp: 2788 * dfg/DFGFlushLivenessAnalysisPhase.cpp: 2789 * dfg/DFGGraph.cpp: 2790 * dfg/DFGGraph.h: 2791 * dfg/DFGJITCode.cpp: 2792 * dfg/DFGNode.h: 2793 * dfg/DFGOSREntry.cpp: 2794 * dfg/DFGOSREntrypointCreationPhase.cpp: 2795 * dfg/DFGOSRExit.h: 2796 * dfg/DFGOSRExitCompiler32_64.cpp: 2797 * dfg/DFGOSRExitCompiler64.cpp: 2798 * dfg/DFGRegisterBank.h: 2799 * dfg/DFGScoreBoard.h: 2800 * dfg/DFGSpeculativeJIT.cpp: 2801 * dfg/DFGSpeculativeJIT.h: 2802 * dfg/DFGSpeculativeJIT32_64.cpp: 2803 * dfg/DFGSpeculativeJIT64.cpp: 2804 * dfg/DFGValidate.cpp: 2805 * dfg/DFGValueRecoveryOverride.h: 2806 * dfg/DFGVariableAccessData.h: 2807 * dfg/DFGVariableEvent.h: 2808 * dfg/DFGVariableEventStream.cpp: 2809 * dfg/DFGVirtualRegisterAllocationPhase.cpp: 2810 * ftl/FTLExitArgumentForOperand.h: 2811 * ftl/FTLLink.cpp: 2812 * ftl/FTLLowerDFGToLLVM.cpp: 2813 * ftl/FTLOSREntry.cpp: 2814 * ftl/FTLOSRExit.cpp: 2815 * ftl/FTLOSRExit.h: 2816 * ftl/FTLOSRExitCompiler.cpp: 2817 * interpreter/CallFrame.h: 2818 * interpreter/Interpreter.cpp: 2819 * jit/AssemblyHelpers.h: 2820 * jit/JIT.h: 2821 * jit/JITCall.cpp: 2822 * jit/JITCall32_64.cpp: 2823 * jit/JITInlines.h: 2824 * jit/JITOpcodes.cpp: 2825 * jit/JITOpcodes32_64.cpp: 2826 * jit/JITPropertyAccess32_64.cpp: 2827 * jit/JITStubs.cpp: 2828 * llint/LLIntSlowPaths.cpp: 2829 * profiler/ProfilerBytecodeSequence.cpp: 2830 * runtime/CommonSlowPaths.cpp: 2831 * runtime/JSActivation.cpp: 2832 28332013-09-26 Anders Carlsson <andersca@apple.com> 2834 2835 Work around another MSVC bug. 2836 2837 * runtime/PrototypeMap.cpp: 2838 (JSC::PrototypeMap::emptyObjectStructureForPrototype): 2839 28402013-09-26 Anders Carlsson <andersca@apple.com> 2841 2842 Attempt to fix the FTL build. 2843 2844 * ftl/FTLAbstractHeap.cpp: 2845 (JSC::FTL::IndexedAbstractHeap::atSlow): 2846 28472013-09-26 Andreas Kling <akling@apple.com> 2848 2849 Pass VM instead of ExecState to many finishCreation() functions. 2850 <https://webkit.org/b/121975> 2851 2852 Reviewed by Sam Weinig. 2853 2854 Reduce unnecessary loads by passing the VM to object creation 2855 functions that don't need the ExecState. 2856 2857 There are tons of opportunities in this area, I'm just scratching 2858 the surface. 2859 28602013-09-26 Commit Queue <commit-queue@webkit.org> 2861 2862 Unreviewed, rolling out r156464 and r156480. 2863 http://trac.webkit.org/changeset/156464 2864 http://trac.webkit.org/changeset/156480 2865 https://bugs.webkit.org/show_bug.cgi?id=121981 2866 2867 Leaking too much and killing buildbot. (Requested by xenon on 2868 #webkit). 2869 2870 * bytecode/UnlinkedCodeBlock.cpp: 2871 (JSC::UnlinkedFunctionExecutable::paramString): 2872 * bytecompiler/BytecodeGenerator.cpp: 2873 (JSC::BytecodeGenerator::BytecodeGenerator): 2874 * bytecompiler/BytecodeGenerator.h: 2875 (JSC::BytecodeGenerator::emitExpressionInfo): 2876 * bytecompiler/NodesCodegen.cpp: 2877 (JSC::ForInNode::emitBytecode): 2878 (JSC::FuncExprNode::emitBytecode): 2879 * parser/ASTBuilder.h: 2880 (JSC::ASTBuilder::createFormalParameterList): 2881 (JSC::ASTBuilder::createForInLoop): 2882 (JSC::ASTBuilder::addVar): 2883 * parser/NodeConstructors.h: 2884 (JSC::CommaNode::CommaNode): 2885 (JSC::ParameterNode::ParameterNode): 2886 (JSC::ForInNode::ForInNode): 2887 * parser/Nodes.cpp: 2888 (JSC::FunctionParameters::create): 2889 (JSC::FunctionParameters::FunctionParameters): 2890 (JSC::FunctionParameters::~FunctionParameters): 2891 * parser/Nodes.h: 2892 (JSC::CommaNode::append): 2893 (JSC::ParameterNode::ident): 2894 (JSC::FunctionParameters::at): 2895 (JSC::FunctionParameters::identifiers): 2896 * parser/Parser.cpp: 2897 (JSC::::Parser): 2898 (JSC::::parseVarDeclaration): 2899 (JSC::::parseVarDeclarationList): 2900 (JSC::::parseForStatement): 2901 (JSC::::parseFormalParameters): 2902 (JSC::::parseAssignmentExpression): 2903 * parser/Parser.h: 2904 (JSC::Scope::declareParameter): 2905 * parser/SyntaxChecker.h: 2906 (JSC::SyntaxChecker::createFormalParameterList): 2907 (JSC::SyntaxChecker::createForInLoop): 2908 (JSC::SyntaxChecker::operatorStackPop): 2909 * runtime/JSONObject.cpp: 2910 * runtime/JSONObject.h: 2911 29122013-09-26 Anders Carlsson <andersca@apple.com> 2913 2914 Try to fix the Windows build. 2915 2916 * jit/JITThunks.cpp: 2917 (JSC::JITThunks::hostFunctionStub): 2918 * jit/JITThunks.h: 2919 29202013-09-26 Anders Carlsson <andersca@apple.com> 2921 2922 Change a couple of HashMap value types from OwnPtr to std::unique_ptr 2923 https://bugs.webkit.org/show_bug.cgi?id=121973 2924 2925 Reviewed by Andreas Kling. 2926 2927 * API/JSClassRef.cpp: 2928 (OpaqueJSClassContextData::OpaqueJSClassContextData): 2929 (OpaqueJSClass::contextData): 2930 * API/JSClassRef.h: 2931 * bytecode/SamplingTool.h: 2932 * ftl/FTLAbstractHeap.h: 2933 * parser/Parser.cpp: 2934 (JSC::::parseFunctionInfo): 2935 * parser/SourceProviderCache.cpp: 2936 (JSC::SourceProviderCache::add): 2937 * parser/SourceProviderCache.h: 2938 * parser/SourceProviderCacheItem.h: 2939 (JSC::SourceProviderCacheItem::create): 2940 * profiler/ProfilerCompilation.cpp: 2941 (JSC::Profiler::Compilation::executionCounterFor): 2942 (JSC::Profiler::Compilation::toJS): 2943 * profiler/ProfilerCompilation.h: 2944 * runtime/JSGlobalObject.h: 2945 29462013-09-26 Mark Lam <mark.lam@apple.com> 2947 2948 Move DFG inline caching logic into jit/. 2949 https://bugs.webkit.org/show_bug.cgi?id=121749. 2950 2951 Reviewed by Geoffrey Garen. 2952 2953 Relanding http://trac.webkit.org/changeset/156235 after rebasing to latest 2954 revision and fixing build breakages on Windows. 2955 2956 * CMakeLists.txt: 2957 * GNUmakefile.list.am: 2958 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 2959 * JavaScriptCore.xcodeproj/project.pbxproj: 2960 * Target.pri: 2961 * bytecode/CallLinkInfo.cpp: 2962 (JSC::CallLinkInfo::unlink): 2963 * bytecode/CodeBlock.cpp: 2964 (JSC::CodeBlock::resetStubInternal): 2965 * bytecode/StructureStubInfo.h: 2966 * dfg/DFGCallArrayAllocatorSlowPathGenerator.h: 2967 (JSC::DFG::CallArrayAllocatorSlowPathGenerator::CallArrayAllocatorSlowPathGenerator): 2968 (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator): 2969 * dfg/DFGJITCompiler.h: 2970 * dfg/DFGOSRExitCompiler.h: 2971 * dfg/DFGOperations.cpp: 2972 (JSC::DFG::operationPutByValInternal): 2973 * dfg/DFGOperations.h: 2974 (JSC::DFG::operationNewTypedArrayWithSizeForType): 2975 (JSC::DFG::operationNewTypedArrayWithOneArgumentForType): 2976 * dfg/DFGRegisterSet.h: Removed. 2977 * dfg/DFGRepatch.cpp: Removed. 2978 * dfg/DFGRepatch.h: Removed. 2979 * dfg/DFGScratchRegisterAllocator.h: Removed. 2980 * dfg/DFGSpeculativeJIT.cpp: 2981 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): 2982 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): 2983 (JSC::DFG::SpeculativeJIT::compare): 2984 * dfg/DFGSpeculativeJIT.h: 2985 (JSC::DFG::SpeculativeJIT::callOperation): 2986 * dfg/DFGSpeculativeJIT32_64.cpp: 2987 (JSC::DFG::SpeculativeJIT::cachedPutById): 2988 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): 2989 (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): 2990 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): 2991 (JSC::DFG::SpeculativeJIT::compile): 2992 * dfg/DFGSpeculativeJIT64.cpp: 2993 (JSC::DFG::SpeculativeJIT::cachedPutById): 2994 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): 2995 (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): 2996 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): 2997 (JSC::DFG::SpeculativeJIT::compile): 2998 * dfg/DFGThunks.cpp: 2999 * dfg/DFGThunks.h: 3000 * ftl/FTLIntrinsicRepository.h: 3001 * ftl/FTLLowerDFGToLLVM.cpp: 3002 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): 3003 * ftl/FTLOSRExitCompiler.h: 3004 * jit/AssemblyHelpers.h: 3005 (JSC::AssemblyHelpers::writeBarrier): 3006 * jit/JIT.cpp: 3007 (JSC::JIT::linkFor): 3008 (JSC::JIT::linkSlowCall): 3009 * jit/JITCall.cpp: 3010 (JSC::JIT::compileCallEvalSlowCase): 3011 (JSC::JIT::compileOpCallSlowCase): 3012 (JSC::JIT::privateCompileClosureCall): 3013 * jit/JITCall32_64.cpp: 3014 (JSC::JIT::compileCallEvalSlowCase): 3015 (JSC::JIT::compileOpCallSlowCase): 3016 (JSC::JIT::privateCompileClosureCall): 3017 * jit/JITOperationWrappers.h: Copied from Source/JavaScriptCore/jit/JITOperationWrappers.h. 3018 * jit/JITOperations.cpp: Copied from Source/JavaScriptCore/jit/JITOperations.cpp. 3019 (JSC::getHostCallReturnValueWithExecState): 3020 * jit/JITOperations.h: Copied from Source/JavaScriptCore/jit/JITOperations.h. 3021 * jit/RegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h. 3022 * jit/Repatch.cpp: Copied from Source/JavaScriptCore/jit/Repatch.cpp. 3023 (JSC::tryBuildGetByIDList): 3024 * jit/Repatch.h: Copied from Source/JavaScriptCore/jit/Repatch.h. 3025 * jit/ScratchRegisterAllocator.h: Copied from Source/JavaScriptCore/jit/ScratchRegisterAllocator.h. 3026 * jit/ThunkGenerators.cpp: 3027 (JSC::oldStyleGenerateSlowCaseFor): 3028 (JSC::oldStyleLinkForGenerator): 3029 (JSC::oldStyleLinkCallGenerator): 3030 (JSC::oldStyleLinkConstructGenerator): 3031 (JSC::oldStyleLinkClosureCallGenerator): 3032 (JSC::oldStyleVirtualForGenerator): 3033 (JSC::oldStyleVirtualCallGenerator): 3034 (JSC::oldStyleVirtualConstructGenerator): 3035 (JSC::emitPointerValidation): 3036 (JSC::throwExceptionFromCallSlowPathGenerator): 3037 (JSC::slowPathFor): 3038 (JSC::linkForThunkGenerator): 3039 (JSC::linkCallThunkGenerator): 3040 (JSC::linkConstructThunkGenerator): 3041 (JSC::linkClosureCallThunkGenerator): 3042 (JSC::virtualForThunkGenerator): 3043 (JSC::virtualCallThunkGenerator): 3044 (JSC::virtualConstructThunkGenerator): 3045 * jit/ThunkGenerators.h: 3046 30472013-09-26 Anders Carlsson <andersca@apple.com> 3048 3049 Remove PassWeak.h 3050 https://bugs.webkit.org/show_bug.cgi?id=121971 3051 3052 Reviewed by Geoffrey Garen. 3053 3054 * GNUmakefile.list.am: 3055 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 3056 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 3057 * JavaScriptCore.xcodeproj/project.pbxproj: 3058 * heap/PassWeak.h: Removed. 3059 * heap/WeakInlines.h: 3060 30612013-09-26 Anders Carlsson <andersca@apple.com> 3062 3063 Stop using PassWeak 3064 https://bugs.webkit.org/show_bug.cgi?id=121968 3065 3066 Reviewed by Sam Weinig. 3067 3068 * heap/Weak.h: 3069 Remove all knowledge of PassWeak. 3070 3071 (JSC::Weak::Weak): 3072 These constructors don't need to be explicit. 3073 3074 * heap/WeakInlines.h: 3075 (JSC::weakAdd): 3076 Change Value to be an rvalue reference and use std::forward. 3077 3078 * jit/JITThunks.cpp: 3079 (JSC::JITThunks::hostFunctionStub): 3080 Remove PassWeak. 3081 3082 * runtime/RegExpCache.cpp: 3083 (JSC::RegExpCache::lookupOrCreate): 3084 Use Weak instead of PassWeak. 3085 3086 * runtime/SimpleTypedArrayController.cpp: 3087 Change add and set to take Weak by value and std::move into place. 3088 3089 * runtime/WeakGCMap.h: 3090 (JSC::WeakGCMap::get): 3091 (JSC::WeakGCMap::set): 3092 (JSC::WeakGCMap::add): 3093 30942013-09-26 Commit Queue <commit-queue@webkit.org> 3095 3096 Unreviewed, rolling out r156474. 3097 http://trac.webkit.org/changeset/156474 3098 https://bugs.webkit.org/show_bug.cgi?id=121966 3099 3100 Broke the builds. (Requested by xenon on #webkit). 3101 3102 * bytecode/CodeBlock.cpp: 3103 (JSC::CodeBlock::registerName): 3104 (JSC::CodeBlock::dumpBytecode): 3105 (JSC::CodeBlock::CodeBlock): 3106 (JSC::CodeBlock::createActivation): 3107 (JSC::CodeBlock::nameForRegister): 3108 * bytecode/CodeBlock.h: 3109 (JSC::unmodifiedArgumentsRegister): 3110 (JSC::CodeBlock::isKnownNotImmediate): 3111 (JSC::CodeBlock::setThisRegister): 3112 (JSC::CodeBlock::thisRegister): 3113 (JSC::CodeBlock::setArgumentsRegister): 3114 (JSC::CodeBlock::argumentsRegister): 3115 (JSC::CodeBlock::uncheckedArgumentsRegister): 3116 (JSC::CodeBlock::setActivationRegister): 3117 (JSC::CodeBlock::activationRegister): 3118 (JSC::CodeBlock::uncheckedActivationRegister): 3119 (JSC::CodeBlock::usesArguments): 3120 (JSC::CodeBlock::isCaptured): 3121 * bytecode/Instruction.h: 3122 * bytecode/LazyOperandValueProfile.h: 3123 (JSC::LazyOperandValueProfileKey::LazyOperandValueProfileKey): 3124 (JSC::LazyOperandValueProfileKey::operator!): 3125 (JSC::LazyOperandValueProfileKey::hash): 3126 (JSC::LazyOperandValueProfileKey::operand): 3127 (JSC::LazyOperandValueProfileKey::isHashTableDeletedValue): 3128 (JSC::LazyOperandValueProfile::LazyOperandValueProfile): 3129 * bytecode/MethodOfGettingAValueProfile.cpp: 3130 (JSC::MethodOfGettingAValueProfile::fromLazyOperand): 3131 (JSC::MethodOfGettingAValueProfile::getSpecFailBucket): 3132 * bytecode/Operands.h: 3133 (JSC::localToOperand): 3134 (JSC::operandIsLocal): 3135 (JSC::operandToLocal): 3136 (JSC::operandIsArgument): 3137 (JSC::operandToArgument): 3138 (JSC::argumentToOperand): 3139 (JSC::Operands::operand): 3140 (JSC::Operands::hasOperand): 3141 (JSC::Operands::setOperand): 3142 (JSC::Operands::operandForIndex): 3143 (JSC::Operands::setOperandFirstTime): 3144 * bytecode/UnlinkedCodeBlock.cpp: 3145 (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): 3146 * bytecode/UnlinkedCodeBlock.h: 3147 (JSC::UnlinkedCodeBlock::setThisRegister): 3148 (JSC::UnlinkedCodeBlock::setActivationRegister): 3149 (JSC::UnlinkedCodeBlock::setArgumentsRegister): 3150 (JSC::UnlinkedCodeBlock::usesArguments): 3151 (JSC::UnlinkedCodeBlock::argumentsRegister): 3152 (JSC::UnlinkedCodeBlock::usesGlobalObject): 3153 (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): 3154 (JSC::UnlinkedCodeBlock::globalObjectRegister): 3155 (JSC::UnlinkedCodeBlock::thisRegister): 3156 (JSC::UnlinkedCodeBlock::activationRegister): 3157 * bytecode/ValueRecovery.h: 3158 (JSC::ValueRecovery::displacedInJSStack): 3159 (JSC::ValueRecovery::virtualRegister): 3160 (JSC::ValueRecovery::dumpInContext): 3161 * bytecode/VirtualRegister.h: 3162 (WTF::printInternal): 3163 * bytecompiler/BytecodeGenerator.cpp: 3164 (JSC::BytecodeGenerator::generate): 3165 (JSC::BytecodeGenerator::addVar): 3166 (JSC::BytecodeGenerator::BytecodeGenerator): 3167 (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): 3168 (JSC::BytecodeGenerator::newRegister): 3169 (JSC::BytecodeGenerator::emitLoadGlobalObject): 3170 (JSC::BytecodeGenerator::emitGetArgumentsLength): 3171 (JSC::BytecodeGenerator::emitGetArgumentByVal): 3172 (JSC::BytecodeGenerator::createArgumentsIfNecessary): 3173 (JSC::BytecodeGenerator::emitReturn): 3174 * bytecompiler/BytecodeGenerator.h: 3175 (JSC::BytecodeGenerator::registerFor): 3176 * bytecompiler/RegisterID.h: 3177 (JSC::RegisterID::RegisterID): 3178 (JSC::RegisterID::setIndex): 3179 (JSC::RegisterID::index): 3180 * debugger/DebuggerCallFrame.cpp: 3181 (JSC::DebuggerCallFrame::thisObject): 3182 * dfg/DFGAbstractHeap.h: 3183 (JSC::DFG::AbstractHeap::Payload::Payload): 3184 * dfg/DFGAbstractInterpreterInlines.h: 3185 (JSC::DFG::::executeEffects): 3186 (JSC::DFG::::clobberCapturedVars): 3187 * dfg/DFGArgumentPosition.h: 3188 (JSC::DFG::ArgumentPosition::dump): 3189 * dfg/DFGArgumentsSimplificationPhase.cpp: 3190 (JSC::DFG::ArgumentsSimplificationPhase::run): 3191 (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse): 3192 (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize): 3193 * dfg/DFGByteCodeParser.cpp: 3194 (JSC::DFG::ByteCodeParser::newVariableAccessData): 3195 (JSC::DFG::ByteCodeParser::getDirect): 3196 (JSC::DFG::ByteCodeParser::get): 3197 (JSC::DFG::ByteCodeParser::setDirect): 3198 (JSC::DFG::ByteCodeParser::set): 3199 (JSC::DFG::ByteCodeParser::getLocal): 3200 (JSC::DFG::ByteCodeParser::setLocal): 3201 (JSC::DFG::ByteCodeParser::getArgument): 3202 (JSC::DFG::ByteCodeParser::setArgument): 3203 (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal): 3204 (JSC::DFG::ByteCodeParser::findArgumentPosition): 3205 (JSC::DFG::ByteCodeParser::flush): 3206 (JSC::DFG::ByteCodeParser::flushDirect): 3207 (JSC::DFG::ByteCodeParser::getToInt32): 3208 (JSC::DFG::ByteCodeParser::getThis): 3209 (JSC::DFG::ByteCodeParser::addCall): 3210 (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand): 3211 (JSC::DFG::ByteCodeParser::handleCall): 3212 (JSC::DFG::ByteCodeParser::emitFunctionChecks): 3213 (JSC::DFG::ByteCodeParser::emitArgumentPhantoms): 3214 (JSC::DFG::ByteCodeParser::handleInlining): 3215 (JSC::DFG::ByteCodeParser::handleMinMax): 3216 (JSC::DFG::ByteCodeParser::handleIntrinsic): 3217 (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor): 3218 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): 3219 (JSC::DFG::ByteCodeParser::handleGetByOffset): 3220 (JSC::DFG::ByteCodeParser::handleGetById): 3221 (JSC::DFG::ByteCodeParser::parseBlock): 3222 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): 3223 (JSC::DFG::ByteCodeParser::parse): 3224 * dfg/DFGCFGSimplificationPhase.cpp: 3225 * dfg/DFGCPSRethreadingPhase.cpp: 3226 (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocal): 3227 (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocal): 3228 (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument): 3229 * dfg/DFGCapabilities.cpp: 3230 (JSC::DFG::capabilityLevel): 3231 * dfg/DFGConstantFoldingPhase.cpp: 3232 (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter): 3233 * dfg/DFGFlushLivenessAnalysisPhase.cpp: 3234 (JSC::DFG::FlushLivenessAnalysisPhase::setForNode): 3235 * dfg/DFGGraph.cpp: 3236 (JSC::DFG::Graph::dump): 3237 * dfg/DFGGraph.h: 3238 (JSC::DFG::Graph::argumentsRegisterFor): 3239 (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): 3240 (JSC::DFG::Graph::uncheckedActivationRegisterFor): 3241 (JSC::DFG::Graph::valueProfileFor): 3242 * dfg/DFGJITCode.cpp: 3243 (JSC::DFG::JITCode::reconstruct): 3244 * dfg/DFGNode.h: 3245 (JSC::DFG::Node::Node): 3246 (JSC::DFG::Node::convertToGetLocalUnlinked): 3247 (JSC::DFG::Node::hasVirtualRegister): 3248 (JSC::DFG::Node::virtualRegister): 3249 (JSC::DFG::Node::setVirtualRegister): 3250 * dfg/DFGOSREntry.cpp: 3251 (JSC::DFG::prepareOSREntry): 3252 * dfg/DFGOSREntrypointCreationPhase.cpp: 3253 (JSC::DFG::OSREntrypointCreationPhase::run): 3254 * dfg/DFGOSRExit.h: 3255 * dfg/DFGOSRExitCompiler32_64.cpp: 3256 (JSC::DFG::OSRExitCompiler::compileExit): 3257 * dfg/DFGOSRExitCompiler64.cpp: 3258 (JSC::DFG::OSRExitCompiler::compileExit): 3259 * dfg/DFGRegisterBank.h: 3260 (JSC::DFG::RegisterBank::tryAllocate): 3261 (JSC::DFG::RegisterBank::allocateSpecific): 3262 (JSC::DFG::RegisterBank::retain): 3263 (JSC::DFG::RegisterBank::isInUse): 3264 (JSC::DFG::RegisterBank::dump): 3265 (JSC::DFG::RegisterBank::releaseAtIndex): 3266 (JSC::DFG::RegisterBank::allocateInternal): 3267 (JSC::DFG::RegisterBank::MapEntry::MapEntry): 3268 * dfg/DFGScoreBoard.h: 3269 (JSC::DFG::ScoreBoard::allocate): 3270 (JSC::DFG::ScoreBoard::use): 3271 * dfg/DFGSpeculativeJIT.cpp: 3272 (JSC::DFG::SpeculativeJIT::SpeculativeJIT): 3273 (JSC::DFG::SpeculativeJIT::checkConsistency): 3274 (JSC::DFG::SpeculativeJIT::compileMovHint): 3275 (JSC::DFG::SpeculativeJIT::compileInlineStart): 3276 (JSC::DFG::SpeculativeJIT::compileCurrentBlock): 3277 * dfg/DFGSpeculativeJIT.h: 3278 (JSC::DFG::SpeculativeJIT::allocate): 3279 (JSC::DFG::SpeculativeJIT::fprAllocate): 3280 (JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl): 3281 (JSC::DFG::SpeculativeJIT::flushRegisters): 3282 (JSC::DFG::SpeculativeJIT::isFlushed): 3283 (JSC::DFG::SpeculativeJIT::argumentSlot): 3284 (JSC::DFG::SpeculativeJIT::argumentTagSlot): 3285 (JSC::DFG::SpeculativeJIT::argumentPayloadSlot): 3286 (JSC::DFG::SpeculativeJIT::valueSourceForOperand): 3287 (JSC::DFG::SpeculativeJIT::setNodeForOperand): 3288 (JSC::DFG::SpeculativeJIT::valueSourceReferenceForOperand): 3289 (JSC::DFG::SpeculativeJIT::recordSetLocal): 3290 (JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister): 3291 (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor): 3292 * dfg/DFGSpeculativeJIT64.cpp: 3293 (JSC::DFG::SpeculativeJIT::compile): 3294 * dfg/DFGValidate.cpp: 3295 (JSC::DFG::Validate::validate): 3296 (JSC::DFG::Validate::validateCPS): 3297 (JSC::DFG::Validate::checkOperand): 3298 (JSC::DFG::Validate::reportValidationContext): 3299 * dfg/DFGValueRecoveryOverride.h: 3300 (JSC::DFG::ValueRecoveryOverride::ValueRecoveryOverride): 3301 * dfg/DFGVariableAccessData.h: 3302 (JSC::DFG::VariableAccessData::operand): 3303 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): 3304 (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): 3305 (JSC::DFG::VariableAccessData::flushFormat): 3306 * dfg/DFGVariableEvent.h: 3307 (JSC::DFG::VariableEvent::spill): 3308 (JSC::DFG::VariableEvent::setLocal): 3309 * dfg/DFGVariableEventStream.cpp: 3310 (JSC::DFG::VariableEventStream::reconstruct): 3311 * dfg/DFGVirtualRegisterAllocationPhase.cpp: 3312 (JSC::DFG::VirtualRegisterAllocationPhase::run): 3313 * ftl/FTLExitArgumentForOperand.h: 3314 (JSC::FTL::ExitArgumentForOperand::ExitArgumentForOperand): 3315 (JSC::FTL::ExitArgumentForOperand::operand): 3316 * ftl/FTLLink.cpp: 3317 (JSC::FTL::link): 3318 * ftl/FTLLowerDFGToLLVM.cpp: 3319 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM): 3320 (JSC::FTL::LowerDFGToLLVM::compileGetArgument): 3321 (JSC::FTL::LowerDFGToLLVM::compileExtractOSREntryLocal): 3322 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): 3323 (JSC::FTL::LowerDFGToLLVM::appendOSRExit): 3324 (JSC::FTL::LowerDFGToLLVM::observeMovHint): 3325 (JSC::FTL::LowerDFGToLLVM::addressFor): 3326 (JSC::FTL::LowerDFGToLLVM::payloadFor): 3327 (JSC::FTL::LowerDFGToLLVM::tagFor): 3328 * ftl/FTLOSREntry.cpp: 3329 (JSC::FTL::prepareOSREntry): 3330 * ftl/FTLOSRExit.cpp: 3331 (JSC::FTL::OSRExit::convertToForward): 3332 * ftl/FTLOSRExit.h: 3333 * ftl/FTLOSRExitCompiler.cpp: 3334 (JSC::FTL::compileStub): 3335 * interpreter/CallFrame.h: 3336 * interpreter/Interpreter.cpp: 3337 (JSC::Interpreter::dumpRegisters): 3338 (JSC::unwindCallFrame): 3339 (JSC::Interpreter::unwind): 3340 * jit/AssemblyHelpers.h: 3341 (JSC::AssemblyHelpers::addressFor): 3342 (JSC::AssemblyHelpers::tagFor): 3343 (JSC::AssemblyHelpers::payloadFor): 3344 (JSC::AssemblyHelpers::argumentsRegisterFor): 3345 * jit/JIT.h: 3346 * jit/JITCall.cpp: 3347 (JSC::JIT::compileLoadVarargs): 3348 * jit/JITInlines.h: 3349 (JSC::JIT::emitGetVirtualRegister): 3350 * jit/JITOpcodes.cpp: 3351 (JSC::JIT::emit_op_tear_off_arguments): 3352 (JSC::JIT::emit_op_get_pnames): 3353 (JSC::JIT::emit_op_enter): 3354 (JSC::JIT::emit_op_create_arguments): 3355 (JSC::JIT::emitSlow_op_get_argument_by_val): 3356 * jit/JITOpcodes32_64.cpp: 3357 (JSC::JIT::emit_op_enter): 3358 * jit/JITStubs.cpp: 3359 (JSC::DEFINE_STUB_FUNCTION): 3360 * llint/LLIntSlowPaths.cpp: 3361 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 3362 * profiler/ProfilerBytecodeSequence.cpp: 3363 (JSC::Profiler::BytecodeSequence::BytecodeSequence): 3364 * runtime/CommonSlowPaths.cpp: 3365 (JSC::SLOW_PATH_DECL): 3366 * runtime/JSActivation.cpp: 3367 (JSC::JSActivation::argumentsGetter): 3368 33692013-09-26 Oliver Hunt <oliver@apple.com> 3370 3371 Attempt to fix MSVC build 3372 3373 * parser/Parser.cpp: 3374 (JSC::::createBindingPattern): 3375 (JSC::::parseDeconstructionPattern): 3376 * parser/Parser.h: 3377 33782013-09-26 Julien Brianceau <jbriance@cisco.com> 3379 3380 [sh4] JSValue* exception is unused since r70703 in JITStackFrame. 3381 https://bugs.webkit.org/show_bug.cgi?id=121962 3382 3383 This is a cosmetic change, but it could avoid people reading sh4 part to 3384 waste time to understand why there is a JSValue* here. 3385 3386 Reviewed by Darin Adler. 3387 3388 * jit/JITStubs.h: 3389 33902013-09-26 Anders Carlsson <andersca@apple.com> 3391 3392 WeakGCMap should not inherit from HashMap 3393 https://bugs.webkit.org/show_bug.cgi?id=121964 3394 3395 Reviewed by Geoffrey Garen. 3396 3397 Add the HashMap as a member variable instead and implement the missing member functions. 3398 3399 * runtime/WeakGCMap.h: 3400 34012013-09-25 Michael Saboff <msaboff@apple.com> 3402 3403 VirtualRegister should be a class 3404 https://bugs.webkit.org/show_bug.cgi?id=121732 3405 3406 Reviewed by Geoffrey Garen. 3407 3408 This is a refactoring change. Changed VirtualRegister from an enum to a class. 3409 Moved Operands::operandIsArgument(), operandToArgument(), argumentToOperand() 3410 and the similar functions for locals to VirtualRegister class. 3411 3412 This is in preparation for changing the offset for the first local register from 3413 0 to -1. This is needed since most native calling conventions have the architected 3414 frame pointer (e.g. %rbp for X86) point at the slot that stores the previous frame 3415 pointer. Local values start below that address. 3416 3417 * bytecode/CodeBlock.cpp: 3418 * bytecode/CodeBlock.h: 3419 * bytecode/Instruction.h: 3420 * bytecode/LazyOperandValueProfile.h: 3421 * bytecode/MethodOfGettingAValueProfile.cpp: 3422 * bytecode/Operands.h: 3423 * bytecode/UnlinkedCodeBlock.cpp: 3424 * bytecode/UnlinkedCodeBlock.h: 3425 * bytecode/ValueRecovery.h: 3426 * bytecode/VirtualRegister.h: 3427 * bytecompiler/BytecodeGenerator.cpp: 3428 * bytecompiler/BytecodeGenerator.h: 3429 * bytecompiler/RegisterID.h: 3430 * debugger/DebuggerCallFrame.cpp: 3431 * dfg/DFGAbstractHeap.h: 3432 * dfg/DFGAbstractInterpreterInlines.h: 3433 * dfg/DFGArgumentPosition.h: 3434 * dfg/DFGArgumentsSimplificationPhase.cpp: 3435 * dfg/DFGByteCodeParser.cpp: 3436 * dfg/DFGCFGSimplificationPhase.cpp: 3437 * dfg/DFGCPSRethreadingPhase.cpp: 3438 * dfg/DFGCapabilities.cpp: 3439 * dfg/DFGConstantFoldingPhase.cpp: 3440 * dfg/DFGFlushLivenessAnalysisPhase.cpp: 3441 * dfg/DFGGraph.cpp: 3442 * dfg/DFGGraph.h: 3443 * dfg/DFGJITCode.cpp: 3444 * dfg/DFGNode.h: 3445 * dfg/DFGOSREntry.cpp: 3446 * dfg/DFGOSREntrypointCreationPhase.cpp: 3447 * dfg/DFGOSRExit.h: 3448 * dfg/DFGOSRExitCompiler32_64.cpp: 3449 * dfg/DFGOSRExitCompiler64.cpp: 3450 * dfg/DFGRegisterBank.h: 3451 * dfg/DFGScoreBoard.h: 3452 * dfg/DFGSpeculativeJIT.cpp: 3453 * dfg/DFGSpeculativeJIT.h: 3454 * dfg/DFGSpeculativeJIT64.cpp: 3455 * dfg/DFGValidate.cpp: 3456 * dfg/DFGValueRecoveryOverride.h: 3457 * dfg/DFGVariableAccessData.h: 3458 * dfg/DFGVariableEvent.h: 3459 * dfg/DFGVariableEventStream.cpp: 3460 * dfg/DFGVirtualRegisterAllocationPhase.cpp: 3461 * ftl/FTLExitArgumentForOperand.h: 3462 * ftl/FTLLink.cpp: 3463 * ftl/FTLLowerDFGToLLVM.cpp: 3464 * ftl/FTLOSREntry.cpp: 3465 * ftl/FTLOSRExit.cpp: 3466 * ftl/FTLOSRExit.h: 3467 * ftl/FTLOSRExitCompiler.cpp: 3468 * interpreter/CallFrame.h: 3469 * interpreter/Interpreter.cpp: 3470 * jit/AssemblyHelpers.h: 3471 * jit/JIT.h: 3472 * jit/JITCall.cpp: 3473 * jit/JITInlines.h: 3474 * jit/JITOpcodes.cpp: 3475 * jit/JITOpcodes32_64.cpp: 3476 * jit/JITStubs.cpp: 3477 * llint/LLIntSlowPaths.cpp: 3478 * profiler/ProfilerBytecodeSequence.cpp: 3479 * runtime/CommonSlowPaths.cpp: 3480 * runtime/JSActivation.cpp: 3481 34822013-09-26 Anders Carlsson <andersca@apple.com> 3483 3484 Weak should have a move constructor and move assignment operator 3485 https://bugs.webkit.org/show_bug.cgi?id=121963 3486 3487 Reviewed by Oliver Hunt. 3488 3489 This is the first step towards getting rid of PassWeak. 3490 3491 * API/JSClassRef.cpp: 3492 (OpaqueJSClass::prototype): 3493 * heap/Weak.h: 3494 * heap/WeakInlines.h: 3495 (JSC::::Weak): 3496 (JSC::::leakImpl): 3497 * runtime/SimpleTypedArrayController.cpp: 3498 (JSC::SimpleTypedArrayController::toJS): 3499 35002013-09-26 Mark Hahnenberg <mhahnenberg@apple.com> 3501 3502 op_to_this shouldn't use value profiling 3503 https://bugs.webkit.org/show_bug.cgi?id=121920 3504 3505 Reviewed by Geoffrey Garen. 3506 3507 Currently it's the only opcode that uses m_singletonValue, which is unnecessary. Our current plan is 3508 to remove m_singletonValue so that GenGC can have a simpler story for handling CodeBlocks/FunctionExecutables 3509 during nursery collections. 3510 3511 This patch adds an inline cache for the Structure of to_this so it no longer depends on the ValueProfile's 3512 m_singletonValue. Since nobody uses m_singletonValue now, this patch also removes m_singletonValue from 3513 ValueProfile. 3514 3515 * bytecode/CodeBlock.cpp: 3516 (JSC::CodeBlock::CodeBlock): 3517 (JSC::CodeBlock::finalizeUnconditionally): 3518 (JSC::CodeBlock::stronglyVisitStrongReferences): 3519 (JSC::CodeBlock::updateAllPredictionsAndCountLiveness): 3520 (JSC::CodeBlock::updateAllValueProfilePredictions): 3521 (JSC::CodeBlock::updateAllPredictions): 3522 (JSC::CodeBlock::shouldOptimizeNow): 3523 * bytecode/CodeBlock.h: 3524 (JSC::CodeBlock::updateAllValueProfilePredictions): 3525 (JSC::CodeBlock::updateAllPredictions): 3526 * bytecode/LazyOperandValueProfile.cpp: 3527 (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions): 3528 * bytecode/LazyOperandValueProfile.h: 3529 * bytecode/ValueProfile.h: 3530 (JSC::ValueProfileBase::ValueProfileBase): 3531 (JSC::ValueProfileBase::briefDescription): 3532 (JSC::ValueProfileBase::dump): 3533 (JSC::ValueProfileBase::computeUpdatedPrediction): 3534 * bytecompiler/BytecodeGenerator.cpp: 3535 (JSC::BytecodeGenerator::BytecodeGenerator): 3536 * dfg/DFGByteCodeParser.cpp: 3537 (JSC::DFG::ByteCodeParser::parseBlock): 3538 * jit/JITOpcodes.cpp: 3539 (JSC::JIT::emit_op_to_this): 3540 (JSC::JIT::emitSlow_op_to_this): 3541 * jit/JITOpcodes32_64.cpp: 3542 (JSC::JIT::emit_op_to_this): 3543 (JSC::JIT::emitSlow_op_to_this): 3544 * llint/LowLevelInterpreter32_64.asm: 3545 * llint/LowLevelInterpreter64.asm: 3546 * runtime/CommonSlowPaths.cpp: 3547 (JSC::SLOW_PATH_DECL): 3548 35492013-09-25 Oliver Hunt <oliver@apple.com> 3550 3551 Implement prefixed-destructuring assignment 3552 https://bugs.webkit.org/show_bug.cgi?id=121930 3553 3554 Reviewed by Mark Hahnenberg. 3555 3556 This is mostly simple - the semantics of deconstruction are already 3557 present in the language, so most of the complexity (if you call it 3558 that) is addition of new AST nodes, and parsing the syntax. 3559 3560 In order to get correct semantics for the parameter lists, FunctionParameters 3561 now needs to store refcounted references to the parameter patterns. 3562 There's also a little work to ensure that variable creation and assignment 3563 occurs in the correct order while the BytecodeGenerator is being constructed. 3564 3565 * bytecode/UnlinkedCodeBlock.cpp: 3566 (JSC::UnlinkedFunctionExecutable::paramString): 3567 * bytecompiler/BytecodeGenerator.cpp: 3568 (JSC::BytecodeGenerator::BytecodeGenerator): 3569 * bytecompiler/BytecodeGenerator.h: 3570 (JSC::BytecodeGenerator::emitExpressionInfo): 3571 * bytecompiler/NodesCodegen.cpp: 3572 (JSC::ForInNode::emitBytecode): 3573 (JSC::DeconstructingAssignmentNode::emitBytecode): 3574 (JSC::DeconstructionPatternNode::~DeconstructionPatternNode): 3575 (JSC::ArrayPatternNode::emitBytecode): 3576 (JSC::ArrayPatternNode::emitDirectBinding): 3577 (JSC::ArrayPatternNode::toString): 3578 (JSC::ArrayPatternNode::collectBoundIdentifiers): 3579 (JSC::ObjectPatternNode::toString): 3580 (JSC::ObjectPatternNode::emitBytecode): 3581 (JSC::ObjectPatternNode::collectBoundIdentifiers): 3582 (JSC::BindingNode::emitBytecode): 3583 (JSC::BindingNode::toString): 3584 (JSC::BindingNode::collectBoundIdentifiers): 3585 * parser/ASTBuilder.h: 3586 (JSC::ASTBuilder::createFormalParameterList): 3587 (JSC::ASTBuilder::createForInLoop): 3588 (JSC::ASTBuilder::addVar): 3589 (JSC::ASTBuilder::createDeconstructingAssignment): 3590 (JSC::ASTBuilder::createArrayPattern): 3591 (JSC::ASTBuilder::appendArrayPatternSkipEntry): 3592 (JSC::ASTBuilder::appendArrayPatternEntry): 3593 (JSC::ASTBuilder::createObjectPattern): 3594 (JSC::ASTBuilder::appendObjectPatternEntry): 3595 (JSC::ASTBuilder::createBindingLocation): 3596 * parser/NodeConstructors.h: 3597 (JSC::CommaNode::CommaNode): 3598 (JSC::ParameterNode::ParameterNode): 3599 (JSC::ForInNode::ForInNode): 3600 (JSC::DeconstructionPatternNode::DeconstructionPatternNode): 3601 (JSC::ArrayPatternNode::ArrayPatternNode): 3602 (JSC::ArrayPatternNode::create): 3603 (JSC::ObjectPatternNode::ObjectPatternNode): 3604 (JSC::ObjectPatternNode::create): 3605 (JSC::BindingNode::create): 3606 (JSC::BindingNode::BindingNode): 3607 (JSC::DeconstructingAssignmentNode::DeconstructingAssignmentNode): 3608 * parser/Nodes.cpp: 3609 (JSC::FunctionParameters::create): 3610 (JSC::FunctionParameters::FunctionParameters): 3611 (JSC::FunctionParameters::~FunctionParameters): 3612 * parser/Nodes.h: 3613 (JSC::ExpressionNode::isDeconstructionNode): 3614 (JSC::ArrayNode::elements): 3615 (JSC::CommaNode::append): 3616 (JSC::ParameterNode::pattern): 3617 (JSC::FunctionParameters::at): 3618 (JSC::FunctionParameters::patterns): 3619 (JSC::DeconstructionPatternNode::isBindingNode): 3620 (JSC::DeconstructionPatternNode::emitDirectBinding): 3621 (JSC::ArrayPatternNode::appendIndex): 3622 (JSC::ObjectPatternNode::appendEntry): 3623 (JSC::ObjectPatternNode::Entry::Entry): 3624 (JSC::BindingNode::boundProperty): 3625 (JSC::BindingNode::isBindingNode): 3626 (JSC::DeconstructingAssignmentNode::bindings): 3627 (JSC::DeconstructingAssignmentNode::isLocation): 3628 (JSC::DeconstructingAssignmentNode::isDeconstructionNode): 3629 * parser/Parser.cpp: 3630 (JSC::::Parser): 3631 (JSC::::parseVarDeclaration): 3632 (JSC::::parseVarDeclarationList): 3633 (JSC::::createBindingPattern): 3634 (JSC::::parseDeconstructionPattern): 3635 (JSC::::parseForStatement): 3636 (JSC::::parseFormalParameters): 3637 (JSC::::parseAssignmentExpression): 3638 * parser/Parser.h: 3639 (JSC::Scope::declareBoundParameter): 3640 (JSC::Parser::declareBoundParameter): 3641 * parser/SyntaxChecker.h: 3642 (JSC::SyntaxChecker::createFormalParameterList): 3643 (JSC::SyntaxChecker::addVar): 3644 (JSC::SyntaxChecker::operatorStackPop): 3645 * runtime/JSONObject.cpp: 3646 (JSC::escapeStringToBuilder): 3647 * runtime/JSONObject.h: 3648 36492013-09-25 Brady Eidson <beidson@apple.com> 3650 3651 Enable the IndexedDB build on Mac, but leave the feature non-functional 3652 https://bugs.webkit.org/show_bug.cgi?id=121918 3653 3654 Reviewed by Alexey Proskuryakov. 3655 3656 * Configurations/FeatureDefines.xcconfig: 3657 36582013-09-25 Commit Queue <commit-queue@webkit.org> 3659 3660 Unreviewed, rolling out r156432. 3661 http://trac.webkit.org/changeset/156432 3662 https://bugs.webkit.org/show_bug.cgi?id=121932 3663 3664 some integer conversion things that need brady to fix 3665 (Requested by thorton on #webkit). 3666 3667 * Configurations/FeatureDefines.xcconfig: 3668 36692013-09-25 Anders Carlsson <andersca@apple.com> 3670 3671 Move KeyValuePairTraits inside HashMap 3672 https://bugs.webkit.org/show_bug.cgi?id=121931 3673 3674 Reviewed by Sam Weinig. 3675 3676 * tools/ProfileTreeNode.h: 3677 36782013-09-25 Brady Eidson <beidson@apple.com> 3679 3680 Enable the IndexedDB build on Mac, but leave the feature non-functional 3681 https://bugs.webkit.org/show_bug.cgi?id=121918 3682 3683 Reviewed by Alexey Proskuryakov. 3684 3685 * Configurations/FeatureDefines.xcconfig: 3686 36872013-09-25 Brady Eidson <beidson@apple.com> 3688 3689 FeatureDefine.xcconfig cleanup (They should all be identical). 3690 https://bugs.webkit.org/show_bug.cgi?id=121921 3691 3692 Reviewed by Mark Rowe. 3693 3694 * Configurations/FeatureDefines.xcconfig: 3695 36962013-09-25 Patrick Gansterer <paroga@webkit.org> 3697 3698 Build fix for WinCE after r155098. 3699 3700 Windows CE does not support getenv(). 3701 3702 * jsc.cpp: 3703 (main): 3704 37052013-09-24 Mark Hahnenberg <mhahnenberg@apple.com> 3706 3707 op_get_callee shouldn't use value profiling 3708 https://bugs.webkit.org/show_bug.cgi?id=121821 3709 3710 Reviewed by Filip Pizlo. 3711 3712 Currently it's one of the two opcodes that uses m_singletonValue, which is unnecessary. 3713 Our current plan is to remove m_singletonValue so that GenGC can have a simpler story 3714 for handling CodeBlocks/FunctionExecutables during nursery collections. 3715 3716 Instead of using a ValueProfile op_get_callee now has a simple inline cache of the most 3717 recent JSFunction that we saw. 3718 3719 * bytecode/CodeBlock.cpp: 3720 (JSC::CodeBlock::CodeBlock): 3721 (JSC::CodeBlock::finalizeUnconditionally): 3722 * bytecompiler/BytecodeGenerator.cpp: 3723 (JSC::BytecodeGenerator::emitCreateThis): 3724 * dfg/DFGByteCodeParser.cpp: 3725 (JSC::DFG::ByteCodeParser::parseBlock): 3726 * jit/JIT.cpp: 3727 (JSC::JIT::privateCompileSlowCases): 3728 * jit/JIT.h: 3729 * jit/JITOpcodes.cpp: 3730 (JSC::JIT::emit_op_get_callee): 3731 (JSC::JIT::emitSlow_op_get_callee): 3732 * jit/JITOpcodes32_64.cpp: 3733 (JSC::JIT::emit_op_get_callee): 3734 (JSC::JIT::emitSlow_op_get_callee): 3735 * llint/LowLevelInterpreter32_64.asm: 3736 * llint/LowLevelInterpreter64.asm: 3737 * runtime/CommonSlowPaths.cpp: 3738 (JSC::SLOW_PATH_DECL): 3739 * runtime/CommonSlowPaths.h: 3740 37412013-09-24 Mark Lam <mark.lam@apple.com> 3742 3743 Change JSC debug hooks to pass a CallFrame* instead of a DebuggerCallFrame. 3744 https://bugs.webkit.org/show_bug.cgi?id=121867. 3745 3746 Reviewed by Geoffrey Garen. 3747 3748 1. Removed the need for passing the line and column info to the debug hook 3749 callbacks. We now get the line and column info from the CallFrame. 3750 3751 2. Simplify BytecodeGenerator::emitDebugHook() to only take 1 line number 3752 argument. The caller can determine whether to pass in the first or last 3753 line number of the block of source code as appropriate. 3754 Note: we still need to pass in the line and column info to emitDebugHook() 3755 because it uses this info to emit expression info which is later used by 3756 the StackVisitor to determine the line and column info for its "pc". 3757 3758 3. Pass the exceptionValue explicitly to the exception() debug hook 3759 callback. It should not be embedded in the CallFrame / DebuggerCallFrame. 3760 3761 4. Change the op_debug opcode size to 2 (from 5) since we've removing 3 arg 3762 values. Update the LLINT and JIT code to handle this. 3763 3764 * bytecode/CodeBlock.cpp: 3765 (JSC::CodeBlock::dumpBytecode): 3766 (JSC::CodeBlock::CodeBlock): 3767 * bytecode/Opcode.h: 3768 (JSC::padOpcodeName): 3769 * bytecompiler/BytecodeGenerator.cpp: 3770 (JSC::BytecodeGenerator::emitDebugHook): 3771 * bytecompiler/BytecodeGenerator.h: 3772 * bytecompiler/NodesCodegen.cpp: 3773 (JSC::ConstStatementNode::emitBytecode): 3774 (JSC::EmptyStatementNode::emitBytecode): 3775 (JSC::DebuggerStatementNode::emitBytecode): 3776 (JSC::ExprStatementNode::emitBytecode): 3777 (JSC::VarStatementNode::emitBytecode): 3778 (JSC::IfElseNode::emitBytecode): 3779 (JSC::DoWhileNode::emitBytecode): 3780 (JSC::WhileNode::emitBytecode): 3781 (JSC::ForNode::emitBytecode): 3782 (JSC::ForInNode::emitBytecode): 3783 (JSC::ContinueNode::emitBytecode): 3784 (JSC::BreakNode::emitBytecode): 3785 (JSC::ReturnNode::emitBytecode): 3786 (JSC::WithNode::emitBytecode): 3787 (JSC::SwitchNode::emitBytecode): 3788 (JSC::LabelNode::emitBytecode): 3789 (JSC::ThrowNode::emitBytecode): 3790 (JSC::TryNode::emitBytecode): 3791 (JSC::ProgramNode::emitBytecode): 3792 (JSC::EvalNode::emitBytecode): 3793 (JSC::FunctionBodyNode::emitBytecode): 3794 * debugger/Debugger.h: 3795 * debugger/DebuggerCallFrame.cpp: 3796 (JSC::LineAndColumnFunctor::operator()): 3797 (JSC::LineAndColumnFunctor::line): 3798 (JSC::LineAndColumnFunctor::column): 3799 (JSC::DebuggerCallFrame::DebuggerCallFrame): 3800 (JSC::DebuggerCallFrame::clear): 3801 * debugger/DebuggerCallFrame.h: 3802 (JSC::DebuggerCallFrame::line): 3803 (JSC::DebuggerCallFrame::column): 3804 * interpreter/Interpreter.cpp: 3805 (JSC::unwindCallFrame): 3806 (JSC::UnwindFunctor::UnwindFunctor): 3807 (JSC::UnwindFunctor::operator()): 3808 (JSC::Interpreter::unwind): 3809 (JSC::Interpreter::debug): 3810 * interpreter/Interpreter.h: 3811 * jit/JITOpcodes.cpp: 3812 (JSC::JIT::emit_op_debug): 3813 * jit/JITOpcodes32_64.cpp: 3814 (JSC::JIT::emit_op_debug): 3815 * jit/JITStubs.cpp: 3816 (JSC::DEFINE_STUB_FUNCTION): 3817 * llint/LLIntSlowPaths.cpp: 3818 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 3819 * llint/LowLevelInterpreter.asm: 3820 38212013-09-24 Filip Pizlo <fpizlo@apple.com> 3822 3823 Crashing under JSC::DFG::SpeculativeJIT::spill visiting citicards.com 3824 https://bugs.webkit.org/show_bug.cgi?id=121844 3825 3826 Reviewed by Mark Hahnenberg. 3827 3828 Fix some int52 bugs that caused this. 3829 3830 * bytecode/ValueRecovery.h: 3831 (JSC::ValueRecovery::dumpInContext): There's no such thing as int53. 3832 * dfg/DFGSpeculativeJIT.h: 3833 (JSC::DFG::SpeculativeJIT::spill): Actually spill int52's, instead of hitting an assert and crashing. 3834 * dfg/DFGSpeculativeJIT64.cpp: 3835 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): Use the right format (from before when we clobber it). 3836 38372013-09-24 Mark Rowe <mrowe@apple.com> 3838 3839 <rdar://problem/14971518> WebKit should build against the Xcode default toolchain when targeting OS X 10.8 3840 3841 Reviewed by Dan Bernstein. 3842 3843 * Configurations/Base.xcconfig: 3844 38452013-09-23 Patrick Gansterer <paroga@webkit.org> 3846 3847 use NOMINMAX instead of #define min min 3848 https://bugs.webkit.org/show_bug.cgi?id=73563 3849 3850 Reviewed by Brent Fulgham. 3851 3852 Use NOMINMAX instead of #define min/max as a cleaner 3853 way of ensuring that Windows system header files don't 3854 define min/max as macro in the first place. 3855 3856 * config.h: 3857 38582013-09-23 Filip Pizlo <fpizlo@apple.com> 3859 3860 Never use ReturnPC for exception handling and quit using exception check indices as a lame replica of the CodeOrigin index 3861 https://bugs.webkit.org/show_bug.cgi?id=121734 3862 3863 Reviewed by Mark Hahnenberg. 3864 3865 Exception handling can deduce where the exception was thrown from by looking at the 3866 code origin that was stored into the call frame header. There is no need to pass any 3867 additional meta-data into the exception throwing logic. But the DFG was still doing it 3868 anyway. 3869 3870 This removes all of the logic to pass extra meta-data into lookupExceptionHandler() 3871 and friends. It simplifies a lot of code. 3872 3873 * CMakeLists.txt: 3874 * GNUmakefile.list.am: 3875 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 3876 * JavaScriptCore.xcodeproj/project.pbxproj: 3877 * Target.pri: 3878 * bytecode/CodeBlock.cpp: 3879 (JSC::CodeBlock::shrinkToFit): 3880 * bytecode/CodeBlock.h: 3881 (JSC::CodeBlock::codeOrigins): 3882 (JSC::CodeBlock::hasCodeOrigins): 3883 (JSC::CodeBlock::canGetCodeOrigin): 3884 (JSC::CodeBlock::codeOrigin): 3885 * bytecode/CodeOrigin.h: 3886 (JSC::InlineCallFrame::InlineCallFrame): 3887 * bytecode/InlineCallFrameSet.cpp: Added. 3888 (JSC::InlineCallFrameSet::InlineCallFrameSet): 3889 (JSC::InlineCallFrameSet::~InlineCallFrameSet): 3890 (JSC::InlineCallFrameSet::add): 3891 (JSC::InlineCallFrameSet::shrinkToFit): 3892 * bytecode/InlineCallFrameSet.h: Added. 3893 (JSC::InlineCallFrameSet::isEmpty): 3894 (JSC::InlineCallFrameSet::size): 3895 (JSC::InlineCallFrameSet::at): 3896 * dfg/DFGArgumentsSimplificationPhase.cpp: 3897 (JSC::DFG::ArgumentsSimplificationPhase::run): 3898 * dfg/DFGByteCodeParser.cpp: 3899 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): 3900 * dfg/DFGCommonData.cpp: 3901 (JSC::DFG::CommonData::addCodeOrigin): 3902 (JSC::DFG::CommonData::shrinkToFit): 3903 * dfg/DFGCommonData.h: 3904 * dfg/DFGDesiredWriteBarriers.cpp: 3905 (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier): 3906 (JSC::DFG::DesiredWriteBarrier::trigger): 3907 * dfg/DFGDesiredWriteBarriers.h: 3908 (JSC::DFG::DesiredWriteBarriers::add): 3909 (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable): 3910 (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee): 3911 * dfg/DFGGraph.cpp: 3912 (JSC::DFG::Graph::Graph): 3913 * dfg/DFGGraph.h: 3914 * dfg/DFGJITCompiler.cpp: 3915 (JSC::DFG::JITCompiler::JITCompiler): 3916 (JSC::DFG::JITCompiler::compileExceptionHandlers): 3917 (JSC::DFG::JITCompiler::link): 3918 (JSC::DFG::JITCompiler::compileFunction): 3919 * dfg/DFGJITCompiler.h: 3920 (JSC::DFG::JITCompiler::emitStoreCodeOrigin): 3921 (JSC::DFG::JITCompiler::exceptionCheck): 3922 (JSC::DFG::JITCompiler::fastExceptionCheck): 3923 * dfg/DFGOperations.cpp: 3924 * dfg/DFGOperations.h: 3925 * dfg/DFGRepatch.cpp: 3926 (JSC::DFG::tryBuildGetByIDList): 3927 * dfg/DFGSpeculativeJIT.h: 3928 (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck): 3929 (JSC::DFG::SpeculativeJIT::appendCallSetResult): 3930 (JSC::DFG::SpeculativeJIT::appendCall): 3931 * dfg/DFGSpeculativeJIT32_64.cpp: 3932 (JSC::DFG::SpeculativeJIT::emitCall): 3933 * dfg/DFGSpeculativeJIT64.cpp: 3934 (JSC::DFG::SpeculativeJIT::emitCall): 3935 * dfg/DFGVirtualRegisterAllocationPhase.cpp: 3936 (JSC::DFG::VirtualRegisterAllocationPhase::run): 3937 * ftl/FTLLowerDFGToLLVM.cpp: 3938 (JSC::FTL::LowerDFGToLLVM::callPreflight): 3939 * jit/AssemblyHelpers.h: 3940 (JSC::AssemblyHelpers::emitExceptionCheck): 3941 39422013-09-23 Oliver Hunt <oliver@apple.com> 3943 3944 CodeLoad performance regression 3945 3946 Reviewed by Filip Pizlo. 3947 3948 Temporarily remove the ExpressionInfo compression until we can 3949 work out how to make it not clobber performance. 3950 3951 * bytecode/UnlinkedCodeBlock.cpp: 3952 (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset): 3953 (JSC::UnlinkedCodeBlock::addExpressionInfo): 3954 * bytecode/UnlinkedCodeBlock.h: 3955 39562013-09-23 Patrick Gansterer <paroga@webkit.org> 3957 3958 Cleanup CMake files in JavaScriptCore 3959 https://bugs.webkit.org/show_bug.cgi?id=121762 3960 3961 Reviewed by Gyuyoung Kim. 3962 3963 Sort files and unify style. 3964 3965 * CMakeLists.txt: 3966 * shell/CMakeLists.txt: 3967 * shell/PlatformBlackBerry.cmake: 3968 * shell/PlatformEfl.cmake: 3969 39702013-09-22 Filip Pizlo <fpizlo@apple.com> 3971 3972 Get rid of CodeBlock::RareData::callReturnIndexVector and most of the evil that it introduced 3973 https://bugs.webkit.org/show_bug.cgi?id=121766 3974 3975 Reviewed by Andreas Kling. 3976 3977 * bytecode/CodeBlock.cpp: 3978 (JSC::CodeBlock::shrinkToFit): 3979 * bytecode/CodeBlock.h: 3980 * dfg/DFGJITCompiler.cpp: 3981 (JSC::DFG::JITCompiler::compileExceptionHandlers): 3982 (JSC::DFG::JITCompiler::link): 3983 * jit/JIT.cpp: 3984 (JSC::JIT::privateCompile): 3985 39862013-09-21 Filip Pizlo <fpizlo@apple.com> 3987 3988 Interpreter::unwind() has no need for the bytecodeOffset 3989 https://bugs.webkit.org/show_bug.cgi?id=121755 3990 3991 Reviewed by Oliver Hunt. 3992 3993 It was only using the bytecodeOffset for some debugger stuff, but the debugger could 3994 just get the bytecodeOffset the same way the rest of the machinery does: by using the 3995 CallFrame's location. 3996 3997 It turns out that a lot of really ugly code was in place just to supply this 3998 bytecodeOffset. This patch kills most of that code, and allows us to kill even more 3999 code in a future patch - though most likely that killage will involve further 4000 refactorings as well, see https://bugs.webkit.org/show_bug.cgi?id=121734. 4001 4002 * dfg/DFGOperations.cpp: 4003 * interpreter/CallFrame.cpp: 4004 (JSC::CallFrame::bytecodeOffset): 4005 (JSC::CallFrame::codeOrigin): 4006 * interpreter/CallFrame.h: 4007 * interpreter/Interpreter.cpp: 4008 (JSC::Interpreter::unwind): 4009 * interpreter/Interpreter.h: 4010 * jit/JITExceptions.cpp: 4011 (JSC::genericUnwind): 4012 * jit/JITExceptions.h: 4013 * jit/JITStubs.cpp: 4014 (JSC::DEFINE_STUB_FUNCTION): 4015 (JSC::cti_vm_handle_exception): 4016 * llint/LLIntExceptions.cpp: 4017 (JSC::LLInt::doThrow): 4018 (JSC::LLInt::returnToThrow): 4019 (JSC::LLInt::callToThrow): 4020 * llint/LLIntExceptions.h: 4021 * llint/LLIntSlowPaths.cpp: 4022 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 4023 * runtime/CommonSlowPaths.cpp: 4024 (JSC::SLOW_PATH_DECL): 4025 * runtime/CommonSlowPathsExceptions.cpp: 4026 (JSC::CommonSlowPaths::interpreterThrowInCaller): 4027 * runtime/CommonSlowPathsExceptions.h: 4028 40292013-09-21 Darin Adler <darin@apple.com> 4030 4031 Add ExecState::uncheckedArgument and use where possible to shrink a bit 4032 https://bugs.webkit.org/show_bug.cgi?id=121750 4033 4034 Reviewed by Andreas Kling. 4035 4036 * interpreter/CallFrame.h: 4037 (JSC::ExecState::uncheckedArgument): Added. Like argument, but with an 4038 assertion rather than a runtime check. 4039 4040 * API/APICallbackFunction.h: 4041 (JSC::APICallbackFunction::call): Use uncheckedArgument because we are 4042 already in a loop over arguments, so don't need a range check. 4043 * API/JSCallbackConstructor.cpp: 4044 (JSC::constructJSCallback): Ditto. 4045 * API/JSCallbackObjectFunctions.h: 4046 (JSC::JSCallbackObject::construct): Ditto. 4047 (JSC::JSCallbackObject::call): Ditto. 4048 * jsc.cpp: 4049 (functionPrint): Ditto. 4050 (functionRun): Ditto. 4051 (functionSetSamplingFlags): Ditto. 4052 (functionClearSamplingFlags): Ditto. 4053 * runtime/ArrayPrototype.cpp: 4054 (JSC::arrayProtoFuncConcat): Ditto. 4055 (JSC::arrayProtoFuncPush): Use uncheckedArgument because there is already 4056 code that explicitly checks argumentCount. 4057 (JSC::arrayProtoFuncSplice): Ditto. 4058 (JSC::arrayProtoFuncUnShift): Ditto. 4059 (JSC::arrayProtoFuncReduce): Ditto. 4060 (JSC::arrayProtoFuncReduceRight): Ditto. 4061 (JSC::arrayProtoFuncLastIndexOf): Ditto. 4062 * runtime/DatePrototype.cpp: 4063 (JSC::fillStructuresUsingTimeArgs): Ditto. 4064 (JSC::fillStructuresUsingDateArgs): Ditto. 4065 * runtime/JSArrayBufferConstructor.cpp: 4066 (JSC::constructArrayBuffer): Ditto. 4067 * runtime/JSArrayBufferPrototype.cpp: 4068 (JSC::arrayBufferProtoFuncSlice): Ditto. 4069 * runtime/JSBoundFunction.cpp: 4070 (JSC::boundFunctionCall): Ditto. 4071 (JSC::boundFunctionConstruct): Ditto. 4072 * runtime/JSDataViewPrototype.cpp: 4073 (JSC::getData): Ditto. 4074 (JSC::setData): Ditto. 4075 * runtime/JSGenericTypedArrayViewConstructorInlines.h: 4076 (JSC::constructGenericTypedArrayView): Ditto. 4077 * runtime/JSGenericTypedArrayViewPrototypeInlines.h: 4078 (JSC::genericTypedArrayViewProtoFuncSet): Ditto. 4079 (JSC::genericTypedArrayViewProtoFuncSubarray): Ditto. 4080 * runtime/JSONObject.cpp: 4081 (JSC::JSONProtoFuncParse): Ditto. 4082 (JSC::JSONProtoFuncStringify): Ditto. 4083 * runtime/JSPromiseConstructor.cpp: 4084 (JSC::constructPromise): Ditto. 4085 (JSC::JSPromiseConstructorFuncFulfill): Ditto. 4086 (JSC::JSPromiseConstructorFuncResolve): Ditto. 4087 (JSC::JSPromiseConstructorFuncReject): Ditto. 4088 * runtime/MathObject.cpp: 4089 (JSC::mathProtoFuncMax): Ditto. 4090 (JSC::mathProtoFuncMin): Ditto. 4091 4092 * runtime/NameConstructor.cpp: 4093 (JSC::constructPrivateName): Removed unneeded check of argumentCout 4094 that simply repeats what argument already does. 4095 * runtime/NativeErrorConstructor.cpp: 4096 (JSC::Interpreter::constructWithNativeErrorConstructor): Ditto. 4097 (JSC::Interpreter::callNativeErrorConstructor): Ditto. 4098 4099 * runtime/NumberConstructor.cpp: 4100 (JSC::constructWithNumberConstructor): Use uncheckedArgument since 4101 there is already code that explicitly checks argument count. 4102 (JSC::callNumberConstructor): Ditto. 4103 4104 * runtime/ObjectConstructor.cpp: 4105 (JSC::objectConstructorCreate): Small refactoring to not call argument(0) 4106 three times. 4107 4108 * runtime/SetConstructor.cpp: 4109 (JSC::constructSet): Use uncheckedArgument since we are already in a loop 4110 over arguments. 4111 4112 * runtime/StringConstructor.cpp: 4113 (JSC::stringFromCharCodeSlowCase): In a loop. 4114 (JSC::stringFromCharCode): Already checked count. 4115 (JSC::constructWithStringConstructor): Ditto. 4116 (JSC::callStringConstructor): Ditto. 4117 * runtime/StringPrototype.cpp: 4118 (JSC::stringProtoFuncConcat): Already checked count. 4119 * runtime/TestRunnerUtils.cpp: 4120 (JSC::numberOfDFGCompiles): Ditto. 4121 (JSC::setNeverInline): Ditto. 4122 41232013-09-21 Filip Pizlo <fpizlo@apple.com> 4124 4125 Remove the notion that a CallFrame can have a pointer to an InlineCallFrame, since that doesn't happen anymore 4126 https://bugs.webkit.org/show_bug.cgi?id=121753 4127 4128 Reviewed by Darin Adler. 4129 4130 * interpreter/CallFrame.cpp: 4131 (JSC::CallFrame::bytecodeOffsetFromCodeOriginIndex): 4132 * interpreter/CallFrame.h: 4133 * interpreter/Register.h: 4134 41352013-09-21 Filip Pizlo <fpizlo@apple.com> 4136 4137 Unreviewed, fix the revert. 4138 4139 * dfg/DFGRepatch.cpp: 4140 41412013-09-21 Filip Pizlo <fpizlo@apple.com> 4142 4143 Unreviewed, revert http://trac.webkit.org/changeset/156235. It won't work on Windows. 4144 4145 * CMakeLists.txt: 4146 * GNUmakefile.list.am: 4147 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 4148 * JavaScriptCore.xcodeproj/project.pbxproj: 4149 * Target.pri: 4150 * bytecode/CallLinkInfo.cpp: 4151 (JSC::CallLinkInfo::unlink): 4152 * bytecode/CodeBlock.cpp: 4153 (JSC::CodeBlock::resetStubInternal): 4154 * bytecode/StructureStubInfo.h: 4155 * dfg/DFGCallArrayAllocatorSlowPathGenerator.h: 4156 (JSC::DFG::CallArrayAllocatorSlowPathGenerator::CallArrayAllocatorSlowPathGenerator): 4157 (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator): 4158 * dfg/DFGJITCompiler.h: 4159 * dfg/DFGOSRExitCompiler.h: 4160 * dfg/DFGOperations.cpp: 4161 (JSC::DFG::operationPutByValInternal): 4162 * dfg/DFGOperations.h: 4163 (JSC::DFG::operationNewTypedArrayWithSizeForType): 4164 (JSC::DFG::operationNewTypedArrayWithOneArgumentForType): 4165 * dfg/DFGRegisterSet.h: Added. 4166 (JSC::DFG::RegisterSet::RegisterSet): 4167 (JSC::DFG::RegisterSet::asPOD): 4168 (JSC::DFG::RegisterSet::copyInfo): 4169 (JSC::DFG::RegisterSet::set): 4170 (JSC::DFG::RegisterSet::setGPRByIndex): 4171 (JSC::DFG::RegisterSet::clear): 4172 (JSC::DFG::RegisterSet::get): 4173 (JSC::DFG::RegisterSet::getGPRByIndex): 4174 (JSC::DFG::RegisterSet::getFreeGPR): 4175 (JSC::DFG::RegisterSet::setFPRByIndex): 4176 (JSC::DFG::RegisterSet::getFPRByIndex): 4177 (JSC::DFG::RegisterSet::setByIndex): 4178 (JSC::DFG::RegisterSet::getByIndex): 4179 (JSC::DFG::RegisterSet::numberOfSetGPRs): 4180 (JSC::DFG::RegisterSet::numberOfSetFPRs): 4181 (JSC::DFG::RegisterSet::numberOfSetRegisters): 4182 (JSC::DFG::RegisterSet::setBit): 4183 (JSC::DFG::RegisterSet::clearBit): 4184 (JSC::DFG::RegisterSet::getBit): 4185 * dfg/DFGRepatch.cpp: Added. 4186 (JSC::DFG::repatchCall): 4187 (JSC::DFG::repatchByIdSelfAccess): 4188 (JSC::DFG::addStructureTransitionCheck): 4189 (JSC::DFG::replaceWithJump): 4190 (JSC::DFG::emitRestoreScratch): 4191 (JSC::DFG::linkRestoreScratch): 4192 (JSC::DFG::generateProtoChainAccessStub): 4193 (JSC::DFG::tryCacheGetByID): 4194 (JSC::DFG::repatchGetByID): 4195 (JSC::DFG::getPolymorphicStructureList): 4196 (JSC::DFG::patchJumpToGetByIdStub): 4197 (JSC::DFG::tryBuildGetByIDList): 4198 (JSC::DFG::buildGetByIDList): 4199 (JSC::DFG::appropriateGenericPutByIdFunction): 4200 (JSC::DFG::appropriateListBuildingPutByIdFunction): 4201 (JSC::DFG::emitPutReplaceStub): 4202 (JSC::DFG::emitPutTransitionStub): 4203 (JSC::DFG::tryCachePutByID): 4204 (JSC::DFG::repatchPutByID): 4205 (JSC::DFG::tryBuildPutByIdList): 4206 (JSC::DFG::buildPutByIdList): 4207 (JSC::DFG::tryRepatchIn): 4208 (JSC::DFG::repatchIn): 4209 (JSC::DFG::linkSlowFor): 4210 (JSC::DFG::linkFor): 4211 (JSC::DFG::linkClosureCall): 4212 (JSC::DFG::resetGetByID): 4213 (JSC::DFG::resetPutByID): 4214 (JSC::DFG::resetIn): 4215 * dfg/DFGRepatch.h: Added. 4216 (JSC::DFG::resetGetByID): 4217 (JSC::DFG::resetPutByID): 4218 (JSC::DFG::resetIn): 4219 * dfg/DFGScratchRegisterAllocator.h: Added. 4220 (JSC::DFG::ScratchRegisterAllocator::ScratchRegisterAllocator): 4221 (JSC::DFG::ScratchRegisterAllocator::lock): 4222 (JSC::DFG::ScratchRegisterAllocator::allocateScratch): 4223 (JSC::DFG::ScratchRegisterAllocator::allocateScratchGPR): 4224 (JSC::DFG::ScratchRegisterAllocator::allocateScratchFPR): 4225 (JSC::DFG::ScratchRegisterAllocator::didReuseRegisters): 4226 (JSC::DFG::ScratchRegisterAllocator::preserveReusedRegistersByPushing): 4227 (JSC::DFG::ScratchRegisterAllocator::restoreReusedRegistersByPopping): 4228 (JSC::DFG::ScratchRegisterAllocator::desiredScratchBufferSize): 4229 (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer): 4230 (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer): 4231 * dfg/DFGSpeculativeJIT.cpp: 4232 (JSC::DFG::SpeculativeJIT::writeBarrier): 4233 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): 4234 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): 4235 (JSC::DFG::SpeculativeJIT::compare): 4236 * dfg/DFGSpeculativeJIT.h: 4237 (JSC::DFG::SpeculativeJIT::callOperation): 4238 * dfg/DFGSpeculativeJIT32_64.cpp: 4239 (JSC::DFG::SpeculativeJIT::cachedPutById): 4240 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): 4241 (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): 4242 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): 4243 (JSC::DFG::SpeculativeJIT::compile): 4244 * dfg/DFGSpeculativeJIT64.cpp: 4245 (JSC::DFG::SpeculativeJIT::cachedPutById): 4246 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): 4247 (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): 4248 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): 4249 (JSC::DFG::SpeculativeJIT::compile): 4250 * dfg/DFGThunks.cpp: 4251 (JSC::DFG::emitPointerValidation): 4252 (JSC::DFG::throwExceptionFromCallSlowPathGenerator): 4253 (JSC::DFG::slowPathFor): 4254 (JSC::DFG::linkForThunkGenerator): 4255 (JSC::DFG::linkCallThunkGenerator): 4256 (JSC::DFG::linkConstructThunkGenerator): 4257 (JSC::DFG::linkClosureCallThunkGenerator): 4258 (JSC::DFG::virtualForThunkGenerator): 4259 (JSC::DFG::virtualCallThunkGenerator): 4260 (JSC::DFG::virtualConstructThunkGenerator): 4261 * dfg/DFGThunks.h: 4262 * ftl/FTLIntrinsicRepository.h: 4263 * ftl/FTLLowerDFGToLLVM.cpp: 4264 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): 4265 * ftl/FTLOSRExitCompiler.h: 4266 * jit/AssemblyHelpers.h: 4267 * jit/JIT.cpp: 4268 (JSC::JIT::linkFor): 4269 (JSC::JIT::linkSlowCall): 4270 * jit/JITCall.cpp: 4271 (JSC::JIT::compileCallEvalSlowCase): 4272 (JSC::JIT::compileOpCallSlowCase): 4273 (JSC::JIT::privateCompileClosureCall): 4274 * jit/JITCall32_64.cpp: 4275 (JSC::JIT::compileCallEvalSlowCase): 4276 (JSC::JIT::compileOpCallSlowCase): 4277 (JSC::JIT::privateCompileClosureCall): 4278 * jit/JITOperationWrappers.h: Removed. 4279 * jit/JITOperations.cpp: Removed. 4280 * jit/JITOperations.h: Removed. 4281 * jit/RegisterSet.h: Removed. 4282 * jit/Repatch.cpp: Removed. 4283 * jit/Repatch.h: Removed. 4284 * jit/ScratchRegisterAllocator.h: Removed. 4285 * jit/ThunkGenerators.cpp: 4286 (JSC::generateSlowCaseFor): 4287 (JSC::linkForGenerator): 4288 (JSC::linkCallGenerator): 4289 (JSC::linkConstructGenerator): 4290 (JSC::linkClosureCallGenerator): 4291 (JSC::virtualForGenerator): 4292 (JSC::virtualCallGenerator): 4293 (JSC::virtualConstructGenerator): 4294 * jit/ThunkGenerators.h: 4295 42962013-09-21 Filip Pizlo <fpizlo@apple.com> 4297 4298 Move DFG inline caching logic into jit/ 4299 https://bugs.webkit.org/show_bug.cgi?id=121749 4300 4301 Rubber stamped by Sam Weinig. 4302 4303 We want to get rid of the baseline JIT's inline caching machinery and have it use the 4304 DFG's instead. But before we do that we need to move the DFG's inline caching machine 4305 out from behind its ENABLE(DFG_JIT) guards and make it available to the whole system. 4306 This patch does that: 4307 4308 - dfg/DFGRepatch becomes jit/Repatch. 4309 4310 - The thunks used by the DFG IC go into jit/ThunkGenerators, instead of dfg/DFGThunks. 4311 4312 - The operations used by the DFG IC go into jit/JITOperations, instead of 4313 dfg/DFGOperations. 4314 4315 - The old JIT's thunk generators for calls are renamed to reduce confusion. Previously 4316 it was easy to know which generators belong to which JIT because the old JIT used 4317 JSC::virtualCallBlah and the DFG used JSC::DFG::virtualCallBlah, but that's not the 4318 case anymore. Note that the old JIT's thunk generators will die in a future patch. 4319 4320 No functional changes beyond those moves. 4321 4322 * CMakeLists.txt: 4323 * GNUmakefile.list.am: 4324 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 4325 * JavaScriptCore.xcodeproj/project.pbxproj: 4326 * Target.pri: 4327 * bytecode/CallLinkInfo.cpp: 4328 (JSC::CallLinkInfo::unlink): 4329 * bytecode/CodeBlock.cpp: 4330 (JSC::CodeBlock::resetStubInternal): 4331 * bytecode/StructureStubInfo.h: 4332 * dfg/DFGCallArrayAllocatorSlowPathGenerator.h: 4333 (JSC::DFG::CallArrayAllocatorSlowPathGenerator::CallArrayAllocatorSlowPathGenerator): 4334 (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator): 4335 * dfg/DFGJITCompiler.h: 4336 * dfg/DFGOSRExitCompiler.h: 4337 * dfg/DFGOperations.cpp: 4338 (JSC::DFG::operationPutByValInternal): 4339 * dfg/DFGOperations.h: 4340 (JSC::DFG::operationNewTypedArrayWithSizeForType): 4341 (JSC::DFG::operationNewTypedArrayWithOneArgumentForType): 4342 * dfg/DFGRegisterSet.h: Removed. 4343 * dfg/DFGRepatch.cpp: Removed. 4344 * dfg/DFGRepatch.h: Removed. 4345 * dfg/DFGScratchRegisterAllocator.h: Removed. 4346 * dfg/DFGSpeculativeJIT.cpp: 4347 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): 4348 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): 4349 (JSC::DFG::SpeculativeJIT::compare): 4350 * dfg/DFGSpeculativeJIT.h: 4351 (JSC::DFG::SpeculativeJIT::callOperation): 4352 * dfg/DFGSpeculativeJIT32_64.cpp: 4353 (JSC::DFG::SpeculativeJIT::cachedPutById): 4354 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): 4355 (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): 4356 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): 4357 (JSC::DFG::SpeculativeJIT::compile): 4358 * dfg/DFGSpeculativeJIT64.cpp: 4359 (JSC::DFG::SpeculativeJIT::cachedPutById): 4360 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): 4361 (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): 4362 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): 4363 (JSC::DFG::SpeculativeJIT::compile): 4364 * dfg/DFGThunks.cpp: 4365 * dfg/DFGThunks.h: 4366 * ftl/FTLIntrinsicRepository.h: 4367 * ftl/FTLLowerDFGToLLVM.cpp: 4368 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): 4369 * jit/AssemblyHelpers.h: 4370 (JSC::AssemblyHelpers::writeBarrier): 4371 * jit/JIT.cpp: 4372 (JSC::JIT::linkFor): 4373 (JSC::JIT::linkSlowCall): 4374 * jit/JITCall.cpp: 4375 (JSC::JIT::compileCallEval): 4376 (JSC::JIT::compileCallEvalSlowCase): 4377 (JSC::JIT::compileOpCallSlowCase): 4378 (JSC::JIT::privateCompileClosureCall): 4379 * jit/JITCall32_64.cpp: 4380 (JSC::JIT::compileCallEvalSlowCase): 4381 (JSC::JIT::compileOpCallSlowCase): 4382 (JSC::JIT::privateCompileClosureCall): 4383 * jit/JITOperationWrappers.h: Added. 4384 * jit/JITOperations.cpp: Added. 4385 * jit/JITOperations.h: Added. 4386 * jit/RegisterSet.h: Added. 4387 (JSC::RegisterSet::RegisterSet): 4388 (JSC::RegisterSet::asPOD): 4389 (JSC::RegisterSet::copyInfo): 4390 (JSC::RegisterSet::set): 4391 (JSC::RegisterSet::setGPRByIndex): 4392 (JSC::RegisterSet::clear): 4393 (JSC::RegisterSet::get): 4394 (JSC::RegisterSet::getGPRByIndex): 4395 (JSC::RegisterSet::getFreeGPR): 4396 (JSC::RegisterSet::setFPRByIndex): 4397 (JSC::RegisterSet::getFPRByIndex): 4398 (JSC::RegisterSet::setByIndex): 4399 (JSC::RegisterSet::getByIndex): 4400 (JSC::RegisterSet::numberOfSetGPRs): 4401 (JSC::RegisterSet::numberOfSetFPRs): 4402 (JSC::RegisterSet::numberOfSetRegisters): 4403 (JSC::RegisterSet::setBit): 4404 (JSC::RegisterSet::clearBit): 4405 (JSC::RegisterSet::getBit): 4406 * jit/Repatch.cpp: Added. 4407 (JSC::repatchCall): 4408 (JSC::repatchByIdSelfAccess): 4409 (JSC::addStructureTransitionCheck): 4410 (JSC::replaceWithJump): 4411 (JSC::emitRestoreScratch): 4412 (JSC::linkRestoreScratch): 4413 (JSC::generateProtoChainAccessStub): 4414 (JSC::tryCacheGetByID): 4415 (JSC::repatchGetByID): 4416 (JSC::getPolymorphicStructureList): 4417 (JSC::patchJumpToGetByIdStub): 4418 (JSC::tryBuildGetByIDList): 4419 (JSC::buildGetByIDList): 4420 (JSC::appropriateGenericPutByIdFunction): 4421 (JSC::appropriateListBuildingPutByIdFunction): 4422 (JSC::emitPutReplaceStub): 4423 (JSC::emitPutTransitionStub): 4424 (JSC::tryCachePutByID): 4425 (JSC::repatchPutByID): 4426 (JSC::tryBuildPutByIdList): 4427 (JSC::buildPutByIdList): 4428 (JSC::tryRepatchIn): 4429 (JSC::repatchIn): 4430 (JSC::linkSlowFor): 4431 (JSC::linkFor): 4432 (JSC::linkClosureCall): 4433 (JSC::resetGetByID): 4434 (JSC::resetPutByID): 4435 (JSC::resetIn): 4436 * jit/Repatch.h: Added. 4437 (JSC::resetGetByID): 4438 (JSC::resetPutByID): 4439 (JSC::resetIn): 4440 * jit/ScratchRegisterAllocator.h: Added. 4441 (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator): 4442 (JSC::ScratchRegisterAllocator::lock): 4443 (JSC::ScratchRegisterAllocator::allocateScratch): 4444 (JSC::ScratchRegisterAllocator::allocateScratchGPR): 4445 (JSC::ScratchRegisterAllocator::allocateScratchFPR): 4446 (JSC::ScratchRegisterAllocator::didReuseRegisters): 4447 (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing): 4448 (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping): 4449 (JSC::ScratchRegisterAllocator::desiredScratchBufferSize): 4450 (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer): 4451 (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer): 4452 * jit/ThunkGenerators.cpp: 4453 (JSC::oldStyleGenerateSlowCaseFor): 4454 (JSC::oldStyleLinkForGenerator): 4455 (JSC::oldStyleLinkCallGenerator): 4456 (JSC::oldStyleLinkConstructGenerator): 4457 (JSC::oldStyleLinkClosureCallGenerator): 4458 (JSC::oldStyleVirtualForGenerator): 4459 (JSC::oldStyleVirtualCallGenerator): 4460 (JSC::oldStyleVirtualConstructGenerator): 4461 (JSC::emitPointerValidation): 4462 (JSC::throwExceptionFromCallSlowPathGenerator): 4463 (JSC::slowPathFor): 4464 (JSC::linkForThunkGenerator): 4465 (JSC::linkCallThunkGenerator): 4466 (JSC::linkConstructThunkGenerator): 4467 (JSC::linkClosureCallThunkGenerator): 4468 (JSC::virtualForThunkGenerator): 4469 (JSC::virtualCallThunkGenerator): 4470 (JSC::virtualConstructThunkGenerator): 4471 * jit/ThunkGenerators.h: 4472 44732013-09-21 Anders Carlsson <andersca@apple.com> 4474 4475 Fix the non-DFG build. 4476 4477 * interpreter/Interpreter.cpp: 4478 (JSC::unwindCallFrame): 4479 * interpreter/StackVisitor.cpp: 4480 (JSC::StackVisitor::Frame::r): 4481 44822013-09-21 Filip Pizlo <fpizlo@apple.com> 4483 4484 Get rid of IsInlinedCodeTag and its associated methods since it's unused 4485 https://bugs.webkit.org/show_bug.cgi?id=121737 4486 4487 Reviewed by Sam Weinig. 4488 4489 This was meant to be easy, but I kept wondering if it was safe to remove the 4490 inline call frame check in Arguments::tearOff(). The check was clearly dead 4491 since the bit wasn't being set anywhere. 4492 4493 It turns out that the unwindCallFrame() function was relying on tearOff() 4494 doing the right thing for inlined code, but it wasn't even passing it an 4495 inline call frame. I fixed this by having unwindCallFrame() inlining check, 4496 while also making sure that the code uses the right operand index for the 4497 arguments register. 4498 4499 * interpreter/CallFrame.h: 4500 * interpreter/CallFrameInlines.h: 4501 * interpreter/Interpreter.cpp: 4502 (JSC::unwindCallFrame): 4503 * interpreter/StackVisitor.cpp: 4504 (JSC::StackVisitor::Frame::r): 4505 * interpreter/StackVisitor.h: 4506 * runtime/Arguments.cpp: 4507 (JSC::Arguments::tearOff): 4508 45092013-09-20 Mark Hahnenberg <mhahnenberg@apple.com> 4510 4511 (un)shiftCountWithAnyIndexingType will start over in the middle of copying if it sees a hole 4512 https://bugs.webkit.org/show_bug.cgi?id=121717 4513 4514 Reviewed by Oliver Hunt. 4515 4516 This bug caused the array to become corrupted. We now check for holes before we start moving things, 4517 and start moving things only once we've determined that there are none. 4518 4519 * runtime/JSArray.cpp: 4520 (JSC::JSArray::shiftCountWithAnyIndexingType): 4521 (JSC::JSArray::unshiftCountWithAnyIndexingType): 4522 45232013-09-20 Filip Pizlo <fpizlo@apple.com> 4524 4525 REGRESSION(r156047): WebCore hangs inside JSC::toInt32(double) 4526 https://bugs.webkit.org/show_bug.cgi?id=121648 4527 4528 Reviewed by Mark Hahnenberg. 4529 4530 The Int52<->StrictInt52 conversion did the opposite fill() than what it was 4531 supposed to. For example when converting a Int52 to a StrictInt52 it would fill 4532 as Int52, and vice-versa. 4533 4534 * dfg/DFGSpeculativeJIT64.cpp: 4535 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): 4536 45372013-09-20 Oliver Hunt <oliver@apple.com> 4538 4539 REGRESSION(r153215): New iCloud site crashes 4540 https://bugs.webkit.org/show_bug.cgi?id=121710 4541 4542 Reviewed by Filip Pizlo. 4543 4544 Don't claim to be able to rely on the arguments structure, use the Arguments 4545 speculation type 4546 4547 * dfg/DFGAbstractInterpreterInlines.h: 4548 (JSC::DFG::::executeEffects): 4549 45502013-09-20 Mark Hahnenberg <mhahnenberg@apple.com> 4551 4552 Clobberize phase forgets to indicate that it writes GCState for several node types 4553 https://bugs.webkit.org/show_bug.cgi?id=121702 4554 4555 Reviewed by Oliver Hunt. 4556 4557 Added read and write for GCState to the nodes that could end up allocating (and thereby 4558 cause a garbage collection). 4559 4560 * dfg/DFGClobberize.h: 4561 (JSC::DFG::clobberize): 4562 45632013-09-19 Filip Pizlo <fpizlo@apple.com> 4564 4565 Move CCallHelpers and AssemblyHelpers into jit/ and have JSInterfaceJIT use them 4566 https://bugs.webkit.org/show_bug.cgi?id=121637 4567 4568 Rubber stamped by Michael Saboff. 4569 4570 Also moved GPRInfo/FPRInfo into jit/. Rolling back in after fixing JIT-only build 4571 and tests. 4572 4573 * CMakeLists.txt: 4574 * GNUmakefile.list.am: 4575 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 4576 * JavaScriptCore.xcodeproj/project.pbxproj: 4577 * Target.pri: 4578 * bytecode/ValueRecovery.h: 4579 (JSC::ValueRecovery::dumpInContext): 4580 * dfg/DFGAssemblyHelpers.cpp: Removed. 4581 * dfg/DFGAssemblyHelpers.h: Removed. 4582 * dfg/DFGBinarySwitch.h: 4583 * dfg/DFGByteCodeParser.cpp: 4584 * dfg/DFGCCallHelpers.h: Removed. 4585 * dfg/DFGDisassembler.cpp: 4586 * dfg/DFGFPRInfo.h: Removed. 4587 * dfg/DFGGPRInfo.h: Removed. 4588 * dfg/DFGGraph.cpp: 4589 * dfg/DFGGraph.h: 4590 * dfg/DFGJITCompiler.h: 4591 * dfg/DFGOSRExit.cpp: 4592 * dfg/DFGOSRExit.h: 4593 * dfg/DFGOSRExitCompiler.h: 4594 * dfg/DFGOSRExitCompilerCommon.h: 4595 * dfg/DFGRegisterBank.h: 4596 * dfg/DFGRegisterSet.h: 4597 * dfg/DFGRepatch.cpp: 4598 * dfg/DFGSilentRegisterSavePlan.h: 4599 * dfg/DFGThunks.cpp: 4600 * dfg/DFGVariableEvent.cpp: 4601 * ftl/FTLCArgumentGetter.h: 4602 (JSC::FTL::CArgumentGetter::CArgumentGetter): 4603 (JSC::FTL::CArgumentGetter::loadNext8): 4604 (JSC::FTL::CArgumentGetter::loadNext32): 4605 (JSC::FTL::CArgumentGetter::loadNext64): 4606 (JSC::FTL::CArgumentGetter::loadNextPtr): 4607 (JSC::FTL::CArgumentGetter::loadNextDouble): 4608 * ftl/FTLCompile.cpp: 4609 * ftl/FTLExitThunkGenerator.h: 4610 * ftl/FTLLink.cpp: 4611 * ftl/FTLThunks.cpp: 4612 * jit/AssemblyHelpers.cpp: Copied from Source/JavaScriptCore/dfg/DFGAssemblyHelpers.cpp. 4613 * jit/AssemblyHelpers.h: Copied from Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h. 4614 (JSC::AssemblyHelpers::AssemblyHelpers): 4615 (JSC::AssemblyHelpers::debugCall): 4616 * jit/CCallHelpers.h: Copied from Source/JavaScriptCore/dfg/DFGCCallHelpers.h. 4617 * jit/FPRInfo.h: Copied from Source/JavaScriptCore/dfg/DFGFPRInfo.h. 4618 (WTF::printInternal): 4619 * jit/GPRInfo.h: Copied from Source/JavaScriptCore/dfg/DFGGPRInfo.h. 4620 (WTF::printInternal): 4621 * jit/JIT.cpp: 4622 (JSC::JIT::JIT): 4623 * jit/JIT.h: 4624 * jit/JITPropertyAccess.cpp: 4625 (JSC::JIT::stringGetByValStubGenerator): 4626 * jit/JITPropertyAccess32_64.cpp: 4627 (JSC::JIT::stringGetByValStubGenerator): 4628 * jit/JSInterfaceJIT.h: 4629 (JSC::JSInterfaceJIT::JSInterfaceJIT): 4630 * jit/SpecializedThunkJIT.h: 4631 (JSC::SpecializedThunkJIT::SpecializedThunkJIT): 4632 (JSC::SpecializedThunkJIT::finalize): 4633 * jit/ThunkGenerators.cpp: 4634 (JSC::linkForGenerator): 4635 (JSC::virtualForGenerator): 4636 (JSC::stringLengthTrampolineGenerator): 4637 (JSC::nativeForGenerator): 4638 (JSC::arityFixup): 4639 (JSC::charCodeAtThunkGenerator): 4640 (JSC::charAtThunkGenerator): 4641 (JSC::fromCharCodeThunkGenerator): 4642 (JSC::sqrtThunkGenerator): 4643 (JSC::floorThunkGenerator): 4644 (JSC::ceilThunkGenerator): 4645 (JSC::roundThunkGenerator): 4646 (JSC::expThunkGenerator): 4647 (JSC::logThunkGenerator): 4648 (JSC::absThunkGenerator): 4649 (JSC::powThunkGenerator): 4650 (JSC::imulThunkGenerator): 4651 * llint/LLIntThunks.cpp: 4652 (JSC::LLInt::generateThunkWithJumpTo): 4653 * runtime/JSCJSValue.h: 4654 46552013-09-20 Allan Sandfeld Jensen <allan.jensen@digia.com> 4656 4657 Inline method exported 4658 https://bugs.webkit.org/show_bug.cgi?id=121664 4659 4660 Reviewed by Darin Adler. 4661 4662 WatchDog::didFire() is marked as an exported symbol eventhough it is 4663 defined inline. This breaks the build on MinGW since it results in dllimport 4664 being declared on a definition. 4665 4666 * runtime/Watchdog.h: 4667 (JSC::Watchdog::didFire): 4668 46692013-09-20 Patrick Gansterer <paroga@webkit.org> 4670 4671 [CMake] Use COMPILE_DEFINITIONS target property for setting BUILDING_* defines 4672 https://bugs.webkit.org/show_bug.cgi?id=121672 4673 4674 Reviewed by Gyuyoung Kim. 4675 4676 Since the scope of add_definitions() is always a whole file, we need to use 4677 target properties instead to set definitions only for specific targets. 4678 4679 * CMakeLists.txt: 4680 46812013-09-19 Commit Queue <commit-queue@webkit.org> 4682 4683 Unreviewed, rolling out r156120. 4684 http://trac.webkit.org/changeset/156120 4685 https://bugs.webkit.org/show_bug.cgi?id=121651 4686 4687 Broke windows runtime and all tests (Requested by bfulgham on 4688 #webkit). 4689 4690 * CMakeLists.txt: 4691 * GNUmakefile.list.am: 4692 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 4693 * JavaScriptCore.xcodeproj/project.pbxproj: 4694 * Target.pri: 4695 * bytecode/ValueRecovery.h: 4696 (JSC::ValueRecovery::dumpInContext): 4697 * dfg/DFGAssemblyHelpers.cpp: Renamed from Source/JavaScriptCore/jit/AssemblyHelpers.cpp. 4698 (JSC::DFG::AssemblyHelpers::executableFor): 4699 (JSC::DFG::AssemblyHelpers::decodedCodeMapFor): 4700 (JSC::DFG::AssemblyHelpers::setSamplingFlag): 4701 (JSC::DFG::AssemblyHelpers::clearSamplingFlag): 4702 (JSC::DFG::AssemblyHelpers::jitAssertIsInt32): 4703 (JSC::DFG::AssemblyHelpers::jitAssertIsJSInt32): 4704 (JSC::DFG::AssemblyHelpers::jitAssertIsJSNumber): 4705 (JSC::DFG::AssemblyHelpers::jitAssertIsJSDouble): 4706 (JSC::DFG::AssemblyHelpers::jitAssertIsCell): 4707 (JSC::DFG::AssemblyHelpers::jitAssertHasValidCallFrame): 4708 * dfg/DFGAssemblyHelpers.h: Renamed from Source/JavaScriptCore/jit/AssemblyHelpers.h. 4709 (JSC::DFG::AssemblyHelpers::AssemblyHelpers): 4710 (JSC::DFG::AssemblyHelpers::codeBlock): 4711 (JSC::DFG::AssemblyHelpers::vm): 4712 (JSC::DFG::AssemblyHelpers::assembler): 4713 (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall): 4714 (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn): 4715 (JSC::DFG::AssemblyHelpers::emitGetFromCallFrameHeaderPtr): 4716 (JSC::DFG::AssemblyHelpers::emitPutToCallFrameHeader): 4717 (JSC::DFG::AssemblyHelpers::emitPutImmediateToCallFrameHeader): 4718 (JSC::DFG::AssemblyHelpers::branchIfNotCell): 4719 (JSC::DFG::AssemblyHelpers::addressFor): 4720 (JSC::DFG::AssemblyHelpers::tagFor): 4721 (JSC::DFG::AssemblyHelpers::payloadFor): 4722 (JSC::DFG::AssemblyHelpers::branchIfNotObject): 4723 (JSC::DFG::AssemblyHelpers::selectScratchGPR): 4724 (JSC::DFG::AssemblyHelpers::debugCall): 4725 (JSC::DFG::AssemblyHelpers::jitAssertIsInt32): 4726 (JSC::DFG::AssemblyHelpers::jitAssertIsJSInt32): 4727 (JSC::DFG::AssemblyHelpers::jitAssertIsJSNumber): 4728 (JSC::DFG::AssemblyHelpers::jitAssertIsJSDouble): 4729 (JSC::DFG::AssemblyHelpers::jitAssertIsCell): 4730 (JSC::DFG::AssemblyHelpers::jitAssertHasValidCallFrame): 4731 (JSC::DFG::AssemblyHelpers::boxDouble): 4732 (JSC::DFG::AssemblyHelpers::unboxDouble): 4733 (JSC::DFG::AssemblyHelpers::boxInt52): 4734 (JSC::DFG::AssemblyHelpers::emitExceptionCheck): 4735 (JSC::DFG::AssemblyHelpers::emitCount): 4736 (JSC::DFG::AssemblyHelpers::globalObjectFor): 4737 (JSC::DFG::AssemblyHelpers::strictModeFor): 4738 (JSC::DFG::AssemblyHelpers::baselineCodeBlockFor): 4739 (JSC::DFG::AssemblyHelpers::baselineCodeBlock): 4740 (JSC::DFG::AssemblyHelpers::argumentsRegisterFor): 4741 (JSC::DFG::AssemblyHelpers::symbolTableFor): 4742 (JSC::DFG::AssemblyHelpers::offsetOfLocals): 4743 (JSC::DFG::AssemblyHelpers::offsetOfArgumentsIncludingThis): 4744 * dfg/DFGBinarySwitch.h: 4745 * dfg/DFGByteCodeParser.cpp: 4746 * dfg/DFGCCallHelpers.h: Renamed from Source/JavaScriptCore/jit/CCallHelpers.h. 4747 (JSC::DFG::CCallHelpers::CCallHelpers): 4748 (JSC::DFG::CCallHelpers::resetCallArguments): 4749 (JSC::DFG::CCallHelpers::addCallArgument): 4750 (JSC::DFG::CCallHelpers::setupArguments): 4751 (JSC::DFG::CCallHelpers::setupArgumentsExecState): 4752 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState): 4753 (JSC::DFG::CCallHelpers::setupTwoStubArgs): 4754 (JSC::DFG::CCallHelpers::setupStubArguments): 4755 (JSC::DFG::CCallHelpers::setupResults): 4756 * dfg/DFGDisassembler.cpp: 4757 * dfg/DFGFPRInfo.h: Renamed from Source/JavaScriptCore/jit/FPRInfo.h. 4758 (JSC::DFG::FPRInfo::toRegister): 4759 (JSC::DFG::FPRInfo::toIndex): 4760 (JSC::DFG::FPRInfo::toArgumentRegister): 4761 (JSC::DFG::FPRInfo::debugName): 4762 * dfg/DFGGPRInfo.h: Renamed from Source/JavaScriptCore/jit/GPRInfo.h. 4763 (JSC::DFG::JSValueRegs::JSValueRegs): 4764 (JSC::DFG::JSValueRegs::payloadOnly): 4765 (JSC::DFG::JSValueRegs::operator!): 4766 (JSC::DFG::JSValueRegs::gpr): 4767 (JSC::DFG::JSValueRegs::payloadGPR): 4768 (JSC::DFG::JSValueSource::JSValueSource): 4769 (JSC::DFG::JSValueSource::unboxedCell): 4770 (JSC::DFG::JSValueSource::operator!): 4771 (JSC::DFG::JSValueSource::isAddress): 4772 (JSC::DFG::JSValueSource::offset): 4773 (JSC::DFG::JSValueSource::base): 4774 (JSC::DFG::JSValueSource::gpr): 4775 (JSC::DFG::JSValueSource::asAddress): 4776 (JSC::DFG::JSValueSource::notAddress): 4777 (JSC::DFG::JSValueRegs::tagGPR): 4778 (JSC::DFG::JSValueSource::tagGPR): 4779 (JSC::DFG::JSValueSource::payloadGPR): 4780 (JSC::DFG::JSValueSource::hasKnownTag): 4781 (JSC::DFG::JSValueSource::tag): 4782 (JSC::DFG::GPRInfo::toRegister): 4783 (JSC::DFG::GPRInfo::toIndex): 4784 (JSC::DFG::GPRInfo::debugName): 4785 (JSC::DFG::GPRInfo::toArgumentRegister): 4786 * dfg/DFGGraph.cpp: 4787 * dfg/DFGGraph.h: 4788 * dfg/DFGJITCompiler.h: 4789 * dfg/DFGOSRExit.cpp: 4790 * dfg/DFGOSRExit.h: 4791 * dfg/DFGOSRExitCompiler.h: 4792 * dfg/DFGOSRExitCompilerCommon.h: 4793 * dfg/DFGRegisterBank.h: 4794 * dfg/DFGRegisterSet.h: 4795 * dfg/DFGRepatch.cpp: 4796 * dfg/DFGSilentRegisterSavePlan.h: 4797 * dfg/DFGThunks.cpp: 4798 * dfg/DFGVariableEvent.cpp: 4799 * ftl/FTLCArgumentGetter.h: 4800 (JSC::FTL::CArgumentGetter::CArgumentGetter): 4801 (JSC::FTL::CArgumentGetter::loadNext8): 4802 (JSC::FTL::CArgumentGetter::loadNext32): 4803 (JSC::FTL::CArgumentGetter::loadNext64): 4804 (JSC::FTL::CArgumentGetter::loadNextPtr): 4805 (JSC::FTL::CArgumentGetter::loadNextDouble): 4806 * ftl/FTLCompile.cpp: 4807 * ftl/FTLExitThunkGenerator.h: 4808 * ftl/FTLLink.cpp: 4809 * ftl/FTLThunks.cpp: 4810 * jit/JIT.cpp: 4811 (JSC::JIT::JIT): 4812 * jit/JIT.h: 4813 * jit/JITPropertyAccess.cpp: 4814 (JSC::JIT::stringGetByValStubGenerator): 4815 * jit/JITPropertyAccess32_64.cpp: 4816 (JSC::JIT::stringGetByValStubGenerator): 4817 * jit/JSInterfaceJIT.h: 4818 (JSC::JSInterfaceJIT::preserveReturnAddressAfterCall): 4819 (JSC::JSInterfaceJIT::restoreReturnAddressBeforeReturn): 4820 * jit/SpecializedThunkJIT.h: 4821 (JSC::SpecializedThunkJIT::SpecializedThunkJIT): 4822 (JSC::SpecializedThunkJIT::finalize): 4823 * jit/ThunkGenerators.cpp: 4824 (JSC::linkForGenerator): 4825 (JSC::virtualForGenerator): 4826 (JSC::stringLengthTrampolineGenerator): 4827 (JSC::nativeForGenerator): 4828 (JSC::arityFixup): 4829 (JSC::charCodeAtThunkGenerator): 4830 (JSC::charAtThunkGenerator): 4831 (JSC::fromCharCodeThunkGenerator): 4832 (JSC::sqrtThunkGenerator): 4833 (JSC::floorThunkGenerator): 4834 (JSC::ceilThunkGenerator): 4835 (JSC::roundThunkGenerator): 4836 (JSC::expThunkGenerator): 4837 (JSC::logThunkGenerator): 4838 (JSC::absThunkGenerator): 4839 (JSC::powThunkGenerator): 4840 (JSC::imulThunkGenerator): 4841 * llint/LLIntThunks.cpp: 4842 (JSC::LLInt::generateThunkWithJumpTo): 4843 * runtime/JSCJSValue.h: 4844 48452013-09-19 Filip Pizlo <fpizlo@apple.com> 4846 4847 Unreviewed, fix Windows build part 2. m_jitCodeMap should always be there. 4848 4849 * bytecode/CodeBlock.h: 4850 (JSC::CodeBlock::jitCodeMap): 4851 48522013-09-19 Filip Pizlo <fpizlo@apple.com> 4853 4854 Remove some of the tautologies in DFGRepatch function naming. 4855 4856 Rubber stamped by Mark Hahnenberg. 4857 4858 For example change DFG::dfgLinkFor() to be DFG::linkFor(). 4859 4860 * bytecode/CodeBlock.cpp: 4861 (JSC::CodeBlock::resetStubInternal): 4862 * dfg/DFGOperations.cpp: 4863 * dfg/DFGRepatch.cpp: 4864 (JSC::DFG::repatchCall): 4865 (JSC::DFG::repatchByIdSelfAccess): 4866 (JSC::DFG::tryCacheGetByID): 4867 (JSC::DFG::repatchGetByID): 4868 (JSC::DFG::buildGetByIDList): 4869 (JSC::DFG::tryCachePutByID): 4870 (JSC::DFG::repatchPutByID): 4871 (JSC::DFG::buildPutByIdList): 4872 (JSC::DFG::repatchIn): 4873 (JSC::DFG::linkFor): 4874 (JSC::DFG::linkSlowFor): 4875 (JSC::DFG::linkClosureCall): 4876 (JSC::DFG::resetGetByID): 4877 (JSC::DFG::resetPutByID): 4878 (JSC::DFG::resetIn): 4879 * dfg/DFGRepatch.h: 4880 (JSC::DFG::resetGetByID): 4881 (JSC::DFG::resetPutByID): 4882 (JSC::DFG::resetIn): 4883 48842013-09-19 Filip Pizlo <fpizlo@apple.com> 4885 4886 Unreviewed, fix Windows build. ScratchBuffer should always be available regardless of 4887 ENABLE_DFG_JIT. 4888 4889 * runtime/VM.h: 4890 48912013-09-19 Daniel Bates <dabates@apple.com> 4892 4893 [iOS] Add more iOS logic to the JavaScriptCore build configuration files 4894 https://bugs.webkit.org/show_bug.cgi?id=121635 4895 4896 Reviewed by Geoffrey Garen. 4897 4898 Towards building JavaScriptCore for both OS X and iOS using the same 4899 set of configuration files, add more iOS logic. 4900 4901 * Configurations/Base.xcconfig: 4902 * Configurations/JSC.xcconfig: 4903 * Configurations/JavaScriptCore.xcconfig: 4904 * Configurations/ToolExecutable.xcconfig: 4905 49062013-09-19 Filip Pizlo <fpizlo@apple.com> 4907 4908 Move CCallHelpers and AssemblyHelpers into jit/ and have JSInterfaceJIT use them 4909 https://bugs.webkit.org/show_bug.cgi?id=121637 4910 4911 Rubber stamped by Michael Saboff. 4912 4913 Also moved GPRInfo/FPRInfo into jit/. 4914 4915 * CMakeLists.txt: 4916 * GNUmakefile.list.am: 4917 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 4918 * JavaScriptCore.xcodeproj/project.pbxproj: 4919 * Target.pri: 4920 * bytecode/ValueRecovery.h: 4921 (JSC::ValueRecovery::dumpInContext): 4922 * dfg/DFGAssemblyHelpers.cpp: Removed. 4923 * dfg/DFGAssemblyHelpers.h: Removed. 4924 * dfg/DFGBinarySwitch.h: 4925 * dfg/DFGByteCodeParser.cpp: 4926 * dfg/DFGCCallHelpers.h: Removed. 4927 * dfg/DFGDisassembler.cpp: 4928 * dfg/DFGFPRInfo.h: Removed. 4929 * dfg/DFGGPRInfo.h: Removed. 4930 * dfg/DFGGraph.cpp: 4931 * dfg/DFGGraph.h: 4932 * dfg/DFGJITCompiler.h: 4933 * dfg/DFGOSRExit.cpp: 4934 * dfg/DFGOSRExit.h: 4935 * dfg/DFGOSRExitCompiler.h: 4936 * dfg/DFGOSRExitCompilerCommon.h: 4937 * dfg/DFGRegisterBank.h: 4938 * dfg/DFGRegisterSet.h: 4939 * dfg/DFGRepatch.cpp: 4940 * dfg/DFGSilentRegisterSavePlan.h: 4941 * dfg/DFGThunks.cpp: 4942 * dfg/DFGVariableEvent.cpp: 4943 * ftl/FTLCArgumentGetter.h: 4944 (JSC::FTL::CArgumentGetter::CArgumentGetter): 4945 (JSC::FTL::CArgumentGetter::loadNext8): 4946 (JSC::FTL::CArgumentGetter::loadNext32): 4947 (JSC::FTL::CArgumentGetter::loadNext64): 4948 (JSC::FTL::CArgumentGetter::loadNextPtr): 4949 (JSC::FTL::CArgumentGetter::loadNextDouble): 4950 * ftl/FTLCompile.cpp: 4951 * ftl/FTLExitThunkGenerator.h: 4952 * ftl/FTLLink.cpp: 4953 * ftl/FTLThunks.cpp: 4954 * jit/AssemblyHelpers.cpp: Copied from Source/JavaScriptCore/dfg/DFGAssemblyHelpers.cpp. 4955 * jit/AssemblyHelpers.h: Copied from Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h. 4956 (JSC::AssemblyHelpers::AssemblyHelpers): 4957 (JSC::AssemblyHelpers::debugCall): 4958 * jit/CCallHelpers.h: Copied from Source/JavaScriptCore/dfg/DFGCCallHelpers.h. 4959 * jit/FPRInfo.h: Copied from Source/JavaScriptCore/dfg/DFGFPRInfo.h. 4960 (WTF::printInternal): 4961 * jit/GPRInfo.h: Copied from Source/JavaScriptCore/dfg/DFGGPRInfo.h. 4962 (WTF::printInternal): 4963 * jit/JIT.cpp: 4964 (JSC::JIT::JIT): 4965 * jit/JIT.h: 4966 * jit/JITPropertyAccess.cpp: 4967 (JSC::JIT::stringGetByValStubGenerator): 4968 * jit/JITPropertyAccess32_64.cpp: 4969 (JSC::JIT::stringGetByValStubGenerator): 4970 * jit/JSInterfaceJIT.h: 4971 (JSC::JSInterfaceJIT::JSInterfaceJIT): 4972 * jit/SpecializedThunkJIT.h: 4973 (JSC::SpecializedThunkJIT::SpecializedThunkJIT): 4974 (JSC::SpecializedThunkJIT::finalize): 4975 * jit/ThunkGenerators.cpp: 4976 (JSC::linkForGenerator): 4977 (JSC::virtualForGenerator): 4978 (JSC::stringLengthTrampolineGenerator): 4979 (JSC::nativeForGenerator): 4980 (JSC::arityFixup): 4981 (JSC::charCodeAtThunkGenerator): 4982 (JSC::charAtThunkGenerator): 4983 (JSC::fromCharCodeThunkGenerator): 4984 (JSC::sqrtThunkGenerator): 4985 (JSC::floorThunkGenerator): 4986 (JSC::ceilThunkGenerator): 4987 (JSC::roundThunkGenerator): 4988 (JSC::expThunkGenerator): 4989 (JSC::logThunkGenerator): 4990 (JSC::absThunkGenerator): 4991 (JSC::powThunkGenerator): 4992 (JSC::imulThunkGenerator): 4993 * llint/LLIntThunks.cpp: 4994 (JSC::LLInt::generateThunkWithJumpTo): 4995 * runtime/JSCJSValue.h: 4996 49972013-09-19 Daniel Bates <dabates@apple.com> 4998 4999 [iOS] Substitute UNREACHABLE_FOR_PLATFORM() for RELEASE_ASSERT_NOT_REACHED() 5000 5001 Rubber-stamped by Joseph Pecoraro. 5002 5003 Use UNREACHABLE_FOR_PLATFORM() instead of RELEASE_ASSERT_NOT_REACHED() in 5004 the non-x86/x86-64 variant of JIT::emitSlow_op_mod() so as to avoid a missing 5005 noreturn warning in Clang while simultaneously asserting unreachable code. 5006 5007 * jit/JITArithmetic.cpp: 5008 (JSC::JIT::emitSlow_op_mod): 5009 50102013-09-19 Michael Saboff <msaboff@apple.com> 5011 5012 JSC: X86 disassembler shows 16, 32 and 64 bit displacements as unsigned 5013 https://bugs.webkit.org/show_bug.cgi?id=121625 5014 5015 Rubber-stamped by Filip Pizlo. 5016 5017 Chenged 16, 32 and 64 bit offsets to be signed. Kept the original tab indented 5018 spacing to match the rest of the file. 5019 5020 * disassembler/udis86/udis86_syn-att.c: 5021 (gen_operand): 5022 50232013-09-19 Daniel Bates <dabates@apple.com> 5024 5025 Remove names of unused arguments from the non-x86/x86-64 function prototype 5026 for JIT::emitSlow_op_mod() 5027 5028 Rubber-stamped by Ryosuke Niwa. 5029 5030 * jit/JITArithmetic.cpp: 5031 (JSC::JIT::emitSlow_op_mod): 5032 50332013-09-18 Sam Weinig <sam@webkit.org> 5034 5035 Replace use of OwnArrayPtr<Foo> with std::unique_ptr<Foo[]> in JavaScriptCore 5036 https://bugs.webkit.org/show_bug.cgi?id=121583 5037 5038 Reviewed by Anders Carlsson. 5039 5040 * API/JSStringRefCF.cpp: 5041 (JSStringCreateWithCFString): 5042 * API/JSStringRefQt.cpp: 5043 * bytecompiler/BytecodeGenerator.cpp: 5044 (JSC::BytecodeGenerator::BytecodeGenerator): 5045 * dfg/DFGByteCodeParser.cpp: 5046 (JSC::DFG::ByteCodeParser::parseBlock): 5047 * dfg/DFGDisassembler.cpp: 5048 (JSC::DFG::Disassembler::dumpDisassembly): 5049 * runtime/Arguments.cpp: 5050 (JSC::Arguments::tearOff): 5051 * runtime/Arguments.h: 5052 (JSC::Arguments::isTornOff): 5053 (JSC::Arguments::allocateSlowArguments): 5054 * runtime/JSPropertyNameIterator.cpp: 5055 (JSC::JSPropertyNameIterator::JSPropertyNameIterator): 5056 * runtime/JSPropertyNameIterator.h: 5057 * runtime/JSSegmentedVariableObject.h: 5058 * runtime/JSVariableObject.h: 5059 * runtime/PropertyNameArray.h: 5060 * runtime/RegExp.cpp: 5061 * runtime/StructureChain.h: 5062 (JSC::StructureChain::finishCreation): 5063 * runtime/SymbolTable.h: 5064 (JSC::SharedSymbolTable::setSlowArguments): 5065 50662013-09-18 Brent Fulgham <bfulgham@apple.com> 5067 5068 [Windows] Unreviewed build fix after r156064. 5069 5070 * jsc.cpp: 5071 (jscmain): Need a temporary to perform '&' in VS2010. 5072 50732013-09-18 Filip Pizlo <fpizlo@apple.com> 5074 5075 Give 'jsc' commandline an option to disable deleting the VM. 5076 5077 Reviewed by Mark Hahnenberg. 5078 5079 * jsc.cpp: 5080 (jscmain): 5081 * runtime/Options.h: 5082 50832013-09-18 Anders Carlsson <andersca@apple.com> 5084 5085 RefPtrHashMap should work with move only types 5086 https://bugs.webkit.org/show_bug.cgi?id=121564 5087 5088 Reviewed by Andreas Kling. 5089 5090 * runtime/VM.cpp: 5091 (JSC::VM::addSourceProviderCache): 5092 50932013-09-17 Mark Hahnenberg <mhahnenberg@apple.com> 5094 5095 Rename OperationInProgress to HeapOperation and move it out of Heap.h into its own header 5096 https://bugs.webkit.org/show_bug.cgi?id=121534 5097 5098 Reviewed by Geoffrey Garen. 5099 5100 OperationInProgress is a silly name. 5101 5102 Many parts of the Heap would like to know what HeapOperation is currently underway, but 5103 since they are included in Heap.h they can't directly reference HeapOperation if it also 5104 lives in Heap.h. The simplest thing to do is to give HeapOperation its own header. While 5105 a bit overkill, it simplifies including it wherever its needed. 5106 5107 * JavaScriptCore.xcodeproj/project.pbxproj: 5108 * bytecode/CodeBlock.cpp: 5109 (JSC::CodeBlock::updateAllPredictionsAndCountLiveness): 5110 (JSC::CodeBlock::updateAllValueProfilePredictions): 5111 (JSC::CodeBlock::updateAllPredictions): 5112 * bytecode/CodeBlock.h: 5113 (JSC::CodeBlock::updateAllValueProfilePredictions): 5114 (JSC::CodeBlock::updateAllPredictions): 5115 * bytecode/LazyOperandValueProfile.cpp: 5116 (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions): 5117 * bytecode/LazyOperandValueProfile.h: 5118 * bytecode/ValueProfile.h: 5119 (JSC::ValueProfileBase::computeUpdatedPrediction): 5120 * heap/Heap.h: 5121 * heap/HeapOperation.h: Added. 5122 51232013-09-18 Filip Pizlo <fpizlo@apple.com> 5124 5125 DFG should support Int52 for local variables 5126 https://bugs.webkit.org/show_bug.cgi?id=121064 5127 5128 Reviewed by Oliver Hunt. 5129 5130 This adds Int52 support for local variables to the DFG and FTL. It's a speed-up on 5131 programs that have local int32 overflows but where a larger int representation can 5132 prevent us from having to convert all the way up to double. 5133 5134 It's a small speed-up for now. But we're just supporting Int52 for a handful of 5135 operations (add, sub, mul, neg, compare, bitops, typed array access) and this lays 5136 the groundwork for adding Int52 to JSValue, which will probably be a bigger 5137 speed-up. 5138 5139 The basic approach is: 5140 5141 - We have a notion of Int52 in our typesystem. Int52 doesn't belong to BytecodeTop 5142 or HeapTop - i.e. it doesn't arise from JSValues. 5143 5144 - DFG treats Int52 as being part of its FullTop and will treat it as being a 5145 subtype of double unless instructed otherwise. 5146 5147 - Prediction propagator creates Int52s whenever we have a node going doubly but due 5148 to large values rather than fractional values, and that node is known to be able 5149 to produce Int52 natively in the DFG backend. 5150 5151 - Fixup phase converts edges to MachineIntUses in nodes that are known to be able 5152 to deal with Int52, and where we have a subtype of Int32|Int52 as the predicted 5153 input. 5154 5155 - The DFG backend and FTL LLVM IR lowering have two notions of Int52s - ones that 5156 are left-shifted by 16 (great for overflow checks) and ones that are 5157 sign-extended. Both backends know how to convert between Int52s and the other 5158 representations. 5159 5160 * assembler/MacroAssemblerX86_64.h: 5161 (JSC::MacroAssemblerX86_64::rshift64): 5162 (JSC::MacroAssemblerX86_64::mul64): 5163 (JSC::MacroAssemblerX86_64::branchMul64): 5164 (JSC::MacroAssemblerX86_64::branchNeg64): 5165 (JSC::MacroAssemblerX86_64::convertInt64ToDouble): 5166 * assembler/X86Assembler.h: 5167 (JSC::X86Assembler::imulq_rr): 5168 (JSC::X86Assembler::cvtsi2sdq_rr): 5169 * bytecode/DataFormat.h: 5170 (JSC::dataFormatToString): 5171 * bytecode/ExitKind.cpp: 5172 (JSC::exitKindToString): 5173 * bytecode/ExitKind.h: 5174 * bytecode/OperandsInlines.h: 5175 (JSC::::dumpInContext): 5176 * bytecode/SpeculatedType.cpp: 5177 (JSC::dumpSpeculation): 5178 (JSC::speculationToAbbreviatedString): 5179 (JSC::speculationFromValue): 5180 * bytecode/SpeculatedType.h: 5181 (JSC::isInt32SpeculationForArithmetic): 5182 (JSC::isInt52Speculation): 5183 (JSC::isMachineIntSpeculationForArithmetic): 5184 (JSC::isInt52AsDoubleSpeculation): 5185 (JSC::isBytecodeRealNumberSpeculation): 5186 (JSC::isFullRealNumberSpeculation): 5187 (JSC::isBytecodeNumberSpeculation): 5188 (JSC::isFullNumberSpeculation): 5189 (JSC::isBytecodeNumberSpeculationExpectingDefined): 5190 (JSC::isFullNumberSpeculationExpectingDefined): 5191 * bytecode/ValueRecovery.h: 5192 (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt52): 5193 (JSC::ValueRecovery::inGPR): 5194 (JSC::ValueRecovery::displacedInJSStack): 5195 (JSC::ValueRecovery::isAlreadyInJSStack): 5196 (JSC::ValueRecovery::gpr): 5197 (JSC::ValueRecovery::virtualRegister): 5198 (JSC::ValueRecovery::dumpInContext): 5199 * dfg/DFGAbstractInterpreter.h: 5200 (JSC::DFG::AbstractInterpreter::needsTypeCheck): 5201 (JSC::DFG::AbstractInterpreter::filterByType): 5202 * dfg/DFGAbstractInterpreterInlines.h: 5203 (JSC::DFG::::executeEffects): 5204 * dfg/DFGAbstractValue.cpp: 5205 (JSC::DFG::AbstractValue::set): 5206 (JSC::DFG::AbstractValue::checkConsistency): 5207 * dfg/DFGAbstractValue.h: 5208 (JSC::DFG::AbstractValue::couldBeType): 5209 (JSC::DFG::AbstractValue::isType): 5210 (JSC::DFG::AbstractValue::checkConsistency): 5211 (JSC::DFG::AbstractValue::validateType): 5212 * dfg/DFGArrayMode.cpp: 5213 (JSC::DFG::ArrayMode::refine): 5214 * dfg/DFGAssemblyHelpers.h: 5215 (JSC::DFG::AssemblyHelpers::boxInt52): 5216 * dfg/DFGByteCodeParser.cpp: 5217 (JSC::DFG::ByteCodeParser::makeSafe): 5218 * dfg/DFGCSEPhase.cpp: 5219 (JSC::DFG::CSEPhase::pureCSE): 5220 (JSC::DFG::CSEPhase::getByValLoadElimination): 5221 (JSC::DFG::CSEPhase::performNodeCSE): 5222 * dfg/DFGClobberize.h: 5223 (JSC::DFG::clobberize): 5224 * dfg/DFGCommon.h: 5225 (JSC::DFG::enableInt52): 5226 * dfg/DFGDCEPhase.cpp: 5227 (JSC::DFG::DCEPhase::fixupBlock): 5228 * dfg/DFGFixupPhase.cpp: 5229 (JSC::DFG::FixupPhase::run): 5230 (JSC::DFG::FixupPhase::fixupNode): 5231 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): 5232 (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): 5233 (JSC::DFG::FixupPhase::observeUseKindOnNode): 5234 (JSC::DFG::FixupPhase::fixEdge): 5235 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): 5236 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd): 5237 * dfg/DFGFlushFormat.cpp: 5238 (WTF::printInternal): 5239 * dfg/DFGFlushFormat.h: 5240 (JSC::DFG::resultFor): 5241 (JSC::DFG::useKindFor): 5242 * dfg/DFGGenerationInfo.h: 5243 (JSC::DFG::GenerationInfo::initInt52): 5244 (JSC::DFG::GenerationInfo::initStrictInt52): 5245 (JSC::DFG::GenerationInfo::isFormat): 5246 (JSC::DFG::GenerationInfo::isInt52): 5247 (JSC::DFG::GenerationInfo::isStrictInt52): 5248 (JSC::DFG::GenerationInfo::fillInt52): 5249 (JSC::DFG::GenerationInfo::fillStrictInt52): 5250 * dfg/DFGGraph.cpp: 5251 (JSC::DFG::Graph::dump): 5252 * dfg/DFGGraph.h: 5253 (JSC::DFG::Graph::addShouldSpeculateMachineInt): 5254 (JSC::DFG::Graph::mulShouldSpeculateMachineInt): 5255 (JSC::DFG::Graph::negateShouldSpeculateMachineInt): 5256 * dfg/DFGInPlaceAbstractState.cpp: 5257 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): 5258 * dfg/DFGJITCode.cpp: 5259 (JSC::DFG::JITCode::reconstruct): 5260 * dfg/DFGJITCompiler.h: 5261 (JSC::DFG::JITCompiler::noticeOSREntry): 5262 * dfg/DFGMinifiedNode.h: 5263 (JSC::DFG::belongsInMinifiedGraph): 5264 (JSC::DFG::MinifiedNode::hasChild): 5265 * dfg/DFGNode.h: 5266 (JSC::DFG::Node::shouldSpeculateNumber): 5267 (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): 5268 (JSC::DFG::Node::canSpeculateInt52): 5269 * dfg/DFGNodeFlags.h: 5270 (JSC::DFG::nodeCanSpeculateInt52): 5271 * dfg/DFGNodeType.h: 5272 (JSC::DFG::permitsOSRBackwardRewiring): 5273 (JSC::DFG::forwardRewiringSelectionScore): 5274 * dfg/DFGOSREntry.cpp: 5275 (JSC::DFG::prepareOSREntry): 5276 * dfg/DFGOSREntry.h: 5277 * dfg/DFGOSRExitCompiler.cpp: 5278 * dfg/DFGOSRExitCompiler64.cpp: 5279 (JSC::DFG::OSRExitCompiler::compileExit): 5280 * dfg/DFGPredictionPropagationPhase.cpp: 5281 (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction): 5282 (JSC::DFG::PredictionPropagationPhase::propagate): 5283 (JSC::DFG::PredictionPropagationPhase::doDoubleVoting): 5284 * dfg/DFGSafeToExecute.h: 5285 (JSC::DFG::SafeToExecuteEdge::operator()): 5286 (JSC::DFG::safeToExecute): 5287 * dfg/DFGSilentRegisterSavePlan.h: 5288 * dfg/DFGSpeculativeJIT.cpp: 5289 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR): 5290 (JSC::DFG::SpeculativeJIT::silentFill): 5291 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): 5292 (JSC::DFG::SpeculativeJIT::compileInlineStart): 5293 (JSC::DFG::SpeculativeJIT::compileDoublePutByVal): 5294 (JSC::DFG::SpeculativeJIT::compileValueToInt32): 5295 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): 5296 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): 5297 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): 5298 (JSC::DFG::SpeculativeJIT::compileAdd): 5299 (JSC::DFG::SpeculativeJIT::compileArithSub): 5300 (JSC::DFG::SpeculativeJIT::compileArithNegate): 5301 (JSC::DFG::SpeculativeJIT::compileArithMul): 5302 (JSC::DFG::SpeculativeJIT::compare): 5303 (JSC::DFG::SpeculativeJIT::compileStrictEq): 5304 (JSC::DFG::SpeculativeJIT::speculateMachineInt): 5305 (JSC::DFG::SpeculativeJIT::speculateNumber): 5306 (JSC::DFG::SpeculativeJIT::speculateRealNumber): 5307 (JSC::DFG::SpeculativeJIT::speculate): 5308 * dfg/DFGSpeculativeJIT.h: 5309 (JSC::DFG::SpeculativeJIT::canReuse): 5310 (JSC::DFG::SpeculativeJIT::isFilled): 5311 (JSC::DFG::SpeculativeJIT::isFilledDouble): 5312 (JSC::DFG::SpeculativeJIT::use): 5313 (JSC::DFG::SpeculativeJIT::isKnownInteger): 5314 (JSC::DFG::SpeculativeJIT::isKnownCell): 5315 (JSC::DFG::SpeculativeJIT::isKnownNotNumber): 5316 (JSC::DFG::SpeculativeJIT::int52Result): 5317 (JSC::DFG::SpeculativeJIT::strictInt52Result): 5318 (JSC::DFG::SpeculativeJIT::initConstantInfo): 5319 (JSC::DFG::SpeculativeJIT::isInteger): 5320 (JSC::DFG::SpeculativeJIT::betterUseStrictInt52): 5321 (JSC::DFG::SpeculativeJIT::generationInfo): 5322 (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand): 5323 (JSC::DFG::SpeculateInt52Operand::~SpeculateInt52Operand): 5324 (JSC::DFG::SpeculateInt52Operand::edge): 5325 (JSC::DFG::SpeculateInt52Operand::node): 5326 (JSC::DFG::SpeculateInt52Operand::gpr): 5327 (JSC::DFG::SpeculateInt52Operand::use): 5328 (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand): 5329 (JSC::DFG::SpeculateStrictInt52Operand::~SpeculateStrictInt52Operand): 5330 (JSC::DFG::SpeculateStrictInt52Operand::edge): 5331 (JSC::DFG::SpeculateStrictInt52Operand::node): 5332 (JSC::DFG::SpeculateStrictInt52Operand::gpr): 5333 (JSC::DFG::SpeculateStrictInt52Operand::use): 5334 (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand): 5335 (JSC::DFG::SpeculateWhicheverInt52Operand::~SpeculateWhicheverInt52Operand): 5336 (JSC::DFG::SpeculateWhicheverInt52Operand::edge): 5337 (JSC::DFG::SpeculateWhicheverInt52Operand::node): 5338 (JSC::DFG::SpeculateWhicheverInt52Operand::gpr): 5339 (JSC::DFG::SpeculateWhicheverInt52Operand::use): 5340 (JSC::DFG::SpeculateWhicheverInt52Operand::format): 5341 * dfg/DFGSpeculativeJIT32_64.cpp: 5342 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 5343 (JSC::DFG::SpeculativeJIT::compile): 5344 * dfg/DFGSpeculativeJIT64.cpp: 5345 (JSC::DFG::SpeculativeJIT::boxInt52): 5346 (JSC::DFG::SpeculativeJIT::fillJSValue): 5347 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): 5348 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): 5349 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 5350 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 5351 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 5352 (JSC::DFG::SpeculativeJIT::compileInt52Compare): 5353 (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch): 5354 (JSC::DFG::SpeculativeJIT::compile): 5355 * dfg/DFGUseKind.cpp: 5356 (WTF::printInternal): 5357 * dfg/DFGUseKind.h: 5358 (JSC::DFG::typeFilterFor): 5359 (JSC::DFG::isNumerical): 5360 * dfg/DFGValueSource.cpp: 5361 (JSC::DFG::ValueSource::dump): 5362 * dfg/DFGValueSource.h: 5363 (JSC::DFG::dataFormatToValueSourceKind): 5364 (JSC::DFG::valueSourceKindToDataFormat): 5365 (JSC::DFG::ValueSource::forFlushFormat): 5366 (JSC::DFG::ValueSource::valueRecovery): 5367 * dfg/DFGVariableAccessData.h: 5368 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): 5369 (JSC::DFG::VariableAccessData::flushFormat): 5370 * ftl/FTLCArgumentGetter.cpp: 5371 (JSC::FTL::CArgumentGetter::loadNextAndBox): 5372 * ftl/FTLCArgumentGetter.h: 5373 * ftl/FTLCapabilities.cpp: 5374 (JSC::FTL::canCompile): 5375 * ftl/FTLExitValue.cpp: 5376 (JSC::FTL::ExitValue::dumpInContext): 5377 * ftl/FTLExitValue.h: 5378 (JSC::FTL::ExitValue::inJSStackAsInt52): 5379 * ftl/FTLIntrinsicRepository.h: 5380 * ftl/FTLLowerDFGToLLVM.cpp: 5381 (JSC::FTL::LowerDFGToLLVM::createPhiVariables): 5382 (JSC::FTL::LowerDFGToLLVM::compileNode): 5383 (JSC::FTL::LowerDFGToLLVM::compileUpsilon): 5384 (JSC::FTL::LowerDFGToLLVM::compilePhi): 5385 (JSC::FTL::LowerDFGToLLVM::compileSetLocal): 5386 (JSC::FTL::LowerDFGToLLVM::compileAdd): 5387 (JSC::FTL::LowerDFGToLLVM::compileArithSub): 5388 (JSC::FTL::LowerDFGToLLVM::compileArithMul): 5389 (JSC::FTL::LowerDFGToLLVM::compileArithNegate): 5390 (JSC::FTL::LowerDFGToLLVM::compilePutByVal): 5391 (JSC::FTL::LowerDFGToLLVM::compileCompareEq): 5392 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): 5393 (JSC::FTL::LowerDFGToLLVM::compileCompareLess): 5394 (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq): 5395 (JSC::FTL::LowerDFGToLLVM::compileCompareGreater): 5396 (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq): 5397 (JSC::FTL::LowerDFGToLLVM::lowInt32): 5398 (JSC::FTL::LowerDFGToLLVM::lowInt52): 5399 (JSC::FTL::LowerDFGToLLVM::lowStrictInt52): 5400 (JSC::FTL::LowerDFGToLLVM::betterUseStrictInt52): 5401 (JSC::FTL::LowerDFGToLLVM::bestInt52Kind): 5402 (JSC::FTL::LowerDFGToLLVM::opposite): 5403 (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52): 5404 (JSC::FTL::LowerDFGToLLVM::lowCell): 5405 (JSC::FTL::LowerDFGToLLVM::lowBoolean): 5406 (JSC::FTL::LowerDFGToLLVM::lowDouble): 5407 (JSC::FTL::LowerDFGToLLVM::lowJSValue): 5408 (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt32): 5409 (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble): 5410 (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue): 5411 (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): 5412 (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt52): 5413 (JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52): 5414 (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): 5415 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): 5416 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall): 5417 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): 5418 (JSC::FTL::LowerDFGToLLVM::setInt52): 5419 (JSC::FTL::LowerDFGToLLVM::setStrictInt52): 5420 * ftl/FTLOSRExitCompiler.cpp: 5421 (JSC::FTL::compileStub): 5422 * ftl/FTLOutput.h: 5423 (JSC::FTL::Output::addWithOverflow64): 5424 (JSC::FTL::Output::subWithOverflow64): 5425 (JSC::FTL::Output::mulWithOverflow64): 5426 * ftl/FTLValueFormat.cpp: 5427 (WTF::printInternal): 5428 * ftl/FTLValueFormat.h: 5429 * ftl/FTLValueSource.cpp: 5430 (JSC::FTL::ValueSource::dump): 5431 * ftl/FTLValueSource.h: 5432 * interpreter/Register.h: 5433 (JSC::Register::unboxedInt52): 5434 * runtime/Arguments.cpp: 5435 (JSC::Arguments::tearOffForInlineCallFrame): 5436 * runtime/IndexingType.cpp: 5437 (JSC::leastUpperBoundOfIndexingTypeAndType): 5438 * runtime/JSCJSValue.h: 5439 * runtime/JSCJSValueInlines.h: 5440 (JSC::JSValue::isMachineInt): 5441 (JSC::JSValue::asMachineInt): 5442 54432013-09-17 Michael Saboff <msaboff@apple.com> 5444 5445 REGRESSION(r155771): js/stack-overflow-arrity-catch.html is crashing on non-Mac platforms 5446 https://bugs.webkit.org/show_bug.cgi?id=121376 5447 5448 Reviewed by Oliver Hunt. 5449 5450 Fix stack grow() call for stack growing down. This should catch running out of stack space before 5451 we try to move the frame down due to arity mismatch. 5452 5453 * runtime/CommonSlowPaths.h: 5454 (JSC::CommonSlowPaths::arityCheckFor): 5455 54562013-09-18 Andreas Kling <akling@apple.com> 5457 5458 YARR: Put UCS2 canonicalization tables in read-only memory. 5459 <https://webkit.org/b/121547> 5460 5461 Reviewed by Sam Weinig. 5462 5463 These tables never mutate so mark them const. 5464 54652013-09-18 Commit Queue <commit-queue@webkit.org> 5466 5467 Unreviewed, rolling out r156019 and r156020. 5468 http://trac.webkit.org/changeset/156019 5469 http://trac.webkit.org/changeset/156020 5470 https://bugs.webkit.org/show_bug.cgi?id=121540 5471 5472 Broke tests (Requested by ap on #webkit). 5473 5474 * assembler/MacroAssemblerX86_64.h: 5475 * assembler/X86Assembler.h: 5476 * bytecode/DataFormat.h: 5477 (JSC::dataFormatToString): 5478 * bytecode/ExitKind.cpp: 5479 (JSC::exitKindToString): 5480 * bytecode/ExitKind.h: 5481 * bytecode/OperandsInlines.h: 5482 (JSC::::dumpInContext): 5483 * bytecode/SpeculatedType.cpp: 5484 (JSC::dumpSpeculation): 5485 (JSC::speculationToAbbreviatedString): 5486 (JSC::speculationFromValue): 5487 * bytecode/SpeculatedType.h: 5488 (JSC::isInt32SpeculationForArithmetic): 5489 (JSC::isInt48Speculation): 5490 (JSC::isMachineIntSpeculationForArithmetic): 5491 (JSC::isInt48AsDoubleSpeculation): 5492 (JSC::isRealNumberSpeculation): 5493 (JSC::isNumberSpeculation): 5494 (JSC::isNumberSpeculationExpectingDefined): 5495 * bytecode/ValueRecovery.h: 5496 (JSC::ValueRecovery::inGPR): 5497 (JSC::ValueRecovery::displacedInJSStack): 5498 (JSC::ValueRecovery::isAlreadyInJSStack): 5499 (JSC::ValueRecovery::gpr): 5500 (JSC::ValueRecovery::virtualRegister): 5501 (JSC::ValueRecovery::dumpInContext): 5502 * dfg/DFGAbstractInterpreter.h: 5503 (JSC::DFG::AbstractInterpreter::needsTypeCheck): 5504 (JSC::DFG::AbstractInterpreter::filterByType): 5505 * dfg/DFGAbstractInterpreterInlines.h: 5506 (JSC::DFG::::executeEffects): 5507 * dfg/DFGAbstractValue.cpp: 5508 (JSC::DFG::AbstractValue::set): 5509 (JSC::DFG::AbstractValue::checkConsistency): 5510 * dfg/DFGAbstractValue.h: 5511 (JSC::DFG::AbstractValue::validateType): 5512 * dfg/DFGArrayMode.cpp: 5513 (JSC::DFG::ArrayMode::refine): 5514 * dfg/DFGAssemblyHelpers.h: 5515 (JSC::DFG::AssemblyHelpers::unboxDouble): 5516 * dfg/DFGByteCodeParser.cpp: 5517 (JSC::DFG::ByteCodeParser::makeSafe): 5518 * dfg/DFGCSEPhase.cpp: 5519 (JSC::DFG::CSEPhase::canonicalize): 5520 (JSC::DFG::CSEPhase::pureCSE): 5521 (JSC::DFG::CSEPhase::getByValLoadElimination): 5522 (JSC::DFG::CSEPhase::performNodeCSE): 5523 * dfg/DFGClobberize.h: 5524 (JSC::DFG::clobberize): 5525 * dfg/DFGCommon.h: 5526 * dfg/DFGFixupPhase.cpp: 5527 (JSC::DFG::FixupPhase::run): 5528 (JSC::DFG::FixupPhase::fixupNode): 5529 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): 5530 (JSC::DFG::FixupPhase::observeUseKindOnNode): 5531 (JSC::DFG::FixupPhase::fixEdge): 5532 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): 5533 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd): 5534 * dfg/DFGFlushFormat.cpp: 5535 (WTF::printInternal): 5536 * dfg/DFGFlushFormat.h: 5537 (JSC::DFG::resultFor): 5538 (JSC::DFG::useKindFor): 5539 * dfg/DFGGenerationInfo.h: 5540 (JSC::DFG::GenerationInfo::initInt32): 5541 (JSC::DFG::GenerationInfo::fillInt32): 5542 * dfg/DFGGraph.cpp: 5543 (JSC::DFG::Graph::dump): 5544 * dfg/DFGGraph.h: 5545 (JSC::DFG::Graph::addShouldSpeculateMachineInt): 5546 (JSC::DFG::Graph::mulShouldSpeculateMachineInt): 5547 (JSC::DFG::Graph::negateShouldSpeculateMachineInt): 5548 * dfg/DFGInPlaceAbstractState.cpp: 5549 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): 5550 * dfg/DFGJITCode.cpp: 5551 (JSC::DFG::JITCode::reconstruct): 5552 * dfg/DFGMinifiedNode.h: 5553 (JSC::DFG::belongsInMinifiedGraph): 5554 (JSC::DFG::MinifiedNode::hasChild): 5555 * dfg/DFGNode.h: 5556 (JSC::DFG::Node::shouldSpeculateNumber): 5557 (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): 5558 (JSC::DFG::Node::canSpeculateInt48): 5559 * dfg/DFGNodeFlags.h: 5560 (JSC::DFG::nodeCanSpeculateInt48): 5561 * dfg/DFGNodeType.h: 5562 (JSC::DFG::forwardRewiringSelectionScore): 5563 * dfg/DFGOSRExitCompiler.cpp: 5564 (JSC::DFG::shortOperandsDump): 5565 * dfg/DFGOSRExitCompiler64.cpp: 5566 (JSC::DFG::OSRExitCompiler::compileExit): 5567 * dfg/DFGPredictionPropagationPhase.cpp: 5568 (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction): 5569 (JSC::DFG::PredictionPropagationPhase::propagate): 5570 (JSC::DFG::PredictionPropagationPhase::doDoubleVoting): 5571 * dfg/DFGSafeToExecute.h: 5572 (JSC::DFG::SafeToExecuteEdge::operator()): 5573 (JSC::DFG::safeToExecute): 5574 * dfg/DFGSilentRegisterSavePlan.h: 5575 * dfg/DFGSpeculativeJIT.cpp: 5576 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR): 5577 (JSC::DFG::SpeculativeJIT::silentFill): 5578 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): 5579 (JSC::DFG::SpeculativeJIT::compileInlineStart): 5580 (JSC::DFG::SpeculativeJIT::compileDoublePutByVal): 5581 (JSC::DFG::SpeculativeJIT::compileValueToInt32): 5582 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): 5583 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): 5584 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): 5585 (JSC::DFG::SpeculativeJIT::compileAdd): 5586 (JSC::DFG::SpeculativeJIT::compileArithSub): 5587 (JSC::DFG::SpeculativeJIT::compileArithNegate): 5588 (JSC::DFG::SpeculativeJIT::compileArithMul): 5589 (JSC::DFG::SpeculativeJIT::compare): 5590 (JSC::DFG::SpeculativeJIT::compileStrictEq): 5591 (JSC::DFG::SpeculativeJIT::speculateNumber): 5592 (JSC::DFG::SpeculativeJIT::speculateRealNumber): 5593 (JSC::DFG::SpeculativeJIT::speculate): 5594 * dfg/DFGSpeculativeJIT.h: 5595 (JSC::DFG::SpeculativeJIT::canReuse): 5596 (JSC::DFG::SpeculativeJIT::isFilled): 5597 (JSC::DFG::SpeculativeJIT::isFilledDouble): 5598 (JSC::DFG::SpeculativeJIT::use): 5599 (JSC::DFG::SpeculativeJIT::boxDouble): 5600 (JSC::DFG::SpeculativeJIT::isKnownInteger): 5601 (JSC::DFG::SpeculativeJIT::isKnownCell): 5602 (JSC::DFG::SpeculativeJIT::isKnownNotNumber): 5603 (JSC::DFG::SpeculativeJIT::int32Result): 5604 (JSC::DFG::SpeculativeJIT::initConstantInfo): 5605 (JSC::DFG::SpeculativeJIT::isInteger): 5606 (JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister): 5607 * dfg/DFGSpeculativeJIT32_64.cpp: 5608 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 5609 (JSC::DFG::SpeculativeJIT::compile): 5610 * dfg/DFGSpeculativeJIT64.cpp: 5611 (JSC::DFG::SpeculativeJIT::fillJSValue): 5612 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): 5613 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 5614 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 5615 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 5616 (JSC::DFG::SpeculativeJIT::compile): 5617 * dfg/DFGUseKind.cpp: 5618 (WTF::printInternal): 5619 * dfg/DFGUseKind.h: 5620 (JSC::DFG::typeFilterFor): 5621 (JSC::DFG::isNumerical): 5622 * dfg/DFGValueSource.cpp: 5623 (JSC::DFG::ValueSource::dump): 5624 * dfg/DFGValueSource.h: 5625 (JSC::DFG::dataFormatToValueSourceKind): 5626 (JSC::DFG::valueSourceKindToDataFormat): 5627 (JSC::DFG::ValueSource::forFlushFormat): 5628 (JSC::DFG::ValueSource::valueRecovery): 5629 * dfg/DFGVariableAccessData.h: 5630 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): 5631 (JSC::DFG::VariableAccessData::flushFormat): 5632 * ftl/FTLCArgumentGetter.cpp: 5633 (JSC::FTL::CArgumentGetter::loadNextAndBox): 5634 * ftl/FTLCArgumentGetter.h: 5635 * ftl/FTLCapabilities.cpp: 5636 (JSC::FTL::canCompile): 5637 * ftl/FTLExitValue.cpp: 5638 (JSC::FTL::ExitValue::dumpInContext): 5639 * ftl/FTLExitValue.h: 5640 * ftl/FTLIntrinsicRepository.h: 5641 * ftl/FTLLowerDFGToLLVM.cpp: 5642 (JSC::FTL::LowerDFGToLLVM::createPhiVariables): 5643 (JSC::FTL::LowerDFGToLLVM::compileNode): 5644 (JSC::FTL::LowerDFGToLLVM::compileUpsilon): 5645 (JSC::FTL::LowerDFGToLLVM::compilePhi): 5646 (JSC::FTL::LowerDFGToLLVM::compileSetLocal): 5647 (JSC::FTL::LowerDFGToLLVM::compileAdd): 5648 (JSC::FTL::LowerDFGToLLVM::compileArithSub): 5649 (JSC::FTL::LowerDFGToLLVM::compileArithMul): 5650 (JSC::FTL::LowerDFGToLLVM::compileArithNegate): 5651 (JSC::FTL::LowerDFGToLLVM::compilePutByVal): 5652 (JSC::FTL::LowerDFGToLLVM::compileCompareEq): 5653 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): 5654 (JSC::FTL::LowerDFGToLLVM::compileCompareLess): 5655 (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq): 5656 (JSC::FTL::LowerDFGToLLVM::compileCompareGreater): 5657 (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq): 5658 (JSC::FTL::LowerDFGToLLVM::lowInt32): 5659 (JSC::FTL::LowerDFGToLLVM::lowCell): 5660 (JSC::FTL::LowerDFGToLLVM::lowBoolean): 5661 (JSC::FTL::LowerDFGToLLVM::lowDouble): 5662 (JSC::FTL::LowerDFGToLLVM::lowJSValue): 5663 (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): 5664 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): 5665 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall): 5666 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): 5667 (JSC::FTL::LowerDFGToLLVM::setInt32): 5668 * ftl/FTLOSRExitCompiler.cpp: 5669 (JSC::FTL::compileStub): 5670 * ftl/FTLOutput.h: 5671 (JSC::FTL::Output::mulWithOverflow32): 5672 * ftl/FTLValueFormat.cpp: 5673 (WTF::printInternal): 5674 * ftl/FTLValueFormat.h: 5675 * ftl/FTLValueSource.cpp: 5676 (JSC::FTL::ValueSource::dump): 5677 * ftl/FTLValueSource.h: 5678 * interpreter/Register.h: 5679 * runtime/Arguments.cpp: 5680 (JSC::Arguments::tearOffForInlineCallFrame): 5681 * runtime/IndexingType.cpp: 5682 (JSC::leastUpperBoundOfIndexingTypeAndType): 5683 * runtime/JSCJSValue.h: 5684 * runtime/JSCJSValueInlines.h: 5685 56862013-09-17 Filip Pizlo <fpizlo@apple.com> 5687 5688 Unreviewed, fix 32-bit build. 5689 5690 * runtime/JSCJSValue.h: 5691 56922013-09-16 Filip Pizlo <fpizlo@apple.com> 5693 5694 DFG should support Int52 for local variables 5695 https://bugs.webkit.org/show_bug.cgi?id=121064 5696 5697 Reviewed by Oliver Hunt. 5698 5699 This adds Int52 support for local variables to the DFG and FTL. It's a speed-up on 5700 programs that have local int32 overflows but where a larger int representation can 5701 prevent us from having to convert all the way up to double. 5702 5703 It's a small speed-up for now. But we're just supporting Int52 for a handful of 5704 operations (add, sub, mul, neg, compare, bitops, typed array access) and this lays 5705 the groundwork for adding Int52 to JSValue, which will probably be a bigger 5706 speed-up. 5707 5708 The basic approach is: 5709 5710 - We have a notion of Int52 in our typesystem. Int52 doesn't belong to BytecodeTop 5711 or HeapTop - i.e. it doesn't arise from JSValues. 5712 5713 - DFG treats Int52 as being part of its FullTop and will treat it as being a 5714 subtype of double unless instructed otherwise. 5715 5716 - Prediction propagator creates Int52s whenever we have a node going doubly but due 5717 to large values rather than fractional values, and that node is known to be able 5718 to produce Int52 natively in the DFG backend. 5719 5720 - Fixup phase converts edges to MachineIntUses in nodes that are known to be able 5721 to deal with Int52, and where we have a subtype of Int32|Int52 as the predicted 5722 input. 5723 5724 - The DFG backend and FTL LLVM IR lowering have two notions of Int52s - ones that 5725 are left-shifted by 16 (great for overflow checks) and ones that are 5726 sign-extended. Both backends know how to convert between Int52s and the other 5727 representations. 5728 5729 * assembler/MacroAssemblerX86_64.h: 5730 (JSC::MacroAssemblerX86_64::rshift64): 5731 (JSC::MacroAssemblerX86_64::mul64): 5732 (JSC::MacroAssemblerX86_64::branchMul64): 5733 (JSC::MacroAssemblerX86_64::branchNeg64): 5734 (JSC::MacroAssemblerX86_64::convertInt64ToDouble): 5735 * assembler/X86Assembler.h: 5736 (JSC::X86Assembler::imulq_rr): 5737 (JSC::X86Assembler::cvtsi2sdq_rr): 5738 * bytecode/DataFormat.h: 5739 (JSC::dataFormatToString): 5740 * bytecode/OperandsInlines.h: 5741 (JSC::::dumpInContext): 5742 * bytecode/SpeculatedType.cpp: 5743 (JSC::dumpSpeculation): 5744 (JSC::speculationToAbbreviatedString): 5745 (JSC::speculationFromValue): 5746 * bytecode/SpeculatedType.h: 5747 (JSC::isInt32SpeculationForArithmetic): 5748 (JSC::isMachineIntSpeculationForArithmetic): 5749 (JSC::isBytecodeRealNumberSpeculation): 5750 (JSC::isFullRealNumberSpeculation): 5751 (JSC::isBytecodeNumberSpeculation): 5752 (JSC::isFullNumberSpeculation): 5753 (JSC::isBytecodeNumberSpeculationExpectingDefined): 5754 (JSC::isFullNumberSpeculationExpectingDefined): 5755 * bytecode/ValueRecovery.h: 5756 (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt52): 5757 (JSC::ValueRecovery::inGPR): 5758 (JSC::ValueRecovery::displacedInJSStack): 5759 (JSC::ValueRecovery::isAlreadyInJSStack): 5760 (JSC::ValueRecovery::gpr): 5761 (JSC::ValueRecovery::virtualRegister): 5762 (JSC::ValueRecovery::dumpInContext): 5763 * dfg/DFGAbstractInterpreter.h: 5764 (JSC::DFG::AbstractInterpreter::needsTypeCheck): 5765 (JSC::DFG::AbstractInterpreter::filterByType): 5766 * dfg/DFGAbstractInterpreterInlines.h: 5767 (JSC::DFG::::executeEffects): 5768 * dfg/DFGAbstractValue.cpp: 5769 (JSC::DFG::AbstractValue::set): 5770 (JSC::DFG::AbstractValue::checkConsistency): 5771 * dfg/DFGAbstractValue.h: 5772 (JSC::DFG::AbstractValue::couldBeType): 5773 (JSC::DFG::AbstractValue::isType): 5774 (JSC::DFG::AbstractValue::checkConsistency): 5775 (JSC::DFG::AbstractValue::validateType): 5776 * dfg/DFGArrayMode.cpp: 5777 (JSC::DFG::ArrayMode::refine): 5778 * dfg/DFGAssemblyHelpers.h: 5779 (JSC::DFG::AssemblyHelpers::boxInt52): 5780 * dfg/DFGCSEPhase.cpp: 5781 (JSC::DFG::CSEPhase::pureCSE): 5782 (JSC::DFG::CSEPhase::getByValLoadElimination): 5783 (JSC::DFG::CSEPhase::performNodeCSE): 5784 * dfg/DFGClobberize.h: 5785 (JSC::DFG::clobberize): 5786 * dfg/DFGCommon.h: 5787 (JSC::DFG::enableInt52): 5788 * dfg/DFGFixupPhase.cpp: 5789 (JSC::DFG::FixupPhase::run): 5790 (JSC::DFG::FixupPhase::fixupNode): 5791 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): 5792 (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): 5793 (JSC::DFG::FixupPhase::observeUseKindOnNode): 5794 (JSC::DFG::FixupPhase::fixEdge): 5795 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): 5796 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd): 5797 * dfg/DFGFlushFormat.cpp: 5798 (WTF::printInternal): 5799 * dfg/DFGFlushFormat.h: 5800 (JSC::DFG::resultFor): 5801 (JSC::DFG::useKindFor): 5802 * dfg/DFGGenerationInfo.h: 5803 (JSC::DFG::GenerationInfo::initInt52): 5804 (JSC::DFG::GenerationInfo::initStrictInt52): 5805 (JSC::DFG::GenerationInfo::isFormat): 5806 (JSC::DFG::GenerationInfo::isInt52): 5807 (JSC::DFG::GenerationInfo::isStrictInt52): 5808 (JSC::DFG::GenerationInfo::fillInt52): 5809 (JSC::DFG::GenerationInfo::fillStrictInt52): 5810 * dfg/DFGGraph.cpp: 5811 (JSC::DFG::Graph::dump): 5812 * dfg/DFGGraph.h: 5813 (JSC::DFG::Graph::addShouldSpeculateMachineInt): 5814 (JSC::DFG::Graph::mulShouldSpeculateMachineInt): 5815 (JSC::DFG::Graph::negateShouldSpeculateMachineInt): 5816 * dfg/DFGInPlaceAbstractState.cpp: 5817 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): 5818 * dfg/DFGJITCode.cpp: 5819 (JSC::DFG::JITCode::reconstruct): 5820 * dfg/DFGMinifiedNode.h: 5821 (JSC::DFG::belongsInMinifiedGraph): 5822 (JSC::DFG::MinifiedNode::hasChild): 5823 * dfg/DFGNode.h: 5824 (JSC::DFG::Node::shouldSpeculateNumber): 5825 (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): 5826 * dfg/DFGNodeFlags.h: 5827 * dfg/DFGNodeType.h: 5828 (JSC::DFG::forwardRewiringSelectionScore): 5829 * dfg/DFGOSRExitCompiler.cpp: 5830 * dfg/DFGOSRExitCompiler64.cpp: 5831 (JSC::DFG::OSRExitCompiler::compileExit): 5832 * dfg/DFGPredictionPropagationPhase.cpp: 5833 (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction): 5834 (JSC::DFG::PredictionPropagationPhase::propagate): 5835 (JSC::DFG::PredictionPropagationPhase::doDoubleVoting): 5836 * dfg/DFGSafeToExecute.h: 5837 (JSC::DFG::SafeToExecuteEdge::operator()): 5838 (JSC::DFG::safeToExecute): 5839 * dfg/DFGSilentRegisterSavePlan.h: 5840 * dfg/DFGSpeculativeJIT.cpp: 5841 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR): 5842 (JSC::DFG::SpeculativeJIT::silentFill): 5843 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): 5844 (JSC::DFG::SpeculativeJIT::compileInlineStart): 5845 (JSC::DFG::SpeculativeJIT::compileDoublePutByVal): 5846 (JSC::DFG::SpeculativeJIT::compileValueToInt32): 5847 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): 5848 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): 5849 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): 5850 (JSC::DFG::SpeculativeJIT::compileAdd): 5851 (JSC::DFG::SpeculativeJIT::compileArithSub): 5852 (JSC::DFG::SpeculativeJIT::compileArithNegate): 5853 (JSC::DFG::SpeculativeJIT::compileArithMul): 5854 (JSC::DFG::SpeculativeJIT::compare): 5855 (JSC::DFG::SpeculativeJIT::compileStrictEq): 5856 (JSC::DFG::SpeculativeJIT::speculateMachineInt): 5857 (JSC::DFG::SpeculativeJIT::speculateNumber): 5858 (JSC::DFG::SpeculativeJIT::speculateRealNumber): 5859 (JSC::DFG::SpeculativeJIT::speculate): 5860 * dfg/DFGSpeculativeJIT.h: 5861 (JSC::DFG::SpeculativeJIT::canReuse): 5862 (JSC::DFG::SpeculativeJIT::isFilled): 5863 (JSC::DFG::SpeculativeJIT::isFilledDouble): 5864 (JSC::DFG::SpeculativeJIT::use): 5865 (JSC::DFG::SpeculativeJIT::isKnownInteger): 5866 (JSC::DFG::SpeculativeJIT::isKnownCell): 5867 (JSC::DFG::SpeculativeJIT::isKnownNotNumber): 5868 (JSC::DFG::SpeculativeJIT::int52Result): 5869 (JSC::DFG::SpeculativeJIT::strictInt52Result): 5870 (JSC::DFG::SpeculativeJIT::initConstantInfo): 5871 (JSC::DFG::SpeculativeJIT::isInteger): 5872 (JSC::DFG::SpeculativeJIT::betterUseStrictInt52): 5873 (JSC::DFG::SpeculativeJIT::generationInfo): 5874 (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand): 5875 (JSC::DFG::SpeculateInt52Operand::~SpeculateInt52Operand): 5876 (JSC::DFG::SpeculateInt52Operand::edge): 5877 (JSC::DFG::SpeculateInt52Operand::node): 5878 (JSC::DFG::SpeculateInt52Operand::gpr): 5879 (JSC::DFG::SpeculateInt52Operand::use): 5880 (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand): 5881 (JSC::DFG::SpeculateStrictInt52Operand::~SpeculateStrictInt52Operand): 5882 (JSC::DFG::SpeculateStrictInt52Operand::edge): 5883 (JSC::DFG::SpeculateStrictInt52Operand::node): 5884 (JSC::DFG::SpeculateStrictInt52Operand::gpr): 5885 (JSC::DFG::SpeculateStrictInt52Operand::use): 5886 (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand): 5887 (JSC::DFG::SpeculateWhicheverInt52Operand::~SpeculateWhicheverInt52Operand): 5888 (JSC::DFG::SpeculateWhicheverInt52Operand::edge): 5889 (JSC::DFG::SpeculateWhicheverInt52Operand::node): 5890 (JSC::DFG::SpeculateWhicheverInt52Operand::gpr): 5891 (JSC::DFG::SpeculateWhicheverInt52Operand::use): 5892 (JSC::DFG::SpeculateWhicheverInt52Operand::format): 5893 * dfg/DFGSpeculativeJIT32_64.cpp: 5894 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 5895 (JSC::DFG::SpeculativeJIT::compile): 5896 * dfg/DFGSpeculativeJIT64.cpp: 5897 (JSC::DFG::SpeculativeJIT::boxInt52): 5898 (JSC::DFG::SpeculativeJIT::fillJSValue): 5899 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): 5900 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): 5901 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 5902 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 5903 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 5904 (JSC::DFG::SpeculativeJIT::compileInt52Compare): 5905 (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch): 5906 (JSC::DFG::SpeculativeJIT::compile): 5907 * dfg/DFGUseKind.cpp: 5908 (WTF::printInternal): 5909 * dfg/DFGUseKind.h: 5910 (JSC::DFG::typeFilterFor): 5911 (JSC::DFG::isNumerical): 5912 * dfg/DFGValueSource.cpp: 5913 (JSC::DFG::ValueSource::dump): 5914 * dfg/DFGValueSource.h: 5915 (JSC::DFG::dataFormatToValueSourceKind): 5916 (JSC::DFG::valueSourceKindToDataFormat): 5917 (JSC::DFG::ValueSource::forFlushFormat): 5918 (JSC::DFG::ValueSource::valueRecovery): 5919 * dfg/DFGVariableAccessData.h: 5920 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): 5921 (JSC::DFG::VariableAccessData::flushFormat): 5922 * ftl/FTLCArgumentGetter.cpp: 5923 (JSC::FTL::CArgumentGetter::loadNextAndBox): 5924 * ftl/FTLCArgumentGetter.h: 5925 * ftl/FTLCapabilities.cpp: 5926 (JSC::FTL::canCompile): 5927 * ftl/FTLExitValue.cpp: 5928 (JSC::FTL::ExitValue::dumpInContext): 5929 * ftl/FTLExitValue.h: 5930 (JSC::FTL::ExitValue::inJSStackAsInt52): 5931 * ftl/FTLIntrinsicRepository.h: 5932 * ftl/FTLLowerDFGToLLVM.cpp: 5933 (JSC::FTL::LowerDFGToLLVM::createPhiVariables): 5934 (JSC::FTL::LowerDFGToLLVM::compileNode): 5935 (JSC::FTL::LowerDFGToLLVM::compileUpsilon): 5936 (JSC::FTL::LowerDFGToLLVM::compilePhi): 5937 (JSC::FTL::LowerDFGToLLVM::compileSetLocal): 5938 (JSC::FTL::LowerDFGToLLVM::compileAdd): 5939 (JSC::FTL::LowerDFGToLLVM::compileArithSub): 5940 (JSC::FTL::LowerDFGToLLVM::compileArithMul): 5941 (JSC::FTL::LowerDFGToLLVM::compileArithNegate): 5942 (JSC::FTL::LowerDFGToLLVM::compilePutByVal): 5943 (JSC::FTL::LowerDFGToLLVM::compileCompareEq): 5944 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): 5945 (JSC::FTL::LowerDFGToLLVM::compileCompareLess): 5946 (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq): 5947 (JSC::FTL::LowerDFGToLLVM::compileCompareGreater): 5948 (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq): 5949 (JSC::FTL::LowerDFGToLLVM::lowInt32): 5950 (JSC::FTL::LowerDFGToLLVM::lowInt52): 5951 (JSC::FTL::LowerDFGToLLVM::lowStrictInt52): 5952 (JSC::FTL::LowerDFGToLLVM::betterUseStrictInt52): 5953 (JSC::FTL::LowerDFGToLLVM::bestInt52Kind): 5954 (JSC::FTL::LowerDFGToLLVM::opposite): 5955 (JSC::FTL::LowerDFGToLLVM::Int52s::operator[]): 5956 (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52): 5957 (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52s): 5958 (JSC::FTL::LowerDFGToLLVM::lowOpposingInt52s): 5959 (JSC::FTL::LowerDFGToLLVM::lowCell): 5960 (JSC::FTL::LowerDFGToLLVM::lowBoolean): 5961 (JSC::FTL::LowerDFGToLLVM::lowDouble): 5962 (JSC::FTL::LowerDFGToLLVM::lowJSValue): 5963 (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt32): 5964 (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble): 5965 (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue): 5966 (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): 5967 (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt52): 5968 (JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52): 5969 (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): 5970 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): 5971 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall): 5972 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): 5973 (JSC::FTL::LowerDFGToLLVM::setInt52): 5974 (JSC::FTL::LowerDFGToLLVM::setStrictInt52): 5975 * ftl/FTLOSRExitCompiler.cpp: 5976 (JSC::FTL::compileStub): 5977 * ftl/FTLOutput.h: 5978 (JSC::FTL::Output::addWithOverflow64): 5979 (JSC::FTL::Output::subWithOverflow64): 5980 (JSC::FTL::Output::mulWithOverflow64): 5981 * ftl/FTLValueFormat.cpp: 5982 (WTF::printInternal): 5983 * ftl/FTLValueFormat.h: 5984 * ftl/FTLValueSource.cpp: 5985 (JSC::FTL::ValueSource::dump): 5986 * ftl/FTLValueSource.h: 5987 * interpreter/Register.h: 5988 (JSC::Register::unboxedInt52): 5989 * runtime/Arguments.cpp: 5990 (JSC::Arguments::tearOffForInlineCallFrame): 5991 * runtime/IndexingType.cpp: 5992 (JSC::leastUpperBoundOfIndexingTypeAndType): 5993 * runtime/JSCJSValue.h: 5994 * runtime/JSCJSValueInlines.h: 5995 (JSC::JSValue::isMachineInt): 5996 (JSC::JSValue::asMachineInt): 5997 59982013-09-17 Filip Pizlo <fpizlo@apple.com> 5999 6000 Use CheckStructure for checking the types of typed arrays whenever possible 6001 https://bugs.webkit.org/show_bug.cgi?id=121514 6002 6003 Reviewed by Oliver Hunt. 6004 6005 * bytecode/ArrayProfile.cpp: 6006 (JSC::ArrayProfile::computeUpdatedPrediction): 6007 * dfg/DFGArrayMode.cpp: 6008 (JSC::DFG::ArrayMode::fromObserved): 6009 (JSC::DFG::ArrayMode::refine): 6010 (JSC::DFG::ArrayMode::originalArrayStructure): 6011 (JSC::DFG::arrayClassToString): 6012 * dfg/DFGArrayMode.h: 6013 (JSC::DFG::ArrayMode::ArrayMode): 6014 (JSC::DFG::ArrayMode::arrayModesWithIndexingShape): 6015 * runtime/JSGlobalObject.h: 6016 (JSC::JSGlobalObject::isOriginalTypedArrayStructure): 6017 60182013-09-17 Filip Pizlo <fpizlo@apple.com> 6019 6020 DFG should use the (x & 0x7fffffff) trick for doing overflow and neg-zero checks on negation in one go 6021 https://bugs.webkit.org/show_bug.cgi?id=121520 6022 6023 Reviewed by Oliver Hunt. 6024 6025 * dfg/DFGSpeculativeJIT.cpp: 6026 (JSC::DFG::SpeculativeJIT::compileArithNegate): 6027 * ftl/FTLLowerDFGToLLVM.cpp: 6028 (JSC::FTL::LowerDFGToLLVM::compileArithNegate): 6029 60302013-09-17 Andreas Kling <akling@apple.com> 6031 6032 Pack create_hash_table tables better. 6033 <https://webkit.org/b/121517> 6034 6035 Reviewed by Sam Weinig. 6036 6037 Reduces JavaScriptCore binary size by 4648 bytes. 6038 6039 * create_hash_table: 6040 * runtime/Lookup.h: 6041 6042 Reorder HashTableValue members to avoid unnecessary padding. 6043 60442013-09-17 Mark Hahnenberg <mhahnenberg@apple.com> 6045 6046 DFG doesn't properly keep scope alive for op_put_to_scope 6047 https://bugs.webkit.org/show_bug.cgi?id=121519 6048 6049 Reviewed by Michael Saboff. 6050 6051 This was a latent bug that can't actually occur in ToT. It was uncovered by causing slow 6052 path calls in the baseline JIT for op_put_to_scope in places where we couldn't before (but 6053 which were necessary for gen GC). 6054 6055 * dfg/DFGByteCodeParser.cpp: 6056 (JSC::DFG::ByteCodeParser::parseBlock): 6057 60582013-09-17 Filip Pizlo <fpizlo@apple.com> 6059 6060 Don't GC while OSR compiling 6061 https://bugs.webkit.org/show_bug.cgi?id=121513 6062 6063 Reviewed by Mark Hahnenberg. 6064 6065 Fixes some rare crashes that I see in ConservativeRoots, while in a GC from OSR exit 6066 compilation. 6067 6068 * dfg/DFGOSRExitCompiler.cpp: 6069 * ftl/FTLOSRExitCompiler.cpp: 6070 (JSC::FTL::compileFTLOSRExit): 6071 60722013-09-17 Alberto Garcia <berto@igalia.com> 6073 6074 Unreviewed make distcheck fix. 6075 6076 * GNUmakefile.list.am: 6077 60782013-09-13 Mark Hahnenberg <mhahnenberg@apple.com> 6079 6080 MarkedBlocks shouldn't be put in Allocated state if they didn't produce a FreeList 6081 https://bugs.webkit.org/show_bug.cgi?id=121236 6082 6083 Reviewed by Geoffrey Garen. 6084 6085 Right now, after a collection all MarkedBlocks are in the Marked block state. When lazy sweeping 6086 happens, if a block returns an empty free list after being swept, we call didConsumeFreeList(), 6087 which moves the block into the Allocated block state. This happens to both the block that was 6088 just being allocated out of (i.e. m_currentBlock) as well as any blocks who are completely full. 6089 We should distinguish between these two cases: m_currentBlock should transition to 6090 Allocated (because we were just allocating out of it) and any subsequent block that returns an 6091 empty free list should transition back to the Marked state. This will make the block state more 6092 consistent with the actual state the block is in, and it will also allow us to speed up moving 6093 all blocks the the Marked state during generational collection. 6094 6095 Added new RAII-style HeapIterationScope class that notifies the Heap when it is about to be 6096 iterated and when iteration has finished. Any clients that need accurate liveness data when 6097 iterating over the Heap now need to use a HeapIterationScope so that the state of Heap can 6098 be properly restored after they are done iterating. No new GC-allocated objects can be created 6099 until this object goes out of scope. 6100 6101 * JavaScriptCore.xcodeproj/project.pbxproj: 6102 * debugger/Debugger.cpp: 6103 (JSC::Debugger::recompileAllJSFunctions): Added HeapIterationScope for the Recompiler iteration. 6104 * heap/Heap.cpp: 6105 (JSC::Heap::willStartIterating): Callback used by HeapIterationScope to indicate that iteration of 6106 the Heap is about to begin. This will cause cell liveness data to be canonicalized by calling stopAllocating. 6107 (JSC::Heap::didFinishIterating): Same, but indicates that iteration has finished. 6108 (JSC::Heap::globalObjectCount): Used HeapIterationScope. 6109 (JSC::Heap::objectTypeCounts): Ditto. 6110 (JSC::Heap::markDeadObjects): Ditto. 6111 (JSC::Heap::zombifyDeadObjects): Ditto. 6112 * heap/Heap.h: 6113 * heap/HeapIterationScope.h: Added. New RAII-style object for indicating to the Heap that it's about 6114 to be iterated or that iteration has finished. 6115 (JSC::HeapIterationScope::HeapIterationScope): 6116 (JSC::HeapIterationScope::~HeapIterationScope): 6117 * heap/HeapStatistics.cpp: 6118 (JSC::HeapStatistics::showObjectStatistics): Used new HeapIterationScope. 6119 * heap/MarkedAllocator.cpp: 6120 (JSC::MarkedAllocator::tryAllocateHelper): We now treat the case where we have just finished 6121 allocating out of the current block differently from the case where we sweep a block and it 6122 returns an empty free list. This was the primary point of this patch. 6123 (JSC::MarkedAllocator::allocateSlowCase): ASSERT that nobody is currently iterating the Heap 6124 when allocating. 6125 * heap/MarkedAllocator.h: 6126 (JSC::MarkedAllocator::reset): All allocators are reset after every collection. We need to make 6127 sure that the m_lastActiveBlock gets cleared, which it might not always because we don't call 6128 takeCanonicalizedBlock on blocks in the large allocators. 6129 (JSC::MarkedAllocator::stopAllocating): We shouldn't already have a last active block, 6130 so ASSERT as much. 6131 (JSC::MarkedAllocator::resumeAllocating): Do the opposite of what stopAllocating 6132 does. So, if we don't have a m_lastActiveBlock then we don't have to worry about undoing anything 6133 done by stopAllocating. If we do, then we call resumeAllocating on the block, which returns the FreeList 6134 as it was prior to stopping allocation. We then set the current block to the last active block and 6135 clear the last active block. 6136 * heap/MarkedBlock.cpp: 6137 (JSC::MarkedBlock::resumeAllocating): Any block resuming allocation should be in 6138 the Marked state, so ASSERT as much. We always allocate a m_newlyAllocated Bitmap if we're 6139 FreeListed, so if we didn't allocate one then we know we were Marked when allocation was stopped, 6140 so just return early with an empty FreeList. If we do have a non-null m_newlyAllocated Bitmap 6141 then we need to be swept in order to rebuild our FreeList. 6142 * heap/MarkedBlock.h: 6143 (JSC::MarkedBlock::didConsumeEmptyFreeList): This is called if we ever sweep a block and get back 6144 an empty free list. Instead of transitioning to the Allocated state, we now go straight back to the 6145 Marked state. This makes sense because we weren't actually allocated out of, so we shouldn't be in 6146 the allocated state. Also added some ASSERTs to make sure that we're in the state that we expect: all of 6147 our mark bits should be set and we should not have a m_newlyAllocated Bitmap. 6148 * heap/MarkedSpace.cpp: 6149 (JSC::MarkedSpace::MarkedSpace): 6150 (JSC::MarkedSpace::forEachAllocator): Added a new functor-style iteration method so that we can 6151 easily iterate over each allocator for, e.g., stopping and resuming allocators without 6152 duplicating code. 6153 (JSC::StopAllocatingFunctor::operator()): New functors for use with forEachAllocator. 6154 (JSC::MarkedSpace::stopAllocating): Ditto. 6155 (JSC::ResumeAllocatingFunctor::operator()): Ditto. 6156 (JSC::MarkedSpace::resumeAllocating): Ditto. 6157 (JSC::MarkedSpace::willStartIterating): Callback that notifies MarkedSpace that it is being iterated. 6158 Does some ASSERTs, sets a flag, canonicalizes cell liveness data by calling stopAllocating. 6159 (JSC::MarkedSpace::didFinishIterating): Ditto, but to signal that iteration has completed. 6160 * heap/MarkedSpace.h: 6161 (JSC::MarkedSpace::iterationInProgress): Returns true if a HeapIterationScope is currently active. 6162 (JSC::MarkedSpace::forEachLiveCell): Accepts a HeapIterationScope to enforce the rule that you have to 6163 create one prior to iterating over the Heap. 6164 (JSC::MarkedSpace::forEachDeadCell): Ditto. 6165 * runtime/JSGlobalObject.cpp: 6166 (JSC::JSGlobalObject::haveABadTime): Changed to use new HeapIterationScope. 6167 * runtime/VM.cpp: 6168 (JSC::VM::releaseExecutableMemory): Ditto. 6169 61702013-09-16 Filip Pizlo <fpizlo@apple.com> 6171 6172 Inlining should work in debug mode (i.e. Executable::newCodeBlock() should call recordParse()) 6173 https://bugs.webkit.org/show_bug.cgi?id=121444 6174 6175 Reviewed by Mark Hahnenberg. 6176 6177 * dfg/DFGArgumentPosition.h: Fix a bug discovered by reenabling inlining. ArgumentPosition may point to the non-canonical VariableAccessData but users of someVariable() want the canonical one. 6178 (JSC::DFG::ArgumentPosition::someVariable): 6179 * runtime/Executable.cpp: Call recordParse() so that the Executable knows things about itself (like if it has captured variables). Otherwise those fields are uninitialized. 6180 (JSC::ScriptExecutable::newCodeBlockFor): 6181 61822013-09-16 Balazs Kilvady <kilvadyb@homejinni.com> 6183 6184 Aligned argument signatures of setupArgumentsWithExecState are missing on MIPS. 6185 https://bugs.webkit.org/show_bug.cgi?id=121439 6186 6187 Reviewed by Geoffrey Garen. 6188 6189 Missing implementations of setupArgumentsWithExecState added. 6190 6191 * dfg/DFGCCallHelpers.h: 6192 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState): 6193 61942013-09-16 Julien Brianceau <jbriance@cisco.com> 6195 6196 [sh4] Fix typo in subp implementation in LLINT. 6197 https://bugs.webkit.org/show_bug.cgi?id=121438 6198 6199 Reviewed by Andreas Kling. 6200 6201 * offlineasm/sh4.rb: 6202 62032013-09-16 Julien Brianceau <jbriance@cisco.com> 6204 6205 [sh4] Handle subp opcode with 3 operands and bpbeq opcode in LLINT. 6206 https://bugs.webkit.org/show_bug.cgi?id=121412 6207 6208 Reviewed by Andreas Kling. 6209 6210 * offlineasm/sh4.rb: 6211 62122013-09-15 Gustavo Noronha Silva <gns@gnome.org> 6213 6214 Unreviewed make distcheck fix. 6215 6216 * GNUmakefile.list.am: 6217 62182013-09-15 Filip Pizlo <fpizlo@apple.com> 6219 6220 Deoptimize deoptimization: make DFGOSRExitCompiler64.cpp more hackable 6221 https://bugs.webkit.org/show_bug.cgi?id=121374 6222 6223 Reviewed by Geoffrey Garen. 6224 6225 This reduces the size of DFGOSRExitCompiler64.cpp by almost 50%, and makes it 6226 super easy to add new recovery kinds. For recoveries that involve reboxing, it 6227 allows you to keep most of the code common between the on-stack and in-reg 6228 cases: they all get funneled through the "load from scratch buffer, convert, 6229 and then store to stack" logic. 6230 6231 This opens up a bunch of possibilities. It'll make adding Int48 much easier, 6232 and it probably will come in handy as we do various DFG stack layout changes in 6233 support of the FTL. 6234 6235 * bytecode/ValueRecovery.h: 6236 (JSC::ValueRecovery::dumpInContext): 6237 (JSC::ValueRecovery::dump): 6238 * dfg/DFGOSRExitCompiler.cpp: 6239 (JSC::DFG::shortOperandsDump): 6240 * dfg/DFGOSRExitCompiler64.cpp: 6241 (JSC::DFG::OSRExitCompiler::compileExit): 6242 62432013-09-14 Filip Pizlo <fpizlo@apple.com> 6244 6245 It should be easy to add new nodes that do OSR forward rewiring in both DFG and FTL 6246 https://bugs.webkit.org/show_bug.cgi?id=121371 6247 6248 Reviewed by Sam Weinig. 6249 6250 Forward rewiring is a tricky part of OSR that handles the following: 6251 6252 a: Something(...) 6253 SetLocal(@a, locX) 6254 b: Int32ToDouble(@a) 6255 c: SomethingThatExits(@b) 6256 <no further uses of @a or @b> 6257 6258 Note that at @c, OSR will think that locX->@a, but @a will be dead. So it must be 6259 smart enough to find @b, which contains an equivalent value. It must do this for 6260 any identity functions we support. Currently we support four such functions. 6261 6262 Currently the code for doing this is basically duplicated between the DFG and the 6263 FTL. Also both versions of the code have some really weirdly written logic for 6264 picking the "best" identity function to use. 6265 6266 We should fix this by simply having a way to ask "is this node an identity 6267 function, and if so, then how good is it?" Then both the DFG and FTL could use 6268 this and have no hard-wired knowledge of those identity functions. 6269 6270 While we're at it, this also changes some terminology because I found the use of 6271 the word "needs" confusing. Note that this retains the somewhat confusing behavior 6272 that we don't search all possible forward/backward uses. We only search one step 6273 in each direction. This is because we only need to handle cases that FixupPhase 6274 and the parser insert. All other code that tries to insert intermediate conversion 6275 nodes should ensure to Phantom the original node. For example, the following 6276 transformation is illegal: 6277 6278 Before: 6279 x: SomethingThatExits(@a) 6280 6281 After: 6282 w: Conversion(@a) 6283 x: SomethingThatExits(@w) 6284 6285 The correct form of that transformation is one of these: 6286 6287 Correct #1: 6288 6289 v: DoAllChecks(@a) // exit here 6290 w: Conversion(@a) 6291 x: Something(@w) // no exit 6292 6293 Correct #2: 6294 6295 w: Conversion(@a) 6296 x: SomethingThatExits(@w) 6297 y: Phantom(@a) 6298 6299 Correct #3: 6300 6301 w: Conversion(@a) 6302 x: SomethingThatExits(@w, @a) 6303 6304 Note that we use #3 for some heap accesses, but of course it requires that the 6305 node you're using has an extra slot for a "dummy" use child. 6306 6307 Broadly speaking though, such transformations should be relegated to something 6308 below DFG IR, like LLVM IR. 6309 6310 * dfg/DFGNodeType.h: 6311 (JSC::DFG::forwardRewiringSelectionScore): 6312 (JSC::DFG::needsOSRForwardRewiring): 6313 * dfg/DFGVariableEventStream.cpp: 6314 (JSC::DFG::VariableEventStream::reconstruct): 6315 * ftl/FTLLowerDFGToLLVM.cpp: 6316 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): 6317 63182013-09-14 Filip Pizlo <fpizlo@apple.com> 6319 6320 Rename IntegerBranch/IntegerCompare to Int32Branch/Int32Compare. 6321 6322 Rubber stamped by Mark Hahnenberg. 6323 6324 * dfg/DFGSpeculativeJIT.cpp: 6325 (JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch): 6326 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): 6327 (JSC::DFG::SpeculativeJIT::compare): 6328 (JSC::DFG::SpeculativeJIT::compileStrictEq): 6329 * dfg/DFGSpeculativeJIT.h: 6330 * dfg/DFGSpeculativeJIT32_64.cpp: 6331 (JSC::DFG::SpeculativeJIT::compileInt32Compare): 6332 * dfg/DFGSpeculativeJIT64.cpp: 6333 (JSC::DFG::SpeculativeJIT::compileInt32Compare): 6334 63352013-09-13 Filip Pizlo <fpizlo@apple.com> 6336 6337 Rename SpeculativeJIT::integerResult() to int32Result(). 6338 6339 Rubber stamped by Mark Hahnenberg. 6340 6341 * dfg/DFGSpeculativeJIT.cpp: 6342 (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt): 6343 (JSC::DFG::SpeculativeJIT::compileValueToInt32): 6344 (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber): 6345 (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32): 6346 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): 6347 (JSC::DFG::SpeculativeJIT::compileAdd): 6348 (JSC::DFG::SpeculativeJIT::compileArithSub): 6349 (JSC::DFG::SpeculativeJIT::compileArithNegate): 6350 (JSC::DFG::SpeculativeJIT::compileArithIMul): 6351 (JSC::DFG::SpeculativeJIT::compileArithMul): 6352 (JSC::DFG::SpeculativeJIT::compileArithDiv): 6353 (JSC::DFG::SpeculativeJIT::compileArithMod): 6354 (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): 6355 (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): 6356 (JSC::DFG::SpeculativeJIT::compileGetArrayLength): 6357 * dfg/DFGSpeculativeJIT.h: 6358 (JSC::DFG::SpeculativeJIT::int32Result): 6359 * dfg/DFGSpeculativeJIT32_64.cpp: 6360 (JSC::DFG::SpeculativeJIT::compile): 6361 * dfg/DFGSpeculativeJIT64.cpp: 6362 (JSC::DFG::SpeculativeJIT::compile): 6363 63642013-09-13 Michael Saboff <msaboff@apple.com> 6365 6366 FTL JIT broke after r155711 6367 https://bugs.webkit.org/show_bug.cgi?id=121332 6368 6369 Reviewed by Geoffrey Garen. 6370 6371 Fixed OSR entry to use the local variable's index instead of its VirtualRegister. 6372 Initialized ExitArgumentForOperand::m_operand to InvalidVirtualRegister instead of -1. 6373 Fixed compileCallOrConstruct() to update locals on callframe going down. 6374 Fixed prepareOSREntry() to grow stack down if needed. 6375 6376 * ftl/FTLExitArgumentForOperand.h: 6377 (JSC::FTL::ExitArgumentForOperand::ExitArgumentForOperand): 6378 * ftl/FTLLink.cpp: 6379 (JSC::FTL::link): 6380 * ftl/FTLLowerDFGToLLVM.cpp: 6381 (JSC::FTL::LowerDFGToLLVM::compileExtractOSREntryLocal): 6382 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): 6383 * ftl/FTLOSREntry.cpp: 6384 (JSC::FTL::prepareOSREntry): 6385 63862013-09-13 Anders Carlsson <andersca@apple.com> 6387 6388 Avoid a couple of zero-sized fastMalloc calls 6389 https://bugs.webkit.org/show_bug.cgi?id=121333 6390 6391 Reviewed by Geoffrey Garen. 6392 6393 * API/JSStringRefCF.cpp: 6394 (JSStringCopyCFString): 6395 Return an empty constant CFStringRef if the JSStringRef is empty. 6396 6397 * runtime/JSPropertyNameIterator.cpp: 6398 (JSC::JSPropertyNameIterator::JSPropertyNameIterator): 6399 Don't allocate an empty m_jsStrings array if m_jsStringsSize is 0. 6400 64012013-09-13 Filip Pizlo <fpizlo@apple.com> 6402 6403 DFG AI assumes that ToThis can never return non-object if it is passed an object, and operationToThis will get the wrong value of isStrictMode() if there's inlining 6404 https://bugs.webkit.org/show_bug.cgi?id=121330 6405 6406 Reviewed by Mark Hahnenberg and Oliver Hunt. 6407 6408 Also print whether a function is strict mode in debug dumps. 6409 6410 * bytecode/CodeBlock.cpp: 6411 (JSC::CodeBlock::dumpAssumingJITType): 6412 * bytecode/CodeOrigin.cpp: 6413 (JSC::InlineCallFrame::dumpInContext): 6414 * dfg/DFGAbstractInterpreterInlines.h: 6415 (JSC::DFG::::executeEffects): 6416 * dfg/DFGOperations.cpp: 6417 * dfg/DFGOperations.h: 6418 * dfg/DFGSpeculativeJIT32_64.cpp: 6419 (JSC::DFG::SpeculativeJIT::compile): 6420 * dfg/DFGSpeculativeJIT64.cpp: 6421 (JSC::DFG::SpeculativeJIT::compile): 6422 64232013-09-13 Anders Carlsson <andersca@apple.com> 6424 6425 Use nullptr instead of 0 in calls to HashMap::add 6426 https://bugs.webkit.org/show_bug.cgi?id=121322 6427 6428 Reviewed by Sam Weinig. 6429 6430 * bytecompiler/BytecodeGenerator.cpp: 6431 (JSC::BytecodeGenerator::emitLoad): 6432 (JSC::BytecodeGenerator::addStringConstant): 6433 * dfg/DFGByteCodeParser.cpp: 6434 (JSC::DFG::ByteCodeParser::cellConstant): 6435 64362013-09-13 Oliver Hunt <oliver@apple.com> 6437 6438 Try to kill initialiser expression in for-in statements 6439 https://bugs.webkit.org/show_bug.cgi?id=121311 6440 6441 Reviewed by Gavin Barraclough. 6442 6443 We'd like to get rid of this pointless initialiser expression 6444 in for-in statements. Unfortunately we have to keep the no_in 6445 variant of expression parsing to avoid ambiguity in the grammar. 6446 There's a possibility that this will need to be rolled out, but 6447 we'll need to live on it to see. 6448 6449 * bytecompiler/NodesCodegen.cpp: 6450 (JSC::ForInNode::emitBytecode): 6451 * parser/ASTBuilder.h: 6452 (JSC::ASTBuilder::createForInLoop): 6453 * parser/NodeConstructors.h: 6454 (JSC::ForInNode::ForInNode): 6455 * parser/Nodes.h: 6456 * parser/Parser.cpp: 6457 (JSC::::parseForStatement): 6458 * parser/SyntaxChecker.h: 6459 (JSC::SyntaxChecker::createForInLoop): 6460 64612013-09-12 Michael Saboff <msaboff@apple.com> 6462 6463 fourthTier: Change JSStack to grow from high to low addresses 6464 https://bugs.webkit.org/show_bug.cgi?id=118758 6465 6466 Reviewed by Oliver Hunt. 6467 6468 Changed the JSC stack to grow down. Effectively the JSC stack frame is flipped from 6469 what it was. See JSStack.h for the new offsets. Changed JSStack begin() and end() 6470 to be getBaseOfStack() and getLimitOfStack(). Most of the changes are address or offset 6471 calculation changes. Decoupled a local register ordinal (loop variable or array index) 6472 from the offset into the callFrame using localToOperand() and the inverse operandToLocal(). 6473 6474 * assembler/MacroAssembler.h: 6475 (JSC::MacroAssembler::trustedImm32ForShift): 6476 (JSC::MacroAssembler::lshiftPtr): Added to create scaled addresses with a negative index 6477 * assembler/MacroAssemblerX86_64.h: 6478 (JSC::MacroAssemblerX86_64::lshift64): Added to create scaled addresses with a negative index 6479 * assembler/X86Assembler.h: 6480 (JSC::X86Assembler::shlq_i8r): Added to create scaled addresses with a negative index 6481 * bytecode/CodeBlock.cpp: 6482 (JSC::CodeBlock::dumpBytecode): 6483 * bytecode/CodeBlock.h: 6484 (JSC::unmodifiedArgumentsRegister): 6485 (JSC::CodeBlock::isCaptured): 6486 * bytecode/CodeOrigin.h: 6487 (JSC::CodeOrigin::stackOffset): 6488 * bytecode/Operands.h: 6489 (JSC::localToOperand): 6490 (JSC::operandIsLocal): 6491 (JSC::operandToLocal): 6492 (JSC::operandIsArgument): 6493 (JSC::operandToArgument): 6494 (JSC::argumentToOperand): 6495 * bytecode/VirtualRegister.h: Made InvalidVirtualRegister a positive value that fits in 6496 31 bits since it can be placed into the 31 bit field "stackOffset" in struct InlineCallFrame. 6497 * bytecompiler/BytecodeGenerator.cpp: 6498 (JSC::BytecodeGenerator::addVar): 6499 (JSC::BytecodeGenerator::BytecodeGenerator): 6500 (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): 6501 (JSC::BytecodeGenerator::newRegister): 6502 (JSC::BytecodeGenerator::emitNewArray): 6503 * bytecompiler/BytecodeGenerator.h: 6504 (JSC::CallArguments::registerOffset): 6505 * bytecompiler/NodesCodegen.cpp: 6506 (JSC::CallArguments::CallArguments): 6507 * dfg/DFGByteCodeParser.cpp: 6508 (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal): 6509 (JSC::DFG::ByteCodeParser::addCall): 6510 (JSC::DFG::ByteCodeParser::handleCall): 6511 (JSC::DFG::ByteCodeParser::handleInlining): 6512 (JSC::DFG::ByteCodeParser::parseBlock): 6513 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): 6514 * dfg/DFGJITCompiler.cpp: 6515 (JSC::DFG::JITCompiler::compileFunction): 6516 * dfg/DFGOSREntry.cpp: 6517 (JSC::DFG::prepareOSREntry): 6518 * dfg/DFGOSRExitCompiler32_64.cpp: 6519 (JSC::DFG::OSRExitCompiler::compileExit): 6520 * dfg/DFGOSRExitCompiler64.cpp: 6521 (JSC::DFG::OSRExitCompiler::compileExit): 6522 * dfg/DFGOperations.cpp: 6523 * dfg/DFGScoreBoard.h: 6524 (JSC::DFG::ScoreBoard::allocate): 6525 * dfg/DFGSpeculativeJIT.cpp: 6526 (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): 6527 * dfg/DFGSpeculativeJIT.h: 6528 (JSC::DFG::SpeculativeJIT::callFrameSlot): 6529 (JSC::DFG::SpeculativeJIT::argumentSlot): 6530 (JSC::DFG::SpeculativeJIT::callFrameTagSlot): 6531 (JSC::DFG::SpeculativeJIT::callFramePayloadSlot): 6532 (JSC::DFG::SpeculativeJIT::argumentTagSlot): 6533 (JSC::DFG::SpeculativeJIT::argumentPayloadSlot): 6534 * dfg/DFGSpeculativeJIT32_64.cpp: 6535 (JSC::DFG::SpeculativeJIT::emitCall): 6536 (JSC::DFG::SpeculativeJIT::compile): 6537 * dfg/DFGSpeculativeJIT64.cpp: 6538 (JSC::DFG::SpeculativeJIT::emitCall): 6539 (JSC::DFG::SpeculativeJIT::compile): 6540 * dfg/DFGValidate.cpp: 6541 (JSC::DFG::Validate::reportValidationContext): 6542 * ftl/FTLLink.cpp: 6543 (JSC::FTL::link): 6544 * heap/ConservativeRoots.cpp: 6545 (JSC::ConservativeRoots::genericAddSpan): 6546 * interpreter/CallFrame.cpp: 6547 (JSC::CallFrame::frameExtentInternal): 6548 * interpreter/CallFrame.h: 6549 (JSC::ExecState::init): 6550 (JSC::ExecState::argumentOffset): 6551 (JSC::ExecState::argumentOffsetIncludingThis): 6552 (JSC::ExecState::argIndexForRegister): 6553 * interpreter/Interpreter.cpp: 6554 (JSC::loadVarargs): 6555 (JSC::Interpreter::dumpRegisters): 6556 * interpreter/JSStack.cpp: 6557 (JSC::JSStack::JSStack): 6558 (JSC::JSStack::~JSStack): 6559 (JSC::JSStack::growSlowCase): 6560 (JSC::JSStack::gatherConservativeRoots): 6561 (JSC::JSStack::releaseExcessCapacity): 6562 (JSC::JSStack::disableErrorStackReserve): 6563 * interpreter/JSStack.h: 6564 (JSC::JSStack::getBaseOfStack): 6565 (JSC::JSStack::getLimitOfStack): 6566 (JSC::JSStack::size): 6567 (JSC::JSStack::end): 6568 (JSC::JSStack::containsAddress): 6569 (JSC::JSStack::lowAddress): 6570 (JSC::JSStack::highAddress): 6571 (JSC::JSStack::reservationEnd): 6572 (JSC::JSStack::shrink): 6573 (JSC::JSStack::grow): 6574 * interpreter/JSStackInlines.h: 6575 (JSC::JSStack::getTopOfFrame): 6576 (JSC::JSStack::pushFrame): 6577 (JSC::JSStack::popFrame): 6578 (JSC::JSStack::installTrapsAfterFrame): 6579 * interpreter/StackVisitor.cpp: 6580 (JSC::inlinedFrameOffset): 6581 (JSC::StackVisitor::readInlinedFrame): 6582 * jit/JIT.cpp: 6583 (JSC::JIT::privateCompile): 6584 * jit/JITCall.cpp: 6585 (JSC::JIT::compileLoadVarargs): 6586 (JSC::JIT::compileOpCall): 6587 * jit/JITCall32_64.cpp: 6588 (JSC::JIT::compileLoadVarargs): 6589 (JSC::JIT::compileOpCall): 6590 * jit/JITOpcodes.cpp: 6591 (JSC::JIT::emit_op_create_activation): 6592 (JSC::JIT::emit_op_get_argument_by_val): 6593 * jit/JITOpcodes32_64.cpp: 6594 (JSC::JIT::emit_op_get_argument_by_val): 6595 * jit/JITStubs.cpp: 6596 (JSC::throwExceptionFromOpCall): 6597 (JSC::DEFINE_STUB_FUNCTION): 6598 * jit/ThunkGenerators.cpp: 6599 (JSC::arityFixup): 6600 * llint/LLIntData.cpp: 6601 (JSC::LLInt::Data::performAssertions): 6602 * llint/LLIntSlowPaths.cpp: 6603 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 6604 (JSC::LLInt::genericCall): 6605 * llint/LowLevelInterpreter.asm: 6606 * llint/LowLevelInterpreter32_64.asm: 6607 * llint/LowLevelInterpreter64.asm: 6608 * runtime/ArgList.cpp: 6609 (JSC::ArgList::getSlice): 6610 (JSC::MarkedArgumentBuffer::slowAppend): 6611 * runtime/ArgList.h: 6612 (JSC::MarkedArgumentBuffer::MarkedArgumentBuffer): 6613 (JSC::MarkedArgumentBuffer::slotFor): 6614 (JSC::MarkedArgumentBuffer::mallocBase): 6615 (JSC::ArgList::at): 6616 * runtime/Arguments.cpp: 6617 (JSC::Arguments::tearOff): 6618 * runtime/ArrayConstructor.cpp: 6619 (JSC::constructArrayWithSizeQuirk): 6620 * runtime/CommonSlowPaths.cpp: 6621 (JSC::SLOW_PATH_DECL): 6622 * runtime/JSActivation.h: 6623 (JSC::JSActivation::registersOffset): 6624 (JSC::JSActivation::tearOff): 6625 (JSC::JSActivation::isValidIndex): 6626 * runtime/JSArray.h: 6627 (JSC::constructArrayNegativeIndexed): New method to create an array from registers that grow down. 6628 * runtime/JSGlobalObject.cpp: 6629 (JSC::JSGlobalObject::globalExec): 6630 * runtime/JSGlobalObject.h: 6631 (JSC::constructArrayNegativeIndexed): 6632 * runtime/JSString.h: 6633 * runtime/Operations.h: 6634 (JSC::jsStringFromRegisterArray): 6635 * runtime/SymbolTable.h: 6636 (JSC::SharedSymbolTable::captureCount): 6637 66382013-09-13 Csaba Osztrogonác <ossy@webkit.org> 6639 6640 ARM EABI hardfp buildfix after r155675 6641 https://bugs.webkit.org/show_bug.cgi?id=121287 6642 6643 Reviewed by Geoffrey Garen. 6644 6645 * dfg/DFGCCallHelpers.h: 6646 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState): 6647 66482013-09-13 Youngho Yoo <youngho33.yoo@lge.com> 6649 6650 Fixed crash in V8 benchmark suite in ARM,softp,EABI environment. 6651 https://bugs.webkit.org/show_bug.cgi?id=117281 6652 6653 Reviewed by Michael Saboff. 6654 6655 Fix the missing EABI_32BIT_DUMMY_ARG in FPRReg using callOperation function. 6656 6657 Test 1 : fast/js/array-with-double-assign.html 6658 Test 2 : fast/js/array-with-double-push.html 6659 6660 * dfg/DFGCCallHelpers.h: 6661 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState): 6662 * dfg/DFGSpeculativeJIT.h: 6663 (JSC::DFG::SpeculativeJIT::callOperation): 6664 66652013-09-12 Filip Pizlo <fpizlo@apple.com> 6666 6667 DFG::Int32Operand and fillInt32() should go away and all uses should be replaced with SpeculateInt32Operand 6668 https://bugs.webkit.org/show_bug.cgi?id=121268 6669 6670 Reviewed by Oliver Hunt. 6671 6672 * dfg/DFGSpeculativeJIT.cpp: 6673 (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber): 6674 * dfg/DFGSpeculativeJIT.h: 6675 * dfg/DFGSpeculativeJIT32_64.cpp: 6676 (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber): 6677 * dfg/DFGSpeculativeJIT64.cpp: 6678 (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber): 6679 66802013-09-12 Geoffrey Garen <ggaren@apple.com> 6681 6682 Web Inspector shouldn't artificially allocate the arguments object in functions that don't use it 6683 https://bugs.webkit.org/show_bug.cgi?id=121206 6684 <rdar://problem/6911886> 6685 6686 Reviewed by Joseph Pecoraro. 6687 6688 This is a step toward better tools, and a 23% speedup in a simple 6689 JavaScript benchmark run with the Web Inspector open. 6690 6691 We want the Web Inspector to be fast, and we want it to produce reliable 6692 CPU and memory profiles. We can't do that if just opening the Web Inspector 6693 incurs huge CPU/memory penalties like the arguments object. 6694 6695 Also, since use of the 'arguments' identifier is an API for allocating 6696 an object, I think it's good for the UI to let developers know when 6697 they've invoked that API and when they haven't. 6698 6699 * bytecompiler/BytecodeGenerator.cpp: 6700 (JSC::BytecodeGenerator::BytecodeGenerator): No need to allocate the 6701 arguments object artificially for the debugger's sake. The activation 6702 object no longer assumes that the stack frame is laid out for one. 6703 6704 (Long-term, this code will move out of the activation object, into a 6705 special object for interfacing with the debugger.) 6706 6707 * runtime/JSActivation.cpp: 6708 (JSC::JSActivation::getOwnNonIndexPropertyNames): 6709 (JSC::JSActivation::getOwnPropertySlot): Don't advertise or provide an 6710 arguments object if the user function didn't include one. The bytecode 6711 generator will not have laid out the stack frame to support one. 6712 6713 (Eventually, we do want the Web Inspector to see an arguments 6714 object in scope in the console. That's a one-line change in JSActivation, 6715 but it's blocked by https://bugs.webkit.org/show_bug.cgi?id=121208.) 6716 6717 (JSC::JSActivation::argumentsGetter): 6718 * runtime/JSActivation.h: Removed this obsolete performance 6719 work-around. C++ property access to an activation object is no longer 6720 hot. 6721 67222013-09-12 Mark Hahnenberg <mhahnenberg@apple.com> 6723 6724 Rolling out r155632 6725 6726 Broke some tests. 6727 6728 * heap/MarkedAllocator.cpp: 6729 (JSC::MarkedAllocator::tryAllocateHelper): 6730 * heap/MarkedBlock.h: 6731 67322013-09-12 Ryosuke Niwa <rniwa@webkit.org> 6733 6734 Qt build fix. Add a return to make the compiler happy. 6735 6736 * dfg/DFGGPRInfo.h: 6737 (JSC::DFG::JSValueRegs::gpr): 6738 67392013-09-12 Filip Pizlo <fpizlo@apple.com> 6740 6741 DFG::GenerationInfo init/fill methods shouldn't duplicate a bunch of logic 6742 https://bugs.webkit.org/show_bug.cgi?id=121253 6743 6744 Reviewed by Oliver Hunt. 6745 6746 * dfg/DFGGenerationInfo.h: 6747 (JSC::DFG::GenerationInfo::initGPR): 6748 (JSC::DFG::GenerationInfo::initInt32): 6749 (JSC::DFG::GenerationInfo::initJSValue): 6750 (JSC::DFG::GenerationInfo::initCell): 6751 (JSC::DFG::GenerationInfo::initBoolean): 6752 (JSC::DFG::GenerationInfo::initStorage): 6753 (JSC::DFG::GenerationInfo::fillGPR): 6754 (JSC::DFG::GenerationInfo::fillJSValue): 6755 (JSC::DFG::GenerationInfo::fillCell): 6756 (JSC::DFG::GenerationInfo::fillInt32): 6757 (JSC::DFG::GenerationInfo::fillBoolean): 6758 (JSC::DFG::GenerationInfo::fillStorage): 6759 67602013-09-12 Filip Pizlo <fpizlo@apple.com> 6761 6762 Unreviewed, fix mispelling (Specualte -> Speculate) that I introduced in an 6763 earlier patch. 6764 6765 * dfg/DFGSpeculativeJIT.h: 6766 (JSC::DFG::SpeculateInt32Operand::gpr): 6767 (JSC::DFG::SpeculateStrictInt32Operand::gpr): 6768 * dfg/DFGSpeculativeJIT32_64.cpp: 6769 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): 6770 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32): 6771 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict): 6772 * dfg/DFGSpeculativeJIT64.cpp: 6773 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): 6774 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32): 6775 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict): 6776 67772013-09-12 Filip Pizlo <fpizlo@apple.com> 6778 6779 GPRTemporary's reuse constructor should be templatized to reduce code duplication, and the bool to denote tag or payload should be replaced with an enum 6780 https://bugs.webkit.org/show_bug.cgi?id=121250 6781 6782 Reviewed by Oliver Hunt. 6783 6784 * dfg/DFGGPRInfo.h: 6785 (JSC::DFG::JSValueRegs::gpr): 6786 * dfg/DFGSpeculativeJIT.cpp: 6787 (JSC::DFG::GPRTemporary::GPRTemporary): 6788 (JSC::DFG::SpeculativeJIT::compileValueToInt32): 6789 (JSC::DFG::SpeculativeJIT::compileAdd): 6790 (JSC::DFG::SpeculativeJIT::compileStringEquality): 6791 (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): 6792 (JSC::DFG::SpeculativeJIT::compileGetArrayLength): 6793 * dfg/DFGSpeculativeJIT.h: 6794 (JSC::DFG::JSValueOperand::gpr): 6795 (JSC::DFG::GPRTemporary::GPRTemporary): 6796 * dfg/DFGSpeculativeJIT32_64.cpp: 6797 (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber): 6798 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): 6799 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): 6800 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): 6801 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): 6802 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq): 6803 (JSC::DFG::SpeculativeJIT::compileObjectEquality): 6804 (JSC::DFG::SpeculativeJIT::compileLogicalNot): 6805 (JSC::DFG::SpeculativeJIT::compile): 6806 * dfg/DFGSpeculativeJIT64.cpp: 6807 (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber): 6808 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): 6809 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): 6810 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): 6811 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): 6812 (JSC::DFG::SpeculativeJIT::compileObjectEquality): 6813 (JSC::DFG::SpeculativeJIT::compileIntegerCompare): 6814 (JSC::DFG::SpeculativeJIT::compileLogicalNot): 6815 (JSC::DFG::SpeculativeJIT::compile): 6816 * runtime/JSCJSValue.h: 6817 68182013-09-12 Mark Hahnenberg <mhahnenberg@apple.com> 6819 6820 MarkedBlocks shouldn't be put in Allocated state if they didn't produce a FreeList 6821 https://bugs.webkit.org/show_bug.cgi?id=121236 6822 6823 Reviewed by Geoffrey Garen. 6824 6825 Right now, after a collection all MarkedBlocks are in the Marked block state. When lazy sweeping 6826 happens, if a block returns an empty free list after being swept, we call didConsumeFreeList(), 6827 which moves the block into the Allocated block state. This happens to both the block that was 6828 just being allocated out of (i.e. m_currentBlock) as well as any blocks who are completely full. 6829 We should distinguish between these two cases: m_currentBlock should transition to 6830 Allocated (because we were just allocating out of it) and any subsequent block that returns an 6831 empty free list should transition back to the Marked state. This will make the block state more 6832 consistent with the actual state the block is in, and it will also allow us to speed up moving 6833 all blocks to the Marked state during generational collection. 6834 6835 * heap/MarkedAllocator.cpp: 6836 (JSC::MarkedAllocator::tryAllocateHelper): 6837 * heap/MarkedBlock.h: 6838 (JSC::MarkedBlock::didConsumeEmptyFreeList): 6839 68402013-09-12 Mark Lam <mark.lam@apple.com> 6841 6842 Change debug hooks to pass sourceID and position info via the DebuggerCallFrame. 6843 https://bugs.webkit.org/show_bug.cgi?id=121214. 6844 6845 Reviewed by Geoffrey Garen. 6846 6847 * debugger/Debugger.h: 6848 * debugger/DebuggerCallFrame.cpp: 6849 (JSC::DebuggerCallFrame::sourceId): 6850 (JSC::DebuggerCallFrame::clear): 6851 * debugger/DebuggerCallFrame.h: 6852 (JSC::DebuggerCallFrame::DebuggerCallFrame): 6853 (JSC::DebuggerCallFrame::line): 6854 (JSC::DebuggerCallFrame::column): 6855 * interpreter/Interpreter.cpp: 6856 (JSC::unwindCallFrame): 6857 (JSC::Interpreter::unwind): 6858 (JSC::Interpreter::debug): 6859 68602013-09-12 Csaba Osztrogonác <ossy@webkit.org> 6861 6862 Add back c++11 features removed by buildfixes after all ports did the switch 6863 https://bugs.webkit.org/show_bug.cgi?id=119266 6864 6865 Reviewed by Anders Carlsson. 6866 6867 * bytecode/GetByIdStatus.h: 6868 (JSC::GetByIdStatus::GetByIdStatus): 6869 * dfg/DFGWorklist.cpp: 6870 (JSC::DFG::Worklist::~Worklist): 6871 * interpreter/StackVisitor.cpp: 6872 (JSC::StackVisitor::Frame::codeType): 6873 (JSC::StackVisitor::Frame::functionName): 6874 (JSC::StackVisitor::Frame::sourceURL): 6875 (JSC::StackVisitor::Frame::print): 6876 68772013-09-12 Mikhail Pozdnyakov <mikhail.pozdnyakov@intel.com> 6878 6879 Remove home-brewed nullptr 6880 https://bugs.webkit.org/show_bug.cgi?id=119624 6881 6882 Reviewed by Anders Carlsson. 6883 6884 The standard C++11 nullptr and std::nullptr_t type should be used now. 6885 6886 * heap/PassWeak.h: 6887 * heap/Weak.h: 6888 68892013-09-11 Filip Pizlo <fpizlo@apple.com> 6890 6891 Rename initInteger() to initInt32() 6892 6893 Rubber stamped by Mark Hahnenberg. 6894 6895 * dfg/DFGGenerationInfo.h: 6896 (JSC::DFG::GenerationInfo::initInt32): 6897 * dfg/DFGSpeculativeJIT.h: 6898 (JSC::DFG::SpeculativeJIT::integerResult): 6899 * dfg/DFGSpeculativeJIT32_64.cpp: 6900 (JSC::DFG::SpeculativeJIT::compile): 6901 * dfg/DFGSpeculativeJIT64.cpp: 6902 (JSC::DFG::SpeculativeJIT::compile): 6903 69042013-09-11 Filip Pizlo <fpizlo@apple.com> 6905 6906 Rename IntegerOperand to Int32Operand and fillInteger() to fillInt32(). 6907 6908 Rubber stamped by Mark Hahnenberg. 6909 6910 * dfg/DFGGenerationInfo.h: 6911 (JSC::DFG::GenerationInfo::fillInt32): 6912 * dfg/DFGSpeculativeJIT.cpp: 6913 (JSC::DFG::GPRTemporary::GPRTemporary): 6914 (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber): 6915 * dfg/DFGSpeculativeJIT.h: 6916 (JSC::DFG::Int32Operand::Int32Operand): 6917 (JSC::DFG::Int32Operand::~Int32Operand): 6918 (JSC::DFG::Int32Operand::gpr): 6919 * dfg/DFGSpeculativeJIT32_64.cpp: 6920 (JSC::DFG::SpeculativeJIT::fillInt32): 6921 (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber): 6922 (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Internal): 6923 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 6924 * dfg/DFGSpeculativeJIT64.cpp: 6925 (JSC::DFG::SpeculativeJIT::fillInt32): 6926 (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber): 6927 (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Internal): 6928 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 6929 69302013-09-11 Filip Pizlo <fpizlo@apple.com> 6931 6932 FixupPhase should always call fixEdge() exactly once for every edge 6933 https://bugs.webkit.org/show_bug.cgi?id=121211 6934 6935 Reviewed by Geoffrey Garen. 6936 6937 Previously we only call fixEdge() on edges that we want to make typed. UntypedUse 6938 edges don't get fixEdge() called. This makes it difficult to add functionality in 6939 fixEdge() that runs for UntypedUses. It's difficult to remember to call fixEdge() 6940 for every edge that we don't want to turn into a typed edge; in an alternative 6941 universe where we did this, it would mean that every case in FixupPhase would 6942 have to make a fixEdge() call for *every* edge even ones that it doesn't want to 6943 modify. 6944 6945 This patch takes a different path. fixEdge() must never be called explicitly with 6946 UntypedUse. fixEdge() should be used to set the UseKind of edges. Consequently, 6947 all that FixupPhase has to do is call fixEdge<UntypedUse>(edge) for every edge 6948 that was still UntypedUse after we are done processing a node. 6949 6950 This is cheap and easy to implement and ought to be easy to maintain. We won't 6951 have a need to call fixEdge<UntypedUse>(edge) explicitly, so depending on that is 6952 only natural. 6953 6954 * dfg/DFGFixupPhase.cpp: 6955 (JSC::DFG::FixupPhase::fixupNode): 6956 (JSC::DFG::FixupPhase::observeUntypedEdge): 6957 (JSC::DFG::FixupPhase::observeUseKindOnNode): 6958 69592013-09-11 Filip Pizlo <fpizlo@apple.com> 6960 6961 FixupPhase's setUseKindAndUnboxBlahbittyblah and fixDoubleEdge methods should be merged and given intuitive names 6962 https://bugs.webkit.org/show_bug.cgi?id=121202 6963 6964 Reviewed by Geoffrey Garen. 6965 6966 Got rid of a method whose name was so descriptive that I couldn't ever remember 6967 it. And despite the descriptive name, I always had to look at its implementation 6968 to remind myself what it did, anyway. 6969 6970 Now that method is called fixEdge(). This is a good name because we're in a phase 6971 called FixupPhase, and we call this fixEdge() method on pretty much every edge. 6972 For the Int48 work, it makes more sense for this method to be a kind of hook into 6973 which we can place various things: it's just a way of observing edges that need 6974 attention. 6975 6976 As part of this refactoring, I also fold fixDoubleEdge into fixEdge. This makes 6977 sense because previously it was never correct to call fixDoubleEdge with non- 6978 double use kinds; and conversely it was never correct to call fixEdge with double 6979 use kinds. 6980 6981 Also I found that isDouble() in DFGUseKind.h would return true for KnownInt32Use. 6982 That's almost certainly wrong, and removing that behavior doesn't fail any tests. 6983 I'm assuming that was just a bug. 6984 6985 * dfg/DFGFixupPhase.cpp: 6986 (JSC::DFG::FixupPhase::fixupNode): 6987 (JSC::DFG::FixupPhase::fixupToPrimitive): 6988 (JSC::DFG::FixupPhase::fixupToString): 6989 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): 6990 (JSC::DFG::FixupPhase::fixEdge): 6991 (JSC::DFG::FixupPhase::fixIntEdge): 6992 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd): 6993 (JSC::DFG::FixupPhase::convertToGetArrayLength): 6994 (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset): 6995 * dfg/DFGUseKind.h: 6996 (JSC::DFG::isDouble): 6997 69982013-09-11 Mark Lam <mark.lam@apple.com> 6999 7000 Fixed indentation in JSC Debugger header files. 7001 https://bugs.webkit.org/show_bug.cgi?id=121203. 7002 7003 Reviewed by Ryosuke Niwa. 7004 7005 * debugger/Debugger.h: 7006 * debugger/DebuggerActivation.h: 7007 (JSC::DebuggerActivation::create): 7008 (JSC::DebuggerActivation::createStructure): 7009 * debugger/DebuggerCallFrame.h: 7010 (JSC::DebuggerCallFrame::DebuggerCallFrame): 7011 (JSC::DebuggerCallFrame::callFrame): 7012 (JSC::DebuggerCallFrame::dynamicGlobalObject): 7013 (JSC::DebuggerCallFrame::scope): 7014 (JSC::DebuggerCallFrame::exception): 7015 70162013-09-11 Filip Pizlo <fpizlo@apple.com> 7017 7018 Remove needsDataFormatConversion because it is unused. 7019 7020 Rubber stamped by Mark Hahnenberg. 7021 7022 * bytecode/DataFormat.h: 7023 70242013-09-11 Filip Pizlo <fpizlo@apple.com> 7025 7026 Rename fillSpeculateInt to fillSpeculateInt32. 7027 7028 Rubber stamped by Mark Hahnenberg. 7029 7030 * dfg/DFGSpeculativeJIT.h: 7031 (JSC::DFG::SpeculateInt32Operand::gpr): 7032 (JSC::DFG::SpeculateStrictInt32Operand::gpr): 7033 * dfg/DFGSpeculativeJIT32_64.cpp: 7034 (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Internal): 7035 (JSC::DFG::SpeculativeJIT::fillSpecualteInt32): 7036 (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Strict): 7037 * dfg/DFGSpeculativeJIT64.cpp: 7038 (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Internal): 7039 (JSC::DFG::SpeculativeJIT::fillSpecualteInt32): 7040 (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Strict): 7041 70422013-09-11 Filip Pizlo <fpizlo@apple.com> 7043 7044 Rename DataFormatInteger to DataFormatInt32. 7045 7046 Rubber stamped by Mark Hahnenberg. 7047 7048 * bytecode/DataFormat.h: 7049 (JSC::dataFormatToString): 7050 (JSC::needDataFormatConversion): 7051 (JSC::isJSInt32): 7052 * bytecode/ValueRecovery.h: 7053 (JSC::ValueRecovery::inGPR): 7054 (JSC::ValueRecovery::displacedInJSStack): 7055 * dfg/DFGGenerationInfo.h: 7056 (JSC::DFG::GenerationInfo::initInteger): 7057 (JSC::DFG::GenerationInfo::isJSInt32): 7058 (JSC::DFG::GenerationInfo::fillInteger): 7059 * dfg/DFGSpeculativeJIT.cpp: 7060 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR): 7061 (JSC::DFG::SpeculativeJIT::checkConsistency): 7062 (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32): 7063 (JSC::DFG::SpeculativeJIT::compileValueToInt32): 7064 * dfg/DFGSpeculativeJIT.h: 7065 (JSC::DFG::SpeculativeJIT::spill): 7066 (JSC::DFG::SpeculativeJIT::integerResult): 7067 (JSC::DFG::SpeculativeJIT::jsValueResult): 7068 (JSC::DFG::SpeculativeJIT::isInteger): 7069 (JSC::DFG::IntegerOperand::format): 7070 (JSC::DFG::SpeculateInt32Operand::format): 7071 * dfg/DFGSpeculativeJIT32_64.cpp: 7072 (JSC::DFG::SpeculativeJIT::fillInteger): 7073 (JSC::DFG::SpeculativeJIT::fillJSValue): 7074 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): 7075 (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict): 7076 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 7077 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 7078 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 7079 * dfg/DFGSpeculativeJIT64.cpp: 7080 (JSC::DFG::SpeculativeJIT::fillInteger): 7081 (JSC::DFG::SpeculativeJIT::fillJSValue): 7082 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): 7083 (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict): 7084 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 7085 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 7086 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 7087 (JSC::DFG::SpeculativeJIT::compile): 7088 * dfg/DFGValueSource.h: 7089 (JSC::DFG::dataFormatToValueSourceKind): 7090 (JSC::DFG::valueSourceKindToDataFormat): 7091 70922013-09-11 Filip Pizlo <fpizlo@apple.com> 7093 7094 Int32ToDouble should be predicted SpecInt48 and predictions should have nothing to do with constant folding 7095 https://bugs.webkit.org/show_bug.cgi?id=121141 7096 7097 Reviewed by Oliver Hunt. 7098 7099 Just changing Int32ToDouble to be predicted SpecInt48 breaks constant folding on that 7100 node because of soooper old code that prevented constant folding on mismatched 7101 predictions. Kill that code. 7102 7103 * dfg/DFGAbstractInterpreter.h: 7104 (JSC::DFG::AbstractInterpreter::setConstant): 7105 * dfg/DFGAbstractInterpreterInlines.h: 7106 (JSC::DFG::::executeEffects): 7107 * dfg/DFGFixupPhase.cpp: 7108 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): 7109 71102013-09-10 Filip Pizlo <fpizlo@apple.com> 7111 7112 VariableAccessData::flushFormat() should be the universal way of deciding how to speculate on stores to locals and how locals are formatted 7113 https://bugs.webkit.org/show_bug.cgi?id=121142 7114 7115 Reviewed by Geoffrey Garen. 7116 7117 Make everyone rely on VariableAccessData::flushFormat() instead of trying to 7118 compute that information from scratch. The FTL already used flushFormat(), now 7119 the DFG does, too. 7120 7121 * dfg/DFGArgumentPosition.h: 7122 (JSC::DFG::ArgumentPosition::someVariable): 7123 (JSC::DFG::ArgumentPosition::flushFormat): 7124 * dfg/DFGCSEPhase.cpp: 7125 (JSC::DFG::CSEPhase::performNodeCSE): 7126 * dfg/DFGFixupPhase.cpp: 7127 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): 7128 * dfg/DFGGraph.cpp: 7129 (JSC::DFG::Graph::dump): 7130 * dfg/DFGInPlaceAbstractState.cpp: 7131 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): 7132 * dfg/DFGJITCompiler.h: 7133 (JSC::DFG::JITCompiler::noticeOSREntry): 7134 * dfg/DFGSpeculativeJIT.cpp: 7135 (JSC::DFG::SpeculativeJIT::compileInlineStart): 7136 (JSC::DFG::SpeculativeJIT::compileCurrentBlock): 7137 (JSC::DFG::SpeculativeJIT::checkArgumentTypes): 7138 * dfg/DFGSpeculativeJIT32_64.cpp: 7139 (JSC::DFG::SpeculativeJIT::compile): 7140 * dfg/DFGSpeculativeJIT64.cpp: 7141 (JSC::DFG::SpeculativeJIT::compile): 7142 * dfg/DFGValueSource.h: 7143 (JSC::DFG::ValueSource::forFlushFormat): 7144 * dfg/DFGVariableAccessDataDump.cpp: 7145 (JSC::DFG::VariableAccessDataDump::dump): 7146 * ftl/FTLLowerDFGToLLVM.cpp: 7147 (JSC::FTL::LowerDFGToLLVM::compileSetLocal): 7148 71492013-09-11 Oliver Hunt <oliver@apple.com> 7150 7151 Partial Information Leakage in Hash Table implementations (PrivateName) 7152 https://bugs.webkit.org/show_bug.cgi?id=120663 7153 7154 Reviewed by Michael Saboff. 7155 7156 Undo change to the PropertyTable in my last patch, instead lets just 7157 use a random value as the initial hash for unique strings. 7158 7159 * runtime/PropertyMapHashTable.h: 7160 (JSC::PropertyTable::find): 7161 (JSC::PropertyTable::findWithString): 7162 (JSC::PropertyTable::rehash): 7163 71642013-09-11 Oliver Hunt <oliver@apple.com> 7165 7166 Partial Information Leakage in Hash Table implementations (PrivateName) 7167 https://bugs.webkit.org/show_bug.cgi?id=120663 7168 7169 Reviewed by Michael Saboff. 7170 7171 These hashtables mix keys that are hashed on pointers or user controlled 7172 data. To prevent any potential information leak we mask the keys with 7173 a per table entropy value. 7174 7175 * runtime/MapData.cpp: 7176 (JSC::MapData::MapData): 7177 (JSC::MapData::find): 7178 (JSC::MapData::add): 7179 (JSC::MapData::remove): 7180 * runtime/MapData.h: 7181 * runtime/PropertyMapHashTable.h: 7182 (JSC::PropertyTable::find): 7183 (JSC::PropertyTable::findWithString): 7184 (JSC::PropertyTable::rehash): 7185 * runtime/PropertyTable.cpp: 7186 (JSC::PropertyTable::PropertyTable): 7187 71882013-09-11 Sam Weinig <sam@webkit.org> 7189 7190 MapData and WeakMapData don't need to be objects 7191 https://bugs.webkit.org/show_bug.cgi?id=121167 7192 7193 Reviewed by Geoffrey Garen. 7194 7195 * runtime/JSGlobalObject.cpp: 7196 (JSC::JSGlobalObject::reset): 7197 (JSC::JSGlobalObject::visitChildren): 7198 * runtime/JSGlobalObject.h: 7199 (JSC::JSGlobalObject::mapStructure): 7200 Remove MapData and WeakMapData structures (they moved to VM with other non-object Structures). 7201 7202 * runtime/JSMap.cpp: 7203 (JSC::JSMap::finishCreation): 7204 * runtime/JSMap.h: 7205 (JSC::JSMap::create): 7206 * runtime/JSSet.cpp: 7207 (JSC::JSSet::finishCreation): 7208 * runtime/JSSet.h: 7209 (JSC::JSSet::create): 7210 * runtime/JSWeakMap.cpp: 7211 (JSC::JSWeakMap::finishCreation): 7212 * runtime/JSWeakMap.h: 7213 (JSC::JSWeakMap::create): 7214 Update to not pass a global object to the MapData or WeakMapData Structure. 7215 7216 * runtime/MapData.cpp: 7217 (JSC::MapData::MapData): 7218 * runtime/MapData.h: 7219 (JSC::MapData::create): 7220 (JSC::MapData::createStructure): 7221 * runtime/WeakMapData.cpp: 7222 (JSC::WeakMapData::WeakMapData): 7223 (JSC::WeakMapData::set): Change to take a VM rather than a CallFrame, as that it all it needs. 7224 * runtime/WeakMapData.h: 7225 (JSC::WeakMapData::create): 7226 (JSC::WeakMapData::createStructure): 7227 Instead of inheriting from JSDestructibleObject, inherit from JSCell and mark self as needing destruction 7228 and having an immortal structure. 7229 7230 * runtime/VM.cpp: 7231 (JSC::VM::VM): 7232 * runtime/VM.h: 7233 Add MapData and WeakMapData Structures. 7234 7235 * runtime/WeakMapPrototype.cpp: 7236 (JSC::protoFuncWeakMapSet): 7237 Pass a VM rather than an ExecState. 7238 72392013-09-10 Filip Pizlo <fpizlo@apple.com> 7240 7241 Propagate the Int48 stuff into the prediction propagator. 7242 https://bugs.webkit.org/show_bug.cgi?id=121132 7243 7244 Reviewed by Mark Hahnenberg. 7245 7246 This still has no effect on codegen since Int48 still looks like a Double right now. 7247 7248 * bytecode/ExitKind.cpp: 7249 (JSC::exitKindToString): 7250 * bytecode/ExitKind.h: 7251 * bytecode/SpeculatedType.cpp: 7252 (JSC::speculationFromValue): 7253 * bytecode/SpeculatedType.h: 7254 (JSC::isMachineIntSpeculation): 7255 (JSC::isMachineIntSpeculationExpectingDefined): 7256 (JSC::isMachineIntSpeculationForArithmetic): 7257 * dfg/DFGGraph.cpp: 7258 (JSC::DFG::Graph::dump): 7259 * dfg/DFGGraph.h: 7260 (JSC::DFG::Graph::addShouldSpeculateMachineInt): 7261 (JSC::DFG::Graph::mulShouldSpeculateInt32): 7262 (JSC::DFG::Graph::mulShouldSpeculateMachineInt): 7263 (JSC::DFG::Graph::negateShouldSpeculateMachineInt): 7264 (JSC::DFG::Graph::hasExitSite): 7265 * dfg/DFGNode.h: 7266 (JSC::DFG::Node::shouldSpeculateMachineInt): 7267 (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): 7268 (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): 7269 (JSC::DFG::Node::canSpeculateInt48): 7270 * dfg/DFGNodeFlags.h: 7271 (JSC::DFG::nodeCanSpeculateInt48): 7272 * dfg/DFGPredictionPropagationPhase.cpp: 7273 (JSC::DFG::PredictionPropagationPhase::propagate): 7274 72752013-09-10 Filip Pizlo <fpizlo@apple.com> 7276 7277 Be explicit about backwards propagation properties that care about escaping to bytecode, as opposed to just escaping within DFG code. 7278 7279 Rubber stamped by Mark Hahnenberg. 7280 7281 We need to care about escaping to bytecode if we're doing a lossy optimization, 7282 i.e. the optimization means we produce less information and so we can't rescue 7283 ourselves during OSR exit. 7284 7285 We only need to care about escaping within the DFG code (and can ignore what 7286 might happen in bytecode) if we're doing an optimization that is lossless, i.e. 7287 we can always still reconstruct the values that bytecode wants. 7288 7289 Example #1: 7290 7291 Large int32 + int32 which overflows. We want to optimize away the overflow 7292 check and just do a 32-bit add. 7293 7294 This is lossy; the result should have one extra bit but we simply throw 7295 that bit away by doing a check-less 32-bit add. Hence we need to know that 7296 even the bytecode wouldn't have cared about that bit. This is true in cases 7297 like (a + b) | 0. 7298 7299 Example #2: 7300 7301 Larbe int32 + int32 which overflows. We want to optimize away the overflow 7302 check by doing a 64-bit add. 7303 7304 This is lossless. We can always convert the resulting 64-bit int back to a 7305 double if that's what bytecode wants. Hence we only need to know that the 7306 DFG code won't want to do something to this value that would make 64-bit 7307 ints either unprofitable or unsound. 7308 7309 The backwards propagator's notions of flags (NodeUsedAsValue, etc) are for lossy 7310 optimizations and so should be named in a way that reflects this. This patch 7311 calls then NodeBytecodeUsesAsValue, etc. 7312 7313 * dfg/DFGAbstractInterpreterInlines.h: 7314 (JSC::DFG::::executeEffects): 7315 * dfg/DFGArrayMode.cpp: 7316 (JSC::DFG::ArrayMode::refine): 7317 * dfg/DFGBackwardsPropagationPhase.cpp: 7318 (JSC::DFG::BackwardsPropagationPhase::mergeDefaultFlags): 7319 (JSC::DFG::BackwardsPropagationPhase::propagate): 7320 * dfg/DFGFixupPhase.cpp: 7321 (JSC::DFG::FixupPhase::fixupNode): 7322 * dfg/DFGGraph.h: 7323 (JSC::DFG::Graph::addImmediateShouldSpeculateInt32): 7324 * dfg/DFGNode.h: 7325 (JSC::DFG::Node::arithNodeFlags): 7326 * dfg/DFGNodeFlags.cpp: 7327 (JSC::DFG::dumpNodeFlags): 7328 * dfg/DFGNodeFlags.h: 7329 (JSC::DFG::bytecodeUsesAsNumber): 7330 (JSC::DFG::bytecodeCanTruncateInteger): 7331 (JSC::DFG::bytecodeCanIgnoreNegativeZero): 7332 (JSC::DFG::nodeMayNegZero): 7333 (JSC::DFG::nodeCanSpeculateInt32): 7334 * dfg/DFGPredictionPropagationPhase.cpp: 7335 (JSC::DFG::PredictionPropagationPhase::propagate): 7336 * dfg/DFGSpeculativeJIT.cpp: 7337 (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32): 7338 (JSC::DFG::SpeculativeJIT::compileAdd): 7339 (JSC::DFG::SpeculativeJIT::compileArithSub): 7340 (JSC::DFG::SpeculativeJIT::compileArithNegate): 7341 (JSC::DFG::SpeculativeJIT::compileArithMul): 7342 (JSC::DFG::SpeculativeJIT::compileArithDiv): 7343 (JSC::DFG::SpeculativeJIT::compileArithMod): 7344 * dfg/DFGVariableAccessData.h: 7345 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): 7346 * ftl/FTLLowerDFGToLLVM.cpp: 7347 (JSC::FTL::LowerDFGToLLVM::compileAdd): 7348 (JSC::FTL::LowerDFGToLLVM::compileArithSub): 7349 (JSC::FTL::LowerDFGToLLVM::compileArithMul): 7350 (JSC::FTL::LowerDFGToLLVM::compileArithDiv): 7351 (JSC::FTL::LowerDFGToLLVM::compileArithMod): 7352 (JSC::FTL::LowerDFGToLLVM::compileArithNegate): 7353 73542013-09-10 Chris Curtis <chris_curtis@apple.com> 7355 7356 WebKit crashes when trying to send a msg via 'today's birthdays' dialogue box on Facebook 7357 https://bugs.webkit.org/show_bug.cgi?id=120612#add_comment 7358 Reviewed by Geoffrey Garen. 7359 7360 The codeBlock was assumed to exist when appendSourceToMessage was set. 7361 This was an invalid assumption. I added a check to ensure that there is a 7362 valid codeBlock before accessing it. 7363 7364 * API/tests/testapi.c: 7365 (valueToObjectExceptionCallAsFunction): 7366 (valueToObjectExceptionTest): 7367 (main): 7368 * runtime/VM.cpp: 7369 (JSC::VM::throwException): 7370 73712013-09-10 Mark Lam <mark.lam@apple.com> 7372 7373 Fix some indentation in Interpreter.cpp. 7374 https://bugs.webkit.org/show_bug.cgi?id=121136. 7375 7376 Reviewed by Darin Adler. 7377 7378 * interpreter/Interpreter.cpp: 7379 (JSC::UnwindFunctor::operator()): 7380 73812013-09-10 Mark Hahnenberg <mhahnenberg@apple.com> 7382 7383 MapData has some issues 7384 https://bugs.webkit.org/show_bug.cgi?id=121118 7385 7386 Reviewed by Geoffrey Garen. 7387 7388 * heap/CopiedBlock.h: Added some debug-only consistency checking logic. We now make sure that 7389 m_liveBytes is consistent with another field, m_liveObjects. m_liveObjects is the number of 7390 "objects" that currently reside in the CopiedBlock. If we have zero live bytes then we should have 7391 zero live objects. The converse and the inverse should also be true. 7392 (JSC::CopiedBlock::CopiedBlock): 7393 (JSC::CopiedBlock::didSurviveGC): 7394 (JSC::CopiedBlock::didEvacuateBytes): 7395 (JSC::CopiedBlock::canBeRecycled): 7396 (JSC::CopiedBlock::shouldEvacuate): 7397 (JSC::CopiedBlock::liveBytes): 7398 (JSC::CopiedBlock::checkConsistency): 7399 * heap/CopiedBlockInlines.h: 7400 (JSC::CopiedBlock::reportLiveBytes): 7401 * heap/CopyVisitorInlines.h: 7402 (JSC::CopyVisitor::didCopy): 7403 * runtime/MapData.cpp: 7404 (JSC::MapData::replaceAndPackBackingStore): Renamed parameter to be consistent with its meaning. 7405 (JSC::MapData::replaceBackingStore): Ditto. Also removed an unnecessary local variable. 7406 (JSC::MapData::visitChildren): Before we passed the size of the MapData to copyLater(), which 7407 was wrong. Now we pass capacity * sizeof(Entry). 7408 (JSC::MapData::copyBackingStore): Before when we reassigned the newly copied backing store, we 7409 set the capacity (in elements) to the size (in bytes) of the backing store. This made us think 7410 we're way bigger than we actually are. Now we just pass the old capacity in. 7411 * runtime/MapData.h: 7412 (JSC::MapData::capacityInBytes): Helper function to calculate the size of the backing store. 7413 74142013-09-10 Filip Pizlo <fpizlo@apple.com> 7415 7416 We should say Int32 when we mean Int32. Saying Integer is just weird. 7417 7418 Rubber stamped by Mark Hahnenberg. 7419 7420 * dfg/DFGAbstractInterpreterInlines.h: 7421 (JSC::DFG::::executeEffects): 7422 * dfg/DFGFixupPhase.cpp: 7423 (JSC::DFG::FixupPhase::fixupNode): 7424 (JSC::DFG::FixupPhase::fixupToPrimitive): 7425 (JSC::DFG::FixupPhase::fixIntEdge): 7426 (JSC::DFG::FixupPhase::truncateConstantsIfNecessary): 7427 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd): 7428 * dfg/DFGGraph.h: 7429 (JSC::DFG::Graph::addSpeculationMode): 7430 (JSC::DFG::Graph::valueAddSpeculationMode): 7431 (JSC::DFG::Graph::arithAddSpeculationMode): 7432 (JSC::DFG::Graph::addShouldSpeculateInt32): 7433 (JSC::DFG::Graph::mulShouldSpeculateInt32): 7434 (JSC::DFG::Graph::negateShouldSpeculateInt32): 7435 (JSC::DFG::Graph::addImmediateShouldSpeculateInt32): 7436 (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): 7437 * dfg/DFGNode.h: 7438 (JSC::DFG::Node::shouldSpeculateInt32): 7439 (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic): 7440 (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): 7441 (JSC::DFG::Node::canSpeculateInt32): 7442 * dfg/DFGNodeFlags.h: 7443 (JSC::DFG::nodeCanSpeculateInt32): 7444 * dfg/DFGPredictionPropagationPhase.cpp: 7445 (JSC::DFG::PredictionPropagationPhase::propagate): 7446 (JSC::DFG::PredictionPropagationPhase::doDoubleVoting): 7447 * dfg/DFGSpeculativeJIT.cpp: 7448 (JSC::DFG::SpeculativeJIT::arrayify): 7449 (JSC::DFG::GPRTemporary::GPRTemporary): 7450 (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch): 7451 (JSC::DFG::SpeculativeJIT::compileValueToInt32): 7452 (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber): 7453 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): 7454 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): 7455 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): 7456 (JSC::DFG::SpeculativeJIT::compileAdd): 7457 (JSC::DFG::SpeculativeJIT::compileArithSub): 7458 (JSC::DFG::SpeculativeJIT::compileArithNegate): 7459 (JSC::DFG::SpeculativeJIT::compileArithIMul): 7460 (JSC::DFG::SpeculativeJIT::compileArithMul): 7461 (JSC::DFG::SpeculativeJIT::compileArithDiv): 7462 (JSC::DFG::SpeculativeJIT::compileArithMod): 7463 (JSC::DFG::SpeculativeJIT::compileNewTypedArray): 7464 (JSC::DFG::SpeculativeJIT::speculateInt32): 7465 (JSC::DFG::SpeculativeJIT::emitSwitchImm): 7466 * dfg/DFGSpeculativeJIT.h: 7467 (JSC::DFG::SpeculateInt32Operand::SpeculateInt32Operand): 7468 (JSC::DFG::SpeculateInt32Operand::~SpeculateInt32Operand): 7469 * dfg/DFGSpeculativeJIT32_64.cpp: 7470 (JSC::DFG::SpeculativeJIT::compileIntegerCompare): 7471 (JSC::DFG::SpeculativeJIT::compileLogicalNot): 7472 (JSC::DFG::SpeculativeJIT::emitBranch): 7473 (JSC::DFG::SpeculativeJIT::compile): 7474 * dfg/DFGSpeculativeJIT64.cpp: 7475 (JSC::DFG::SpeculativeJIT::compileIntegerCompare): 7476 (JSC::DFG::SpeculativeJIT::compileLogicalNot): 7477 (JSC::DFG::SpeculativeJIT::emitBranch): 7478 (JSC::DFG::SpeculativeJIT::compile): 7479 * ftl/FTLLowerDFGToLLVM.cpp: 7480 (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber): 7481 (JSC::FTL::LowerDFGToLLVM::compileGetByVal): 7482 74832013-09-10 Filip Pizlo <fpizlo@apple.com> 7484 7485 Introduce a SpecInt48 type and be more careful about what we mean by "Top" 7486 https://bugs.webkit.org/show_bug.cgi?id=121116 7487 7488 Reviewed by Oliver Hunt. 7489 7490 SpecInt48 will mean that we have something that would be a double if it was a JSValue, 7491 but it's profitable to represent it as something other than a double. 7492 7493 SpecInt48AsDouble means that it has a value that could have been represented like 7494 SpecInt48, but we're making a heuristic decision not to do it. 7495 7496 * bytecode/SpeculatedType.h: 7497 (JSC::isInt48Speculation): 7498 * dfg/DFGAbstractInterpreterInlines.h: 7499 (JSC::DFG::::executeEffects): 7500 (JSC::DFG::::clobberCapturedVars): 7501 * dfg/DFGAbstractValue.cpp: 7502 (JSC::DFG::AbstractValue::filter): 7503 * dfg/DFGAbstractValue.h: 7504 (JSC::DFG::AbstractValue::makeHeapTop): 7505 (JSC::DFG::AbstractValue::makeBytecodeTop): 7506 (JSC::DFG::AbstractValue::isHeapTop): 7507 (JSC::DFG::AbstractValue::heapTop): 7508 (JSC::DFG::AbstractValue::validateType): 7509 (JSC::DFG::AbstractValue::validate): 7510 (JSC::DFG::AbstractValue::makeTop): 7511 * dfg/DFGInPlaceAbstractState.cpp: 7512 (JSC::DFG::InPlaceAbstractState::initialize): 7513 * dfg/DFGJITCompiler.h: 7514 (JSC::DFG::JITCompiler::noticeOSREntry): 7515 * dfg/DFGUseKind.h: 7516 (JSC::DFG::typeFilterFor): 7517 75182013-09-09 Oliver Hunt <oliver@apple.com> 7519 7520 Support WeakMap 7521 https://bugs.webkit.org/show_bug.cgi?id=120912 7522 7523 Reviewed by Geoffrey Garen. 7524 7525 Add support for ES6 WeakMap. Add the cluster of boilerplate 7526 classes around the core WeakMapData class. 7527 7528 WeakMapData is a simple object->value hash table that uses a 7529 combo of WeakReferenceHarvester to conditionally keep the weak 7530 value reference live, and UnconditionalFinalizer to clean the 7531 dead keys from the table post-GC. 7532 7533 * CMakeLists.txt: 7534 * GNUmakefile.list.am: 7535 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 7536 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 7537 * JavaScriptCore.xcodeproj/project.pbxproj: 7538 * Target.pri: 7539 * runtime/CommonIdentifiers.h: 7540 * runtime/JSGlobalObject.cpp: 7541 * runtime/JSGlobalObject.h: 7542 (JSC::JSGlobalObject::weakMapDataStructure): 7543 * runtime/JSWeakMap.cpp: Added. 7544 (JSC::JSWeakMap::finishCreation): 7545 (JSC::JSWeakMap::visitChildren): 7546 * runtime/JSWeakMap.h: Added. 7547 (JSC::JSWeakMap::createStructure): 7548 (JSC::JSWeakMap::create): 7549 (JSC::JSWeakMap::weakMapData): 7550 (JSC::JSWeakMap::JSWeakMap): 7551 * runtime/WeakMapConstructor.cpp: Added. 7552 (JSC::WeakMapConstructor::finishCreation): 7553 (JSC::constructWeakMap): 7554 (JSC::WeakMapConstructor::getConstructData): 7555 (JSC::WeakMapConstructor::getCallData): 7556 * runtime/WeakMapConstructor.h: Added. 7557 (JSC::WeakMapConstructor::create): 7558 (JSC::WeakMapConstructor::createStructure): 7559 (JSC::WeakMapConstructor::WeakMapConstructor): 7560 * runtime/WeakMapData.cpp: Added. 7561 (JSC::WeakMapData::WeakMapData): 7562 (JSC::WeakMapData::finishCreation): 7563 (JSC::WeakMapData::destroy): 7564 (JSC::WeakMapData::visitChildren): 7565 (JSC::WeakMapData::set): 7566 (JSC::WeakMapData::get): 7567 (JSC::WeakMapData::remove): 7568 (JSC::WeakMapData::contains): 7569 (JSC::WeakMapData::clear): 7570 (JSC::WeakMapData::DeadKeyCleaner::visitWeakReferences): 7571 (JSC::WeakMapData::DeadKeyCleaner::finalizeUnconditionally): 7572 * runtime/WeakMapData.h: Added. 7573 (JSC::WeakMapData::create): 7574 (JSC::WeakMapData::createStructure): 7575 (JSC::WeakMapData::DeadKeyCleaner::DeadKeyCleaner): 7576 * runtime/WeakMapPrototype.cpp: Added. 7577 (JSC::WeakMapPrototype::finishCreation): 7578 (JSC::getWeakMapData): 7579 (JSC::protoFuncWeakMapClear): 7580 (JSC::protoFuncWeakMapDelete): 7581 (JSC::protoFuncWeakMapGet): 7582 (JSC::protoFuncWeakMapHas): 7583 (JSC::protoFuncWeakMapSet): 7584 * runtime/WeakMapPrototype.h: Added. 7585 (JSC::WeakMapPrototype::create): 7586 (JSC::WeakMapPrototype::createStructure): 7587 (JSC::WeakMapPrototype::WeakMapPrototype): 7588 75892013-09-10 Joseph Pecoraro <pecoraro@apple.com> 7590 7591 Web Inspector: [JSC] Caught exception is treated as uncaught 7592 https://bugs.webkit.org/show_bug.cgi?id=93607 7593 7594 Reviewed by Geoff Garen. 7595 7596 Check up the entire call stack to see if there is an exception handler. 7597 7598 * interpreter/Interpreter.cpp: 7599 (JSC::GetExceptionHandlerFunctor::GetExceptionHandlerFunctor): 7600 (JSC::GetExceptionHandlerFunctor::handler): 7601 (JSC::GetExceptionHandlerFunctor::operator()): 7602 76032013-09-10 Filip Pizlo <fpizlo@apple.com> 7604 7605 SpecType should have SpecInt48AsDouble 7606 https://bugs.webkit.org/show_bug.cgi?id=121065 7607 7608 Reviewed by Oliver Hunt. 7609 7610 * bytecode/SpeculatedType.cpp: 7611 (JSC::dumpSpeculation): 7612 (JSC::speculationToAbbreviatedString): 7613 (JSC::speculationFromValue): 7614 * bytecode/SpeculatedType.h: 7615 (JSC::isInt48AsDoubleSpeculation): 7616 (JSC::isIntegerSpeculation): 7617 (JSC::isDoubleRealSpeculation): 7618 76192013-09-10 Filip Pizlo <fpizlo@apple.com> 7620 7621 Don't GC while in the OSR-triggered jettison code 7622 https://bugs.webkit.org/show_bug.cgi?id=121106 7623 7624 Reviewed by Mark Hahnenberg. 7625 7626 * dfg/DFGOperations.cpp: 7627 76282013-09-10 Filip Pizlo <fpizlo@apple.com> 7629 7630 jsc commandline's run() function should take extra arguments 7631 https://bugs.webkit.org/show_bug.cgi?id=121098 7632 7633 Reviewed by Michael Saboff. 7634 7635 * jsc.cpp: 7636 (functionRun): 7637 76382013-09-09 Michael Saboff <msaboff@apple.com> 7639 7640 There should be one "invalid" virtual register constant 7641 https://bugs.webkit.org/show_bug.cgi?id=121057 7642 7643 Reviewed by Filip Pizlo. 7644 7645 Unify all references to an invalid virtual register to be the enum InvalidVirtualRegister. 7646 Changed the value of InvalidVirtualRegister to be maximum integer value. 7647 7648 * bytecode/CodeBlock.h: 7649 (JSC::CodeBlock::setArgumentsRegister): 7650 (JSC::CodeBlock::usesArguments): 7651 * bytecode/LazyOperandValueProfile.h: 7652 (JSC::LazyOperandValueProfileKey::LazyOperandValueProfileKey): 7653 (JSC::LazyOperandValueProfileKey::operator!): 7654 (JSC::LazyOperandValueProfileKey::isHashTableDeletedValue): 7655 (JSC::LazyOperandValueProfile::LazyOperandValueProfile): 7656 * bytecode/UnlinkedCodeBlock.cpp: 7657 (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): 7658 * bytecode/UnlinkedCodeBlock.h: 7659 (JSC::UnlinkedCodeBlock::usesArguments): 7660 (JSC::UnlinkedCodeBlock::usesGlobalObject): 7661 * bytecode/VirtualRegister.h: 7662 76632013-09-09 Michael Saboff <msaboff@apple.com> 7664 7665 Change virtual register function arguments from unsigned to int 7666 https://bugs.webkit.org/show_bug.cgi?id=121055 7667 7668 Reviewed by Filip Pizlo. 7669 7670 This is a largely mechanical change. This changes function paramaters and local variables used to 7671 represent bytecode operands from being unsigned to be int. 7672 7673 * bytecode/CodeOrigin.h: 7674 * dfg/DFGByteCodeParser.cpp: 7675 * jit/JIT.h: 7676 * jit/JITArithmetic.cpp: 7677 * jit/JITArithmetic32_64.cpp: 7678 * jit/JITInlines.h: 7679 * jit/JITOpcodes.cpp: 7680 * jit/JITOpcodes32_64.cpp: 7681 * jit/JITPropertyAccess.cpp: 7682 * jit/JITPropertyAccess32_64.cpp: 7683 * jit/JITStubCall.h: 7684 76852013-09-09 Michael Saboff <msaboff@apple.com> 7686 7687 Add local to/from operand helpers similar to argument to/from operand2 7688 https://bugs.webkit.org/show_bug.cgi?id=121056 7689 7690 Reviewed by Geoffrey Garen. 7691 7692 Added localToOperand(), operandToLocal() and operandIsLocal() to Operands.h, very similar to 7693 argumentToOperand(), et al. Used the new helpers everywhere where an index into a data 7694 structure is intended instead of the actual virtual register offset. When the stack is 7695 changed to grow down, local register offsets can be negative. Also added the helper 7696 DFG::SpeculativeJIT::generationInfoFromVirtualRegister() for the common case accessing 7697 m_generationInfo[operandToLocal(val)]. 7698 7699 * bytecode/CodeBlock.cpp: 7700 * bytecode/CodeBlock.h: 7701 * bytecode/Operands.h: 7702 (JSC::localToOperand): 7703 (JSC::operandIsLocal): 7704 (JSC::operandToLocal): 7705 * bytecompiler/BytecodeGenerator.h: 7706 * dfg/DFGAbstractInterpreterInlines.h: 7707 * dfg/DFGByteCodeParser.cpp: 7708 * dfg/DFGCFGSimplificationPhase.cpp: 7709 * dfg/DFGCPSRethreadingPhase.cpp: 7710 * dfg/DFGOSREntry.cpp: 7711 * dfg/DFGOSRExitCompiler32_64.cpp: 7712 * dfg/DFGOSRExitCompiler64.cpp: 7713 * dfg/DFGScoreBoard.h: 7714 * dfg/DFGSpeculativeJIT.cpp: 7715 * dfg/DFGSpeculativeJIT.h: 7716 (JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister): 7717 * dfg/DFGSpeculativeJIT32_64.cpp: 7718 * dfg/DFGSpeculativeJIT64.cpp: 7719 * dfg/DFGValidate.cpp: 7720 * dfg/DFGVariableEventStream.cpp: 7721 * dfg/DFGVirtualRegisterAllocationPhase.cpp: 7722 * jit/JITInlines.h: 7723 * jit/JITOpcodes.cpp: 7724 * jit/JITOpcodes32_64.cpp: 7725 77262013-09-09 Filip Pizlo <fpizlo@apple.com> 7727 7728 Unreviewed, disable GC logging. 7729 7730 * heap/Heap.cpp: 7731 77322013-09-09 Mark Hahnenberg <mhahnenberg@apple.com> 7733 7734 CopiedSpace::startedCopying should not call MarkedSpace::capacity 7735 https://bugs.webkit.org/show_bug.cgi?id=121045 7736 7737 Reviewed by Geoffrey Garen. 7738 7739 MarkedSpace::capacity() iterates every block in MarkedSpace. Instead we should just 7740 keep track of our total capacity in MarkedSpace as we add and remove MarkedBlocks. 7741 7742 * heap/MarkedSpace.cpp: 7743 (JSC::MarkedSpace::freeBlock): 7744 * heap/MarkedSpace.h: 7745 (JSC::MarkedSpace::didAddBlock): 7746 (JSC::MarkedSpace::capacity): 7747 77482013-09-09 Michael Saboff <msaboff@apple.com> 7749 7750 Wrong for SlowPathCall to load callFrame reg from vm.topCallFrame after call 7751 https://bugs.webkit.org/show_bug.cgi?id=120537 7752 7753 Reviewed by Geoffrey Garen. 7754 7755 Changed JITSlowPathCall::call() to update vm.topCallFrame from the callFrameRegister instead of the 7756 other way around. 7757 7758 * jit/JIT.h: 7759 * jit/JITInlines.h: 7760 * jit/SlowPathCall.h: 7761 (JSC::JITSlowPathCall::call): 7762 77632013-08-29 Mark Hahnenberg <mhahnenberg@apple.com> 7764 7765 JSArray::shiftCountWithArrayStorage doesn't change indexBias when shifting the last element in m_vector 7766 https://bugs.webkit.org/show_bug.cgi?id=120389 7767 7768 Reviewed by Michael Saboff. 7769 7770 Went through and cleaned up shiftCountWithArrayStorage. Gave meaningful variable names 7771 and commented the confusing parts. This led to realizing how to fix this bug, which has 7772 been done. The issue was that we were modifying the vector length unconditionally, even 7773 when we weren't logically changing the length of the vector. Instead, we should only modify 7774 the vector length when we modify the index bias. 7775 7776 * runtime/JSArray.cpp: 7777 (JSC::JSArray::shiftCountWithArrayStorage): 7778 77792013-09-08 Anders Carlsson <andersca@apple.com> 7780 7781 Begin moving off of TypeTraits.h 7782 https://bugs.webkit.org/show_bug.cgi?id=121006 7783 7784 Reviewed by Darin Adler. 7785 7786 Convert uses of WTF type traits to STL type traits. 7787 7788 * heap/PassWeak.h: 7789 * runtime/JSCell.h: 7790 (JSC::jsCast): 7791 (JSC::jsDynamicCast): 7792 * runtime/WriteBarrier.h: 7793 (JSC::validateCell): 7794 77952013-09-08 Mark Hahnenberg <mhahnenberg@apple.com> 7796 7797 Calculating the size of the Heap should not require walking over it 7798 https://bugs.webkit.org/show_bug.cgi?id=120910 7799 7800 Reviewed by Geoffrey Garen. 7801 7802 Currently Heap::size() is O(sizeof(Heap)). This is too expensive to 7803 call during a collection. We should keep a count of visited and copied 7804 bytes as each collection progresses so as to avoid re-walking the Heap 7805 at the end of collection. 7806 7807 * heap/GCThreadSharedData.cpp: 7808 (JSC::GCThreadSharedData::childBytesVisited): 7809 (JSC::GCThreadSharedData::childBytesCopied): 7810 * heap/GCThreadSharedData.h: 7811 * heap/Heap.cpp: 7812 (JSC::Heap::Heap): 7813 (JSC::Heap::markRoots): 7814 (JSC::Heap::sizeAfterCollect): 7815 (JSC::Heap::collect): 7816 * heap/Heap.h: 7817 * heap/SlotVisitor.cpp: 7818 (JSC::SlotVisitor::SlotVisitor): 7819 (JSC::SlotVisitor::reset): 7820 * heap/SlotVisitor.h: 7821 (JSC::SlotVisitor::bytesVisited): 7822 (JSC::SlotVisitor::bytesCopied): 7823 * heap/SlotVisitorInlines.h: 7824 (JSC::SlotVisitor::internalAppend): 7825 (JSC::SlotVisitor::copyLater): 7826 78272013-09-08 Mark Hahnenberg <mhahnenberg@apple.com> 7828 7829 Clearing MarkedBlock::m_newlyAllocated should be separate from MarkedBlock::clearMarks 7830 https://bugs.webkit.org/show_bug.cgi?id=121007 7831 7832 Reviewed by Oliver Hunt. 7833 7834 We call clearMarks on every MarkedBlock in the Heap, whereas we only need to clear 7835 m_newlyAllocated for the m_currentBlock at the time of the last canonicalizeCellLiveness() 7836 for each MarkedAllocator. We also need to call it on every block in the largeAllocators 7837 because each one of their blocks is canonicalized as it is used. 7838 7839 * heap/Heap.cpp: 7840 (JSC::Heap::markRoots): 7841 * heap/MarkedAllocator.h: 7842 (JSC::MarkedAllocator::getAndClearCanonicalizedBlock): 7843 (JSC::MarkedAllocator::MarkedAllocator): 7844 (JSC::MarkedAllocator::canonicalizeCellLivenessData): 7845 * heap/MarkedBlock.h: 7846 (JSC::MarkedBlock::lastChanceToFinalize): 7847 (JSC::MarkedBlock::clearMarks): 7848 (JSC::MarkedBlock::clearNewlyAllocated): 7849 * heap/MarkedSpace.cpp: 7850 (JSC::clearNewlyAllocatedInBlock): 7851 (JSC::ClearNewlyAllocated::operator()): 7852 (JSC::MarkedSpace::clearNewlyAllocated): 7853 * heap/MarkedSpace.h: 7854 78552013-09-07 Filip Pizlo <fpizlo@apple.com> 7856 7857 FTL should support typed array PutByVal 7858 https://bugs.webkit.org/show_bug.cgi?id=120972 7859 7860 Reviewed by Oliver Hunt. 7861 7862 Due to increased FTL coverage, this revealed a bug in LICM where we were trying to 7863 have AI execute the tail of a block that !cfaDidFinish. We don't need to execute AI 7864 for such blocks since LICM will bail for them anyway, and AI asserts that cfaDidFinish 7865 is true. 7866 7867 * dfg/DFGLICMPhase.cpp: 7868 (JSC::DFG::LICMPhase::attemptHoist): 7869 * ftl/FTLAbbreviations.h: 7870 (JSC::FTL::buildFPToUI): 7871 * ftl/FTLCapabilities.cpp: 7872 (JSC::FTL::canCompile): 7873 * ftl/FTLIntrinsicRepository.h: 7874 * ftl/FTLLowerDFGToLLVM.cpp: 7875 (JSC::FTL::LowerDFGToLLVM::compilePutByVal): 7876 (JSC::FTL::LowerDFGToLLVM::doubleToInt32): 7877 (JSC::FTL::LowerDFGToLLVM::doubleToUInt32): 7878 * ftl/FTLOutput.h: 7879 (JSC::FTL::Output::fpToUInt): 7880 (JSC::FTL::Output::fpToUInt32): 7881 (JSC::FTL::Output::store8): 7882 (JSC::FTL::Output::store16): 7883 (JSC::FTL::Output::storeFloat): 7884 78852013-09-07 Filip Pizlo <fpizlo@apple.com> 7886 7887 FTL should support basic closure operations 7888 https://bugs.webkit.org/show_bug.cgi?id=120987 7889 7890 Reviewed by Oliver Hunt. 7891 7892 * ftl/FTLAbstractHeapRepository.cpp: 7893 * ftl/FTLAbstractHeapRepository.h: 7894 * ftl/FTLCapabilities.cpp: 7895 (JSC::FTL::canCompile): 7896 * ftl/FTLLowerDFGToLLVM.cpp: 7897 (JSC::FTL::LowerDFGToLLVM::compileNode): 7898 (JSC::FTL::LowerDFGToLLVM::compileGetMyScope): 7899 (JSC::FTL::LowerDFGToLLVM::compileSkipScope): 7900 (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): 7901 (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar): 7902 (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar): 7903 79042013-09-07 Filip Pizlo <fpizlo@apple.com> 7905 7906 Only run FTL tests if we have the FTL 7907 https://bugs.webkit.org/show_bug.cgi?id=120974 7908 7909 Reviewed by Geoffrey Garen. 7910 7911 The test infrastructure is now smart enough to not pass --useExperimentalFTL=true 7912 unless it knows that we have the FTL. 7913 7914 * dfg/DFGTierUpCheckInjectionPhase.cpp: 7915 (JSC::DFG::TierUpCheckInjectionPhase::run): 7916 79172013-09-07 Anders Carlsson <andersca@apple.com> 7918 7919 Get rid of PassOwnArrayPtr 7920 https://bugs.webkit.org/show_bug.cgi?id=120964 7921 7922 Reviewed by Andreas Kling. 7923 7924 Use OwnArrayPtr instead of PassOwnArrayPtr. 7925 7926 * bytecompiler/BytecodeGenerator.cpp: 7927 (JSC::BytecodeGenerator::BytecodeGenerator): 7928 * runtime/SymbolTable.h: 7929 (JSC::SharedSymbolTable::setSlowArguments): 7930 79312013-09-07 Filip Pizlo <fpizlo@apple.com> 7932 7933 FTL should support typed array GetByVal and related ops 7934 https://bugs.webkit.org/show_bug.cgi?id=120965 7935 7936 Reviewed by Oliver Hunt. 7937 7938 This adds support for typed array instantiations of the following DFG IR ops: 7939 7940 - GetByVal 7941 7942 - GetIndexedPropertyStorage 7943 7944 - CheckArray 7945 7946 - GetArrayLength 7947 7948 This also adds CheckArray for Int32/Double/Contiguous arrays. 7949 7950 * dfg/DFGArrayMode.cpp: 7951 (JSC::DFG::toIndexingShape): 7952 * dfg/DFGArrayMode.h: 7953 (JSC::DFG::ArrayMode::shapeMask): 7954 * ftl/FTLAbbreviations.h: 7955 (JSC::FTL::floatType): 7956 (JSC::FTL::buildSExt): 7957 (JSC::FTL::buildFPCast): 7958 * ftl/FTLAbstractHeapRepository.h: 7959 * ftl/FTLCapabilities.cpp: 7960 (JSC::FTL::canCompile): 7961 * ftl/FTLCommonValues.cpp: 7962 (JSC::FTL::CommonValues::CommonValues): 7963 * ftl/FTLCommonValues.h: 7964 * ftl/FTLLowerDFGToLLVM.cpp: 7965 (JSC::FTL::LowerDFGToLLVM::compileNode): 7966 (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage): 7967 (JSC::FTL::LowerDFGToLLVM::compileCheckArray): 7968 (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): 7969 (JSC::FTL::LowerDFGToLLVM::compileGetByVal): 7970 (JSC::FTL::LowerDFGToLLVM::isArrayType): 7971 (JSC::FTL::LowerDFGToLLVM::hasClassInfo): 7972 * ftl/FTLOutput.h: 7973 (JSC::FTL::Output::constIntPtr): 7974 (JSC::FTL::Output::signExt): 7975 (JSC::FTL::Output::fpCast): 7976 (JSC::FTL::Output::loadFloat): 7977 79782013-09-07 Anders Carlsson <andersca@apple.com> 7979 7980 VectorMover should use std::move 7981 https://bugs.webkit.org/show_bug.cgi?id=120959 7982 7983 Reviewed by Geoffrey Garen. 7984 7985 Work around a bug in GCC by changing the type of the callType bitfield 7986 in CallLinkInfo to be unsigned instead of CallType. 7987 7988 * bytecode/CallLinkInfo.h: 7989 79902013-09-07 Anders Carlsson <andersca@apple.com> 7991 7992 Get rid of FastAllocBase.h 7993 https://bugs.webkit.org/show_bug.cgi?id=120952 7994 7995 Reviewed by Antti Koivisto. 7996 7997 Include FastMalloc.h instead of FastAllocBase.h. 7998 7999 * assembler/LinkBuffer.h: 8000 * bytecode/CodeBlock.h: 8001 * bytecode/StructureStubClearingWatchpoint.h: 8002 * dfg/DFGFinalizer.h: 8003 * dfg/DFGLongLivedState.h: 8004 * dfg/DFGSlowPathGenerator.h: 8005 * ftl/FTLAbstractHeap.h: 8006 * heap/JITStubRoutineSet.h: 8007 * jit/CompactJITCodeMap.h: 8008 * profiler/ProfilerDatabase.h: 8009 * profiler/ProfilerExecutionCounter.h: 8010 80112013-09-06 Filip Pizlo <fpizlo@apple.com> 8012 8013 FTL should support Call/Construct in the worst way possible 8014 https://bugs.webkit.org/show_bug.cgi?id=120916 8015 8016 Reviewed by Oliver Hunt. 8017 8018 This adds support for Call/Construct by just calling out to C code that uses 8019 the JSC::call/JSC::construct runtime functions for making calls. This is slow 8020 and terrible, but it dramatically extends FTL coverage. 8021 8022 Supporting calls in a meaningful way meant also supporting 8023 GlobalVarWatchpoint. 8024 8025 The extension of coverage helped to find a bunch of bugs: 8026 8027 - ObjectOrOtherUse was claimed to be supported in the FTL but speculate() 8028 didn't support it. That means that any node with an ObjectOrOtherUse edge 8029 that got DCE'd would cause the FTL to ICE. 8030 8031 - There was a bad fall-through compileCompareStrictEq() that led to ICE. 8032 8033 - The OSR exit reconstruction code was assuming it could do fast checks on 8034 node->child1() before even determining the type of node; that crashes if 8035 the node is HasVarArgs. Fixed by checking HasVarArgs first. 8036 8037 - The OSR exit compiler was using the wrong peekOffset for CArgumentGetter. 8038 The default is 1, which assumes that you didn't push anything onto the 8039 stack after getting called. The OSR exit thunks push FP, so the offset 8040 should be 2. 8041 8042 This passes stress tests and is probably huge performance regression if you 8043 --useExperimentalFTL=true. The regression will be fixed in 8044 https://bugs.webkit.org/show_bug.cgi?id=113621. 8045 8046 * dfg/DFGOperations.cpp: 8047 * dfg/DFGOperations.h: 8048 * ftl/FTLCapabilities.cpp: 8049 (JSC::FTL::canCompile): 8050 * ftl/FTLIntrinsicRepository.h: 8051 * ftl/FTLLowerDFGToLLVM.cpp: 8052 (JSC::FTL::LowerDFGToLLVM::compileNode): 8053 (JSC::FTL::LowerDFGToLLVM::compileGlobalVarWatchpoint): 8054 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): 8055 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): 8056 (JSC::FTL::LowerDFGToLLVM::speculate): 8057 (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther): 8058 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): 8059 * ftl/FTLOSRExitCompiler.cpp: 8060 (JSC::FTL::compileStub): 8061 80622013-09-06 Filip Pizlo <fpizlo@apple.com> 8063 8064 jsc shell should destroy VM as a workaround for LLVM's exit-time destructors 8065 https://bugs.webkit.org/show_bug.cgi?id=120921 8066 8067 Reviewed by Oliver Hunt. 8068 8069 LLVM's exit-time destructors will fire when we exit. If there is an on-going 8070 FTL compile at exit, which will happen if the VM that triggered the compile 8071 isn't shut down, then we will crash. 8072 8073 We should get rid of LLVM's exit-time destructors. But before we do that, we 8074 should just do a clean VM shutdown to suppress spurious crashes. This will 8075 help in expanding LLVM coverage for now. 8076 8077 * jsc.cpp: 8078 (jscmain): 8079 80802013-09-06 Filip Pizlo <fpizlo@apple.com> 8081 8082 FTL ArithMod Int32Use doesn't check for negative zero correctly 8083 https://bugs.webkit.org/show_bug.cgi?id=120905 8084 8085 Reviewed by Mark Hahnenberg. 8086 8087 * ftl/FTLLowerDFGToLLVM.cpp: 8088 (JSC::FTL::LowerDFGToLLVM::compileArithMod): 8089 80902013-09-06 Filip Pizlo <fpizlo@apple.com> 8091 8092 FTL ArithNeg Int32Use doesn't check negative zero 8093 https://bugs.webkit.org/show_bug.cgi?id=120900 8094 8095 Reviewed by Mark Hahnenberg. 8096 8097 * ftl/FTLLowerDFGToLLVM.cpp: 8098 (JSC::FTL::LowerDFGToLLVM::compileArithNegate): 8099 81002013-09-06 Anders Carlsson <andersca@apple.com> 8101 8102 Stop using fastNew/fastDelete in JavaScriptCore 8103 https://bugs.webkit.org/show_bug.cgi?id=120898 8104 8105 Reviewed by Oliver Hunt. 8106 8107 Change all the hash table members in ExecState to be OwnPtrs and use 8108 adoptPtr instead. Also, since none of the hash tables can be null, change their getters 8109 to return references and propagate the reference types wherever we know that a HashTable can't be null. 8110 8111 * interpreter/CallFrame.h: 8112 (JSC::ExecState::arrayConstructorTable): 8113 (JSC::ExecState::arrayPrototypeTable): 8114 (JSC::ExecState::booleanPrototypeTable): 8115 (JSC::ExecState::dataViewTable): 8116 (JSC::ExecState::dateTable): 8117 (JSC::ExecState::dateConstructorTable): 8118 (JSC::ExecState::errorPrototypeTable): 8119 (JSC::ExecState::globalObjectTable): 8120 (JSC::ExecState::jsonTable): 8121 (JSC::ExecState::numberConstructorTable): 8122 (JSC::ExecState::numberPrototypeTable): 8123 (JSC::ExecState::objectConstructorTable): 8124 (JSC::ExecState::privateNamePrototypeTable): 8125 (JSC::ExecState::regExpTable): 8126 (JSC::ExecState::regExpConstructorTable): 8127 (JSC::ExecState::regExpPrototypeTable): 8128 (JSC::ExecState::stringConstructorTable): 8129 (JSC::ExecState::promisePrototypeTable): 8130 (JSC::ExecState::promiseConstructorTable): 8131 (JSC::ExecState::promiseResolverPrototypeTable): 8132 * runtime/ClassInfo.h: 8133 (JSC::ClassInfo::propHashTable): 8134 * runtime/Lookup.h: 8135 (JSC::getStaticPropertySlot): 8136 (JSC::getStaticFunctionSlot): 8137 (JSC::getStaticValueSlot): 8138 (JSC::lookupPut): 8139 * runtime/VM.cpp: 8140 (JSC::VM::VM): 8141 (JSC::VM::~VM): 8142 * runtime/VM.h: 8143 81442013-09-06 Filip Pizlo <fpizlo@apple.com> 8145 8146 Concurrent FTL causes !hasOptimizedReplacement() asserts in cti_optimize 8147 https://bugs.webkit.org/show_bug.cgi?id=120890 8148 8149 Reviewed by Mark Hahnenberg. 8150 8151 Don't install an FTL code block if the DFG code block has already been jettisoned. 8152 8153 * dfg/DFGToFTLDeferredCompilationCallback.cpp: 8154 (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete): 8155 81562013-09-06 Filip Pizlo <fpizlo@apple.com> 8157 8158 REGRESSION(149636, merged in 153145): ToThis conversion doesn't work in the DFG 8159 https://bugs.webkit.org/show_bug.cgi?id=120781 8160 8161 Reviewed by Mark Hahnenberg. 8162 8163 Roll this back in with a build fix. 8164 8165 - Use some method table hacks to detect if the CheckStructure optimization is 8166 valid for to_this. 8167 8168 - Introduce a FinalObjectUse and use it for ToThis->Identity conversion. 8169 8170 This looks like it might be perf-neutral on the major benchmarks, but it 8171 introduces some horrible performance cliffs. For example if you add methods to 8172 the Array prototype, you'll get horrible performance cliffs. As in virtual calls 8173 to C++ every time you call a JS function even if it's inlined. 8174 LongSpider/3d-cube appears to hit this. 8175 8176 * dfg/DFGAbstractInterpreterInlines.h: 8177 (JSC::DFG::::executeEffects): 8178 * dfg/DFGByteCodeParser.cpp: 8179 (JSC::DFG::ByteCodeParser::parseBlock): 8180 * dfg/DFGFixupPhase.cpp: 8181 (JSC::DFG::FixupPhase::fixupNode): 8182 * dfg/DFGRepatch.cpp: 8183 (JSC::DFG::emitPutTransitionStub): 8184 * dfg/DFGSafeToExecute.h: 8185 (JSC::DFG::SafeToExecuteEdge::operator()): 8186 * dfg/DFGSpeculativeJIT.cpp: 8187 (JSC::DFG::SpeculativeJIT::speculateFinalObject): 8188 (JSC::DFG::SpeculativeJIT::speculate): 8189 * dfg/DFGSpeculativeJIT.h: 8190 * dfg/DFGSpeculativeJIT32_64.cpp: 8191 (JSC::DFG::SpeculativeJIT::compile): 8192 * dfg/DFGSpeculativeJIT64.cpp: 8193 (JSC::DFG::SpeculativeJIT::compile): 8194 * dfg/DFGUseKind.cpp: 8195 (WTF::printInternal): 8196 * dfg/DFGUseKind.h: 8197 (JSC::DFG::typeFilterFor): 8198 (JSC::DFG::isCell): 8199 82002013-09-05 Filip Pizlo <fpizlo@apple.com> 8201 8202 Introduce a way to run benchmarks and JSRegress as stress tests with different jsc command-line options 8203 https://bugs.webkit.org/show_bug.cgi?id=120808 8204 8205 Reviewed by Mark Hahnenberg and rubber stamped by Geoffrey Garen. 8206 8207 Allow --useExperimentalFTL=true even if FTL isn't built since this simplifies 8208 testing. 8209 8210 * dfg/DFGTierUpCheckInjectionPhase.cpp: 8211 (JSC::DFG::TierUpCheckInjectionPhase::run): 8212 82132013-09-06 Zan Dobersek <zdobersek@igalia.com> 8214 8215 Unreviewed build fix for the GTK port when building with FTL JIT enabled. 8216 8217 * GNUmakefile.list.am: Add the missing files to the build. 8218 82192013-09-05 Oliver Hunt <oliver@apple.com> 8220 8221 Make it simpler to introduce new data types to the global object 8222 https://bugs.webkit.org/show_bug.cgi?id=120801 8223 8224 Reviewed by Gavin Barraclough. 8225 8226 Add an iterator macro that lists all the "simple" ES types (e.g. type 8227 consists of instance, constructor, and prototype classes). So that 8228 we don't need to have every new type litter JSGlobalObject.{cpp,h} with 8229 members, accessors, and manual GC visiting. 8230 8231 * runtime/JSGlobalObject.cpp: 8232 (JSC::JSGlobalObject::visitChildren): 8233 * runtime/JSGlobalObject.h: 8234 82352013-09-05 Mark Rowe <mrowe@apple.com> 8236 8237 Roll out r155149 since it broke the build. 8238 82392013-09-05 Michael Saboff <msaboff@apple.com> 8240 8241 Cleanup formatting of byte code debug output 8242 Source/JavaScriptCore/ChangeLog 8243 8244 Rubber stamped by Filip Pizlo. 8245 8246 Put the formatting of the byte code offset and operation into one common function to 8247 simplify and unify formatting. Changed CodeBlock::registerName() to return 8248 "thist" for argument register 0, "argN" for other argument registers and "locN" for 8249 local registers. 8250 8251 * bytecode/CodeBlock.cpp: 8252 (JSC::CodeBlock::registerName): 8253 (JSC::CodeBlock::printUnaryOp): 8254 (JSC::CodeBlock::printBinaryOp): 8255 (JSC::CodeBlock::printConditionalJump): 8256 (JSC::CodeBlock::printGetByIdOp): 8257 (JSC::CodeBlock::printCallOp): 8258 (JSC::CodeBlock::printPutByIdOp): 8259 (JSC::CodeBlock::dumpBytecode): 8260 * bytecode/CodeBlock.h: 8261 (JSC::CodeBlock::printLocationAndOp): 8262 (JSC::CodeBlock::printLocationOpAndRegisterOperand): 8263 82642013-09-05 Filip Pizlo <fpizlo@apple.com> 8265 8266 REGRESSION(149636, merged in 153145): ToThis conversion doesn't work in the DFG 8267 https://bugs.webkit.org/show_bug.cgi?id=120781 8268 8269 Reviewed by Mark Hahnenberg. 8270 8271 - Use some method table hacks to detect if the CheckStructure optimization is 8272 valid for to_this. 8273 8274 - Introduce a FinalObjectUse and use it for ToThis->Identity conversion. 8275 8276 This looks like it might be perf-neutral on the major benchmarks, but it 8277 introduces some horrible performance cliffs. For example if you add methods to 8278 the Array prototype, you'll get horrible performance cliffs. As in virtual calls 8279 to C++ every time you call a JS function even if it's inlined. 8280 LongSpider/3d-cube appears to hit this. 8281 8282 * dfg/DFGAbstractInterpreterInlines.h: 8283 (JSC::DFG::::executeEffects): 8284 * dfg/DFGByteCodeParser.cpp: 8285 (JSC::DFG::ByteCodeParser::parseBlock): 8286 * dfg/DFGFixupPhase.cpp: 8287 (JSC::DFG::FixupPhase::fixupNode): 8288 * dfg/DFGSafeToExecute.h: 8289 (JSC::DFG::SafeToExecuteEdge::operator()): 8290 * dfg/DFGSpeculativeJIT.cpp: 8291 (JSC::DFG::SpeculativeJIT::speculateFinalObject): 8292 (JSC::DFG::SpeculativeJIT::speculate): 8293 * dfg/DFGSpeculativeJIT.h: 8294 * dfg/DFGSpeculativeJIT32_64.cpp: 8295 (JSC::DFG::SpeculativeJIT::compile): 8296 * dfg/DFGSpeculativeJIT64.cpp: 8297 (JSC::DFG::SpeculativeJIT::compile): 8298 * dfg/DFGUseKind.cpp: 8299 (WTF::printInternal): 8300 * dfg/DFGUseKind.h: 8301 (JSC::DFG::typeFilterFor): 8302 (JSC::DFG::isCell): 8303 83042013-09-05 Anders Carlsson <andersca@apple.com> 8305 8306 GCAssertions.h should use STL type traits and static_assert 8307 https://bugs.webkit.org/show_bug.cgi?id=120785 8308 8309 Reviewed by Andreas Kling. 8310 8311 There's no need to rely on compiler specific support to figure out if a class is trivially destructable, 8312 we can just use type traits from STL. Do this, fix the assert macro to use static_assert directly and 8313 rename it from ASSERT_HAS_TRIVIAL_DESTRUCTOR to STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE to clarify that 8314 it's a static assert and to match the STL nomenclature. 8315 8316 * API/JSCallbackFunction.cpp: 8317 * debugger/DebuggerActivation.cpp: 8318 * heap/GCAssertions.h: 8319 * runtime/ArrayConstructor.cpp: 8320 * runtime/BooleanConstructor.cpp: 8321 * runtime/BooleanObject.cpp: 8322 * runtime/BooleanPrototype.cpp: 8323 * runtime/DateConstructor.cpp: 8324 * runtime/ErrorConstructor.cpp: 8325 * runtime/ErrorInstance.cpp: 8326 * runtime/ErrorPrototype.cpp: 8327 * runtime/ExceptionHelpers.cpp: 8328 * runtime/FunctionConstructor.cpp: 8329 * runtime/FunctionPrototype.cpp: 8330 * runtime/GetterSetter.cpp: 8331 * runtime/InternalFunction.cpp: 8332 * runtime/JSAPIValueWrapper.cpp: 8333 * runtime/JSArray.cpp: 8334 * runtime/JSCell.cpp: 8335 * runtime/JSNotAnObject.cpp: 8336 * runtime/JSONObject.cpp: 8337 * runtime/JSObject.cpp: 8338 * runtime/JSPromiseConstructor.cpp: 8339 * runtime/JSPromisePrototype.cpp: 8340 * runtime/JSPromiseResolverConstructor.cpp: 8341 * runtime/JSPromiseResolverPrototype.cpp: 8342 * runtime/JSProxy.cpp: 8343 * runtime/JSScope.cpp: 8344 * runtime/JSWrapperObject.cpp: 8345 * runtime/MathObject.cpp: 8346 * runtime/NameConstructor.cpp: 8347 * runtime/NativeErrorConstructor.cpp: 8348 * runtime/NumberConstructor.cpp: 8349 * runtime/NumberObject.cpp: 8350 * runtime/NumberPrototype.cpp: 8351 * runtime/ObjectConstructor.cpp: 8352 * runtime/ObjectPrototype.cpp: 8353 * runtime/RegExpObject.cpp: 8354 * runtime/StrictEvalActivation.cpp: 8355 * runtime/StringConstructor.cpp: 8356 * runtime/StringObject.cpp: 8357 * runtime/StringPrototype.cpp: 8358 83592013-09-05 Brent Fulgham <bfulgham@apple.com> 8360 8361 [Windows] Unreviewed build fix for DebugSuffix target. 8362 8363 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Don't build 64-bit assembly in 32-bit build. 8364 Also correct 'filters' file so that files appear in categories that match their on-disk locations. 8365 83662013-09-04 Filip Pizlo <fpizlo@apple.com> 8367 8368 jsc tests should have timeouts 8369 https://bugs.webkit.org/show_bug.cgi?id=120725 8370 8371 Reviewed by Geoffrey Garen. 8372 8373 Add the timeout logic directly to 'jsc' because that's easier to do than 8374 writing shell/perl code for it. 8375 8376 * jsc.cpp: 8377 (timeoutThreadMain): 8378 (main): 8379 83802013-09-04 Filip Pizlo <fpizlo@apple.com> 8381 8382 fast/js/dfg-* tests should wait for the concurrent JIT 8383 https://bugs.webkit.org/show_bug.cgi?id=120723 8384 8385 Reviewed by Geoffrey Garen. 8386 8387 * runtime/TestRunnerUtils.cpp: 8388 (JSC::numberOfDFGCompiles): This should also handle constructors. 8389 83902013-09-04 Filip Pizlo <fpizlo@apple.com> 8391 8392 run-fast-jsc should work with new-school fast/js tests that loop until the DFG tiers up 8393 https://bugs.webkit.org/show_bug.cgi?id=120697 8394 8395 Reviewed by Mark Hahnenberg. 8396 8397 * API/JSCTestRunnerUtils.cpp: 8398 (JSC::numberOfDFGCompiles): 8399 (JSC::setNeverInline): 8400 * CMakeLists.txt: 8401 * GNUmakefile.list.am: 8402 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 8403 * JavaScriptCore.xcodeproj/project.pbxproj: 8404 * Target.pri: 8405 * jsc.cpp: 8406 (GlobalObject::finishCreation): 8407 (functionNeverInlineFunction): 8408 (functionNumberOfDFGCompiles): 8409 * runtime/TestRunnerUtils.cpp: Added. 8410 (JSC::getExecutable): 8411 (JSC::numberOfDFGCompiles): 8412 (JSC::setNeverInline): 8413 * runtime/TestRunnerUtils.h: Added. 8414 84152013-09-04 Mark Lam <mark.lam@apple.com> 8416 8417 Renamed StackIterator to StackVisitor. 8418 https://bugs.webkit.org/show_bug.cgi?id=120706. 8419 8420 Reviewed by Geoffrey Garen. 8421 8422 Also did some minor refactoring: 8423 - Renamed StackIterator::iterate() to StackVisitor::visit(). 8424 - Make StackVisitor::visit() a static method. 8425 - Move the instantiation of the StackVisitor instance into StackVisitor::visit() 8426 from CallFrame::iterate(). 8427 - Removed StackIterator::resetIterator() and inline its body into the 8428 StackVisitor constructor since this is the only remaining caller of it. 8429 8430 * API/JSContextRef.cpp: 8431 (BacktraceFunctor::operator()): 8432 * CMakeLists.txt: 8433 * GNUmakefile.list.am: 8434 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 8435 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 8436 * JavaScriptCore.xcodeproj/project.pbxproj: 8437 * Target.pri: 8438 * interpreter/CallFrame.h: 8439 (JSC::ExecState::iterate): 8440 * interpreter/Interpreter.cpp: 8441 (JSC::DumpRegisterFunctor::operator()): 8442 (JSC::unwindCallFrame): 8443 (JSC::getStackFrameCodeType): 8444 (JSC::GetStackTraceFunctor::operator()): 8445 (JSC::UnwindFunctor::operator()): 8446 * interpreter/Interpreter.h: 8447 * interpreter/StackIterator.cpp: Removed. 8448 * interpreter/StackIterator.h: Removed. 8449 * interpreter/StackVisitor.cpp: Copied from Source/JavaScriptCore/interpreter/StackIterator.cpp. 8450 (JSC::StackVisitor::StackVisitor): 8451 (JSC::StackVisitor::gotoNextFrame): 8452 (JSC::StackVisitor::readFrame): 8453 (JSC::StackVisitor::readNonInlinedFrame): 8454 (JSC::StackVisitor::readInlinedFrame): 8455 (JSC::StackVisitor::Frame::codeType): 8456 (JSC::StackVisitor::Frame::functionName): 8457 (JSC::StackVisitor::Frame::sourceURL): 8458 (JSC::StackVisitor::Frame::toString): 8459 (JSC::StackVisitor::Frame::arguments): 8460 (JSC::StackVisitor::Frame::computeLineAndColumn): 8461 (JSC::StackVisitor::Frame::retrieveExpressionInfo): 8462 (JSC::StackVisitor::Frame::setToEnd): 8463 (JSC::StackVisitor::Frame::print): 8464 (DebugPrintFrameFunctor::operator()): 8465 * interpreter/StackVisitor.h: Copied from Source/JavaScriptCore/interpreter/StackIterator.h. 8466 (JSC::StackVisitor::visit): 8467 * jsc.cpp: 8468 (FunctionJSCStackFunctor::operator()): 8469 * profiler/ProfileGenerator.cpp: 8470 (JSC::AddParentForConsoleStartFunctor::operator()): 8471 * runtime/JSFunction.cpp: 8472 (JSC::RetrieveArgumentsFunctor::operator()): 8473 (JSC::RetrieveCallerFunctionFunctor::operator()): 8474 * runtime/JSGlobalObjectFunctions.cpp: 8475 (JSC::GlobalFuncProtoGetterFunctor::operator()): 8476 (JSC::GlobalFuncProtoSetterFunctor::operator()): 8477 * runtime/ObjectConstructor.cpp: 8478 (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()): 8479 84802013-09-04 Roger Fong <roger_fong@apple.com> 8481 8482 Unreviewed Build fix for Windows DebugSuffix configuration. 8483 8484 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 8485 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 8486 84872013-09-04 Mark Lam <mark.lam@apple.com> 8488 8489 Refining the StackIterator callback interface. 8490 https://bugs.webkit.org/show_bug.cgi?id=120695. 8491 8492 Reviewed by Geoffrey Garen. 8493 8494 Introduce CallFrame::iterate() which instantiates a StackIterator and 8495 invoke its iterate() method with the passed in functor. The only place 8496 where the client code gets access to the StackIterator now is as an 8497 argument to the client's functor. 8498 8499 * API/JSContextRef.cpp: 8500 (JSContextCreateBacktrace): 8501 * interpreter/CallFrame.cpp: 8502 * interpreter/CallFrame.h: 8503 (JSC::ExecState::iterate): 8504 * interpreter/Interpreter.cpp: 8505 (JSC::Interpreter::dumpRegisters): 8506 (JSC::Interpreter::getStackTrace): 8507 (JSC::Interpreter::unwind): 8508 * interpreter/StackIterator.cpp: 8509 (JSC::StackIterator::StackIterator): 8510 (DebugPrintFrameFunctor::DebugPrintFrameFunctor): 8511 (DebugPrintFrameFunctor::operator()): 8512 (debugPrintCallFrame): 8513 (debugPrintStack): 8514 * interpreter/StackIterator.h: 8515 (JSC::StackIterator::iterate): 8516 * jsc.cpp: 8517 (functionJSCStack): 8518 * profiler/ProfileGenerator.cpp: 8519 (JSC::ProfileGenerator::addParentForConsoleStart): 8520 * runtime/JSFunction.cpp: 8521 (JSC::retrieveArguments): 8522 (JSC::RetrieveCallerFunctionFunctor::operator()): 8523 (JSC::retrieveCallerFunction): 8524 * runtime/JSGlobalObjectFunctions.cpp: 8525 (JSC::globalFuncProtoGetter): 8526 (JSC::globalFuncProtoSetter): 8527 * runtime/ObjectConstructor.cpp: 8528 (JSC::objectConstructorGetPrototypeOf): 8529 85302013-09-04 Benjamin Poulain <benjamin@webkit.org> 8531 8532 JSGenericTypedArrayViewConstructor.h is referenced twice in the XCode project build section, causing warnings 8533 https://bugs.webkit.org/show_bug.cgi?id=120698 8534 8535 Reviewed by Darin Adler. 8536 8537 * JavaScriptCore.xcodeproj/project.pbxproj: 8538 85392013-09-04 Mark Hahnenberg <mhahnenberg@apple.com> 8540 8541 ASSERT in MarkedAllocator::allocateSlowCase is wrong 8542 https://bugs.webkit.org/show_bug.cgi?id=120639 8543 8544 Reviewed by Oliver Hunt. 8545 8546 ASSERT(!m_heap->shouldCollect()) is no longer true due to our use of the GC 8547 deferral mechanism. We could technically be beyond our byte allocation limit, 8548 but still not try to collect due to deferral. This patch amends shouldCollect() 8549 to return false if GC is currently deferred. 8550 8551 * heap/Heap.h: 8552 (JSC::Heap::shouldCollect): 8553 85542013-09-03 Filip Pizlo <fpizlo@apple.com> 8555 8556 The DFG should be able to tier-up and OSR enter into the FTL 8557 https://bugs.webkit.org/show_bug.cgi?id=112838 8558 8559 Reviewed by Mark Hahnenberg. 8560 8561 This adds the ability for the DFG to tier-up into the FTL. This works in both 8562 of the expected tier-up modes: 8563 8564 Replacement: frequently called functions eventually have their entrypoint 8565 replaced with one that goes into FTL-compiled code. Note, this will be a 8566 slow-down for now since we don't yet have LLVM calling convention integration. 8567 8568 OSR entry: code stuck in hot loops gets OSR'd into the FTL from the DFG. 8569 8570 This means that if the DFG detects that a function is an FTL candidate, it 8571 inserts execution counting code similar to the kind that the baseline JIT 8572 would use. If you trip on a loop count in a loop header that is an OSR 8573 candidate (it's not an inlined loop), we do OSR; otherwise we do replacement. 8574 OSR almost always also implies future replacement. 8575 8576 OSR entry into the FTL is really cool. It uses a specialized FTL compile of 8577 the code, where early in the DFG pipeline we replace the original root block 8578 with an OSR entrypoint block that jumps to the pre-header of the hot loop. 8579 The OSR entrypoint loads all live state at the loop pre-header using loads 8580 from a scratch buffer, which gets populated by the runtime's OSR entry 8581 preparation code (FTL::prepareOSREntry()). This approach appears to work well 8582 with all of our subsequent optimizations, including prediction propagation, 8583 CFA, and LICM. LLVM seems happy with it, too. Best of all, it works naturally 8584 with concurrent compilation: when we hit the tier-up trigger we spawn a 8585 compilation plan at the bytecode index from which we triggered; once the 8586 compilation finishes the next trigger will try to enter, at that bytecode 8587 index. If it can't - for example because the code has moved on to another 8588 loop - then we just try again. Loops that get hot enough for OSR entry (about 8589 25,000 iterations) will probably still be running when a concurrent compile 8590 finishes, so this doesn't appear to be a big problem. 8591 8592 This immediately gives us a 70% speed-up on imaging-gaussian-blur. We could 8593 get a bigger speed-up by adding some more intelligence and tweaking LLVM to 8594 compile code faster. Those things will happen eventually but this is a good 8595 start. Probably this code will see more tuning as we get more coverage in the 8596 FTL JIT, but I'll worry about that in future patches. 8597 8598 * CMakeLists.txt: 8599 * GNUmakefile.list.am: 8600 * JavaScriptCore.xcodeproj/project.pbxproj: 8601 * Target.pri: 8602 * bytecode/CodeBlock.cpp: 8603 (JSC::CodeBlock::CodeBlock): 8604 (JSC::CodeBlock::hasOptimizedReplacement): 8605 (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult): 8606 * bytecode/CodeBlock.h: 8607 * dfg/DFGAbstractInterpreterInlines.h: 8608 (JSC::DFG::::executeEffects): 8609 * dfg/DFGByteCodeParser.cpp: 8610 (JSC::DFG::ByteCodeParser::parseBlock): 8611 (JSC::DFG::ByteCodeParser::parse): 8612 * dfg/DFGCFGSimplificationPhase.cpp: 8613 (JSC::DFG::CFGSimplificationPhase::run): 8614 * dfg/DFGClobberize.h: 8615 (JSC::DFG::clobberize): 8616 * dfg/DFGDriver.cpp: 8617 (JSC::DFG::compileImpl): 8618 (JSC::DFG::compile): 8619 * dfg/DFGDriver.h: 8620 * dfg/DFGFixupPhase.cpp: 8621 (JSC::DFG::FixupPhase::fixupNode): 8622 * dfg/DFGGraph.cpp: 8623 (JSC::DFG::Graph::dump): 8624 (JSC::DFG::Graph::killBlockAndItsContents): 8625 (JSC::DFG::Graph::killUnreachableBlocks): 8626 * dfg/DFGGraph.h: 8627 * dfg/DFGInPlaceAbstractState.cpp: 8628 (JSC::DFG::InPlaceAbstractState::initialize): 8629 * dfg/DFGJITCode.cpp: 8630 (JSC::DFG::JITCode::reconstruct): 8631 (JSC::DFG::JITCode::checkIfOptimizationThresholdReached): 8632 (JSC::DFG::JITCode::optimizeNextInvocation): 8633 (JSC::DFG::JITCode::dontOptimizeAnytimeSoon): 8634 (JSC::DFG::JITCode::optimizeAfterWarmUp): 8635 (JSC::DFG::JITCode::optimizeSoon): 8636 (JSC::DFG::JITCode::forceOptimizationSlowPathConcurrently): 8637 (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult): 8638 * dfg/DFGJITCode.h: 8639 * dfg/DFGJITFinalizer.cpp: 8640 (JSC::DFG::JITFinalizer::finalize): 8641 (JSC::DFG::JITFinalizer::finalizeFunction): 8642 (JSC::DFG::JITFinalizer::finalizeCommon): 8643 * dfg/DFGLoopPreHeaderCreationPhase.cpp: 8644 (JSC::DFG::createPreHeader): 8645 (JSC::DFG::LoopPreHeaderCreationPhase::run): 8646 * dfg/DFGLoopPreHeaderCreationPhase.h: 8647 * dfg/DFGNode.h: 8648 (JSC::DFG::Node::hasUnlinkedLocal): 8649 (JSC::DFG::Node::unlinkedLocal): 8650 * dfg/DFGNodeType.h: 8651 * dfg/DFGOSREntry.cpp: 8652 (JSC::DFG::prepareOSREntry): 8653 * dfg/DFGOSREntrypointCreationPhase.cpp: Added. 8654 (JSC::DFG::OSREntrypointCreationPhase::OSREntrypointCreationPhase): 8655 (JSC::DFG::OSREntrypointCreationPhase::run): 8656 (JSC::DFG::performOSREntrypointCreation): 8657 * dfg/DFGOSREntrypointCreationPhase.h: Added. 8658 * dfg/DFGOperations.cpp: 8659 * dfg/DFGOperations.h: 8660 * dfg/DFGPlan.cpp: 8661 (JSC::DFG::Plan::Plan): 8662 (JSC::DFG::Plan::compileInThread): 8663 (JSC::DFG::Plan::compileInThreadImpl): 8664 * dfg/DFGPlan.h: 8665 * dfg/DFGPredictionInjectionPhase.cpp: 8666 (JSC::DFG::PredictionInjectionPhase::run): 8667 * dfg/DFGPredictionPropagationPhase.cpp: 8668 (JSC::DFG::PredictionPropagationPhase::propagate): 8669 * dfg/DFGSafeToExecute.h: 8670 (JSC::DFG::safeToExecute): 8671 * dfg/DFGSpeculativeJIT32_64.cpp: 8672 (JSC::DFG::SpeculativeJIT::compile): 8673 * dfg/DFGSpeculativeJIT64.cpp: 8674 (JSC::DFG::SpeculativeJIT::compile): 8675 * dfg/DFGTierUpCheckInjectionPhase.cpp: Added. 8676 (JSC::DFG::TierUpCheckInjectionPhase::TierUpCheckInjectionPhase): 8677 (JSC::DFG::TierUpCheckInjectionPhase::run): 8678 (JSC::DFG::performTierUpCheckInjection): 8679 * dfg/DFGTierUpCheckInjectionPhase.h: Added. 8680 * dfg/DFGToFTLDeferredCompilationCallback.cpp: Added. 8681 (JSC::DFG::ToFTLDeferredCompilationCallback::ToFTLDeferredCompilationCallback): 8682 (JSC::DFG::ToFTLDeferredCompilationCallback::~ToFTLDeferredCompilationCallback): 8683 (JSC::DFG::ToFTLDeferredCompilationCallback::create): 8684 (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously): 8685 (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete): 8686 * dfg/DFGToFTLDeferredCompilationCallback.h: Added. 8687 * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp: Added. 8688 (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::ToFTLForOSREntryDeferredCompilationCallback): 8689 (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::~ToFTLForOSREntryDeferredCompilationCallback): 8690 (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::create): 8691 (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously): 8692 (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete): 8693 * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h: Added. 8694 * dfg/DFGWorklist.cpp: 8695 (JSC::DFG::globalWorklist): 8696 * dfg/DFGWorklist.h: 8697 * ftl/FTLCapabilities.cpp: 8698 (JSC::FTL::canCompile): 8699 * ftl/FTLCapabilities.h: 8700 * ftl/FTLForOSREntryJITCode.cpp: Added. 8701 (JSC::FTL::ForOSREntryJITCode::ForOSREntryJITCode): 8702 (JSC::FTL::ForOSREntryJITCode::~ForOSREntryJITCode): 8703 (JSC::FTL::ForOSREntryJITCode::ftlForOSREntry): 8704 (JSC::FTL::ForOSREntryJITCode::initializeEntryBuffer): 8705 * ftl/FTLForOSREntryJITCode.h: Added. 8706 (JSC::FTL::ForOSREntryJITCode::entryBuffer): 8707 (JSC::FTL::ForOSREntryJITCode::setBytecodeIndex): 8708 (JSC::FTL::ForOSREntryJITCode::bytecodeIndex): 8709 (JSC::FTL::ForOSREntryJITCode::countEntryFailure): 8710 (JSC::FTL::ForOSREntryJITCode::entryFailureCount): 8711 * ftl/FTLJITFinalizer.cpp: 8712 (JSC::FTL::JITFinalizer::finalizeFunction): 8713 * ftl/FTLLink.cpp: 8714 (JSC::FTL::link): 8715 * ftl/FTLLowerDFGToLLVM.cpp: 8716 (JSC::FTL::LowerDFGToLLVM::compileBlock): 8717 (JSC::FTL::LowerDFGToLLVM::compileNode): 8718 (JSC::FTL::LowerDFGToLLVM::compileExtractOSREntryLocal): 8719 (JSC::FTL::LowerDFGToLLVM::compileGetLocal): 8720 (JSC::FTL::LowerDFGToLLVM::addWeakReference): 8721 * ftl/FTLOSREntry.cpp: Added. 8722 (JSC::FTL::prepareOSREntry): 8723 * ftl/FTLOSREntry.h: Added. 8724 * ftl/FTLOutput.h: 8725 (JSC::FTL::Output::crashNonTerminal): 8726 (JSC::FTL::Output::crash): 8727 * ftl/FTLState.cpp: 8728 (JSC::FTL::State::State): 8729 * interpreter/Register.h: 8730 (JSC::Register::unboxedDouble): 8731 * jit/JIT.cpp: 8732 (JSC::JIT::emitEnterOptimizationCheck): 8733 * jit/JITCode.cpp: 8734 (JSC::JITCode::ftlForOSREntry): 8735 * jit/JITCode.h: 8736 * jit/JITStubs.cpp: 8737 (JSC::DEFINE_STUB_FUNCTION): 8738 * runtime/Executable.cpp: 8739 (JSC::ScriptExecutable::newReplacementCodeBlockFor): 8740 * runtime/Options.h: 8741 * runtime/VM.cpp: 8742 (JSC::VM::ensureWorklist): 8743 * runtime/VM.h: 8744 87452013-09-03 Filip Pizlo <fpizlo@apple.com> 8746 8747 CodeBlock memory cost reporting should be rationalized 8748 https://bugs.webkit.org/show_bug.cgi?id=120615 8749 8750 Reviewed by Darin Adler. 8751 8752 Report the size of the instruction stream, and then remind the GC that we're 8753 using memory when we trace. 8754 8755 This is a slight slow-down on some JSBench tests because it makes us GC a 8756 bit more frequently. But I think it's well worth it; if we really want those 8757 tests to GC less frequently then we can achieve that through other kinds of 8758 tuning. It's better that the GC knows that CodeBlocks do in fact use memory; 8759 what it does with that information is a somewhat orthogonal question. 8760 8761 * bytecode/CodeBlock.cpp: 8762 (JSC::CodeBlock::CodeBlock): 8763 (JSC::CodeBlock::visitAggregate): 8764 87652013-09-03 Mark Lam <mark.lam@apple.com> 8766 8767 Converting StackIterator to a callback interface. 8768 https://bugs.webkit.org/show_bug.cgi?id=120564. 8769 8770 Reviewed by Filip Pizlo. 8771 8772 * API/JSContextRef.cpp: 8773 (BacktraceFunctor::BacktraceFunctor): 8774 (BacktraceFunctor::operator()): 8775 (JSContextCreateBacktrace): 8776 * interpreter/CallFrame.cpp: 8777 * interpreter/CallFrame.h: 8778 * interpreter/Interpreter.cpp: 8779 (JSC::DumpRegisterFunctor::DumpRegisterFunctor): 8780 (JSC::DumpRegisterFunctor::operator()): 8781 (JSC::Interpreter::dumpRegisters): 8782 (JSC::unwindCallFrame): 8783 (JSC::GetStackTraceFunctor::GetStackTraceFunctor): 8784 (JSC::GetStackTraceFunctor::operator()): 8785 (JSC::Interpreter::getStackTrace): 8786 (JSC::Interpreter::stackTraceAsString): 8787 (JSC::UnwindFunctor::UnwindFunctor): 8788 (JSC::UnwindFunctor::operator()): 8789 (JSC::Interpreter::unwind): 8790 * interpreter/Interpreter.h: 8791 * interpreter/StackIterator.cpp: 8792 (JSC::StackIterator::numberOfFrames): 8793 (JSC::StackIterator::gotoFrameAtIndex): 8794 (JSC::StackIterator::gotoNextFrameWithFilter): 8795 (JSC::StackIterator::resetIterator): 8796 (JSC::StackIterator::Frame::print): 8797 (debugPrintCallFrame): 8798 (DebugPrintStackFunctor::operator()): 8799 (debugPrintStack): Added for debugging convenience. 8800 * interpreter/StackIterator.h: 8801 (JSC::StackIterator::Frame::index): 8802 (JSC::StackIterator::iterate): 8803 * jsc.cpp: 8804 (FunctionJSCStackFunctor::FunctionJSCStackFunctor): 8805 (FunctionJSCStackFunctor::operator()): 8806 (functionJSCStack): 8807 * profiler/ProfileGenerator.cpp: 8808 (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor): 8809 (JSC::AddParentForConsoleStartFunctor::foundParent): 8810 (JSC::AddParentForConsoleStartFunctor::operator()): 8811 (JSC::ProfileGenerator::addParentForConsoleStart): 8812 * runtime/JSFunction.cpp: 8813 (JSC::RetrieveArgumentsFunctor::RetrieveArgumentsFunctor): 8814 (JSC::RetrieveArgumentsFunctor::result): 8815 (JSC::RetrieveArgumentsFunctor::operator()): 8816 (JSC::retrieveArguments): 8817 (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor): 8818 (JSC::RetrieveCallerFunctionFunctor::result): 8819 (JSC::RetrieveCallerFunctionFunctor::operator()): 8820 (JSC::retrieveCallerFunction): 8821 * runtime/JSGlobalObjectFunctions.cpp: 8822 (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor): 8823 (JSC::GlobalFuncProtoGetterFunctor::result): 8824 (JSC::GlobalFuncProtoGetterFunctor::operator()): 8825 (JSC::globalFuncProtoGetter): 8826 (JSC::GlobalFuncProtoSetterFunctor::GlobalFuncProtoSetterFunctor): 8827 (JSC::GlobalFuncProtoSetterFunctor::allowsAccess): 8828 (JSC::GlobalFuncProtoSetterFunctor::operator()): 8829 (JSC::globalFuncProtoSetter): 8830 * runtime/ObjectConstructor.cpp: 8831 (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor): 8832 (JSC::ObjectConstructorGetPrototypeOfFunctor::result): 8833 (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()): 8834 (JSC::objectConstructorGetPrototypeOf): 8835 88362013-09-03 Oliver Hunt <oliver@apple.com> 8837 8838 Support structured clone of Map and Set 8839 https://bugs.webkit.org/show_bug.cgi?id=120654 8840 8841 Reviewed by Simon Fraser. 8842 8843 Make xcode copy the required headers, and add appropriate export attributes 8844 8845 * JavaScriptCore.xcodeproj/project.pbxproj: 8846 * runtime/JSMap.h: 8847 * runtime/JSSet.h: 8848 * runtime/MapData.h: 8849 88502013-09-02 Ryosuke Niwa <rniwa@webkit.org> 8851 8852 Support the "json" responseType and JSON response entity in XHR 8853 https://bugs.webkit.org/show_bug.cgi?id=73648 8854 8855 Reviewed by Oliver Hunt. 8856 8857 Based on the patch written by Jarred Nicholls. 8858 8859 Add JSC::JSONParse. This function will be used in XMLHttpRequest.response of type 'json'. 8860 8861 * JavaScriptCore.xcodeproj/project.pbxproj: 8862 * runtime/JSONObject.cpp: 8863 (JSC::JSONParse): 8864 * runtime/JSONObject.h: 8865 88662013-09-02 Filip Pizlo <fpizlo@apple.com> 8867 8868 CodeBlock::jettison() should be implicit 8869 https://bugs.webkit.org/show_bug.cgi?id=120567 8870 8871 Reviewed by Oliver Hunt. 8872 8873 This is a risky change from a performance standpoint, but I believe it's 8874 necessary. This makes all CodeBlocks get swept by GC. Nobody but the GC 8875 can delete CodeBlocks because the GC always holds a reference to them. 8876 Once a CodeBlock reaches just one reference (i.e. the one from the GC) 8877 then the GC will free it only if it's not on the stack. 8878 8879 This allows me to get rid of the jettisoning logic. We need this for FTL 8880 tier-up. Well; we don't need it, but it will help prevent a lot of bugs. 8881 Previously, if you wanted to to replace one code block with another, you 8882 had to remember to tell the GC that the previous code block is 8883 "jettisoned". We would need to do this when tiering up from DFG to FTL 8884 and when dealing with DFG-to-FTL OSR entry code blocks. There are a lot 8885 of permutations here - tiering up to the FTL, OSR entering into the FTL, 8886 deciding that an OSR entry code block is not relevant anymore - just to 8887 name a few. In each of these cases we'd have to jettison the previous 8888 code block. It smells like a huge source of future bugs. 8889 8890 So I made jettisoning implicit by making the GC always watch out for a 8891 CodeBlock being owned solely by the GC. 8892 8893 This change is performance neutral. 8894 8895 * CMakeLists.txt: 8896 * GNUmakefile.list.am: 8897 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 8898 * JavaScriptCore.xcodeproj/project.pbxproj: 8899 * Target.pri: 8900 * bytecode/CodeBlock.cpp: 8901 (JSC::CodeBlock::CodeBlock): 8902 (JSC::CodeBlock::~CodeBlock): 8903 (JSC::CodeBlock::visitAggregate): 8904 (JSC::CodeBlock::jettison): 8905 * bytecode/CodeBlock.h: 8906 (JSC::CodeBlock::setJITCode): 8907 (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): 8908 (JSC::CodeBlockSet::mark): 8909 * dfg/DFGCommonData.h: 8910 (JSC::DFG::CommonData::CommonData): 8911 * heap/CodeBlockSet.cpp: Added. 8912 (JSC::CodeBlockSet::CodeBlockSet): 8913 (JSC::CodeBlockSet::~CodeBlockSet): 8914 (JSC::CodeBlockSet::add): 8915 (JSC::CodeBlockSet::clearMarks): 8916 (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): 8917 (JSC::CodeBlockSet::traceMarked): 8918 * heap/CodeBlockSet.h: Added. 8919 * heap/ConservativeRoots.cpp: 8920 (JSC::ConservativeRoots::add): 8921 * heap/ConservativeRoots.h: 8922 * heap/DFGCodeBlocks.cpp: Removed. 8923 * heap/DFGCodeBlocks.h: Removed. 8924 * heap/Heap.cpp: 8925 (JSC::Heap::markRoots): 8926 (JSC::Heap::deleteAllCompiledCode): 8927 (JSC::Heap::deleteUnmarkedCompiledCode): 8928 * heap/Heap.h: 8929 * interpreter/JSStack.cpp: 8930 (JSC::JSStack::gatherConservativeRoots): 8931 * interpreter/JSStack.h: 8932 * runtime/Executable.cpp: 8933 (JSC::ScriptExecutable::installCode): 8934 * runtime/Executable.h: 8935 * runtime/VM.h: 8936 89372013-09-02 Darin Adler <darin@apple.com> 8938 8939 [Mac] No need for HardAutorelease, which is same as CFBridgingRelease 8940 https://bugs.webkit.org/show_bug.cgi?id=120569 8941 8942 Reviewed by Andy Estes. 8943 8944 * API/JSValue.mm: 8945 (valueToString): Use CFBridgingRelease. 8946 89472013-08-30 Filip Pizlo <fpizlo@apple.com> 8948 8949 CodeBlock refactoring broke profile dumping 8950 https://bugs.webkit.org/show_bug.cgi?id=120551 8951 8952 Reviewed by Michael Saboff. 8953 8954 Fix the bug, and did a big clean-up of how Executable returns CodeBlocks. A lot 8955 of the problems we have with code like CodeBlock::baselineVersion() is that we 8956 were trying *way too hard* to side-step the fact that Executable can't return a 8957 CodeBlock*. Previously it could only return CodeBlock&, so if it didn't have a 8958 CodeBlock yet, you were screwed. And if you didn't know, or weren't sure, if it 8959 did have a CodeBlock, you were really going to have a bad time. Also it really 8960 bugs me that the methods were called generatedBytecode(). In all other contexts 8961 if you ask for a CodeBlock, then method to call is codeBlock(). So I made all 8962 of those changes. 8963 8964 * bytecode/CodeBlock.cpp: 8965 (JSC::CodeBlock::baselineVersion): 8966 (JSC::ProgramCodeBlock::replacement): 8967 (JSC::EvalCodeBlock::replacement): 8968 (JSC::FunctionCodeBlock::replacement): 8969 (JSC::CodeBlock::globalObjectFor): 8970 * bytecode/CodeOrigin.cpp: 8971 (JSC::InlineCallFrame::hash): 8972 * dfg/DFGOperations.cpp: 8973 * interpreter/Interpreter.cpp: 8974 (JSC::Interpreter::execute): 8975 (JSC::Interpreter::executeCall): 8976 (JSC::Interpreter::executeConstruct): 8977 (JSC::Interpreter::prepareForRepeatCall): 8978 * jit/JITCode.h: 8979 (JSC::JITCode::isExecutableScript): 8980 (JSC::JITCode::isLowerTier): 8981 * jit/JITStubs.cpp: 8982 (JSC::lazyLinkFor): 8983 (JSC::DEFINE_STUB_FUNCTION): 8984 * llint/LLIntSlowPaths.cpp: 8985 (JSC::LLInt::traceFunctionPrologue): 8986 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 8987 (JSC::LLInt::setUpCall): 8988 * runtime/ArrayPrototype.cpp: 8989 (JSC::isNumericCompareFunction): 8990 * runtime/CommonSlowPaths.h: 8991 (JSC::CommonSlowPaths::arityCheckFor): 8992 * runtime/Executable.cpp: 8993 (JSC::ScriptExecutable::installCode): 8994 * runtime/Executable.h: 8995 (JSC::EvalExecutable::codeBlock): 8996 (JSC::ProgramExecutable::codeBlock): 8997 (JSC::FunctionExecutable::eitherCodeBlock): 8998 (JSC::FunctionExecutable::codeBlockForCall): 8999 (JSC::FunctionExecutable::codeBlockForConstruct): 9000 (JSC::FunctionExecutable::codeBlockFor): 9001 * runtime/FunctionExecutableDump.cpp: 9002 (JSC::FunctionExecutableDump::dump): 9003 90042013-08-30 Oliver Hunt <oliver@apple.com> 9005 9006 Implement ES6 Set class 9007 https://bugs.webkit.org/show_bug.cgi?id=120549 9008 9009 Reviewed by Filip Pizlo. 9010 9011 We simply reuse the MapData type from JSMap making the 9012 it much simpler. 9013 9014 * JavaScriptCore.xcodeproj/project.pbxproj: 9015 * runtime/CommonIdentifiers.h: 9016 * runtime/JSGlobalObject.cpp: 9017 (JSC::JSGlobalObject::reset): 9018 (JSC::JSGlobalObject::visitChildren): 9019 * runtime/JSGlobalObject.h: 9020 (JSC::JSGlobalObject::setStructure): 9021 * runtime/JSSet.cpp: Added. 9022 (JSC::JSSet::visitChildren): 9023 (JSC::JSSet::finishCreation): 9024 * runtime/JSSet.h: Added. 9025 (JSC::JSSet::createStructure): 9026 (JSC::JSSet::create): 9027 (JSC::JSSet::mapData): 9028 (JSC::JSSet::JSSet): 9029 * runtime/SetConstructor.cpp: Added. 9030 (JSC::SetConstructor::finishCreation): 9031 (JSC::callSet): 9032 (JSC::constructSet): 9033 (JSC::SetConstructor::getConstructData): 9034 (JSC::SetConstructor::getCallData): 9035 * runtime/SetConstructor.h: Added. 9036 (JSC::SetConstructor::create): 9037 (JSC::SetConstructor::createStructure): 9038 (JSC::SetConstructor::SetConstructor): 9039 * runtime/SetPrototype.cpp: Added. 9040 (JSC::SetPrototype::finishCreation): 9041 (JSC::getMapData): 9042 (JSC::setProtoFuncAdd): 9043 (JSC::setProtoFuncClear): 9044 (JSC::setProtoFuncDelete): 9045 (JSC::setProtoFuncForEach): 9046 (JSC::setProtoFuncHas): 9047 (JSC::setProtoFuncSize): 9048 * runtime/SetPrototype.h: Added. 9049 (JSC::SetPrototype::create): 9050 (JSC::SetPrototype::createStructure): 9051 (JSC::SetPrototype::SetPrototype): 9052 90532013-08-30 Oliver Hunt <oliver@apple.com> 9054 9055 Make JSValue bool conversion less dangerous 9056 https://bugs.webkit.org/show_bug.cgi?id=120505 9057 9058 Reviewed by Darin Adler. 9059 9060 Replaces JSValue::operator bool() with a operator UnspecifiedBoolType* as 9061 we do elsewhere. Then fix the places where terrible type coercion was 9062 happening. All of the changes made had no fundamental behavioural impact 9063 as they were coercion results that were ignored (returning undefined 9064 after an exception). 9065 9066 * dfg/DFGOperations.cpp: 9067 * interpreter/CallFrame.h: 9068 (JSC::ExecState::hadException): 9069 * runtime/JSCJSValue.h: 9070 * runtime/JSCJSValueInlines.h: 9071 (JSC::JSValue::operator UnspecifiedBoolType*): 9072 * runtime/JSGlobalObjectFunctions.cpp: 9073 (JSC::globalFuncEval): 9074 * runtime/PropertyDescriptor.cpp: 9075 (JSC::PropertyDescriptor::equalTo) 9076 90772013-08-30 Chris Curtis <chris_curtis@apple.com> 9078 9079 Cleaning errorDescriptionForValue after r154839 9080 https://bugs.webkit.org/show_bug.cgi?id=120531 9081 9082 Reviewed by Darin Adler. 9083 9084 Changed the assert to ASSERT_NOT_REACHED, now that r154839 has landed. errorDescriptionForValue 9085 can assert again that the parameterized JSValue is !isEmpty(). 9086 9087 * runtime/ExceptionHelpers.cpp: 9088 (JSC::errorDescriptionForValue): 9089 90902013-08-30 Antti Koivisto <antti@apple.com> 9091 9092 Remove code behind ENABLE(DIALOG_ELEMENT) 9093 https://bugs.webkit.org/show_bug.cgi?id=120467 9094 9095 Reviewed by Darin Adler. 9096 9097 * Configurations/FeatureDefines.xcconfig: 9098 90992013-08-29 Andreas Kling <akling@apple.com> 9100 9101 De-bork Qt build. 9102 9103 * Target.pri: 9104 91052013-08-29 Ryuan Choi <ryuan.choi@samsung.com> 9106 9107 Unreviewed build fix attempt for Windows. 9108 9109 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 9110 Renamed JSMapConstructor and JSMapPrototype. 9111 91122013-08-29 Ryuan Choi <ryuan.choi@samsung.com> 9113 9114 Fix build break after r154861 9115 https://bugs.webkit.org/show_bug.cgi?id=120503 9116 9117 Reviewed by Geoffrey Garen. 9118 9119 Unreviewed build fix attempt for GTK, Qt Windows and CMake based ports. 9120 9121 * CMakeLists.txt: 9122 * GNUmakefile.list.am: 9123 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 9124 * Target.pri: 9125 * runtime/MapData.h: 9126 (JSC::MapData::KeyType::KeyType): 9127 91282013-08-29 Andreas Kling <akling@apple.com> 9129 9130 CodeBlock: LLIntCallLinkInfo vector can be sized-to-fit at creation. 9131 <https://webkit.org/b/120487> 9132 9133 Reviewed by Oliver Hunt. 9134 9135 CodeBlock::m_llintCallLinkInfos never changes size after creation, so make it a Vector 9136 instead of a SegmentedVector. Use resizeToFit() instead of grow() since we know the 9137 exact amount of space needed. 9138 9139 * bytecode/CodeBlock.h: 9140 * bytecode/CodeBlock.cpp: 9141 (JSC::CodeBlock::CodeBlock): 9142 (JSC::CodeBlock::shrinkToFit): 9143 91442013-08-29 Oliver Hunt <oliver@apple.com> 9145 9146 Fix issues found by MSVC (which also happily fixes an unintentional pessimisation) 9147 9148 * runtime/MapData.h: 9149 (JSC::MapData::KeyType::KeyType): 9150 91512013-08-29 Oliver Hunt <oliver@apple.com> 9152 9153 9154 Implement ES6 Map object 9155 https://bugs.webkit.org/show_bug.cgi?id=120333 9156 9157 Reviewed by Geoffrey Garen. 9158 9159 Implement support for the ES6 Map type and related classes. 9160 9161 * JavaScriptCore.xcodeproj/project.pbxproj: 9162 * heap/CopyToken.h: Add a new token to track copying the backing store 9163 * runtime/CommonIdentifiers.h: Add new identifiers 9164 * runtime/JSGlobalObject.cpp: 9165 * runtime/JSGlobalObject.h: 9166 Add new structures and prototypes 9167 9168 * runtime/JSMap.cpp: Added. 9169 * runtime/JSMap.h: Added. 9170 New JSMap class to represent a Map instance 9171 9172 * runtime/MapConstructor.cpp: Added. 9173 * runtime/MapConstructor.h: Added. 9174 The Map constructor 9175 9176 * runtime/MapData.cpp: Added. 9177 * runtime/MapData.h: Added. 9178 The most interesting data structure. The roughly corresponds 9179 to the ES6 notion of MapData. It provides the core JSValue->JSValue 9180 map implementation. We implement it using 2 hashtables and a flat 9181 table. Due to the different semantics of string comparisons vs. 9182 all others we need have one map keyed by String and the other by 9183 generic JSValue. The actual table is represented more or less 9184 exactly as described in the ES6 draft - a single contiguous list of 9185 key/value pairs. The entire map could be achieved with just this 9186 table, however we need the HashMaps in order to maintain O(1) lookup. 9187 9188 Deleted values are simply cleared as the draft says, however the 9189 implementation compacts the storage on copy as long as the are no 9190 active iterators. 9191 9192 * runtime/MapPrototype.cpp: Added. 9193 * runtime/MapPrototype.h: Added. 9194 Implement Map prototype functions 9195 9196 * runtime/VM.cpp: 9197 Add new structures. 9198 91992013-08-29 Filip Pizlo <fpizlo@apple.com> 9200 9201 Teach DFG::Worklist and its clients that it may be reused for different kinds of compilations 9202 https://bugs.webkit.org/show_bug.cgi?id=120489 9203 9204 Reviewed by Geoffrey Garen. 9205 9206 If the baseline JIT hits an OSR entry trigger into the DFG and we already have a 9207 DFG compilation but we've also started one or more FTL compilations, then we 9208 shouldn't get confused. Previously we would have gotten confused because we would 9209 see an in-process deferred compile (the FTL compile) and also an optimized 9210 replacement (the DFG code). 9211 9212 If the baseline JIT hits an OSR entry trigger into the DFG and we previously 9213 did two things in this order: triggered a tier-up compilation from the DFG into 9214 the FTL, and then jettisoned the DFG code because it exited a bunch, then we 9215 shouldn't be confused by the presence of an in-process deferred compile (the FTL 9216 compile). Previously we would have waited for that compile to finish; but the more 9217 sensible thing to do is to let it complete and then invalidate it, while at the 9218 same time enqueueing a DFG compile to create a new, more valid, DFG code block. 9219 9220 If the DFG JIT hits a loop OSR entry trigger (into the FTL) and it has already 9221 triggered an FTL compile for replacement, then it should fire off a second compile 9222 instead of thinking that it can wait for that one to finish. Or vice-versa. We 9223 need to allow for two FTL compiles to be enqueued at the same time (one for 9224 replacement and one for OSR entry in a loop). 9225 9226 Then there's also the problem that DFG::compile() is almost certainly going to be 9227 the hook for triggering both DFG compiles and the two kinds of FTL compiles, but 9228 right now there is no way to tell it which one you want. 9229 9230 This fixes these problems and removes a bunch of potential confusion by making the 9231 key for a compile in the DFG::Worklist be a CompilationMode (one of DFGMode, 9232 FTLMode, or FTLForOSREntryMode). That mode is also passed to DFG::compile(). 9233 9234 Awkwardly, this still leaves us in a no DFG->FTL tier-up situation - so 9235 DFG::compile() is always passed DFGMode and then it might do an FTL compile if 9236 possible. Fixing that is a bigger issue for a later changeset. 9237 9238 * CMakeLists.txt: 9239 * GNUmakefile.list.am: 9240 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 9241 * JavaScriptCore.xcodeproj/project.pbxproj: 9242 * Target.pri: 9243 * bytecode/CodeBlock.cpp: 9244 (JSC::CodeBlock::checkIfOptimizationThresholdReached): 9245 * dfg/DFGCompilationKey.cpp: Added. 9246 (JSC::DFG::CompilationKey::dump): 9247 * dfg/DFGCompilationKey.h: Added. 9248 (JSC::DFG::CompilationKey::CompilationKey): 9249 (JSC::DFG::CompilationKey::operator!): 9250 (JSC::DFG::CompilationKey::isHashTableDeletedValue): 9251 (JSC::DFG::CompilationKey::profiledBlock): 9252 (JSC::DFG::CompilationKey::mode): 9253 (JSC::DFG::CompilationKey::operator==): 9254 (JSC::DFG::CompilationKey::hash): 9255 (JSC::DFG::CompilationKeyHash::hash): 9256 (JSC::DFG::CompilationKeyHash::equal): 9257 * dfg/DFGCompilationMode.cpp: Added. 9258 (WTF::printInternal): 9259 * dfg/DFGCompilationMode.h: Added. 9260 * dfg/DFGDriver.cpp: 9261 (JSC::DFG::compileImpl): 9262 (JSC::DFG::compile): 9263 * dfg/DFGDriver.h: 9264 * dfg/DFGPlan.cpp: 9265 (JSC::DFG::Plan::Plan): 9266 (JSC::DFG::Plan::key): 9267 * dfg/DFGPlan.h: 9268 * dfg/DFGWorklist.cpp: 9269 (JSC::DFG::Worklist::enqueue): 9270 (JSC::DFG::Worklist::compilationState): 9271 (JSC::DFG::Worklist::completeAllReadyPlansForVM): 9272 (JSC::DFG::Worklist::runThread): 9273 * dfg/DFGWorklist.h: 9274 * jit/JITStubs.cpp: 9275 (JSC::DEFINE_STUB_FUNCTION): 9276 92772013-08-29 Brent Fulgham <bfulgham@apple.com> 9278 9279 [Windows] Unreviewed build fix after r154847. 9280 If you are going to exclude promises, actually exclude the build components. 9281 9282 * interpreter/CallFrame.h: Exclude promise declarations 9283 * runtime/JSGlobalObject.cpp: 9284 (JSC::JSGlobalObject::reset): Exclude promise code. 9285 (JSC::JSGlobalObject::visitChildren): Ditto. 9286 * runtime/VM.cpp: Ditto. 9287 (JSC::VM::VM): 9288 (JSC::VM::~VM): 9289 * runtime/VM.h: 9290 92912013-08-29 Sam Weinig <sam@webkit.org> 9292 9293 Add ENABLE guards for Promises 9294 https://bugs.webkit.org/show_bug.cgi?id=120488 9295 9296 Reviewed by Andreas Kling. 9297 9298 * Configurations/FeatureDefines.xcconfig: 9299 * runtime/JSGlobalObject.cpp: 9300 * runtime/JSGlobalObject.h: 9301 * runtime/JSPromise.cpp: 9302 * runtime/JSPromise.h: 9303 * runtime/JSPromiseCallback.cpp: 9304 * runtime/JSPromiseCallback.h: 9305 * runtime/JSPromiseConstructor.cpp: 9306 * runtime/JSPromiseConstructor.h: 9307 * runtime/JSPromisePrototype.cpp: 9308 * runtime/JSPromisePrototype.h: 9309 * runtime/JSPromiseResolver.cpp: 9310 * runtime/JSPromiseResolver.h: 9311 * runtime/JSPromiseResolverConstructor.cpp: 9312 * runtime/JSPromiseResolverConstructor.h: 9313 * runtime/JSPromiseResolverPrototype.cpp: 9314 * runtime/JSPromiseResolverPrototype.h: 9315 93162013-08-29 Filip Pizlo <fpizlo@apple.com> 9317 9318 Unreviewed, fix FTL build. 9319 9320 * ftl/FTLLowerDFGToLLVM.cpp: 9321 (JSC::FTL::LowerDFGToLLVM::callCheck): 9322 93232013-08-29 Julien Brianceau <jbriance@cisco.com> 9324 9325 REGRESSION(r153222, 32-bit): NULL JSValue() seen when running peacekeeper benchmark. 9326 https://bugs.webkit.org/show_bug.cgi?id=120080 9327 9328 Reviewed by Michael Saboff. 9329 9330 * jit/JITOpcodes32_64.cpp: 9331 (JSC::JIT::emitSlow_op_get_argument_by_val): Revert changes introduced by r153222 in this function. 9332 93332013-08-29 Filip Pizlo <fpizlo@apple.com> 9334 9335 Kill code that became dead after http://trac.webkit.org/changeset/154833 9336 9337 Rubber stamped by Oliver Hunt. 9338 9339 * dfg/DFGDriver.h: 9340 93412013-08-29 Filip Pizlo <fpizlo@apple.com> 9342 9343 CodeBlock's magic for scaling tier-up thresholds should be more reusable 9344 https://bugs.webkit.org/show_bug.cgi?id=120486 9345 9346 Reviewed by Oliver Hunt. 9347 9348 Removed the counterValueForBlah() methods and exposed the reusable scaling logic 9349 as a adjustedCounterValue() method. 9350 9351 * bytecode/CodeBlock.cpp: 9352 (JSC::CodeBlock::adjustedCounterValue): 9353 (JSC::CodeBlock::optimizeAfterWarmUp): 9354 (JSC::CodeBlock::optimizeAfterLongWarmUp): 9355 (JSC::CodeBlock::optimizeSoon): 9356 * bytecode/CodeBlock.h: 9357 * dfg/DFGOSRExitCompilerCommon.cpp: 9358 (JSC::DFG::handleExitCounts): 9359 93602013-08-29 Filip Pizlo <fpizlo@apple.com> 9361 9362 CodeBlock::prepareForExecution() is silly 9363 https://bugs.webkit.org/show_bug.cgi?id=120453 9364 9365 Reviewed by Oliver Hunt. 9366 9367 Instead of saying: 9368 9369 codeBlock->prepareForExecution(stuff, BaselineJIT, more stuff) 9370 9371 we should just say: 9372 9373 JIT::compile(stuff, codeBlock, more stuff); 9374 9375 And similarly for the LLInt and DFG. 9376 9377 This kills a bunch of code, since CodeBlock::prepareForExecution() is just a 9378 wrapper that uses the JITType argument to call into the appropriate execution 9379 engine, which is what the user wanted to do in the first place. 9380 9381 * CMakeLists.txt: 9382 * GNUmakefile.list.am: 9383 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 9384 * JavaScriptCore.xcodeproj/project.pbxproj: 9385 * Target.pri: 9386 * bytecode/CodeBlock.cpp: 9387 * bytecode/CodeBlock.h: 9388 * dfg/DFGDriver.cpp: 9389 (JSC::DFG::compileImpl): 9390 (JSC::DFG::compile): 9391 * dfg/DFGDriver.h: 9392 (JSC::DFG::tryCompile): 9393 * dfg/DFGOSRExitPreparation.cpp: 9394 (JSC::DFG::prepareCodeOriginForOSRExit): 9395 * dfg/DFGWorklist.cpp: 9396 (JSC::DFG::globalWorklist): 9397 * dfg/DFGWorklist.h: 9398 * jit/JIT.cpp: 9399 (JSC::JIT::privateCompile): 9400 * jit/JIT.h: 9401 (JSC::JIT::compile): 9402 * jit/JITStubs.cpp: 9403 (JSC::DEFINE_STUB_FUNCTION): 9404 * llint/LLIntEntrypoint.cpp: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.cpp. 9405 (JSC::LLInt::setFunctionEntrypoint): 9406 (JSC::LLInt::setEvalEntrypoint): 9407 (JSC::LLInt::setProgramEntrypoint): 9408 (JSC::LLInt::setEntrypoint): 9409 * llint/LLIntEntrypoint.h: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.h. 9410 * llint/LLIntEntrypoints.cpp: Removed. 9411 * llint/LLIntEntrypoints.h: Removed. 9412 * llint/LLIntSlowPaths.cpp: 9413 (JSC::LLInt::jitCompileAndSetHeuristics): 9414 * runtime/Executable.cpp: 9415 (JSC::ScriptExecutable::prepareForExecutionImpl): 9416 94172013-08-29 Mark Lam <mark.lam@apple.com> 9418 9419 Gardening: fixed broken non-DFG build. 9420 https://bugs.webkit.org/show_bug.cgi?id=120481. 9421 9422 Not reviewed. 9423 9424 * interpreter/StackIterator.h: 9425 94262013-08-29 Filip Pizlo <fpizlo@apple.com> 9427 9428 CodeBlock compilation and installation should be simplified and rationalized 9429 https://bugs.webkit.org/show_bug.cgi?id=120326 9430 9431 Reviewed by Oliver Hunt. 9432 9433 Rolling r154804 back in after fixing no-LLInt build. 9434 9435 Previously Executable owned the code for generating JIT code; you always had 9436 to go through Executable. But often you also had to go through CodeBlock, 9437 because ScriptExecutable couldn't have virtual methods, but CodeBlock could. 9438 So you'd ask CodeBlock to do something, which would dispatch through a 9439 virtual method that would select the appropriate Executable subtype's method. 9440 This all meant that the same code would often be duplicated, because most of 9441 the work needed to compile something was identical regardless of code type. 9442 But then we tried to fix this, by having templatized helpers in 9443 ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find 9444 out what happened when you asked for something to be compiled, you'd go on a 9445 wild ride that started with CodeBlock, touched upon Executable, and then 9446 ricocheted into either ExecutionHarness or JITDriver (likely both). 9447 9448 Another awkwardness was that for concurrent compiles, the DFG::Worklist had 9449 super-special inside knowledge of what JITStubs.cpp's cti_optimize would have 9450 done once the compilation finished. 9451 9452 Also, most of the DFG JIT drivers assumed that they couldn't install the 9453 JITCode into the CodeBlock directly - instead they would return it via a 9454 reference, which happened to be a reference to the JITCode pointer in 9455 Executable. This was super weird. 9456 9457 Finally, there was no notion of compiling code into a special CodeBlock that 9458 wasn't used for handling calls into an Executable. I'd like this for FTL OSR 9459 entry. 9460 9461 This patch solves these problems by reducing all of that complexity into just 9462 three primitives: 9463 9464 - Executable::newCodeBlock(). This gives you a new code block, either for call 9465 or for construct, and either to serve as the baseline code or the optimized 9466 code. The new code block is then owned by the caller; Executable doesn't 9467 register it anywhere. The new code block has no JITCode and isn't callable, 9468 but it has all of the bytecode. 9469 9470 - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and 9471 produces a JITCode, and then installs the JITCode into the CodeBlock. This 9472 method takes a JITType, and always compiles with that JIT. If you ask for 9473 JITCode::InterpreterThunk then you'll get JITCode that just points to the 9474 LLInt entrypoints. Once this returns, it is possible to call into the 9475 CodeBlock if you do so manually - but the Executable still won't know about 9476 it so JS calls to that Executable will still be routed to whatever CodeBlock 9477 is associated with the Executable. 9478 9479 - Executable::installCode(). This takes a CodeBlock and makes it the code-for- 9480 entry for that Executable. This involves unlinking the Executable's last 9481 CodeBlock, if there was one. This also tells the GC about any effect on 9482 memory usage and does a bunch of weird data structure rewiring, since 9483 Executable caches some of CodeBlock's fields for the benefit of virtual call 9484 fast paths. 9485 9486 This functionality is then wrapped around three convenience methods: 9487 9488 - Executable::prepareForExecution(). If there is no code block for that 9489 Executable, then one is created (newCodeBlock()), compiled 9490 (CodeBlock::prepareForExecution()) and installed (installCode()). 9491 9492 - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that 9493 can serve as an optimized replacement of the current one. 9494 9495 - CodeBlock::install(). Asks the Executable to install this code block. 9496 9497 This patch allows me to kill *a lot* of code and to remove a lot of 9498 specializations for functions vs. not-functions, and a lot of places where we 9499 pass around JITCode references and such. ExecutionHarness and JITDriver are 9500 both gone. Overall this patch has more red than green. 9501 9502 It also allows me to work on FTL OSR entry and tier-up: 9503 9504 - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist 9505 to do some compilation, but it will require the DFG::Worklist to do 9506 something different than what JITStubs.cpp would want, once the compilation 9507 finishes. This patch introduces a callback mechanism for that purpose. 9508 9509 - FTL OSR entry: this will involve creating a special auto-jettisoned 9510 CodeBlock that is used only for FTL OSR entry. The new set of primitives 9511 allows for this: Executable can vend you a fresh new CodeBlock, and you can 9512 ask that CodeBlock to compile itself with any JIT of your choosing. Or you 9513 can take that CodeBlock and compile it yourself. Previously the act of 9514 producing a CodeBlock-for-optimization and the act of compiling code for it 9515 were tightly coupled; now you can separate them and you can create such 9516 auto-jettisoned CodeBlocks that are used for a one-shot OSR entry. 9517 9518 * CMakeLists.txt: 9519 * GNUmakefile.list.am: 9520 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 9521 * JavaScriptCore.xcodeproj/project.pbxproj: 9522 * Target.pri: 9523 * bytecode/CodeBlock.cpp: 9524 (JSC::CodeBlock::unlinkIncomingCalls): 9525 (JSC::CodeBlock::prepareForExecutionImpl): 9526 (JSC::CodeBlock::prepareForExecution): 9527 (JSC::CodeBlock::prepareForExecutionAsynchronously): 9528 (JSC::CodeBlock::install): 9529 (JSC::CodeBlock::newReplacement): 9530 (JSC::FunctionCodeBlock::jettisonImpl): 9531 * bytecode/CodeBlock.h: 9532 (JSC::CodeBlock::hasBaselineJITProfiling): 9533 * bytecode/DeferredCompilationCallback.cpp: Added. 9534 (JSC::DeferredCompilationCallback::DeferredCompilationCallback): 9535 (JSC::DeferredCompilationCallback::~DeferredCompilationCallback): 9536 * bytecode/DeferredCompilationCallback.h: Added. 9537 * dfg/DFGDriver.cpp: 9538 (JSC::DFG::tryCompile): 9539 * dfg/DFGDriver.h: 9540 (JSC::DFG::tryCompile): 9541 * dfg/DFGFailedFinalizer.cpp: 9542 (JSC::DFG::FailedFinalizer::finalize): 9543 (JSC::DFG::FailedFinalizer::finalizeFunction): 9544 * dfg/DFGFailedFinalizer.h: 9545 * dfg/DFGFinalizer.h: 9546 * dfg/DFGJITFinalizer.cpp: 9547 (JSC::DFG::JITFinalizer::finalize): 9548 (JSC::DFG::JITFinalizer::finalizeFunction): 9549 * dfg/DFGJITFinalizer.h: 9550 * dfg/DFGOSRExitPreparation.cpp: 9551 (JSC::DFG::prepareCodeOriginForOSRExit): 9552 * dfg/DFGOperations.cpp: 9553 * dfg/DFGPlan.cpp: 9554 (JSC::DFG::Plan::Plan): 9555 (JSC::DFG::Plan::compileInThreadImpl): 9556 (JSC::DFG::Plan::notifyReady): 9557 (JSC::DFG::Plan::finalizeWithoutNotifyingCallback): 9558 (JSC::DFG::Plan::finalizeAndNotifyCallback): 9559 * dfg/DFGPlan.h: 9560 * dfg/DFGSpeculativeJIT32_64.cpp: 9561 (JSC::DFG::SpeculativeJIT::compile): 9562 * dfg/DFGWorklist.cpp: 9563 (JSC::DFG::Worklist::completeAllReadyPlansForVM): 9564 (JSC::DFG::Worklist::runThread): 9565 * ftl/FTLJITFinalizer.cpp: 9566 (JSC::FTL::JITFinalizer::finalize): 9567 (JSC::FTL::JITFinalizer::finalizeFunction): 9568 * ftl/FTLJITFinalizer.h: 9569 * heap/Heap.h: 9570 (JSC::Heap::isDeferred): 9571 * interpreter/Interpreter.cpp: 9572 (JSC::Interpreter::execute): 9573 (JSC::Interpreter::executeCall): 9574 (JSC::Interpreter::executeConstruct): 9575 (JSC::Interpreter::prepareForRepeatCall): 9576 * jit/JITDriver.h: Removed. 9577 * jit/JITStubs.cpp: 9578 (JSC::DEFINE_STUB_FUNCTION): 9579 (JSC::jitCompileFor): 9580 (JSC::lazyLinkFor): 9581 * jit/JITToDFGDeferredCompilationCallback.cpp: Added. 9582 (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback): 9583 (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback): 9584 (JSC::JITToDFGDeferredCompilationCallback::create): 9585 (JSC::JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously): 9586 (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete): 9587 * jit/JITToDFGDeferredCompilationCallback.h: Added. 9588 * llint/LLIntEntrypoints.cpp: 9589 (JSC::LLInt::setFunctionEntrypoint): 9590 (JSC::LLInt::setEvalEntrypoint): 9591 (JSC::LLInt::setProgramEntrypoint): 9592 * llint/LLIntEntrypoints.h: 9593 * llint/LLIntSlowPaths.cpp: 9594 (JSC::LLInt::jitCompileAndSetHeuristics): 9595 (JSC::LLInt::setUpCall): 9596 * runtime/ArrayPrototype.cpp: 9597 (JSC::isNumericCompareFunction): 9598 * runtime/CommonSlowPaths.cpp: 9599 * runtime/CompilationResult.cpp: 9600 (WTF::printInternal): 9601 * runtime/CompilationResult.h: 9602 * runtime/Executable.cpp: 9603 (JSC::ScriptExecutable::installCode): 9604 (JSC::ScriptExecutable::newCodeBlockFor): 9605 (JSC::ScriptExecutable::newReplacementCodeBlockFor): 9606 (JSC::ScriptExecutable::prepareForExecutionImpl): 9607 * runtime/Executable.h: 9608 (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor): 9609 (JSC::ExecutableBase::offsetOfNumParametersFor): 9610 (JSC::ScriptExecutable::prepareForExecution): 9611 (JSC::FunctionExecutable::jettisonOptimizedCodeFor): 9612 * runtime/ExecutionHarness.h: Removed. 9613 96142013-08-29 Mark Lam <mark.lam@apple.com> 9615 9616 Change StackIterator to not require writes to the JS stack. 9617 https://bugs.webkit.org/show_bug.cgi?id=119657. 9618 9619 Reviewed by Geoffrey Garen. 9620 9621 * GNUmakefile.list.am: 9622 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 9623 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 9624 * JavaScriptCore.xcodeproj/project.pbxproj: 9625 * interpreter/CallFrame.h: 9626 - Removed references to StackIteratorPrivate.h. 9627 * interpreter/StackIterator.cpp: 9628 (JSC::StackIterator::numberOfFrames): 9629 (JSC::StackIterator::gotoFrameAtIndex): 9630 (JSC::StackIterator::gotoNextFrame): 9631 (JSC::StackIterator::resetIterator): 9632 (JSC::StackIterator::find): 9633 (JSC::StackIterator::readFrame): 9634 (JSC::StackIterator::readNonInlinedFrame): 9635 - Reads in the current CallFrame's data for non-inlined frames. 9636 (JSC::inlinedFrameOffset): 9637 - Convenience function to compute the inlined frame offset based on the 9638 CodeOrigin. If the offset is 0, then we're looking at the physical frame. 9639 Otherwise, it's an inlined frame. 9640 (JSC::StackIterator::readInlinedFrame): 9641 - Determines the inlined frame's caller frame. Will read in the caller 9642 frame if it is also an inlined frame i.e. we haven't reached the 9643 outer most frame yet. Otherwise, will call readNonInlinedFrame() to 9644 read on the outer most frame. 9645 This is based on the old StackIterator::Frame::logicalFrame(). 9646 (JSC::StackIterator::updateFrame): 9647 - Reads the data of the caller frame of the current one. This function 9648 is renamed and moved from the old StackIterator::Frame::logicalCallerFrame(), 9649 but is now simplified because it delegates to the readInlinedFrame() 9650 to get the caller for inlined frames. 9651 (JSC::StackIterator::Frame::arguments): 9652 - Fixed to use the inlined frame versions of Arguments::create() and 9653 Arguments::tearOff() when the frame is an inlined frame. 9654 (JSC::StackIterator::Frame::print): 9655 (debugPrintCallFrame): 9656 (debugPrintStack): 9657 - Because sometimes, we want to see the whole stack while debugging. 9658 * interpreter/StackIterator.h: 9659 (JSC::StackIterator::Frame::argumentCount): 9660 (JSC::StackIterator::Frame::callerFrame): 9661 (JSC::StackIterator::Frame::callee): 9662 (JSC::StackIterator::Frame::scope): 9663 (JSC::StackIterator::Frame::codeBlock): 9664 (JSC::StackIterator::Frame::bytecodeOffset): 9665 (JSC::StackIterator::Frame::inlinedFrameInfo): 9666 (JSC::StackIterator::Frame::isJSFrame): 9667 (JSC::StackIterator::Frame::isInlinedFrame): 9668 (JSC::StackIterator::Frame::callFrame): 9669 (JSC::StackIterator::Frame::Frame): 9670 (JSC::StackIterator::Frame::~Frame): 9671 - StackIterator::Frame now caches commonly used accessed values from 9672 the CallFrame. It still delegates argument queries to the CallFrame. 9673 (JSC::StackIterator::operator*): 9674 (JSC::StackIterator::operator->): 9675 (JSC::StackIterator::operator!=): 9676 (JSC::StackIterator::operator++): 9677 (JSC::StackIterator::end): 9678 (JSC::StackIterator::operator==): 9679 * interpreter/StackIteratorPrivate.h: Removed. 9680 96812013-08-29 Chris Curtis <chris_curtis@apple.com> 9682 9683 VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT) 9684 https://bugs.webkit.org/show_bug.cgi?id=120472 9685 9686 Reviewed by Filip Pizlo. 9687 9688 With the JIT disabled, interpreterThrowInCaller was attempting to throw an error, 9689 but the topCallFrame was not set yet. By passing the error object into interpreterThrowInCaller 9690 throwException can be called when topCallFrame is set. 9691 * llint/LLIntSlowPaths.cpp: 9692 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 9693 * runtime/CommonSlowPaths.cpp: 9694 (JSC::SLOW_PATH_DECL): 9695 * runtime/CommonSlowPathsExceptions.cpp: 9696 (JSC::CommonSlowPaths::interpreterThrowInCaller): 9697 * runtime/CommonSlowPathsExceptions.h: 9698 9699 Renamed genericThrow -> genericUnwind, because this function no longer has the ability 9700 to throw errors. It unwinds the stack in order to report them. 9701 * dfg/DFGOperations.cpp: 9702 * jit/JITExceptions.cpp: 9703 (JSC::genericUnwind): 9704 (JSC::jitThrowNew): 9705 (JSC::jitThrow): 9706 * jit/JITExceptions.h: 9707 * llint/LLIntExceptions.cpp: 9708 (JSC::LLInt::doThrow): 9709 97102013-08-29 Commit Queue <commit-queue@webkit.org> 9711 9712 Unreviewed, rolling out r154804. 9713 http://trac.webkit.org/changeset/154804 9714 https://bugs.webkit.org/show_bug.cgi?id=120477 9715 9716 Broke Windows build (assumes LLInt features not enabled on 9717 this build) (Requested by bfulgham on #webkit). 9718 9719 * CMakeLists.txt: 9720 * GNUmakefile.list.am: 9721 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 9722 * JavaScriptCore.xcodeproj/project.pbxproj: 9723 * Target.pri: 9724 * bytecode/CodeBlock.cpp: 9725 (JSC::CodeBlock::linkIncomingCall): 9726 (JSC::CodeBlock::unlinkIncomingCalls): 9727 (JSC::CodeBlock::reoptimize): 9728 (JSC::ProgramCodeBlock::replacement): 9729 (JSC::EvalCodeBlock::replacement): 9730 (JSC::FunctionCodeBlock::replacement): 9731 (JSC::ProgramCodeBlock::compileOptimized): 9732 (JSC::ProgramCodeBlock::replaceWithDeferredOptimizedCode): 9733 (JSC::EvalCodeBlock::compileOptimized): 9734 (JSC::EvalCodeBlock::replaceWithDeferredOptimizedCode): 9735 (JSC::FunctionCodeBlock::compileOptimized): 9736 (JSC::FunctionCodeBlock::replaceWithDeferredOptimizedCode): 9737 (JSC::ProgramCodeBlock::jitCompileImpl): 9738 (JSC::EvalCodeBlock::jitCompileImpl): 9739 (JSC::FunctionCodeBlock::jitCompileImpl): 9740 * bytecode/CodeBlock.h: 9741 (JSC::CodeBlock::jitType): 9742 (JSC::CodeBlock::jitCompile): 9743 * bytecode/DeferredCompilationCallback.cpp: Removed. 9744 * bytecode/DeferredCompilationCallback.h: Removed. 9745 * dfg/DFGDriver.cpp: 9746 (JSC::DFG::compile): 9747 (JSC::DFG::tryCompile): 9748 (JSC::DFG::tryCompileFunction): 9749 (JSC::DFG::tryFinalizePlan): 9750 * dfg/DFGDriver.h: 9751 (JSC::DFG::tryCompile): 9752 (JSC::DFG::tryCompileFunction): 9753 (JSC::DFG::tryFinalizePlan): 9754 * dfg/DFGFailedFinalizer.cpp: 9755 (JSC::DFG::FailedFinalizer::finalize): 9756 (JSC::DFG::FailedFinalizer::finalizeFunction): 9757 * dfg/DFGFailedFinalizer.h: 9758 * dfg/DFGFinalizer.h: 9759 * dfg/DFGJITFinalizer.cpp: 9760 (JSC::DFG::JITFinalizer::finalize): 9761 (JSC::DFG::JITFinalizer::finalizeFunction): 9762 * dfg/DFGJITFinalizer.h: 9763 * dfg/DFGOSRExitPreparation.cpp: 9764 (JSC::DFG::prepareCodeOriginForOSRExit): 9765 * dfg/DFGOperations.cpp: 9766 * dfg/DFGPlan.cpp: 9767 (JSC::DFG::Plan::Plan): 9768 (JSC::DFG::Plan::compileInThreadImpl): 9769 (JSC::DFG::Plan::finalize): 9770 * dfg/DFGPlan.h: 9771 * dfg/DFGSpeculativeJIT32_64.cpp: 9772 (JSC::DFG::SpeculativeJIT::compile): 9773 * dfg/DFGWorklist.cpp: 9774 (JSC::DFG::Worklist::completeAllReadyPlansForVM): 9775 (JSC::DFG::Worklist::runThread): 9776 * ftl/FTLJITFinalizer.cpp: 9777 (JSC::FTL::JITFinalizer::finalize): 9778 (JSC::FTL::JITFinalizer::finalizeFunction): 9779 * ftl/FTLJITFinalizer.h: 9780 * heap/Heap.h: 9781 * interpreter/Interpreter.cpp: 9782 (JSC::Interpreter::execute): 9783 (JSC::Interpreter::executeCall): 9784 (JSC::Interpreter::executeConstruct): 9785 (JSC::Interpreter::prepareForRepeatCall): 9786 * jit/JITDriver.h: Added. 9787 (JSC::jitCompileIfAppropriateImpl): 9788 (JSC::jitCompileFunctionIfAppropriateImpl): 9789 (JSC::jitCompileIfAppropriate): 9790 (JSC::jitCompileFunctionIfAppropriate): 9791 * jit/JITStubs.cpp: 9792 (JSC::DEFINE_STUB_FUNCTION): 9793 (JSC::jitCompileFor): 9794 (JSC::lazyLinkFor): 9795 * jit/JITToDFGDeferredCompilationCallback.cpp: Removed. 9796 * jit/JITToDFGDeferredCompilationCallback.h: Removed. 9797 * llint/LLIntEntrypoints.cpp: 9798 (JSC::LLInt::getFunctionEntrypoint): 9799 (JSC::LLInt::getEvalEntrypoint): 9800 (JSC::LLInt::getProgramEntrypoint): 9801 * llint/LLIntEntrypoints.h: 9802 (JSC::LLInt::getEntrypoint): 9803 * llint/LLIntSlowPaths.cpp: 9804 (JSC::LLInt::jitCompileAndSetHeuristics): 9805 (JSC::LLInt::setUpCall): 9806 * runtime/ArrayPrototype.cpp: 9807 (JSC::isNumericCompareFunction): 9808 * runtime/CommonSlowPaths.cpp: 9809 * runtime/CompilationResult.cpp: 9810 (WTF::printInternal): 9811 * runtime/CompilationResult.h: 9812 * runtime/Executable.cpp: 9813 (JSC::EvalExecutable::compileOptimized): 9814 (JSC::EvalExecutable::jitCompile): 9815 (JSC::EvalExecutable::compileInternal): 9816 (JSC::EvalExecutable::replaceWithDeferredOptimizedCode): 9817 (JSC::ProgramExecutable::compileOptimized): 9818 (JSC::ProgramExecutable::jitCompile): 9819 (JSC::ProgramExecutable::compileInternal): 9820 (JSC::ProgramExecutable::replaceWithDeferredOptimizedCode): 9821 (JSC::FunctionExecutable::compileOptimizedForCall): 9822 (JSC::FunctionExecutable::compileOptimizedForConstruct): 9823 (JSC::FunctionExecutable::jitCompileForCall): 9824 (JSC::FunctionExecutable::jitCompileForConstruct): 9825 (JSC::FunctionExecutable::produceCodeBlockFor): 9826 (JSC::FunctionExecutable::compileForCallInternal): 9827 (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForCall): 9828 (JSC::FunctionExecutable::compileForConstructInternal): 9829 (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForConstruct): 9830 * runtime/Executable.h: 9831 (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor): 9832 (JSC::ExecutableBase::offsetOfNumParametersFor): 9833 (JSC::ExecutableBase::catchRoutineFor): 9834 (JSC::EvalExecutable::compile): 9835 (JSC::ProgramExecutable::compile): 9836 (JSC::FunctionExecutable::compileForCall): 9837 (JSC::FunctionExecutable::compileForConstruct): 9838 (JSC::FunctionExecutable::compileFor): 9839 (JSC::FunctionExecutable::compileOptimizedFor): 9840 (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeFor): 9841 (JSC::FunctionExecutable::jitCompileFor): 9842 * runtime/ExecutionHarness.h: Added. 9843 (JSC::prepareForExecutionImpl): 9844 (JSC::prepareFunctionForExecutionImpl): 9845 (JSC::installOptimizedCode): 9846 (JSC::prepareForExecution): 9847 (JSC::prepareFunctionForExecution): 9848 (JSC::replaceWithDeferredOptimizedCode): 9849 98502013-08-28 Filip Pizlo <fpizlo@apple.com> 9851 9852 CodeBlock compilation and installation should be simplified and rationalized 9853 https://bugs.webkit.org/show_bug.cgi?id=120326 9854 9855 Reviewed by Oliver Hunt. 9856 9857 Previously Executable owned the code for generating JIT code; you always had 9858 to go through Executable. But often you also had to go through CodeBlock, 9859 because ScriptExecutable couldn't have virtual methods, but CodeBlock could. 9860 So you'd ask CodeBlock to do something, which would dispatch through a 9861 virtual method that would select the appropriate Executable subtype's method. 9862 This all meant that the same code would often be duplicated, because most of 9863 the work needed to compile something was identical regardless of code type. 9864 But then we tried to fix this, by having templatized helpers in 9865 ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find 9866 out what happened when you asked for something to be compiled, you'd go on a 9867 wild ride that started with CodeBlock, touched upon Executable, and then 9868 ricocheted into either ExecutionHarness or JITDriver (likely both). 9869 9870 Another awkwardness was that for concurrent compiles, the DFG::Worklist had 9871 super-special inside knowledge of what JITStubs.cpp's cti_optimize would have 9872 done once the compilation finished. 9873 9874 Also, most of the DFG JIT drivers assumed that they couldn't install the 9875 JITCode into the CodeBlock directly - instead they would return it via a 9876 reference, which happened to be a reference to the JITCode pointer in 9877 Executable. This was super weird. 9878 9879 Finally, there was no notion of compiling code into a special CodeBlock that 9880 wasn't used for handling calls into an Executable. I'd like this for FTL OSR 9881 entry. 9882 9883 This patch solves these problems by reducing all of that complexity into just 9884 three primitives: 9885 9886 - Executable::newCodeBlock(). This gives you a new code block, either for call 9887 or for construct, and either to serve as the baseline code or the optimized 9888 code. The new code block is then owned by the caller; Executable doesn't 9889 register it anywhere. The new code block has no JITCode and isn't callable, 9890 but it has all of the bytecode. 9891 9892 - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and 9893 produces a JITCode, and then installs the JITCode into the CodeBlock. This 9894 method takes a JITType, and always compiles with that JIT. If you ask for 9895 JITCode::InterpreterThunk then you'll get JITCode that just points to the 9896 LLInt entrypoints. Once this returns, it is possible to call into the 9897 CodeBlock if you do so manually - but the Executable still won't know about 9898 it so JS calls to that Executable will still be routed to whatever CodeBlock 9899 is associated with the Executable. 9900 9901 - Executable::installCode(). This takes a CodeBlock and makes it the code-for- 9902 entry for that Executable. This involves unlinking the Executable's last 9903 CodeBlock, if there was one. This also tells the GC about any effect on 9904 memory usage and does a bunch of weird data structure rewiring, since 9905 Executable caches some of CodeBlock's fields for the benefit of virtual call 9906 fast paths. 9907 9908 This functionality is then wrapped around three convenience methods: 9909 9910 - Executable::prepareForExecution(). If there is no code block for that 9911 Executable, then one is created (newCodeBlock()), compiled 9912 (CodeBlock::prepareForExecution()) and installed (installCode()). 9913 9914 - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that 9915 can serve as an optimized replacement of the current one. 9916 9917 - CodeBlock::install(). Asks the Executable to install this code block. 9918 9919 This patch allows me to kill *a lot* of code and to remove a lot of 9920 specializations for functions vs. not-functions, and a lot of places where we 9921 pass around JITCode references and such. ExecutionHarness and JITDriver are 9922 both gone. Overall this patch has more red than green. 9923 9924 It also allows me to work on FTL OSR entry and tier-up: 9925 9926 - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist 9927 to do some compilation, but it will require the DFG::Worklist to do 9928 something different than what JITStubs.cpp would want, once the compilation 9929 finishes. This patch introduces a callback mechanism for that purpose. 9930 9931 - FTL OSR entry: this will involve creating a special auto-jettisoned 9932 CodeBlock that is used only for FTL OSR entry. The new set of primitives 9933 allows for this: Executable can vend you a fresh new CodeBlock, and you can 9934 ask that CodeBlock to compile itself with any JIT of your choosing. Or you 9935 can take that CodeBlock and compile it yourself. Previously the act of 9936 producing a CodeBlock-for-optimization and the act of compiling code for it 9937 were tightly coupled; now you can separate them and you can create such 9938 auto-jettisoned CodeBlocks that are used for a one-shot OSR entry. 9939 9940 * CMakeLists.txt: 9941 * GNUmakefile.list.am: 9942 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 9943 * JavaScriptCore.xcodeproj/project.pbxproj: 9944 * Target.pri: 9945 * bytecode/CodeBlock.cpp: 9946 (JSC::CodeBlock::prepareForExecution): 9947 (JSC::CodeBlock::install): 9948 (JSC::CodeBlock::newReplacement): 9949 (JSC::FunctionCodeBlock::jettisonImpl): 9950 (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult): 9951 * bytecode/CodeBlock.h: 9952 (JSC::CodeBlock::hasBaselineJITProfiling): 9953 * bytecode/DeferredCompilationCallback.cpp: Added. 9954 (JSC::DeferredCompilationCallback::DeferredCompilationCallback): 9955 (JSC::DeferredCompilationCallback::~DeferredCompilationCallback): 9956 * bytecode/DeferredCompilationCallback.h: Added. 9957 * dfg/DFGDriver.cpp: 9958 (JSC::DFG::tryCompile): 9959 * dfg/DFGDriver.h: 9960 (JSC::DFG::tryCompile): 9961 * dfg/DFGFailedFinalizer.cpp: 9962 (JSC::DFG::FailedFinalizer::finalize): 9963 (JSC::DFG::FailedFinalizer::finalizeFunction): 9964 * dfg/DFGFailedFinalizer.h: 9965 * dfg/DFGFinalizer.h: 9966 * dfg/DFGJITFinalizer.cpp: 9967 (JSC::DFG::JITFinalizer::finalize): 9968 (JSC::DFG::JITFinalizer::finalizeFunction): 9969 * dfg/DFGJITFinalizer.h: 9970 * dfg/DFGOSRExitPreparation.cpp: 9971 (JSC::DFG::prepareCodeOriginForOSRExit): 9972 * dfg/DFGOperations.cpp: 9973 * dfg/DFGPlan.cpp: 9974 (JSC::DFG::Plan::Plan): 9975 (JSC::DFG::Plan::compileInThreadImpl): 9976 (JSC::DFG::Plan::finalizeWithoutNotifyingCallback): 9977 (JSC::DFG::Plan::finalizeAndNotifyCallback): 9978 * dfg/DFGPlan.h: 9979 * dfg/DFGWorklist.cpp: 9980 (JSC::DFG::Worklist::completeAllReadyPlansForVM): 9981 * ftl/FTLJITFinalizer.cpp: 9982 (JSC::FTL::JITFinalizer::finalize): 9983 (JSC::FTL::JITFinalizer::finalizeFunction): 9984 * ftl/FTLJITFinalizer.h: 9985 * heap/Heap.h: 9986 (JSC::Heap::isDeferred): 9987 * interpreter/Interpreter.cpp: 9988 (JSC::Interpreter::execute): 9989 (JSC::Interpreter::executeCall): 9990 (JSC::Interpreter::executeConstruct): 9991 (JSC::Interpreter::prepareForRepeatCall): 9992 * jit/JITDriver.h: Removed. 9993 * jit/JITStubs.cpp: 9994 (JSC::DEFINE_STUB_FUNCTION): 9995 (JSC::jitCompileFor): 9996 (JSC::lazyLinkFor): 9997 * jit/JITToDFGDeferredCompilationCallback.cpp: Added. 9998 (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback): 9999 (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback): 10000 (JSC::JITToDFGDeferredCompilationCallback::create): 10001 (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete): 10002 * jit/JITToDFGDeferredCompilationCallback.h: Added. 10003 * llint/LLIntEntrypoints.cpp: 10004 (JSC::LLInt::setFunctionEntrypoint): 10005 (JSC::LLInt::setEvalEntrypoint): 10006 (JSC::LLInt::setProgramEntrypoint): 10007 * llint/LLIntEntrypoints.h: 10008 * llint/LLIntSlowPaths.cpp: 10009 (JSC::LLInt::jitCompileAndSetHeuristics): 10010 (JSC::LLInt::setUpCall): 10011 * runtime/ArrayPrototype.cpp: 10012 (JSC::isNumericCompareFunction): 10013 * runtime/CommonSlowPaths.cpp: 10014 * runtime/CompilationResult.cpp: 10015 (WTF::printInternal): 10016 * runtime/CompilationResult.h: 10017 * runtime/Executable.cpp: 10018 (JSC::ScriptExecutable::installCode): 10019 (JSC::ScriptExecutable::newCodeBlockFor): 10020 (JSC::ScriptExecutable::newReplacementCodeBlockFor): 10021 (JSC::ScriptExecutable::prepareForExecutionImpl): 10022 * runtime/Executable.h: 10023 (JSC::ScriptExecutable::prepareForExecution): 10024 (JSC::FunctionExecutable::jettisonOptimizedCodeFor): 10025 * runtime/ExecutionHarness.h: Removed. 10026 100272013-08-28 Chris Curtis <chris_curtis@apple.com> 10028 10029 https://bugs.webkit.org/show_bug.cgi?id=119548 10030 Refactoring Exception throws. 10031 10032 Reviewed by Geoffrey Garen. 10033 10034 Gardening of exception throws. The act of throwing an exception was being handled in 10035 different ways depending on whether the code was running in the LLint, Baseline JIT, 10036 or the DFG Jit. This made development in the vm exception and error objects difficult. 10037 10038 * runtime/VM.cpp: 10039 (JSC::appendSourceToError): 10040 This function moved from the interpreter into the VM. It views the developers code 10041 (if there is a codeBlock) to extract what was trying to be evaluated when the error 10042 occurred. 10043 10044 (JSC::VM::throwException): 10045 This function takes in the error object and sets the following: 10046 1: The VM's exception stack 10047 2: The VM's exception 10048 3: Appends extra information on the error message(via appendSourceToError) 10049 4: The error object's line number 10050 5: The error object's column number 10051 6: The error object's sourceURL 10052 7: The error object's stack trace (unless it already exists because the developer 10053 created the error object). 10054 10055 (JSC::VM::getExceptionInfo): 10056 (JSC::VM::setExceptionInfo): 10057 (JSC::VM::clearException): 10058 (JSC::clearExceptionStack): 10059 * runtime/VM.h: 10060 (JSC::VM::exceptionOffset): 10061 (JSC::VM::exception): 10062 (JSC::VM::addressOfException): 10063 (JSC::VM::exceptionStack): 10064 VM exception and exceptionStack are now private data members. 10065 10066 * interpreter/Interpreter.h: 10067 (JSC::ClearExceptionScope::ClearExceptionScope): 10068 Created this structure to temporarily clear the exception within the VM. This 10069 needed to see if addition errors occur when setting the debugger as we are 10070 unwinding the stack. 10071 10072 * interpreter/Interpreter.cpp: 10073 (JSC::Interpreter::unwind): 10074 Removed the code that would try to add error information if it did not exist. 10075 All of this functionality has moved into the VM and all error information is set 10076 at the time the error occurs. 10077 10078 The rest of these functions reference the new calling convention to throw an error. 10079 10080 * API/APICallbackFunction.h: 10081 (JSC::APICallbackFunction::call): 10082 * API/JSCallbackConstructor.cpp: 10083 (JSC::constructJSCallback): 10084 * API/JSCallbackObjectFunctions.h: 10085 (JSC::::getOwnPropertySlot): 10086 (JSC::::defaultValue): 10087 (JSC::::put): 10088 (JSC::::putByIndex): 10089 (JSC::::deleteProperty): 10090 (JSC::::construct): 10091 (JSC::::customHasInstance): 10092 (JSC::::call): 10093 (JSC::::getStaticValue): 10094 (JSC::::staticFunctionGetter): 10095 (JSC::::callbackGetter): 10096 * debugger/Debugger.cpp: 10097 (JSC::evaluateInGlobalCallFrame): 10098 * debugger/DebuggerCallFrame.cpp: 10099 (JSC::DebuggerCallFrame::evaluate): 10100 * dfg/DFGAssemblyHelpers.h: 10101 (JSC::DFG::AssemblyHelpers::emitExceptionCheck): 10102 * dfg/DFGOperations.cpp: 10103 (JSC::DFG::operationPutByValInternal): 10104 * ftl/FTLLowerDFGToLLVM.cpp: 10105 (JSC::FTL::LowerDFGToLLVM::callCheck): 10106 * heap/Heap.cpp: 10107 (JSC::Heap::markRoots): 10108 * interpreter/CallFrame.h: 10109 (JSC::ExecState::clearException): 10110 (JSC::ExecState::exception): 10111 (JSC::ExecState::hadException): 10112 * interpreter/Interpreter.cpp: 10113 (JSC::eval): 10114 (JSC::loadVarargs): 10115 (JSC::stackTraceAsString): 10116 (JSC::Interpreter::execute): 10117 (JSC::Interpreter::executeCall): 10118 (JSC::Interpreter::executeConstruct): 10119 (JSC::Interpreter::prepareForRepeatCall): 10120 * interpreter/Interpreter.h: 10121 (JSC::ClearExceptionScope::ClearExceptionScope): 10122 * jit/JITCode.cpp: 10123 (JSC::JITCode::execute): 10124 * jit/JITExceptions.cpp: 10125 (JSC::genericThrow): 10126 * jit/JITOpcodes.cpp: 10127 (JSC::JIT::emit_op_catch): 10128 * jit/JITOpcodes32_64.cpp: 10129 (JSC::JIT::privateCompileCTINativeCall): 10130 (JSC::JIT::emit_op_catch): 10131 * jit/JITStubs.cpp: 10132 (JSC::returnToThrowTrampoline): 10133 (JSC::throwExceptionFromOpCall): 10134 (JSC::DEFINE_STUB_FUNCTION): 10135 (JSC::jitCompileFor): 10136 (JSC::lazyLinkFor): 10137 (JSC::putByVal): 10138 (JSC::cti_vm_handle_exception): 10139 * jit/SlowPathCall.h: 10140 (JSC::JITSlowPathCall::call): 10141 * jit/ThunkGenerators.cpp: 10142 (JSC::nativeForGenerator): 10143 * jsc.cpp: 10144 (functionRun): 10145 (functionLoad): 10146 (functionCheckSyntax): 10147 * llint/LLIntExceptions.cpp: 10148 (JSC::LLInt::doThrow): 10149 (JSC::LLInt::returnToThrow): 10150 (JSC::LLInt::callToThrow): 10151 * llint/LLIntSlowPaths.cpp: 10152 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 10153 * llint/LowLevelInterpreter.cpp: 10154 (JSC::CLoop::execute): 10155 * llint/LowLevelInterpreter32_64.asm: 10156 * llint/LowLevelInterpreter64.asm: 10157 * runtime/ArrayConstructor.cpp: 10158 (JSC::constructArrayWithSizeQuirk): 10159 * runtime/CommonSlowPaths.cpp: 10160 (JSC::SLOW_PATH_DECL): 10161 * runtime/CommonSlowPaths.h: 10162 (JSC::CommonSlowPaths::opIn): 10163 * runtime/CommonSlowPathsExceptions.cpp: 10164 (JSC::CommonSlowPaths::interpreterThrowInCaller): 10165 * runtime/Completion.cpp: 10166 (JSC::evaluate): 10167 * runtime/Error.cpp: 10168 (JSC::addErrorInfo): 10169 (JSC::throwTypeError): 10170 (JSC::throwSyntaxError): 10171 * runtime/Error.h: 10172 (JSC::throwVMError): 10173 * runtime/ExceptionHelpers.cpp: 10174 (JSC::throwOutOfMemoryError): 10175 (JSC::throwStackOverflowError): 10176 (JSC::throwTerminatedExecutionException): 10177 * runtime/Executable.cpp: 10178 (JSC::EvalExecutable::create): 10179 (JSC::FunctionExecutable::produceCodeBlockFor): 10180 * runtime/FunctionConstructor.cpp: 10181 (JSC::constructFunction): 10182 (JSC::constructFunctionSkippingEvalEnabledCheck): 10183 * runtime/JSArray.cpp: 10184 (JSC::JSArray::defineOwnProperty): 10185 (JSC::JSArray::put): 10186 (JSC::JSArray::push): 10187 * runtime/JSCJSValue.cpp: 10188 (JSC::JSValue::toObjectSlowCase): 10189 (JSC::JSValue::synthesizePrototype): 10190 (JSC::JSValue::putToPrimitive): 10191 * runtime/JSFunction.cpp: 10192 (JSC::JSFunction::defineOwnProperty): 10193 * runtime/JSGenericTypedArrayViewInlines.h: 10194 (JSC::::create): 10195 (JSC::::createUninitialized): 10196 (JSC::::validateRange): 10197 (JSC::::setWithSpecificType): 10198 * runtime/JSGlobalObjectFunctions.cpp: 10199 (JSC::encode): 10200 (JSC::decode): 10201 (JSC::globalFuncProtoSetter): 10202 * runtime/JSNameScope.cpp: 10203 (JSC::JSNameScope::put): 10204 * runtime/JSONObject.cpp: 10205 (JSC::Stringifier::appendStringifiedValue): 10206 (JSC::Walker::walk): 10207 * runtime/JSObject.cpp: 10208 (JSC::JSObject::put): 10209 (JSC::JSObject::defaultValue): 10210 (JSC::JSObject::hasInstance): 10211 (JSC::JSObject::defaultHasInstance): 10212 (JSC::JSObject::defineOwnNonIndexProperty): 10213 (JSC::throwTypeError): 10214 * runtime/ObjectConstructor.cpp: 10215 (JSC::toPropertyDescriptor): 10216 * runtime/RegExpConstructor.cpp: 10217 (JSC::constructRegExp): 10218 * runtime/StringObject.cpp: 10219 (JSC::StringObject::defineOwnProperty): 10220 * runtime/StringRecursionChecker.cpp: 10221 (JSC::StringRecursionChecker::throwStackOverflowError): 10222 102232013-08-28 Zan Dobersek <zdobersek@igalia.com> 10224 10225 [GTK] Add support for building JSC with FTL JIT enabled 10226 https://bugs.webkit.org/show_bug.cgi?id=120270 10227 10228 Reviewed by Filip Pizlo. 10229 10230 * GNUmakefile.am: Add LLVM_LIBS to the list of linker flags and LLVM_CFLAGS to the list of 10231 compiler flags for the JSC library. 10232 * GNUmakefile.list.am: Add the missing build targets. 10233 * ftl/FTLAbbreviations.h: Include the <cstring> header and use std::strlen. This avoids compilation 10234 failures when using the Clang compiler with the libstdc++ standard library. 10235 (JSC::FTL::mdKindID): 10236 (JSC::FTL::mdString): 10237 102382013-08-23 Andy Estes <aestes@apple.com> 10239 10240 Fix issues found by the Clang Static Analyzer 10241 https://bugs.webkit.org/show_bug.cgi?id=120230 10242 10243 Reviewed by Darin Adler. 10244 10245 * API/JSValue.mm: 10246 (valueToString): Don't leak every CFStringRef when in Objective-C GC. 10247 * API/ObjCCallbackFunction.mm: 10248 (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl): Don't 10249 release m_invocation's target since NSInvocation will do it for us on 10250 -dealloc. 10251 (objCCallbackFunctionForBlock): Tell NSInvocation to retain its target 10252 and -release our reference to the copied block. 10253 * API/tests/minidom.c: 10254 (createStringWithContentsOfFile): Free buffer before returning. 10255 * API/tests/testapi.c: 10256 (createStringWithContentsOfFile): Ditto. 10257 102582013-08-26 Brent Fulgham <bfulgham@apple.com> 10259 10260 [Windows] Unreviewed build fix after r154629. 10261 10262 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing build files. 10263 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 10264 102652013-08-26 Ryosuke Niwa <rniwa@webkit.org> 10266 10267 Windows build fix attempt after r154629. 10268 10269 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 10270 102712013-08-25 Mark Hahnenberg <mhahnenberg@apple.com> 10272 10273 JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possible reallocing it 10274 https://bugs.webkit.org/show_bug.cgi?id=120278 10275 10276 Reviewed by Geoffrey Garen. 10277 10278 * runtime/JSObject.cpp: 10279 (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage): 10280 102812013-08-26 Filip Pizlo <fpizlo@apple.com> 10282 10283 Fix indention of Executable.h. 10284 10285 Rubber stamped by Mark Hahnenberg. 10286 10287 * runtime/Executable.h: 10288 102892013-08-26 Mark Hahnenberg <mhahnenberg@apple.com> 10290 10291 Object.defineProperty should be able to create a PropertyDescriptor where m_attributes == 0 10292 https://bugs.webkit.org/show_bug.cgi?id=120314 10293 10294 Reviewed by Darin Adler. 10295 10296 Currently with the way that defineProperty works, we leave a stray low bit set in 10297 PropertyDescriptor::m_attributes in the following code: 10298 10299 var o = {}; 10300 Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"}); 10301 10302 This is due to the fact that the lowest non-zero attribute (ReadOnly) is represented as 1 << 1 10303 instead of 1 << 0. We then calculate the default attributes as (DontDelete << 1) - 1, which is 0xF, 10304 but only the top three bits mean anything. Even in the case above, the top three bits are set 10305 to 0 but the bottom bit remains set, which causes us to think m_attributes is non-zero. 10306 10307 Since some of these attributes and their corresponding values are exposed in the JavaScriptCore 10308 framework's public C API, it's safer to just change how we calculate the default value, which is 10309 where the weirdness was originating from in the first place. 10310 10311 * runtime/PropertyDescriptor.cpp: 10312 103132013-08-24 Sam Weinig <sam@webkit.org> 10314 10315 Add support for Promises 10316 https://bugs.webkit.org/show_bug.cgi?id=120260 10317 10318 Reviewed by Darin Adler. 10319 10320 Add an initial implementation of Promises - http://dom.spec.whatwg.org/#promises. 10321 - Despite Promises being defined in the DOM, the implementation is being put in JSC 10322 in preparation for the Promises eventually being defined in ECMAScript. 10323 10324 * CMakeLists.txt: 10325 * DerivedSources.make: 10326 * DerivedSources.pri: 10327 * GNUmakefile.list.am: 10328 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 10329 * JavaScriptCore.xcodeproj/project.pbxproj: 10330 * Target.pri: 10331 Add new files. 10332 10333 * jsc.cpp: 10334 Update jsc's GlobalObjectMethodTable to stub out the new QueueTaskToEventLoop callback. This mean's 10335 you can't quite use Promises with with the command line tool yet. 10336 10337 * interpreter/CallFrame.h: 10338 (JSC::ExecState::promisePrototypeTable): 10339 (JSC::ExecState::promiseConstructorTable): 10340 (JSC::ExecState::promiseResolverPrototypeTable): 10341 * runtime/VM.cpp: 10342 (JSC::VM::VM): 10343 (JSC::VM::~VM): 10344 * runtime/VM.h: 10345 Add supporting code for the new static lookup tables. 10346 10347 * runtime/CommonIdentifiers.h: 10348 Add 3 new identifiers, "Promise", "PromiseResolver", and "then". 10349 10350 * runtime/JSGlobalObject.cpp: 10351 (JSC::JSGlobalObject::reset): 10352 (JSC::JSGlobalObject::visitChildren): 10353 Add supporting code Promise and PromiseResolver's constructors and structures. 10354 10355 * runtime/JSGlobalObject.h: 10356 (JSC::TaskContext::~TaskContext): 10357 Add a new callback to the GlobalObjectMethodTable to post a task on the embedder's runloop. 10358 10359 (JSC::JSGlobalObject::promisePrototype): 10360 (JSC::JSGlobalObject::promiseResolverPrototype): 10361 (JSC::JSGlobalObject::promiseStructure): 10362 (JSC::JSGlobalObject::promiseResolverStructure): 10363 (JSC::JSGlobalObject::promiseCallbackStructure): 10364 (JSC::JSGlobalObject::promiseWrapperCallbackStructure): 10365 Add supporting code Promise and PromiseResolver's constructors and structures. 10366 10367 * runtime/JSPromise.cpp: Added. 10368 * runtime/JSPromise.h: Added. 10369 * runtime/JSPromiseCallback.cpp: Added. 10370 * runtime/JSPromiseCallback.h: Added. 10371 * runtime/JSPromiseConstructor.cpp: Added. 10372 * runtime/JSPromiseConstructor.h: Added. 10373 * runtime/JSPromisePrototype.cpp: Added. 10374 * runtime/JSPromisePrototype.h: Added. 10375 * runtime/JSPromiseResolver.cpp: Added. 10376 * runtime/JSPromiseResolver.h: Added. 10377 * runtime/JSPromiseResolverConstructor.cpp: Added. 10378 * runtime/JSPromiseResolverConstructor.h: Added. 10379 * runtime/JSPromiseResolverPrototype.cpp: Added. 10380 * runtime/JSPromiseResolverPrototype.h: Added. 10381 Add Promise implementation. 10382 103832013-08-26 Zan Dobersek <zdobersek@igalia.com> 10384 10385 Plenty of -Wcast-align warnings in KeywordLookup.h 10386 https://bugs.webkit.org/show_bug.cgi?id=120316 10387 10388 Reviewed by Darin Adler. 10389 10390 * KeywordLookupGenerator.py: Use reinterpret_cast instead of a C-style cast when casting 10391 the character pointers to types of larger size. This avoids spewing lots of warnings 10392 in the KeywordLookup.h header when compiling with the -Wcast-align option. 10393 103942013-08-26 Gavin Barraclough <barraclough@apple.com> 10395 10396 RegExpMatchesArray should not call [[put]] 10397 https://bugs.webkit.org/show_bug.cgi?id=120317 10398 10399 Reviewed by Oliver Hunt. 10400 10401 This will call accessors on the JSObject/JSArray prototypes - so adding an accessor or read-only 10402 property called index or input to either of these prototypes will result in broken behavior. 10403 10404 * runtime/RegExpMatchesArray.cpp: 10405 (JSC::RegExpMatchesArray::reifyAllProperties): 10406 - put -> putDirect 10407 104082013-08-24 Filip Pizlo <fpizlo@apple.com> 10409 10410 FloatTypedArrayAdaptor::toJSValue should almost certainly not use jsNumber() since that attempts int conversions 10411 https://bugs.webkit.org/show_bug.cgi?id=120228 10412 10413 Reviewed by Oliver Hunt. 10414 10415 It turns out that there were three problems: 10416 10417 - Using jsNumber() meant that we were converting doubles to integers and then 10418 possibly back again whenever doing a set() between floating point arrays. 10419 10420 - Slow-path accesses to double typed arrays were slower than necessary because 10421 of the to-int conversion attempt. 10422 10423 - The use of JSValue as an intermediate for converting between differen types 10424 in typedArray.set() resulted in worse code than I had previously expected. 10425 10426 This patch solves the problem by using template double-dispatch to ensure that 10427 that C++ compiler sees the simplest possible combination of casts between any 10428 combination of typed array types, while still preserving JS and typed array 10429 conversion semantics. Conversions are done as follows: 10430 10431 SourceAdaptor::convertTo<TargetAdaptor>(value) 10432 10433 Internally, convertTo() calls one of three possible methods on TargetAdaptor, 10434 with one method for each of int32_t, uint32_t, and double. This means that the 10435 C++ compiler will at worst see a widening cast to one of those types followed 10436 by a narrowing conversion (not necessarily a cast - may have clamping or the 10437 JS toInt32() function). 10438 10439 This change doesn't just affect typedArray.set(); it also affects slow-path 10440 accesses to typed arrays as well. This patch also adds a bunch of new test 10441 coverage. 10442 10443 This change is a ~50% speed-up on typedArray.set() involving floating point 10444 types. 10445 10446 * GNUmakefile.list.am: 10447 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 10448 * JavaScriptCore.xcodeproj/project.pbxproj: 10449 * runtime/GenericTypedArrayView.h: 10450 (JSC::GenericTypedArrayView::set): 10451 * runtime/JSDataViewPrototype.cpp: 10452 (JSC::setData): 10453 * runtime/JSGenericTypedArrayView.h: 10454 (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble): 10455 (JSC::JSGenericTypedArrayView::setIndexQuickly): 10456 * runtime/JSGenericTypedArrayViewInlines.h: 10457 (JSC::::setWithSpecificType): 10458 (JSC::::set): 10459 * runtime/ToNativeFromValue.h: Added. 10460 (JSC::toNativeFromValue): 10461 * runtime/TypedArrayAdaptors.h: 10462 (JSC::IntegralTypedArrayAdaptor::toJSValue): 10463 (JSC::IntegralTypedArrayAdaptor::toDouble): 10464 (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32): 10465 (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32): 10466 (JSC::IntegralTypedArrayAdaptor::toNativeFromDouble): 10467 (JSC::IntegralTypedArrayAdaptor::convertTo): 10468 (JSC::FloatTypedArrayAdaptor::toJSValue): 10469 (JSC::FloatTypedArrayAdaptor::toDouble): 10470 (JSC::FloatTypedArrayAdaptor::toNativeFromInt32): 10471 (JSC::FloatTypedArrayAdaptor::toNativeFromUint32): 10472 (JSC::FloatTypedArrayAdaptor::toNativeFromDouble): 10473 (JSC::FloatTypedArrayAdaptor::convertTo): 10474 (JSC::Uint8ClampedAdaptor::toJSValue): 10475 (JSC::Uint8ClampedAdaptor::toDouble): 10476 (JSC::Uint8ClampedAdaptor::toNativeFromInt32): 10477 (JSC::Uint8ClampedAdaptor::toNativeFromUint32): 10478 (JSC::Uint8ClampedAdaptor::toNativeFromDouble): 10479 (JSC::Uint8ClampedAdaptor::convertTo): 10480 104812013-08-24 Dan Bernstein <mitz@apple.com> 10482 10483 [mac] link against libz in a more civilized manner 10484 https://bugs.webkit.org/show_bug.cgi?id=120258 10485 10486 Reviewed by Darin Adler. 10487 10488 * Configurations/JavaScriptCore.xcconfig: Removed “-lz” from OTHER_LDFLAGS_BASE. 10489 * JavaScriptCore.xcodeproj/project.pbxproj: Added libz.dylib to the JavaScriptCore target’s 10490 Link Binary With Libraries build phase. 10491 104922013-08-23 Laszlo Papp <lpapp@kde.org> 10493 10494 Failure building with python3 10495 https://bugs.webkit.org/show_bug.cgi?id=106645 10496 10497 Reviewed by Benjamin Poulain. 10498 10499 Use print functions instead of python statements to be compatible with python 3.X and 2.7 as well. 10500 Archlinux has been using python3 and that is what causes issues while packaging QtWebKit along with Qt5. 10501 10502 * disassembler/udis86/itab.py: 10503 (UdItabGenerator.genInsnTable): 10504 * disassembler/udis86/ud_opcode.py: 10505 (UdOpcodeTables.print_table): 10506 * disassembler/udis86/ud_optable.py: 10507 (UdOptableXmlParser.parseDef): 10508 (UdOptableXmlParser.parse): 10509 (printFn): 10510 105112013-08-23 Filip Pizlo <fpizlo@apple.com> 10512 10513 Incorrect TypedArray#set behavior 10514 https://bugs.webkit.org/show_bug.cgi?id=83818 10515 10516 Reviewed by Oliver Hunt and Mark Hahnenberg. 10517 10518 This was so much fun! typedArray.set() is like a memmove on steroids, and I'm 10519 not smart enough to figure out optimal versions for *all* of the cases. But I 10520 did come up with optimal implementations for most of the cases, and I wrote 10521 spec-literal code (i.e. copy via a transfer buffer) for the cases I'm not smart 10522 enough to write optimal code for. 10523 10524 * runtime/JSArrayBufferView.h: 10525 (JSC::JSArrayBufferView::hasArrayBuffer): 10526 * runtime/JSArrayBufferViewInlines.h: 10527 (JSC::JSArrayBufferView::buffer): 10528 (JSC::JSArrayBufferView::existingBufferInButterfly): 10529 (JSC::JSArrayBufferView::neuter): 10530 (JSC::JSArrayBufferView::byteOffset): 10531 * runtime/JSGenericTypedArrayView.h: 10532 * runtime/JSGenericTypedArrayViewInlines.h: 10533 (JSC::::setWithSpecificType): 10534 (JSC::::set): 10535 (JSC::::existingBuffer): 10536 105372013-08-23 Alex Christensen <achristensen@apple.com> 10538 10539 Re-separating Win32 and Win64 builds. 10540 https://bugs.webkit.org/show_bug.cgi?id=120178 10541 10542 Reviewed by Brent Fulgham. 10543 10544 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: 10545 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make: 10546 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make: 10547 Pass PlatformArchitecture as a command line parameter to bash scripts. 10548 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: 10549 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: 10550 * JavaScriptCore.vcxproj/build-generated-files.sh: 10551 Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64). 10552 105532013-08-22 Filip Pizlo <fpizlo@apple.com> 10554 10555 build-jsc --ftl-jit should work 10556 https://bugs.webkit.org/show_bug.cgi?id=120194 10557 10558 Reviewed by Oliver Hunt. 10559 10560 * Configurations/Base.xcconfig: CPPFLAGS should include FEATURE_DEFINES 10561 * Configurations/JSC.xcconfig: The 'jsc' tool includes headers where field layout may depend on FEATURE_DEFINES 10562 * Configurations/ToolExecutable.xcconfig: All other tools include headers where field layout may depend on FEATURE_DEFINES 10563 * ftl/FTLLowerDFGToLLVM.cpp: Build fix 10564 (JSC::FTL::LowerDFGToLLVM::compilePutStructure): 10565 (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): 10566 105672013-08-23 Oliver Hunt <oliver@apple.com> 10568 10569 Re-sort xcode project file 10570 10571 * JavaScriptCore.xcodeproj/project.pbxproj: 10572 105732013-08-23 Oliver Hunt <oliver@apple.com> 10574 10575 Support in memory compression of rarely used data 10576 https://bugs.webkit.org/show_bug.cgi?id=120143 10577 10578 Reviewed by Gavin Barraclough. 10579 10580 Include zlib in LD_FLAGS and make UnlinkedCodeBlock make use of CompressibleVector. This saves ~200k on google maps. 10581 10582 * Configurations/JavaScriptCore.xcconfig: 10583 * bytecode/UnlinkedCodeBlock.cpp: 10584 (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset): 10585 (JSC::UnlinkedCodeBlock::addExpressionInfo): 10586 * bytecode/UnlinkedCodeBlock.h: 10587 105882013-08-22 Mark Hahnenberg <mhahnenberg@apple.com> 10589 10590 JSObject and JSArray code shouldn't have to tiptoe around garbage collection 10591 https://bugs.webkit.org/show_bug.cgi?id=120179 10592 10593 Reviewed by Geoffrey Garen. 10594 10595 There are many places in the code for JSObject and JSArray where they are manipulating their 10596 Butterfly/Structure, e.g. after expanding their out-of-line backing storage via allocating. Within 10597 these places there are certain "critical sections" where a GC would be disastrous. Gen GC looks 10598 like it will make this dance even more intricate. To make everybody's lives easier we should use 10599 the DeferGC mechanism in these functions to make these GC critical sections both obvious in the 10600 code and trivially safe. Deferring collections will usually only last marginally longer, thus we 10601 should not incur any additional overhead. 10602 10603 * heap/Heap.h: 10604 * runtime/JSArray.cpp: 10605 (JSC::JSArray::unshiftCountSlowCase): 10606 * runtime/JSObject.cpp: 10607 (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists): 10608 (JSC::JSObject::createInitialUndecided): 10609 (JSC::JSObject::createInitialInt32): 10610 (JSC::JSObject::createInitialDouble): 10611 (JSC::JSObject::createInitialContiguous): 10612 (JSC::JSObject::createArrayStorage): 10613 (JSC::JSObject::convertUndecidedToArrayStorage): 10614 (JSC::JSObject::convertInt32ToArrayStorage): 10615 (JSC::JSObject::convertDoubleToArrayStorage): 10616 (JSC::JSObject::convertContiguousToArrayStorage): 10617 (JSC::JSObject::increaseVectorLength): 10618 (JSC::JSObject::ensureLengthSlow): 10619 * runtime/JSObject.h: 10620 (JSC::JSObject::putDirectInternal): 10621 (JSC::JSObject::setStructureAndReallocateStorageIfNecessary): 10622 (JSC::JSObject::putDirectWithoutTransition): 10623 106242013-08-22 Filip Pizlo <fpizlo@apple.com> 10625 10626 Update LLVM binary drops and scripts to the latest version from SVN 10627 https://bugs.webkit.org/show_bug.cgi?id=120184 10628 10629 Reviewed by Mark Hahnenberg. 10630 10631 * dfg/DFGPlan.cpp: 10632 (JSC::DFG::Plan::compileInThreadImpl): 10633 106342013-08-22 Gavin Barraclough <barraclough@apple.com> 10635 10636 Don't leak registers for redeclared variables 10637 https://bugs.webkit.org/show_bug.cgi?id=120174 10638 10639 Reviewed by Geoff Garen. 10640 10641 We currently always allocate registers for new global variables, but these are wasted when the variable is being redeclared. 10642 Only allocate new registers when necessary. 10643 10644 No performance impact. 10645 10646 * interpreter/Interpreter.cpp: 10647 (JSC::Interpreter::execute): 10648 * runtime/Executable.cpp: 10649 (JSC::ProgramExecutable::initializeGlobalProperties): 10650 - Don't allocate the register here. 10651 * runtime/JSGlobalObject.cpp: 10652 (JSC::JSGlobalObject::addGlobalVar): 10653 - Allocate the register here instead. 10654 106552013-08-22 Gavin Barraclough <barraclough@apple.com> 10656 10657 https://bugs.webkit.org/show_bug.cgi?id=120128 10658 Remove putDirectVirtual 10659 10660 Unreviewed, checked in commented out code. :-( 10661 10662 * interpreter/Interpreter.cpp: 10663 (JSC::Interpreter::execute): 10664 - delete commented out code 10665 106662013-08-22 Gavin Barraclough <barraclough@apple.com> 10667 10668 Error.stack should not be enumerable 10669 https://bugs.webkit.org/show_bug.cgi?id=120171 10670 10671 Reviewed by Oliver Hunt. 10672 10673 Breaks ECMA tests. 10674 10675 * runtime/ErrorInstance.cpp: 10676 (JSC::ErrorInstance::finishCreation): 10677 - None -> DontEnum 10678 106792013-08-21 Gavin Barraclough <barraclough@apple.com> 10680 10681 https://bugs.webkit.org/show_bug.cgi?id=120128 10682 Remove putDirectVirtual 10683 10684 Reviewed by Sam Weinig. 10685 10686 This could most generously be described as 'vestigial'. 10687 No performance impact. 10688 10689 * API/JSObjectRef.cpp: 10690 (JSObjectSetProperty): 10691 - changed to use defineOwnProperty 10692 * debugger/DebuggerActivation.cpp: 10693 * debugger/DebuggerActivation.h: 10694 - remove putDirectVirtual 10695 * interpreter/Interpreter.cpp: 10696 (JSC::Interpreter::execute): 10697 - changed to use defineOwnProperty 10698 * runtime/ClassInfo.h: 10699 * runtime/JSActivation.cpp: 10700 * runtime/JSActivation.h: 10701 * runtime/JSCell.cpp: 10702 * runtime/JSCell.h: 10703 * runtime/JSGlobalObject.cpp: 10704 * runtime/JSGlobalObject.h: 10705 * runtime/JSObject.cpp: 10706 * runtime/JSObject.h: 10707 * runtime/JSProxy.cpp: 10708 * runtime/JSProxy.h: 10709 * runtime/JSSymbolTableObject.cpp: 10710 * runtime/JSSymbolTableObject.h: 10711 - remove putDirectVirtual 10712 * runtime/PropertyDescriptor.h: 10713 (JSC::PropertyDescriptor::PropertyDescriptor): 10714 - added constructor for convenience 10715 107162013-08-22 Chris Curtis <chris_curtis@apple.com> 10717 10718 errorDescriptionForValue() should not assume error value is an Object 10719 https://bugs.webkit.org/show_bug.cgi?id=119812 10720 10721 Reviewed by Geoffrey Garen. 10722 10723 Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue 10724 has no type, the function now returns the empty string. 10725 * runtime/ExceptionHelpers.cpp: 10726 (JSC::errorDescriptionForValue): 10727 107282013-08-22 Julien Brianceau <jbrianceau@nds.com> 10729 10730 Fix P_DFGOperation_EJS call for MIPS and ARM EABI. 10731 https://bugs.webkit.org/show_bug.cgi?id=120107 10732 10733 Reviewed by Yong Li. 10734 10735 EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI. 10736 10737 * dfg/DFGSpeculativeJIT.h: 10738 (JSC::DFG::SpeculativeJIT::callOperation): 10739 107402013-08-21 Commit Queue <commit-queue@webkit.org> 10741 10742 Unreviewed, rolling out r154416. 10743 http://trac.webkit.org/changeset/154416 10744 https://bugs.webkit.org/show_bug.cgi?id=120147 10745 10746 Broke Windows builds (Requested by rniwa on #webkit). 10747 10748 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: 10749 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make: 10750 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: 10751 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make: 10752 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: 10753 * JavaScriptCore.vcxproj/build-generated-files.sh: 10754 107552013-08-21 Gavin Barraclough <barraclough@apple.com> 10756 10757 Clarify var/const/function declaration 10758 https://bugs.webkit.org/show_bug.cgi?id=120144 10759 10760 Reviewed by Sam Weinig. 10761 10762 Add methods to JSGlobalObject to declare vars, consts, and functions. 10763 10764 * runtime/Executable.cpp: 10765 (JSC::ProgramExecutable::initializeGlobalProperties): 10766 * runtime/Executable.h: 10767 - Moved declaration code to JSGlobalObject 10768 * runtime/JSGlobalObject.cpp: 10769 (JSC::JSGlobalObject::addGlobalVar): 10770 - internal implementation of addVar, addConst, addFunction 10771 * runtime/JSGlobalObject.h: 10772 (JSC::JSGlobalObject::addVar): 10773 (JSC::JSGlobalObject::addConst): 10774 (JSC::JSGlobalObject::addFunction): 10775 - Added methods to declare vars, consts, and functions 10776 107772013-08-21 Yi Shen <max.hong.shen@gmail.com> 10778 10779 https://bugs.webkit.org/show_bug.cgi?id=119900 10780 Exception in global setter doesn't unwind correctly 10781 10782 Reviewed by Geoffrey Garen. 10783 10784 Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws exception. 10785 10786 * jit/JITStubs.cpp: 10787 (JSC::DEFINE_STUB_FUNCTION): 10788 107892013-08-21 Mark Hahnenberg <mhahnenberg@apple.com> 10790 10791 Rename/refactor setButterfly/setStructure 10792 https://bugs.webkit.org/show_bug.cgi?id=120138 10793 10794 Reviewed by Geoffrey Garen. 10795 10796 setButterfly becomes setStructureAndButterfly. 10797 10798 Also removed the Butterfly* argument from setStructure and just implicitly 10799 used m_butterfly internally since that's what every single client of setStructure 10800 was doing already. 10801 10802 * jit/JITStubs.cpp: 10803 (JSC::DEFINE_STUB_FUNCTION): 10804 * runtime/JSObject.cpp: 10805 (JSC::JSObject::notifyPresenceOfIndexedAccessors): 10806 (JSC::JSObject::createInitialUndecided): 10807 (JSC::JSObject::createInitialInt32): 10808 (JSC::JSObject::createInitialDouble): 10809 (JSC::JSObject::createInitialContiguous): 10810 (JSC::JSObject::createArrayStorage): 10811 (JSC::JSObject::convertUndecidedToInt32): 10812 (JSC::JSObject::convertUndecidedToDouble): 10813 (JSC::JSObject::convertUndecidedToContiguous): 10814 (JSC::JSObject::convertUndecidedToArrayStorage): 10815 (JSC::JSObject::convertInt32ToDouble): 10816 (JSC::JSObject::convertInt32ToContiguous): 10817 (JSC::JSObject::convertInt32ToArrayStorage): 10818 (JSC::JSObject::genericConvertDoubleToContiguous): 10819 (JSC::JSObject::convertDoubleToArrayStorage): 10820 (JSC::JSObject::convertContiguousToArrayStorage): 10821 (JSC::JSObject::switchToSlowPutArrayStorage): 10822 (JSC::JSObject::setPrototype): 10823 (JSC::JSObject::putDirectAccessor): 10824 (JSC::JSObject::seal): 10825 (JSC::JSObject::freeze): 10826 (JSC::JSObject::preventExtensions): 10827 (JSC::JSObject::reifyStaticFunctionsForDelete): 10828 (JSC::JSObject::removeDirect): 10829 * runtime/JSObject.h: 10830 (JSC::JSObject::setStructureAndButterfly): 10831 (JSC::JSObject::setStructure): 10832 (JSC::JSObject::putDirectInternal): 10833 (JSC::JSObject::setStructureAndReallocateStorageIfNecessary): 10834 (JSC::JSObject::putDirectWithoutTransition): 10835 * runtime/Structure.cpp: 10836 (JSC::Structure::flattenDictionaryStructure): 10837 108382013-08-21 Gavin Barraclough <barraclough@apple.com> 10839 10840 https://bugs.webkit.org/show_bug.cgi?id=120127 10841 Remove JSObject::propertyIsEnumerable 10842 10843 Unreviewed typo fix 10844 10845 * runtime/JSObject.h: 10846 - fix typo 10847 108482013-08-21 Gavin Barraclough <barraclough@apple.com> 10849 10850 https://bugs.webkit.org/show_bug.cgi?id=120139 10851 PropertyDescriptor argument to define methods should be const 10852 10853 Rubber stamped by Sam Weinig. 10854 10855 This should never be modified, and this way we can use rvalues. 10856 10857 * debugger/DebuggerActivation.cpp: 10858 (JSC::DebuggerActivation::defineOwnProperty): 10859 * debugger/DebuggerActivation.h: 10860 * runtime/Arguments.cpp: 10861 (JSC::Arguments::defineOwnProperty): 10862 * runtime/Arguments.h: 10863 * runtime/ClassInfo.h: 10864 * runtime/JSArray.cpp: 10865 (JSC::JSArray::defineOwnProperty): 10866 * runtime/JSArray.h: 10867 * runtime/JSArrayBuffer.cpp: 10868 (JSC::JSArrayBuffer::defineOwnProperty): 10869 * runtime/JSArrayBuffer.h: 10870 * runtime/JSArrayBufferView.cpp: 10871 (JSC::JSArrayBufferView::defineOwnProperty): 10872 * runtime/JSArrayBufferView.h: 10873 * runtime/JSCell.cpp: 10874 (JSC::JSCell::defineOwnProperty): 10875 * runtime/JSCell.h: 10876 * runtime/JSFunction.cpp: 10877 (JSC::JSFunction::defineOwnProperty): 10878 * runtime/JSFunction.h: 10879 * runtime/JSGenericTypedArrayView.h: 10880 * runtime/JSGenericTypedArrayViewInlines.h: 10881 (JSC::::defineOwnProperty): 10882 * runtime/JSGlobalObject.cpp: 10883 (JSC::JSGlobalObject::defineOwnProperty): 10884 * runtime/JSGlobalObject.h: 10885 * runtime/JSObject.cpp: 10886 (JSC::JSObject::putIndexedDescriptor): 10887 (JSC::JSObject::defineOwnIndexedProperty): 10888 (JSC::putDescriptor): 10889 (JSC::JSObject::defineOwnNonIndexProperty): 10890 (JSC::JSObject::defineOwnProperty): 10891 * runtime/JSObject.h: 10892 * runtime/JSProxy.cpp: 10893 (JSC::JSProxy::defineOwnProperty): 10894 * runtime/JSProxy.h: 10895 * runtime/RegExpMatchesArray.h: 10896 (JSC::RegExpMatchesArray::defineOwnProperty): 10897 * runtime/RegExpObject.cpp: 10898 (JSC::RegExpObject::defineOwnProperty): 10899 * runtime/RegExpObject.h: 10900 * runtime/StringObject.cpp: 10901 (JSC::StringObject::defineOwnProperty): 10902 * runtime/StringObject.h: 10903 - make PropertyDescriptor const 10904 109052013-08-21 Filip Pizlo <fpizlo@apple.com> 10906 10907 REGRESSION: Crash under JITCompiler::link while loading Gmail 10908 https://bugs.webkit.org/show_bug.cgi?id=119872 10909 10910 Reviewed by Mark Hahnenberg. 10911 10912 Apparently, unsigned + signed = unsigned. Work around it with a cast. 10913 10914 * dfg/DFGByteCodeParser.cpp: 10915 (JSC::DFG::ByteCodeParser::parseBlock): 10916 109172013-08-21 Alex Christensen <achristensen@apple.com> 10918 10919 <https://webkit.org/b/120137> Separating Win32 and Win64 builds. 10920 10921 Reviewed by Brent Fulgham. 10922 10923 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: 10924 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make: 10925 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make: 10926 Pass PlatformArchitecture as a command line parameter to bash scripts. 10927 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: 10928 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: 10929 * JavaScriptCore.vcxproj/build-generated-files.sh: 10930 Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64). 10931 109322013-08-21 Filip Pizlo <fpizlo@apple.com> 10933 10934 Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView 10935 https://bugs.webkit.org/show_bug.cgi?id=120099 10936 10937 Reviewed by Mark Hahnenberg. 10938 10939 JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since 10940 JSDataView may have ordinary JS indexed properties. 10941 10942 * runtime/ClassInfo.h: 10943 * runtime/JSArrayBufferView.cpp: 10944 (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext): 10945 (JSC::JSArrayBufferView::finishCreation): 10946 * runtime/JSArrayBufferView.h: 10947 (JSC::hasArrayBuffer): 10948 * runtime/JSArrayBufferViewInlines.h: 10949 (JSC::JSArrayBufferView::buffer): 10950 (JSC::JSArrayBufferView::neuter): 10951 (JSC::JSArrayBufferView::byteOffset): 10952 * runtime/JSCell.cpp: 10953 (JSC::JSCell::slowDownAndWasteMemory): 10954 * runtime/JSCell.h: 10955 * runtime/JSDataView.cpp: 10956 (JSC::JSDataView::JSDataView): 10957 (JSC::JSDataView::create): 10958 (JSC::JSDataView::slowDownAndWasteMemory): 10959 * runtime/JSDataView.h: 10960 (JSC::JSDataView::buffer): 10961 * runtime/JSGenericTypedArrayView.h: 10962 * runtime/JSGenericTypedArrayViewInlines.h: 10963 (JSC::::visitChildren): 10964 (JSC::::slowDownAndWasteMemory): 10965 109662013-08-21 Mark Hahnenberg <mhahnenberg@apple.com> 10967 10968 Remove incorrect ASSERT from CopyVisitor::visitItem 10969 10970 Rubber stamped by Filip Pizlo. 10971 10972 * heap/CopyVisitorInlines.h: 10973 (JSC::CopyVisitor::visitItem): 10974 109752013-08-21 Gavin Barraclough <barraclough@apple.com> 10976 10977 https://bugs.webkit.org/show_bug.cgi?id=120127 10978 Remove JSObject::propertyIsEnumerable 10979 10980 Reviewed by Sam Weinig. 10981 10982 This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC. 10983 10984 * runtime/JSObject.cpp: 10985 * runtime/JSObject.h: 10986 - remove propertyIsEnumerable 10987 * runtime/ObjectPrototype.cpp: 10988 (JSC::objectProtoFuncPropertyIsEnumerable): 10989 - Move implementation here using getOwnPropertyDescriptor directly. 10990 109912013-08-20 Filip Pizlo <fpizlo@apple.com> 10992 10993 DFG should inline new typedArray() 10994 https://bugs.webkit.org/show_bug.cgi?id=120022 10995 10996 Reviewed by Oliver Hunt. 10997 10998 Adds inlining of typed array allocations in the DFG. Any operation of the 10999 form: 11000 11001 new foo(blah) 11002 11003 or: 11004 11005 foo(blah) 11006 11007 where 'foo' is a typed array constructor and 'blah' is exactly one argument, 11008 is turned into the NewTypedArray intrinsic. Later, of child1 (i.e. 'blah') 11009 is predicted integer, we generate inline code for an allocation. Otherwise 11010 it turns into a call to an operation that behaves like the constructor would 11011 if it was passed one argument (i.e. it may wrap a buffer or it may create a 11012 copy or another array, or it may allocate an array of that length). 11013 11014 * bytecode/SpeculatedType.cpp: 11015 (JSC::speculationFromTypedArrayType): 11016 (JSC::speculationFromClassInfo): 11017 * bytecode/SpeculatedType.h: 11018 * dfg/DFGAbstractInterpreterInlines.h: 11019 (JSC::DFG::::executeEffects): 11020 * dfg/DFGBackwardsPropagationPhase.cpp: 11021 (JSC::DFG::BackwardsPropagationPhase::propagate): 11022 * dfg/DFGByteCodeParser.cpp: 11023 (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor): 11024 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): 11025 * dfg/DFGCCallHelpers.h: 11026 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState): 11027 * dfg/DFGCSEPhase.cpp: 11028 (JSC::DFG::CSEPhase::putStructureStoreElimination): 11029 * dfg/DFGClobberize.h: 11030 (JSC::DFG::clobberize): 11031 * dfg/DFGFixupPhase.cpp: 11032 (JSC::DFG::FixupPhase::fixupNode): 11033 * dfg/DFGGraph.cpp: 11034 (JSC::DFG::Graph::dump): 11035 * dfg/DFGNode.h: 11036 (JSC::DFG::Node::hasTypedArrayType): 11037 (JSC::DFG::Node::typedArrayType): 11038 * dfg/DFGNodeType.h: 11039 * dfg/DFGOperations.cpp: 11040 (JSC::DFG::newTypedArrayWithSize): 11041 (JSC::DFG::newTypedArrayWithOneArgument): 11042 * dfg/DFGOperations.h: 11043 (JSC::DFG::operationNewTypedArrayWithSizeForType): 11044 (JSC::DFG::operationNewTypedArrayWithOneArgumentForType): 11045 * dfg/DFGPredictionPropagationPhase.cpp: 11046 (JSC::DFG::PredictionPropagationPhase::propagate): 11047 * dfg/DFGSafeToExecute.h: 11048 (JSC::DFG::safeToExecute): 11049 * dfg/DFGSpeculativeJIT.cpp: 11050 (JSC::DFG::SpeculativeJIT::compileNewTypedArray): 11051 * dfg/DFGSpeculativeJIT.h: 11052 (JSC::DFG::SpeculativeJIT::callOperation): 11053 * dfg/DFGSpeculativeJIT32_64.cpp: 11054 (JSC::DFG::SpeculativeJIT::compile): 11055 * dfg/DFGSpeculativeJIT64.cpp: 11056 (JSC::DFG::SpeculativeJIT::compile): 11057 * jit/JITOpcodes.cpp: 11058 (JSC::JIT::emit_op_new_object): 11059 * jit/JITOpcodes32_64.cpp: 11060 (JSC::JIT::emit_op_new_object): 11061 * runtime/JSArray.h: 11062 (JSC::JSArray::allocationSize): 11063 * runtime/JSArrayBufferView.h: 11064 (JSC::JSArrayBufferView::allocationSize): 11065 * runtime/JSGenericTypedArrayViewConstructorInlines.h: 11066 (JSC::constructGenericTypedArrayView): 11067 * runtime/JSObject.h: 11068 (JSC::JSFinalObject::allocationSize): 11069 * runtime/TypedArrayType.cpp: 11070 (JSC::constructorClassInfoForType): 11071 * runtime/TypedArrayType.h: 11072 (JSC::indexToTypedArrayType): 11073 110742013-08-21 Julien Brianceau <jbrianceau@nds.com> 11075 11076 <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG. 11077 11078 Reviewed by Geoffrey Garen. 11079 11080 * dfg/DFGOperations.h: 11081 110822013-08-20 Gavin Barraclough <barraclough@apple.com> 11083 11084 https://bugs.webkit.org/show_bug.cgi?id=120093 11085 Remove getOwnPropertyDescriptor trap 11086 11087 Reviewed by Geoff Garen. 11088 11089 All implementations of this method are now called via the method table, and equivalent in behaviour. 11090 Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject. 11091 11092 * API/JSCallbackObject.h: 11093 * API/JSCallbackObjectFunctions.h: 11094 * debugger/DebuggerActivation.cpp: 11095 * debugger/DebuggerActivation.h: 11096 * runtime/Arguments.cpp: 11097 * runtime/Arguments.h: 11098 * runtime/ArrayConstructor.cpp: 11099 * runtime/ArrayConstructor.h: 11100 * runtime/ArrayPrototype.cpp: 11101 * runtime/ArrayPrototype.h: 11102 * runtime/BooleanPrototype.cpp: 11103 * runtime/BooleanPrototype.h: 11104 - remove getOwnPropertyDescriptor 11105 * runtime/ClassInfo.h: 11106 - remove getOwnPropertyDescriptor from MethodTable 11107 * runtime/DateConstructor.cpp: 11108 * runtime/DateConstructor.h: 11109 * runtime/DatePrototype.cpp: 11110 * runtime/DatePrototype.h: 11111 * runtime/ErrorPrototype.cpp: 11112 * runtime/ErrorPrototype.h: 11113 * runtime/JSActivation.cpp: 11114 * runtime/JSActivation.h: 11115 * runtime/JSArray.cpp: 11116 * runtime/JSArray.h: 11117 * runtime/JSArrayBuffer.cpp: 11118 * runtime/JSArrayBuffer.h: 11119 * runtime/JSArrayBufferView.cpp: 11120 * runtime/JSArrayBufferView.h: 11121 * runtime/JSCell.cpp: 11122 * runtime/JSCell.h: 11123 * runtime/JSDataView.cpp: 11124 * runtime/JSDataView.h: 11125 * runtime/JSDataViewPrototype.cpp: 11126 * runtime/JSDataViewPrototype.h: 11127 * runtime/JSFunction.cpp: 11128 * runtime/JSFunction.h: 11129 * runtime/JSGenericTypedArrayView.h: 11130 * runtime/JSGenericTypedArrayViewInlines.h: 11131 * runtime/JSGlobalObject.cpp: 11132 * runtime/JSGlobalObject.h: 11133 * runtime/JSNotAnObject.cpp: 11134 * runtime/JSNotAnObject.h: 11135 * runtime/JSONObject.cpp: 11136 * runtime/JSONObject.h: 11137 - remove getOwnPropertyDescriptor 11138 * runtime/JSObject.cpp: 11139 (JSC::JSObject::propertyIsEnumerable): 11140 - switch to call new getOwnPropertyDescriptor member function 11141 (JSC::JSObject::getOwnPropertyDescriptor): 11142 - new, based on imlementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL 11143 (JSC::JSObject::defineOwnNonIndexProperty): 11144 - switch to call new getOwnPropertyDescriptor member function 11145 * runtime/JSObject.h: 11146 * runtime/JSProxy.cpp: 11147 * runtime/JSProxy.h: 11148 * runtime/NamePrototype.cpp: 11149 * runtime/NamePrototype.h: 11150 * runtime/NumberConstructor.cpp: 11151 * runtime/NumberConstructor.h: 11152 * runtime/NumberPrototype.cpp: 11153 * runtime/NumberPrototype.h: 11154 - remove getOwnPropertyDescriptor 11155 * runtime/ObjectConstructor.cpp: 11156 (JSC::objectConstructorGetOwnPropertyDescriptor): 11157 (JSC::objectConstructorSeal): 11158 (JSC::objectConstructorFreeze): 11159 (JSC::objectConstructorIsSealed): 11160 (JSC::objectConstructorIsFrozen): 11161 - switch to call new getOwnPropertyDescriptor member function 11162 * runtime/ObjectConstructor.h: 11163 - remove getOwnPropertyDescriptor 11164 * runtime/PropertyDescriptor.h: 11165 - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL 11166 * runtime/RegExpConstructor.cpp: 11167 * runtime/RegExpConstructor.h: 11168 * runtime/RegExpMatchesArray.cpp: 11169 * runtime/RegExpMatchesArray.h: 11170 * runtime/RegExpObject.cpp: 11171 * runtime/RegExpObject.h: 11172 * runtime/RegExpPrototype.cpp: 11173 * runtime/RegExpPrototype.h: 11174 * runtime/StringConstructor.cpp: 11175 * runtime/StringConstructor.h: 11176 * runtime/StringObject.cpp: 11177 * runtime/StringObject.h: 11178 - remove getOwnPropertyDescriptor 11179 111802013-08-20 Mark Hahnenberg <mhahnenberg@apple.com> 11181 11182 <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption 11183 11184 Reviewed by Oliver Hunt. 11185 11186 When we flatten an object in dictionary mode, we compact its properties. If the object 11187 had out-of-line storage in the form of a Butterfly prior to this compaction, and after 11188 compaction its properties fit inline, the object's Structure "forgets" that the object 11189 has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes 11190 with bytes = 0, which causes all sorts of badness in CopiedSpace. 11191 11192 Instead, after we flatten a dictionary, if properties fit inline we should clear the 11193 Butterfly pointer so that the GC doesn't get confused later. 11194 11195 This patch does this clearing, and it also adds JSObject::checkStructure, which overrides 11196 JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned 11197 agrees with the whether or not the object has a Butterfly. Also added an ASSERT to check 11198 that the number of bytes reported to SlotVisitor::copyLater is non-zero. 11199 11200 * heap/SlotVisitorInlines.h: 11201 (JSC::SlotVisitor::copyLater): 11202 * runtime/JSObject.cpp: 11203 (JSC::JSObject::notifyPresenceOfIndexedAccessors): 11204 (JSC::JSObject::convertUndecidedToInt32): 11205 (JSC::JSObject::convertUndecidedToDouble): 11206 (JSC::JSObject::convertUndecidedToContiguous): 11207 (JSC::JSObject::convertInt32ToDouble): 11208 (JSC::JSObject::convertInt32ToContiguous): 11209 (JSC::JSObject::genericConvertDoubleToContiguous): 11210 (JSC::JSObject::switchToSlowPutArrayStorage): 11211 (JSC::JSObject::setPrototype): 11212 (JSC::JSObject::putDirectAccessor): 11213 (JSC::JSObject::seal): 11214 (JSC::JSObject::freeze): 11215 (JSC::JSObject::preventExtensions): 11216 (JSC::JSObject::reifyStaticFunctionsForDelete): 11217 (JSC::JSObject::removeDirect): 11218 * runtime/JSObject.h: 11219 (JSC::JSObject::setButterfly): 11220 (JSC::JSObject::putDirectInternal): 11221 (JSC::JSObject::setStructure): 11222 (JSC::JSObject::setStructureAndReallocateStorageIfNecessary): 11223 * runtime/Structure.cpp: 11224 (JSC::Structure::flattenDictionaryStructure): 11225 112262013-08-20 Alex Christensen <achristensen@apple.com> 11227 11228 Compile fix for Win64 after r154156. 11229 11230 Rubber stamped by Oliver Hunt. 11231 11232 * jit/JITStubsMSVC64.asm: 11233 Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and 11234 cti_vm_throw_slowpath to cti_vm_handle_exception. 11235 112362013-08-20 Alex Christensen <achristensen@apple.com> 11237 11238 <https://webkit.org/b/120076> More work towards a Win64 build 11239 11240 Reviewed by Brent Fulgham. 11241 11242 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: 11243 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make: 11244 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make: 11245 * JavaScriptCore.vcxproj/copy-files.cmd: 11246 * JavaScriptCore.vcxproj/jsc/jscCommon.props: 11247 * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: 11248 Use PlatformArchitecture macro instead of bin32, lib32, and obj32. 11249 112502013-08-20 Mark Hahnenberg <mhahnenberg@apple.com> 11251 11252 <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML 11253 11254 Reviewed by Geoffrey Garen. 11255 11256 More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the 11257 initializeLazyWriteBarrierFor* wrapper functions more sane. 11258 11259 Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock 11260 and index when triggering the WriteBarrier at the end of compilation. 11261 11262 The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing 11263 in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a 11264 little extra work that really shouldn't have been its responsibility. 11265 11266 * dfg/DFGByteCodeParser.cpp: 11267 (JSC::DFG::ByteCodeParser::addConstant): 11268 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): 11269 * dfg/DFGDesiredWriteBarriers.cpp: 11270 (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier): 11271 (JSC::DFG::DesiredWriteBarrier::trigger): 11272 * dfg/DFGDesiredWriteBarriers.h: 11273 (JSC::DFG::DesiredWriteBarriers::add): 11274 (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable): 11275 (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee): 11276 (JSC::DFG::initializeLazyWriteBarrierForConstant): 11277 * dfg/DFGFixupPhase.cpp: 11278 (JSC::DFG::FixupPhase::truncateConstantToInt32): 11279 * dfg/DFGGraph.h: 11280 (JSC::DFG::Graph::constantRegisterForConstant): 11281 112822013-08-20 Michael Saboff <msaboff@apple.com> 11283 11284 https://bugs.webkit.org/show_bug.cgi?id=120075 11285 REGRESSION (r128400): BBC4 website not displaying pictures 11286 11287 Reviewed by Oliver Hunt. 11288 11289 * runtime/RegExpMatchesArray.h: 11290 (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage 11291 so that the match results will be reified before any other modification to the results array. 11292 112932013-08-19 Filip Pizlo <fpizlo@apple.com> 11294 11295 Incorrect behavior on emscripten-compiled cube2hash 11296 https://bugs.webkit.org/show_bug.cgi?id=120033 11297 11298 Reviewed by Mark Hahnenberg. 11299 11300 If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar 11301 then we should bail attempts to CSE. 11302 11303 * dfg/DFGCSEPhase.cpp: 11304 (JSC::DFG::CSEPhase::scopedVarLoadElimination): 11305 (JSC::DFG::CSEPhase::scopedVarStoreElimination): 11306 113072013-08-20 Gavin Barraclough <barraclough@apple.com> 11308 11309 https://bugs.webkit.org/show_bug.cgi?id=120073 11310 Remove use of GOPD from JSFunction::defineProperty 11311 11312 Reviewed by Oliver Hunt. 11313 11314 Call getOwnPropertySlot to check for existing properties instead. 11315 11316 * runtime/JSFunction.cpp: 11317 (JSC::JSFunction::defineOwnProperty): 11318 - getOwnPropertyDescriptor -> getOwnPropertySlot 11319 113202013-08-20 Gavin Barraclough <barraclough@apple.com> 11321 11322 https://bugs.webkit.org/show_bug.cgi?id=120067 11323 Remove getPropertyDescriptor 11324 11325 Reviewed by Oliver Hunt. 11326 11327 This is used by lookupGetter/lookupSetter - this can easily bee replaced by getPropertySlot. 11328 Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor(). 11329 11330 * runtime/JSObject.cpp: 11331 * runtime/JSObject.h: 11332 - remove getPropertyDescriptor 11333 * runtime/ObjectPrototype.cpp: 11334 (JSC::objectProtoFuncLookupGetter): 11335 (JSC::objectProtoFuncLookupSetter): 11336 - replace call to getPropertyDescriptor with getPropertySlot 11337 * runtime/PropertyDescriptor.h: 11338 * runtime/PropertySlot.h: 11339 (JSC::PropertySlot::isAccessor): 11340 (JSC::PropertySlot::isCacheableGetter): 11341 (JSC::PropertySlot::getterSetter): 11342 - rename isGetter() to isAccessor() 11343 113442013-08-20 Gavin Barraclough <barraclough@apple.com> 11345 11346 https://bugs.webkit.org/show_bug.cgi?id=120054 11347 Remove some dead code following getOwnPropertyDescriptor cleanup 11348 11349 Reviewed by Oliver Hunt. 11350 11351 * runtime/Lookup.h: 11352 (JSC::getStaticFunctionSlot): 11353 - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor. 11354 113552013-08-20 Gavin Barraclough <barraclough@apple.com> 11356 11357 https://bugs.webkit.org/show_bug.cgi?id=120052 11358 Remove custom getOwnPropertyDescriptor for JSProxy 11359 11360 Reviewed by Geoff Garen. 11361 11362 GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul with JSProxy due to the workaround for JSDOMWindow's broken behavior. 11363 Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base 11364 object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely 11365 assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept 11366 the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works. 11367 11368 * runtime/JSProxy.cpp: 11369 - Remove custom getOwnPropertyDescriptor implementation. 11370 * runtime/PropertyDescriptor.h: 11371 - Modify own property access check to perform toThis conversion. 11372 113732013-08-20 Alex Christensen <achristensen@apple.com> 11374 11375 Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows. 11376 https://bugs.webkit.org/show_bug.cgi?id=119512 11377 11378 Reviewed by Brent Fulgham. 11379 11380 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 11381 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 11382 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: 11383 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: 11384 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: 11385 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: 11386 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: 11387 Replaced obj32, bin32, and lib32 with macros for 64-bit build. 11388 113892013-08-20 Julien Brianceau <jbrianceau@nds.com> 11390 11391 <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT. 11392 11393 Reviewed by Allan Sandfeld Jensen. 11394 11395 branchPtrWithPatch() of baseline JIT must ensure that space is available for its 11396 instructions and two constants now DFG is enabled for sh4 architecture. 11397 These missing ensureSpace calls lead to random crashes. 11398 11399 * assembler/MacroAssemblerSH4.h: 11400 (JSC::MacroAssemblerSH4::branchPtrWithPatch): 11401 114022013-08-19 Gavin Barraclough <barraclough@apple.com> 11403 11404 https://bugs.webkit.org/show_bug.cgi?id=120034 11405 Remove custom getOwnPropertyDescriptor for global objects 11406 11407 Reviewed by Geoff Garen. 11408 11409 Fix attributes of JSC SynbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk. 11410 11411 * runtime/JSGlobalObject.cpp: 11412 - Remove custom getOwnPropertyDescriptor implementation. 11413 * runtime/JSSymbolTableObject.h: 11414 (JSC::symbolTableGet): 11415 - The symbol table does not store the DontDelete attribute, we should be adding it back in. 11416 * runtime/PropertyDescriptor.h: 11417 - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case. 11418 * runtime/PropertySlot.h: 11419 (JSC::PropertySlot::setUndefined): 11420 - This is used by WebCore when blocking access to properties on cross-frame access. 11421 Mark blocked properties as read-only, non-configurable to prevent defineProperty. 11422 114232013-08-17 Filip Pizlo <fpizlo@apple.com> 11424 11425 DFG should inline typedArray.byteOffset 11426 https://bugs.webkit.org/show_bug.cgi?id=119962 11427 11428 Reviewed by Oliver Hunt. 11429 11430 This adds a new node, GetTypedArrayByteOffset, which inlines 11431 typedArray.byteOffset. 11432 11433 Also, I improved a bunch of the clobbering logic related to typed arrays 11434 and clobbering in general. For example, PutByOffset/PutStructure are not 11435 clobber-world so they can be handled by most default cases in CSE. Also, 11436 It's better to use the 'Class_field' notation for typed arrays now that 11437 they no longer involve magical descriptor thingies. 11438 11439 * bytecode/SpeculatedType.h: 11440 * dfg/DFGAbstractHeap.h: 11441 * dfg/DFGAbstractInterpreterInlines.h: 11442 (JSC::DFG::::executeEffects): 11443 * dfg/DFGArrayMode.h: 11444 (JSC::DFG::neverNeedsStorage): 11445 * dfg/DFGCSEPhase.cpp: 11446 (JSC::DFG::CSEPhase::getByValLoadElimination): 11447 (JSC::DFG::CSEPhase::getByOffsetLoadElimination): 11448 (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): 11449 (JSC::DFG::CSEPhase::checkArrayElimination): 11450 (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination): 11451 (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination): 11452 (JSC::DFG::CSEPhase::performNodeCSE): 11453 * dfg/DFGClobberize.h: 11454 (JSC::DFG::clobberize): 11455 * dfg/DFGFixupPhase.cpp: 11456 (JSC::DFG::FixupPhase::fixupNode): 11457 (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength): 11458 (JSC::DFG::FixupPhase::convertToGetArrayLength): 11459 (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset): 11460 * dfg/DFGNodeType.h: 11461 * dfg/DFGPredictionPropagationPhase.cpp: 11462 (JSC::DFG::PredictionPropagationPhase::propagate): 11463 * dfg/DFGSafeToExecute.h: 11464 (JSC::DFG::safeToExecute): 11465 * dfg/DFGSpeculativeJIT.cpp: 11466 (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): 11467 * dfg/DFGSpeculativeJIT.h: 11468 * dfg/DFGSpeculativeJIT32_64.cpp: 11469 (JSC::DFG::SpeculativeJIT::compile): 11470 * dfg/DFGSpeculativeJIT64.cpp: 11471 (JSC::DFG::SpeculativeJIT::compile): 11472 * dfg/DFGTypeCheckHoistingPhase.cpp: 11473 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): 11474 * runtime/ArrayBuffer.h: 11475 (JSC::ArrayBuffer::offsetOfData): 11476 * runtime/Butterfly.h: 11477 (JSC::Butterfly::offsetOfArrayBuffer): 11478 * runtime/IndexingHeader.h: 11479 (JSC::IndexingHeader::offsetOfArrayBuffer): 11480 114812013-08-18 Filip Pizlo <fpizlo@apple.com> 11482 11483 <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects 11484 11485 Reviewed by Geoffrey Garen. 11486 11487 * dfg/DFGByteCodeParser.cpp: 11488 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): 11489 114902013-08-18 Gavin Barraclough <barraclough@apple.com> 11491 11492 https://bugs.webkit.org/show_bug.cgi?id=119995 11493 Start removing custom implementations of getOwnPropertyDescriptor 11494 11495 Reviewed by Oliver Hunt. 11496 11497 This can now typically implemented in terms of getOwnPropertySlot. 11498 Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS. 11499 Switch over most classes in JSC & the WebCore bindings generator to use this. 11500 11501 * API/JSCallbackObjectFunctions.h: 11502 * debugger/DebuggerActivation.cpp: 11503 * runtime/Arguments.cpp: 11504 * runtime/ArrayConstructor.cpp: 11505 * runtime/ArrayPrototype.cpp: 11506 * runtime/BooleanPrototype.cpp: 11507 * runtime/DateConstructor.cpp: 11508 * runtime/DatePrototype.cpp: 11509 * runtime/ErrorPrototype.cpp: 11510 * runtime/JSActivation.cpp: 11511 * runtime/JSArray.cpp: 11512 * runtime/JSArrayBuffer.cpp: 11513 * runtime/JSArrayBufferView.cpp: 11514 * runtime/JSCell.cpp: 11515 * runtime/JSDataView.cpp: 11516 * runtime/JSDataViewPrototype.cpp: 11517 * runtime/JSFunction.cpp: 11518 * runtime/JSGenericTypedArrayViewInlines.h: 11519 * runtime/JSNotAnObject.cpp: 11520 * runtime/JSONObject.cpp: 11521 * runtime/JSObject.cpp: 11522 * runtime/NamePrototype.cpp: 11523 * runtime/NumberConstructor.cpp: 11524 * runtime/NumberPrototype.cpp: 11525 * runtime/ObjectConstructor.cpp: 11526 - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL. 11527 * runtime/PropertyDescriptor.h: 11528 - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro. 11529 * runtime/PropertySlot.h: 11530 (JSC::PropertySlot::isValue): 11531 (JSC::PropertySlot::isGetter): 11532 (JSC::PropertySlot::isCustom): 11533 (JSC::PropertySlot::isCacheableValue): 11534 (JSC::PropertySlot::isCacheableGetter): 11535 (JSC::PropertySlot::isCacheableCustom): 11536 (JSC::PropertySlot::attributes): 11537 (JSC::PropertySlot::getterSetter): 11538 - Add accessors necessary to convert PropertySlot to descriptor. 11539 * runtime/RegExpConstructor.cpp: 11540 * runtime/RegExpMatchesArray.cpp: 11541 * runtime/RegExpMatchesArray.h: 11542 * runtime/RegExpObject.cpp: 11543 * runtime/RegExpPrototype.cpp: 11544 * runtime/StringConstructor.cpp: 11545 * runtime/StringObject.cpp: 11546 - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL. 11547 115482013-08-19 Michael Saboff <msaboff@apple.com> 11549 11550 https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com 11551 11552 Reviewed by Sam Weinig. 11553 11554 * dfg/DFGSpeculativeJIT32_64.cpp: 11555 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being 11556 DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in 11557 all versions of fillSpeculateBoolean(). 11558 115592013-08-19 Michael Saboff <msaboff@apple.com> 11560 11561 https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests 11562 11563 Reviewed by Benjamin Poulain. 11564 11565 Change branshTest32 to only use the byte for 8 bit test on the lower 4 registers. 11566 Registers 4 through 7 as byte regisers are ah, ch, dh and bh instead of sp, bp, si and di. 11567 11568 * assembler/MacroAssemblerX86Common.h: 11569 (JSC::MacroAssemblerX86Common::branchTest32): 11570 115712013-08-16 Oliver Hunt <oliver@apple.com> 11572 11573 <https://webkit.org/b/119860> Crash during exception unwinding 11574 11575 Reviewed by Filip Pizlo. 11576 11577 Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error 11578 to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node. 11579 11580 We need this so that Throw and ThrowReferenceError no longer need to be treated as 11581 terminals and the subsequent flush keeps the activation (and other registers) live. 11582 11583 * dfg/DFGAbstractInterpreterInlines.h: 11584 (JSC::DFG::::executeEffects): 11585 * dfg/DFGByteCodeParser.cpp: 11586 (JSC::DFG::ByteCodeParser::parseBlock): 11587 * dfg/DFGClobberize.h: 11588 (JSC::DFG::clobberize): 11589 * dfg/DFGFixupPhase.cpp: 11590 (JSC::DFG::FixupPhase::fixupNode): 11591 * dfg/DFGNode.h: 11592 (JSC::DFG::Node::isTerminal): 11593 * dfg/DFGNodeType.h: 11594 * dfg/DFGPredictionPropagationPhase.cpp: 11595 (JSC::DFG::PredictionPropagationPhase::propagate): 11596 * dfg/DFGSafeToExecute.h: 11597 (JSC::DFG::safeToExecute): 11598 * dfg/DFGSpeculativeJIT32_64.cpp: 11599 (JSC::DFG::SpeculativeJIT::compile): 11600 * dfg/DFGSpeculativeJIT64.cpp: 11601 (JSC::DFG::SpeculativeJIT::compile): 11602 116032013-08-19 Víctor Manuel Jáquez Leal <vjaquez@igalia.com> 11604 11605 <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken 11606 11607 Reviewed by Oliver Hunt. 11608 11609 Guard the compilation of these files only if DFG_JIT is enabled. 11610 11611 * dfg/DFGDesiredTransitions.cpp: 11612 * dfg/DFGDesiredTransitions.h: 11613 * dfg/DFGDesiredWeakReferences.cpp: 11614 * dfg/DFGDesiredWeakReferences.h: 11615 * dfg/DFGDesiredWriteBarriers.cpp: 11616 * dfg/DFGDesiredWriteBarriers.h: 11617 116182013-08-17 Filip Pizlo <fpizlo@apple.com> 11619 11620 REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse 11621 https://bugs.webkit.org/show_bug.cgi?id=119961 11622 11623 Reviewed by Mark Hahnenberg. 11624 11625 * dfg/DFGFixupPhase.cpp: 11626 (JSC::DFG::FixupPhase::fixupNode): 11627 116282013-08-18 Gavin Barraclough <barraclough@apple.com> 11629 11630 https://bugs.webkit.org/show_bug.cgi?id=119972 11631 Add attributes field to PropertySlot 11632 11633 Reviewed by Geoff Garen. 11634 11635 For all JSC types, this makes getOwnPropertyDescriptor redundant. 11636 There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour. 11637 (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally). 11638 11639 No performance impact. 11640 11641 * runtime/PropertySlot.h: 11642 (JSC::PropertySlot::setValue): 11643 (JSC::PropertySlot::setCustom): 11644 (JSC::PropertySlot::setCacheableCustom): 11645 (JSC::PropertySlot::setCustomIndex): 11646 (JSC::PropertySlot::setGetterSlot): 11647 (JSC::PropertySlot::setCacheableGetterSlot): 11648 - These mathods now all require 'attributes'. 11649 * runtime/JSObject.h: 11650 (JSC::JSObject::getDirect): 11651 (JSC::JSObject::getDirectOffset): 11652 (JSC::JSObject::inlineGetOwnPropertySlot): 11653 - Added variants of getDirect, getDirectOffset that return the attributes. 11654 * API/JSCallbackObjectFunctions.h: 11655 (JSC::::getOwnPropertySlot): 11656 * runtime/Arguments.cpp: 11657 (JSC::Arguments::getOwnPropertySlotByIndex): 11658 (JSC::Arguments::getOwnPropertySlot): 11659 * runtime/JSActivation.cpp: 11660 (JSC::JSActivation::symbolTableGet): 11661 (JSC::JSActivation::getOwnPropertySlot): 11662 * runtime/JSArray.cpp: 11663 (JSC::JSArray::getOwnPropertySlot): 11664 * runtime/JSArrayBuffer.cpp: 11665 (JSC::JSArrayBuffer::getOwnPropertySlot): 11666 * runtime/JSArrayBufferView.cpp: 11667 (JSC::JSArrayBufferView::getOwnPropertySlot): 11668 * runtime/JSDataView.cpp: 11669 (JSC::JSDataView::getOwnPropertySlot): 11670 * runtime/JSFunction.cpp: 11671 (JSC::JSFunction::getOwnPropertySlot): 11672 * runtime/JSGenericTypedArrayViewInlines.h: 11673 (JSC::::getOwnPropertySlot): 11674 (JSC::::getOwnPropertySlotByIndex): 11675 * runtime/JSObject.cpp: 11676 (JSC::JSObject::getOwnPropertySlotByIndex): 11677 (JSC::JSObject::fillGetterPropertySlot): 11678 * runtime/JSString.h: 11679 (JSC::JSString::getStringPropertySlot): 11680 * runtime/JSSymbolTableObject.h: 11681 (JSC::symbolTableGet): 11682 * runtime/Lookup.cpp: 11683 (JSC::setUpStaticFunctionSlot): 11684 * runtime/Lookup.h: 11685 (JSC::getStaticPropertySlot): 11686 (JSC::getStaticPropertyDescriptor): 11687 (JSC::getStaticValueSlot): 11688 (JSC::getStaticValueDescriptor): 11689 * runtime/RegExpObject.cpp: 11690 (JSC::RegExpObject::getOwnPropertySlot): 11691 * runtime/SparseArrayValueMap.cpp: 11692 (JSC::SparseArrayEntry::get): 11693 - Pass attributes to PropertySlot::set* methods. 11694 116952013-08-17 Mark Hahnenberg <mhahnenberg@apple.com> 11696 11697 <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML 11698 11699 Reviewed by Filip Pizlo. 11700 11701 Added a new mode for DesiredWriteBarrier that allows it to track a position in a 11702 Vector of WriteBarriers rather than the specific address. The fact that we were 11703 arbitrarily storing into a Vector's backing store for constants at the end of 11704 compilation after the Vector could have resized was causing crashes. 11705 11706 * bytecode/CodeBlock.h: 11707 (JSC::CodeBlock::constants): 11708 (JSC::CodeBlock::addConstantLazily): 11709 * dfg/DFGByteCodeParser.cpp: 11710 (JSC::DFG::ByteCodeParser::addConstant): 11711 * dfg/DFGDesiredWriteBarriers.cpp: 11712 (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier): 11713 (JSC::DFG::DesiredWriteBarrier::trigger): 11714 (JSC::DFG::initializeLazyWriteBarrierForConstant): 11715 * dfg/DFGDesiredWriteBarriers.h: 11716 (JSC::DFG::DesiredWriteBarriers::add): 11717 * dfg/DFGFixupPhase.cpp: 11718 (JSC::DFG::FixupPhase::truncateConstantToInt32): 11719 * dfg/DFGGraph.h: 11720 (JSC::DFG::Graph::constantRegisterForConstant): 11721 117222013-08-16 Filip Pizlo <fpizlo@apple.com> 11723 11724 DFG should optimize typedArray.byteLength 11725 https://bugs.webkit.org/show_bug.cgi?id=119909 11726 11727 Reviewed by Oliver Hunt. 11728 11729 This adds typedArray.byteLength inlining to the DFG, and does so without changing 11730 the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is 11731 legal since the byteLength of a typed array cannot exceed 11732 numeric_limits<int32_t>::max(). 11733 11734 * bytecode/SpeculatedType.cpp: 11735 (JSC::typedArrayTypeFromSpeculation): 11736 * bytecode/SpeculatedType.h: 11737 * dfg/DFGArrayMode.cpp: 11738 (JSC::DFG::toArrayType): 11739 * dfg/DFGArrayMode.h: 11740 * dfg/DFGFixupPhase.cpp: 11741 (JSC::DFG::FixupPhase::fixupNode): 11742 (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength): 11743 (JSC::DFG::FixupPhase::attemptToMakeGetByteLength): 11744 (JSC::DFG::FixupPhase::convertToGetArrayLength): 11745 (JSC::DFG::FixupPhase::prependGetArrayLength): 11746 * dfg/DFGGraph.h: 11747 (JSC::DFG::Graph::constantRegisterForConstant): 11748 (JSC::DFG::Graph::convertToConstant): 11749 * runtime/TypedArrayType.h: 11750 (JSC::logElementSize): 11751 (JSC::elementSize): 11752 117532013-08-16 Filip Pizlo <fpizlo@apple.com> 11754 11755 DFG optimizes out strict mode arguments tear off 11756 https://bugs.webkit.org/show_bug.cgi?id=119504 11757 11758 Reviewed by Mark Hahnenberg and Oliver Hunt. 11759 11760 Don't do the optimization for strict mode. 11761 11762 * dfg/DFGArgumentsSimplificationPhase.cpp: 11763 (JSC::DFG::ArgumentsSimplificationPhase::run): 11764 (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations): 11765 117662013-08-16 Benjamin Poulain <benjamin@webkit.org> 11767 11768 [JSC] x86: improve code generation for xxxTest32 11769 https://bugs.webkit.org/show_bug.cgi?id=119876 11770 11771 Reviewed by Geoffrey Garen. 11772 11773 Try to use testb whenever possible when testing for an immediate value. 11774 11775 When the input is an address and an offset, we can tweak the mask 11776 and offset to be able to generate testb for any byte of the mask. 11777 11778 When the input is a register, we can use testb if we are only interested 11779 in testing the low bits. 11780 11781 * assembler/MacroAssemblerX86Common.h: 11782 (JSC::MacroAssemblerX86Common::branchTest32): 11783 (JSC::MacroAssemblerX86Common::test32): 11784 (JSC::MacroAssemblerX86Common::generateTest32): 11785 117862013-08-16 Mark Lam <mark.lam@apple.com> 11787 11788 <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous 11789 error message that an object is not a constructor though it expects a function 11790 11791 Reviewed by Michael Saboff. 11792 11793 * jit/JITStubs.cpp: 11794 (JSC::DEFINE_STUB_FUNCTION): 11795 117962013-08-16 Filip Pizlo <fpizlo@apple.com> 11797 11798 Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary 11799 https://bugs.webkit.org/show_bug.cgi?id=119897 11800 11801 Reviewed by Oliver Hunt. 11802 11803 6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up 11804 on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability 11805 to turn objects into dictionaries when you're storing using bracket syntax or using 11806 eval is still in place. 11807 11808 * bytecode/CodeBlock.h: 11809 (JSC::CodeBlock::putByIdContext): 11810 * dfg/DFGOperations.cpp: 11811 * jit/JITStubs.cpp: 11812 (JSC::DEFINE_STUB_FUNCTION): 11813 * llint/LLIntSlowPaths.cpp: 11814 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 11815 * runtime/JSObject.h: 11816 (JSC::JSObject::putDirectInternal): 11817 * runtime/PutPropertySlot.h: 11818 (JSC::PutPropertySlot::PutPropertySlot): 11819 (JSC::PutPropertySlot::context): 11820 * runtime/Structure.cpp: 11821 (JSC::Structure::addPropertyTransition): 11822 * runtime/Structure.h: 11823 118242013-08-16 Balazs Kilvady <kilvadyb@homejinni.com> 11825 11826 <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException 11827 11828 Reviewed by Allan Sandfeld Jensen. 11829 11830 ctiVMHandleException must jump/return using register ra (r31). 11831 11832 * jit/JITStubsMIPS.h: 11833 118342013-08-16 Julien Brianceau <jbrianceau@nds.com> 11835 11836 <https://webkit.org/b/119879> Fix sh4 build after r154156. 11837 11838 Reviewed by Allan Sandfeld Jensen. 11839 11840 Fix typo in JITStubsSH4.h file. 11841 11842 * jit/JITStubsSH4.h: 11843 118442013-08-15 Mark Hahnenberg <mhahnenberg@apple.com> 11845 11846 <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers 11847 11848 Reviewed by Oliver Hunt. 11849 11850 The concurrent compilation thread should interact minimally with the Heap, including not 11851 triggering WriteBarriers. This is a prerequisite for generational GC. 11852 11853 * JavaScriptCore.xcodeproj/project.pbxproj: 11854 * bytecode/CodeBlock.cpp: 11855 (JSC::CodeBlock::addOrFindConstant): 11856 (JSC::CodeBlock::findConstant): 11857 * bytecode/CodeBlock.h: 11858 (JSC::CodeBlock::addConstantLazily): 11859 * dfg/DFGByteCodeParser.cpp: 11860 (JSC::DFG::ByteCodeParser::getJSConstantForValue): 11861 (JSC::DFG::ByteCodeParser::constantUndefined): 11862 (JSC::DFG::ByteCodeParser::constantNull): 11863 (JSC::DFG::ByteCodeParser::one): 11864 (JSC::DFG::ByteCodeParser::constantNaN): 11865 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): 11866 * dfg/DFGCommonData.cpp: 11867 (JSC::DFG::CommonData::notifyCompilingStructureTransition): 11868 * dfg/DFGCommonData.h: 11869 * dfg/DFGDesiredTransitions.cpp: Added. 11870 (JSC::DFG::DesiredTransition::DesiredTransition): 11871 (JSC::DFG::DesiredTransition::reallyAdd): 11872 (JSC::DFG::DesiredTransitions::DesiredTransitions): 11873 (JSC::DFG::DesiredTransitions::~DesiredTransitions): 11874 (JSC::DFG::DesiredTransitions::addLazily): 11875 (JSC::DFG::DesiredTransitions::reallyAdd): 11876 * dfg/DFGDesiredTransitions.h: Added. 11877 * dfg/DFGDesiredWeakReferences.cpp: Added. 11878 (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences): 11879 (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences): 11880 (JSC::DFG::DesiredWeakReferences::addLazily): 11881 (JSC::DFG::DesiredWeakReferences::reallyAdd): 11882 * dfg/DFGDesiredWeakReferences.h: Added. 11883 * dfg/DFGDesiredWriteBarriers.cpp: Added. 11884 (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier): 11885 (JSC::DFG::DesiredWriteBarrier::trigger): 11886 (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers): 11887 (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers): 11888 (JSC::DFG::DesiredWriteBarriers::addImpl): 11889 (JSC::DFG::DesiredWriteBarriers::trigger): 11890 * dfg/DFGDesiredWriteBarriers.h: Added. 11891 (JSC::DFG::DesiredWriteBarriers::add): 11892 (JSC::DFG::initializeLazyWriteBarrier): 11893 * dfg/DFGFixupPhase.cpp: 11894 (JSC::DFG::FixupPhase::truncateConstantToInt32): 11895 * dfg/DFGGraph.h: 11896 (JSC::DFG::Graph::convertToConstant): 11897 * dfg/DFGJITCompiler.h: 11898 (JSC::DFG::JITCompiler::addWeakReference): 11899 * dfg/DFGPlan.cpp: 11900 (JSC::DFG::Plan::Plan): 11901 (JSC::DFG::Plan::reallyAdd): 11902 * dfg/DFGPlan.h: 11903 * dfg/DFGSpeculativeJIT32_64.cpp: 11904 (JSC::DFG::SpeculativeJIT::compile): 11905 * dfg/DFGSpeculativeJIT64.cpp: 11906 (JSC::DFG::SpeculativeJIT::compile): 11907 * runtime/WriteBarrier.h: 11908 (JSC::WriteBarrierBase::set): 11909 (JSC::WriteBarrier::WriteBarrier): 11910 119112013-08-15 Benjamin Poulain <benjamin@webkit.org> 11912 11913 Fix x86 32bits build after r154158 11914 11915 * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions. 11916 119172013-08-15 Ryosuke Niwa <rniwa@webkit.org> 11918 11919 Build fix attempt after r154156. 11920 11921 * jit/JITStubs.cpp: 11922 (JSC::cti_vm_handle_exception): encode! 11923 119242013-08-15 Benjamin Poulain <benjamin@webkit.org> 11925 11926 [JSC] x86: Use inc and dec when possible 11927 https://bugs.webkit.org/show_bug.cgi?id=119831 11928 11929 Reviewed by Geoffrey Garen. 11930 11931 When incrementing or decrementing by an immediate of 1, use the insctructions 11932 inc and dec instead of add and sub. 11933 The instructions have good timing and their encoding is smaller. 11934 11935 * assembler/MacroAssemblerX86Common.h: 11936 (JSC::MacroAssemblerX86_64::add32): 11937 (JSC::MacroAssemblerX86_64::sub32): 11938 * assembler/MacroAssemblerX86_64.h: 11939 (JSC::MacroAssemblerX86_64::add64): 11940 (JSC::MacroAssemblerX86_64::sub64): 11941 * assembler/X86Assembler.h: 11942 (JSC::X86Assembler::dec_r): 11943 (JSC::X86Assembler::decq_r): 11944 (JSC::X86Assembler::inc_r): 11945 (JSC::X86Assembler::incq_r): 11946 119472013-08-15 Filip Pizlo <fpizlo@apple.com> 11948 11949 Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access 11950 https://bugs.webkit.org/show_bug.cgi?id=119874 11951 11952 Reviewed by Oliver Hunt and Mark Hahnenberg. 11953 11954 It was a confusion between heuristics in DFG::ArrayMode that are assuming that 11955 you'll use ForceExit if array profiles are empty, the JIT creating empty profiles 11956 sometimes for typed array length accesses, and the FixupPhase assuming that a 11957 ForceExit ArrayMode means that it should continue using a generic GetById. 11958 11959 This fixes the confusion. 11960 11961 * dfg/DFGFixupPhase.cpp: 11962 (JSC::DFG::FixupPhase::fixupNode): 11963 119642013-08-15 Mark Lam <mark.lam@apple.com> 11965 11966 Fix crash when performing activation tearoff. 11967 https://bugs.webkit.org/show_bug.cgi?id=119848 11968 11969 Reviewed by Oliver Hunt. 11970 11971 The activation tearoff crash was due to a bug in the baseline JIT. 11972 If we have a scenario where the a baseline JIT frame calls a LLINT 11973 frame, an exception may be thrown while in the LLINT. 11974 11975 Interpreter::throwException() which handles the exception will unwind 11976 all frames until it finds a catcher or sees a host frame. When we 11977 return from the LLINT to the baseline JIT code, the baseline JIT code 11978 errorneously sets topCallFrame to the value in its call frame register, 11979 and starts unwinding the stack frames that have already been unwound. 11980 11981 The fix is: 11982 1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException. 11983 This is a more accurate description of what this runtime function 11984 is supposed to do i.e. it handles the exception which include doing 11985 nothing (if there are no more frames to unwind). 11986 2. Fix up topCallFrame values so that the HostCallFrameFlag is never 11987 set on it. 11988 3. Reloading the call frame register from topCallFrame when we're 11989 returning from a callee and detect exception handling in progress. 11990 11991 * interpreter/Interpreter.cpp: 11992 (JSC::Interpreter::unwindCallFrame): 11993 - Ensure that topCallFrame is not set with the HostCallFrameFlag. 11994 (JSC::Interpreter::getStackTrace): 11995 * interpreter/Interpreter.h: 11996 (JSC::TopCallFrameSetter::TopCallFrameSetter): 11997 (JSC::TopCallFrameSetter::~TopCallFrameSetter): 11998 (JSC::NativeCallFrameTracer::NativeCallFrameTracer): 11999 - Ensure that topCallFrame is not set with the HostCallFrameFlag. 12000 * jit/JIT.h: 12001 * jit/JITExceptions.cpp: 12002 (JSC::uncaughtExceptionHandler): 12003 - Convenience function to get the handler for uncaught exceptions. 12004 * jit/JITExceptions.h: 12005 * jit/JITInlines.h: 12006 (JSC::JIT::reloadCallFrameFromTopCallFrame): 12007 * jit/JITOpcodes32_64.cpp: 12008 (JSC::JIT::privateCompileCTINativeCall): 12009 - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException. 12010 * jit/JITStubs.cpp: 12011 (JSC::throwExceptionFromOpCall): 12012 - Ensure that topCallFrame is not set with the HostCallFrameFlag. 12013 (JSC::cti_vm_handle_exception): 12014 - Check for the case when there are no more frames to unwind. 12015 * jit/JITStubs.h: 12016 * jit/JITStubsARM.h: 12017 * jit/JITStubsARMv7.h: 12018 * jit/JITStubsMIPS.h: 12019 * jit/JITStubsSH4.h: 12020 * jit/JITStubsX86.h: 12021 * jit/JITStubsX86_64.h: 12022 - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException. 12023 * jit/SlowPathCall.h: 12024 (JSC::JITSlowPathCall::call): 12025 - reload cfr from topcallFrame when handling an exception. 12026 - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException. 12027 * jit/ThunkGenerators.cpp: 12028 (JSC::nativeForGenerator): 12029 * llint/LowLevelInterpreter32_64.asm: 12030 * llint/LowLevelInterpreter64.asm: 12031 - reload cfr from topcallFrame when handling an exception. 12032 * runtime/VM.cpp: 12033 (JSC::VM::VM): 12034 - Ensure that topCallFrame is not set with the HostCallFrameFlag. 12035 120362013-08-15 Filip Pizlo <fpizlo@apple.com> 12037 12038 Remove some code duplication. 12039 12040 Rubber stamped by Mark Hahnenberg. 12041 12042 * runtime/JSDataViewPrototype.cpp: 12043 (JSC::getData): 12044 (JSC::setData): 12045 120462013-08-15 Julien Brianceau <jbrianceau@nds.com> 12047 12048 [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind. 12049 https://bugs.webkit.org/show_bug.cgi?id=119794 12050 12051 Reviewed by Filip Pizlo. 12052 12053 This patch fixes ASSERTs failures in debug builds for sh4 and mips architecture. 12054 12055 * dfg/DFGUseKind.h: 12056 (JSC::DFG::isNumerical): 12057 (JSC::DFG::isDouble): 12058 120592013-08-15 Filip Pizlo <fpizlo@apple.com> 12060 12061 http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3. 12062 12063 Rubber stamped by Oliver Hunt. 12064 12065 This was causing some test crashes for me. 12066 12067 * dfg/DFGCapabilities.cpp: 12068 (JSC::DFG::capabilityLevel): 12069 120702013-08-15 Brent Fulgham <bfulgham@apple.com> 12071 12072 [Windows] Clear up improper export declaration. 12073 12074 * runtime/ArrayBufferView.h: 12075 120762013-08-15 Filip Pizlo <fpizlo@apple.com> 12077 12078 Unreviewed, remove some unnecessary periods from exceptions. 12079 12080 * runtime/JSDataViewPrototype.cpp: 12081 (JSC::getData): 12082 (JSC::setData): 12083 120842013-08-15 Filip Pizlo <fpizlo@apple.com> 12085 12086 Unreviewed, fix 32-bit build. 12087 12088 * dfg/DFGSpeculativeJIT32_64.cpp: 12089 (JSC::DFG::SpeculativeJIT::compile): 12090 120912013-08-14 Filip Pizlo <fpizlo@apple.com> 12092 12093 Typed arrays should be rewritten 12094 https://bugs.webkit.org/show_bug.cgi?id=119064 12095 12096 Reviewed by Oliver Hunt. 12097 12098 Typed arrays were previously deficient in several major ways: 12099 12100 - They were defined separately in WebCore and in the jsc shell. The two 12101 implementations were different, and the jsc shell one was basically wrong. 12102 The WebCore one was quite awful, also. 12103 12104 - Typed arrays were not visible to the JIT except through some weird hooks. 12105 For example, the JIT could not ask "what is the Structure that this typed 12106 array would have if I just allocated it from this global object". Also, 12107 it was difficult to wire any of the typed array intrinsics, because most 12108 of the functionality wasn't visible anywhere in JSC. 12109 12110 - Typed array allocation was brain-dead. Allocating a typed array involved 12111 two JS objects, two GC weak handles, and three malloc allocations. 12112 12113 - Neutering. It involved keeping tabs on all native views but not the view 12114 wrappers, even though the native views can autoneuter just by asking the 12115 buffer if it was neutered anytime you touch them; while the JS view 12116 wrappers are the ones that you really want to reach out to. 12117 12118 - Common case-ing. Most typed arrays have one buffer and one view, and 12119 usually nobody touches the buffer. Yet we created all of that stuff 12120 anyway, using data structures optimized for the case where you had a lot 12121 of views. 12122 12123 - Semantic goofs. Typed arrays should, in the future, behave like ES 12124 features rather than DOM features, for example when it comes to exceptions. 12125 Firefox already does this and I agree with them. 12126 12127 This patch cleanses our codebase of these sins: 12128 12129 - Typed arrays are almost entirely defined in JSC. Only the lifecycle 12130 management of native references to buffers is left to WebCore. 12131 12132 - Allocating a typed array requires either two GC allocations (a cell and a 12133 copied storage vector) or one GC allocation, a malloc allocation, and a 12134 weak handle (a cell and a malloc'd storage vector, plus a finalizer for the 12135 latter). The latter is only used for oversize arrays. Remember that before 12136 it was 7 allocations no matter what. 12137 12138 - Typed arrays require just 4 words of overhead: Structure*, Butterfly*, 12139 mode/length, void* vector. Before it was a lot more than that - remember, 12140 there were five additional objects that did absolutely nothing for anybody. 12141 12142 - Native views aren't tracked by the buffer, or by the wrappers. They are 12143 transient. In the future we'll probably switch to not even having them be 12144 malloc'd. 12145 12146 - Native array buffers have an efficient way of tracking all of their JS view 12147 wrappers, both for neutering, and for lifecycle management. The GC 12148 special-cases native array buffers. This saves a bunch of grief; for example 12149 it means that a JS view wrapper can refer to its buffer via the butterfly, 12150 which would be dead by the time we went to finalize. 12151 12152 - Typed array semantics now match Firefox, which also happens to be where the 12153 standards are going. The discussion on webkit-dev seemed to confirm that 12154 Chrome is also heading in this direction. This includes making 12155 Uint8ClampedArray not a subtype of Uint8Array, and getting rid of 12156 ArrayBufferView as a JS-visible construct. 12157 12158 This is up to a 10x speed-up on programs that allocate a lot of typed arrays. 12159 It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for 12160 further typed array optimizations in the JSC JITs, including inlining typed 12161 array allocation, inlining more of the accessors, reducing the cost of type 12162 checks, etc. 12163 12164 An additional property of this patch is that typed arrays are mostly 12165 implemented using templates. This deduplicates a bunch of code, but does mean 12166 that we need some hacks for exporting s_info's of template classes. See 12167 JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly 12168 low-impact compared to code duplication. 12169 12170 Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>. 12171 12172 * CMakeLists.txt: 12173 * DerivedSources.make: 12174 * GNUmakefile.list.am: 12175 * JSCTypedArrayStubs.h: Removed. 12176 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 12177 * JavaScriptCore.xcodeproj/project.pbxproj: 12178 * Target.pri: 12179 * bytecode/ByValInfo.h: 12180 (JSC::hasOptimizableIndexingForClassInfo): 12181 (JSC::jitArrayModeForClassInfo): 12182 (JSC::typedArrayTypeForJITArrayMode): 12183 * bytecode/SpeculatedType.cpp: 12184 (JSC::speculationFromClassInfo): 12185 * dfg/DFGArrayMode.cpp: 12186 (JSC::DFG::toTypedArrayType): 12187 * dfg/DFGArrayMode.h: 12188 (JSC::DFG::ArrayMode::typedArrayType): 12189 * dfg/DFGSpeculativeJIT.cpp: 12190 (JSC::DFG::SpeculativeJIT::checkArray): 12191 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): 12192 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): 12193 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): 12194 (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray): 12195 (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): 12196 (JSC::DFG::SpeculativeJIT::compileGetArrayLength): 12197 * dfg/DFGSpeculativeJIT.h: 12198 * dfg/DFGSpeculativeJIT32_64.cpp: 12199 (JSC::DFG::SpeculativeJIT::compile): 12200 * dfg/DFGSpeculativeJIT64.cpp: 12201 (JSC::DFG::SpeculativeJIT::compile): 12202 * heap/CopyToken.h: 12203 * heap/DeferGC.h: 12204 (JSC::DeferGCForAWhile::DeferGCForAWhile): 12205 (JSC::DeferGCForAWhile::~DeferGCForAWhile): 12206 * heap/GCIncomingRefCounted.h: Added. 12207 (JSC::GCIncomingRefCounted::GCIncomingRefCounted): 12208 (JSC::GCIncomingRefCounted::~GCIncomingRefCounted): 12209 (JSC::GCIncomingRefCounted::numberOfIncomingReferences): 12210 (JSC::GCIncomingRefCounted::incomingReferenceAt): 12211 (JSC::GCIncomingRefCounted::singletonFlag): 12212 (JSC::GCIncomingRefCounted::hasVectorOfCells): 12213 (JSC::GCIncomingRefCounted::hasAnyIncoming): 12214 (JSC::GCIncomingRefCounted::hasSingleton): 12215 (JSC::GCIncomingRefCounted::singleton): 12216 (JSC::GCIncomingRefCounted::vectorOfCells): 12217 * heap/GCIncomingRefCountedInlines.h: Added. 12218 (JSC::::addIncomingReference): 12219 (JSC::::filterIncomingReferences): 12220 * heap/GCIncomingRefCountedSet.h: Added. 12221 (JSC::GCIncomingRefCountedSet::size): 12222 * heap/GCIncomingRefCountedSetInlines.h: Added. 12223 (JSC::::GCIncomingRefCountedSet): 12224 (JSC::::~GCIncomingRefCountedSet): 12225 (JSC::::addReference): 12226 (JSC::::sweep): 12227 (JSC::::removeAll): 12228 (JSC::::removeDead): 12229 * heap/Heap.cpp: 12230 (JSC::Heap::addReference): 12231 (JSC::Heap::extraSize): 12232 (JSC::Heap::size): 12233 (JSC::Heap::capacity): 12234 (JSC::Heap::collect): 12235 (JSC::Heap::decrementDeferralDepth): 12236 (JSC::Heap::decrementDeferralDepthAndGCIfNeeded): 12237 * heap/Heap.h: 12238 * interpreter/CallFrame.h: 12239 (JSC::ExecState::dataViewTable): 12240 * jit/JIT.h: 12241 * jit/JITPropertyAccess.cpp: 12242 (JSC::JIT::privateCompileGetByVal): 12243 (JSC::JIT::privateCompilePutByVal): 12244 (JSC::JIT::emitIntTypedArrayGetByVal): 12245 (JSC::JIT::emitFloatTypedArrayGetByVal): 12246 (JSC::JIT::emitIntTypedArrayPutByVal): 12247 (JSC::JIT::emitFloatTypedArrayPutByVal): 12248 * jsc.cpp: 12249 (GlobalObject::finishCreation): 12250 * runtime/ArrayBuffer.cpp: 12251 (JSC::ArrayBuffer::transfer): 12252 * runtime/ArrayBuffer.h: 12253 (JSC::ArrayBuffer::createAdopted): 12254 (JSC::ArrayBuffer::ArrayBuffer): 12255 (JSC::ArrayBuffer::gcSizeEstimateInBytes): 12256 (JSC::ArrayBuffer::pin): 12257 (JSC::ArrayBuffer::unpin): 12258 (JSC::ArrayBufferContents::tryAllocate): 12259 * runtime/ArrayBufferView.cpp: 12260 (JSC::ArrayBufferView::ArrayBufferView): 12261 (JSC::ArrayBufferView::~ArrayBufferView): 12262 (JSC::ArrayBufferView::setNeuterable): 12263 * runtime/ArrayBufferView.h: 12264 (JSC::ArrayBufferView::isNeutered): 12265 (JSC::ArrayBufferView::buffer): 12266 (JSC::ArrayBufferView::baseAddress): 12267 (JSC::ArrayBufferView::byteOffset): 12268 (JSC::ArrayBufferView::verifySubRange): 12269 (JSC::ArrayBufferView::clampOffsetAndNumElements): 12270 (JSC::ArrayBufferView::calculateOffsetAndLength): 12271 * runtime/ClassInfo.h: 12272 * runtime/CommonIdentifiers.h: 12273 * runtime/DataView.cpp: Added. 12274 (JSC::DataView::DataView): 12275 (JSC::DataView::create): 12276 (JSC::DataView::wrap): 12277 * runtime/DataView.h: Added. 12278 (JSC::DataView::byteLength): 12279 (JSC::DataView::getType): 12280 (JSC::DataView::get): 12281 (JSC::DataView::set): 12282 * runtime/Float32Array.h: 12283 * runtime/Float64Array.h: 12284 * runtime/GenericTypedArrayView.h: Added. 12285 (JSC::GenericTypedArrayView::data): 12286 (JSC::GenericTypedArrayView::set): 12287 (JSC::GenericTypedArrayView::setRange): 12288 (JSC::GenericTypedArrayView::zeroRange): 12289 (JSC::GenericTypedArrayView::zeroFill): 12290 (JSC::GenericTypedArrayView::length): 12291 (JSC::GenericTypedArrayView::byteLength): 12292 (JSC::GenericTypedArrayView::item): 12293 (JSC::GenericTypedArrayView::checkInboundData): 12294 (JSC::GenericTypedArrayView::getType): 12295 * runtime/GenericTypedArrayViewInlines.h: Added. 12296 (JSC::::GenericTypedArrayView): 12297 (JSC::::create): 12298 (JSC::::createUninitialized): 12299 (JSC::::subarray): 12300 (JSC::::wrap): 12301 * runtime/IndexingHeader.h: 12302 (JSC::IndexingHeader::arrayBuffer): 12303 (JSC::IndexingHeader::setArrayBuffer): 12304 * runtime/Int16Array.h: 12305 * runtime/Int32Array.h: 12306 * runtime/Int8Array.h: 12307 * runtime/JSArrayBuffer.cpp: Added. 12308 (JSC::JSArrayBuffer::JSArrayBuffer): 12309 (JSC::JSArrayBuffer::finishCreation): 12310 (JSC::JSArrayBuffer::create): 12311 (JSC::JSArrayBuffer::createStructure): 12312 (JSC::JSArrayBuffer::getOwnPropertySlot): 12313 (JSC::JSArrayBuffer::getOwnPropertyDescriptor): 12314 (JSC::JSArrayBuffer::put): 12315 (JSC::JSArrayBuffer::defineOwnProperty): 12316 (JSC::JSArrayBuffer::deleteProperty): 12317 (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames): 12318 * runtime/JSArrayBuffer.h: Added. 12319 (JSC::JSArrayBuffer::impl): 12320 (JSC::toArrayBuffer): 12321 * runtime/JSArrayBufferConstructor.cpp: Added. 12322 (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor): 12323 (JSC::JSArrayBufferConstructor::finishCreation): 12324 (JSC::JSArrayBufferConstructor::create): 12325 (JSC::JSArrayBufferConstructor::createStructure): 12326 (JSC::constructArrayBuffer): 12327 (JSC::JSArrayBufferConstructor::getConstructData): 12328 (JSC::JSArrayBufferConstructor::getCallData): 12329 * runtime/JSArrayBufferConstructor.h: Added. 12330 * runtime/JSArrayBufferPrototype.cpp: Added. 12331 (JSC::arrayBufferProtoFuncSlice): 12332 (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype): 12333 (JSC::JSArrayBufferPrototype::finishCreation): 12334 (JSC::JSArrayBufferPrototype::create): 12335 (JSC::JSArrayBufferPrototype::createStructure): 12336 * runtime/JSArrayBufferPrototype.h: Added. 12337 * runtime/JSArrayBufferView.cpp: Added. 12338 (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext): 12339 (JSC::JSArrayBufferView::JSArrayBufferView): 12340 (JSC::JSArrayBufferView::finishCreation): 12341 (JSC::JSArrayBufferView::getOwnPropertySlot): 12342 (JSC::JSArrayBufferView::getOwnPropertyDescriptor): 12343 (JSC::JSArrayBufferView::put): 12344 (JSC::JSArrayBufferView::defineOwnProperty): 12345 (JSC::JSArrayBufferView::deleteProperty): 12346 (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames): 12347 (JSC::JSArrayBufferView::finalize): 12348 * runtime/JSArrayBufferView.h: Added. 12349 (JSC::JSArrayBufferView::sizeOf): 12350 (JSC::JSArrayBufferView::ConstructionContext::operator!): 12351 (JSC::JSArrayBufferView::ConstructionContext::structure): 12352 (JSC::JSArrayBufferView::ConstructionContext::vector): 12353 (JSC::JSArrayBufferView::ConstructionContext::length): 12354 (JSC::JSArrayBufferView::ConstructionContext::mode): 12355 (JSC::JSArrayBufferView::ConstructionContext::butterfly): 12356 (JSC::JSArrayBufferView::mode): 12357 (JSC::JSArrayBufferView::vector): 12358 (JSC::JSArrayBufferView::length): 12359 (JSC::JSArrayBufferView::offsetOfVector): 12360 (JSC::JSArrayBufferView::offsetOfLength): 12361 (JSC::JSArrayBufferView::offsetOfMode): 12362 * runtime/JSArrayBufferViewInlines.h: Added. 12363 (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary): 12364 (JSC::JSArrayBufferView::buffer): 12365 (JSC::JSArrayBufferView::impl): 12366 (JSC::JSArrayBufferView::neuter): 12367 (JSC::JSArrayBufferView::byteOffset): 12368 * runtime/JSCell.cpp: 12369 (JSC::JSCell::slowDownAndWasteMemory): 12370 (JSC::JSCell::getTypedArrayImpl): 12371 * runtime/JSCell.h: 12372 * runtime/JSDataView.cpp: Added. 12373 (JSC::JSDataView::JSDataView): 12374 (JSC::JSDataView::create): 12375 (JSC::JSDataView::createUninitialized): 12376 (JSC::JSDataView::set): 12377 (JSC::JSDataView::typedImpl): 12378 (JSC::JSDataView::getOwnPropertySlot): 12379 (JSC::JSDataView::getOwnPropertyDescriptor): 12380 (JSC::JSDataView::slowDownAndWasteMemory): 12381 (JSC::JSDataView::getTypedArrayImpl): 12382 (JSC::JSDataView::createStructure): 12383 * runtime/JSDataView.h: Added. 12384 * runtime/JSDataViewPrototype.cpp: Added. 12385 (JSC::JSDataViewPrototype::JSDataViewPrototype): 12386 (JSC::JSDataViewPrototype::create): 12387 (JSC::JSDataViewPrototype::createStructure): 12388 (JSC::JSDataViewPrototype::getOwnPropertySlot): 12389 (JSC::JSDataViewPrototype::getOwnPropertyDescriptor): 12390 (JSC::getData): 12391 (JSC::setData): 12392 (JSC::dataViewProtoFuncGetInt8): 12393 (JSC::dataViewProtoFuncGetInt16): 12394 (JSC::dataViewProtoFuncGetInt32): 12395 (JSC::dataViewProtoFuncGetUint8): 12396 (JSC::dataViewProtoFuncGetUint16): 12397 (JSC::dataViewProtoFuncGetUint32): 12398 (JSC::dataViewProtoFuncGetFloat32): 12399 (JSC::dataViewProtoFuncGetFloat64): 12400 (JSC::dataViewProtoFuncSetInt8): 12401 (JSC::dataViewProtoFuncSetInt16): 12402 (JSC::dataViewProtoFuncSetInt32): 12403 (JSC::dataViewProtoFuncSetUint8): 12404 (JSC::dataViewProtoFuncSetUint16): 12405 (JSC::dataViewProtoFuncSetUint32): 12406 (JSC::dataViewProtoFuncSetFloat32): 12407 (JSC::dataViewProtoFuncSetFloat64): 12408 * runtime/JSDataViewPrototype.h: Added. 12409 * runtime/JSFloat32Array.h: Added. 12410 * runtime/JSFloat64Array.h: Added. 12411 * runtime/JSGenericTypedArrayView.h: Added. 12412 (JSC::JSGenericTypedArrayView::byteLength): 12413 (JSC::JSGenericTypedArrayView::byteSize): 12414 (JSC::JSGenericTypedArrayView::typedVector): 12415 (JSC::JSGenericTypedArrayView::canGetIndexQuickly): 12416 (JSC::JSGenericTypedArrayView::canSetIndexQuickly): 12417 (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue): 12418 (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble): 12419 (JSC::JSGenericTypedArrayView::getIndexQuickly): 12420 (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue): 12421 (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble): 12422 (JSC::JSGenericTypedArrayView::setIndexQuickly): 12423 (JSC::JSGenericTypedArrayView::canAccessRangeQuickly): 12424 (JSC::JSGenericTypedArrayView::typedImpl): 12425 (JSC::JSGenericTypedArrayView::createStructure): 12426 (JSC::JSGenericTypedArrayView::info): 12427 (JSC::toNativeTypedView): 12428 * runtime/JSGenericTypedArrayViewConstructor.h: Added. 12429 * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added. 12430 (JSC::::JSGenericTypedArrayViewConstructor): 12431 (JSC::::finishCreation): 12432 (JSC::::create): 12433 (JSC::::createStructure): 12434 (JSC::constructGenericTypedArrayView): 12435 (JSC::::getConstructData): 12436 (JSC::::getCallData): 12437 * runtime/JSGenericTypedArrayViewInlines.h: Added. 12438 (JSC::::JSGenericTypedArrayView): 12439 (JSC::::create): 12440 (JSC::::createUninitialized): 12441 (JSC::::validateRange): 12442 (JSC::::setWithSpecificType): 12443 (JSC::::set): 12444 (JSC::::getOwnPropertySlot): 12445 (JSC::::getOwnPropertyDescriptor): 12446 (JSC::::put): 12447 (JSC::::defineOwnProperty): 12448 (JSC::::deleteProperty): 12449 (JSC::::getOwnPropertySlotByIndex): 12450 (JSC::::putByIndex): 12451 (JSC::::deletePropertyByIndex): 12452 (JSC::::getOwnNonIndexPropertyNames): 12453 (JSC::::getOwnPropertyNames): 12454 (JSC::::visitChildren): 12455 (JSC::::copyBackingStore): 12456 (JSC::::slowDownAndWasteMemory): 12457 (JSC::::getTypedArrayImpl): 12458 * runtime/JSGenericTypedArrayViewPrototype.h: Added. 12459 * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added. 12460 (JSC::genericTypedArrayViewProtoFuncSet): 12461 (JSC::genericTypedArrayViewProtoFuncSubarray): 12462 (JSC::::JSGenericTypedArrayViewPrototype): 12463 (JSC::::finishCreation): 12464 (JSC::::create): 12465 (JSC::::createStructure): 12466 * runtime/JSGlobalObject.cpp: 12467 (JSC::JSGlobalObject::reset): 12468 (JSC::JSGlobalObject::visitChildren): 12469 * runtime/JSGlobalObject.h: 12470 (JSC::JSGlobalObject::arrayBufferPrototype): 12471 (JSC::JSGlobalObject::arrayBufferStructure): 12472 (JSC::JSGlobalObject::typedArrayStructure): 12473 * runtime/JSInt16Array.h: Added. 12474 * runtime/JSInt32Array.h: Added. 12475 * runtime/JSInt8Array.h: Added. 12476 * runtime/JSTypedArrayConstructors.cpp: Added. 12477 * runtime/JSTypedArrayConstructors.h: Added. 12478 * runtime/JSTypedArrayPrototypes.cpp: Added. 12479 * runtime/JSTypedArrayPrototypes.h: Added. 12480 * runtime/JSTypedArrays.cpp: Added. 12481 * runtime/JSTypedArrays.h: Added. 12482 * runtime/JSUint16Array.h: Added. 12483 * runtime/JSUint32Array.h: Added. 12484 * runtime/JSUint8Array.h: Added. 12485 * runtime/JSUint8ClampedArray.h: Added. 12486 * runtime/Operations.h: 12487 * runtime/Options.h: 12488 * runtime/SimpleTypedArrayController.cpp: Added. 12489 (JSC::SimpleTypedArrayController::SimpleTypedArrayController): 12490 (JSC::SimpleTypedArrayController::~SimpleTypedArrayController): 12491 (JSC::SimpleTypedArrayController::toJS): 12492 * runtime/SimpleTypedArrayController.h: Added. 12493 * runtime/Structure.h: 12494 (JSC::Structure::couldHaveIndexingHeader): 12495 * runtime/StructureInlines.h: 12496 (JSC::Structure::hasIndexingHeader): 12497 * runtime/TypedArrayAdaptors.h: Added. 12498 (JSC::IntegralTypedArrayAdaptor::toNative): 12499 (JSC::IntegralTypedArrayAdaptor::toJSValue): 12500 (JSC::IntegralTypedArrayAdaptor::toDouble): 12501 (JSC::FloatTypedArrayAdaptor::toNative): 12502 (JSC::FloatTypedArrayAdaptor::toJSValue): 12503 (JSC::FloatTypedArrayAdaptor::toDouble): 12504 (JSC::Uint8ClampedAdaptor::toNative): 12505 (JSC::Uint8ClampedAdaptor::toJSValue): 12506 (JSC::Uint8ClampedAdaptor::toDouble): 12507 (JSC::Uint8ClampedAdaptor::clamp): 12508 * runtime/TypedArrayController.cpp: Added. 12509 (JSC::TypedArrayController::TypedArrayController): 12510 (JSC::TypedArrayController::~TypedArrayController): 12511 * runtime/TypedArrayController.h: Added. 12512 * runtime/TypedArrayDescriptor.h: Removed. 12513 * runtime/TypedArrayInlines.h: Added. 12514 * runtime/TypedArrayType.cpp: Added. 12515 (JSC::classInfoForType): 12516 (WTF::printInternal): 12517 * runtime/TypedArrayType.h: Added. 12518 (JSC::toIndex): 12519 (JSC::isTypedView): 12520 (JSC::elementSize): 12521 (JSC::isInt): 12522 (JSC::isFloat): 12523 (JSC::isSigned): 12524 (JSC::isClamped): 12525 * runtime/TypedArrays.h: Added. 12526 * runtime/Uint16Array.h: 12527 * runtime/Uint32Array.h: 12528 * runtime/Uint8Array.h: 12529 * runtime/Uint8ClampedArray.h: 12530 * runtime/VM.cpp: 12531 (JSC::VM::VM): 12532 (JSC::VM::~VM): 12533 * runtime/VM.h: 12534 125352013-08-15 Oliver Hunt <oliver@apple.com> 12536 12537 <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure 12538 12539 Reviewed by Filip Pizlo. 12540 12541 Make sure dfgCapabilities doesn't report a Dynamic put as 12542 being compilable when we don't actually support it. 12543 12544 * bytecode/CodeBlock.cpp: 12545 (JSC::CodeBlock::dumpBytecode): 12546 * dfg/DFGCapabilities.cpp: 12547 (JSC::DFG::capabilityLevel): 12548 125492013-08-15 Brent Fulgham <bfulgham@apple.com> 12550 12551 [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView 12552 https://bugs.webkit.org/show_bug.cgi?id=119847 12553 12554 Reviewed by Oliver Hunt. 12555 12556 * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE 12557 * runtime/ArrayBufferView.h: Ditto. 12558 125592013-08-15 Gavin Barraclough <barraclough@apple.com> 12560 12561 https://bugs.webkit.org/show_bug.cgi?id=119843 12562 PropertySlot::setValue is ambiguous 12563 12564 Reviewed by Geoff Garen. 12565 12566 There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently. 12567 The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property. 12568 Unify on always providing the object, and remove the version that just takes a value. 12569 This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access). 12570 Provide a version of setValue that takes a JSString as the owner of the property. 12571 We won't store this, but it makes it clear that this interface should only be used from JSString. 12572 12573 * API/JSCallbackObjectFunctions.h: 12574 (JSC::::getOwnPropertySlot): 12575 * JSCTypedArrayStubs.h: 12576 * runtime/Arguments.cpp: 12577 (JSC::Arguments::getOwnPropertySlotByIndex): 12578 (JSC::Arguments::getOwnPropertySlot): 12579 * runtime/JSActivation.cpp: 12580 (JSC::JSActivation::symbolTableGet): 12581 (JSC::JSActivation::getOwnPropertySlot): 12582 * runtime/JSArray.cpp: 12583 (JSC::JSArray::getOwnPropertySlot): 12584 * runtime/JSObject.cpp: 12585 (JSC::JSObject::getOwnPropertySlotByIndex): 12586 * runtime/JSString.h: 12587 (JSC::JSString::getStringPropertySlot): 12588 * runtime/JSSymbolTableObject.h: 12589 (JSC::symbolTableGet): 12590 * runtime/SparseArrayValueMap.cpp: 12591 (JSC::SparseArrayEntry::get): 12592 - Pass object containing property to PropertySlot::setValue 12593 * runtime/PropertySlot.h: 12594 (JSC::PropertySlot::setValue): 12595 - Logically, the base of a string property access is a temporary StringObject, but we optimize that away. 12596 (JSC::PropertySlot::setUndefined): 12597 - removed setValue(JSValue), added setValue(JSString*, JSValue) 12598 125992013-08-15 Oliver Hunt <oliver@apple.com> 12600 12601 Remove bogus assertion. 12602 12603 RS=Filip Pizlo 12604 12605 * dfg/DFGAbstractInterpreterInlines.h: 12606 (JSC::DFG::::executeEffects): 12607 126082013-08-15 Allan Sandfeld Jensen <allan.jensen@digia.com> 12609 12610 REGRESSION(r148790) Made 7 tests fail on x86 32bit 12611 https://bugs.webkit.org/show_bug.cgi?id=114913 12612 12613 Reviewed by Filip Pizlo. 12614 12615 The X87 register was not freed before some calls. Instead 12616 of inserting resetX87Registers to the last call sites, 12617 the two X87 registers are now freed in every call. 12618 12619 * llint/LowLevelInterpreter32_64.asm: 12620 * llint/LowLevelInterpreter64.asm: 12621 * offlineasm/instructions.rb: 12622 * offlineasm/x86.rb: 12623 126242013-08-14 Michael Saboff <msaboff@apple.com> 12625 12626 Fixed jit on Win64. 12627 https://bugs.webkit.org/show_bug.cgi?id=119601 12628 12629 Reviewed by Oliver Hunt. 12630 12631 * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation. 12632 * jit/JSInterfaceJIT.h: Added thirdArgumentRegister. 12633 * jit/SlowPathCall.h: 12634 (JSC::JITSlowPathCall::call): Added correct calling convention for Win64. 12635 126362013-08-14 Alex Christensen <achristensen@apple.com> 12637 12638 Compile fix for Win64 with jit disabled. 12639 https://bugs.webkit.org/show_bug.cgi?id=119804 12640 12641 Reviewed by Michael Saboff. 12642 12643 * offlineasm/cloop.rb: Added std:: before isnan. 12644 126452013-08-14 Julien Brianceau <jbrianceau@nds.com> 12646 12647 DFG_JIT implementation for sh4 architecture. 12648 https://bugs.webkit.org/show_bug.cgi?id=119737 12649 12650 Reviewed by Oliver Hunt. 12651 12652 * assembler/MacroAssemblerSH4.h: 12653 (JSC::MacroAssemblerSH4::invert): 12654 (JSC::MacroAssemblerSH4::add32): 12655 (JSC::MacroAssemblerSH4::and32): 12656 (JSC::MacroAssemblerSH4::lshift32): 12657 (JSC::MacroAssemblerSH4::mul32): 12658 (JSC::MacroAssemblerSH4::or32): 12659 (JSC::MacroAssemblerSH4::rshift32): 12660 (JSC::MacroAssemblerSH4::sub32): 12661 (JSC::MacroAssemblerSH4::xor32): 12662 (JSC::MacroAssemblerSH4::store32): 12663 (JSC::MacroAssemblerSH4::swapDouble): 12664 (JSC::MacroAssemblerSH4::storeDouble): 12665 (JSC::MacroAssemblerSH4::subDouble): 12666 (JSC::MacroAssemblerSH4::mulDouble): 12667 (JSC::MacroAssemblerSH4::divDouble): 12668 (JSC::MacroAssemblerSH4::negateDouble): 12669 (JSC::MacroAssemblerSH4::zeroExtend32ToPtr): 12670 (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32): 12671 (JSC::MacroAssemblerSH4::truncateDoubleToUint32): 12672 (JSC::MacroAssemblerSH4::swap): 12673 (JSC::MacroAssemblerSH4::jump): 12674 (JSC::MacroAssemblerSH4::branchNeg32): 12675 (JSC::MacroAssemblerSH4::branchAdd32): 12676 (JSC::MacroAssemblerSH4::branchMul32): 12677 (JSC::MacroAssemblerSH4::urshift32): 12678 * assembler/SH4Assembler.h: 12679 (JSC::SH4Assembler::SH4Assembler): 12680 (JSC::SH4Assembler::labelForWatchpoint): 12681 (JSC::SH4Assembler::label): 12682 (JSC::SH4Assembler::debugOffset): 12683 * dfg/DFGAssemblyHelpers.h: 12684 (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall): 12685 (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn): 12686 (JSC::DFG::AssemblyHelpers::debugCall): 12687 * dfg/DFGCCallHelpers.h: 12688 (JSC::DFG::CCallHelpers::setupArguments): 12689 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState): 12690 * dfg/DFGFPRInfo.h: 12691 (JSC::DFG::FPRInfo::toRegister): 12692 (JSC::DFG::FPRInfo::toIndex): 12693 (JSC::DFG::FPRInfo::debugName): 12694 * dfg/DFGGPRInfo.h: 12695 (JSC::DFG::GPRInfo::toRegister): 12696 (JSC::DFG::GPRInfo::toIndex): 12697 (JSC::DFG::GPRInfo::debugName): 12698 * dfg/DFGOperations.cpp: 12699 * dfg/DFGSpeculativeJIT.h: 12700 (JSC::DFG::SpeculativeJIT::callOperation): 12701 * jit/JITStubs.h: 12702 * jit/JITStubsSH4.h: 12703 127042013-08-13 Filip Pizlo <fpizlo@apple.com> 12705 12706 Unreviewed, fix build. 12707 12708 * API/JSValue.mm: 12709 (isDate): 12710 (isArray): 12711 * API/JSWrapperMap.mm: 12712 (tryUnwrapObjcObject): 12713 * API/ObjCCallbackFunction.mm: 12714 (tryUnwrapBlock): 12715 127162013-08-13 Filip Pizlo <fpizlo@apple.com> 12717 12718 Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked 12719 https://bugs.webkit.org/show_bug.cgi?id=119770 12720 12721 Reviewed by Mark Hahnenberg. 12722 12723 * API/JSCallbackConstructor.cpp: 12724 (JSC::JSCallbackConstructor::finishCreation): 12725 * API/JSCallbackConstructor.h: 12726 (JSC::JSCallbackConstructor::createStructure): 12727 * API/JSCallbackFunction.cpp: 12728 (JSC::JSCallbackFunction::finishCreation): 12729 * API/JSCallbackFunction.h: 12730 (JSC::JSCallbackFunction::createStructure): 12731 * API/JSCallbackObject.cpp: 12732 (JSC::::createStructure): 12733 * API/JSCallbackObject.h: 12734 (JSC::JSCallbackObject::visitChildren): 12735 * API/JSCallbackObjectFunctions.h: 12736 (JSC::::asCallbackObject): 12737 (JSC::::finishCreation): 12738 * API/JSObjectRef.cpp: 12739 (JSObjectGetPrivate): 12740 (JSObjectSetPrivate): 12741 (JSObjectGetPrivateProperty): 12742 (JSObjectSetPrivateProperty): 12743 (JSObjectDeletePrivateProperty): 12744 * API/JSValueRef.cpp: 12745 (JSValueIsObjectOfClass): 12746 * API/JSWeakObjectMapRefPrivate.cpp: 12747 * API/ObjCCallbackFunction.h: 12748 (JSC::ObjCCallbackFunction::createStructure): 12749 * JSCTypedArrayStubs.h: 12750 * bytecode/CallLinkStatus.cpp: 12751 (JSC::CallLinkStatus::CallLinkStatus): 12752 (JSC::CallLinkStatus::function): 12753 (JSC::CallLinkStatus::internalFunction): 12754 * bytecode/CodeBlock.h: 12755 (JSC::baselineCodeBlockForInlineCallFrame): 12756 * bytecode/SpeculatedType.cpp: 12757 (JSC::speculationFromClassInfo): 12758 * bytecode/UnlinkedCodeBlock.cpp: 12759 (JSC::UnlinkedFunctionExecutable::visitChildren): 12760 (JSC::UnlinkedCodeBlock::visitChildren): 12761 (JSC::UnlinkedProgramCodeBlock::visitChildren): 12762 * bytecode/UnlinkedCodeBlock.h: 12763 (JSC::UnlinkedFunctionExecutable::createStructure): 12764 (JSC::UnlinkedProgramCodeBlock::createStructure): 12765 (JSC::UnlinkedEvalCodeBlock::createStructure): 12766 (JSC::UnlinkedFunctionCodeBlock::createStructure): 12767 * debugger/Debugger.cpp: 12768 * debugger/DebuggerActivation.cpp: 12769 (JSC::DebuggerActivation::visitChildren): 12770 * debugger/DebuggerActivation.h: 12771 (JSC::DebuggerActivation::createStructure): 12772 * debugger/DebuggerCallFrame.cpp: 12773 (JSC::DebuggerCallFrame::functionName): 12774 * dfg/DFGAbstractInterpreterInlines.h: 12775 (JSC::DFG::::executeEffects): 12776 * dfg/DFGByteCodeParser.cpp: 12777 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): 12778 (JSC::DFG::ByteCodeParser::parseBlock): 12779 * dfg/DFGFixupPhase.cpp: 12780 (JSC::DFG::FixupPhase::isStringPrototypeMethodSane): 12781 (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess): 12782 * dfg/DFGGraph.cpp: 12783 (JSC::DFG::Graph::dump): 12784 * dfg/DFGGraph.h: 12785 (JSC::DFG::Graph::isInternalFunctionConstant): 12786 * dfg/DFGOperations.cpp: 12787 * dfg/DFGSpeculativeJIT.cpp: 12788 (JSC::DFG::SpeculativeJIT::checkArray): 12789 (JSC::DFG::SpeculativeJIT::compileNewStringObject): 12790 * dfg/DFGThunks.cpp: 12791 (JSC::DFG::virtualForThunkGenerator): 12792 * interpreter/Interpreter.cpp: 12793 (JSC::loadVarargs): 12794 * jsc.cpp: 12795 (GlobalObject::createStructure): 12796 * profiler/LegacyProfiler.cpp: 12797 (JSC::LegacyProfiler::createCallIdentifier): 12798 * runtime/Arguments.cpp: 12799 (JSC::Arguments::visitChildren): 12800 * runtime/Arguments.h: 12801 (JSC::Arguments::createStructure): 12802 (JSC::asArguments): 12803 (JSC::Arguments::finishCreation): 12804 * runtime/ArrayConstructor.cpp: 12805 (JSC::arrayConstructorIsArray): 12806 * runtime/ArrayConstructor.h: 12807 (JSC::ArrayConstructor::createStructure): 12808 * runtime/ArrayPrototype.cpp: 12809 (JSC::ArrayPrototype::finishCreation): 12810 (JSC::arrayProtoFuncConcat): 12811 (JSC::attemptFastSort): 12812 * runtime/ArrayPrototype.h: 12813 (JSC::ArrayPrototype::createStructure): 12814 * runtime/BooleanConstructor.h: 12815 (JSC::BooleanConstructor::createStructure): 12816 * runtime/BooleanObject.cpp: 12817 (JSC::BooleanObject::finishCreation): 12818 * runtime/BooleanObject.h: 12819 (JSC::BooleanObject::createStructure): 12820 (JSC::asBooleanObject): 12821 * runtime/BooleanPrototype.cpp: 12822 (JSC::BooleanPrototype::finishCreation): 12823 (JSC::booleanProtoFuncToString): 12824 (JSC::booleanProtoFuncValueOf): 12825 * runtime/BooleanPrototype.h: 12826 (JSC::BooleanPrototype::createStructure): 12827 * runtime/DateConstructor.cpp: 12828 (JSC::constructDate): 12829 * runtime/DateConstructor.h: 12830 (JSC::DateConstructor::createStructure): 12831 * runtime/DateInstance.cpp: 12832 (JSC::DateInstance::finishCreation): 12833 * runtime/DateInstance.h: 12834 (JSC::DateInstance::createStructure): 12835 (JSC::asDateInstance): 12836 * runtime/DatePrototype.cpp: 12837 (JSC::formateDateInstance): 12838 (JSC::DatePrototype::finishCreation): 12839 (JSC::dateProtoFuncToISOString): 12840 (JSC::dateProtoFuncToLocaleString): 12841 (JSC::dateProtoFuncToLocaleDateString): 12842 (JSC::dateProtoFuncToLocaleTimeString): 12843 (JSC::dateProtoFuncGetTime): 12844 (JSC::dateProtoFuncGetFullYear): 12845 (JSC::dateProtoFuncGetUTCFullYear): 12846 (JSC::dateProtoFuncGetMonth): 12847 (JSC::dateProtoFuncGetUTCMonth): 12848 (JSC::dateProtoFuncGetDate): 12849 (JSC::dateProtoFuncGetUTCDate): 12850 (JSC::dateProtoFuncGetDay): 12851 (JSC::dateProtoFuncGetUTCDay): 12852 (JSC::dateProtoFuncGetHours): 12853 (JSC::dateProtoFuncGetUTCHours): 12854 (JSC::dateProtoFuncGetMinutes): 12855 (JSC::dateProtoFuncGetUTCMinutes): 12856 (JSC::dateProtoFuncGetSeconds): 12857 (JSC::dateProtoFuncGetUTCSeconds): 12858 (JSC::dateProtoFuncGetMilliSeconds): 12859 (JSC::dateProtoFuncGetUTCMilliseconds): 12860 (JSC::dateProtoFuncGetTimezoneOffset): 12861 (JSC::dateProtoFuncSetTime): 12862 (JSC::setNewValueFromTimeArgs): 12863 (JSC::setNewValueFromDateArgs): 12864 (JSC::dateProtoFuncSetYear): 12865 (JSC::dateProtoFuncGetYear): 12866 * runtime/DatePrototype.h: 12867 (JSC::DatePrototype::createStructure): 12868 * runtime/Error.h: 12869 (JSC::StrictModeTypeErrorFunction::createStructure): 12870 * runtime/ErrorConstructor.h: 12871 (JSC::ErrorConstructor::createStructure): 12872 * runtime/ErrorInstance.cpp: 12873 (JSC::ErrorInstance::finishCreation): 12874 * runtime/ErrorInstance.h: 12875 (JSC::ErrorInstance::createStructure): 12876 * runtime/ErrorPrototype.cpp: 12877 (JSC::ErrorPrototype::finishCreation): 12878 * runtime/ErrorPrototype.h: 12879 (JSC::ErrorPrototype::createStructure): 12880 * runtime/ExceptionHelpers.cpp: 12881 (JSC::isTerminatedExecutionException): 12882 * runtime/ExceptionHelpers.h: 12883 (JSC::TerminatedExecutionError::createStructure): 12884 * runtime/Executable.cpp: 12885 (JSC::EvalExecutable::visitChildren): 12886 (JSC::ProgramExecutable::visitChildren): 12887 (JSC::FunctionExecutable::visitChildren): 12888 (JSC::ExecutableBase::hashFor): 12889 * runtime/Executable.h: 12890 (JSC::ExecutableBase::createStructure): 12891 (JSC::NativeExecutable::createStructure): 12892 (JSC::EvalExecutable::createStructure): 12893 (JSC::ProgramExecutable::createStructure): 12894 (JSC::FunctionExecutable::compileFor): 12895 (JSC::FunctionExecutable::compileOptimizedFor): 12896 (JSC::FunctionExecutable::createStructure): 12897 * runtime/FunctionConstructor.h: 12898 (JSC::FunctionConstructor::createStructure): 12899 * runtime/FunctionPrototype.cpp: 12900 (JSC::functionProtoFuncToString): 12901 (JSC::functionProtoFuncApply): 12902 (JSC::functionProtoFuncBind): 12903 * runtime/FunctionPrototype.h: 12904 (JSC::FunctionPrototype::createStructure): 12905 * runtime/GetterSetter.cpp: 12906 (JSC::GetterSetter::visitChildren): 12907 * runtime/GetterSetter.h: 12908 (JSC::GetterSetter::createStructure): 12909 * runtime/InternalFunction.cpp: 12910 (JSC::InternalFunction::finishCreation): 12911 * runtime/InternalFunction.h: 12912 (JSC::InternalFunction::createStructure): 12913 (JSC::asInternalFunction): 12914 * runtime/JSAPIValueWrapper.h: 12915 (JSC::JSAPIValueWrapper::createStructure): 12916 * runtime/JSActivation.cpp: 12917 (JSC::JSActivation::visitChildren): 12918 (JSC::JSActivation::argumentsGetter): 12919 * runtime/JSActivation.h: 12920 (JSC::JSActivation::createStructure): 12921 (JSC::asActivation): 12922 * runtime/JSArray.h: 12923 (JSC::JSArray::createStructure): 12924 (JSC::asArray): 12925 (JSC::isJSArray): 12926 * runtime/JSBoundFunction.cpp: 12927 (JSC::JSBoundFunction::finishCreation): 12928 (JSC::JSBoundFunction::visitChildren): 12929 * runtime/JSBoundFunction.h: 12930 (JSC::JSBoundFunction::createStructure): 12931 * runtime/JSCJSValue.cpp: 12932 (JSC::JSValue::dumpInContext): 12933 * runtime/JSCJSValueInlines.h: 12934 (JSC::JSValue::isFunction): 12935 * runtime/JSCell.h: 12936 (JSC::jsCast): 12937 (JSC::jsDynamicCast): 12938 * runtime/JSCellInlines.h: 12939 (JSC::allocateCell): 12940 * runtime/JSFunction.cpp: 12941 (JSC::JSFunction::finishCreation): 12942 (JSC::JSFunction::visitChildren): 12943 (JSC::skipOverBoundFunctions): 12944 (JSC::JSFunction::callerGetter): 12945 * runtime/JSFunction.h: 12946 (JSC::JSFunction::createStructure): 12947 * runtime/JSGlobalObject.cpp: 12948 (JSC::JSGlobalObject::visitChildren): 12949 (JSC::slowValidateCell): 12950 * runtime/JSGlobalObject.h: 12951 (JSC::JSGlobalObject::createStructure): 12952 * runtime/JSNameScope.cpp: 12953 (JSC::JSNameScope::visitChildren): 12954 * runtime/JSNameScope.h: 12955 (JSC::JSNameScope::createStructure): 12956 * runtime/JSNotAnObject.h: 12957 (JSC::JSNotAnObject::createStructure): 12958 * runtime/JSONObject.cpp: 12959 (JSC::JSONObject::finishCreation): 12960 (JSC::unwrapBoxedPrimitive): 12961 (JSC::Stringifier::Stringifier): 12962 (JSC::Stringifier::appendStringifiedValue): 12963 (JSC::Stringifier::Holder::Holder): 12964 (JSC::Walker::walk): 12965 (JSC::JSONProtoFuncStringify): 12966 * runtime/JSONObject.h: 12967 (JSC::JSONObject::createStructure): 12968 * runtime/JSObject.cpp: 12969 (JSC::getCallableObjectSlow): 12970 (JSC::JSObject::visitChildren): 12971 (JSC::JSObject::copyBackingStore): 12972 (JSC::JSFinalObject::visitChildren): 12973 (JSC::JSObject::ensureInt32Slow): 12974 (JSC::JSObject::ensureDoubleSlow): 12975 (JSC::JSObject::ensureContiguousSlow): 12976 (JSC::JSObject::ensureArrayStorageSlow): 12977 * runtime/JSObject.h: 12978 (JSC::JSObject::finishCreation): 12979 (JSC::JSObject::createStructure): 12980 (JSC::JSNonFinalObject::createStructure): 12981 (JSC::JSFinalObject::createStructure): 12982 (JSC::isJSFinalObject): 12983 * runtime/JSPropertyNameIterator.cpp: 12984 (JSC::JSPropertyNameIterator::visitChildren): 12985 * runtime/JSPropertyNameIterator.h: 12986 (JSC::JSPropertyNameIterator::createStructure): 12987 * runtime/JSProxy.cpp: 12988 (JSC::JSProxy::visitChildren): 12989 * runtime/JSProxy.h: 12990 (JSC::JSProxy::createStructure): 12991 * runtime/JSScope.cpp: 12992 (JSC::JSScope::visitChildren): 12993 * runtime/JSSegmentedVariableObject.cpp: 12994 (JSC::JSSegmentedVariableObject::visitChildren): 12995 * runtime/JSString.h: 12996 (JSC::JSString::createStructure): 12997 (JSC::isJSString): 12998 * runtime/JSSymbolTableObject.cpp: 12999 (JSC::JSSymbolTableObject::visitChildren): 13000 * runtime/JSVariableObject.h: 13001 * runtime/JSWithScope.cpp: 13002 (JSC::JSWithScope::visitChildren): 13003 * runtime/JSWithScope.h: 13004 (JSC::JSWithScope::createStructure): 13005 * runtime/JSWrapperObject.cpp: 13006 (JSC::JSWrapperObject::visitChildren): 13007 * runtime/JSWrapperObject.h: 13008 (JSC::JSWrapperObject::createStructure): 13009 * runtime/MathObject.cpp: 13010 (JSC::MathObject::finishCreation): 13011 * runtime/MathObject.h: 13012 (JSC::MathObject::createStructure): 13013 * runtime/NameConstructor.h: 13014 (JSC::NameConstructor::createStructure): 13015 * runtime/NameInstance.h: 13016 (JSC::NameInstance::createStructure): 13017 (JSC::NameInstance::finishCreation): 13018 * runtime/NamePrototype.cpp: 13019 (JSC::NamePrototype::finishCreation): 13020 (JSC::privateNameProtoFuncToString): 13021 * runtime/NamePrototype.h: 13022 (JSC::NamePrototype::createStructure): 13023 * runtime/NativeErrorConstructor.cpp: 13024 (JSC::NativeErrorConstructor::visitChildren): 13025 * runtime/NativeErrorConstructor.h: 13026 (JSC::NativeErrorConstructor::createStructure): 13027 (JSC::NativeErrorConstructor::finishCreation): 13028 * runtime/NumberConstructor.cpp: 13029 (JSC::NumberConstructor::finishCreation): 13030 * runtime/NumberConstructor.h: 13031 (JSC::NumberConstructor::createStructure): 13032 * runtime/NumberObject.cpp: 13033 (JSC::NumberObject::finishCreation): 13034 * runtime/NumberObject.h: 13035 (JSC::NumberObject::createStructure): 13036 * runtime/NumberPrototype.cpp: 13037 (JSC::NumberPrototype::finishCreation): 13038 * runtime/NumberPrototype.h: 13039 (JSC::NumberPrototype::createStructure): 13040 * runtime/ObjectConstructor.h: 13041 (JSC::ObjectConstructor::createStructure): 13042 * runtime/ObjectPrototype.cpp: 13043 (JSC::ObjectPrototype::finishCreation): 13044 * runtime/ObjectPrototype.h: 13045 (JSC::ObjectPrototype::createStructure): 13046 * runtime/PropertyMapHashTable.h: 13047 (JSC::PropertyTable::createStructure): 13048 * runtime/PropertyTable.cpp: 13049 (JSC::PropertyTable::visitChildren): 13050 * runtime/RegExp.h: 13051 (JSC::RegExp::createStructure): 13052 * runtime/RegExpConstructor.cpp: 13053 (JSC::RegExpConstructor::finishCreation): 13054 (JSC::RegExpConstructor::visitChildren): 13055 (JSC::constructRegExp): 13056 * runtime/RegExpConstructor.h: 13057 (JSC::RegExpConstructor::createStructure): 13058 (JSC::asRegExpConstructor): 13059 * runtime/RegExpMatchesArray.cpp: 13060 (JSC::RegExpMatchesArray::visitChildren): 13061 * runtime/RegExpMatchesArray.h: 13062 (JSC::RegExpMatchesArray::createStructure): 13063 * runtime/RegExpObject.cpp: 13064 (JSC::RegExpObject::finishCreation): 13065 (JSC::RegExpObject::visitChildren): 13066 * runtime/RegExpObject.h: 13067 (JSC::RegExpObject::createStructure): 13068 (JSC::asRegExpObject): 13069 * runtime/RegExpPrototype.cpp: 13070 (JSC::regExpProtoFuncTest): 13071 (JSC::regExpProtoFuncExec): 13072 (JSC::regExpProtoFuncCompile): 13073 (JSC::regExpProtoFuncToString): 13074 * runtime/RegExpPrototype.h: 13075 (JSC::RegExpPrototype::createStructure): 13076 * runtime/SparseArrayValueMap.cpp: 13077 (JSC::SparseArrayValueMap::createStructure): 13078 * runtime/SparseArrayValueMap.h: 13079 * runtime/StrictEvalActivation.h: 13080 (JSC::StrictEvalActivation::createStructure): 13081 * runtime/StringConstructor.h: 13082 (JSC::StringConstructor::createStructure): 13083 * runtime/StringObject.cpp: 13084 (JSC::StringObject::finishCreation): 13085 * runtime/StringObject.h: 13086 (JSC::StringObject::createStructure): 13087 (JSC::asStringObject): 13088 * runtime/StringPrototype.cpp: 13089 (JSC::StringPrototype::finishCreation): 13090 (JSC::stringProtoFuncReplace): 13091 (JSC::stringProtoFuncToString): 13092 (JSC::stringProtoFuncMatch): 13093 (JSC::stringProtoFuncSearch): 13094 (JSC::stringProtoFuncSplit): 13095 * runtime/StringPrototype.h: 13096 (JSC::StringPrototype::createStructure): 13097 * runtime/Structure.cpp: 13098 (JSC::Structure::Structure): 13099 (JSC::Structure::materializePropertyMap): 13100 (JSC::Structure::get): 13101 (JSC::Structure::visitChildren): 13102 * runtime/Structure.h: 13103 (JSC::Structure::typeInfo): 13104 (JSC::Structure::previousID): 13105 (JSC::Structure::outOfLineSize): 13106 (JSC::Structure::totalStorageCapacity): 13107 (JSC::Structure::materializePropertyMapIfNecessary): 13108 (JSC::Structure::materializePropertyMapIfNecessaryForPinning): 13109 * runtime/StructureChain.cpp: 13110 (JSC::StructureChain::visitChildren): 13111 * runtime/StructureChain.h: 13112 (JSC::StructureChain::createStructure): 13113 * runtime/StructureInlines.h: 13114 (JSC::Structure::get): 13115 * runtime/StructureRareData.cpp: 13116 (JSC::StructureRareData::createStructure): 13117 (JSC::StructureRareData::visitChildren): 13118 * runtime/StructureRareData.h: 13119 * runtime/SymbolTable.h: 13120 (JSC::SharedSymbolTable::createStructure): 13121 * runtime/VM.cpp: 13122 (JSC::VM::VM): 13123 (JSC::StackPreservingRecompiler::operator()): 13124 (JSC::VM::releaseExecutableMemory): 13125 * runtime/WriteBarrier.h: 13126 (JSC::validateCell): 13127 * testRegExp.cpp: 13128 (GlobalObject::createStructure): 13129 131302013-08-13 Arunprasad Rajkumar <arurajku@cisco.com> 13131 13132 [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places 13133 https://bugs.webkit.org/show_bug.cgi?id=119762 13134 13135 Reviewed by Geoffrey Garen. 13136 13137 * heap/Heap.cpp: 13138 (JSC::Heap::Heap): 13139 (JSC::Heap::markRoots): 13140 (JSC::Heap::collect): 13141 * jsc.cpp: 13142 (StopWatch::start): 13143 (StopWatch::stop): 13144 * testRegExp.cpp: 13145 (StopWatch::start): 13146 (StopWatch::stop): 13147 131482013-08-13 Julien Brianceau <jbrianceau@nds.com> 13149 13150 [sh4] Prepare LLINT for DFG_JIT implementation. 13151 https://bugs.webkit.org/show_bug.cgi?id=119755 13152 13153 Reviewed by Oliver Hunt. 13154 13155 * LLIntOffsetsExtractor.pro: Add sh4.rb dependency. 13156 * offlineasm/sh4.rb: 13157 - Handle storeb opcode. 13158 - Make relative jumps when possible using braf opcode. 13159 - Update bmulio implementation to be consistent with baseline JIT. 13160 - Remove useless code from leap opcode. 13161 - Fix incorrect comment. 13162 131632013-08-13 Julien Brianceau <jbrianceau@nds.com> 13164 13165 [sh4] Prepare baseline JIT for DFG_JIT implementation. 13166 https://bugs.webkit.org/show_bug.cgi?id=119758 13167 13168 Reviewed by Oliver Hunt. 13169 13170 * assembler/MacroAssemblerSH4.h: 13171 - Introduce a loadEffectiveAddress function to avoid code duplication. 13172 - Add ASSERTs and clean code. 13173 * assembler/SH4Assembler.h: 13174 - Prepare DFG_JIT implementation. 13175 - Add ASSERTs. 13176 * jit/JITStubs.cpp: 13177 - Add SH4 specific call for assertions. 13178 * jit/JITStubs.h: 13179 - Cosmetic change. 13180 * jit/JITStubsSH4.h: 13181 - Use constants to be more flexible with sh4 JIT stack frame. 13182 * jit/JSInterfaceJIT.h: 13183 - Cosmetic change. 13184 131852013-08-13 Oliver Hunt <oliver@apple.com> 13186 13187 Harden executeConstruct against incorrect return types from host functions 13188 https://bugs.webkit.org/show_bug.cgi?id=119757 13189 13190 Reviewed by Mark Hahnenberg. 13191 13192 Add logic to guard against bogus return types. There doesn't seem to be any 13193 class in webkit that does this wrong, but the typed array stubs in debug JSC 13194 do exhibit this bad behaviour. 13195 13196 * interpreter/Interpreter.cpp: 13197 (JSC::Interpreter::executeConstruct): 13198 131992013-08-13 Allan Sandfeld Jensen <allan.jensen@digia.com> 13200 13201 [Qt] Fix C++11 build with gcc 4.4 and 4.5 13202 https://bugs.webkit.org/show_bug.cgi?id=119736 13203 13204 Reviewed by Anders Carlsson. 13205 13206 Don't force C++11 mode off anymore. 13207 13208 * Target.pri: 13209 132102013-08-12 Oliver Hunt <oliver@apple.com> 13211 13212 Remove CodeBlock's notion of adding identifiers entirely 13213 https://bugs.webkit.org/show_bug.cgi?id=119708 13214 13215 Reviewed by Geoffrey Garen. 13216 13217 Remove addAdditionalIdentifier entirely, including the bogus assertion. 13218 Move the addition of identifiers to DFGPlan::reallyAdd 13219 13220 * bytecode/CodeBlock.h: 13221 * dfg/DFGDesiredIdentifiers.cpp: 13222 (JSC::DFG::DesiredIdentifiers::reallyAdd): 13223 * dfg/DFGDesiredIdentifiers.h: 13224 * dfg/DFGPlan.cpp: 13225 (JSC::DFG::Plan::reallyAdd): 13226 (JSC::DFG::Plan::finalize): 13227 * dfg/DFGPlan.h: 13228 132292013-08-12 Oliver Hunt <oliver@apple.com> 13230 13231 Build fix 13232 13233 * runtime/JSCell.h: 13234 132352013-08-12 Oliver Hunt <oliver@apple.com> 13236 13237 Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them 13238 https://bugs.webkit.org/show_bug.cgi?id=119705 13239 13240 Reviewed by Geoffrey Garen. 13241 13242 Relatively trivial refactoring 13243 13244 * bytecode/CodeBlock.h: 13245 (JSC::CodeBlock::numberOfAdditionalIdentifiers): 13246 (JSC::CodeBlock::addAdditionalIdentifier): 13247 (JSC::CodeBlock::identifier): 13248 (JSC::CodeBlock::numberOfIdentifiers): 13249 * dfg/DFGCommonData.h: 13250 132512013-08-12 Oliver Hunt <oliver@apple.com> 13252 13253 Stop making unnecessary copy of CodeBlock Identifier Vector 13254 https://bugs.webkit.org/show_bug.cgi?id=119702 13255 13256 Reviewed by Michael Saboff. 13257 13258 Make CodeBlock simply use a separate Vector for additional Identifiers 13259 and use the UnlinkedCodeBlock for the initial set of identifiers. 13260 13261 * bytecode/CodeBlock.cpp: 13262 (JSC::CodeBlock::printGetByIdOp): 13263 (JSC::dumpStructure): 13264 (JSC::dumpChain): 13265 (JSC::CodeBlock::printGetByIdCacheStatus): 13266 (JSC::CodeBlock::printPutByIdOp): 13267 (JSC::CodeBlock::dumpBytecode): 13268 (JSC::CodeBlock::CodeBlock): 13269 (JSC::CodeBlock::shrinkToFit): 13270 * bytecode/CodeBlock.h: 13271 (JSC::CodeBlock::numberOfIdentifiers): 13272 (JSC::CodeBlock::numberOfAdditionalIdentifiers): 13273 (JSC::CodeBlock::addAdditionalIdentifier): 13274 (JSC::CodeBlock::identifier): 13275 * dfg/DFGDesiredIdentifiers.cpp: 13276 (JSC::DFG::DesiredIdentifiers::reallyAdd): 13277 * jit/JIT.h: 13278 * jit/JITOpcodes.cpp: 13279 (JSC::JIT::emitSlow_op_get_arguments_length): 13280 * jit/JITPropertyAccess.cpp: 13281 (JSC::JIT::emit_op_get_by_id): 13282 (JSC::JIT::compileGetByIdHotPath): 13283 (JSC::JIT::emitSlow_op_get_by_id): 13284 (JSC::JIT::compileGetByIdSlowCase): 13285 (JSC::JIT::emitSlow_op_put_by_id): 13286 * jit/JITPropertyAccess32_64.cpp: 13287 (JSC::JIT::emit_op_get_by_id): 13288 (JSC::JIT::compileGetByIdHotPath): 13289 (JSC::JIT::compileGetByIdSlowCase): 13290 * jit/JITStubs.cpp: 13291 (JSC::DEFINE_STUB_FUNCTION): 13292 * llint/LLIntSlowPaths.cpp: 13293 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 13294 132952013-08-08 Mark Lam <mark.lam@apple.com> 13296 13297 Restoring use of StackIterator instead of Interpreter::getStacktrace(). 13298 https://bugs.webkit.org/show_bug.cgi?id=119575. 13299 13300 Reviewed by Oliver Hunt. 13301 13302 * interpreter/Interpreter.h: 13303 - Made getStackTrace() private. 13304 * interpreter/StackIterator.cpp: 13305 (JSC::StackIterator::StackIterator): 13306 (JSC::StackIterator::numberOfFrames): 13307 - Computes the number of frames by iterating through the whole stack 13308 from the starting frame. The iterator will save its current frame 13309 position before counting the frames, and then restoring it after 13310 the counting. 13311 (JSC::StackIterator::gotoFrameAtIndex): 13312 (JSC::StackIterator::gotoNextFrame): 13313 (JSC::StackIterator::resetIterator): 13314 - Points the iterator to the starting frame. 13315 * interpreter/StackIteratorPrivate.h: 13316 133172013-08-08 Mark Lam <mark.lam@apple.com> 13318 13319 Moved ErrorConstructor and NativeErrorConstructor helper functions into 13320 the Interpreter class. 13321 https://bugs.webkit.org/show_bug.cgi?id=119576. 13322 13323 Reviewed by Oliver Hunt. 13324 13325 This change is needed to prepare for making Interpreter::getStackTrace() 13326 private. It does not change the behavior of the code, only the lexical 13327 scoping. 13328 13329 * interpreter/Interpreter.h: 13330 - Added helper functions for ErrorConstructor and NativeErrorConstructor. 13331 * runtime/ErrorConstructor.cpp: 13332 (JSC::Interpreter::constructWithErrorConstructor): 13333 (JSC::ErrorConstructor::getConstructData): 13334 (JSC::Interpreter::callErrorConstructor): 13335 (JSC::ErrorConstructor::getCallData): 13336 - Don't want ErrorConstructor to call Interpreter::getStackTrace() 13337 directly. So, we moved the helper functions into the Interpreter 13338 class. 13339 * runtime/NativeErrorConstructor.cpp: 13340 (JSC::Interpreter::constructWithNativeErrorConstructor): 13341 (JSC::NativeErrorConstructor::getConstructData): 13342 (JSC::Interpreter::callNativeErrorConstructor): 13343 (JSC::NativeErrorConstructor::getCallData): 13344 - Don't want NativeErrorConstructor to call Interpreter::getStackTrace() 13345 directly. So, we moved the helper functions into the Interpreter 13346 class. 13347 133482013-08-07 Mark Hahnenberg <mhahnenberg@apple.com> 13349 13350 32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state 13351 https://bugs.webkit.org/show_bug.cgi?id=119555 13352 13353 Reviewed by Geoffrey Garen. 13354 13355 It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does. 13356 This was causing crashes on maps.google.com in 32-bit debug builds. 13357 13358 * dfg/DFGSpeculativeJIT32_64.cpp: 13359 (JSC::DFG::SpeculativeJIT::compile): 13360 133612013-08-06 Michael Saboff <msaboff@apple.com> 13362 13363 REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT 13364 https://bugs.webkit.org/show_bug.cgi?id=119405 13365 13366 Reviewed by Geoffrey Garen. 13367 13368 * dfg/DFGSpeculativeJIT.cpp: 13369 (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address 13370 ourselves to save a register and then load from it. 13371 133722013-08-06 Filip Pizlo <fpizlo@apple.com> 13373 13374 DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants 13375 https://bugs.webkit.org/show_bug.cgi?id=119528 13376 13377 Reviewed by Geoffrey Garen. 13378 13379 Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double 13380 uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want 13381 the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original 13382 format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int 13383 from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing. 13384 13385 This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays. 13386 13387 * bytecode/CodeBlock.cpp: 13388 (JSC::CodeBlock::finalizeUnconditionally): 13389 * dfg/DFGDriver.cpp: 13390 (JSC::DFG::compile): 13391 * dfg/DFGFixupPhase.cpp: 13392 (JSC::DFG::FixupPhase::fixupNode): 13393 * dfg/DFGGraph.cpp: 13394 (JSC::DFG::Graph::dump): 13395 * dfg/DFGSpeculativeJIT64.cpp: 13396 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 13397 * runtime/JSObject.h: 13398 (JSC::JSObject::getIndexQuickly): 13399 (JSC::JSObject::tryGetIndexQuickly): 13400 134012013-08-08 Stephanie Lewis <slewis@apple.com> 13402 13403 <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file 13404 13405 Unreviewed. 13406 13407 Ensure llint symbols are in source order. 13408 13409 * JavaScriptCore.order: 13410 134112013-08-06 Mark Lam <mark.lam@apple.com> 13412 13413 Assertion failure in emitExpressionInfo when reloading with Web Inspector open. 13414 https://bugs.webkit.org/show_bug.cgi?id=119532. 13415 13416 Reviewed by Oliver Hunt. 13417 13418 * parser/Parser.cpp: 13419 (JSC::::Parser): 13420 - Just need to initialize the Parser's JSTokenLocation's initial line and 13421 startOffset as well during Parser construction. 13422 134232013-08-06 Stephanie Lewis <slewis@apple.com> 13424 13425 Update Order Files for Safari 13426 <rdar://problem/14517392> 13427 13428 Unreviewed. 13429 13430 * JavaScriptCore.order: 13431 134322013-08-04 Sam Weinig <sam@webkit.org> 13433 13434 Remove support for HTML5 MicroData 13435 https://bugs.webkit.org/show_bug.cgi?id=119480 13436 13437 Reviewed by Anders Carlsson. 13438 13439 * Configurations/FeatureDefines.xcconfig: 13440 134412013-08-05 Oliver Hunt <oliver@apple.com> 13442 13443 Delay Arguments creation in strict mode 13444 https://bugs.webkit.org/show_bug.cgi?id=119505 13445 13446 Reviewed by Geoffrey Garen. 13447 13448 Make use of the write tracking performed by the parser to 13449 allow us to know if we're modifying the parameters to a function. 13450 Then use that information to make strict mode function opt out 13451 of eager arguments creation. 13452 13453 * bytecompiler/BytecodeGenerator.cpp: 13454 (JSC::BytecodeGenerator::BytecodeGenerator): 13455 (JSC::BytecodeGenerator::createArgumentsIfNecessary): 13456 (JSC::BytecodeGenerator::emitReturn): 13457 * bytecompiler/BytecodeGenerator.h: 13458 (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): 13459 * parser/Nodes.h: 13460 (JSC::ScopeNode::modifiesParameter): 13461 * parser/Parser.cpp: 13462 (JSC::::parseInner): 13463 * parser/Parser.h: 13464 (JSC::Scope::declareParameter): 13465 (JSC::Scope::getCapturedVariables): 13466 (JSC::Parser::declareWrite): 13467 * parser/ParserModes.h: 13468 134692013-08-06 Patrick Gansterer <paroga@webkit.org> 13470 13471 Remove useless code from COMPILER(RVCT) JITStubs 13472 https://bugs.webkit.org/show_bug.cgi?id=119521 13473 13474 Reviewed by Geoffrey Garen. 13475 13476 * jit/JITStubsARMv7.h: 13477 (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice. 13478 (JSC::ctiOpThrowNotCaught): Ditto. 13479 134802013-07-23 David Farler <dfarler@apple.com> 13481 13482 Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN 13483 https://bugs.webkit.org/show_bug.cgi?id=117762 13484 13485 Reviewed by Mark Rowe. 13486 13487 * Configurations/DebugRelease.xcconfig: 13488 Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS. 13489 * Configurations/JavaScriptCore.xcconfig: 13490 Add ASAN_OTHER_LDFLAGS. 13491 * Configurations/ToolExecutable.xcconfig: 13492 Don't use ASAN for build tools. 13493 134942013-08-06 Patrick Gansterer <paroga@webkit.org> 13495 13496 Build fix for ARM MSVC after r153222 and r153648. 13497 13498 * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath. 13499 135002013-08-06 Patrick Gansterer <paroga@webkit.org> 13501 13502 Build fix for ARM MSVC after r150109. 13503 13504 Read the stub template from a header files instead of the JITStubs.cpp. 13505 13506 * CMakeLists.txt: 13507 * DerivedSources.pri: 13508 * create_jit_stubs: 13509 135102013-08-05 Oliver Hunt <oliver@apple.com> 13511 13512 Move TypedArray implementation into JSC 13513 https://bugs.webkit.org/show_bug.cgi?id=119489 13514 13515 Reviewed by Filip Pizlo. 13516 13517 Move TypedArray implementation into JSC in advance of re-implementation 13518 13519 * GNUmakefile.list.am: 13520 * JSCTypedArrayStubs.h: 13521 * JavaScriptCore.xcodeproj/project.pbxproj: 13522 * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp. 13523 (JSC::ArrayBuffer::transfer): 13524 (JSC::ArrayBuffer::addView): 13525 (JSC::ArrayBuffer::removeView): 13526 * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h. 13527 (JSC::ArrayBufferContents::ArrayBufferContents): 13528 (JSC::ArrayBufferContents::data): 13529 (JSC::ArrayBufferContents::sizeInBytes): 13530 (JSC::ArrayBufferContents::transfer): 13531 (JSC::ArrayBufferContents::copyTo): 13532 (JSC::ArrayBuffer::isNeutered): 13533 (JSC::ArrayBuffer::~ArrayBuffer): 13534 (JSC::ArrayBuffer::clampValue): 13535 (JSC::ArrayBuffer::create): 13536 (JSC::ArrayBuffer::createUninitialized): 13537 (JSC::ArrayBuffer::ArrayBuffer): 13538 (JSC::ArrayBuffer::data): 13539 (JSC::ArrayBuffer::byteLength): 13540 (JSC::ArrayBuffer::slice): 13541 (JSC::ArrayBuffer::sliceImpl): 13542 (JSC::ArrayBuffer::clampIndex): 13543 (JSC::ArrayBufferContents::tryAllocate): 13544 (JSC::ArrayBufferContents::~ArrayBufferContents): 13545 * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp. 13546 (JSC::ArrayBufferView::ArrayBufferView): 13547 (JSC::ArrayBufferView::~ArrayBufferView): 13548 (JSC::ArrayBufferView::neuter): 13549 * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h. 13550 (JSC::ArrayBufferView::buffer): 13551 (JSC::ArrayBufferView::baseAddress): 13552 (JSC::ArrayBufferView::byteOffset): 13553 (JSC::ArrayBufferView::setNeuterable): 13554 (JSC::ArrayBufferView::isNeuterable): 13555 (JSC::ArrayBufferView::verifySubRange): 13556 (JSC::ArrayBufferView::clampOffsetAndNumElements): 13557 (JSC::ArrayBufferView::setImpl): 13558 (JSC::ArrayBufferView::setRangeImpl): 13559 (JSC::ArrayBufferView::zeroRangeImpl): 13560 (JSC::ArrayBufferView::calculateOffsetAndLength): 13561 * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h. 13562 (JSC::Float32Array::set): 13563 (JSC::Float32Array::getType): 13564 (JSC::Float32Array::create): 13565 (JSC::Float32Array::createUninitialized): 13566 (JSC::Float32Array::Float32Array): 13567 (JSC::Float32Array::subarray): 13568 * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h. 13569 (JSC::Float64Array::set): 13570 (JSC::Float64Array::getType): 13571 (JSC::Float64Array::create): 13572 (JSC::Float64Array::createUninitialized): 13573 (JSC::Float64Array::Float64Array): 13574 (JSC::Float64Array::subarray): 13575 * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h. 13576 (JSC::Int16Array::getType): 13577 (JSC::Int16Array::create): 13578 (JSC::Int16Array::createUninitialized): 13579 (JSC::Int16Array::Int16Array): 13580 (JSC::Int16Array::subarray): 13581 * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h. 13582 (JSC::Int32Array::getType): 13583 (JSC::Int32Array::create): 13584 (JSC::Int32Array::createUninitialized): 13585 (JSC::Int32Array::Int32Array): 13586 (JSC::Int32Array::subarray): 13587 * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h. 13588 (JSC::Int8Array::getType): 13589 (JSC::Int8Array::create): 13590 (JSC::Int8Array::createUninitialized): 13591 (JSC::Int8Array::Int8Array): 13592 (JSC::Int8Array::subarray): 13593 * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h. 13594 (JSC::IntegralTypedArrayBase::set): 13595 (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase): 13596 * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h. 13597 (JSC::TypedArrayBase::data): 13598 (JSC::TypedArrayBase::set): 13599 (JSC::TypedArrayBase::setRange): 13600 (JSC::TypedArrayBase::zeroRange): 13601 (JSC::TypedArrayBase::length): 13602 (JSC::TypedArrayBase::byteLength): 13603 (JSC::TypedArrayBase::item): 13604 (JSC::TypedArrayBase::checkInboundData): 13605 (JSC::TypedArrayBase::TypedArrayBase): 13606 (JSC::TypedArrayBase::create): 13607 (JSC::TypedArrayBase::createUninitialized): 13608 (JSC::TypedArrayBase::subarrayImpl): 13609 (JSC::TypedArrayBase::neuter): 13610 * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h. 13611 (JSC::Uint16Array::getType): 13612 (JSC::Uint16Array::create): 13613 (JSC::Uint16Array::createUninitialized): 13614 (JSC::Uint16Array::Uint16Array): 13615 (JSC::Uint16Array::subarray): 13616 * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h. 13617 (JSC::Uint32Array::getType): 13618 (JSC::Uint32Array::create): 13619 (JSC::Uint32Array::createUninitialized): 13620 (JSC::Uint32Array::Uint32Array): 13621 (JSC::Uint32Array::subarray): 13622 * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h. 13623 (JSC::Uint8Array::getType): 13624 (JSC::Uint8Array::create): 13625 (JSC::Uint8Array::createUninitialized): 13626 (JSC::Uint8Array::Uint8Array): 13627 (JSC::Uint8Array::subarray): 13628 * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h. 13629 (JSC::Uint8ClampedArray::getType): 13630 (JSC::Uint8ClampedArray::create): 13631 (JSC::Uint8ClampedArray::createUninitialized): 13632 (JSC::Uint8ClampedArray::zeroFill): 13633 (JSC::Uint8ClampedArray::set): 13634 (JSC::Uint8ClampedArray::Uint8ClampedArray): 13635 (JSC::Uint8ClampedArray::subarray): 13636 * runtime/VM.h: 13637 136382013-08-03 Filip Pizlo <fpizlo@apple.com> 13639 13640 Copied space should be able to handle more than one copied backing store per JSCell 13641 https://bugs.webkit.org/show_bug.cgi?id=119471 13642 13643 Reviewed by Mark Hahnenberg. 13644 13645 This allows a cell to call copyLater() multiple times for multiple different 13646 backing stores, and then have copyBackingStore() called exactly once for each 13647 of those. A token tells it which backing store to copy. All backing stores 13648 must be named using the CopyToken, an enumeration which currently cannot 13649 exceed eight entries. 13650 13651 When copyBackingStore() is called, it's up to the callee to (a) use the token 13652 to decide what to copy and (b) call its base class's copyBackingStore() in 13653 case the base class had something that needed copying. The only exception is 13654 that JSCell never asks anything to be copied, and so if your base is JSCell 13655 then you don't have to do anything. 13656 13657 * GNUmakefile.list.am: 13658 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 13659 * JavaScriptCore.xcodeproj/project.pbxproj: 13660 * heap/CopiedBlock.h: 13661 * heap/CopiedBlockInlines.h: 13662 (JSC::CopiedBlock::reportLiveBytes): 13663 * heap/CopyToken.h: Added. 13664 * heap/CopyVisitor.cpp: 13665 (JSC::CopyVisitor::copyFromShared): 13666 * heap/CopyVisitor.h: 13667 * heap/CopyVisitorInlines.h: 13668 (JSC::CopyVisitor::visitItem): 13669 * heap/CopyWorkList.h: 13670 (JSC::CopyWorklistItem::CopyWorklistItem): 13671 (JSC::CopyWorklistItem::cell): 13672 (JSC::CopyWorklistItem::token): 13673 (JSC::CopyWorkListSegment::get): 13674 (JSC::CopyWorkListSegment::append): 13675 (JSC::CopyWorkListSegment::data): 13676 (JSC::CopyWorkListIterator::get): 13677 (JSC::CopyWorkListIterator::operator*): 13678 (JSC::CopyWorkListIterator::operator->): 13679 (JSC::CopyWorkList::append): 13680 * heap/SlotVisitor.h: 13681 * heap/SlotVisitorInlines.h: 13682 (JSC::SlotVisitor::copyLater): 13683 * runtime/ClassInfo.h: 13684 * runtime/JSCell.cpp: 13685 (JSC::JSCell::copyBackingStore): 13686 * runtime/JSCell.h: 13687 * runtime/JSObject.cpp: 13688 (JSC::JSObject::visitButterfly): 13689 (JSC::JSObject::copyBackingStore): 13690 * runtime/JSObject.h: 13691 136922013-08-05 Zan Dobersek <zdobersek@igalia.com> 13693 13694 [Automake] Define ENABLE_JIT through the Autoconf header 13695 https://bugs.webkit.org/show_bug.cgi?id=119445 13696 13697 Reviewed by Martin Robinson. 13698 13699 * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library. 13700 137012013-08-03 Filip Pizlo <fpizlo@apple.com> 13702 13703 hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure 13704 https://bugs.webkit.org/show_bug.cgi?id=119470 13705 13706 Reviewed by Oliver Hunt. 13707 13708 Structure can still tell you if the object "could" (in the conservative sense) 13709 have an indexing header; that's used by the compiler. 13710 13711 Most of the time if you want to know if there's an indexing header, you ask the 13712 JSObject. 13713 13714 In some cases, the JSObject wants to know if it would have an indexing header if 13715 it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*). 13716 13717 * dfg/DFGRepatch.cpp: 13718 (JSC::DFG::tryCachePutByID): 13719 (JSC::DFG::tryBuildPutByIdList): 13720 * dfg/DFGSpeculativeJIT.cpp: 13721 (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage): 13722 (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage): 13723 * runtime/ButterflyInlines.h: 13724 (JSC::Butterfly::create): 13725 (JSC::Butterfly::growPropertyStorage): 13726 (JSC::Butterfly::growArrayRight): 13727 (JSC::Butterfly::resizeArray): 13728 * runtime/JSObject.cpp: 13729 (JSC::JSObject::copyButterfly): 13730 (JSC::JSObject::visitButterfly): 13731 * runtime/JSObject.h: 13732 (JSC::JSObject::hasIndexingHeader): 13733 (JSC::JSObject::setButterfly): 13734 * runtime/Structure.h: 13735 (JSC::Structure::couldHaveIndexingHeader): 13736 (JSC::Structure::hasIndexingHeader): 13737 137382013-08-02 Chris Curtis <chris_curtis@apple.com> 13739 13740 Give the error object's stack property accessor attributes. 13741 https://bugs.webkit.org/show_bug.cgi?id=119404 13742 13743 Reviewed by Geoffrey Garen. 13744 13745 Changed the attributes of error object's stack property to allow developers to write 13746 and delete the stack property. This will match the functionality of Chrome. Firefox 13747 allows developers to write the error's stack, but not delete it. 13748 13749 * interpreter/Interpreter.cpp: 13750 (JSC::Interpreter::addStackTraceIfNecessary): 13751 * runtime/ErrorInstance.cpp: 13752 (JSC::ErrorInstance::finishCreation): 13753 137542013-08-02 Oliver Hunt <oliver@apple.com> 13755 13756 Incorrect type speculation reported by ToPrimitive 13757 https://bugs.webkit.org/show_bug.cgi?id=119458 13758 13759 Reviewed by Mark Hahnenberg. 13760 13761 Make sure that we report the correct type possibilities for the output 13762 from ToPrimitive 13763 13764 * dfg/DFGAbstractInterpreterInlines.h: 13765 (JSC::DFG::::executeEffects): 13766 137672013-08-02 Gavin Barraclough <barraclough@apple.com> 13768 13769 Remove no-arguments constructor to PropertySlot 13770 https://bugs.webkit.org/show_bug.cgi?id=119460 13771 13772 Reviewed by Geoff Garen. 13773 13774 This constructor was unsafe if getValue is subsequently called, 13775 and the property is a getter. Simplest to just remove it. 13776 13777 * runtime/Arguments.cpp: 13778 (JSC::Arguments::defineOwnProperty): 13779 * runtime/JSActivation.cpp: 13780 (JSC::JSActivation::getOwnPropertyDescriptor): 13781 * runtime/JSFunction.cpp: 13782 (JSC::JSFunction::getOwnPropertyDescriptor): 13783 (JSC::JSFunction::getOwnNonIndexPropertyNames): 13784 (JSC::JSFunction::put): 13785 (JSC::JSFunction::defineOwnProperty): 13786 * runtime/JSGlobalObject.cpp: 13787 (JSC::JSGlobalObject::defineOwnProperty): 13788 * runtime/JSGlobalObject.h: 13789 (JSC::JSGlobalObject::hasOwnPropertyForWrite): 13790 * runtime/JSNameScope.cpp: 13791 (JSC::JSNameScope::put): 13792 * runtime/JSONObject.cpp: 13793 (JSC::Stringifier::Holder::appendNextProperty): 13794 (JSC::Walker::walk): 13795 * runtime/JSObject.cpp: 13796 (JSC::JSObject::hasProperty): 13797 (JSC::JSObject::hasOwnProperty): 13798 (JSC::JSObject::reifyStaticFunctionsForDelete): 13799 * runtime/Lookup.h: 13800 (JSC::getStaticPropertyDescriptor): 13801 (JSC::getStaticFunctionDescriptor): 13802 (JSC::getStaticValueDescriptor): 13803 * runtime/ObjectConstructor.cpp: 13804 (JSC::defineProperties): 13805 * runtime/PropertySlot.h: 13806 138072013-08-02 Mark Hahnenberg <mhahnenberg@apple.com> 13808 13809 DFG validation can cause assertion failures due to dumping 13810 https://bugs.webkit.org/show_bug.cgi?id=119456 13811 13812 Reviewed by Geoffrey Garen. 13813 13814 * bytecode/CodeBlock.cpp: 13815 (JSC::CodeBlock::hasHash): 13816 (JSC::CodeBlock::isSafeToComputeHash): 13817 (JSC::CodeBlock::hash): 13818 (JSC::CodeBlock::dumpAssumingJITType): 13819 * bytecode/CodeBlock.h: 13820 138212013-08-02 Chris Curtis <chris_curtis@apple.com> 13822 13823 Have vm's exceptionStack match java's vm's exceptionStack. 13824 https://bugs.webkit.org/show_bug.cgi?id=119362 13825 13826 Reviewed by Geoffrey Garen. 13827 13828 The error object's stack is only updated if it does not exist yet. This matches 13829 the functionality of other browsers, and Java VMs. 13830 13831 * interpreter/Interpreter.cpp: 13832 (JSC::Interpreter::addStackTraceIfNecessary): 13833 (JSC::Interpreter::throwException): 13834 * runtime/VM.cpp: 13835 (JSC::VM::clearExceptionStack): 13836 * runtime/VM.h: 13837 (JSC::VM::lastExceptionStack): 13838 138392013-08-02 Julien Brianceau <jbrianceau@nds.com> 13840 13841 REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath. 13842 https://bugs.webkit.org/show_bug.cgi?id=119447 13843 13844 Reviewed by Geoffrey Garen. 13845 13846 Fix .cpload, update call frame and do not restore registers from JIT stack frame in 13847 mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to 13848 r153583 (sh4) and r153648 (ARM). 13849 13850 * jit/JITStubsMIPS.h: 13851 138522013-08-01 Filip Pizlo <fpizlo@apple.com> 13853 13854 hasIndexingHeader should be a property of the Structure, not just the IndexingType 13855 https://bugs.webkit.org/show_bug.cgi?id=119422 13856 13857 Reviewed by Oliver Hunt. 13858 13859 This simplifies some code and also allows Structure to claim that an object 13860 has an indexing header even if it doesn't have indexed properties. 13861 13862 I also changed some calls to use hasIndexedProperties() since in some cases, 13863 that's what we actually meant. Currently the two are synonyms. 13864 13865 * dfg/DFGRepatch.cpp: 13866 (JSC::DFG::tryCachePutByID): 13867 (JSC::DFG::tryBuildPutByIdList): 13868 * dfg/DFGSpeculativeJIT.cpp: 13869 (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage): 13870 (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage): 13871 * runtime/ButterflyInlines.h: 13872 (JSC::Butterfly::create): 13873 (JSC::Butterfly::growPropertyStorage): 13874 (JSC::Butterfly::growArrayRight): 13875 (JSC::Butterfly::resizeArray): 13876 * runtime/IndexingType.h: 13877 * runtime/JSObject.cpp: 13878 (JSC::JSObject::copyButterfly): 13879 (JSC::JSObject::visitButterfly): 13880 (JSC::JSObject::setPrototype): 13881 * runtime/JSObject.h: 13882 (JSC::JSObject::setButterfly): 13883 * runtime/JSPropertyNameIterator.cpp: 13884 (JSC::JSPropertyNameIterator::create): 13885 * runtime/Structure.h: 13886 (JSC::Structure::hasIndexingHeader): 13887 138882013-08-02 Julien Brianceau <jbrianceau@nds.com> 13889 13890 REGRESSION: ARM still crashes after change set r153612. 13891 https://bugs.webkit.org/show_bug.cgi?id=119433 13892 13893 Reviewed by Michael Saboff. 13894 13895 Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7 13896 implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583 13897 for sh4 architecture. 13898 13899 * jit/JITStubsARM.h: 13900 * jit/JITStubsARMv7.h: 13901 139022013-08-02 Michael Saboff <msaboff@apple.com> 13903 13904 REGRESSION(r153612): It made jsc and layout tests crash 13905 https://bugs.webkit.org/show_bug.cgi?id=119440 13906 13907 Reviewed by Csaba Osztrogonác. 13908 13909 Made the changes if changeset r153612 only apply to 32 bit builds. 13910 13911 * jit/JITExceptions.cpp: 13912 * jit/JITExceptions.h: 13913 * jit/JITStubs.cpp: 13914 (JSC::cti_vm_throw_slowpath): 13915 * jit/JITStubs.h: 13916 139172013-08-02 Patrick Gansterer <paroga@webkit.org> 13918 13919 Add JSCTestRunnerUtils to the list of forwarding headers to fix build. 13920 13921 * CMakeLists.txt: 13922 139232013-08-01 Ruth Fong <ruth_fong@apple.com> 13924 13925 [Forms: color] <input type='color'> popover color well implementation 13926 <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356 13927 13928 Reviewed by Benjamin Poulain. 13929 13930 * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER. 13931 139322013-08-01 Oliver Hunt <oliver@apple.com> 13933 13934 DFG is not enforcing correct ordering of ToString conversion in MakeRope 13935 https://bugs.webkit.org/show_bug.cgi?id=119408 13936 13937 Reviewed by Filip Pizlo. 13938 13939 Construct ToString and Phantom nodes in advance of MakeRope 13940 nodes to ensure that ordering is ensured, and correct values 13941 will be reified on OSR exit. 13942 13943 * dfg/DFGByteCodeParser.cpp: 13944 (JSC::DFG::ByteCodeParser::parseBlock): 13945 139462013-08-01 Michael Saboff <msaboff@apple.com> 13947 13948 REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer 13949 https://bugs.webkit.org/show_bug.cgi?id=119140 13950 13951 Reviewed by Filip Pizlo. 13952 13953 Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int. 13954 13955 * jit/JITExceptions.cpp: 13956 (JSC::encode): 13957 * jit/JITExceptions.h: 13958 * jit/JITStubs.cpp: 13959 (JSC::cti_vm_throw_slowpath): 13960 * jit/JITStubs.h: 13961 139622013-08-01 Julien Brianceau <jbrianceau@nds.com> 13963 13964 REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath. 13965 https://bugs.webkit.org/show_bug.cgi?id=119391 13966 13967 Reviewed by Csaba Osztrogonác. 13968 13969 * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation: 13970 - Call frame is in r14 register. 13971 - Do not restore registers from JIT stack frame here. 13972 139732013-07-31 Gavin Barraclough <barraclough@apple.com> 13974 13975 More cleanup in PropertySlot 13976 https://bugs.webkit.org/show_bug.cgi?id=119359 13977 13978 Reviewed by Geoff Garen. 13979 13980 m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property, 13981 This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject). 13982 13983 * dfg/DFGRepatch.cpp: 13984 (JSC::DFG::tryCacheGetByID): 13985 (JSC::DFG::tryBuildGetByIDList): 13986 - No need to ASSERT slotBase is an object. 13987 * jit/JITStubs.cpp: 13988 (JSC::tryCacheGetByID): 13989 (JSC::DEFINE_STUB_FUNCTION): 13990 - No need to ASSERT slotBase is an object. 13991 * runtime/JSObject.cpp: 13992 (JSC::JSObject::getOwnPropertySlotByIndex): 13993 (JSC::JSObject::fillGetterPropertySlot): 13994 - Pass an object through to setGetterSlot. 13995 * runtime/JSObject.h: 13996 (JSC::PropertySlot::getValue): 13997 - Moved from PropertySlot (need to know anout JSObject). 13998 * runtime/PropertySlot.cpp: 13999 (JSC::PropertySlot::functionGetter): 14000 - update per member name changes 14001 * runtime/PropertySlot.h: 14002 (JSC::PropertySlot::PropertySlot): 14003 - Argument to constructor set to 'thisValue'. 14004 (JSC::PropertySlot::slotBase): 14005 - This returns a JSObject*. 14006 (JSC::PropertySlot::setValue): 14007 (JSC::PropertySlot::setCustom): 14008 (JSC::PropertySlot::setCacheableCustom): 14009 (JSC::PropertySlot::setCustomIndex): 14010 (JSC::PropertySlot::setGetterSlot): 14011 (JSC::PropertySlot::setCacheableGetterSlot): 14012 - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency. 14013 * runtime/SparseArrayValueMap.cpp: 14014 (JSC::SparseArrayEntry::get): 14015 - Pass an object through to setGetterSlot. 14016 * runtime/SparseArrayValueMap.h: 14017 - Pass an object through to setGetterSlot. 14018 140192013-07-31 Yi Shen <max.hong.shen@gmail.com> 14020 14021 Reduce JSC API static value setter/getter overhead. 14022 https://bugs.webkit.org/show_bug.cgi?id=119277 14023 14024 Reviewed by Geoffrey Garen. 14025 14026 Add property name to the static value entry, so that OpaqueJSString::create() doesn't 14027 need to get called every time when set or get the static value. 14028 14029 * API/JSCallbackObjectFunctions.h: 14030 (JSC::::put): 14031 (JSC::::putByIndex): 14032 (JSC::::getStaticValue): 14033 * API/JSClassRef.cpp: 14034 (OpaqueJSClassContextData::OpaqueJSClassContextData): 14035 * API/JSClassRef.h: 14036 (StaticValueEntry::StaticValueEntry): 14037 140382013-07-31 Kwang Yul Seo <skyul@company100.net> 14039 14040 Use emptyString instead of String("") 14041 https://bugs.webkit.org/show_bug.cgi?id=119335 14042 14043 Reviewed by Darin Adler. 14044 14045 Use emptyString() instead of String("") because it is better style and 14046 faster. This is a followup to r116908, removing all occurrences of 14047 String("") from WebKit. 14048 14049 * runtime/RegExpConstructor.cpp: 14050 (JSC::constructRegExp): 14051 * runtime/RegExpPrototype.cpp: 14052 (JSC::regExpProtoFuncCompile): 14053 * runtime/StringPrototype.cpp: 14054 (JSC::stringProtoFuncMatch): 14055 (JSC::stringProtoFuncSearch): 14056 140572013-07-31 Ruth Fong <ruth_fong@apple.com> 14058 14059 <input type=color> Mac UI behaviour 14060 <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276 14061 14062 Reviewed by Brady Eidson. 14063 14064 * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR. 14065 140662013-07-31 Mark Hahnenberg <mhahnenberg@apple.com> 14067 14068 DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT 14069 https://bugs.webkit.org/show_bug.cgi?id=119349 14070 14071 Reviewed by Geoffrey Garen. 14072 14073 Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 14074 SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied 14075 on code it compiled with any switch statements to have been run in the baseline JIT first. 14076 However, if the DFG chooses to inline a function that has never been compiled by the baseline 14077 JIT then this resizing never happens and we crash at link time in the DFG. 14078 14079 We can fix this by also doing the resize in the DFG to catch this case. 14080 14081 * dfg/DFGJITCompiler.cpp: 14082 (JSC::DFG::JITCompiler::link): 14083 140842013-07-31 Gavin Barraclough <barraclough@apple.com> 14085 14086 Speculative Windows build fix. 14087 14088 Reviewed by NOBODY 14089 14090 * runtime/JSString.cpp: 14091 (JSC::JSRopeString::getIndexSlowCase): 14092 * runtime/JSString.h: 14093 140942013-07-30 Gavin Barraclough <barraclough@apple.com> 14095 14096 Some cleanup in JSValue::get 14097 https://bugs.webkit.org/show_bug.cgi?id=119343 14098 14099 Reviewed by Geoff Garen. 14100 14101 JSValue::get is implemented to: 14102 1) Check if the value is a cell – if not, synthesize a prototype to search, 14103 2) call getOwnPropertySlot on the cell, 14104 3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain. 14105 By all rights this should crash when passed a string and accessing a property that does not exist, because 14106 the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe. 14107 To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the 14108 prototype chain, and faking out a return value of undefined if no property is found. 14109 14110 This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells 14111 from elsewhere would introduce bugs. Fortunately it is only ever called in this one place. 14112 14113 The fix here is to move getOwnPropertySlot onto JSObjecte and end this madness - cells don't have property 14114 slots anyway. 14115 14116 Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject. 14117 141182013-07-31 Michael Saboff <msaboff@apple.com> 14119 14120 [Win] JavaScript crash. 14121 https://bugs.webkit.org/show_bug.cgi?id=119339 14122 14123 Reviewed by Mark Hahnenberg. 14124 14125 * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and 14126 ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does. 14127 141282013-07-30 Mark Hahnenberg <mhahnenberg@apple.com> 14129 14130 GetByVal on Arguments does the wrong size load when checking the Arguments object length 14131 https://bugs.webkit.org/show_bug.cgi?id=119281 14132 14133 Reviewed by Geoffrey Garen. 14134 14135 This leads to out of bounds accesses and subsequent crashes. 14136 14137 * dfg/DFGSpeculativeJIT.cpp: 14138 (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): 14139 * dfg/DFGSpeculativeJIT64.cpp: 14140 (JSC::DFG::SpeculativeJIT::compile): 14141 141422013-07-30 Oliver Hunt <oliver@apple.com> 14143 14144 Add an assertion to SpeculateCellOperand 14145 https://bugs.webkit.org/show_bug.cgi?id=119276 14146 14147 Reviewed by Michael Saboff. 14148 14149 More assertions are better 14150 14151 * dfg/DFGSpeculativeJIT64.cpp: 14152 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 14153 (JSC::DFG::SpeculativeJIT::compile): 14154 141552013-07-30 Mark Lam <mark.lam@apple.com> 14156 14157 Fix problems with divot and lineStart mismatches. 14158 https://bugs.webkit.org/show_bug.cgi?id=118662. 14159 14160 Reviewed by Oliver Hunt. 14161 14162 r152494 added the recording of lineStart values for divot positions. 14163 This is needed for the computation of column numbers. Similarly, it also 14164 added the recording of line numbers for the divot positions. One problem 14165 with the approach taken was that the line and lineStart values were 14166 recorded independently, and hence were not always guaranteed to be 14167 sampled at the same place that the divot position is recorded. This 14168 resulted in potential mismatches that cause some assertions to fail. 14169 14170 The solution is to introduce a JSTextPosition abstraction that records 14171 the divot position, line, and lineStart as a single quantity. Wherever 14172 we record the divot position as an unsigned int previously, we now record 14173 its JSTextPosition which captures all 3 values in one go. This ensures 14174 that the captured line and lineStart will always match the captured divot 14175 position. 14176 14177 * bytecompiler/BytecodeGenerator.cpp: 14178 (JSC::BytecodeGenerator::emitCall): 14179 (JSC::BytecodeGenerator::emitCallEval): 14180 (JSC::BytecodeGenerator::emitCallVarargs): 14181 (JSC::BytecodeGenerator::emitConstruct): 14182 (JSC::BytecodeGenerator::emitDebugHook): 14183 - Use JSTextPosition instead of passing line and lineStart explicitly. 14184 * bytecompiler/BytecodeGenerator.h: 14185 (JSC::BytecodeGenerator::emitExpressionInfo): 14186 - Use JSTextPosition instead of passing line and lineStart explicitly. 14187 * bytecompiler/NodesCodegen.cpp: 14188 (JSC::ThrowableExpressionData::emitThrowReferenceError): 14189 (JSC::ResolveNode::emitBytecode): 14190 (JSC::BracketAccessorNode::emitBytecode): 14191 (JSC::DotAccessorNode::emitBytecode): 14192 (JSC::NewExprNode::emitBytecode): 14193 (JSC::EvalFunctionCallNode::emitBytecode): 14194 (JSC::FunctionCallValueNode::emitBytecode): 14195 (JSC::FunctionCallResolveNode::emitBytecode): 14196 (JSC::FunctionCallBracketNode::emitBytecode): 14197 (JSC::FunctionCallDotNode::emitBytecode): 14198 (JSC::CallFunctionCallDotNode::emitBytecode): 14199 (JSC::ApplyFunctionCallDotNode::emitBytecode): 14200 (JSC::PostfixNode::emitResolve): 14201 (JSC::PostfixNode::emitBracket): 14202 (JSC::PostfixNode::emitDot): 14203 (JSC::DeleteResolveNode::emitBytecode): 14204 (JSC::DeleteBracketNode::emitBytecode): 14205 (JSC::DeleteDotNode::emitBytecode): 14206 (JSC::PrefixNode::emitResolve): 14207 (JSC::PrefixNode::emitBracket): 14208 (JSC::PrefixNode::emitDot): 14209 (JSC::UnaryOpNode::emitBytecode): 14210 (JSC::BinaryOpNode::emitStrcat): 14211 (JSC::BinaryOpNode::emitBytecode): 14212 (JSC::ThrowableBinaryOpNode::emitBytecode): 14213 (JSC::InstanceOfNode::emitBytecode): 14214 (JSC::emitReadModifyAssignment): 14215 (JSC::ReadModifyResolveNode::emitBytecode): 14216 (JSC::AssignResolveNode::emitBytecode): 14217 (JSC::AssignDotNode::emitBytecode): 14218 (JSC::ReadModifyDotNode::emitBytecode): 14219 (JSC::AssignBracketNode::emitBytecode): 14220 (JSC::ReadModifyBracketNode::emitBytecode): 14221 (JSC::ForInNode::emitBytecode): 14222 (JSC::WithNode::emitBytecode): 14223 (JSC::ThrowNode::emitBytecode): 14224 - Use JSTextPosition instead of passing line and lineStart explicitly. 14225 * parser/ASTBuilder.h: 14226 - Replaced ASTBuilder::PositionInfo with JSTextPosition. 14227 (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo): 14228 (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo): 14229 (JSC::ASTBuilder::createResolve): 14230 (JSC::ASTBuilder::createBracketAccess): 14231 (JSC::ASTBuilder::createDotAccess): 14232 (JSC::ASTBuilder::createRegExp): 14233 (JSC::ASTBuilder::createNewExpr): 14234 (JSC::ASTBuilder::createAssignResolve): 14235 (JSC::ASTBuilder::createExprStatement): 14236 (JSC::ASTBuilder::createForInLoop): 14237 (JSC::ASTBuilder::createReturnStatement): 14238 (JSC::ASTBuilder::createBreakStatement): 14239 (JSC::ASTBuilder::createContinueStatement): 14240 (JSC::ASTBuilder::createLabelStatement): 14241 (JSC::ASTBuilder::createWithStatement): 14242 (JSC::ASTBuilder::createThrowStatement): 14243 (JSC::ASTBuilder::appendBinaryExpressionInfo): 14244 (JSC::ASTBuilder::appendUnaryToken): 14245 (JSC::ASTBuilder::unaryTokenStackLastStart): 14246 (JSC::ASTBuilder::assignmentStackAppend): 14247 (JSC::ASTBuilder::createAssignment): 14248 (JSC::ASTBuilder::setExceptionLocation): 14249 (JSC::ASTBuilder::makeDeleteNode): 14250 (JSC::ASTBuilder::makeFunctionCallNode): 14251 (JSC::ASTBuilder::makeBinaryNode): 14252 (JSC::ASTBuilder::makeAssignNode): 14253 (JSC::ASTBuilder::makePrefixNode): 14254 (JSC::ASTBuilder::makePostfixNode): 14255 - Use JSTextPosition instead of passing line and lineStart explicitly. 14256 * parser/Lexer.cpp: 14257 (JSC::::lex): 14258 - Added support for capturing the appropriate JSTextPositions instead 14259 of just the character offset. 14260 * parser/Lexer.h: 14261 (JSC::Lexer::currentPosition): 14262 (JSC::::lexExpectIdentifier): 14263 - Added support for capturing the appropriate JSTextPositions instead 14264 of just the character offset. 14265 * parser/NodeConstructors.h: 14266 (JSC::Node::Node): 14267 (JSC::ResolveNode::ResolveNode): 14268 (JSC::EvalFunctionCallNode::EvalFunctionCallNode): 14269 (JSC::FunctionCallValueNode::FunctionCallValueNode): 14270 (JSC::FunctionCallResolveNode::FunctionCallResolveNode): 14271 (JSC::FunctionCallBracketNode::FunctionCallBracketNode): 14272 (JSC::FunctionCallDotNode::FunctionCallDotNode): 14273 (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode): 14274 (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode): 14275 (JSC::PostfixNode::PostfixNode): 14276 (JSC::DeleteResolveNode::DeleteResolveNode): 14277 (JSC::DeleteBracketNode::DeleteBracketNode): 14278 (JSC::DeleteDotNode::DeleteDotNode): 14279 (JSC::PrefixNode::PrefixNode): 14280 (JSC::ReadModifyResolveNode::ReadModifyResolveNode): 14281 (JSC::ReadModifyBracketNode::ReadModifyBracketNode): 14282 (JSC::AssignBracketNode::AssignBracketNode): 14283 (JSC::AssignDotNode::AssignDotNode): 14284 (JSC::ReadModifyDotNode::ReadModifyDotNode): 14285 (JSC::AssignErrorNode::AssignErrorNode): 14286 (JSC::WithNode::WithNode): 14287 (JSC::ForInNode::ForInNode): 14288 - Use JSTextPosition instead of passing line and lineStart explicitly. 14289 * parser/Nodes.cpp: 14290 (JSC::StatementNode::setLoc): 14291 - Use JSTextPosition instead of passing line and lineStart explicitly. 14292 * parser/Nodes.h: 14293 (JSC::Node::lineNo): 14294 (JSC::Node::startOffset): 14295 (JSC::Node::lineStartOffset): 14296 (JSC::Node::position): 14297 (JSC::ThrowableExpressionData::ThrowableExpressionData): 14298 (JSC::ThrowableExpressionData::setExceptionSourceCode): 14299 (JSC::ThrowableExpressionData::divot): 14300 (JSC::ThrowableExpressionData::divotStart): 14301 (JSC::ThrowableExpressionData::divotEnd): 14302 (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData): 14303 (JSC::ThrowableSubExpressionData::setSubexpressionInfo): 14304 (JSC::ThrowableSubExpressionData::subexpressionDivot): 14305 (JSC::ThrowableSubExpressionData::subexpressionStart): 14306 (JSC::ThrowableSubExpressionData::subexpressionEnd): 14307 (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData): 14308 (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo): 14309 (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot): 14310 (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart): 14311 (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd): 14312 - Use JSTextPosition instead of passing line and lineStart explicitly. 14313 * parser/Parser.cpp: 14314 (JSC::::Parser): 14315 (JSC::::parseInner): 14316 - Use JSTextPosition instead of passing line and lineStart explicitly. 14317 (JSC::::didFinishParsing): 14318 - Remove setting of m_lastLine value. We always pass in the value from 14319 m_lastLine anyway. So, this assignment is effectively a nop. 14320 (JSC::::parseVarDeclaration): 14321 (JSC::::parseVarDeclarationList): 14322 (JSC::::parseForStatement): 14323 (JSC::::parseBreakStatement): 14324 (JSC::::parseContinueStatement): 14325 (JSC::::parseReturnStatement): 14326 (JSC::::parseThrowStatement): 14327 (JSC::::parseWithStatement): 14328 (JSC::::parseTryStatement): 14329 (JSC::::parseBlockStatement): 14330 (JSC::::parseFunctionDeclaration): 14331 (JSC::LabelInfo::LabelInfo): 14332 (JSC::::parseExpressionOrLabelStatement): 14333 (JSC::::parseExpressionStatement): 14334 (JSC::::parseAssignmentExpression): 14335 (JSC::::parseBinaryExpression): 14336 (JSC::::parseProperty): 14337 (JSC::::parsePrimaryExpression): 14338 (JSC::::parseMemberExpression): 14339 (JSC::::parseUnaryExpression): 14340 - Use JSTextPosition instead of passing line and lineStart explicitly. 14341 * parser/Parser.h: 14342 (JSC::Parser::next): 14343 (JSC::Parser::nextExpectIdentifier): 14344 (JSC::Parser::getToken): 14345 (JSC::Parser::tokenStartPosition): 14346 (JSC::Parser::tokenEndPosition): 14347 (JSC::Parser::lastTokenEndPosition): 14348 (JSC::::parse): 14349 - Use JSTextPosition instead of passing line and lineStart explicitly. 14350 * parser/ParserTokens.h: 14351 (JSC::JSTextPosition::JSTextPosition): 14352 (JSC::JSTextPosition::operator+): 14353 (JSC::JSTextPosition::operator-): 14354 (JSC::JSTextPosition::operator int): 14355 - Added JSTextPosition. 14356 * parser/SyntaxChecker.h: 14357 (JSC::SyntaxChecker::makeFunctionCallNode): 14358 (JSC::SyntaxChecker::makeAssignNode): 14359 (JSC::SyntaxChecker::makePrefixNode): 14360 (JSC::SyntaxChecker::makePostfixNode): 14361 (JSC::SyntaxChecker::makeDeleteNode): 14362 (JSC::SyntaxChecker::createResolve): 14363 (JSC::SyntaxChecker::createBracketAccess): 14364 (JSC::SyntaxChecker::createDotAccess): 14365 (JSC::SyntaxChecker::createRegExp): 14366 (JSC::SyntaxChecker::createNewExpr): 14367 (JSC::SyntaxChecker::createAssignResolve): 14368 (JSC::SyntaxChecker::createForInLoop): 14369 (JSC::SyntaxChecker::createReturnStatement): 14370 (JSC::SyntaxChecker::createBreakStatement): 14371 (JSC::SyntaxChecker::createContinueStatement): 14372 (JSC::SyntaxChecker::createWithStatement): 14373 (JSC::SyntaxChecker::createLabelStatement): 14374 (JSC::SyntaxChecker::createThrowStatement): 14375 (JSC::SyntaxChecker::appendBinaryExpressionInfo): 14376 (JSC::SyntaxChecker::operatorStackPop): 14377 - Use JSTextPosition instead of passing line and lineStart explicitly. 14378 143792013-07-29 Carlos Garcia Campos <cgarcia@igalia.com> 14380 14381 Unreviewed. Fix make distcheck. 14382 14383 * GNUmakefile.list.am: Add missing files to compilation. 14384 * bytecode/CodeBlock.cpp: Add a ENABLE(FTL_JIT) #if block to 14385 include FTL header files not included in the compilation. 14386 * dfg/DFGDriver.cpp: Ditto. 14387 * dfg/DFGPlan.cpp: Ditto. 14388 143892013-07-29 Chris Curtis <chris_curtis@apple.com> 14390 14391 Eager stack trace for error objects. 14392 https://bugs.webkit.org/show_bug.cgi?id=118918 14393 14394 Reviewed by Geoffrey Garen. 14395 14396 Chrome and Firefox give error objects the stack property and we wanted to match 14397 that functionality. This allows developers to see the stack without throwing an object. 14398 14399 * runtime/ErrorInstance.cpp: 14400 (JSC::ErrorInstance::finishCreation): 14401 For error objects that are not thrown as an exception, we pass the stackTrace in 14402 as a parameter. This allows the error object to have the stack property. 14403 14404 * interpreter/Interpreter.cpp: 14405 (JSC::stackTraceAsString): 14406 Helper function used to eliminate duplicate code. 14407 14408 (JSC::Interpreter::addStackTraceIfNecessary): 14409 When an error object is created by the user the vm->exceptionStack is not set. 14410 If the user throws this error object later the stack that is in the error object 14411 may not be the correct stack for the throw, so when we set the vm->exception stack, 14412 the stack property on the error object is set as well. 14413 14414 * runtime/ErrorConstructor.cpp: 14415 (JSC::constructWithErrorConstructor): 14416 (JSC::callErrorConstructor): 14417 * runtime/NativeErrorConstructor.cpp: 14418 (JSC::constructWithNativeErrorConstructor): 14419 (JSC::callNativeErrorConstructor): 14420 These functions indicate that the user created an error object. For all error objects 14421 that the user explicitly creates, the topCallFrame is at a new frame created to 14422 handle the user's call. In this case though, the error object needs the caller's 14423 frame to create the stack trace correctly. 14424 14425 * interpreter/Interpreter.h: 14426 * runtime/ErrorInstance.h: 14427 (JSC::ErrorInstance::create): 14428 144292013-07-29 Gavin Barraclough <barraclough@apple.com> 14430 14431 Some cleanup in PropertySlot 14432 https://bugs.webkit.org/show_bug.cgi?id=119189 14433 14434 Reviewed by Geoff Garen. 14435 14436 PropertySlot represents a property in one of four states - value, getter, custom, or custom-index. 14437 The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue) 14438 is set to a special value to indicate the type (other than custom), and the type is also tracked by 14439 an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset 14440 (this is invalidOffset if not cacheable). 14441 14442 * Internally, always track the type of the property using an enum value, PropertyType. 14443 * Use m_offset to indicate cacheable. 14444 * Keep the external interface (CachedPropertyType) unchanged. 14445 * Better pack data into the m_data union. 14446 14447 Performance neutral. 14448 14449 * dfg/DFGRepatch.cpp: 14450 (JSC::DFG::tryCacheGetByID): 14451 (JSC::DFG::tryBuildGetByIDList): 14452 - cachedPropertyType() -> isCacheable*() 14453 * jit/JITPropertyAccess.cpp: 14454 (JSC::JIT::privateCompileGetByIdProto): 14455 (JSC::JIT::privateCompileGetByIdSelfList): 14456 (JSC::JIT::privateCompileGetByIdProtoList): 14457 (JSC::JIT::privateCompileGetByIdChainList): 14458 (JSC::JIT::privateCompileGetByIdChain): 14459 - cachedPropertyType() -> isCacheable*() 14460 * jit/JITPropertyAccess32_64.cpp: 14461 (JSC::JIT::privateCompileGetByIdProto): 14462 (JSC::JIT::privateCompileGetByIdSelfList): 14463 (JSC::JIT::privateCompileGetByIdProtoList): 14464 (JSC::JIT::privateCompileGetByIdChainList): 14465 (JSC::JIT::privateCompileGetByIdChain): 14466 - cachedPropertyType() -> isCacheable*() 14467 * jit/JITStubs.cpp: 14468 (JSC::tryCacheGetByID): 14469 - cachedPropertyType() -> isCacheable*() 14470 * llint/LLIntSlowPaths.cpp: 14471 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 14472 - cachedPropertyType() -> isCacheable*() 14473 * runtime/PropertySlot.cpp: 14474 (JSC::PropertySlot::functionGetter): 14475 - refactoring described above. 14476 * runtime/PropertySlot.h: 14477 (JSC::PropertySlot::PropertySlot): 14478 (JSC::PropertySlot::getValue): 14479 (JSC::PropertySlot::isCacheable): 14480 (JSC::PropertySlot::isCacheableValue): 14481 (JSC::PropertySlot::isCacheableGetter): 14482 (JSC::PropertySlot::isCacheableCustom): 14483 (JSC::PropertySlot::cachedOffset): 14484 (JSC::PropertySlot::customGetter): 14485 (JSC::PropertySlot::setValue): 14486 (JSC::PropertySlot::setCustom): 14487 (JSC::PropertySlot::setCacheableCustom): 14488 (JSC::PropertySlot::setCustomIndex): 14489 (JSC::PropertySlot::setGetterSlot): 14490 (JSC::PropertySlot::setCacheableGetterSlot): 14491 (JSC::PropertySlot::setUndefined): 14492 (JSC::PropertySlot::slotBase): 14493 (JSC::PropertySlot::setBase): 14494 - refactoring described above. 14495 144962013-07-28 Oliver Hunt <oliver@apple.com> 14497 14498 REGRESSION: Crash when opening Facebook.com 14499 https://bugs.webkit.org/show_bug.cgi?id=119155 14500 14501 Reviewed by Andreas Kling. 14502 14503 Scope nodes are always objects, so we should be using SpecObjectOther 14504 rather than SpecCellOther. Marking Scopes as CellOther leads to a 14505 contradiction in the CFA, resulting in bogus codegen. 14506 14507 * dfg/DFGAbstractInterpreterInlines.h: 14508 (JSC::DFG::::executeEffects): 14509 * dfg/DFGPredictionPropagationPhase.cpp: 14510 (JSC::DFG::PredictionPropagationPhase::propagate): 14511 145122013-07-26 Oliver Hunt <oliver@apple.com> 14513 14514 REGRESSION(FTL?): Crashes in plugin tests 14515 https://bugs.webkit.org/show_bug.cgi?id=119141 14516 14517 Reviewed by Michael Saboff. 14518 14519 Re-export getStackTrace 14520 14521 * interpreter/Interpreter.h: 14522 145232013-07-26 Filip Pizlo <fpizlo@apple.com> 14524 14525 REGRESSION: Crash when opening a message on Gmail 14526 https://bugs.webkit.org/show_bug.cgi?id=119105 14527 14528 Reviewed by Oliver Hunt and Mark Hahnenberg. 14529 14530 - GetById patching in the DFG needs to be more disciplined about how it derives the 14531 slow path. 14532 14533 - Fix some dumping code thread safety issues. 14534 14535 * bytecode/CallLinkStatus.cpp: 14536 (JSC::CallLinkStatus::dump): 14537 * bytecode/CodeBlock.cpp: 14538 (JSC::CodeBlock::dumpBytecode): 14539 * dfg/DFGRepatch.cpp: 14540 (JSC::DFG::getPolymorphicStructureList): 14541 (JSC::DFG::tryBuildGetByIDList): 14542 145432013-07-26 Balazs Kilvady <kilvadyb@homejinni.com> 14544 14545 [mips] Fix LLINT build for mips backend 14546 https://bugs.webkit.org/show_bug.cgi?id=119152 14547 14548 Reviewed by Oliver Hunt. 14549 14550 * offlineasm/mips.rb: 14551 145522013-07-19 Mark Hahnenberg <mhahnenberg@apple.com> 14553 14554 Setting a large numeric property on an object causes it to allocate a huge backing store 14555 https://bugs.webkit.org/show_bug.cgi?id=118914 14556 14557 Reviewed by Geoffrey Garen. 14558 14559 There are two distinct actions that we're trying to optimize for: 14560 14561 new Array(100000); 14562 14563 and: 14564 14565 a = []; 14566 a[100000] = 42; 14567 14568 In the first case, the programmer has indicated that they expect this Array to be very big, 14569 so they should get a contiguous array up until some threshold, above which we perform density 14570 calculations to see if it is indeed dense enough to warrant being contiguous. 14571 14572 In the second case, the programmer hasn't indicated anything about the size of the Array, so 14573 we should be more conservative and assume it should be sparse until we've proven otherwise. 14574 14575 Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 14576 between them for the purposes of not over-allocating large backing stores like we see on 14577 http://www.peekanalytics.com/burgerjoints/ 14578 14579 The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 14580 introduce a new heuristic for the second case. If we are putting to an index above a certain 14581 threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 14582 map instead. So for example, in the second case above the empty array has a blank indexing 14583 type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map. 14584 14585 This fix is ~800x speedup on the accompanying regression test :-o 14586 14587 * runtime/ArrayConventions.h: 14588 (JSC::indexIsSufficientlyBeyondLengthForSparseMap): 14589 * runtime/JSObject.cpp: 14590 (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): 14591 (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage): 14592 (JSC::JSObject::putByIndexBeyondVectorLength): 14593 (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage): 14594 145952013-07-26 Julien Brianceau <jbrianceau@nds.com> 14596 14597 REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT. 14598 https://bugs.webkit.org/show_bug.cgi?id=119148 14599 14600 Reviewed by Csaba Osztrogonác. 14601 14602 * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4. 14603 * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing 14604 in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid 14605 code duplication. 14606 146072013-07-26 Julien Brianceau <jbrianceau@nds.com> 14608 14609 REGRESSION(FTL): Crash in sh4 baseline JIT. 14610 https://bugs.webkit.org/show_bug.cgi?id=119138 14611 14612 Reviewed by Csaba Osztrogonác. 14613 14614 This crash is due to incomplete report of r150146 and r148474. 14615 14616 * jit/JITStubsSH4.h: 14617 146182013-07-26 Zan Dobersek <zdobersek@igalia.com> 14619 14620 Unreviewed. 14621 14622 * Target.pri: Adding missing DFG files to the Qt build. 14623 146242013-07-25 Csaba Osztrogonác <ossy@webkit.org> 14625 14626 GTK and Qt buildfix after the intrusive win buildfix r153360. 14627 14628 * GNUmakefile.list.am: 14629 * Target.pri: 14630 146312013-07-25 Gyuyoung Kim <gyuyoung.kim@samsung.com> 14632 14633 Unreviewed, fix build break after r153360. 14634 14635 * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp. 14636 146372013-07-25 Roger Fong <roger_fong@apple.com> 14638 14639 Unreviewed build fix, AppleWin port. 14640 14641 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 14642 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 14643 * JavaScriptCore.vcxproj/copy-files.cmd: 14644 146452013-07-25 Roger Fong <roger_fong@apple.com> 14646 14647 Unreviewed. Followup to r153360. 14648 14649 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 14650 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 14651 146522013-07-25 Michael Saboff <msaboff@apple.com> 14653 14654 [Windows] Speculative build fix. 14655 14656 Moved interpreterThrowInCaller() out of LLintExceptions.cpp into new CommonSlowPathsExceptions.cpp 14657 that is always compiled. Made LLInt::returnToThrow() conditional on LLINT being enabled. 14658 14659 * JavaScriptCore.xcodeproj/project.pbxproj: 14660 * llint/LLIntExceptions.cpp: 14661 * llint/LLIntExceptions.h: 14662 * llint/LLIntSlowPaths.cpp: 14663 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 14664 * runtime/CommonSlowPaths.cpp: 14665 (JSC::SLOW_PATH_DECL): 14666 * runtime/CommonSlowPathsExceptions.cpp: Added. 14667 (JSC::CommonSlowPaths::interpreterThrowInCaller): 14668 * runtime/CommonSlowPathsExceptions.h: Added. 14669 146702013-07-25 Brent Fulgham <bfulgham@apple.com> 14671 14672 [Windows] Unreviewed build fix. 14673 14674 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and 14675 parser/SourceCode.h,.cpp. 14676 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto. 14677 146782013-07-25 Anders Carlsson <andersca@apple.com> 14679 14680 ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT 14681 https://bugs.webkit.org/show_bug.cgi?id=119108 14682 14683 Reviewed by Mark Hahnenberg. 14684 14685 Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread. 14686 14687 * heap/CopiedSpace.cpp: 14688 (JSC::CopiedSpace::tryAllocateSlowCase): 14689 * heap/Heap.cpp: 14690 (JSC::Heap::protect): 14691 (JSC::Heap::unprotect): 14692 (JSC::Heap::collect): 14693 * heap/MarkedAllocator.cpp: 14694 (JSC::MarkedAllocator::allocateSlowCase): 14695 * runtime/JSGlobalObject.cpp: 14696 (JSC::JSGlobalObject::init): 14697 * runtime/VM.h: 14698 (JSC::VM::currentThreadIsHoldingAPILock): 14699 147002013-07-25 Zan Dobersek <zdobersek@igalia.com> 14701 14702 REGRESSION(FTL): Most layout tests crashes 14703 https://bugs.webkit.org/show_bug.cgi?id=119089 14704 14705 Reviewed by Oliver Hunt. 14706 14707 * runtime/ExecutionHarness.h: 14708 (JSC::prepareForExecution): Move prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled 14709 code to create the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode 14710 RefPtr<JSC::JITCode> parameter before the latter was actually given a proper value through the prepareForExecutionImpl call. 14711 Currently it's created beforehand and therefor holds a null pointer before it's anchored as the JIT code in 14712 JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile. 14713 (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl. 14714 147152013-07-25 Brent Fulgham <bfulgham@apple.com> 14716 14717 [Windows] Unreviewed build fix. 14718 14719 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl' 14720 include path. 14721 147222013-07-25 Brent Fulgham <bfulgham@apple.com> 14723 14724 [Windows] Unreviewed build fix. 14725 14726 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files: 14727 runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp. 14728 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto. 14729 147302013-07-25 Oliver Hunt <oliver@apple.com> 14731 14732 Make all jit & non-jit combos build cleanly 14733 https://bugs.webkit.org/show_bug.cgi?id=119102 14734 14735 Reviewed by Anders Carlsson. 14736 14737 * bytecode/CodeBlock.cpp: 14738 (JSC::CodeBlock::counterValueForOptimizeSoon): 14739 * bytecode/CodeBlock.h: 14740 (JSC::CodeBlock::optimizeAfterWarmUp): 14741 (JSC::CodeBlock::numberOfDFGCompiles): 14742 147432013-07-25 Oliver Hunt <oliver@apple.com> 14744 14745 32 bit portion of load validation logic 14746 https://bugs.webkit.org/show_bug.cgi?id=118878 14747 14748 Reviewed by NOBODY (Build fix). 14749 14750 * dfg/DFGSpeculativeJIT32_64.cpp: 14751 (JSC::DFG::SpeculativeJIT::compile): 14752 147532013-07-25 Oliver Hunt <oliver@apple.com> 14754 14755 More 32bit build fixes 14756 14757 - Apparnetly some compilers don't track the fastcall directive everywhere we expect 14758 14759 * API/APICallbackFunction.h: 14760 (JSC::APICallbackFunction::call): 14761 * bytecode/CodeBlock.cpp: 14762 * runtime/Structure.cpp: 14763 147642013-07-25 Yi Shen <max.hong.shen@gmail.com> 14765 14766 Optimize the thread locks for API Shims 14767 https://bugs.webkit.org/show_bug.cgi?id=118573 14768 14769 Reviewed by Geoffrey Garen. 14770 14771 Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM 14772 only used by WebCore's main thread). 14773 14774 * API/APIShims.h: 14775 (JSC::APIEntryShim::APIEntryShim): 14776 (JSC::APICallbackShim::APICallbackShim): 14777 * runtime/JSLock.cpp: 14778 (JSC::JSLockHolder::JSLockHolder): 14779 (JSC::JSLockHolder::init): 14780 (JSC::JSLockHolder::~JSLockHolder): 14781 (JSC::JSLock::DropAllLocks::DropAllLocks): 14782 (JSC::JSLock::DropAllLocks::~DropAllLocks): 14783 * runtime/VM.cpp: 14784 (JSC::VM::VM): 14785 * runtime/VM.h: 14786 147872013-07-25 Christophe Dumez <ch.dumez@sisa.samsung.com> 14788 14789 Unreviewed build fix after r153218. 14790 14791 Broke the EFL port build with gcc 4.7. 14792 14793 * interpreter/StackIterator.cpp: 14794 (JSC::printif): 14795 147962013-07-25 Julien Brianceau <jbrianceau@nds.com> 14797 14798 Build fix: add missing #include. 14799 https://bugs.webkit.org/show_bug.cgi?id=119087 14800 14801 Reviewed by Allan Sandfeld Jensen. 14802 14803 * bytecode/ArrayProfile.cpp: 14804 148052013-07-25 Ryuan Choi <ryuan.choi@samsung.com> 14806 14807 Unreviewed, build fix on the EFL port. 14808 14809 * CMakeLists.txt: Added JSCTestRunnerUtils.cpp. 14810 148112013-07-25 Julien Brianceau <jbrianceau@nds.com> 14812 14813 [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT. 14814 https://bugs.webkit.org/show_bug.cgi?id=119083 14815 14816 Reviewed by Allan Sandfeld Jensen. 14817 14818 * assembler/MacroAssemblerSH4.h: 14819 (JSC::MacroAssemblerSH4::store8): 14820 148212013-07-25 Allan Sandfeld Jensen <allan.jensen@digia.com> 14822 14823 [Qt] Fix test build after FTL upstream 14824 14825 Unreviewed build fix. 14826 14827 * Target.pri: 14828 148292013-07-25 Allan Sandfeld Jensen <allan.jensen@digia.com> 14830 14831 [Qt] Build fix after FTL. 14832 14833 Un Reviewed build fix. 14834 14835 * Target.pri: 14836 * interpreter/StackIterator.cpp: 14837 (JSC::StackIterator::Frame::print): 14838 148392013-07-25 Gabor Rapcsanyi <rgabor@webkit.org> 14840 14841 Unreviewed build fix after FTL upstream. 14842 14843 * dfg/DFGWorklist.cpp: 14844 (JSC::DFG::Worklist::~Worklist): 14845 148462013-07-25 Ryuan Choi <ryuan.choi@samsung.com> 14847 14848 Unreviewed, build fix on the EFL port. 14849 14850 * CMakeLists.txt: 14851 Added SourceCode.cpp and removed BlackBerry file. 14852 * jit/JITCode.h: 14853 (JSC::JITCode::nextTierJIT): 14854 Fixed to build break because of -Werror=return-type 14855 * parser/Lexer.cpp: Includes JSFunctionInlines.h 14856 * runtime/JSScope.h: 14857 (JSC::makeType): 14858 Fixed to build break because of -Werror=return-type 14859 148602013-07-25 Ádám Kallai <kadam@inf.u-szeged.hu> 14861 14862 Unreviewed build fixing after FTL upstream. 14863 14864 * runtime/Executable.cpp: 14865 (JSC::FunctionExecutable::produceCodeBlockFor): 14866 148672013-07-25 Julien Brianceau <jbrianceau@nds.com> 14868 14869 Add missing implementation of bxxxnz in sh4 LLINT. 14870 https://bugs.webkit.org/show_bug.cgi?id=119079 14871 14872 Reviewed by Allan Sandfeld Jensen. 14873 14874 * offlineasm/sh4.rb: 14875 148762013-07-25 Gabor Rapcsanyi <rgabor@webkit.org> 14877 14878 Unreviewed, build fix on the Qt port. 14879 14880 * Target.pri: Add additional build files for the FTL. 14881 148822013-07-25 Ádám Kallai <kadam@inf.u-szeged.hu> 14883 14884 Unreviewed buildfix after FTL upstream.. 14885 14886 * interpreter/StackIterator.cpp: 14887 (JSC::StackIterator::Frame::codeType): 14888 (JSC::StackIterator::Frame::functionName): 14889 (JSC::StackIterator::Frame::sourceURL): 14890 (JSC::StackIterator::Frame::logicalFrame): 14891 148922013-07-25 Zan Dobersek <zdobersek@igalia.com> 14893 14894 Unreviewed. 14895 14896 * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock 14897 method is not left undefined, causing build failures on (at least) the GTK port. 14898 148992013-07-25 Zan Dobersek <zdobersek@igalia.com> 14900 14901 Unreviewed, further build fixing on the GTK port. 14902 14903 * GNUmakefile.list.am: Add CompilationResult source files to the build. 14904 149052013-07-25 Zan Dobersek <zdobersek@igalia.com> 14906 14907 Unreviewed GTK build fixing. 14908 14909 * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list. 14910 * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge. 14911 149122013-07-25 Csaba Osztrogonác <ossy@webkit.org> 14913 14914 Buildfix after this error: 14915 error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized] 14916 14917 * dfg/DFGPlan.cpp: 14918 (JSC::DFG::Plan::compileInThread): 14919 149202013-07-25 Csaba Osztrogonác <ossy@webkit.org> 14921 14922 One more buildfix after FTL upstream. 14923 14924 Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy. 14925 14926 * dfg/DFGLazyJSValue.cpp: 14927 (JSC::DFG::LazyJSValue::getValue): 14928 (JSC::DFG::LazyJSValue::strictEqual): 14929 149302013-07-25 Julien Brianceau <jbrianceau@nds.com> 14931 14932 Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT. 14933 https://bugs.webkit.org/show_bug.cgi?id=119076 14934 14935 Reviewed by Allan Sandfeld Jensen. 14936 14937 * offlineasm/mips.rb: 14938 * offlineasm/sh4.rb: 14939 149402013-07-25 Zan Dobersek <zdobersek@igalia.com> 14941 14942 Unreviewed GTK build fix. 14943 14944 * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build. 14945 149462013-07-25 Zan Dobersek <zdobersek@igalia.com> 14947 14948 Unreviewed. Further build fixing for the GTK port. Adding the forwarding header 14949 for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation. 14950 14951 * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added. 14952 149532013-07-25 Zan Dobersek <zdobersek@igalia.com> 14954 14955 Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list. 14956 14957 * GNUmakefile.am: 14958 * GNUmakefile.list.am: 14959 149602013-07-25 Ádám Kallai <kadam@inf.u-szeged.hu> 14961 14962 Unreviewed buildfix after FTL upstream. 14963 14964 * runtime/JSScope.h: 14965 (JSC::needsVarInjectionChecks): 14966 149672013-07-25 Csaba Osztrogonác <ossy@webkit.org> 14968 14969 One more fix after FTL upstream. 14970 14971 * Target.pri: 14972 * bytecode/CodeBlock.h: 14973 * bytecode/GetByIdStatus.h: 14974 (JSC::GetByIdStatus::GetByIdStatus): 14975 149762013-07-24 Csaba Osztrogonác <ossy@webkit.org> 14977 14978 Unreviewed buildfix after FTL upstream. 14979 14980 Add ftl directory as include path. 14981 14982 * CMakeLists.txt: 14983 * JavaScriptCore.pri: 14984 149852013-07-24 Csaba Osztrogonác <ossy@webkit.org> 14986 14987 Unreviewed buildfix after FTL upstream for non C++11 builds. 14988 14989 * interpreter/CallFrame.h: 14990 * interpreter/StackIteratorPrivate.h: 14991 (JSC::StackIterator::end): 14992 149932013-07-24 Oliver Hunt <oliver@apple.com> 14994 14995 Endeavour to fix CMakelist builds 14996 14997 * CMakeLists.txt: 14998 149992013-07-24 Filip Pizlo <fpizlo@apple.com> 15000 15001 fourthTier: DFG IR dumps should be easier to read 15002 https://bugs.webkit.org/show_bug.cgi?id=119050 15003 15004 Reviewed by Mark Hahnenberg. 15005 15006 Added a DumpContext that includes support for printing an endnote 15007 that describes all structures in full, while the main flow of the 15008 dump just uses made-up names for the structures. This is helpful 15009 since Structure::dump() may print a lot. The stuff it prints is 15010 useful, but if it's all inline with the surrounding thing you're 15011 dumping (often, a node in the DFG), then you get a ridiculously 15012 long print-out. All classes that dump structures (including 15013 Structure itself) now have dumpInContext() methods that use 15014 inContext() for dumping anything that might transitively print a 15015 structure. If Structure::dumpInContext() is called with a NULL 15016 context, it just uses dump() like before. Hence you don't have to 15017 know anything about DumpContext unless you want to. 15018 15019 inContext(*structure, context) dumps something like %B4:Array, 15020 and the endnote will have something like: 15021 15022 %B4:Array = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0] 15023 15024 where B4 is the inferred name that StringHashDumpContext came up 15025 with. 15026 15027 Also shortened a bunch of other dumps, removing information that 15028 isn't so important. 15029 15030 * JavaScriptCore.xcodeproj/project.pbxproj: 15031 * bytecode/ArrayProfile.cpp: 15032 (JSC::dumpArrayModes): 15033 * bytecode/CodeBlockHash.cpp: 15034 (JSC): 15035 (JSC::CodeBlockHash::CodeBlockHash): 15036 (JSC::CodeBlockHash::dump): 15037 * bytecode/CodeOrigin.cpp: 15038 (JSC::CodeOrigin::dumpInContext): 15039 (JSC): 15040 (JSC::InlineCallFrame::dumpInContext): 15041 (JSC::InlineCallFrame::dump): 15042 * bytecode/CodeOrigin.h: 15043 (CodeOrigin): 15044 (InlineCallFrame): 15045 * bytecode/Operands.h: 15046 (JSC::OperandValueTraits::isEmptyForDump): 15047 (Operands): 15048 (JSC::Operands::dump): 15049 (JSC): 15050 * bytecode/OperandsInlines.h: Added. 15051 (JSC): 15052 (JSC::::dumpInContext): 15053 * bytecode/StructureSet.h: 15054 (JSC::StructureSet::dumpInContext): 15055 (JSC::StructureSet::dump): 15056 (StructureSet): 15057 * dfg/DFGAbstractValue.cpp: 15058 (JSC::DFG::AbstractValue::dump): 15059 (DFG): 15060 (JSC::DFG::AbstractValue::dumpInContext): 15061 * dfg/DFGAbstractValue.h: 15062 (JSC::DFG::AbstractValue::operator!): 15063 (AbstractValue): 15064 * dfg/DFGCFAPhase.cpp: 15065 (JSC::DFG::CFAPhase::performBlockCFA): 15066 * dfg/DFGCommon.cpp: 15067 * dfg/DFGCommon.h: 15068 (JSC::DFG::NodePointerTraits::isEmptyForDump): 15069 * dfg/DFGDisassembler.cpp: 15070 (JSC::DFG::Disassembler::createDumpList): 15071 * dfg/DFGDisassembler.h: 15072 (Disassembler): 15073 * dfg/DFGFlushFormat.h: 15074 (WTF::inContext): 15075 (WTF): 15076 * dfg/DFGFlushLivenessAnalysisPhase.cpp: 15077 * dfg/DFGGraph.cpp: 15078 (JSC::DFG::Graph::dumpCodeOrigin): 15079 (JSC::DFG::Graph::dump): 15080 (JSC::DFG::Graph::dumpBlockHeader): 15081 * dfg/DFGGraph.h: 15082 (Graph): 15083 * dfg/DFGLazyJSValue.cpp: 15084 (JSC::DFG::LazyJSValue::dumpInContext): 15085 (JSC::DFG::LazyJSValue::dump): 15086 (DFG): 15087 * dfg/DFGLazyJSValue.h: 15088 (LazyJSValue): 15089 * dfg/DFGNode.h: 15090 (JSC::DFG::nodeMapDump): 15091 (WTF::inContext): 15092 (WTF): 15093 * dfg/DFGOSRExitCompiler32_64.cpp: 15094 (JSC::DFG::OSRExitCompiler::compileExit): 15095 * dfg/DFGOSRExitCompiler64.cpp: 15096 (JSC::DFG::OSRExitCompiler::compileExit): 15097 * dfg/DFGStructureAbstractValue.h: 15098 (JSC::DFG::StructureAbstractValue::dumpInContext): 15099 (JSC::DFG::StructureAbstractValue::dump): 15100 (StructureAbstractValue): 15101 * ftl/FTLExitValue.cpp: 15102 (JSC::FTL::ExitValue::dumpInContext): 15103 (JSC::FTL::ExitValue::dump): 15104 (FTL): 15105 * ftl/FTLExitValue.h: 15106 (ExitValue): 15107 * ftl/FTLLowerDFGToLLVM.cpp: 15108 * ftl/FTLValueSource.cpp: 15109 (JSC::FTL::ValueSource::dumpInContext): 15110 (FTL): 15111 * ftl/FTLValueSource.h: 15112 (ValueSource): 15113 * runtime/DumpContext.cpp: Added. 15114 (JSC): 15115 (JSC::DumpContext::DumpContext): 15116 (JSC::DumpContext::~DumpContext): 15117 (JSC::DumpContext::isEmpty): 15118 (JSC::DumpContext::dump): 15119 * runtime/DumpContext.h: Added. 15120 (JSC): 15121 (DumpContext): 15122 * runtime/JSCJSValue.cpp: 15123 (JSC::JSValue::dump): 15124 (JSC): 15125 (JSC::JSValue::dumpInContext): 15126 * runtime/JSCJSValue.h: 15127 (JSC): 15128 (JSValue): 15129 * runtime/Structure.cpp: 15130 (JSC::Structure::dumpInContext): 15131 (JSC): 15132 (JSC::Structure::dumpBrief): 15133 (JSC::Structure::dumpContextHeader): 15134 * runtime/Structure.h: 15135 (JSC): 15136 (Structure): 15137 151382013-07-22 Filip Pizlo <fpizlo@apple.com> 15139 15140 fourthTier: DFG should do a high-level LICM before going to FTL 15141 https://bugs.webkit.org/show_bug.cgi?id=118749 15142 15143 Reviewed by Oliver Hunt. 15144 15145 Implements LICM hoisting for nodes that never write anything and never read 15146 things that are clobbered by the loop. There are some other preconditions for 15147 hoisting, see DFGLICMPhase.cpp. 15148 15149 Also did a few fixes: 15150 15151 - ClobberSet::add was failing to switch Super entries to Direct entries in 15152 some cases. 15153 15154 - DFGClobberize.cpp needed to #include "Operations.h". 15155 15156 - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA. 15157 15158 - AbstractInterpreter can now execute a Node without knowing its indexInBlock. 15159 Knowing the indexInBlock is an optional optimization that all other clients 15160 of AI still opt into, but LICM doesn't. 15161 15162 This makes the FTL a 2.19x speed-up on imaging-gaussian-blur. 15163 15164 * JavaScriptCore.xcodeproj/project.pbxproj: 15165 * dfg/DFGAbstractInterpreter.h: 15166 (AbstractInterpreter): 15167 * dfg/DFGAbstractInterpreterInlines.h: 15168 (JSC::DFG::::executeEffects): 15169 (JSC::DFG::::execute): 15170 (DFG): 15171 (JSC::DFG::::clobberWorld): 15172 (JSC::DFG::::clobberStructures): 15173 * dfg/DFGAtTailAbstractState.cpp: Added. 15174 (DFG): 15175 (JSC::DFG::AtTailAbstractState::AtTailAbstractState): 15176 (JSC::DFG::AtTailAbstractState::~AtTailAbstractState): 15177 (JSC::DFG::AtTailAbstractState::createValueForNode): 15178 (JSC::DFG::AtTailAbstractState::forNode): 15179 * dfg/DFGAtTailAbstractState.h: Added. 15180 (DFG): 15181 (AtTailAbstractState): 15182 (JSC::DFG::AtTailAbstractState::initializeTo): 15183 (JSC::DFG::AtTailAbstractState::forNode): 15184 (JSC::DFG::AtTailAbstractState::variables): 15185 (JSC::DFG::AtTailAbstractState::block): 15186 (JSC::DFG::AtTailAbstractState::isValid): 15187 (JSC::DFG::AtTailAbstractState::setDidClobber): 15188 (JSC::DFG::AtTailAbstractState::setIsValid): 15189 (JSC::DFG::AtTailAbstractState::setBranchDirection): 15190 (JSC::DFG::AtTailAbstractState::setFoundConstants): 15191 (JSC::DFG::AtTailAbstractState::haveStructures): 15192 (JSC::DFG::AtTailAbstractState::setHaveStructures): 15193 * dfg/DFGBasicBlock.h: 15194 (JSC::DFG::BasicBlock::insertBeforeLast): 15195 * dfg/DFGBasicBlockInlines.h: 15196 (DFG): 15197 * dfg/DFGClobberSet.cpp: 15198 (JSC::DFG::ClobberSet::add): 15199 (JSC::DFG::ClobberSet::addAll): 15200 * dfg/DFGClobberize.cpp: 15201 (JSC::DFG::doesWrites): 15202 * dfg/DFGClobberize.h: 15203 (DFG): 15204 * dfg/DFGDCEPhase.cpp: 15205 (JSC::DFG::DCEPhase::DCEPhase): 15206 (JSC::DFG::DCEPhase::run): 15207 (JSC::DFG::DCEPhase::fixupBlock): 15208 (DCEPhase): 15209 * dfg/DFGEdgeDominates.h: Added. 15210 (DFG): 15211 (EdgeDominates): 15212 (JSC::DFG::EdgeDominates::EdgeDominates): 15213 (JSC::DFG::EdgeDominates::operator()): 15214 (JSC::DFG::EdgeDominates::result): 15215 (JSC::DFG::edgesDominate): 15216 * dfg/DFGFixupPhase.cpp: 15217 (JSC::DFG::FixupPhase::fixupNode): 15218 (JSC::DFG::FixupPhase::checkArray): 15219 * dfg/DFGLICMPhase.cpp: Added. 15220 (LICMPhase): 15221 (JSC::DFG::LICMPhase::LICMPhase): 15222 (JSC::DFG::LICMPhase::run): 15223 (JSC::DFG::LICMPhase::attemptHoist): 15224 (DFG): 15225 (JSC::DFG::performLICM): 15226 * dfg/DFGLICMPhase.h: Added. 15227 (DFG): 15228 * dfg/DFGPlan.cpp: 15229 (JSC::DFG::Plan::compileInThreadImpl): 15230 152312013-07-21 Filip Pizlo <fpizlo@apple.com> 15232 15233 fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write 15234 https://bugs.webkit.org/show_bug.cgi?id=118910 15235 15236 Reviewed by Sam Weinig. 15237 15238 Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in 15239 the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are 15240 engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to 15241 be inexpensive to use (they just give you a TBAA node) but expensive to create (you 15242 create them all up front). FTL AbstractHeaps also don't actually give you the 15243 ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA. 15244 The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use. 15245 They also give you aliasing machinery. The DFG AbstractHeaps are represented 15246 internally by a int64_t. Many comparisons between them are just integer comaprisons. 15247 AbstractHeaps form a three-level hierarchy (World is the supertype of everything, 15248 Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP 15249 payload is the direct subtype of its corresponding TOP Kind). 15250 15251 Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had 15252 clobbered. It represents the set that results from unifying a bunch of 15253 AbstractHeaps, and is intended to quickly answer overlap questions: does the given 15254 AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an 15255 AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of 15256 its ancestors. An AbstractHeap is said to overlap a set if any direct or super 15257 member is equal to it, or if any of its ancestors are equal to a direct member. 15258 15259 Example #1: 15260 15261 - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This 15262 is a subtype of Variables, which is a subtype of World. 15263 - You query Variables. I.e. Variables with a TOP payload, which is the 15264 supertype of Variables(X) for any X, and a subtype of World. 15265 15266 The set will have Variables(5) as a direct member, and Variables and World as 15267 super members. The Variables query will immediately return true, because 15268 Variables is indeed a super member. 15269 15270 Example #2: 15271 15272 - I add Variables(5) 15273 - You query NamedProperties 15274 15275 NamedProperties is not a member at all (neither direct or super). We next 15276 query World. World is a member, but it's a super member, so we return false. 15277 15278 Example #3: 15279 15280 - I add Variables 15281 - You query Variables(5) 15282 15283 The set will have Variables as a direct member, and World as a super member. 15284 The Variables(5) query will not find Variables(5) in the set, but then it 15285 will query Variables. Variables is a direct member, so we return true. 15286 15287 Example #4: 15288 15289 - I add Variables 15290 - You query NamedProperties(5) 15291 15292 Neither NamedProperties nor NamedProperties(5) are members. We next query 15293 World. World is a member, but it's a super member, so we return false. 15294 15295 Overlap queries require that either the heap being queried is in the set (either 15296 direct or super), or that one of its ancestors is a direct member. Another way to 15297 think about how this works is that two heaps A and B are said to overlap if 15298 A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a 15299 single-inheritance heirarchy. Consider that we wanted to implement a set that holds 15300 heaps and answers the question, "is any member in the set an ancestor (i.e. 15301 supertype) of some other heap". We would have the set contain the heaps themselves, 15302 and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor 15303 chain of A, and repeatedly querying its membership in the set. This is what the 15304 "direct" members of our set do. Now consider the other part, where we want to ask if 15305 any member of the set is a descendent of a heap, or "A.isSupertypeOfAny(set)". We 15306 would implement this by implementing set.add(B) as adding not just B but also all of 15307 B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is 15308 in the set. With two such sets - one that answers isSubtypeOfAny() and another that 15309 answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your 15310 heap" question. ClobberSet does this, but combines the two sets into a single 15311 HashMap. The HashMap's value, "direct", means that the key is a member of both the 15312 supertype set and the subtype set; if it's false then it's only a member of one of 15313 them. 15314 15315 Finally, this adds a functorized clobberize() method that adds the read and write 15316 clobbers of a DFG::Node to read and write functors. Common functors for adding to 15317 ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers 15318 are also provided. This allows you to say things like: 15319 15320 ClobberSet set; 15321 addWrites(graph, node1, set); 15322 if (readsOverlap(graph, node2, set)) 15323 // We know that node1 may write to something that node2 may read from. 15324 15325 Currently this facility is only used to improve graph dumping, but it will be 15326 instrumental in both LICM and GVN. In the future, I want to completely kill the 15327 NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way 15328 of accomplishing almost exactly what AbstractHeap gives you. 15329 15330 * JavaScriptCore.xcodeproj/project.pbxproj: 15331 * dfg/DFGAbstractHeap.cpp: Added. 15332 (DFG): 15333 (JSC::DFG::AbstractHeap::Payload::dump): 15334 (JSC::DFG::AbstractHeap::dump): 15335 (WTF): 15336 (WTF::printInternal): 15337 * dfg/DFGAbstractHeap.h: Added. 15338 (DFG): 15339 (AbstractHeap): 15340 (Payload): 15341 (JSC::DFG::AbstractHeap::Payload::Payload): 15342 (JSC::DFG::AbstractHeap::Payload::top): 15343 (JSC::DFG::AbstractHeap::Payload::isTop): 15344 (JSC::DFG::AbstractHeap::Payload::value): 15345 (JSC::DFG::AbstractHeap::Payload::valueImpl): 15346 (JSC::DFG::AbstractHeap::Payload::operator==): 15347 (JSC::DFG::AbstractHeap::Payload::operator!=): 15348 (JSC::DFG::AbstractHeap::Payload::operator<): 15349 (JSC::DFG::AbstractHeap::Payload::isDisjoint): 15350 (JSC::DFG::AbstractHeap::Payload::overlaps): 15351 (JSC::DFG::AbstractHeap::AbstractHeap): 15352 (JSC::DFG::AbstractHeap::operator!): 15353 (JSC::DFG::AbstractHeap::kind): 15354 (JSC::DFG::AbstractHeap::payload): 15355 (JSC::DFG::AbstractHeap::isDisjoint): 15356 (JSC::DFG::AbstractHeap::overlaps): 15357 (JSC::DFG::AbstractHeap::supertype): 15358 (JSC::DFG::AbstractHeap::hash): 15359 (JSC::DFG::AbstractHeap::operator==): 15360 (JSC::DFG::AbstractHeap::operator!=): 15361 (JSC::DFG::AbstractHeap::operator<): 15362 (JSC::DFG::AbstractHeap::isHashTableDeletedValue): 15363 (JSC::DFG::AbstractHeap::payloadImpl): 15364 (JSC::DFG::AbstractHeap::encode): 15365 (JSC::DFG::AbstractHeapHash::hash): 15366 (JSC::DFG::AbstractHeapHash::equal): 15367 (AbstractHeapHash): 15368 (WTF): 15369 * dfg/DFGClobberSet.cpp: Added. 15370 (DFG): 15371 (JSC::DFG::ClobberSet::ClobberSet): 15372 (JSC::DFG::ClobberSet::~ClobberSet): 15373 (JSC::DFG::ClobberSet::add): 15374 (JSC::DFG::ClobberSet::addAll): 15375 (JSC::DFG::ClobberSet::contains): 15376 (JSC::DFG::ClobberSet::overlaps): 15377 (JSC::DFG::ClobberSet::clear): 15378 (JSC::DFG::ClobberSet::direct): 15379 (JSC::DFG::ClobberSet::super): 15380 (JSC::DFG::ClobberSet::dump): 15381 (JSC::DFG::ClobberSet::setOf): 15382 (JSC::DFG::addReads): 15383 (JSC::DFG::addWrites): 15384 (JSC::DFG::addReadsAndWrites): 15385 (JSC::DFG::readsOverlap): 15386 (JSC::DFG::writesOverlap): 15387 * dfg/DFGClobberSet.h: Added. 15388 (DFG): 15389 (ClobberSet): 15390 (JSC::DFG::ClobberSet::isEmpty): 15391 (ClobberSetAdd): 15392 (JSC::DFG::ClobberSetAdd::ClobberSetAdd): 15393 (JSC::DFG::ClobberSetAdd::operator()): 15394 (ClobberSetOverlaps): 15395 (JSC::DFG::ClobberSetOverlaps::ClobberSetOverlaps): 15396 (JSC::DFG::ClobberSetOverlaps::operator()): 15397 (JSC::DFG::ClobberSetOverlaps::result): 15398 * dfg/DFGClobberize.cpp: Added. 15399 (DFG): 15400 (JSC::DFG::didWrites): 15401 * dfg/DFGClobberize.h: Added. 15402 (DFG): 15403 (JSC::DFG::clobberize): 15404 (NoOpClobberize): 15405 (JSC::DFG::NoOpClobberize::NoOpClobberize): 15406 (JSC::DFG::NoOpClobberize::operator()): 15407 (CheckClobberize): 15408 (JSC::DFG::CheckClobberize::CheckClobberize): 15409 (JSC::DFG::CheckClobberize::operator()): 15410 (JSC::DFG::CheckClobberize::result): 15411 * dfg/DFGGraph.cpp: 15412 (JSC::DFG::Graph::dump): 15413 154142013-07-21 Filip Pizlo <fpizlo@apple.com> 15415 15416 fourthTier: It should be easy to figure out which blocks nodes belong to 15417 https://bugs.webkit.org/show_bug.cgi?id=118957 15418 15419 Reviewed by Sam Weinig. 15420 15421 * dfg/DFGGraph.cpp: 15422 (DFG): 15423 (JSC::DFG::Graph::initializeNodeOwners): 15424 * dfg/DFGGraph.h: 15425 (Graph): 15426 * dfg/DFGNode.h: 15427 154282013-07-21 Filip Pizlo <fpizlo@apple.com> 15429 15430 fourthTier: NodeExitsForward shouldn't be duplicated in NodeType 15431 https://bugs.webkit.org/show_bug.cgi?id=118956 15432 15433 Reviewed by Sam Weinig. 15434 15435 We had two way of expressing that something exits forward: the NodeExitsForward 15436 flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch 15437 makes it just be a flag. 15438 15439 * dfg/DFGAbstractInterpreterInlines.h: 15440 (JSC::DFG::::executeEffects): 15441 * dfg/DFGArgumentsSimplificationPhase.cpp: 15442 (JSC::DFG::ArgumentsSimplificationPhase::run): 15443 * dfg/DFGCSEPhase.cpp: 15444 (JSC::DFG::CSEPhase::int32ToDoubleCSE): 15445 (JSC::DFG::CSEPhase::checkStructureElimination): 15446 (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): 15447 (JSC::DFG::CSEPhase::putStructureStoreElimination): 15448 (JSC::DFG::CSEPhase::checkArrayElimination): 15449 (JSC::DFG::CSEPhase::performNodeCSE): 15450 * dfg/DFGConstantFoldingPhase.cpp: 15451 (JSC::DFG::ConstantFoldingPhase::foldConstants): 15452 * dfg/DFGFixupPhase.cpp: 15453 (JSC::DFG::FixupPhase::fixupNode): 15454 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): 15455 * dfg/DFGMinifiedNode.h: 15456 (JSC::DFG::belongsInMinifiedGraph): 15457 (JSC::DFG::MinifiedNode::hasChild): 15458 * dfg/DFGNode.h: 15459 (JSC::DFG::Node::convertToStructureTransitionWatchpoint): 15460 (JSC::DFG::Node::hasStructureSet): 15461 (JSC::DFG::Node::hasStructure): 15462 (JSC::DFG::Node::hasArrayMode): 15463 (JSC::DFG::Node::willHaveCodeGenOrOSR): 15464 * dfg/DFGNodeType.h: 15465 (DFG): 15466 (JSC::DFG::needsOSRForwardRewiring): 15467 * dfg/DFGPredictionPropagationPhase.cpp: 15468 (JSC::DFG::PredictionPropagationPhase::propagate): 15469 * dfg/DFGSafeToExecute.h: 15470 (JSC::DFG::safeToExecute): 15471 * dfg/DFGSpeculativeJIT.cpp: 15472 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): 15473 * dfg/DFGSpeculativeJIT32_64.cpp: 15474 (JSC::DFG::SpeculativeJIT::compile): 15475 * dfg/DFGSpeculativeJIT64.cpp: 15476 (JSC::DFG::SpeculativeJIT::compile): 15477 * dfg/DFGTypeCheckHoistingPhase.cpp: 15478 (JSC::DFG::TypeCheckHoistingPhase::run): 15479 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): 15480 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): 15481 * dfg/DFGVariableEventStream.cpp: 15482 (JSC::DFG::VariableEventStream::reconstruct): 15483 * ftl/FTLCapabilities.cpp: 15484 (JSC::FTL::canCompile): 15485 * ftl/FTLLowerDFGToLLVM.cpp: 15486 (JSC::FTL::LowerDFGToLLVM::compileNode): 15487 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): 15488 154892013-07-21 Filip Pizlo <fpizlo@apple.com> 15490 15491 fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, but then claim that it belongs to a different CodeOrigin for all other purposes 15492 https://bugs.webkit.org/show_bug.cgi?id=118946 15493 15494 Reviewed by Geoffrey Garen. 15495 15496 We want to decouple the exit target code origin of a node from the code origin 15497 for all other purposes. The purposes of code origins are: 15498 15499 - Where the node will exit, if it exits. The exit target should be consistent with 15500 the surrounding nodes, in that if you just looked at the code origins of nodes in 15501 the graph, they would be consistent with the code origins in bytecode. This is 15502 necessary for live-at-bytecode analyses to work, and to preserve the original 15503 bytecode semantics when exiting. 15504 15505 - What kind of code the node came from, for semantics thingies. For example, we 15506 might use the code origin to find the node's global object for doing an original 15507 array check. Or we might use it to determine if the code is in strict mode. Or 15508 other similar things. When we use the code origin in this way, we're basically 15509 using it as a way of describing the node's meta-data without putting it into the 15510 node directly, to save space. In the absurd extreme you could imagine nodes not 15511 even having NodeTypes or NodeFlags, and just using the CodeOrigin to determine 15512 what bytecode the node originated from. We won't do that, but you can think of 15513 this use of code origins as just a way of compressing meta-data. 15514 15515 - What code origin we should supply profiling to, if we exit. This is closely 15516 related to the semantics thingies, in that the exit profiling is a persistent 15517 kind of semantic meta-data that survives between recompiles, and the only way to 15518 do that is to ascribe it to the original bytecode via the code origin. 15519 15520 If we hoist a node, we need to change the exit target code origin, but we must not 15521 change the code origin for other purposes. The best way to do this is to decouple 15522 the two kinds of code origin. 15523 15524 OSR exit data structures already do this, because they may edit the exit target 15525 code origin while keeping the code origin for profiling intact. This happens for 15526 forward exits. So, we just need to thread separation all the way back to DFG::Node. 15527 That's what this patch does. 15528 15529 * dfg/DFGNode.h: 15530 (JSC::DFG::Node::Node): 15531 (Node): 15532 * dfg/DFGOSRExit.cpp: 15533 (JSC::DFG::OSRExit::OSRExit): 15534 * dfg/DFGOSRExitBase.h: 15535 (JSC::DFG::OSRExitBase::OSRExitBase): 15536 * dfg/DFGSpeculativeJIT.cpp: 15537 (JSC::DFG::SpeculativeJIT::compileCurrentBlock): 15538 (JSC::DFG::SpeculativeJIT::checkArgumentTypes): 15539 * dfg/DFGSpeculativeJIT.h: 15540 (SpeculativeJIT): 15541 * ftl/FTLLowerDFGToLLVM.cpp: 15542 (JSC::FTL::LowerDFGToLLVM::compileNode): 15543 (JSC::FTL::LowerDFGToLLVM::appendOSRExit): 15544 (LowerDFGToLLVM): 15545 * ftl/FTLOSRExit.cpp: 15546 (JSC::FTL::OSRExit::OSRExit): 15547 * ftl/FTLOSRExit.h: 15548 (OSRExit): 15549 155502013-07-20 Filip Pizlo <fpizlo@apple.com> 15551 15552 fourthTier: each DFG node that relies on other nodes to do their type checks should be able to tell you if those type checks happened 15553 https://bugs.webkit.org/show_bug.cgi?id=118866 15554 15555 Reviewed by Sam Weinig. 15556 15557 Adds a safeToExecute() method that takes a node and an abstract state and tells you 15558 if the node will run without crashing under that state. 15559 15560 * JavaScriptCore.xcodeproj/project.pbxproj: 15561 * bytecode/CodeBlock.cpp: 15562 (JSC::CodeBlock::CodeBlock): 15563 * dfg/DFGCFAPhase.cpp: 15564 (CFAPhase): 15565 (JSC::DFG::CFAPhase::CFAPhase): 15566 (JSC::DFG::CFAPhase::run): 15567 (JSC::DFG::CFAPhase::performBlockCFA): 15568 (JSC::DFG::CFAPhase::performForwardCFA): 15569 * dfg/DFGSafeToExecute.h: Added. 15570 (DFG): 15571 (SafeToExecuteEdge): 15572 (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge): 15573 (JSC::DFG::SafeToExecuteEdge::operator()): 15574 (JSC::DFG::SafeToExecuteEdge::result): 15575 (JSC::DFG::safeToExecute): 15576 * dfg/DFGStructureAbstractValue.h: 15577 (JSC::DFG::StructureAbstractValue::isValidOffset): 15578 (StructureAbstractValue): 15579 * runtime/Options.h: 15580 (JSC): 15581 155822013-07-20 Filip Pizlo <fpizlo@apple.com> 15583 15584 fourthTier: FTL should be able to generate LLVM IR that uses an intrinsic for OSR exit 15585 https://bugs.webkit.org/show_bug.cgi?id=118948 15586 15587 Reviewed by Sam Weinig. 15588 15589 - Add the ability to generate LLVM IR but then not use it, via --llvmAlwaysFails=true. 15590 This allows doing "what if" experiments with IR generation, even if the generated IR 15591 can't yet execute. 15592 15593 - Add an OSR exit path that just calls an intrinsic that combines the branch and the 15594 off-ramp. 15595 15596 * JavaScriptCore.xcodeproj/project.pbxproj: 15597 * dfg/DFGPlan.cpp: 15598 (JSC::DFG::Plan::compileInThreadImpl): 15599 * ftl/FTLFail.cpp: Added. 15600 (FTL): 15601 (JSC::FTL::fail): 15602 * ftl/FTLFail.h: Added. 15603 (FTL): 15604 * ftl/FTLIntrinsicRepository.h: 15605 (FTL): 15606 * ftl/FTLLowerDFGToLLVM.cpp: 15607 (JSC::FTL::LowerDFGToLLVM::appendOSRExit): 15608 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall): 15609 * runtime/Options.h: 15610 (JSC): 15611 156122013-07-19 Filip Pizlo <fpizlo@apple.com> 15613 15614 fourthTier: StringObjectUse uses structures, and CSE should know that 15615 https://bugs.webkit.org/show_bug.cgi?id=118940 15616 15617 Reviewed by Geoffrey Garen. 15618 15619 This is asymptomatic right now, but we should fix it. 15620 15621 * JavaScriptCore.xcodeproj/project.pbxproj: 15622 * dfg/DFGCSEPhase.cpp: 15623 (JSC::DFG::CSEPhase::putStructureStoreElimination): 15624 * dfg/DFGEdgeUsesStructure.h: Added. 15625 (DFG): 15626 (EdgeUsesStructure): 15627 (JSC::DFG::EdgeUsesStructure::EdgeUsesStructure): 15628 (JSC::DFG::EdgeUsesStructure::operator()): 15629 (JSC::DFG::EdgeUsesStructure::result): 15630 (JSC::DFG::edgesUseStructure): 15631 * dfg/DFGUseKind.h: 15632 (DFG): 15633 (JSC::DFG::usesStructure): 15634 156352013-07-19 Filip Pizlo <fpizlo@apple.com> 15636 15637 fourthTier: String GetByVal out-of-bounds handling is so wrong 15638 https://bugs.webkit.org/show_bug.cgi?id=118935 15639 15640 Reviewed by Geoffrey Garen. 15641 15642 Bunch of String GetByVal out-of-bounds fixes: 15643 15644 - Even if the string proto chain is sane, we need to watch out for negative 15645 indices. They may get values or call getters in the prototypes, since proto 15646 sanity doesn't check for negative indexed properties, as they are not 15647 technically indexed properties. 15648 15649 - GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be 15650 given this information. 15651 15652 - GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be 15653 given this information. 15654 15655 Also fixed some other things: 15656 15657 - If the DFG is disabled, the testRunner should pretend that we've done a 15658 bunch of DFG compiles. That's necessary to prevent the tests from timing 15659 out. 15660 15661 - Disassembler shouldn't try to dump source code since it's not safe in the 15662 concurrent JIT. 15663 15664 * API/JSCTestRunnerUtils.cpp: 15665 (JSC::numberOfDFGCompiles): 15666 * JavaScriptCore.xcodeproj/project.pbxproj: 15667 * dfg/DFGAbstractInterpreterInlines.h: 15668 (JSC::DFG::::executeEffects): 15669 * dfg/DFGDisassembler.cpp: 15670 (JSC::DFG::Disassembler::dumpHeader): 15671 * dfg/DFGGraph.h: 15672 (JSC::DFG::Graph::byValIsPure): 15673 * dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added. 15674 (DFG): 15675 (SaneStringGetByValSlowPathGenerator): 15676 (JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator): 15677 (JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal): 15678 * dfg/DFGSpeculativeJIT.cpp: 15679 (JSC::DFG::SpeculativeJIT::compileGetByValOnString): 15680 156812013-07-19 Filip Pizlo <fpizlo@apple.com> 15682 15683 fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing 15684 https://bugs.webkit.org/show_bug.cgi?id=118911 15685 15686 Reviewed by Geoffrey Garen. 15687 15688 We could also have a separate method like "willNotCrash(offset)", but that's not 15689 what isValidOffset() is intended to mean. 15690 15691 * runtime/Structure.h: 15692 (JSC::Structure::isValidOffset): 15693 156942013-07-19 Filip Pizlo <fpizlo@apple.com> 15695 15696 fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure 15697 https://bugs.webkit.org/show_bug.cgi?id=118878 15698 15699 Reviewed by Oliver Hunt. 15700 15701 - Change Structure::isValidOffset() to actually answer the question "If I attempted 15702 to load from an object of this structure, at this offset, would I commit suicide 15703 or would I get back some kind of value?" 15704 15705 - Change StorageAccessData::offset to use a PropertyOffset. It should have been that 15706 way from the start. 15707 15708 - Fix PutStructure so that it sets haveStructures in all of the cases that it should. 15709 15710 - Make GetByOffset also reference the base object in addition to the butterfly. 15711 15712 The future use of this power will be to answer questions like "If I hoisted this 15713 GetByOffset or PutByOffset to this point, would it cause crashes, or would it be 15714 fine?" 15715 15716 I don't currently plan to use this power to perform validation, since the CSE has 15717 the power to eliminate CheckStructure's that the CFA wouldn't be smart enough to 15718 remove - both in the case of StructureSets where size >= 2 and in the case of 15719 CheckStructures that match across PutStructures. At first I tried to write a 15720 validator that was aware of this, but the validation code got way too complicated 15721 and I started having nightmares of spurious assertion bugs being filed against me. 15722 15723 This also changes some of the code for how we hash FunctionExecutable's for debug 15724 dumps, since that code still had some thread-safety issues. Basically, the 15725 concurrent JIT needs to use the CodeBlock's precomputed hash and never call anything 15726 that could transitively try to compute the hash from the source code. The source 15727 code is a string that may be lazily computed, and that involves all manner of thread 15728 unsafe things. 15729 15730 * bytecode/CodeOrigin.cpp: 15731 (JSC::InlineCallFrame::hash): 15732 * dfg/DFGAbstractInterpreterInlines.h: 15733 (JSC::DFG::::executeEffects): 15734 * dfg/DFGByteCodeParser.cpp: 15735 (JSC::DFG::ByteCodeParser::handleGetByOffset): 15736 (JSC::DFG::ByteCodeParser::handlePutByOffset): 15737 (JSC::DFG::ByteCodeParser::parseBlock): 15738 * dfg/DFGCFAPhase.cpp: 15739 (JSC::DFG::CFAPhase::performBlockCFA): 15740 * dfg/DFGConstantFoldingPhase.cpp: 15741 (JSC::DFG::ConstantFoldingPhase::foldConstants): 15742 * dfg/DFGFixupPhase.cpp: 15743 (JSC::DFG::FixupPhase::fixupNode): 15744 * dfg/DFGGraph.h: 15745 (StorageAccessData): 15746 * dfg/DFGNode.h: 15747 (JSC::DFG::Node::convertToGetByOffset): 15748 * dfg/DFGSpeculativeJIT64.cpp: 15749 (JSC::DFG::SpeculativeJIT::compile): 15750 * ftl/FTLLowerDFGToLLVM.cpp: 15751 (JSC::FTL::LowerDFGToLLVM::compileGetByOffset): 15752 (JSC::FTL::LowerDFGToLLVM::compilePutByOffset): 15753 * runtime/FunctionExecutableDump.cpp: 15754 (JSC::FunctionExecutableDump::dump): 15755 * runtime/Structure.h: 15756 (Structure): 15757 (JSC::Structure::isValidOffset): 15758 157592013-07-18 Filip Pizlo <fpizlo@apple.com> 15760 15761 fourthTier: AbstractInterpreter should explicitly ask AbstractState to create new AbstractValues for newly born nodes 15762 https://bugs.webkit.org/show_bug.cgi?id=118880 15763 15764 Reviewed by Sam Weinig. 15765 15766 It should be possible to have an AbstractState that is backed by a HashMap. But to 15767 do this, the AbstractInterpreter should explicitly ask for new nodes to be added to 15768 the map, since otherwise the idiom of getting a reference to the AbstractValue 15769 returned by forNode() would cause really subtle memory corruption bugs. 15770 15771 * dfg/DFGAbstractInterpreterInlines.h: 15772 (JSC::DFG::::executeEffects): 15773 * dfg/DFGInPlaceAbstractState.h: 15774 (JSC::DFG::InPlaceAbstractState::createValueForNode): 15775 (InPlaceAbstractState): 15776 157772013-07-18 Filip Pizlo <fpizlo@apple.com> 15778 15779 fourthTier: Decouple the way that CFA stores its state from the way it does abstract interpretation 15780 https://bugs.webkit.org/show_bug.cgi?id=118835 15781 15782 Reviewed by Oliver Hunt. 15783 15784 This separates AbstractState into two things: 15785 15786 - InPlaceAbstractState, which can tell you the abstract state of anything you 15787 might care about, and uses the old AbstractState's algorithms and data 15788 structures for doing so. 15789 15790 - AbstractInterpreter<AbstractStateType>, which can execute a DFG::Node* with 15791 respect to an AbstractStateType. Currently we always use 15792 AbstractStateType = InPlaceAbstractState. But we could drop in an other 15793 class that supports basic primitives like forNode() and variables(). 15794 15795 This is important because: 15796 15797 - We want to hoist things out of loops. 15798 15799 - We don't know what things rely on what type checks. 15800 15801 - We only want to hoist type checks out of loops if they aren't clobbered. 15802 15803 - We may want to still hoist things that depended on those type checks, if it's 15804 safe to do those things based on the CFA state at the tail of the loop 15805 pre-header. 15806 15807 - We don't want things to rely on their type checks by way of a token, because 15808 that's just weird. 15809 15810 So, we want to be able to have a special form of the CFA that can 15811 incrementally update a basic block's state-at-tail, and we want to be able to 15812 do this for multiple blocks simultaneously. This requires *not* storing the 15813 per-node state in the nodes themselves, but instead using the at-tail HashMap 15814 directly. 15815 15816 Hence we need to have a way of making the abstract interpreter (i.e. 15817 AbstractState::execute) polymorphic with respect to state representation. Put 15818 another way, we need to separate the way that abstract state is represented 15819 from the way DFG IR is abstractly interpreted. 15820 15821 * JavaScriptCore.xcodeproj/project.pbxproj: 15822 * dfg/DFGAbstractInterpreter.h: Added. 15823 (DFG): 15824 (AbstractInterpreter): 15825 (JSC::DFG::AbstractInterpreter::forNode): 15826 (JSC::DFG::AbstractInterpreter::variables): 15827 (JSC::DFG::AbstractInterpreter::needsTypeCheck): 15828 (JSC::DFG::AbstractInterpreter::filterEdgeByUse): 15829 (JSC::DFG::AbstractInterpreter::filter): 15830 (JSC::DFG::AbstractInterpreter::filterArrayModes): 15831 (JSC::DFG::AbstractInterpreter::filterByValue): 15832 (JSC::DFG::AbstractInterpreter::trySetConstant): 15833 (JSC::DFG::AbstractInterpreter::filterByType): 15834 * dfg/DFGAbstractInterpreterInlines.h: Added. 15835 (DFG): 15836 (JSC::DFG::::AbstractInterpreter): 15837 (JSC::DFG::::~AbstractInterpreter): 15838 (JSC::DFG::::booleanResult): 15839 (JSC::DFG::::startExecuting): 15840 (JSC::DFG::::executeEdges): 15841 (JSC::DFG::::verifyEdge): 15842 (JSC::DFG::::verifyEdges): 15843 (JSC::DFG::::executeEffects): 15844 (JSC::DFG::::execute): 15845 (JSC::DFG::::clobberWorld): 15846 (JSC::DFG::::clobberCapturedVars): 15847 (JSC::DFG::::clobberStructures): 15848 (JSC::DFG::::dump): 15849 (JSC::DFG::::filter): 15850 (JSC::DFG::::filterArrayModes): 15851 (JSC::DFG::::filterByValue): 15852 * dfg/DFGAbstractState.cpp: Removed. 15853 * dfg/DFGAbstractState.h: Removed. 15854 * dfg/DFGArgumentsSimplificationPhase.cpp: 15855 * dfg/DFGCFAPhase.cpp: 15856 (JSC::DFG::CFAPhase::CFAPhase): 15857 (JSC::DFG::CFAPhase::performBlockCFA): 15858 (CFAPhase): 15859 * dfg/DFGCFGSimplificationPhase.cpp: 15860 * dfg/DFGConstantFoldingPhase.cpp: 15861 (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase): 15862 (JSC::DFG::ConstantFoldingPhase::foldConstants): 15863 (ConstantFoldingPhase): 15864 * dfg/DFGInPlaceAbstractState.cpp: Added. 15865 (DFG): 15866 (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState): 15867 (JSC::DFG::InPlaceAbstractState::~InPlaceAbstractState): 15868 (JSC::DFG::InPlaceAbstractState::beginBasicBlock): 15869 (JSC::DFG::setLiveValues): 15870 (JSC::DFG::InPlaceAbstractState::initialize): 15871 (JSC::DFG::InPlaceAbstractState::endBasicBlock): 15872 (JSC::DFG::InPlaceAbstractState::reset): 15873 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): 15874 (JSC::DFG::InPlaceAbstractState::merge): 15875 (JSC::DFG::InPlaceAbstractState::mergeToSuccessors): 15876 (JSC::DFG::InPlaceAbstractState::mergeVariableBetweenBlocks): 15877 * dfg/DFGInPlaceAbstractState.h: Added. 15878 (DFG): 15879 (InPlaceAbstractState): 15880 (JSC::DFG::InPlaceAbstractState::forNode): 15881 (JSC::DFG::InPlaceAbstractState::variables): 15882 (JSC::DFG::InPlaceAbstractState::block): 15883 (JSC::DFG::InPlaceAbstractState::didClobber): 15884 (JSC::DFG::InPlaceAbstractState::isValid): 15885 (JSC::DFG::InPlaceAbstractState::setDidClobber): 15886 (JSC::DFG::InPlaceAbstractState::setIsValid): 15887 (JSC::DFG::InPlaceAbstractState::setBranchDirection): 15888 (JSC::DFG::InPlaceAbstractState::setFoundConstants): 15889 (JSC::DFG::InPlaceAbstractState::haveStructures): 15890 (JSC::DFG::InPlaceAbstractState::setHaveStructures): 15891 * dfg/DFGMergeMode.h: Added. 15892 (DFG): 15893 * dfg/DFGSpeculativeJIT.cpp: 15894 (JSC::DFG::SpeculativeJIT::SpeculativeJIT): 15895 (JSC::DFG::SpeculativeJIT::backwardTypeCheck): 15896 (JSC::DFG::SpeculativeJIT::compileCurrentBlock): 15897 (JSC::DFG::SpeculativeJIT::compileToStringOnCell): 15898 (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage): 15899 (JSC::DFG::SpeculativeJIT::speculateStringObject): 15900 (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject): 15901 * dfg/DFGSpeculativeJIT.h: 15902 (JSC::DFG::SpeculativeJIT::needsTypeCheck): 15903 (SpeculativeJIT): 15904 * dfg/DFGSpeculativeJIT32_64.cpp: 15905 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): 15906 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 15907 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 15908 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 15909 * dfg/DFGSpeculativeJIT64.cpp: 15910 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): 15911 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 15912 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 15913 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 15914 * ftl/FTLLowerDFGToLLVM.cpp: 15915 (FTL): 15916 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM): 15917 (JSC::FTL::LowerDFGToLLVM::compileNode): 15918 (JSC::FTL::LowerDFGToLLVM::appendTypeCheck): 15919 (JSC::FTL::LowerDFGToLLVM::speculate): 15920 (JSC::FTL::LowerDFGToLLVM::speculateNumber): 15921 (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): 15922 (LowerDFGToLLVM): 15923 159242013-07-18 Filip Pizlo <fpizlo@apple.com> 15925 15926 fourthTier: DFG shouldn't create CheckStructures for array accesses except if the ArrayMode implies an original array access 15927 https://bugs.webkit.org/show_bug.cgi?id=118867 15928 15929 Reviewed by Mark Hahnenberg. 15930 15931 This allows us to kill off a bunch of code in the parser, in fixup, and to simplify 15932 ArrayProfile. 15933 15934 It also makes it easier to ask any array-using node how to create its type check. 15935 15936 Doing this required fixing a bug in LowLevelInterpreter64, where it was storing into 15937 an array profile, thinking that it was storing into a value profile. Reshuffling the 15938 fields in ArrayProfile revealed this. 15939 15940 * bytecode/ArrayProfile.cpp: 15941 (JSC::ArrayProfile::computeUpdatedPrediction): 15942 (JSC::ArrayProfile::briefDescriptionWithoutUpdating): 15943 * bytecode/ArrayProfile.h: 15944 (JSC::ArrayProfile::ArrayProfile): 15945 (ArrayProfile): 15946 * bytecode/CodeBlock.cpp: 15947 (JSC::CodeBlock::updateAllArrayPredictions): 15948 (JSC::CodeBlock::updateAllPredictions): 15949 * bytecode/CodeBlock.h: 15950 (CodeBlock): 15951 (JSC::CodeBlock::updateAllArrayPredictions): 15952 * dfg/DFGArrayMode.h: 15953 (ArrayMode): 15954 * dfg/DFGByteCodeParser.cpp: 15955 (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath): 15956 (JSC::DFG::ByteCodeParser::parseBlock): 15957 * dfg/DFGFixupPhase.cpp: 15958 (JSC::DFG::FixupPhase::fixupNode): 15959 (FixupPhase): 15960 (JSC::DFG::FixupPhase::checkArray): 15961 (JSC::DFG::FixupPhase::blessArrayOperation): 15962 * llint/LowLevelInterpreter64.asm: 15963 159642013-07-18 Filip Pizlo <fpizlo@apple.com> 15965 15966 fourthTier: CFA should consider live-at-head for clobbering and dumping 15967 https://bugs.webkit.org/show_bug.cgi?id=118857 15968 15969 Reviewed by Mark Hahnenberg. 15970 15971 - clobberStructures() was not considering nodes live-at-head when in SSA 15972 form. This means it would fail to clobber some structures. 15973 15974 - dump() was not considering nodes live-at-head when in SSA form. This 15975 means it wouldn't dump everything that you might be interested in. 15976 15977 - AbstractState::m_currentNode is a useless variable and we should get 15978 rid of it. 15979 15980 * dfg/DFGAbstractState.cpp: 15981 (JSC::DFG::AbstractState::AbstractState): 15982 (JSC::DFG::AbstractState::beginBasicBlock): 15983 (JSC::DFG::AbstractState::reset): 15984 (JSC::DFG::AbstractState::startExecuting): 15985 (JSC::DFG::AbstractState::clobberStructures): 15986 (JSC::DFG::AbstractState::dump): 15987 * dfg/DFGAbstractState.h: 15988 (AbstractState): 15989 159902013-07-16 Filip Pizlo <fpizlo@apple.com> 15991 15992 fourthTier: Add a phase to create loop pre-headers 15993 https://bugs.webkit.org/show_bug.cgi?id=118778 15994 15995 Reviewed by Oliver Hunt. 15996 15997 Add a loop pre-header creation phase. Any loop that doesn't already have 15998 just one predecessor that isn't part of the loop has a pre-header 15999 prepended. All non-loop predecessors then jump to that pre-header. 16000 16001 Also fix a handful of bugs: 16002 16003 - DFG::Analysis should set m_valid before running the analysis, since that 16004 makes it easier to use ASSERT(m_valid) in the analysis' methods, which 16005 may be called by the analysis before the analysis completes. NaturalLoops 16006 does this with loopsOf(). 16007 16008 - NaturalLoops::headerOf() was missing a check for innerMostLoopOf() 16009 returning 0, since that'll happen if the block isn't in any loop. 16010 16011 - Change BlockInsertionSet to dethread the graph, since anyone using it 16012 will want to do so. 16013 16014 - Change dethreading to ignore SSA form graphs. 16015 16016 This also adds NaturalLoops::belongsTo(), which I always used in the 16017 pre-header creation phase. I didn't end up using it but I'll probably use 16018 it in the near future. 16019 16020 * JavaScriptCore.xcodeproj/project.pbxproj: 16021 * dfg/DFGAnalysis.h: 16022 (JSC::DFG::Analysis::computeIfNecessary): 16023 * dfg/DFGBlockInsertionSet.cpp: 16024 (JSC::DFG::BlockInsertionSet::execute): 16025 * dfg/DFGCriticalEdgeBreakingPhase.cpp: 16026 (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): 16027 * dfg/DFGGraph.cpp: 16028 (JSC::DFG::Graph::dethread): 16029 * dfg/DFGLoopPreHeaderCreationPhase.cpp: Added. 16030 (DFG): 16031 (LoopPreHeaderCreationPhase): 16032 (JSC::DFG::LoopPreHeaderCreationPhase::LoopPreHeaderCreationPhase): 16033 (JSC::DFG::LoopPreHeaderCreationPhase::run): 16034 (JSC::DFG::performLoopPreHeaderCreation): 16035 * dfg/DFGLoopPreHeaderCreationPhase.h: Added. 16036 (DFG): 16037 * dfg/DFGNaturalLoops.h: 16038 (NaturalLoop): 16039 (JSC::DFG::NaturalLoops::headerOf): 16040 (JSC::DFG::NaturalLoops::innerMostLoopOf): 16041 (JSC::DFG::NaturalLoops::innerMostOuterLoop): 16042 (JSC::DFG::NaturalLoops::belongsTo): 16043 (NaturalLoops): 16044 * dfg/DFGPlan.cpp: 16045 (JSC::DFG::Plan::compileInThreadImpl): 16046 160472013-07-16 Filip Pizlo <fpizlo@apple.com> 16048 16049 fourthTier: Rationalize Node::replacement 16050 https://bugs.webkit.org/show_bug.cgi?id=118774 16051 16052 Reviewed by Oliver Hunt. 16053 16054 - Clearing of replacements is now done in Graph::clearReplacements(). 16055 16056 - New nodes now have replacement set to 0. 16057 16058 - Node::replacement is now part of a 'misc' union. I'll be putting at least 16059 one other field into that union as part of LICM work (see 16060 https://bugs.webkit.org/show_bug.cgi?id=118749). 16061 16062 * dfg/DFGCPSRethreadingPhase.cpp: 16063 (JSC::DFG::CPSRethreadingPhase::run): 16064 (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes): 16065 (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor): 16066 * dfg/DFGCSEPhase.cpp: 16067 (JSC::DFG::CSEPhase::run): 16068 (JSC::DFG::CSEPhase::setReplacement): 16069 (JSC::DFG::CSEPhase::performBlockCSE): 16070 * dfg/DFGGraph.cpp: 16071 (DFG): 16072 (JSC::DFG::Graph::clearReplacements): 16073 * dfg/DFGGraph.h: 16074 (JSC::DFG::Graph::performSubstitutionForEdge): 16075 (Graph): 16076 * dfg/DFGNode.h: 16077 (JSC::DFG::Node::Node): 16078 * dfg/DFGSSAConversionPhase.cpp: 16079 (JSC::DFG::SSAConversionPhase::run): 16080 160812013-07-16 Filip Pizlo <fpizlo@apple.com> 16082 16083 fourthTier: NaturalLoops should be able to quickly answer questions like "what loops own this basic block" 16084 https://bugs.webkit.org/show_bug.cgi?id=118750 16085 16086 Reviewed by Mark Hahnenberg. 16087 16088 * dfg/DFGBasicBlock.h: 16089 (BasicBlock): 16090 * dfg/DFGNaturalLoops.cpp: 16091 (JSC::DFG::NaturalLoops::compute): 16092 (JSC::DFG::NaturalLoops::loopsOf): 16093 * dfg/DFGNaturalLoops.h: 16094 (DFG): 16095 (JSC::DFG::NaturalLoop::NaturalLoop): 16096 (NaturalLoop): 16097 (JSC::DFG::NaturalLoop::index): 16098 (JSC::DFG::NaturalLoop::isOuterMostLoop): 16099 (JSC::DFG::NaturalLoop::addBlock): 16100 (JSC::DFG::NaturalLoops::headerOf): 16101 (JSC::DFG::NaturalLoops::innerMostLoopOf): 16102 (NaturalLoops): 16103 (JSC::DFG::NaturalLoops::innerMostOuterLoop): 16104 * dfg/DFGPlan.cpp: 16105 (JSC::DFG::Plan::compileInThreadImpl): 16106 161072013-07-16 Filip Pizlo <fpizlo@apple.com> 16108 16109 fourthTier: don't GC when shutting down the VM 16110 https://bugs.webkit.org/show_bug.cgi?id=118751 16111 16112 Reviewed by Mark Hahnenberg. 16113 16114 * heap/Heap.h: 16115 (Heap): 16116 * runtime/VM.cpp: 16117 (JSC::VM::~VM): 16118 161192013-07-12 Filip Pizlo <fpizlo@apple.com> 16120 16121 fourthTier: DFG should have an SSA form for use by FTL 16122 https://bugs.webkit.org/show_bug.cgi?id=118338 16123 16124 Reviewed by Mark Hahnenberg. 16125 16126 Adds an SSA form to the DFG. We can convert ThreadedCPS form into SSA form 16127 after breaking critical edges. The conversion algorithm follows Aycock and 16128 Horspool, and the SSA form itself follows something I've done before, where 16129 instead of having Phi functions specify input nodes corresponding to block 16130 predecessors, we instead have Upsilon functions in the predecessors that 16131 specify which value in that block goes into which subsequent Phi. Upsilons 16132 don't have to dominate Phis (usually they don't) and they correspond to a 16133 non-SSA "mov" into the Phi's "variable". This gives all of the good 16134 properties of SSA, while ensuring that a bunch of CFG transformations don't 16135 have to be SSA-aware. 16136 16137 So far the only DFG phases that are SSA-aware are DCE and CFA. CFG 16138 simplification is probably SSA-aware by default, though I haven't tried it. 16139 Constant folding probably needs a few tweaks, but is likely ready. Ditto 16140 for CSE, though it's not clear that we'd want to use block-local CSE when 16141 we could be doing GVN. 16142 16143 Currently only the FTL can generate code from the SSA form, and there is no 16144 way to convert from SSA to ThreadedCPS or LoadStore. There probably will 16145 never be such a capability. 16146 16147 In order to handle OSR exit state in the SSA, we place MovHints at Phi 16148 points. Other than that, you can reconstruct state-at-exit by forward 16149 propagating MovHints. Note that MovHint is the new SetLocal in SSA. 16150 SetLocal and GetLocal only survive into SSA if they are on captured 16151 variables, or in the case of flushes. A "live SetLocal" will be 16152 NodeMustGenerate and will always correspond to a flush. Computing the 16153 state-at-exit requires running SSA liveness analysis, OSR availability 16154 analysis, and flush liveness analysis. The FTL runs all of these prior to 16155 generating code. While OSR exit continues to be tricky, much of the logic 16156 is now factored into separate phases and the backend has to do less work 16157 to reason about what happened outside of the basic block that is being 16158 lowered. 16159 16160 Conversion from DFG SSA to LLVM SSA is done by ensuring that we generate 16161 code in depth-first order, thus guaranteeing that a node will always be 16162 lowered (and hence have a LValue) before any of the blocks dominated by 16163 that node's block have code generated. For Upsilon/Phi, we just use 16164 alloca's. We could do something more clever there, but it's probably not 16165 worth it, at least not now. 16166 16167 Finally, while the SSA form is currently only being converted to LLVM IR, 16168 there is nothing that prevents us from considering other backends in the 16169 future - with the caveat that this form is designed to be first lowered to 16170 a lower-level SSA before actual machine code generation commences. So we 16171 ought to either use LLVM (the intended path) or we will have to write our 16172 own SSA low-level backend. 16173 16174 This runs all of the code that the FTL was known to run previously. No 16175 change in performance for now. But it does open some exciting 16176 possibilities! 16177 16178 * JavaScriptCore.xcodeproj/project.pbxproj: 16179 * bytecode/Operands.h: 16180 (JSC::OperandValueTraits::dump): 16181 (JSC::Operands::fill): 16182 (Operands): 16183 (JSC::Operands::clear): 16184 (JSC::Operands::operator==): 16185 * dfg/DFGAbstractState.cpp: 16186 (JSC::DFG::AbstractState::beginBasicBlock): 16187 (JSC::DFG::setLiveValues): 16188 (DFG): 16189 (JSC::DFG::AbstractState::initialize): 16190 (JSC::DFG::AbstractState::endBasicBlock): 16191 (JSC::DFG::AbstractState::executeEffects): 16192 (JSC::DFG::AbstractState::mergeStateAtTail): 16193 (JSC::DFG::AbstractState::merge): 16194 * dfg/DFGAbstractState.h: 16195 (AbstractState): 16196 * dfg/DFGAdjacencyList.h: 16197 (JSC::DFG::AdjacencyList::justOneChild): 16198 (AdjacencyList): 16199 * dfg/DFGBasicBlock.cpp: Added. 16200 (DFG): 16201 (JSC::DFG::BasicBlock::BasicBlock): 16202 (JSC::DFG::BasicBlock::~BasicBlock): 16203 (JSC::DFG::BasicBlock::ensureLocals): 16204 (JSC::DFG::BasicBlock::isInPhis): 16205 (JSC::DFG::BasicBlock::isInBlock): 16206 (JSC::DFG::BasicBlock::removePredecessor): 16207 (JSC::DFG::BasicBlock::replacePredecessor): 16208 (JSC::DFG::BasicBlock::dump): 16209 (JSC::DFG::BasicBlock::SSAData::SSAData): 16210 (JSC::DFG::BasicBlock::SSAData::~SSAData): 16211 * dfg/DFGBasicBlock.h: 16212 (BasicBlock): 16213 (JSC::DFG::BasicBlock::operator[]): 16214 (JSC::DFG::BasicBlock::successor): 16215 (JSC::DFG::BasicBlock::successorForCondition): 16216 (SSAData): 16217 * dfg/DFGBasicBlockInlines.h: 16218 (DFG): 16219 * dfg/DFGBlockInsertionSet.cpp: Added. 16220 (DFG): 16221 (JSC::DFG::BlockInsertionSet::BlockInsertionSet): 16222 (JSC::DFG::BlockInsertionSet::~BlockInsertionSet): 16223 (JSC::DFG::BlockInsertionSet::insert): 16224 (JSC::DFG::BlockInsertionSet::insertBefore): 16225 (JSC::DFG::BlockInsertionSet::execute): 16226 * dfg/DFGBlockInsertionSet.h: Added. 16227 (DFG): 16228 (BlockInsertionSet): 16229 * dfg/DFGCFAPhase.cpp: 16230 (JSC::DFG::CFAPhase::run): 16231 * dfg/DFGCFGSimplificationPhase.cpp: 16232 * dfg/DFGCPSRethreadingPhase.cpp: 16233 (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock): 16234 * dfg/DFGCommon.cpp: 16235 (WTF::printInternal): 16236 * dfg/DFGCommon.h: 16237 (JSC::DFG::doesKill): 16238 (DFG): 16239 (JSC::DFG::killStatusForDoesKill): 16240 * dfg/DFGConstantFoldingPhase.cpp: 16241 (JSC::DFG::ConstantFoldingPhase::foldConstants): 16242 (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter): 16243 * dfg/DFGCriticalEdgeBreakingPhase.cpp: Added. 16244 (DFG): 16245 (CriticalEdgeBreakingPhase): 16246 (JSC::DFG::CriticalEdgeBreakingPhase::CriticalEdgeBreakingPhase): 16247 (JSC::DFG::CriticalEdgeBreakingPhase::run): 16248 (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): 16249 (JSC::DFG::performCriticalEdgeBreaking): 16250 * dfg/DFGCriticalEdgeBreakingPhase.h: Added. 16251 (DFG): 16252 * dfg/DFGDCEPhase.cpp: 16253 (JSC::DFG::DCEPhase::run): 16254 (JSC::DFG::DCEPhase::findTypeCheckRoot): 16255 (JSC::DFG::DCEPhase::countNode): 16256 (DCEPhase): 16257 (JSC::DFG::DCEPhase::countEdge): 16258 (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren): 16259 * dfg/DFGDriver.cpp: 16260 (JSC::DFG::compile): 16261 * dfg/DFGEdge.cpp: 16262 (JSC::DFG::Edge::dump): 16263 * dfg/DFGEdge.h: 16264 (JSC::DFG::Edge::Edge): 16265 (JSC::DFG::Edge::setNode): 16266 (JSC::DFG::Edge::useKindUnchecked): 16267 (JSC::DFG::Edge::setUseKind): 16268 (JSC::DFG::Edge::setProofStatus): 16269 (JSC::DFG::Edge::willNotHaveCheck): 16270 (JSC::DFG::Edge::willHaveCheck): 16271 (Edge): 16272 (JSC::DFG::Edge::killStatusUnchecked): 16273 (JSC::DFG::Edge::killStatus): 16274 (JSC::DFG::Edge::setKillStatus): 16275 (JSC::DFG::Edge::doesKill): 16276 (JSC::DFG::Edge::doesNotKill): 16277 (JSC::DFG::Edge::shift): 16278 (JSC::DFG::Edge::makeWord): 16279 * dfg/DFGFixupPhase.cpp: 16280 (JSC::DFG::FixupPhase::fixupNode): 16281 * dfg/DFGFlushFormat.cpp: Added. 16282 (WTF): 16283 (WTF::printInternal): 16284 * dfg/DFGFlushFormat.h: Added. 16285 (DFG): 16286 (JSC::DFG::resultFor): 16287 (JSC::DFG::useKindFor): 16288 (WTF): 16289 * dfg/DFGFlushLivenessAnalysisPhase.cpp: Added. 16290 (DFG): 16291 (FlushLivenessAnalysisPhase): 16292 (JSC::DFG::FlushLivenessAnalysisPhase::FlushLivenessAnalysisPhase): 16293 (JSC::DFG::FlushLivenessAnalysisPhase::run): 16294 (JSC::DFG::FlushLivenessAnalysisPhase::process): 16295 (JSC::DFG::FlushLivenessAnalysisPhase::setForNode): 16296 (JSC::DFG::FlushLivenessAnalysisPhase::flushFormat): 16297 (JSC::DFG::performFlushLivenessAnalysis): 16298 * dfg/DFGFlushLivenessAnalysisPhase.h: Added. 16299 (DFG): 16300 * dfg/DFGGraph.cpp: 16301 (JSC::DFG::Graph::dump): 16302 (JSC::DFG::Graph::dumpBlockHeader): 16303 (DFG): 16304 (JSC::DFG::Graph::addForDepthFirstSort): 16305 (JSC::DFG::Graph::getBlocksInDepthFirstOrder): 16306 * dfg/DFGGraph.h: 16307 (JSC::DFG::Graph::convertToConstant): 16308 (JSC::DFG::Graph::valueProfileFor): 16309 (Graph): 16310 * dfg/DFGInsertionSet.h: 16311 (DFG): 16312 (JSC::DFG::InsertionSet::execute): 16313 * dfg/DFGLivenessAnalysisPhase.cpp: Added. 16314 (DFG): 16315 (LivenessAnalysisPhase): 16316 (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase): 16317 (JSC::DFG::LivenessAnalysisPhase::run): 16318 (JSC::DFG::LivenessAnalysisPhase::process): 16319 (JSC::DFG::LivenessAnalysisPhase::addChildUse): 16320 (JSC::DFG::performLivenessAnalysis): 16321 * dfg/DFGLivenessAnalysisPhase.h: Added. 16322 (DFG): 16323 * dfg/DFGNode.cpp: 16324 (JSC::DFG::Node::hasVariableAccessData): 16325 (DFG): 16326 * dfg/DFGNode.h: 16327 (DFG): 16328 (Node): 16329 (JSC::DFG::Node::hasLocal): 16330 (JSC::DFG::Node::variableAccessData): 16331 (JSC::DFG::Node::hasPhi): 16332 (JSC::DFG::Node::phi): 16333 (JSC::DFG::Node::takenBlock): 16334 (JSC::DFG::Node::notTakenBlock): 16335 (JSC::DFG::Node::successor): 16336 (JSC::DFG::Node::successorForCondition): 16337 (JSC::DFG::nodeComparator): 16338 (JSC::DFG::nodeListDump): 16339 (JSC::DFG::nodeMapDump): 16340 * dfg/DFGNodeFlags.cpp: 16341 (JSC::DFG::dumpNodeFlags): 16342 * dfg/DFGNodeType.h: 16343 (DFG): 16344 * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Added. 16345 (DFG): 16346 (OSRAvailabilityAnalysisPhase): 16347 (JSC::DFG::OSRAvailabilityAnalysisPhase::OSRAvailabilityAnalysisPhase): 16348 (JSC::DFG::OSRAvailabilityAnalysisPhase::run): 16349 (JSC::DFG::performOSRAvailabilityAnalysis): 16350 * dfg/DFGOSRAvailabilityAnalysisPhase.h: Added. 16351 (DFG): 16352 * dfg/DFGPlan.cpp: 16353 (JSC::DFG::Plan::compileInThreadImpl): 16354 * dfg/DFGPredictionInjectionPhase.cpp: 16355 (JSC::DFG::PredictionInjectionPhase::run): 16356 * dfg/DFGPredictionPropagationPhase.cpp: 16357 (JSC::DFG::PredictionPropagationPhase::propagate): 16358 * dfg/DFGSSAConversionPhase.cpp: Added. 16359 (DFG): 16360 (SSAConversionPhase): 16361 (JSC::DFG::SSAConversionPhase::SSAConversionPhase): 16362 (JSC::DFG::SSAConversionPhase::run): 16363 (JSC::DFG::SSAConversionPhase::forwardPhiChildren): 16364 (JSC::DFG::SSAConversionPhase::forwardPhi): 16365 (JSC::DFG::SSAConversionPhase::forwardPhiEdge): 16366 (JSC::DFG::SSAConversionPhase::deduplicateChildren): 16367 (JSC::DFG::SSAConversionPhase::addFlushedLocalOp): 16368 (JSC::DFG::SSAConversionPhase::addFlushedLocalEdge): 16369 (JSC::DFG::performSSAConversion): 16370 * dfg/DFGSSAConversionPhase.h: Added. 16371 (DFG): 16372 * dfg/DFGSpeculativeJIT32_64.cpp: 16373 (JSC::DFG::SpeculativeJIT::compile): 16374 * dfg/DFGSpeculativeJIT64.cpp: 16375 (JSC::DFG::SpeculativeJIT::compile): 16376 * dfg/DFGValidate.cpp: 16377 (JSC::DFG::Validate::validate): 16378 (Validate): 16379 (JSC::DFG::Validate::validateCPS): 16380 * dfg/DFGVariableAccessData.h: 16381 (JSC::DFG::VariableAccessData::flushFormat): 16382 (VariableAccessData): 16383 * ftl/FTLCapabilities.cpp: 16384 (JSC::FTL::canCompile): 16385 * ftl/FTLLowerDFGToLLVM.cpp: 16386 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM): 16387 (JSC::FTL::LowerDFGToLLVM::lower): 16388 (JSC::FTL::LowerDFGToLLVM::createPhiVariables): 16389 (JSC::FTL::LowerDFGToLLVM::compileBlock): 16390 (JSC::FTL::LowerDFGToLLVM::compileNode): 16391 (JSC::FTL::LowerDFGToLLVM::compileUpsilon): 16392 (LowerDFGToLLVM): 16393 (JSC::FTL::LowerDFGToLLVM::compilePhi): 16394 (JSC::FTL::LowerDFGToLLVM::compileJSConstant): 16395 (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant): 16396 (JSC::FTL::LowerDFGToLLVM::compileGetArgument): 16397 (JSC::FTL::LowerDFGToLLVM::compileGetLocal): 16398 (JSC::FTL::LowerDFGToLLVM::compileSetLocal): 16399 (JSC::FTL::LowerDFGToLLVM::compileAdd): 16400 (JSC::FTL::LowerDFGToLLVM::compileArithSub): 16401 (JSC::FTL::LowerDFGToLLVM::compileArithMul): 16402 (JSC::FTL::LowerDFGToLLVM::compileArithDiv): 16403 (JSC::FTL::LowerDFGToLLVM::compileArithMod): 16404 (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax): 16405 (JSC::FTL::LowerDFGToLLVM::compileArithAbs): 16406 (JSC::FTL::LowerDFGToLLVM::compileArithNegate): 16407 (JSC::FTL::LowerDFGToLLVM::compileBitAnd): 16408 (JSC::FTL::LowerDFGToLLVM::compileBitOr): 16409 (JSC::FTL::LowerDFGToLLVM::compileBitXor): 16410 (JSC::FTL::LowerDFGToLLVM::compileBitRShift): 16411 (JSC::FTL::LowerDFGToLLVM::compileBitLShift): 16412 (JSC::FTL::LowerDFGToLLVM::compileBitURShift): 16413 (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber): 16414 (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): 16415 (JSC::FTL::LowerDFGToLLVM::compileGetButterfly): 16416 (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): 16417 (JSC::FTL::LowerDFGToLLVM::compileGetByVal): 16418 (JSC::FTL::LowerDFGToLLVM::compileGetByOffset): 16419 (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar): 16420 (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant): 16421 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): 16422 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant): 16423 (JSC::FTL::LowerDFGToLLVM::compileCompareLess): 16424 (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq): 16425 (JSC::FTL::LowerDFGToLLVM::compileCompareGreater): 16426 (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq): 16427 (JSC::FTL::LowerDFGToLLVM::compileLogicalNot): 16428 (JSC::FTL::LowerDFGToLLVM::speculateBackward): 16429 (JSC::FTL::LowerDFGToLLVM::lowInt32): 16430 (JSC::FTL::LowerDFGToLLVM::lowCell): 16431 (JSC::FTL::LowerDFGToLLVM::lowBoolean): 16432 (JSC::FTL::LowerDFGToLLVM::lowDouble): 16433 (JSC::FTL::LowerDFGToLLVM::lowJSValue): 16434 (JSC::FTL::LowerDFGToLLVM::lowStorage): 16435 (JSC::FTL::LowerDFGToLLVM::speculate): 16436 (JSC::FTL::LowerDFGToLLVM::speculateBoolean): 16437 (JSC::FTL::LowerDFGToLLVM::isLive): 16438 (JSC::FTL::LowerDFGToLLVM::use): 16439 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): 16440 (JSC::FTL::LowerDFGToLLVM::appendOSRExit): 16441 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall): 16442 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): 16443 (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks): 16444 (JSC::FTL::LowerDFGToLLVM::setInt32): 16445 (JSC::FTL::LowerDFGToLLVM::setJSValue): 16446 (JSC::FTL::LowerDFGToLLVM::setBoolean): 16447 (JSC::FTL::LowerDFGToLLVM::setStorage): 16448 (JSC::FTL::LowerDFGToLLVM::setDouble): 16449 (JSC::FTL::LowerDFGToLLVM::isValid): 16450 * ftl/FTLLoweredNodeValue.h: Added. 16451 (FTL): 16452 (LoweredNodeValue): 16453 (JSC::FTL::LoweredNodeValue::LoweredNodeValue): 16454 (JSC::FTL::LoweredNodeValue::isSet): 16455 (JSC::FTL::LoweredNodeValue::operator!): 16456 (JSC::FTL::LoweredNodeValue::value): 16457 (JSC::FTL::LoweredNodeValue::block): 16458 * ftl/FTLValueFromBlock.h: 16459 (JSC::FTL::ValueFromBlock::ValueFromBlock): 16460 (ValueFromBlock): 16461 * ftl/FTLValueSource.cpp: 16462 (JSC::FTL::ValueSource::dump): 16463 * ftl/FTLValueSource.h: 16464 164652013-07-11 Mark Lam <mark.lam@apple.com> 16466 16467 Resurrect the CLoop LLINT on the FTL branch. 16468 https://bugs.webkit.org/show_bug.cgi?id=118144. 16469 16470 Reviewed by Mark Hahnenberg. 16471 16472 * bytecode/CodeBlock.h: 16473 (JSC::CodeBlock::jitType): 16474 - Fix the CodeBlock jitType to be InterpreterThunk when !ENABLE_JIT. 16475 * bytecode/JumpTable.h: 16476 (JSC::SimpleJumpTable::clear): 16477 * interpreter/StackIterator.cpp: 16478 (JSC::StackIterator::Frame::bytecodeOffset): 16479 (JSC::StackIterator::Frame::print): 16480 * jit/JITCode.cpp: 16481 (JSC): 16482 * jit/JITExceptions.cpp: 16483 (JSC::getExceptionLocation): 16484 * llint/LowLevelInterpreter.cpp: 16485 * offlineasm/cloop.rb: 16486 * runtime/Structure.cpp: 16487 164882013-07-08 Filip Pizlo <fpizlo@apple.com> 16489 16490 NaturalLoops + Profiler = Crash 16491 https://bugs.webkit.org/show_bug.cgi?id=118486 16492 16493 Reviewed by Geoffrey Garen. 16494 16495 I borked dominators in: 16496 http://trac.webkit.org/changeset/152431/branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGDominators.h 16497 16498 This patch also adds some debug support, and fixes the loop that adds a block to 16499 an already-existing natural loop. Note that we currently don't take that path in 16500 most programs, but it will arise, for example if you use 'continue' - though you'd 16501 have to use it rather cleverly since the bytecode will not jump to the loop header 16502 in most uses of 'continue'. 16503 16504 * dfg/DFGDominators.cpp: 16505 (JSC::DFG::Dominators::dump): 16506 (DFG): 16507 * dfg/DFGDominators.h: 16508 (JSC::DFG::Dominators::dominates): 16509 (Dominators): 16510 * dfg/DFGNaturalLoops.cpp: 16511 (JSC::DFG::NaturalLoops::compute): 16512 165132013-07-08 Filip Pizlo <fpizlo@apple.com> 16514 16515 fourthTier: DFG::AbstractState::beginBasicBlock() should set m_haveStructures if any of the valuesAtHead have either a current known structure or a non-top/non-bottom array modes 16516 https://bugs.webkit.org/show_bug.cgi?id=118489 16517 16518 Reviewed by Mark Hahnenberg. 16519 16520 * bytecode/ArrayProfile.h: 16521 (JSC::arrayModesAreClearOrTop): 16522 (JSC): 16523 * dfg/DFGAbstractState.cpp: 16524 (JSC::DFG::AbstractState::beginBasicBlock): 16525 * dfg/DFGAbstractValue.h: 16526 (JSC::DFG::AbstractValue::hasClobberableState): 16527 (AbstractValue): 16528 165292013-07-08 Mark Hahnenberg <mhahnenberg@apple.com> 16530 16531 CheckArray should call the right version of filterArrayModes 16532 https://bugs.webkit.org/show_bug.cgi?id=118488 16533 16534 Reviewed by Filip Pizlo. 16535 16536 Currently in the CFA CheckArray doesn't call the right filterArrayMode which can cause 16537 the CFA to ignore when it sees a contradiction. 16538 16539 * dfg/DFGAbstractState.cpp: 16540 (JSC::DFG::AbstractState::executeEffects): 16541 165422013-07-07 Filip Pizlo <fpizlo@apple.com> 16543 16544 fourthTier: Graph::clearAndDerefChild() makes no sense anymore, and neither does Nop 16545 https://bugs.webkit.org/show_bug.cgi?id=118452 16546 16547 Reviewed by Sam Weinig. 16548 16549 Noticed that ArgumentsSimplificationPhase was converting something to a Nop and then 16550 resetting its children using clearAndDerefChild(). Using Nop instead of Phantom is a 16551 holdover from back when we needed a no-MustGenerate no-op. We don't anymore. Using 16552 clearAndDerefChild() was necessary back when we did eager reference counting. We 16553 don't need to do that anymore, and in fact clearAndDerefChild() appeared to not do 16554 any reference counting, so it was badly named to begin with. 16555 16556 * dfg/DFGAbstractState.cpp: 16557 (JSC::DFG::AbstractState::executeEffects): 16558 * dfg/DFGArgumentsSimplificationPhase.cpp: 16559 (JSC::DFG::ArgumentsSimplificationPhase::run): 16560 * dfg/DFGCPSRethreadingPhase.cpp: 16561 (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes): 16562 * dfg/DFGCSEPhase.cpp: 16563 (JSC::DFG::CSEPhase::performNodeCSE): 16564 * dfg/DFGFixupPhase.cpp: 16565 (JSC::DFG::FixupPhase::fixupNode): 16566 * dfg/DFGGraph.h: 16567 (Graph): 16568 * dfg/DFGNode.h: 16569 (JSC::DFG::Node::willHaveCodeGenOrOSR): 16570 * dfg/DFGNodeType.h: 16571 (DFG): 16572 * dfg/DFGPredictionPropagationPhase.cpp: 16573 (JSC::DFG::PredictionPropagationPhase::propagate): 16574 * dfg/DFGSpeculativeJIT32_64.cpp: 16575 (JSC::DFG::SpeculativeJIT::compile): 16576 * dfg/DFGSpeculativeJIT64.cpp: 16577 (JSC::DFG::SpeculativeJIT::compile): 16578 165792013-07-04 Filip Pizlo <fpizlo@apple.com> 16580 16581 fourthTier: FTL should better report its compile-times and it should be able to run in a mode where it doesn't spend time generating OSR exits 16582 https://bugs.webkit.org/show_bug.cgi?id=118401 16583 16584 Reviewed by Sam Weinig. 16585 16586 Add two new OSR exit modes, which are useful only for playing with compile times: 16587 16588 - All OSR exits are llvm.trap(). 16589 16590 - OSR exits don't take arguments and have no exit value marshaling. 16591 16592 * dfg/DFGPlan.cpp: 16593 (JSC::DFG::Plan::compileInThread): 16594 (JSC::DFG::Plan::compileInThreadImpl): 16595 * dfg/DFGPlan.h: 16596 (Plan): 16597 * ftl/FTLIntrinsicRepository.h: 16598 (FTL): 16599 * ftl/FTLLowerDFGToLLVM.cpp: 16600 (JSC::FTL::LowerDFGToLLVM::appendOSRExit): 16601 (LowerDFGToLLVM): 16602 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall): 16603 * ftl/FTLOutput.h: 16604 (JSC::FTL::Output::trap): 16605 * runtime/Options.h: 16606 (JSC): 16607 166082013-07-04 Filip Pizlo <fpizlo@apple.com> 16609 16610 fourthTier: DFG should refer to BasicBlocks by BasicBlock* and not BlockIndex 16611 https://bugs.webkit.org/show_bug.cgi?id=118339 16612 16613 Reviewed by Michael Saboff. 16614 16615 This accomplishes two goals: 16616 16617 1) Simplifies a bunch of code. You can now much more directly get to a successor 16618 or predecessor, since you just get the pointer directly. The backend(s) always 16619 hold onto a pointer to the block they're on, so you don't have to do work to 16620 get the block from the index. 16621 16622 2) It allows for the possibility of inserting blocks into the program. 16623 Previously, if you did that, you'd have to edit all references to blocks since 16624 those references would have outdated indexing after an insertion. Now, if you 16625 change the indexing, you just have to invalidate some analyses and make sure 16626 that you change each block's BasicBlock::index accordingly. 16627 16628 * dfg/DFGAbstractState.cpp: 16629 (JSC::DFG::AbstractState::initialize): 16630 (JSC::DFG::AbstractState::endBasicBlock): 16631 (JSC::DFG::AbstractState::mergeToSuccessors): 16632 * dfg/DFGAbstractState.h: 16633 (AbstractState): 16634 * dfg/DFGArgumentsSimplificationPhase.cpp: 16635 (JSC::DFG::ArgumentsSimplificationPhase::run): 16636 * dfg/DFGBackwardsPropagationPhase.cpp: 16637 (JSC::DFG::BackwardsPropagationPhase::run): 16638 * dfg/DFGBasicBlock.h: 16639 (DFG): 16640 (JSC::DFG::BasicBlock::BasicBlock): 16641 (JSC::DFG::BasicBlock::size): 16642 (JSC::DFG::BasicBlock::isEmpty): 16643 (JSC::DFG::BasicBlock::at): 16644 (JSC::DFG::BasicBlock::operator[]): 16645 (JSC::DFG::BasicBlock::last): 16646 (JSC::DFG::BasicBlock::resize): 16647 (JSC::DFG::BasicBlock::grow): 16648 (BasicBlock): 16649 (JSC::DFG::BasicBlock::append): 16650 (JSC::DFG::BasicBlock::numSuccessors): 16651 (JSC::DFG::BasicBlock::successor): 16652 (JSC::DFG::BasicBlock::successorForCondition): 16653 (JSC::DFG::BasicBlock::dump): 16654 (UnlinkedBlock): 16655 (JSC::DFG::UnlinkedBlock::UnlinkedBlock): 16656 (JSC::DFG::getBytecodeBeginForBlock): 16657 (JSC::DFG::blockForBytecodeOffset): 16658 * dfg/DFGByteCodeParser.cpp: 16659 (ByteCodeParser): 16660 (InlineStackEntry): 16661 (JSC::DFG::ByteCodeParser::handleInlining): 16662 (JSC::DFG::ByteCodeParser::parseBlock): 16663 (JSC::DFG::ByteCodeParser::linkBlock): 16664 (JSC::DFG::ByteCodeParser::linkBlocks): 16665 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): 16666 (JSC::DFG::ByteCodeParser::parseCodeBlock): 16667 (JSC::DFG::ByteCodeParser::parse): 16668 * dfg/DFGCFAPhase.cpp: 16669 (JSC::DFG::CFAPhase::performBlockCFA): 16670 (JSC::DFG::CFAPhase::performForwardCFA): 16671 * dfg/DFGCFGSimplificationPhase.cpp: 16672 (JSC::DFG::CFGSimplificationPhase::run): 16673 (JSC::DFG::CFGSimplificationPhase::convertToJump): 16674 * dfg/DFGCPSRethreadingPhase.cpp: 16675 (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes): 16676 (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlocks): 16677 (JSC::DFG::CPSRethreadingPhase::propagatePhis): 16678 (CPSRethreadingPhase): 16679 * dfg/DFGCSEPhase.cpp: 16680 (JSC::DFG::CSEPhase::run): 16681 * dfg/DFGConstantFoldingPhase.cpp: 16682 (JSC::DFG::ConstantFoldingPhase::run): 16683 (JSC::DFG::ConstantFoldingPhase::foldConstants): 16684 * dfg/DFGDCEPhase.cpp: 16685 (JSC::DFG::DCEPhase::run): 16686 * dfg/DFGDisassembler.cpp: 16687 (JSC::DFG::Disassembler::Disassembler): 16688 (JSC::DFG::Disassembler::createDumpList): 16689 * dfg/DFGDisassembler.h: 16690 (JSC::DFG::Disassembler::setForBlockIndex): 16691 * dfg/DFGDominators.cpp: 16692 (JSC::DFG::Dominators::compute): 16693 (JSC::DFG::Dominators::iterateForBlock): 16694 * dfg/DFGDominators.h: 16695 (JSC::DFG::Dominators::dominates): 16696 * dfg/DFGFixupPhase.cpp: 16697 (JSC::DFG::FixupPhase::run): 16698 (JSC::DFG::FixupPhase::fixupNode): 16699 * dfg/DFGGraph.cpp: 16700 (JSC::DFG::Graph::dump): 16701 (JSC::DFG::Graph::dumpBlockHeader): 16702 (JSC::DFG::Graph::handleSuccessor): 16703 (JSC::DFG::Graph::determineReachability): 16704 (JSC::DFG::Graph::resetReachability): 16705 * dfg/DFGGraph.h: 16706 (JSC::DFG::Graph::numBlocks): 16707 (JSC::DFG::Graph::block): 16708 (JSC::DFG::Graph::lastBlock): 16709 (Graph): 16710 (JSC::DFG::Graph::appendBlock): 16711 (JSC::DFG::Graph::killBlock): 16712 (DFG): 16713 * dfg/DFGJITCompiler.cpp: 16714 (JSC::DFG::JITCompiler::JITCompiler): 16715 (JSC::DFG::JITCompiler::link): 16716 * dfg/DFGJITCompiler.h: 16717 (JSC::DFG::JITCompiler::setForBlockIndex): 16718 * dfg/DFGNaturalLoops.cpp: 16719 (JSC::DFG::NaturalLoop::dump): 16720 (JSC::DFG::NaturalLoops::compute): 16721 (JSC::DFG::NaturalLoops::loopsOf): 16722 * dfg/DFGNaturalLoops.h: 16723 (JSC::DFG::NaturalLoop::NaturalLoop): 16724 (JSC::DFG::NaturalLoop::addBlock): 16725 (JSC::DFG::NaturalLoop::header): 16726 (JSC::DFG::NaturalLoop::at): 16727 (JSC::DFG::NaturalLoop::operator[]): 16728 (JSC::DFG::NaturalLoop::contains): 16729 (NaturalLoop): 16730 (JSC::DFG::NaturalLoops::headerOf): 16731 (NaturalLoops): 16732 * dfg/DFGNode.h: 16733 (DFG): 16734 (JSC::DFG::SwitchCase::SwitchCase): 16735 (JSC::DFG::SwitchCase::withBytecodeIndex): 16736 (SwitchCase): 16737 (JSC::DFG::SwitchCase::targetBytecodeIndex): 16738 (JSC::DFG::SwitchData::SwitchData): 16739 (JSC::DFG::SwitchData::setFallThroughBytecodeIndex): 16740 (JSC::DFG::SwitchData::fallThroughBytecodeIndex): 16741 (SwitchData): 16742 (JSC::DFG::Node::setTakenBlock): 16743 (JSC::DFG::Node::setNotTakenBlock): 16744 (JSC::DFG::Node::takenBlock): 16745 (JSC::DFG::Node::notTakenBlock): 16746 (JSC::DFG::Node::successor): 16747 (JSC::DFG::Node::successorForCondition): 16748 * dfg/DFGPredictionInjectionPhase.cpp: 16749 (JSC::DFG::PredictionInjectionPhase::run): 16750 * dfg/DFGPredictionPropagationPhase.cpp: 16751 (JSC::DFG::PredictionPropagationPhase::propagateForward): 16752 (JSC::DFG::PredictionPropagationPhase::propagateBackward): 16753 (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting): 16754 * dfg/DFGSpeculativeJIT.cpp: 16755 (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward): 16756 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): 16757 (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq): 16758 (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch): 16759 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality): 16760 (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch): 16761 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): 16762 (JSC::DFG::SpeculativeJIT::compileCurrentBlock): 16763 (JSC::DFG::SpeculativeJIT::compile): 16764 (JSC::DFG::SpeculativeJIT::createOSREntries): 16765 (JSC::DFG::SpeculativeJIT::linkOSREntries): 16766 (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant): 16767 (JSC::DFG::SpeculativeJIT::compileStrictEq): 16768 (JSC::DFG::SpeculativeJIT::compileRegExpExec): 16769 (JSC::DFG::SpeculativeJIT::addBranch): 16770 (JSC::DFG::SpeculativeJIT::linkBranches): 16771 * dfg/DFGSpeculativeJIT.h: 16772 (JSC::DFG::SpeculativeJIT::nextBlock): 16773 (SpeculativeJIT): 16774 (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch): 16775 (JSC::DFG::SpeculativeJIT::branchDouble): 16776 (JSC::DFG::SpeculativeJIT::branchDoubleNonZero): 16777 (JSC::DFG::SpeculativeJIT::branch32): 16778 (JSC::DFG::SpeculativeJIT::branchTest32): 16779 (JSC::DFG::SpeculativeJIT::branch64): 16780 (JSC::DFG::SpeculativeJIT::branch8): 16781 (JSC::DFG::SpeculativeJIT::branchPtr): 16782 (JSC::DFG::SpeculativeJIT::branchTestPtr): 16783 (JSC::DFG::SpeculativeJIT::branchTest8): 16784 (JSC::DFG::SpeculativeJIT::jump): 16785 (JSC::DFG::SpeculativeJIT::addBranch): 16786 (JSC::DFG::SpeculativeJIT::StringSwitchCase::StringSwitchCase): 16787 (StringSwitchCase): 16788 (JSC::DFG::SpeculativeJIT::BranchRecord::BranchRecord): 16789 (BranchRecord): 16790 * dfg/DFGSpeculativeJIT32_64.cpp: 16791 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): 16792 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull): 16793 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): 16794 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): 16795 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): 16796 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): 16797 (JSC::DFG::SpeculativeJIT::emitBranch): 16798 (JSC::DFG::SpeculativeJIT::compile): 16799 * dfg/DFGSpeculativeJIT64.cpp: 16800 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): 16801 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull): 16802 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): 16803 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): 16804 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): 16805 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): 16806 (JSC::DFG::SpeculativeJIT::emitBranch): 16807 (JSC::DFG::SpeculativeJIT::compile): 16808 * dfg/DFGTypeCheckHoistingPhase.cpp: 16809 (JSC::DFG::TypeCheckHoistingPhase::run): 16810 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): 16811 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): 16812 (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries): 16813 * dfg/DFGUnificationPhase.cpp: 16814 (JSC::DFG::UnificationPhase::run): 16815 * dfg/DFGValidate.cpp: 16816 (JSC::DFG::Validate::validate): 16817 (JSC::DFG::Validate::checkOperand): 16818 (JSC::DFG::Validate::reportValidationContext): 16819 * dfg/DFGVirtualRegisterAllocationPhase.cpp: 16820 (JSC::DFG::VirtualRegisterAllocationPhase::run): 16821 * ftl/FTLCapabilities.cpp: 16822 (JSC::FTL::canCompile): 16823 * ftl/FTLLowerDFGToLLVM.cpp: 16824 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM): 16825 (JSC::FTL::LowerDFGToLLVM::lower): 16826 (JSC::FTL::LowerDFGToLLVM::compileBlock): 16827 (JSC::FTL::LowerDFGToLLVM::compileJump): 16828 (JSC::FTL::LowerDFGToLLVM::compileBranch): 16829 (JSC::FTL::LowerDFGToLLVM::lowBlock): 16830 168312013-07-04 Filip Pizlo <fpizlo@apple.com> 16832 16833 Unreviewed, add a helpful comment for why DCE is needed in the FTL. 16834 16835 I believe I've now twice down the experiment of disabling DCE in the FTL, 16836 only to realize that this can't work, and that DCE is needed. I'd kind of 16837 like to not make that mistake again. 16838 16839 * dfg/DFGPlan.cpp: 16840 (JSC::DFG::Plan::compileInThreadImpl): 16841 168422013-07-02 Filip Pizlo <fpizlo@apple.com> 16843 16844 fourthTier: DFG::Node::m_opInfo2 should also be a uintptr_t 16845 https://bugs.webkit.org/show_bug.cgi?id=118340 16846 16847 Reviewed by Sam Weinig. 16848 16849 * dfg/DFGNode.h: 16850 (JSC::DFG::Node::Node): 16851 168522013-07-02 Filip Pizlo <fpizlo@apple.com> 16853 16854 Unreviewed, fix 32-bit build. 16855 16856 * assembler/MacroAssembler.h: 16857 (JSC::MacroAssembler::comparePtr): 16858 (MacroAssembler): 16859 * dfg/DFGBinarySwitch.cpp: 16860 (JSC::DFG::BinarySwitch::advance): 16861 * dfg/DFGBinarySwitch.h: 16862 (JSC::DFG::BinarySwitch::caseValue): 16863 168642013-07-02 Filip Pizlo <fpizlo@apple.com> 16865 16866 fourthTier: Have fewer Arrayify's 16867 https://bugs.webkit.org/show_bug.cgi?id=118335 16868 16869 Reviewed by Mark Hahnenberg. 16870 16871 A lot of Arrayify's arise because some program saw Int32 arrays early on in 16872 execution, but then they all got converted to Double arrays and the program 16873 will never see Int32 arrays ever again. Prior to this change you would always 16874 have an Arrayify in this case. But with this change, the first time that an 16875 ArrayProfile is about to go polymorphic in computeUpdatedPrediction(), it 16876 instead forcibly monomorphises itself to the latest-seen structure. 16877 Thereafter it will never again perform this monomorphisation. This is 16878 controlled by ArrayProfile::m_didPerformFirstRunPruning. This is a 5% 16879 speed-up on Kraken/imaging-gaussian-blur with the FTL enabled, and it 16880 unblocks a bunch of stuff we want to do in the future because it makes a 16881 bunch of loops effect-free. 16882 16883 We will still want to implement Arrayify hoisting in the future, but this is 16884 great anyway because it's better to not have Arrayifications than it is to 16885 have hoisted Arrayifications. 16886 16887 * bytecode/ArrayProfile.cpp: 16888 (JSC::ArrayProfile::computeUpdatedPrediction): 16889 (JSC::ArrayProfile::briefDescription): 16890 (JSC): 16891 (JSC::ArrayProfile::briefDescriptionWithoutUpdating): 16892 * bytecode/ArrayProfile.h: 16893 (JSC::ArrayProfile::ArrayProfile): 16894 (ArrayProfile): 16895 168962013-07-02 Filip Pizlo <fpizlo@apple.com> 16897 16898 fourthTier: add option to disable OSR entry in loops 16899 https://bugs.webkit.org/show_bug.cgi?id=118329 16900 16901 Reviewed by Mark Hahnenberg. 16902 16903 This adds that option, and also makes the OSR exit reoptimization trigger rely less on 16904 OSR entry failing. Now even if we never attempt OSR entry but our execution counter gets 16905 high after a small number of OSR exits, we will recompile. 16906 16907 * dfg/DFGOSRExitCompilerCommon.cpp: 16908 (JSC::DFG::handleExitCounts): 16909 * dfg/DFGOperations.cpp: 16910 * jit/JITOpcodes.cpp: 16911 (JSC::JIT::emit_op_loop_hint): 16912 (JSC::JIT::emitSlow_op_loop_hint): 16913 * runtime/Options.h: 16914 (JSC): 16915 169162013-07-02 Filip Pizlo <fpizlo@apple.com> 16917 16918 fourthTier: since the FTL disassembly hacks cannot distinguish between code and data, the LLVM disassembler symbol table callback should be able to deal gracefully with arbitrary garbage 16919 https://bugs.webkit.org/show_bug.cgi?id=118313 16920 16921 Reviewed by Mark Hahnenberg. 16922 16923 Give it a mode where we can still crash on unrecognized reference types, so that we might 16924 implement them in the future, but by default just print some stuff and keep going. 16925 16926 * disassembler/LLVMDisassembler.cpp: 16927 (JSC): 16928 (JSC::symbolLookupCallback): 16929 169302013-07-02 Filip Pizlo <fpizlo@apple.com> 16931 16932 fourthTier: FTL should use the equivalent of llvm opt -O2 by default 16933 https://bugs.webkit.org/show_bug.cgi?id=118311 16934 16935 Reviewed by Mark Hahnenberg. 16936 16937 Use a PassManagerBuilder instead of rolling our own. 16938 16939 This boosts our speed-up by another 5% or so. 16940 16941 * ftl/FTLCompile.cpp: 16942 (JSC::FTL::compile): 16943 * runtime/Options.h: 16944 (JSC): 16945 169462013-07-01 Filip Pizlo <fpizlo@apple.com> 16947 16948 fourthTier: FTL should run LICM after AA setup 16949 https://bugs.webkit.org/show_bug.cgi?id=118277 16950 16951 Reviewed by Maciej Stachowiak. 16952 16953 LICM queries alias analysis. Hence, just like GVN, it should run after 16954 we have set up the alias analysis. 16955 16956 * ftl/FTLCompile.cpp: 16957 (JSC::FTL::compile): 16958 169592013-07-01 Filip Pizlo <fpizlo@apple.com> 16960 16961 fourthTier: FTL should run AA passes before GVN 16962 https://bugs.webkit.org/show_bug.cgi?id=118276 16963 16964 Rubber stamped by Geoffrey Garen. 16965 16966 These enable load elimination in GVN. 16967 16968 Immediately gives us a speed-up on a bunch of benchmarks I hacked to run 16969 properly in the FTL. One example is 20% on imaging-gaussian-blur. (Fair 16970 warning: the stock version of that benchmark won't see speed-ups - 16971 probably slow-downs instead - because the FTL can't do OSR entry yet.) 16972 Another example is the findGraphNode function, which now sees a 7% 16973 speed-up, and that's without even doing LICM or other good things. 16974 16975 * ftl/FTLCompile.cpp: 16976 (JSC::FTL::compile): 16977 169782013-06-27 Filip Pizlo <fpizlo@apple.com> 16979 16980 Make Graph::substituteGetLocal() out-of-line 16981 16982 Rubber stamped by Geoffrey Garen. 16983 16984 * dfg/DFGGraph.cpp: 16985 (JSC::DFG::Graph::substituteGetLocal): 16986 (DFG): 16987 * dfg/DFGGraph.h: 16988 (Graph): 16989 169902013-06-27 Filip Pizlo <fpizlo@apple.com> 16991 16992 fourthTier: DFG should know how to find natural loops 16993 https://bugs.webkit.org/show_bug.cgi?id=118152 16994 16995 Reviewed by Mark Hahnenberg. 16996 16997 There are a bunch of things we can do when we know where the loops are. 16998 Previously we didn't. With this patch, we do. 16999 17000 This patch adds the classic dominator based natural loop finder. 17001 17002 The only client of this right now is the DFG::Disassembler. It prints out 17003 a summary of the analysis for each block. 17004 17005 This will become more important when I do 17006 https://bugs.webkit.org/show_bug.cgi?id=118151, which definitely requires 17007 this kind of analysis, at least if we want to do the optimization over 17008 DFG IR (and I'm pretty sure we do). 17009 17010 * JavaScriptCore.xcodeproj/project.pbxproj: 17011 * dfg/DFGAnalysis.h: Added. 17012 (DFG): 17013 (Analysis): 17014 (JSC::DFG::Analysis::Analysis): 17015 (JSC::DFG::Analysis::invalidate): 17016 (JSC::DFG::Analysis::computeIfNecessary): 17017 (JSC::DFG::Analysis::isValid): 17018 * dfg/DFGCFGSimplificationPhase.cpp: 17019 (JSC::DFG::CFGSimplificationPhase::run): 17020 * dfg/DFGDisassembler.cpp: 17021 (JSC::DFG::Disassembler::createDumpList): 17022 * dfg/DFGDominators.cpp: 17023 (JSC::DFG::Dominators::Dominators): 17024 (JSC::DFG::Dominators::compute): 17025 * dfg/DFGDominators.h: 17026 (Dominators): 17027 * dfg/DFGGraph.cpp: 17028 (JSC::DFG::Graph::dumpBlockHeader): 17029 (JSC::DFG::Graph::invalidateCFG): 17030 (DFG): 17031 * dfg/DFGGraph.h: 17032 (Graph): 17033 * dfg/DFGNaturalLoops.cpp: Added. 17034 (DFG): 17035 (JSC::DFG::NaturalLoop::dump): 17036 (JSC::DFG::NaturalLoops::NaturalLoops): 17037 (JSC::DFG::NaturalLoops::~NaturalLoops): 17038 (JSC::DFG::NaturalLoops::compute): 17039 (JSC::DFG::NaturalLoops::loopsOf): 17040 (JSC::DFG::NaturalLoops::dump): 17041 * dfg/DFGNaturalLoops.h: Added. 17042 (DFG): 17043 (NaturalLoop): 17044 (JSC::DFG::NaturalLoop::NaturalLoop): 17045 (JSC::DFG::NaturalLoop::addBlock): 17046 (JSC::DFG::NaturalLoop::header): 17047 (JSC::DFG::NaturalLoop::size): 17048 (JSC::DFG::NaturalLoop::at): 17049 (JSC::DFG::NaturalLoop::operator[]): 17050 (JSC::DFG::NaturalLoop::contains): 17051 (NaturalLoops): 17052 (JSC::DFG::NaturalLoops::numLoops): 17053 (JSC::DFG::NaturalLoops::loop): 17054 (JSC::DFG::NaturalLoops::headerOf): 17055 170562013-06-27 Filip Pizlo <fpizlo@apple.com> 17057 17058 fourthTier: JSC's disassembly infrastructure should be able to disassemble the code that LLVM generates 17059 https://bugs.webkit.org/show_bug.cgi?id=118148 17060 17061 Reviewed by Anders Carlsson. 17062 17063 Oh boy. UDis86 cannot disassemble the AVX (or whatever it's called) stuff 17064 that LLVM generates for floating point. So the right decision is to 17065 switch to the LLVM disassembler, right? Wrong!! LLVM's disassembler 17066 cannot disassemble the load-from-absolute-address-into-%rax instructions 17067 that our JIT generates quite a lot of. 17068 17069 So, this keeps the UDis86 disassembler, but adds the LLVM disassembler, 17070 and requires the caller of disassemble() to hint which one is likely to 17071 be less wrong for the given code. 17072 17073 Maybe in the future LLVM will catch up to UDis86, but it's definitely not 17074 there right now. 17075 17076 This now allows us to disassemble all of the code that LLVM generates. 17077 17078 * JavaScriptCore.xcodeproj/project.pbxproj: 17079 * disassembler/Disassembler.cpp: 17080 (JSC::disassemble): 17081 * disassembler/Disassembler.h: 17082 (JSC::tryToDisassemble): 17083 (JSC): 17084 * disassembler/LLVMDisassembler.cpp: Added. 17085 (JSC): 17086 (JSC::symbolLookupCallback): 17087 (JSC::tryToDisassembleWithLLVM): 17088 * disassembler/LLVMDisassembler.h: Added. 17089 (JSC): 17090 (JSC::tryToDisassembleWithLLVM): 17091 * disassembler/UDis86Disassembler.cpp: 17092 (JSC::tryToDisassembleWithUDis86): 17093 * disassembler/UDis86Disassembler.h: Added. 17094 (JSC): 17095 (JSC::tryToDisassembleWithUDis86): 17096 * disassembler/X86Disassembler.cpp: Added. 17097 (JSC): 17098 (JSC::tryToDisassemble): 17099 * ftl/FTLAbbreviatedTypes.h: 17100 * ftl/FTLCompile.cpp: 17101 (JSC::FTL::compile): 17102 * ftl/FTLJITCode.h: 17103 * ftl/FTLJITFinalizer.h: 17104 * ftl/FTLLLVMHeaders.h: Removed. 17105 * ftl/FTLLink.cpp: 17106 * runtime/InitializeThreading.cpp: 17107 (JSC::initializeThreadingOnce): 17108 * runtime/Options.h: 17109 (JSC): 17110 171112013-06-27 Filip Pizlo <fpizlo@apple.com> 17112 17113 fourthTier: FTL should be able to dump disassembly 17114 https://bugs.webkit.org/show_bug.cgi?id=118141 17115 17116 Reviewed by Geoffrey Garen. 17117 17118 * ftl/FTLCompile.cpp: 17119 (JSC::FTL::compile): 17120 171212013-06-27 Filip Pizlo <fpizlo@apple.com> 17122 17123 Unreviewed, fix build for LLVM ToT. 17124 17125 This doesn't affect those using the binary drops, but if you're building from 17126 LLVM ToT you'll get link errors. These arise because we expect there to be a 17127 libLLVMArchive, but that is no longer built by LLVM ToT. This casues the linker 17128 to fall back on the system's libLLVMArchive, which is incompatible with the 17129 other LLVM libs we pull in. 17130 17131 Also, we didn't need that library anyway and shouldn't have been linking 17132 against it. 17133 17134 * Configurations/JavaScriptCore.xcconfig: 17135 171362013-06-26 Filip Pizlo <fpizlo@apple.com> 17137 17138 fourthTier: FTL should support hole/OOB PutByVal's 17139 https://bugs.webkit.org/show_bug.cgi?id=118112 17140 17141 Reviewed by Geoffrey Garen. 17142 17143 Added a common code generator for the out-of-bounds case that is reused by 17144 all contiguous-like arrays (Int32, Double, Contiguous). 17145 17146 This is relatively straight-forward, except that it's the first time that 17147 the FTL has to call DFG operations that take more than two arguments. 17148 17149 * ftl/FTLAbbreviations.h: 17150 (JSC::FTL::functionType): 17151 (JSC::FTL::buildCall): 17152 * ftl/FTLAbstractHeapRepository.h: 17153 (FTL): 17154 * ftl/FTLCapabilities.cpp: 17155 (JSC::FTL::canCompile): 17156 * ftl/FTLIntrinsicRepository.h: 17157 (FTL): 17158 * ftl/FTLLowerDFGToLLVM.cpp: 17159 (JSC::FTL::LowerDFGToLLVM::compilePutByVal): 17160 (LowerDFGToLLVM): 17161 (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds): 17162 (JSC::FTL::LowerDFGToLLVM::vmCall): 17163 * ftl/FTLOutput.h: 17164 (JSC::FTL::Output::call): 17165 171662013-06-26 Filip Pizlo <fpizlo@apple.com> 17167 17168 fourthTier: FTL::canCompile(Graph&) should not consider nodes that won't be compiled 17169 https://bugs.webkit.org/show_bug.cgi?id=118097 17170 17171 Reviewed by Mark Hahnenberg. 17172 17173 This increases coverage to include programs that have unprofiled paths. Those paths will 17174 often have nodes that appear to do untyped speculations, and the FTL sometimes doesn't 17175 support those; except that it doesn't matter since the reason why they were untyped is 17176 that they were unprofiled and anyway we won't run them because we'll exit before them. 17177 17178 * ftl/FTLCapabilities.cpp: 17179 (JSC::FTL::canCompile): 17180 171812013-06-26 Filip Pizlo <fpizlo@apple.com> 17182 17183 fourthTier: FTL should support ArrayifyToStructure 17184 https://bugs.webkit.org/show_bug.cgi?id=118095 17185 17186 Reviewed by Mark Hahnenberg. 17187 17188 * ftl/FTLCapabilities.cpp: 17189 (JSC::FTL::canCompile): 17190 * ftl/FTLIntrinsicRepository.h: 17191 (FTL): 17192 * ftl/FTLLowerDFGToLLVM.cpp: 17193 (JSC::FTL::LowerDFGToLLVM::compileNode): 17194 (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure): 17195 (LowerDFGToLLVM): 17196 171972013-06-26 Filip Pizlo <fpizlo@apple.com> 17198 17199 fourthTier: FTL should support ForwardCheckStructure/ForwardStructureTransitionWatchpoint and doing so shouldn't break V8/crypto 17200 https://bugs.webkit.org/show_bug.cgi?id=118091 17201 17202 Reviewed by Mark Hahnenberg. 17203 17204 I was going to just add ForwardCheckStructure/ForwardStructureTransitionWatchpoint support, 17205 which is trivial. But doing so increases coverage a lot, and revealed long-standing bugs in 17206 the FTL. I then fixed those bugs, also: 17207 17208 - The FTL should not attempt to compile a block that is not reachable according to the CFA. 17209 This is analogous to terminating basic block compilation if the CFA becomes !isValid(). 17210 Attempting to compile such a block means that you're running on broken CFA state, and the 17211 CFA will become inconsistent with the code you're generating, leading to some 17212 strangeness. For example, the FTL relies on the CFA to tell it that we gave up compiling 17213 a node and hence don't have LValue's for that node (by virtue of us giving up due to 17214 !isValid()). But the CFA's isValid() bit will not be set correctly for blocks that 17215 weren't visited by the CFA at all, and the CFA expects you to know this because it 17216 expects that you already checked BasicBlock::cfaHasVisited. 17217 17218 - SetLocal needs to change the ValueSource of the operand to indicate that its value has 17219 been stashed in the local (i.e. the "reference" corresponding to the operand in FTL 17220 speak). This is because although OSR exit already knows that the value of the operand is 17221 stored in the Node, and it already knows what LValue corresponds to the node, OSR exit 17222 will also assume that if the Node dies then the value-at-exit for that operand should be 17223 Dead (i.e. jsUndefined). But the Node dying, and the local dying, are two distinct 17224 things; in particular the local always outlives the Node in the case of a SetLocal. So, 17225 we just need to have SetLocal have the ValueSource be BlahInLocal rather than HaveNode, 17226 to ensure that OSR exit knows that the darn thing is really live until the end of the 17227 basic block, as opposed to until whenever the Node dies (which could be at any time). 17228 17229 - PutByOffset was erroneously storing to an offset from the base object, rather than an 17230 offset from the storage. Note that the storage will be the base object (exactly - i.e. 17231 same node, same value) for inline stores, but will be a distinct thing for out-of-line 17232 stores. 17233 17234 - At-head set-up of OSR exit state was using ValueInLocals for variables forced double, 17235 when it should have been using DoubleInLocals. 17236 17237 * ftl/FTLCapabilities.cpp: 17238 (JSC::FTL::canCompile): 17239 * ftl/FTLLowerDFGToLLVM.cpp: 17240 (JSC::FTL::LowerDFGToLLVM::compileBlock): 17241 (JSC::FTL::LowerDFGToLLVM::compileNode): 17242 (JSC::FTL::LowerDFGToLLVM::compileSetLocal): 17243 (JSC::FTL::LowerDFGToLLVM::compilePutByOffset): 17244 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): 17245 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): 17246 172472013-06-26 Filip Pizlo <fpizlo@apple.com> 17248 17249 fourthTier: FTL should support PutByVal 17250 https://bugs.webkit.org/show_bug.cgi?id=118075 17251 17252 Reviewed by Mark Hahnenberg. 17253 17254 * ftl/FTLCapabilities.cpp: 17255 (JSC::FTL::canCompile): 17256 * ftl/FTLLowerDFGToLLVM.cpp: 17257 (JSC::FTL::LowerDFGToLLVM::lower): 17258 (JSC::FTL::LowerDFGToLLVM::compileNode): 17259 (JSC::FTL::LowerDFGToLLVM::compileGetByVal): 17260 (LowerDFGToLLVM): 17261 (JSC::FTL::LowerDFGToLLVM::compilePutByVal): 17262 172632013-06-25 Filip Pizlo <fpizlo@apple.com> 17264 17265 fourthTier: Convert versus AsIs should have no bearing on whether we can do the SaneChain optimization for double array GetByVals 17266 https://bugs.webkit.org/show_bug.cgi?id=118028 17267 17268 Reviewed by Sam Weinig. 17269 17270 The SaneChain optimization allows us to get rid of the NaN check on loading from 17271 a double array, if the result is used in an arithmetic op that wouldn't 17272 distinguish between NaN and undefined. Normally the NaN check would be needed 17273 because NaN is the hole marker. 17274 17275 The SaneChain optimization definitely requires that you're an Original array, 17276 since we need to watchpoint the array prototype chain. And so it also needs to 17277 be a JSArray, and not an object that has indexed double properties. We also 17278 require an in-bounds access, since the backend is only capable of the 17279 optimization in the in-bounds case (though we could extend it to OOB in the 17280 future). But whether the array is being converted or is as-is isn't relevant. 17281 Either way, if it's a double original array in-bounds access by the time that 17282 the array check (or conversion!) completes, we can do the optimization. 17283 17284 Ever-so-slight speed-up on Kraken/imaging-gaussian-blur. 17285 17286 * dfg/DFGFixupPhase.cpp: 17287 (JSC::DFG::FixupPhase::fixupNode): 17288 172892013-06-25 Filip Pizlo <fpizlo@apple.com> 17290 17291 fourthTier: DFG should support switch_string 17292 https://bugs.webkit.org/show_bug.cgi?id=117967 17293 17294 Reviewed by Sam Weinig. 17295 17296 Add a reusable binary switch creator. 17297 17298 Implement switch on string using three modes: 17299 17300 - Binary switch on StringImpl* in the case of identifiers. 17301 17302 - Trie of binary switches on characters in the case of a not-too-big 17303 switch over not-too-big 8-bit strings. 17304 17305 - Hash lookup if all else fails. 17306 17307 Anywhere from a 2x to 3x speed-up on microbenchmarks that stress 17308 string switches. 25-35% speed-up on HashMap tests. 4% speed-up on 17309 pdfjs. 17310 17311 * JavaScriptCore.xcodeproj/project.pbxproj: 17312 * bytecode/JumpTable.h: 17313 (StringJumpTable): 17314 (JSC::StringJumpTable::clear): 17315 * dfg/DFGBackwardsPropagationPhase.cpp: 17316 (JSC::DFG::BackwardsPropagationPhase::propagate): 17317 * dfg/DFGBinarySwitch.cpp: Added. 17318 (DFG): 17319 (JSC::DFG::BinarySwitch::BinarySwitch): 17320 (JSC::DFG::BinarySwitch::advance): 17321 (JSC::DFG::BinarySwitch::build): 17322 * dfg/DFGBinarySwitch.h: Added. 17323 (DFG): 17324 (BinarySwitch): 17325 (JSC::DFG::BinarySwitch::caseIndex): 17326 (JSC::DFG::BinarySwitch::caseValue): 17327 (JSC::DFG::BinarySwitch::fallThrough): 17328 (JSC::DFG::BinarySwitch::Case::Case): 17329 (Case): 17330 (JSC::DFG::BinarySwitch::Case::operator<): 17331 (JSC::DFG::BinarySwitch::BranchCode::BranchCode): 17332 (BranchCode): 17333 * dfg/DFGByteCodeParser.cpp: 17334 (JSC::DFG::ByteCodeParser::parseBlock): 17335 * dfg/DFGCapabilities.cpp: 17336 (JSC::DFG::capabilityLevel): 17337 * dfg/DFGFixupPhase.cpp: 17338 (JSC::DFG::FixupPhase::fixupNode): 17339 * dfg/DFGJITCompiler.cpp: 17340 (JSC::DFG::JITCompiler::link): 17341 * dfg/DFGLazyJSValue.cpp: 17342 (JSC::DFG::LazyJSValue::getValue): 17343 (JSC::DFG::equalToStringImpl): 17344 (DFG): 17345 (JSC::DFG::LazyJSValue::strictEqual): 17346 (JSC::DFG::LazyJSValue::dump): 17347 * dfg/DFGLazyJSValue.h: 17348 (JSC::DFG::LazyJSValue::knownStringImpl): 17349 (LazyJSValue): 17350 (JSC::DFG::LazyJSValue::stringImpl): 17351 (JSC::DFG::LazyJSValue::switchLookupValue): 17352 * dfg/DFGNode.cpp: 17353 (WTF::printInternal): 17354 * dfg/DFGNode.h: 17355 * dfg/DFGOperations.cpp: 17356 * dfg/DFGOperations.h: 17357 * dfg/DFGSpeculativeJIT.cpp: 17358 (JSC::DFG::SpeculativeJIT::emitSwitchChar): 17359 (JSC::DFG::SpeculativeJIT::StringSwitchCase::operator<): 17360 (DFG): 17361 (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse): 17362 (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString): 17363 (JSC::DFG::SpeculativeJIT::emitSwitchString): 17364 (JSC::DFG::SpeculativeJIT::emitSwitch): 17365 (JSC::DFG::SpeculativeJIT::addBranch): 17366 * dfg/DFGSpeculativeJIT.h: 17367 (JSC::DFG::SpeculativeJIT::callOperation): 17368 (JSC::DFG::SpeculativeJIT::branch8): 17369 (SpeculativeJIT): 17370 (JSC::DFG::SpeculativeJIT::StringSwitchCase::StringSwitchCase): 17371 (StringSwitchCase): 17372 * ftl/FTLLowerDFGToLLVM.cpp: 17373 (JSC::FTL::LowerDFGToLLVM::compileSwitch): 17374 * runtime/Options.h: 17375 (JSC): 17376 173772013-06-24 Filip Pizlo <fpizlo@apple.com> 17378 17379 fourthTier: Count external memory usage towards heap footprint 17380 https://bugs.webkit.org/show_bug.cgi?id=117948 17381 17382 Reviewed by Geoffrey Garen. 17383 17384 Currently just count strings. Strings get counted in such a way that we won't re-count strings 17385 that are aliased, by dividing by the reference count. This then ups the GC footprint and allows 17386 the collector to appropriately amortize itself. 17387 17388 * heap/Heap.cpp: 17389 (JSC::Heap::Heap): 17390 (JSC::Heap::size): 17391 (JSC::Heap::collect): 17392 * heap/Heap.h: 17393 (Heap): 17394 * heap/SlotVisitor.h: 17395 * heap/SlotVisitorInlines.h: 17396 (JSC::SlotVisitor::reportExtraMemoryUsage): 17397 (JSC): 17398 * runtime/JSString.cpp: 17399 (JSC::JSString::visitChildren): 17400 174012013-06-23 Filip Pizlo <fpizlo@apple.com> 17402 17403 fourthTier: DFG should optimize identifier string equality 17404 https://bugs.webkit.org/show_bug.cgi?id=117920 17405 17406 Reviewed by Sam Weinig. 17407 17408 This is a 20% speed-up for string equality comparisons when both strings are 17409 identifiers. 17410 17411 This is important for two reasons: 17412 17413 1) Using strings as enumerations is an idiom. A great example is typeof. It 17414 would be great if this performed better. 17415 17416 2) When I implement switch_string in the DFG, it would be great to optimize 17417 the case where the switched-on value is an identifier. That would involve 17418 a simple binary switch rather than a more complicated trie-switch over 17419 characters. 17420 17421 * bytecode/SpeculatedType.cpp: 17422 (JSC::dumpSpeculation): 17423 (JSC::speculationToAbbreviatedString): 17424 (JSC::speculationFromCell): 17425 * bytecode/SpeculatedType.h: 17426 (JSC): 17427 (JSC::isStringIdentSpeculation): 17428 (JSC::isStringSpeculation): 17429 * dfg/DFGAbstractState.cpp: 17430 (JSC::DFG::AbstractState::executeEffects): 17431 * dfg/DFGFixupPhase.cpp: 17432 (JSC::DFG::FixupPhase::fixupNode): 17433 * dfg/DFGNode.h: 17434 (JSC::DFG::Node::shouldSpeculateStringIdent): 17435 (Node): 17436 * dfg/DFGSpeculativeJIT.cpp: 17437 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): 17438 (JSC::DFG::SpeculativeJIT::compare): 17439 (JSC::DFG::SpeculativeJIT::compileStrictEq): 17440 (JSC::DFG::SpeculativeJIT::compileStringEquality): 17441 (JSC::DFG::SpeculativeJIT::compileStringIdentEquality): 17442 (DFG): 17443 (JSC::DFG::SpeculativeJIT::speculateString): 17444 (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage): 17445 (JSC::DFG::SpeculativeJIT::speculateStringIdent): 17446 (JSC::DFG::SpeculativeJIT::speculate): 17447 * dfg/DFGSpeculativeJIT.h: 17448 (SpeculativeJIT): 17449 * dfg/DFGUseKind.cpp: 17450 (WTF::printInternal): 17451 * dfg/DFGUseKind.h: 17452 (JSC::DFG::typeFilterFor): 17453 (JSC::DFG::isCell): 17454 174552013-06-22 Filip Pizlo <fpizlo@apple.com> 17456 17457 fourthTier: DFG shouldn't exit just because a String GetByVal went out-of-bounds 17458 https://bugs.webkit.org/show_bug.cgi?id=117906 17459 17460 Reviewed by Mark Hahnenberg. 17461 17462 This does the obvious thing, but also makes sure that out-of-bounds accesses 17463 don't fall off into a C call, but try to do the fast thing if the prototype 17464 chain is sane. We ought to probably do this for other array accesses in the 17465 future, as well, since it's so darn easy. 17466 17467 * dfg/DFGAbstractState.cpp: 17468 (JSC::DFG::AbstractState::executeEffects): 17469 * dfg/DFGFixupPhase.cpp: 17470 (JSC::DFG::FixupPhase::fixupNode): 17471 * dfg/DFGOperations.cpp: 17472 * dfg/DFGOperations.h: 17473 * dfg/DFGSpeculativeJIT.cpp: 17474 (JSC::DFG::SpeculativeJIT::compileGetByValOnString): 17475 * dfg/DFGSpeculativeJIT.h: 17476 (JSC::DFG::SpeculativeJIT::callOperation): 17477 * runtime/JSGlobalObject.cpp: 17478 (JSC::JSGlobalObject::objectPrototypeIsSane): 17479 (JSC): 17480 (JSC::JSGlobalObject::arrayPrototypeChainIsSane): 17481 (JSC::JSGlobalObject::stringPrototypeChainIsSane): 17482 * runtime/JSGlobalObject.h: 17483 (JSGlobalObject): 17484 174852013-06-22 Filip Pizlo <fpizlo@apple.com> 17486 17487 fourthTier: GC's put_by_id transition fixpoint should converge more quickly 17488 https://bugs.webkit.org/show_bug.cgi?id=117912 17489 17490 Reviewed by Mark Hahnenberg. 17491 17492 This was a rookie mistake. The GC does a classic forward data flow fixpoint. These work well so long as you 17493 iterate the program in program order, or at least something close to program order. Because I enjoy reverse 17494 loops ("while (n--) blah"), I ended up iterating in *reverse* of program order which ensured worst-case 17495 pathologies every single time. And unsurprisingly, this slowed down a program, namely pdfjs. 17496 17497 Flipping the loops to iterate forward fixes a 90% regression in Octane/pdfjs and is otherwise neutral. 17498 17499 * bytecode/CodeBlock.cpp: 17500 (JSC::CodeBlock::propagateTransitions): 17501 175022013-06-21 Filip Pizlo <fpizlo@apple.com> 17503 17504 fourthTier: DFG should CSE MakeRope 17505 https://bugs.webkit.org/show_bug.cgi?id=117905 17506 17507 Reviewed by Geoffrey Garen. 17508 17509 Adds MakeRope to the CSE phase and removes the comment that says that 17510 we could do it but aren't doing it. 17511 17512 Also fixed SpeculatedType dumping so that if you have a Cell type then 17513 it just prints "Cell" and if you just have Object then it just prints 17514 "Object", instead of printing the long list of types. 17515 17516 * bytecode/SpeculatedType.cpp: 17517 (JSC::dumpSpeculation): 17518 * dfg/DFGCSEPhase.cpp: 17519 (JSC::DFG::CSEPhase::performNodeCSE): 17520 175212013-06-21 Filip Pizlo <fpizlo@apple.com> 17522 17523 fourthTier: DFG should't exit just because it GetByVal'd a big character 17524 https://bugs.webkit.org/show_bug.cgi?id=117899 17525 17526 Reviewed by Mark Hahnenberg. 17527 17528 Add a slow path. Also clarify handling of GetByVal in PutStructure elimination. 17529 Previously it would fail due to canExit() but now we can also fail because 17530 GetByVal(String) can allocate. Just make it so GetByVal is totally poisoned, in 17531 a very explicit way. 17532 17533 * dfg/DFGCSEPhase.cpp: 17534 (JSC::DFG::CSEPhase::putStructureStoreElimination): 17535 * dfg/DFGOperations.cpp: 17536 * dfg/DFGOperations.h: 17537 * dfg/DFGSpeculativeJIT.cpp: 17538 (JSC::DFG::SpeculativeJIT::compileGetByValOnString): 17539 * dfg/DFGSpeculativeJIT.h: 17540 (JSC::DFG::SpeculativeJIT::callOperation): 17541 (SpeculativeJIT): 17542 175432013-06-21 Filip Pizlo <fpizlo@apple.com> 17544 17545 fourthTier: Small strings shouldn't get GC'd 17546 https://bugs.webkit.org/show_bug.cgi?id=117897 17547 17548 Reviewed by Mark Hahnenberg. 17549 17550 Kill off the code needed to allocate them lazily and finalize them. 17551 17552 * dfg/DFGSpeculativeJIT.cpp: 17553 (JSC::DFG::SpeculativeJIT::compileGetByValOnString): 17554 * heap/Heap.cpp: 17555 (JSC::Heap::collect): 17556 * runtime/JSString.h: 17557 (JSC::jsSingleCharacterString): 17558 (JSC::jsSingleCharacterSubstring): 17559 (JSC::jsString): 17560 (JSC::jsSubstring8): 17561 (JSC::jsSubstring): 17562 (JSC::jsOwnedString): 17563 * runtime/NumberPrototype.cpp: 17564 (JSC::integerValueToString): 17565 * runtime/SmallStrings.cpp: 17566 (JSC): 17567 (JSC::SmallStrings::initializeCommonStrings): 17568 (JSC::SmallStrings::visitStrongReferences): 17569 * runtime/SmallStrings.h: 17570 (JSC::SmallStrings::singleCharacterString): 17571 (SmallStrings): 17572 175732013-06-20 Filip Pizlo <fpizlo@apple.com> 17574 17575 fourthTier: Structure should have a dump() 17576 https://bugs.webkit.org/show_bug.cgi?id=117859 17577 17578 Reviewed by Geoffrey Garen. 17579 17580 This is pretty cool. Anywhere we previously printed Structure pointers in dumps, 17581 we now print a bunch of other info as well. For example, for an object literal 17582 like "{f:42, g:64, h:24}", when we print the structure we'll now get: 17583 17584 0x107a0af80:[Object, {f:0, g:1, h:2}, NonArray, Proto:0x107a8fff0] 17585 17586 This also changes a bunch of places to use the dump method. 17587 17588 * bytecode/StructureSet.h: 17589 (JSC::StructureSet::dump): 17590 * dfg/DFGGraph.cpp: 17591 (JSC::DFG::Graph::dump): 17592 * dfg/DFGStructureAbstractValue.h: 17593 (JSC::DFG::StructureAbstractValue::dump): 17594 * runtime/JSCJSValue.cpp: 17595 (JSC::JSValue::dump): 17596 * runtime/Structure.cpp: 17597 (JSC::Structure::dump): 17598 (JSC): 17599 * runtime/Structure.h: 17600 (Structure): 17601 176022013-06-20 Filip Pizlo <fpizlo@apple.com> 17603 17604 fourthTier: There should only be one table of SimpleJumpTables 17605 https://bugs.webkit.org/show_bug.cgi?id=117856 17606 17607 Reviewed by Geoffrey Garen. 17608 17609 Having multiple tables of SimpleJumpTables just means we have to duplicate a 17610 ton of code. This patch deduplicates all of it. 17611 17612 * bytecode/CodeBlock.cpp: 17613 (JSC::CodeBlock::dumpBytecode): 17614 (JSC): 17615 (JSC::CodeBlock::CodeBlock): 17616 (JSC::CodeBlock::shrinkToFit): 17617 * bytecode/CodeBlock.h: 17618 (JSC::CodeBlock::numberOfSwitchJumpTables): 17619 (JSC::CodeBlock::addSwitchJumpTable): 17620 (JSC::CodeBlock::switchJumpTable): 17621 (JSC::CodeBlock::clearSwitchJumpTables): 17622 (RareData): 17623 * bytecode/PreciseJumpTargets.cpp: 17624 (JSC): 17625 (JSC::computePreciseJumpTargets): 17626 * bytecode/UnlinkedCodeBlock.h: 17627 (JSC::UnlinkedCodeBlock::shrinkToFit): 17628 (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables): 17629 (JSC::UnlinkedCodeBlock::addSwitchJumpTable): 17630 (JSC::UnlinkedCodeBlock::switchJumpTable): 17631 (RareData): 17632 * bytecompiler/BytecodeGenerator.cpp: 17633 (JSC): 17634 (JSC::prepareJumpTableForSwitch): 17635 (JSC::BytecodeGenerator::endSwitch): 17636 * dfg/DFGByteCodeParser.cpp: 17637 (InlineStackEntry): 17638 (JSC::DFG::ByteCodeParser::parseBlock): 17639 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): 17640 * dfg/DFGJITCompiler.cpp: 17641 (JSC::DFG::JITCompiler::link): 17642 * dfg/DFGJITCompiler.h: 17643 (JITCompiler): 17644 * dfg/DFGOperations.cpp: 17645 * dfg/DFGSpeculativeJIT.cpp: 17646 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump): 17647 (DFG): 17648 (JSC::DFG::SpeculativeJIT::emitSwitchImm): 17649 (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump): 17650 * dfg/DFGSpeculativeJIT.h: 17651 (SpeculativeJIT): 17652 * ftl/FTLLink.cpp: 17653 (JSC::FTL::link): 17654 * jit/JITOpcodes.cpp: 17655 (JSC::JIT::emit_op_switch_imm): 17656 (JSC::JIT::emit_op_switch_char): 17657 * jit/JITOpcodes32_64.cpp: 17658 (JSC::JIT::emit_op_switch_imm): 17659 (JSC::JIT::emit_op_switch_char): 17660 * jit/JITStubs.cpp: 17661 (JSC::DEFINE_STUB_FUNCTION): 17662 * llint/LLIntSlowPaths.cpp: 17663 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 17664 * llint/LowLevelInterpreter32_64.asm: 17665 * llint/LowLevelInterpreter64.asm: 17666 176672013-06-20 Filip Pizlo <fpizlo@apple.com> 17668 17669 fourthTier: FTL should clear character switch jump tables 17670 https://bugs.webkit.org/show_bug.cgi?id=117852 17671 17672 Reviewed by Sam Weinig. 17673 17674 The FTL just uses LLVM's switch, which results in LLVM allocating its own switch 17675 jump tables as needed. 17676 17677 * bytecode/CodeBlock.h: 17678 (JSC::CodeBlock::clearCharacterSwitchJumpTables): 17679 * ftl/FTLLink.cpp: 17680 (JSC::FTL::link): 17681 176822013-06-20 Filip Pizlo <fpizlo@apple.com> 17683 17684 fourthTier: FTL should support SwitchChar 17685 https://bugs.webkit.org/show_bug.cgi?id=117849 17686 17687 Reviewed by Geoffrey Garen. 17688 17689 This adds Switch(SwitchChar) to the FTL and also implicitly does some other things. 17690 SwitchChar requires calling a slow path to resolve ropes. Previously the FTL had no 17691 support for calling slow paths, and we avoided adding coverage that would require 17692 that. Well, this patch adds the ability to call slow paths and just uses that for 17693 resolving ropes for SwitchChar. Also SwitchChar required adding awareness of strings, 17694 so I did that, too. 17695 17696 * bytecode/CodeBlock.h: 17697 (CodeBlock): 17698 (JSC::CodeBlock::addCodeOrigin): 17699 * dfg/DFGBackwardsPropagationPhase.cpp: 17700 (JSC::DFG::BackwardsPropagationPhase::propagate): 17701 * dfg/DFGGraph.cpp: 17702 (JSC::DFG::Graph::dump): 17703 * dfg/DFGNode.cpp: 17704 (WTF): 17705 (WTF::printInternal): 17706 * dfg/DFGNode.h: 17707 (WTF): 17708 * dfg/DFGOperations.h: 17709 * dfg/DFGSpeculativeJIT.h: 17710 (JSC::DFG::SpeculativeJIT::callOperation): 17711 * ftl/FTLAbbreviations.h: 17712 (JSC::FTL::int16Type): 17713 (JSC::FTL::constInt): 17714 * ftl/FTLAbstractHeapRepository.h: 17715 (FTL): 17716 * ftl/FTLCapabilities.cpp: 17717 (JSC::FTL::canCompile): 17718 * ftl/FTLCommonValues.cpp: 17719 (JSC::FTL::CommonValues::CommonValues): 17720 * ftl/FTLCommonValues.h: 17721 (CommonValues): 17722 * ftl/FTLIntrinsicRepository.cpp: 17723 (JSC::FTL::IntrinsicRepository::IntrinsicRepository): 17724 (FTL): 17725 * ftl/FTLIntrinsicRepository.h: 17726 (FTL): 17727 (IntrinsicRepository): 17728 * ftl/FTLLowerDFGToLLVM.cpp: 17729 (JSC::FTL::LowerDFGToLLVM::lower): 17730 (JSC::FTL::LowerDFGToLLVM::transferAndCheckArguments): 17731 (JSC::FTL::LowerDFGToLLVM::compileJump): 17732 (JSC::FTL::LowerDFGToLLVM::compileBranch): 17733 (JSC::FTL::LowerDFGToLLVM::compileSwitch): 17734 (JSC::FTL::LowerDFGToLLVM::buildSwitch): 17735 (LowerDFGToLLVM): 17736 (JSC::FTL::LowerDFGToLLVM::lowString): 17737 (JSC::FTL::LowerDFGToLLVM::speculate): 17738 (JSC::FTL::LowerDFGToLLVM::isObject): 17739 (JSC::FTL::LowerDFGToLLVM::isNotString): 17740 (JSC::FTL::LowerDFGToLLVM::isString): 17741 (JSC::FTL::LowerDFGToLLVM::isNotObject): 17742 (JSC::FTL::LowerDFGToLLVM::speculateObject): 17743 (JSC::FTL::LowerDFGToLLVM::speculateString): 17744 (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject): 17745 (JSC::FTL::LowerDFGToLLVM::vmCall): 17746 (JSC::FTL::LowerDFGToLLVM::callPreflight): 17747 (JSC::FTL::LowerDFGToLLVM::callCheck): 17748 (JSC::FTL::LowerDFGToLLVM::lowBlock): 17749 * ftl/FTLOutput.h: 17750 (JSC::FTL::Output::constBool): 17751 (JSC::FTL::Output::constInt8): 17752 (JSC::FTL::Output::constInt32): 17753 (JSC::FTL::Output::constIntPtr): 17754 (JSC::FTL::Output::constInt64): 17755 (JSC::FTL::Output::load16): 17756 (JSC::FTL::Output::isNull): 17757 (JSC::FTL::Output::notNull): 17758 (JSC::FTL::Output::testIsZero32): 17759 (JSC::FTL::Output::testNonZero32): 17760 (Output): 17761 (JSC::FTL::Output::operation): 17762 (JSC::FTL::Output::crash): 17763 177642013-06-18 Filip Pizlo <fpizlo@apple.com> 17765 17766 fourthTier: DFG should have switch_char 17767 https://bugs.webkit.org/show_bug.cgi?id=117710 17768 17769 Reviewed by Michael Saboff. 17770 17771 Add op_switch_char. Most of this is fairly simple, except for the whole 17772 LazyJSValue thing. 17773 17774 It's long been the case that anytime you wanted the DFG to speak of a string 17775 that didn't appear in the constant pool, you would have a hard time since 17776 the DFG isn't allowed to allocate in the GC heap. For example, if you know 17777 that you want to speak of a single character string, you might find that 17778 the one you wanted to speak of had been GC'd. Another example is if you 17779 wanted to add constant folding for string concatenation - something we don't 17780 have yet but will want eventually. 17781 17782 I solve this by finally adding the notion of LazyJSValue. In the future I 17783 anticipate using this for a variety of string-related things. The idea here 17784 is that the DFG can either say that it already knows what the value is, or 17785 it can describe the value. For example, in this patch I needed to be able to 17786 describe single-character strings. 17787 17788 * JavaScriptCore.xcodeproj/project.pbxproj: 17789 * bytecode/CodeBlock.cpp: 17790 (JSC::CodeBlock::dumpBytecode): 17791 (JSC::CodeBlock::CodeBlock): 17792 * bytecode/JumpTable.h: 17793 * dfg/DFGBackwardsPropagationPhase.cpp: 17794 (JSC::DFG::BackwardsPropagationPhase::propagate): 17795 * dfg/DFGByteCodeParser.cpp: 17796 (InlineStackEntry): 17797 (JSC::DFG::ByteCodeParser::parseBlock): 17798 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): 17799 * dfg/DFGCFGSimplificationPhase.cpp: 17800 (JSC::DFG::CFGSimplificationPhase::run): 17801 * dfg/DFGCapabilities.cpp: 17802 (JSC::DFG::capabilityLevel): 17803 * dfg/DFGDriver.cpp: 17804 (JSC::DFG::compile): 17805 * dfg/DFGFixupPhase.cpp: 17806 (JSC::DFG::FixupPhase::fixupNode): 17807 * dfg/DFGGPRInfo.h: 17808 (JSC::DFG::JSValueRegs::payloadGPR): 17809 * dfg/DFGJITCompiler.cpp: 17810 (JSC::DFG::JITCompiler::jumpTable): 17811 (DFG): 17812 (JSC::DFG::JITCompiler::numberOfJumpTables): 17813 (JSC::DFG::JITCompiler::linkSwitches): 17814 (JSC::DFG::JITCompiler::link): 17815 * dfg/DFGJITCompiler.h: 17816 (JITCompiler): 17817 * dfg/DFGLazyJSValue.cpp: Added. 17818 (DFG): 17819 (JSC::DFG::LazyJSValue::getValue): 17820 (JSC::DFG::equalToSingleCharacter): 17821 (JSC::DFG::LazyJSValue::strictEqual): 17822 (JSC::DFG::LazyJSValue::dump): 17823 * dfg/DFGLazyJSValue.h: Added. 17824 (DFG): 17825 (LazyJSValue): 17826 (JSC::DFG::LazyJSValue::LazyJSValue): 17827 (JSC::DFG::LazyJSValue::singleCharacterString): 17828 (JSC::DFG::LazyJSValue::tryGetValue): 17829 (JSC::DFG::LazyJSValue::value): 17830 (JSC::DFG::LazyJSValue::character): 17831 (JSC::DFG::LazyJSValue::switchLookupValue): 17832 * dfg/DFGNode.h: 17833 (JSC::DFG::SwitchCase::SwitchCase): 17834 (SwitchCase): 17835 * dfg/DFGSpeculativeJIT.cpp: 17836 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump): 17837 (JSC::DFG::SpeculativeJIT::emitSwitchImmIntJump): 17838 (DFG): 17839 (JSC::DFG::SpeculativeJIT::emitSwitchImm): 17840 (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump): 17841 (JSC::DFG::SpeculativeJIT::emitSwitchChar): 17842 (JSC::DFG::SpeculativeJIT::emitSwitch): 17843 * dfg/DFGSpeculativeJIT.h: 17844 (SpeculativeJIT): 17845 178462013-06-19 Mark Hahnenberg <mhahnenberg@apple.com> 17847 17848 Refactor ObjCCallbackFunction to inherit directly from InternalFunction 17849 https://bugs.webkit.org/show_bug.cgi?id=117595 17850 17851 Reviewed by Geoffrey Garen. 17852 17853 * API/APICallbackFunction.h: Added. New struct that allows JSCallbackFunction and 17854 ObjCCallbackFunction to share their host call() implementation through the magic of 17855 templates. 17856 (JSC::APICallbackFunction::call): 17857 * API/JSCallbackFunction.cpp: 17858 (JSC::JSCallbackFunction::getCallData): Changed to get the template-ized version of 17859 the host function. 17860 * API/JSCallbackFunction.h: 17861 * API/ObjCCallbackFunction.h: Now inherits directly from InternalFunction. 17862 * API/ObjCCallbackFunction.mm: 17863 (JSC::ObjCCallbackFunction::ObjCCallbackFunction): 17864 (JSC::ObjCCallbackFunction::getCallData): Ditto. 17865 * GNUmakefile.list.am: Build files! 17866 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 17867 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 17868 * JavaScriptCore.xcodeproj/project.pbxproj: 17869 178702013-06-19 Michael Saboff <msaboff@apple.com> 17871 17872 fourthTier: Arity fixup should be done while on same stack 17873 https://bugs.webkit.org/show_bug.cgi?id=117102 17874 17875 Reviewed by Oliver Hunt. 17876 17877 Removed the fixup part of op_call_arityCheck() and op_construct_arityCheck() and moved it to 17878 a thunk for the JITs and as assembly for the llint. This patch provides the plumbing needed to 17879 move to the C stack for JS execution. The fixup thunk and llint code would need to be change to 17880 work with a stack that grows down when we do move to the C stack. 17881 17882 Due to an issue with the offline assembler, I moved the const at the top of LowLevelInterpreter64.asm 17883 and LowLevelInterpreter32_64.asm to LowLevelInterpreter.asm. The problem is that a const defined in 17884 one file that are used in a macro doesn't resolve the const if the macro is used in another file. This 17885 seemed like the quickest path. 17886 17887 * dfg/DFGJITCompiler.cpp: 17888 (JSC::DFG::JITCompiler::compileFunction): 17889 (JSC::DFG::JITCompiler::linkFunction): 17890 * dfg/DFGJITCompiler.h: 17891 (JITCompiler): 17892 * ftl/FTLLink.cpp: 17893 (JSC::FTL::link): 17894 * jit/JIT.cpp: 17895 (JSC::JIT::privateCompile): 17896 * jit/JITStubs.cpp: 17897 (JSC::DEFINE_STUB_FUNCTION): 17898 * jit/JITStubs.h: 17899 * jit/ThunkGenerators.cpp: 17900 (JSC::arityFixup): 17901 * jit/ThunkGenerators.h: 17902 * llint/LowLevelInterpreter.asm: 17903 * llint/LowLevelInterpreter32_64.asm: 17904 * llint/LowLevelInterpreter64.asm: 17905 * runtime/CommonSlowPaths.cpp: 17906 (JSC::SLOW_PATH_DECL): 17907 * runtime/CommonSlowPaths.h: 17908 (JSC::CommonSlowPaths::arityCheckFor): 17909 179102013-06-19 Michael Saboff <msaboff@apple.com> 17911 17912 FTL: arm build is broken in ToT 17913 https://bugs.webkit.org/show_bug.cgi?id=117800 17914 17915 Unreviewed build fixes. 17916 17917 * assembler/ARMv7Assembler.h: 17918 (ARMv7Assembler): Merge of r147941 17919 * jit/JITArithmetic32_64.cpp: 17920 (JSC::JIT::emit_op_mod): Moved variable declaration back inside #ifdef where used. 17921 179222013-06-17 Michael Saboff <msaboff@apple.com> 17923 17924 FTL: Add another temp register regT4 to JSInterfaceJIT 17925 https://bugs.webkit.org/show_bug.cgi?id=117719 17926 17927 Reviewed by Geoffrey Garen. 17928 17929 Made the dedicated bucketCounterRegister to be regT4 and then used regT4 wherever 17930 bucketCounterRegister had been used. Since it is masked whenever it is used and 17931 we are looking for some randomness in the register anyway, we can use it without 17932 any issues. 17933 17934 * jit/JIT.cpp: 17935 (JSC::JIT::privateCompile): 17936 * jit/JIT.h: 17937 (JSC::JIT::emitValueProfilingSite): 17938 * jit/JITCall.cpp: 17939 (JSC::JIT::emitPutCallResult): 17940 * jit/JITCall32_64.cpp: 17941 (JSC::JIT::emitPutCallResult): 17942 * jit/JITInlines.h: 17943 (JSC::JIT::emitValueProfilingSite): 17944 * jit/JITOpcodes.cpp: 17945 (JSC::JIT::emit_op_to_this): 17946 (JSC::JIT::emit_op_get_callee): 17947 (JSC::JIT::emit_op_get_argument_by_val): 17948 * jit/JITOpcodes32_64.cpp: 17949 (JSC::JIT::emit_op_get_callee): 17950 (JSC::JIT::emit_op_to_this): 17951 (JSC::JIT::emit_op_get_argument_by_val): 17952 * jit/JITPropertyAccess.cpp: 17953 (JSC::JIT::emit_op_get_by_val): 17954 (JSC::JIT::emitSlow_op_get_by_val): 17955 (JSC::JIT::emit_op_get_by_id): 17956 (JSC::JIT::emitSlow_op_get_by_id): 17957 (JSC::JIT::emit_op_get_from_scope): 17958 (JSC::JIT::emitSlow_op_get_from_scope): 17959 * jit/JITPropertyAccess32_64.cpp: 17960 (JSC::JIT::emit_op_get_by_val): 17961 (JSC::JIT::emitSlow_op_get_by_val): 17962 (JSC::JIT::emit_op_get_by_id): 17963 (JSC::JIT::emitSlow_op_get_by_id): 17964 (JSC::JIT::emit_op_get_from_scope): 17965 (JSC::JIT::emitSlow_op_get_from_scope): 17966 * jit/JITStubCall.h: 17967 (JSC::JITStubCall::callWithValueProfiling): 17968 * jit/JSInterfaceJIT.h: 17969 (JSInterfaceJIT): 17970 179712013-06-17 Filip Pizlo <fpizlo@apple.com> 17972 17973 fourthTier: FTL should support Switch 17974 https://bugs.webkit.org/show_bug.cgi?id=117704 17975 17976 Reviewed by Oliver Hunt. 17977 17978 * bytecode/CodeBlock.h: 17979 (JSC::CodeBlock::clearImmediateSwitchJumpTables): 17980 * ftl/FTLAbbreviations.h: 17981 (JSC::FTL::buildFPToSI): 17982 (JSC::FTL::buildSwitch): 17983 (JSC::FTL::addCase): 17984 (FTL): 17985 * ftl/FTLCapabilities.cpp: 17986 (JSC::FTL::canCompile): 17987 * ftl/FTLLink.cpp: 17988 (JSC::FTL::link): 17989 * ftl/FTLLowerDFGToLLVM.cpp: 17990 (JSC::FTL::LowerDFGToLLVM::compileNode): 17991 (JSC::FTL::LowerDFGToLLVM::compileSwitch): 17992 (LowerDFGToLLVM): 17993 * ftl/FTLOutput.h: 17994 (JSC::FTL::Output::fpToInt): 17995 (JSC::FTL::Output::fpToInt32): 17996 (Output): 17997 (JSC::FTL::Output::switchInstruction): 17998 * ftl/FTLSwitchCase.h: Added. 17999 (FTL): 18000 (SwitchCase): 18001 (JSC::FTL::SwitchCase::SwitchCase): 18002 (JSC::FTL::SwitchCase::value): 18003 (JSC::FTL::SwitchCase::target): 18004 180052013-06-15 Filip Pizlo <fpizlo@apple.com> 18006 18007 fourthTier: Add CFG simplification for Switch 18008 https://bugs.webkit.org/show_bug.cgi?id=117677 18009 18010 Reviewed by Mark Hahnenberg. 18011 18012 This is for completeness. It only speeds up a microbenchmark at this point. 18013 Broadly, we want all control constructs to be known to the CFG simplifier. 18014 18015 * dfg/DFGCFGSimplificationPhase.cpp: 18016 (JSC::DFG::CFGSimplificationPhase::run): 18017 (JSC::DFG::CFGSimplificationPhase::convertToJump): 18018 (CFGSimplificationPhase): 18019 (JSC::DFG::CFGSimplificationPhase::noBlocks): 18020 (JSC::DFG::CFGSimplificationPhase::oneBlock): 18021 (JSC::DFG::CFGSimplificationPhase::mergeBlocks): 18022 * runtime/JSCJSValue.h: 18023 (JSValue): 18024 * runtime/JSCJSValueInlines.h: 18025 (JSC::JSValue::pureStrictEqual): 18026 (JSC): 18027 180282013-06-13 Filip Pizlo <fpizlo@apple.com> 18029 18030 fourthTier: DFG should support op_switch_imm 18031 https://bugs.webkit.org/show_bug.cgi?id=117559 18032 18033 Reviewed by Oliver Hunt. 18034 18035 Implement integer (i.e. immediate) switches in the DFG. Reduce the minimum 18036 threshold for using op_switch. 18037 18038 Also get rid of edge code support, since we haven't used it in the year since 18039 I introduced it. It was supposed to allow us to break critical edges late in 18040 the backend, thus enabling global register allocation from an SSA-form graph. 18041 But we aren't doing that so I figure we should just kill the code for now. It 18042 would have made implementing switch harder. 18043 18044 * assembler/AbstractMacroAssembler.h: 18045 (JSC::AbstractMacroAssembler::timesPtr): 18046 * assembler/MacroAssemblerCodeRef.h: 18047 (JSC::MacroAssemblerCodePtr::dumpWithName): 18048 (MacroAssemblerCodePtr): 18049 (JSC::MacroAssemblerCodePtr::dump): 18050 (MacroAssemblerCodeRef): 18051 (JSC::MacroAssemblerCodeRef::dump): 18052 * bytecode/CodeBlock.cpp: 18053 (JSC::CodeBlock::shrinkToFit): 18054 * bytecode/JumpTable.h: 18055 (SimpleJumpTable): 18056 (JSC::SimpleJumpTable::clear): 18057 * dfg/DFGAbstractState.cpp: 18058 (JSC::DFG::AbstractState::executeEffects): 18059 (JSC::DFG::AbstractState::mergeToSuccessors): 18060 * dfg/DFGBackwardsPropagationPhase.cpp: 18061 (JSC::DFG::BackwardsPropagationPhase::propagate): 18062 * dfg/DFGByteCodeParser.cpp: 18063 (InlineStackEntry): 18064 (JSC::DFG::ByteCodeParser::parseBlock): 18065 (JSC::DFG::ByteCodeParser::linkBlock): 18066 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): 18067 * dfg/DFGCapabilities.cpp: 18068 (JSC::DFG::capabilityLevel): 18069 * dfg/DFGCommon.h: 18070 * dfg/DFGFixupPhase.cpp: 18071 (JSC::DFG::FixupPhase::fixupNode): 18072 * dfg/DFGGraph.cpp: 18073 (JSC::DFG::Graph::dump): 18074 (JSC::DFG::Graph::determineReachability): 18075 * dfg/DFGGraph.h: 18076 (Graph): 18077 * dfg/DFGJITCompiler.cpp: 18078 (JSC::DFG::JITCompiler::JITCompiler): 18079 (JSC::DFG::JITCompiler::link): 18080 * dfg/DFGJITCompiler.h: 18081 (JITCompiler): 18082 (JSC::DFG::JITCompiler::blockHeads): 18083 * dfg/DFGNode.h: 18084 (DFG): 18085 (JSC::DFG::SwitchCase::SwitchCase): 18086 (SwitchCase): 18087 (SwitchData): 18088 (JSC::DFG::SwitchData::SwitchData): 18089 (Node): 18090 (JSC::DFG::Node::isSwitch): 18091 (JSC::DFG::Node::isTerminal): 18092 (JSC::DFG::Node::switchData): 18093 (JSC::DFG::Node::numSuccessors): 18094 (JSC::DFG::Node::successor): 18095 * dfg/DFGNodeType.h: 18096 (DFG): 18097 * dfg/DFGOperations.cpp: 18098 * dfg/DFGOperations.h: 18099 * dfg/DFGPredictionPropagationPhase.cpp: 18100 (JSC::DFG::PredictionPropagationPhase::propagate): 18101 * dfg/DFGSpeculativeJIT.cpp: 18102 (JSC::DFG::SpeculativeJIT::SpeculativeJIT): 18103 (JSC::DFG::SpeculativeJIT::compile): 18104 (JSC::DFG::SpeculativeJIT::createOSREntries): 18105 (JSC::DFG::SpeculativeJIT::emitSwitchImmIntJump): 18106 (DFG): 18107 (JSC::DFG::SpeculativeJIT::emitSwitchImm): 18108 (JSC::DFG::SpeculativeJIT::emitSwitch): 18109 (JSC::DFG::SpeculativeJIT::linkBranches): 18110 * dfg/DFGSpeculativeJIT.h: 18111 (JSC::DFG::SpeculativeJIT::callOperation): 18112 (SpeculativeJIT): 18113 (JSC::DFG::SpeculativeJIT::branchDouble): 18114 (JSC::DFG::SpeculativeJIT::branchDoubleNonZero): 18115 (JSC::DFG::SpeculativeJIT::branch32): 18116 (JSC::DFG::SpeculativeJIT::branchTest32): 18117 (JSC::DFG::SpeculativeJIT::branch64): 18118 (JSC::DFG::SpeculativeJIT::branchPtr): 18119 (JSC::DFG::SpeculativeJIT::branchTestPtr): 18120 (JSC::DFG::SpeculativeJIT::branchTest8): 18121 (JSC::DFG::SpeculativeJIT::jump): 18122 * dfg/DFGSpeculativeJIT32_64.cpp: 18123 (JSC::DFG::SpeculativeJIT::compile): 18124 * dfg/DFGSpeculativeJIT64.cpp: 18125 (JSC::DFG::SpeculativeJIT::compile): 18126 * jit/JITStubs.cpp: 18127 (JSC::DEFINE_STUB_FUNCTION): 18128 * parser/Nodes.h: 18129 (CaseBlockNode): 18130 181312013-06-15 Filip Pizlo <fpizlo@apple.com> 18132 18133 Concurrent JIT shouldn't try to recompute the CodeBlockHash as part of debug dumps, since doing so may fail if dealing with a CachedScript that doesn't have its script string handy 18134 https://bugs.webkit.org/show_bug.cgi?id=117676 18135 18136 Reviewed by Sam Weinig. 18137 18138 CodeBlock now caches m_hash, and the DFG Driver will force its computation if we're doing debug dumps of any kind. 18139 18140 Also made sure that CodeBlock::CodeBlock initializes all of its fields; it was previously missing the 18141 initialization of m_capabilityLevelState. 18142 18143 * bytecode/CodeBlock.cpp: 18144 (JSC::CodeBlock::hash): 18145 (JSC::CodeBlock::CodeBlock): 18146 * bytecode/CodeBlock.h: 18147 (CodeBlock): 18148 * bytecode/CodeBlockHash.cpp: 18149 (JSC::CodeBlockHash::CodeBlockHash): 18150 * bytecode/CodeBlockHash.h: 18151 (CodeBlockHash): 18152 (JSC::CodeBlockHash::isSet): 18153 (JSC::CodeBlockHash::operator!): 18154 * dfg/DFGDriver.cpp: 18155 (JSC::DFG::compile): 18156 181572013-06-11 Filip Pizlo <fpizlo@apple.com> 18158 18159 fourthTier: DFG should support op_in and it should use patching to make it fast 18160 https://bugs.webkit.org/show_bug.cgi?id=117385 18161 18162 Reviewed by Geoffrey Garen. 18163 18164 Implement op_in in the DFG and give it patching. The code we generate is just 18165 a jump on the hot path, and the slow paths generate stubs and link the jump to 18166 them. I didn't want to bother with patching structures and load offsets and 18167 the like, although I probably could have. 18168 18169 This is a ginormous speed-up on microbenchmarks for "in", obviously. 18170 18171 * bytecode/CodeBlock.cpp: 18172 (JSC::CodeBlock::dumpAssumingJITType): 18173 (JSC::CodeBlock::resetStubInternal): 18174 (JSC::structureStubInfoLessThan): 18175 (JSC): 18176 (JSC::CodeBlock::sortStructureStubInfos): 18177 * bytecode/CodeBlock.h: 18178 (CodeBlock): 18179 * bytecode/StructureStubInfo.cpp: 18180 (JSC::StructureStubInfo::deref): 18181 (JSC::StructureStubInfo::visitWeakReferences): 18182 * bytecode/StructureStubInfo.h: 18183 (JSC::isInAccess): 18184 (JSC): 18185 (StructureStubInfo): 18186 (JSC::StructureStubInfo::initInList): 18187 * dfg/DFGAbstractState.cpp: 18188 (JSC::DFG::AbstractState::executeEffects): 18189 * dfg/DFGByteCodeParser.cpp: 18190 (JSC::DFG::ByteCodeParser::parseBlock): 18191 * dfg/DFGCCallHelpers.h: 18192 (JSC::DFG::CCallHelpers::setupResults): 18193 * dfg/DFGCapabilities.cpp: 18194 (JSC::DFG::capabilityLevel): 18195 * dfg/DFGFixupPhase.cpp: 18196 (JSC::DFG::FixupPhase::fixupNode): 18197 * dfg/DFGGPRInfo.h: 18198 (JSC::DFG::JSValueRegs::payloadOnly): 18199 (JSValueRegs): 18200 (JSC::DFG::JSValueRegs::JSValueRegs): 18201 (JSC::DFG::JSValueRegs::operator!): 18202 (JSC::DFG::JSValueSource::operator!): 18203 * dfg/DFGJITCompiler.cpp: 18204 (JSC::DFG::JITCompiler::link): 18205 * dfg/DFGJITCompiler.h: 18206 (JSC::DFG::InRecord::InRecord): 18207 (InRecord): 18208 (DFG): 18209 (JITCompiler): 18210 (JSC::DFG::JITCompiler::addIn): 18211 * dfg/DFGNodeType.h: 18212 (DFG): 18213 * dfg/DFGOperations.cpp: 18214 * dfg/DFGOperations.h: 18215 * dfg/DFGPredictionPropagationPhase.cpp: 18216 (JSC::DFG::PredictionPropagationPhase::propagate): 18217 * dfg/DFGRepatch.cpp: 18218 (JSC::DFG::tryRepatchIn): 18219 (DFG): 18220 (JSC::DFG::dfgRepatchIn): 18221 (JSC::DFG::dfgResetIn): 18222 * dfg/DFGRepatch.h: 18223 (DFG): 18224 (JSC::DFG::dfgResetIn): 18225 * dfg/DFGSlowPathGenerator.h: 18226 (JSC::DFG::CallSlowPathGenerator::CallSlowPathGenerator): 18227 (JSC::DFG::CallSlowPathGenerator::tearDown): 18228 (JSC::DFG::CallResultAndNoArgumentsSlowPathGenerator::generateInternal): 18229 (JSC::DFG::CallResultAndOneArgumentSlowPathGenerator::generateInternal): 18230 (JSC::DFG::CallResultAndTwoArgumentsSlowPathGenerator::generateInternal): 18231 (JSC::DFG::CallResultAndThreeArgumentsSlowPathGenerator::generateInternal): 18232 (JSC::DFG::CallResultAndFourArgumentsSlowPathGenerator::generateInternal): 18233 (JSC::DFG::CallResultAndFiveArgumentsSlowPathGenerator::generateInternal): 18234 * dfg/DFGSpeculativeJIT.cpp: 18235 (JSC::DFG::SpeculativeJIT::compileIn): 18236 (DFG): 18237 * dfg/DFGSpeculativeJIT.h: 18238 (JSC::DFG::extractResult): 18239 (DFG): 18240 (SpeculativeJIT): 18241 (JSC::DFG::SpeculativeJIT::callOperation): 18242 (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult): 18243 (JSC::DFG::SpeculativeJIT::appendCallSetResult): 18244 (JSC::DFG::JSValueOperand::tagGPR): 18245 * dfg/DFGSpeculativeJIT32_64.cpp: 18246 (JSC::DFG::SpeculativeJIT::compile): 18247 * dfg/DFGSpeculativeJIT64.cpp: 18248 (JSC::DFG::SpeculativeJIT::compile): 18249 * runtime/JSCJSValue.cpp: 18250 (JSC::JSValue::dump): 18251 * runtime/JSString.h: 18252 (JSString): 18253 (JSC::JSString::tryGetValueImpl): 18254 (JSC): 18255 * runtime/Operations.h: 18256 (JSC::normalizePrototypeChainForChainAccess): 18257 182582013-06-12 Geoffrey Garen <ggaren@apple.com> 18259 18260 The Math object should not be polymorphic 18261 https://bugs.webkit.org/show_bug.cgi?id=117576 18262 18263 Reviewed by Oliver Hunt. 18264 18265 Fill in the Math object eagerly, to avoid its structure changing during 18266 execution. There are lots of ways to skin this cat; this one seemed 18267 easiest, and justified given the relative hotness of math operations. 18268 18269 20% speedup on DSP-filtrr tests, small speedups on a few Kraken tests. 18270 18271 * DerivedSources.make: 18272 * JavaScriptCore.order: 18273 * create_hash_table: 18274 * interpreter/CallFrame.h: 18275 (JSC::ExecState::jsonTable): Removed the Math object's static table. 18276 18277 * runtime/JSObject.cpp: 18278 (JSC::JSObject::putDirectNativeFunctionWithoutTransition): 18279 * runtime/JSObject.h: 18280 * runtime/MathObject.cpp: 18281 (JSC::MathObject::finishCreation): 18282 * runtime/MathObject.h: 18283 (JSC::MathObject::create): Set up the Math object at construction time. 18284 18285 * runtime/VM.cpp: 18286 (JSC::VM::VM): 18287 (JSC::VM::~VM): 18288 * runtime/VM.h: Removed the Math object's static table. 18289 182902013-06-09 Geoffrey Garen <ggaren@apple.com> 18291 18292 Unreviewed, rolled back in http://trac.webkit.org/changeset/151342. 18293 18294 I filled in the missing return register loads, and tests 18295 seem to pass now. 18296 18297 2013-06-07 Michael Saboff <msaboff@apple.com> 18298 18299 fourthTier: The baseline jit and LLint should use common slow paths 18300 https://bugs.webkit.org/show_bug.cgi?id=116889 18301 183022013-06-07 Filip Pizlo <fpizlo@apple.com> 18303 18304 Unreviewed, roll out http://trac.webkit.org/changeset/151342 18305 It broke Kraken crypto tests in debug build. That results in a pretty bad 18306 loss of test coverage. 18307 18308 * JavaScriptCore.xcodeproj/project.pbxproj: 18309 * jit/JIT.cpp: 18310 (JSC): 18311 (JSC::JIT::privateCompileMainPass): 18312 * jit/JIT.h: 18313 (JIT): 18314 * jit/JITArithmetic.cpp: 18315 (JSC::JIT::emitSlow_op_negate): 18316 (JSC::JIT::emitSlow_op_lshift): 18317 (JSC::JIT::emitSlow_op_rshift): 18318 (JSC::JIT::emitSlow_op_urshift): 18319 (JSC::JIT::emitSlow_op_bitand): 18320 (JSC::JIT::emitSlow_op_inc): 18321 (JSC::JIT::emitSlow_op_dec): 18322 (JSC::JIT::emitSlow_op_mod): 18323 (JSC::JIT::emit_op_mod): 18324 (JSC::JIT::compileBinaryArithOpSlowCase): 18325 (JSC::JIT::emit_op_add): 18326 (JSC::JIT::emitSlow_op_add): 18327 (JSC::JIT::emitSlow_op_mul): 18328 (JSC::JIT::emitSlow_op_div): 18329 (JSC::JIT::emitSlow_op_sub): 18330 * jit/JITArithmetic32_64.cpp: 18331 (JSC::JIT::emitSlow_op_negate): 18332 (JSC::JIT::emitSlow_op_lshift): 18333 (JSC::JIT::emitRightShiftSlowCase): 18334 (JSC::JIT::emitSlow_op_bitand): 18335 (JSC::JIT::emitSlow_op_bitor): 18336 (JSC::JIT::emitSlow_op_bitxor): 18337 (JSC::JIT::emitSlow_op_inc): 18338 (JSC::JIT::emitSlow_op_dec): 18339 (JSC::JIT::emit_op_add): 18340 (JSC::JIT::emitSlow_op_add): 18341 (JSC::JIT::emitSlow_op_sub): 18342 (JSC::JIT::emitSlow_op_mul): 18343 (JSC::JIT::emitSlow_op_div): 18344 (JSC::JIT::emit_op_mod): 18345 (JSC::JIT::emitSlow_op_mod): 18346 * jit/JITExceptions.cpp: 18347 (JSC): 18348 (JSC::genericThrow): 18349 * jit/JITExceptions.h: 18350 (ExceptionHandler): 18351 (JSC): 18352 * jit/JITOpcodes.cpp: 18353 (JSC::JIT::emit_op_strcat): 18354 (JSC::JIT::emitSlow_op_create_this): 18355 (JSC::JIT::emitSlow_op_to_this): 18356 (JSC::JIT::emitSlow_op_to_primitive): 18357 (JSC::JIT::emitSlow_op_not): 18358 (JSC::JIT::emitSlow_op_bitxor): 18359 (JSC::JIT::emitSlow_op_bitor): 18360 (JSC::JIT::emitSlow_op_stricteq): 18361 (JSC::JIT::emitSlow_op_nstricteq): 18362 (JSC::JIT::emitSlow_op_to_number): 18363 * jit/JITOpcodes32_64.cpp: 18364 (JSC::JIT::privateCompileCTINativeCall): 18365 (JSC::JIT::emitSlow_op_to_primitive): 18366 (JSC::JIT::emit_op_strcat): 18367 (JSC::JIT::emitSlow_op_not): 18368 (JSC::JIT::emitSlow_op_stricteq): 18369 (JSC::JIT::emitSlow_op_nstricteq): 18370 (JSC::JIT::emitSlow_op_to_number): 18371 (JSC::JIT::emit_op_create_arguments): 18372 (JSC::JIT::emitSlow_op_create_this): 18373 (JSC::JIT::emitSlow_op_to_this): 18374 (JSC::JIT::emitSlow_op_get_argument_by_val): 18375 * jit/JITStubs.cpp: 18376 (JSC::DEFINE_STUB_FUNCTION): 18377 (JSC): 18378 * jit/JITStubs.h: 18379 (JSC): 18380 * jit/JITStubsARM.h: 18381 (JSC): 18382 * jit/JITStubsARMv7.h: 18383 (JSC): 18384 * jit/JITStubsMIPS.h: 18385 (JSC): 18386 * jit/JITStubsSH4.h: 18387 (JSC): 18388 * jit/JITStubsX86.h: 18389 (JSC): 18390 * jit/JITStubsX86_64.h: 18391 (JSC): 18392 * jit/JSInterfaceJIT.h: 18393 (JSInterfaceJIT): 18394 * jit/SlowPathCall.h: Removed. 18395 * jit/ThunkGenerators.cpp: 18396 (JSC::nativeForGenerator): 18397 * llint/LLIntSlowPaths.cpp: 18398 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 18399 (LLInt): 18400 * llint/LLIntSlowPaths.h: 18401 (LLInt): 18402 (SlowPathReturnType): 18403 (JSC::LLInt::encodeResult): 18404 (JSC::LLInt::decodeResult): 18405 * llint/LowLevelInterpreter.asm: 18406 * llint/LowLevelInterpreter.cpp: 18407 * llint/LowLevelInterpreter32_64.asm: 18408 * llint/LowLevelInterpreter64.asm: 18409 * runtime/CommonSlowPaths.cpp: Removed. 18410 * runtime/CommonSlowPaths.h: 18411 * runtime/JSCJSValue.h: 18412 (JSValue): 18413 184142013-06-07 Michael Saboff <msaboff@apple.com> 18415 18416 fourthTier: The baseline jit and LLint should use common slow paths 18417 https://bugs.webkit.org/show_bug.cgi?id=116889 18418 18419 Reviewed by Filip Pizlo. 18420 18421 Moved the llint_slow_paths that return JSValue along with several others to CommonSlowPaths.cpp. 18422 Eliminated the related JIT stubs. Changes the baseline JIT to call these new common stubs. 18423 Added a simple slow path call class that uses argument registers or the stack instead of 18424 JITStackFrame. Changes the exception mechanism for to check for an exception after making 18425 a slowpath call instead of returning to the handler directly form the slowpath function. 18426 18427 * JavaScriptCore.xcodeproj/project.pbxproj: 18428 * jit/JIT.cpp: 18429 (JSC::JIT::privateCompileMainPass): 18430 * jit/JIT.h: 18431 (JIT): 18432 * jit/JITArithmetic.cpp: 18433 (JSC::JIT::emitSlow_op_negate): 18434 (JSC::JIT::emitSlow_op_lshift): 18435 (JSC::JIT::emitSlow_op_rshift): 18436 (JSC::JIT::emitSlow_op_urshift): 18437 (JSC::JIT::emitSlow_op_bitand): 18438 (JSC::JIT::emitSlow_op_inc): 18439 (JSC::JIT::emitSlow_op_dec): 18440 (JSC::JIT::emitSlow_op_mod): 18441 (JSC::JIT::emit_op_mod): 18442 (JSC::JIT::compileBinaryArithOpSlowCase): 18443 (JSC::JIT::emit_op_add): 18444 (JSC::JIT::emitSlow_op_add): 18445 (JSC::JIT::emitSlow_op_mul): 18446 (JSC::JIT::emitSlow_op_div): 18447 (JSC::JIT::emitSlow_op_sub): 18448 * jit/JITArithmetic32_64.cpp: 18449 (JSC::JIT::emitSlow_op_negate): 18450 (JSC::JIT::emitSlow_op_lshift): 18451 (JSC::JIT::emitRightShiftSlowCase): 18452 (JSC::JIT::emitSlow_op_bitand): 18453 (JSC::JIT::emitSlow_op_bitor): 18454 (JSC::JIT::emitSlow_op_bitxor): 18455 (JSC::JIT::emitSlow_op_inc): 18456 (JSC::JIT::emitSlow_op_dec): 18457 (JSC::JIT::emit_op_add): 18458 (JSC::JIT::emitSlow_op_add): 18459 (JSC::JIT::emitSlow_op_sub): 18460 (JSC::JIT::emitSlow_op_mul): 18461 (JSC::JIT::emitSlow_op_div): 18462 (JSC::JIT::emit_op_mod): 18463 (JSC::JIT::emitSlow_op_mod): 18464 * jit/JITExceptions.cpp: 18465 (JSC::getExceptionLocation): 18466 (JSC::genericThrow): 18467 (JSC::jitThrowNew): 18468 * jit/JITExceptions.h: 18469 (ExceptionHandler): 18470 * jit/JITOpcodes.cpp: 18471 (JSC::JIT::emit_op_strcat): 18472 (JSC::JIT::emitSlow_op_create_this): 18473 (JSC::JIT::emitSlow_op_to_this): 18474 (JSC::JIT::emitSlow_op_to_primitive): 18475 (JSC::JIT::emitSlow_op_not): 18476 (JSC::JIT::emitSlow_op_bitxor): 18477 (JSC::JIT::emitSlow_op_bitor): 18478 (JSC::JIT::emitSlow_op_stricteq): 18479 (JSC::JIT::emitSlow_op_nstricteq): 18480 (JSC::JIT::emitSlow_op_to_number): 18481 * jit/JITOpcodes32_64.cpp: 18482 (JSC::JIT::privateCompileCTINativeCall): 18483 (JSC::JIT::emitSlow_op_to_primitive): 18484 (JSC::JIT::emit_op_strcat): 18485 (JSC::JIT::emitSlow_op_not): 18486 (JSC::JIT::emitSlow_op_stricteq): 18487 (JSC::JIT::emitSlow_op_nstricteq): 18488 (JSC::JIT::emitSlow_op_to_number): 18489 (JSC::JIT::emit_op_create_arguments): 18490 (JSC::JIT::emitSlow_op_create_this): 18491 (JSC::JIT::emitSlow_op_to_this): 18492 (JSC::JIT::emitSlow_op_get_argument_by_val): 18493 * jit/JITStubs.cpp: 18494 (JSC::DEFINE_STUB_FUNCTION): 18495 (JSC::cti_vm_throw_slowpath): 18496 * jit/JITStubs.h: 18497 * jit/JITStubsARM.h: 18498 * jit/JITStubsARMv7.h: 18499 * jit/JITStubsMIPS.h: 18500 * jit/JITStubsSH4.h: 18501 * jit/JITStubsX86.h: 18502 * jit/JITStubsX86_64.h: 18503 * jit/JSInterfaceJIT.h: 18504 (JSInterfaceJIT): 18505 * jit/SlowPathCall.h: Added. 18506 (JITSlowPathCall): 18507 (JSC::JITSlowPathCall::JITSlowPathCall): 18508 (JSC::JITSlowPathCall::call): 18509 * jit/ThunkGenerators.cpp: 18510 (JSC::nativeForGenerator): 18511 * llint/LLIntSlowPaths.cpp: 18512 (LLInt): 18513 * llint/LLIntSlowPaths.h: 18514 (LLInt): 18515 * llint/LowLevelInterpreter.asm: 18516 * llint/LowLevelInterpreter.cpp: 18517 * llint/LowLevelInterpreter32_64.asm: 18518 * llint/LowLevelInterpreter64.asm: 18519 * runtime/CommonSlowPaths.cpp: Added. 18520 (JSC::SLOW_PATH_DECL): 18521 * runtime/CommonSlowPaths.h: 18522 (SlowPathReturnType): 18523 (JSC::encodeResult): 18524 (JSC::decodeResult): 18525 * runtime/JSCJSValue.h: 18526 (JSValue): 18527 185282013-06-11 Geoffrey Garen <ggaren@apple.com> 18529 18530 Rolled back in <http://trac.webkit.org/changeset/151363>. 18531 18532 Rubber stamped by Phil Pizlo. 18533 18534 The ASSERTs were due to the bytecode parser performing a 18535 StructureTransitionWatchpoint optimization in a case where the CFA 18536 wouldn't because the CFA could prove that the watchpoint would contradict 18537 a preceding CheckStructure. 18538 18539 I fixed this by removing the bytecode parser optimization: now, we fully 18540 rely on CFA and constant folding to optimize structure checks when 18541 possible. 18542 18543 I verified that there's no performance change vs doing the optimization 18544 in the bytecode parser. (The optimization is very simple, so this is not 18545 surprising.) 18546 185472013-06-10 Mark Hahnenberg <mhahnenberg@apple.com> 18548 18549 isContravenedByStructure is backwards 18550 https://bugs.webkit.org/show_bug.cgi?id=117366 18551 18552 We should be checking if arrayModeForStructure(structure) is a 18553 subset of arrayModesThatPassFiltering(), not the other way around. 18554 Also renamed isContravenedByStructure to better reflect what the 18555 function is trying to determine. 18556 18557 Rubber stamped by Filip Pizlo. 18558 18559 * dfg/DFGArrayMode.h: 18560 (JSC::DFG::ArrayMode::structureWouldPassArrayModeFiltering): 18561 * dfg/DFGTypeCheckHoistingPhase.cpp: 18562 (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheckAccountingForArrayMode): 18563 (JSC::DFG::ArrayTypeCheck::isContravenedByValue): 18564 185652013-06-10 Mark Hahnenberg <mhahnenberg@apple.com> 18566 18567 isContravenedByStructure is backwards 18568 https://bugs.webkit.org/show_bug.cgi?id=117366 18569 18570 We should be checking if arrayModeForStructure(structure) is a 18571 subset of arrayModesThatPassFiltering(), not the other way around. 18572 Also renamed isContravenedByStructure to better reflect what the 18573 function is trying to determine. 18574 18575 Rubber stamped by Filip Pizlo. 18576 18577 * dfg/DFGArrayMode.h: 18578 (JSC::DFG::ArrayMode::structureWouldPassArrayModeFiltering): 18579 * dfg/DFGTypeCheckHoistingPhase.cpp: 18580 (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheckAccountingForArrayMode): 18581 (JSC::DFG::ArrayTypeCheck::isContravenedByValue): 18582 185832013-06-11 Filip Pizlo <fpizlo@apple.com> 18584 18585 fourthTier: Type check hoisting phase has a dead if statement 18586 https://bugs.webkit.org/show_bug.cgi?id=117510 18587 18588 Reviewed by Geoffrey Garen. 18589 18590 * dfg/DFGTypeCheckHoistingPhase.cpp: 18591 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): 18592 185932013-06-10 Mark Lam <mark.lam@apple.com> 18594 18595 Introducing the StackIterator class. 18596 https://bugs.webkit.org/show_bug.cgi?id=117390. 18597 18598 Reviewed by Geoffrey Garen. 18599 18600 The StackIterator class is meant to unify the way we iterate the JS 18601 stack. It also makes it so that we don't have to copy the frame data 18602 into the intermediate StackFrame struct before processing it. 18603 Unfortunately we still can't get rid of StackFrame because it is used 18604 to record frame information for the Exception stack that is expected 18605 to persist beyond when the frames have been popped off the JS stack. 18606 18607 The StackIterator will iterate over all "logical" frames (i.e. including 18608 inlined frames). As it iterates the JS stack, if it encounters a DFG 18609 frame that has inlined frames, the iterator will canonicalize the 18610 inlined frames before returning. Once canonicalized, the frame can be 18611 read like any other frame. 18612 18613 The StackIterator implements a Frame class that inherits from CallFrame. 18614 The StackIterator::Frame serves as reader of the CallFrame that makes 18615 it easier to access information about the frame. The StackIterator::Frame 18616 only adds functions, and no additional data fields. 18617 18618 * API/JSContextRef.cpp: 18619 (JSContextCreateBacktrace): 18620 * CMakeLists.txt: 18621 * GNUmakefile.list.am: 18622 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: 18623 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 18624 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 18625 * JavaScriptCore.xcodeproj/project.pbxproj: 18626 * Target.pri: 18627 * interpreter/CallFrame.cpp: 18628 (JSC::CallFrame::begin): 18629 (JSC::CallFrame::beginAt): 18630 * interpreter/CallFrame.h: 18631 (JSC::ExecState::setInlineCallFrame): 18632 (ExecState): 18633 (JSC::ExecState::end): 18634 * interpreter/Interpreter.cpp: 18635 (JSC::Interpreter::dumpRegisters): 18636 (JSC::Interpreter::unwindCallFrame): 18637 (JSC::Interpreter::getStackTrace): 18638 (JSC::Interpreter::throwException): 18639 (JSC::Interpreter::debug): 18640 * interpreter/Interpreter.h: 18641 (Interpreter): 18642 * interpreter/StackIterator.cpp: Added. 18643 (JSC::StackIterator::StackIterator): 18644 (JSC::StackIterator::beginAt): 18645 (JSC::StackIterator::gotoNextFrame): 18646 - Based on the deleted Interpreter::findFunctionCallFrameFromVMCode(). 18647 (JSC::StackIterator::findFrameForFunction): 18648 - Based on the deleted Interpreter::retrieveCallerFromVMCode(). 18649 (JSC::StackIterator::Frame::codeType): 18650 - Based on the deleted getStackFrameCodeType(). 18651 (JSC::StackIterator::Frame::functionName): 18652 - Based on StackFrame::friendlyFunctionName(). 18653 (JSC::StackIterator::Frame::sourceURL): 18654 - Based on StackFrame::friendlySourceURL(). 18655 (JSC::StackIterator::Frame::toString): 18656 - Based on StackFrame::toString(). 18657 (JSC::StackIterator::Frame::bytecodeOffset): 18658 (JSC::StackIterator::Frame::line): 18659 - Based on StackFrame::line(). 18660 (JSC::StackIterator::Frame::column): 18661 - Based on StackFrame::column(). 18662 (JSC::StackIterator::Frame::arguments): 18663 - Based on the deleted Interpreter::retrieveArgumentsFromVMCode(). 18664 (JSC::StackIterator::Frame::retrieveExpressionInfo): 18665 - Based on StackFrame::expressionInfo(). 18666 (JSC::StackIterator::Frame::logicalFrame): 18667 - Based on the now deleted CallFrame::trueCallFrame(). 18668 (JSC::StackIterator::Frame::logicalCallerFrame): 18669 - Based on the now deleted CallFrame::trueCallerFrame(). 18670 (JSC::jitTypeName): 18671 (JSC::printIndents): 18672 (JSC::printif): 18673 (JSC::StackIterator::Frame::print): 18674 (debugPrintCallFrame): 18675 - Prints the contents of the frame for debugging purposes. 18676 There are 2 versions that can be used as follows: 18677 18678 1. When you have a valid StackIterator, you can print 18679 the current frame's content using the print instance 18680 method: 18681 iter->print(indentLevel); 18682 18683 2. When you have a CallFrame* that you want to dump from a debugger 18684 console, you can print its content as follows: 18685 (gdb) call debugPrintCallFrame(callFrame) 18686 18687 A sample of the output looks like this: 18688 18689 frame 0x1510c70b0 { 18690 name 'shouldBe' 18691 sourceURL 'testapi.js' 18692 hostFlag 0 18693 isInlinedFrame 0 18694 callee 0x15154efb0 18695 returnPC 0x10ed0786d 18696 callerFrame 0x1510c7058 18697 logicalCallerFrame 0x1510c7058 18698 rawLocationBits 27 0x1b 18699 codeBlock 0x7fe79b037200 18700 bytecodeOffset 27 0x1b / 210 18701 line 46 18702 column 20 18703 jitType 3 <BaselineJIT> isOptimizingJIT 0 18704 hasCodeOrigins 0 18705 } 18706 18707 * interpreter/StackIterator.h: Added. 18708 (StackIterator::Frame): 18709 (JSC::StackIterator::Frame::create): 18710 (JSC::StackIterator::Frame::isJSFrame): 18711 (JSC::StackIterator::Frame::callFrame): 18712 * interpreter/StackIteratorPrivate.h: Added. 18713 (StackIterator): 18714 (JSC::StackIterator::operator*): 18715 (JSC::StackIterator::operator->): 18716 (JSC::StackIterator::operator==): 18717 (JSC::StackIterator::operator!=): 18718 (JSC::StackIterator::operator++): 18719 (JSC::StackIterator::end): 18720 (JSC::StackIterator::empty): 18721 * jsc.cpp: 18722 (functionJSCStack): 18723 * profiler/ProfileGenerator.cpp: 18724 (JSC::ProfileGenerator::addParentForConsoleStart): 18725 * profiler/ProfileNode.h: 18726 (ProfileNode): 18727 * runtime/JSFunction.cpp: 18728 (JSC::retrieveArguments): 18729 (JSC::JSFunction::argumentsGetter): 18730 (JSC::skipOverBoundFunctions): 18731 (JSC::retrieveCallerFunction): 18732 (JSC::JSFunction::callerGetter): 18733 (JSC::JSFunction::getOwnPropertyDescriptor): 18734 (JSC::JSFunction::defineOwnProperty): 18735 * runtime/JSGlobalObjectFunctions.cpp: 18736 (JSC::globalFuncProtoGetter): 18737 (JSC::globalFuncProtoSetter): 18738 * runtime/ObjectConstructor.cpp: 18739 (JSC::objectConstructorGetPrototypeOf): 18740 * runtime/Operations.h: 18741 187422013-06-09 Filip Pizlo <fpizlo@apple.com> 18743 18744 Marge trunk r146653. 18745 18746 2013-03-22 Filip Pizlo <fpizlo@apple.com> 18747 18748 DFG folding of PutById to SimpleReplace should consider the specialized function case 18749 https://bugs.webkit.org/show_bug.cgi?id=113093 18750 18751 Reviewed by Geoffrey Garen and Mark Hahnenberg. 18752 18753 * bytecode/PutByIdStatus.cpp: 18754 (JSC::PutByIdStatus::computeFor): 18755 187562013-06-09 Filip Pizlo <fpizlo@apple.com> 18757 18758 fourthTier: DFG GetById patching shouldn't distinguish between self lists and proto lists 18759 https://bugs.webkit.org/show_bug.cgi?id=117377 18760 18761 Reviewed by Geoffrey Garen. 18762 18763 Previously if you did self accesses and then wanted to do a prototype access, you'd 18764 have a bad time: the prototype accesses would be forced to take slow path because 18765 the self list wouldn't allow prototype accesses. Likewise if you did prototype (or 18766 chain) accesses and then wanted to do a self access, similar stupidity would ensue. 18767 18768 This fixes the stupidity. 18769 18770 I believe that this was introduced way back in the days of the old interpreter, 18771 where distinguishing between self lists, proto lists, and chain lists was meaningful 18772 for interpreter performance: it meant fewer branches to evaluate those lists. Then 18773 it got mostly carried over to the old JIT since the old JIT was just initially an 18774 optimized version of the old interpreter, and then later it got carried over to the 18775 DFG because I didn't know any better at the time. Now I do know better and I'm 18776 fixing it. 18777 18778 * bytecode/PolymorphicAccessStructureList.h: 18779 (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set): 18780 * bytecode/StructureStubInfo.h: 18781 (JSC::StructureStubInfo::initGetByIdSelfList): 18782 * dfg/DFGOperations.cpp: 18783 * dfg/DFGOperations.h: 18784 * dfg/DFGRepatch.cpp: 18785 (JSC::DFG::tryCacheGetByID): 18786 (JSC::DFG::getPolymorphicStructureList): 18787 (DFG): 18788 (JSC::DFG::patchJumpToGetByIdStub): 18789 (JSC::DFG::tryBuildGetByIDList): 18790 (JSC::DFG::dfgBuildGetByIDList): 18791 187922013-06-09 Mark Lam <mark.lam@apple.com> 18793 18794 Fix broken no-DFG build. 18795 https://bugs.webkit.org/show_bug.cgi?id=117381. 18796 18797 Reviewed by Geoffrey Garen. 18798 18799 * bytecode/CodeBlock.cpp: 18800 * bytecode/CodeBlock.h: 18801 (CodeBlock): 18802 (ProgramCodeBlock): 18803 (EvalCodeBlock): 18804 (FunctionCodeBlock): 18805 * dfg/DFGCapabilities.h: 18806 * dfg/DFGDriver.h: 18807 (JSC::DFG::tryCompile): 18808 (JSC::DFG::tryCompileFunction): 18809 * dfg/DFGJITCode.cpp: 18810 * dfg/DFGRepatch.h: 18811 (JSC::DFG::dfgResetGetByID): 18812 (JSC::DFG::dfgResetPutByID): 18813 * heap/DFGCodeBlocks.cpp: 18814 (JSC::DFGCodeBlocks::jettison): 18815 * interpreter/CallFrame.h: 18816 (ExecState): 18817 (JSC::ExecState::trueCallFrame): 18818 * interpreter/Interpreter.cpp: 18819 (JSC::getCallerInfo): 18820 * runtime/Executable.cpp: 18821 * runtime/Executable.h: 18822 (EvalExecutable): 18823 (ProgramExecutable): 18824 (FunctionExecutable): 18825 * runtime/ExecutionHarness.h: 18826 * runtime/VM.cpp: 18827 (JSC::VM::~VM): 18828 188292013-06-08 Filip Pizlo <fpizlo@apple.com> 18830 18831 fourthTier: Recursive deadlock in DFG::ByteCodeParser 18832 https://bugs.webkit.org/show_bug.cgi?id=117376 18833 18834 Reviewed by Mark Hahnenberg. 18835 18836 Leave the lock early to prevent a deadlock beneath get(). 18837 18838 * dfg/DFGByteCodeParser.cpp: 18839 (JSC::DFG::ByteCodeParser::parseBlock): 18840 188412013-06-08 Mark Lam <mark.lam@apple.com> 18842 18843 Removed bogus assertion in CallFrame::setLocationAsBytecodeOffset(). 18844 https://bugs.webkit.org/show_bug.cgi?id=117373. 18845 18846 Reviewed by Oliver Hunt. 18847 18848 The assertion wrongly assumes that the incoming offset argument is in 18849 units of bytes. This is not true. It is in units of Instruction*. Hence, 18850 the assertion which checks for the low 2 bits to be clear can fail. 18851 18852 * interpreter/CallFrame.cpp: 18853 (JSC::CallFrame::setLocationAsBytecodeOffset): 18854 188552013-06-07 Filip Pizlo <fpizlo@apple.com> 18856 18857 fourthTier: don't insert ForceOSRExits except for inadequate coverage 18858 https://bugs.webkit.org/show_bug.cgi?id=117363 18859 18860 Reviewed by Mark Hahnenberg. 18861 18862 Previously (in http://trac.webkit.org/changeset/151303) I made it so that we 18863 inserted ForceOSRExits more eagerly. I now think it's better to have 18864 contradictions execute normally and exit with full OSR exit profiling. It's 18865 better at catching the few cases where the DFG will end up with different 18866 types than the baseline engines. 18867 18868 This simplifies a bunch of code. For example it gets rid of 18869 ConstantFoldingPhase::paintUnreachableCode(). 18870 18871 You can think of this as a partial roll-out of r151303, except that it uses 18872 the facilities introduced by that patch to give us run-time assertions that 18873 check the CFA's correctness: if the CFA thought that something was a 18874 contradiction but the code didn't exit, we'll now trap. 18875 18876 * dfg/DFGAbstractState.cpp: 18877 (JSC::DFG::AbstractState::AbstractState): 18878 (JSC::DFG::AbstractState::startExecuting): 18879 (JSC::DFG::AbstractState::executeEffects): 18880 (JSC::DFG::AbstractState::execute): 18881 (JSC::DFG::AbstractState::filter): 18882 (JSC::DFG::AbstractState::filterArrayModes): 18883 (JSC::DFG::AbstractState::filterByValue): 18884 (DFG): 18885 * dfg/DFGAbstractState.h: 18886 (AbstractState): 18887 (JSC::DFG::AbstractState::filter): 18888 (JSC::DFG::AbstractState::filterArrayModes): 18889 (JSC::DFG::AbstractState::filterByValue): 18890 * dfg/DFGCFAPhase.cpp: 18891 (JSC::DFG::CFAPhase::performBlockCFA): 18892 * dfg/DFGConstantFoldingPhase.cpp: 18893 (JSC::DFG::ConstantFoldingPhase::run): 18894 (JSC::DFG::ConstantFoldingPhase::foldConstants): 18895 (ConstantFoldingPhase): 18896 * dfg/DFGSpeculativeJIT.cpp: 18897 (JSC::DFG::SpeculativeJIT::compile): 18898 * ftl/FTLLowerDFGToLLVM.cpp: 18899 (JSC::FTL::LowerDFGToLLVM::compileNode): 18900 189012013-06-07 Filip Pizlo <fpizlo@apple.com> 18902 18903 Unreviewed, fix release build. 18904 18905 * ftl/FTLLink.cpp: 18906 189072013-06-06 Filip Pizlo <fpizlo@apple.com> 18908 18909 fourthTier: Reenable the DFG optimization fixpoint now that it's profitable to do so with concurrent compilation 18910 https://bugs.webkit.org/show_bug.cgi?id=117331 18911 18912 Rubber stamped by Sam Weinig. 18913 18914 * dfg/DFGPlan.cpp: 18915 (JSC::DFG::Plan::compileInThreadImpl): 18916 189172013-06-05 Filip Pizlo <fpizlo@apple.com> 18918 18919 fourthTier: DFG CFA should know when it hits a contradiction 18920 https://bugs.webkit.org/show_bug.cgi?id=117272 18921 18922 Reviewed by Oliver Hunt. 18923 18924 This makes the DFG CFA immediately detect when it hit a contradiction. Previously 18925 we might not know this: for example if we did an int32 type check on a known string; 18926 the code would definitely always exit but the CFA would think that we wouldn't have 18927 even though it would have computed a BOTTOM (i.e. contradictory) value for that 18928 variable. 18929 18930 This requires two other changes: 18931 18932 - CFA must report contradictions as if they are frequent exit sites, since 18933 contradictory speculations will subsequently get replaced with ForceOSRExit. 18934 ForceOSRExit cannot itself report profiling data back to the DFG::ExitProfile. So, 18935 we do this on behalf of the speculation, eagerly, within the CFA. This also has 18936 the effect of speeding convergence somewhat. We may want to revisit this later; 18937 for example we might want to instead have the notion of a ForceOSRExit that knows 18938 the set of speculations that got folded into it. 18939 18940 - This revealed a bug where the CFA was modeling CheckStructure on a node that had 18941 a known singleton m_futurePossibleStructure set somewhat differently than the 18942 constant folder. If the CheckStructure was checking a structure set with two or 18943 more structures in it, it would not filter the abstract value. But the constant 18944 folder would turn this into a watchpoint on the singleton structure, thereby 18945 filtering the value. This discrepancy meant that we wouldn't realize the 18946 contradiction until the backend, and the AbstractState::bail() method asserts that 18947 we always realize contradictions in the constant folder. 18948 18949 * JavaScriptCore.xcodeproj/project.pbxproj: 18950 * bytecode/CodeBlock.h: 18951 (JSC::CodeBlock::addFrequentExitSite): 18952 (JSC::CodeBlock::hasExitSite): 18953 (CodeBlock): 18954 * bytecode/DFGExitProfile.cpp: 18955 (JSC::DFG::ExitProfile::add): 18956 (JSC::DFG::ExitProfile::hasExitSite): 18957 (JSC::DFG::QueryableExitProfile::QueryableExitProfile): 18958 (JSC::DFG::QueryableExitProfile::~QueryableExitProfile): 18959 (DFG): 18960 (JSC::DFG::QueryableExitProfile::initialize): 18961 * bytecode/DFGExitProfile.h: 18962 (JSC::DFG::FrequentExitSite::FrequentExitSite): 18963 (ExitProfile): 18964 (JSC::DFG::ExitProfile::hasExitSite): 18965 (QueryableExitProfile): 18966 * bytecode/ExitKind.cpp: 18967 (JSC::exitKindToString): 18968 * dfg/DFGAbstractState.cpp: 18969 (JSC::DFG::AbstractState::AbstractState): 18970 (JSC::DFG::AbstractState::beginBasicBlock): 18971 (JSC::DFG::AbstractState::reset): 18972 (JSC::DFG::AbstractState::startExecuting): 18973 (JSC::DFG::AbstractState::executeEffects): 18974 (JSC::DFG::AbstractState::execute): 18975 (JSC::DFG::AbstractState::filter): 18976 (DFG): 18977 (JSC::DFG::AbstractState::filterArrayModes): 18978 (JSC::DFG::AbstractState::filterByValue): 18979 (JSC::DFG::AbstractState::bail): 18980 * dfg/DFGAbstractState.h: 18981 (AbstractState): 18982 (JSC::DFG::AbstractState::filter): 18983 (JSC::DFG::AbstractState::filterArrayModes): 18984 (JSC::DFG::AbstractState::filterByValue): 18985 (JSC::DFG::AbstractState::filterByType): 18986 * dfg/DFGAbstractValue.cpp: 18987 (JSC::DFG::AbstractValue::filter): 18988 (JSC::DFG::AbstractValue::filterArrayModes): 18989 (DFG): 18990 (JSC::DFG::AbstractValue::filterByValue): 18991 (JSC::DFG::AbstractValue::normalizeClarity): 18992 * dfg/DFGAbstractValue.h: 18993 (AbstractValue): 18994 * dfg/DFGByteCodeParser.cpp: 18995 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): 18996 * dfg/DFGCFAPhase.cpp: 18997 (JSC::DFG::CFAPhase::performBlockCFA): 18998 * dfg/DFGCapabilities.cpp: 18999 (JSC::DFG::debugFail): 19000 (JSC::DFG::capabilityLevel): 19001 * dfg/DFGConstantFoldingPhase.cpp: 19002 (JSC::DFG::ConstantFoldingPhase::foldConstants): 19003 (ConstantFoldingPhase): 19004 (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode): 19005 * dfg/DFGFiltrationResult.h: Added. 19006 (DFG): 19007 * dfg/DFGFixupPhase.cpp: 19008 (JSC::DFG::FixupPhase::fixupNode): 19009 * dfg/DFGNodeType.h: 19010 (DFG): 19011 * dfg/DFGOSRExitBase.cpp: 19012 (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow): 19013 * dfg/DFGOSRExitBase.h: 19014 (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite): 19015 * dfg/DFGPredictionPropagationPhase.cpp: 19016 (JSC::DFG::PredictionPropagationPhase::propagate): 19017 * dfg/DFGSpeculativeJIT.cpp: 19018 (JSC::DFG::SpeculativeJIT::backwardTypeCheck): 19019 (JSC::DFG::SpeculativeJIT::bail): 19020 (DFG): 19021 (JSC::DFG::SpeculativeJIT::compile): 19022 (JSC::DFG::SpeculativeJIT::compileToStringOnCell): 19023 (JSC::DFG::SpeculativeJIT::speculateStringObject): 19024 (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject): 19025 * dfg/DFGSpeculativeJIT.h: 19026 (SpeculativeJIT): 19027 * dfg/DFGSpeculativeJIT32_64.cpp: 19028 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): 19029 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 19030 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 19031 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 19032 (JSC::DFG::SpeculativeJIT::compile): 19033 * dfg/DFGSpeculativeJIT64.cpp: 19034 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): 19035 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 19036 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 19037 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 19038 (JSC::DFG::SpeculativeJIT::compile): 19039 * ftl/FTLCapabilities.cpp: 19040 (JSC::FTL::canCompile): 19041 * ftl/FTLLowerDFGToLLVM.cpp: 19042 (JSC::FTL::LowerDFGToLLVM::compileNode): 19043 (JSC::FTL::LowerDFGToLLVM::appendTypeCheck): 19044 190452013-06-07 Mark Lam <mark.lam@apple.com> 19046 19047 32-bit CallFrame::Location should use Instruction* for BytecodeLocation, not bytecodeOffset. 19048 https://bugs.webkit.org/show_bug.cgi?id=117327. 19049 19050 Reviewed by Michael Saboff. 19051 19052 - Renamed CallFrame::Location's Type to TypeTag. 19053 - Made the CallFrame::Location::TypeTag private, and provided type 19054 specific encoder functions. This reduces verbosity in client code. 19055 - Fixed the DFG's reifyInlinedCallFrames() on 32-bit ports to store a 19056 bytecode Instruction* in the CallFrame location instead of a bytecode 19057 offset. 19058 - Fixed places in JIT and FTL code which populate the CallFrame location 19059 (i.e. ArgumentCount tag) to use a Location encoder instead of storing 19060 the bytecodeOffset directly. This doesn't make any semantic difference, 19061 but it does assert that the stored value does not have bits where we 19062 would expect Location TypeTags to be. 19063 19064 * dfg/DFGJITCompiler.h: 19065 (JSC::DFG::JITCompiler::beginCall): 19066 * dfg/DFGOSRExitCompilerCommon.cpp: 19067 (JSC::DFG::reifyInlinedCallFrames): 19068 * ftl/FTLLink.cpp: 19069 (JSC::FTL::link): 19070 * interpreter/CallFrame.cpp: 19071 (JSC::CallFrame::setLocationAsBytecodeOffset): 19072 * interpreter/CallFrame.h: 19073 (Location): 19074 * interpreter/CallFrameInlines.h: 19075 (JSC::CallFrame::Location::encodeAsBytecodeOffset): 19076 (JSC::CallFrame::Location::encodeAsBytecodeInstruction): 19077 (JSC::CallFrame::Location::encodeAsCodeOriginIndex): 19078 (JSC::CallFrame::Location::encodeAsInlinedCode): 19079 (JSC::CallFrame::Location::isBytecodeLocation): 19080 (JSC::CallFrame::setIsInlinedFrame): 19081 (JSC::CallFrame::hasLocationAsBytecodeOffset): 19082 (JSC::CallFrame::setLocationAsBytecodeOffset): 19083 * jit/JITCall.cpp: 19084 (JSC::JIT::compileOpCall): 19085 * jit/JITCall32_64.cpp: 19086 (JSC::JIT::compileOpCall): 19087 * jit/JITInlines.h: 19088 (JSC::JIT::updateTopCallFrame): 19089 190902013-06-06 Mark Lam <mark.lam@apple.com> 19091 19092 Encode CallFrame::Location flags in the low bits when USE(JSVALUE32_64). 19093 https://bugs.webkit.org/show_bug.cgi?id=117312. 19094 19095 Reviewed by Michael Saboff. 19096 19097 For USE(JSVALUE32_64), we store the location flags in the low 2 bits of 19098 the word because we need the high bits for address bits. 19099 19100 * interpreter/CallFrame.cpp: 19101 (JSC::CallFrame::setLocationAsBytecodeOffset): 19102 * interpreter/CallFrame.h: 19103 * interpreter/CallFrameInlines.h: 19104 (JSC::CallFrame::Location::encode): 19105 (JSC::CallFrame::Location::decode): 19106 (JSC::CallFrame::Location::isCodeOriginIndex): 19107 (JSC::CallFrame::Location::isInlinedCode): 19108 191092013-06-06 Mark Lam <mark.lam@apple.com> 19110 19111 CallFrame::trueCallFrame() should populate the bytecodeOffset field 19112 when reifying inlined frames.. 19113 https://bugs.webkit.org/show_bug.cgi?id=117209. 19114 19115 Reviewed by Geoffrey Garen. 19116 19117 When reifying an inlined frame, we fill in its CodeBlock, and 19118 bytecodeOffset. We also set the InlinedFrame bit in the location field. 19119 This is needed in order to iterate the stack correctly. Here's why: 19120 19121 Let's say we have the following stack trace: 19122 X calls A inlines B inlines C calls D 19123 19124 Based on the above scenario, 19125 1. D's callerFrame points to A (not C). 19126 2. A has a codeOriginIndex that points to C. 19127 19128 When iterating the stack (from D back towards X), we will encounter A 19129 twice: 19130 19131 t1. when trying to find C as D's caller. 19132 This is the time when we reify B and C using the 19133 codeOriginIndex in A, and return C as the caller frame of D. 19134 19135 t2. when getting's the reified B's caller. 19136 This time, we don't run the reification process, and 19137 just take A as the caller frame of B. 19138 19139 To discern which treatment of the DFG frame (i.e. A) we need to apply, 19140 we check if the callee is an inlined frame: 19141 19142 If callee is NOT an inlined frame (e.g. frame D), apply treatment t1. 19143 If callee is an inlined frame (e.g. frame B), apply treatment t2. 19144 19145 Why not just reify A by replacing its codeOriginIndex with A's 19146 bytecodeOffset? 19147 19148 We can't do this because D's callerFrame pointer still points to A, and 19149 needs to remain that way because we did not deopt A. It remains a DFG 19150 frame which inlined B and C. 19151 19152 If we replace the codeOriginIndex in A with A's bytecodeOffset, we will 19153 only get to iterate the stack correctly once. If we try to iterate the 19154 stack a second time, we will not have the information from the 19155 codeOriginIndex to tell us that D's caller is actually the inlined C, 19156 and not A. 19157 19158 To recap, when reifying frames for stack iteration purposes, the DFG 19159 frame needs to hold on to its codeOriginIndex. This in turn means the 19160 DFG frame will need to be treated in 2 possible ways, and we need to 19161 know if a callee frame is an inlined frame in order to choose the 19162 correct treatment for the DFG frame. 19163 19164 Other changes: 19165 - Simplified Interpreter::getCallerInfo(). 19166 - Removed CodeBlock::codeOriginForReturn() and supporting code 19167 which is now unneeded. 19168 - Moved CallFrame location bit encoding from the CodeOrigin to the 19169 new CallFrame::Location class. 19170 - Explicitly tagged inlined frames. This is necessary in order to 19171 iterate the stack correctly as explained above. 19172 19173 * bytecode/CodeBlock.cpp: 19174 * bytecode/CodeBlock.h: 19175 (JSC::CodeBlock::codeOrigins): 19176 (CodeBlock): 19177 (JSC::CodeBlock::codeOrigin): 19178 (RareData): 19179 * bytecode/CodeOrigin.h: 19180 (CodeOrigin): 19181 * dfg/DFGJITCompiler.cpp: 19182 (JSC::DFG::JITCompiler::link): 19183 * dfg/DFGJITCompiler.h: 19184 (JSC::DFG::JITCompiler::beginCall): 19185 * interpreter/CallFrame.cpp: 19186 (JSC::CallFrame::trueCallFrame): 19187 (JSC::CallFrame::trueCallerFrame): 19188 (JSC::CallFrame::bytecodeOffsetFromCodeOriginIndex): 19189 * interpreter/CallFrame.h: 19190 (Location): 19191 (ExecState): 19192 (JSC::ExecState::trueCallerFrame): 19193 (JSC::ExecState::callerFrameNoFlags): 19194 * interpreter/CallFrameInlines.h: 19195 (JSC::CallFrame::Location::encode): 19196 (JSC::CallFrame::Location::decode): 19197 (JSC::CallFrame::Location::isBytecodeOffset): 19198 (JSC::CallFrame::Location::isCodeOriginIndex): 19199 (JSC::CallFrame::Location::isInlinedFrame): 19200 (JSC::CallFrame::isInlinedFrame): 19201 (JSC::CallFrame::setIsInlinedFrame): 19202 (JSC::CallFrame::hasLocationAsBytecodeOffset): 19203 (JSC::CallFrame::hasLocationAsCodeOriginIndex): 19204 (JSC::CallFrame::locationAsBytecodeOffset): 19205 (JSC::CallFrame::setLocationAsBytecodeOffset): 19206 (JSC::CallFrame::locationAsCodeOriginIndex): 19207 * interpreter/Interpreter.cpp: 19208 (JSC::getCallerInfo): 19209 (JSC::Interpreter::getStackTrace): 19210 (JSC::Interpreter::findFunctionCallFrameFromVMCode): 19211 * runtime/Arguments.cpp: 19212 (JSC::Arguments::tearOff): 19213 192142013-06-05 Filip Pizlo <fpizlo@apple.com> 19215 19216 DFG CFA shouldn't filter ArrayModes with ALL_NON_ARRAY_ARRAY_MODES if the speculated type is not SpecArray 19217 https://bugs.webkit.org/show_bug.cgi?id=117279 19218 19219 Reviewed by Mark Hahnenberg. 19220 19221 The normalization of abstract value clarity introduced in r151229 revealed a 19222 long-standing bug where we filtered ArrayModes incorrectly and sometimes ended 19223 up with BOTTOM incorrectly. 19224 19225 This patch fixes that bug, and cleans up a bunch of debugging infrastructure 19226 that I needed to resurrect to track this down. 19227 19228 * bytecode/CodeBlock.cpp: 19229 (JSC::CodeBlock::resetStubInternal): 19230 (JSC::CodeBlock::noticeIncomingCall): 19231 * dfg/DFGAbstractValue.cpp: 19232 (JSC::DFG::AbstractValue::filterArrayModesByType): 19233 * dfg/DFGCFAPhase.cpp: 19234 (CFAPhase): 19235 (JSC::DFG::CFAPhase::run): 19236 (JSC::DFG::CFAPhase::performBlockCFA): 19237 (JSC::DFG::CFAPhase::performForwardCFA): 19238 * runtime/Options.h: 19239 (JSC): 19240 192412013-06-05 Filip Pizlo <fpizlo@apple.com> 19242 19243 Unreviewed, fix release build. 19244 19245 * interpreter/Interpreter.cpp: 19246 * jit/JITStubs.cpp: 19247 192482013-06-05 Mark Lam <mark.lam@apple.com> 19249 19250 Disambiguate between CallFrame bytecodeOffset and codeOriginIndex. 19251 https://bugs.webkit.org/show_bug.cgi?id=117262. 19252 19253 Reviewed by Geoffrey Garen. 19254 19255 When writing to the ArgumentCount tag in CallFrame, we will set the high 19256 bit if the written value is a codeOriginIndex. 19257 19258 * GNUmakefile.list.am: 19259 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: 19260 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 19261 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 19262 * JavaScriptCore.xcodeproj/project.pbxproj: 19263 * bytecode/CodeOrigin.h: 19264 (CodeOrigin): 19265 (JSC::CodeOrigin::isHandle): 19266 (JSC::CodeOrigin::encodeHandle): 19267 (JSC::CodeOrigin::decodeHandle): 19268 * dfg/DFGJITCompiler.h: 19269 (JSC::DFG::JITCompiler::beginCall): 19270 * dfg/DFGRepatch.cpp: 19271 (JSC::DFG::tryBuildGetByIDList): 19272 * interpreter/CallFrame.cpp: 19273 (JSC::CallFrame::locationAsBytecodeOffset): 19274 (JSC::CallFrame::setLocationAsBytecodeOffset): 19275 (JSC::CallFrame::currentVPC): 19276 (JSC::CallFrame::setCurrentVPC): 19277 (JSC::CallFrame::trueCallFrame): 19278 * interpreter/CallFrame.h: 19279 (ExecState): 19280 (JSC::ExecState::inlineCallFrame): 19281 * interpreter/CallFrameInlines.h: Added. 19282 (JSC::CallFrame::hasLocationAsBytecodeOffset): 19283 (JSC::CallFrame::hasLocationAsCodeOriginIndex): 19284 (JSC::CallFrame::locationAsRawBits): 19285 (JSC::CallFrame::setLocationAsRawBits): 19286 (JSC::CallFrame::locationAsBytecodeOffset): 19287 (JSC::CallFrame::setLocationAsBytecodeOffset): 19288 (JSC::CallFrame::locationAsCodeOriginIndex): 19289 * interpreter/Interpreter.cpp: 19290 (JSC::getBytecodeOffsetForCallFrame): 19291 (JSC::getCallerInfo): 19292 * jit/JITStubs.cpp: 19293 (JSC::DEFINE_STUB_FUNCTION): 19294 192952013-06-05 Filip Pizlo <fpizlo@apple.com> 19296 19297 Unreviewed, fix release build. 19298 19299 * interpreter/Interpreter.cpp: 19300 * jit/JITStubs.cpp: 19301 193022013-06-04 Filip Pizlo <fpizlo@apple.com> 19303 19304 fourthTier: Clean up AbstractValue 19305 https://bugs.webkit.org/show_bug.cgi?id=117217 19306 19307 Reviewed by Oliver Hunt. 19308 19309 This started as an attempt to make it so that when AbstractValue becomes empty, 19310 its m_type always becomes SpecNone. I wanted this to happen naturally. That turns 19311 out to be basically impossible, since AbstractValue is a set that is dynamically 19312 computed from the intersection of several internal sets: so the value becomes 19313 empty when any of the sets go empty. It's OK if we're imprecise here because it's 19314 always safe for the AbstractValue to seem to overapproximate the set of values 19315 that we see. So I mostly gave up on cleaning up that aspect of AbstractValue. But 19316 while trying to make this happen, I encountered two bugs: 19317 19318 - filterValueByType() ignores the case when m_type contravenes m_value. Namely, 19319 we might filter the AbstractValue against a SpeculatedType leading to m_value 19320 becoming inconsistent with the new m_type. This change fixes that case. This 19321 wasn't a symptomatic bug but it was a silly oversight. 19322 19323 - filterFuturePossibleStructure() was never right. The one call to this method, 19324 in filter(Graph&, const StructureSet&), assumed that the previous notions of 19325 what structures the value could have in the future were still relevant. This 19326 could lead to a bug where we: 19327 19328 1) CheckStructure(@foo, S1) 19329 19330 Where S1 has a valid watchpoint. Now @foo's abstract value will have current 19331 and future structure = S1. 19332 19333 2) Clobber the world. 19334 19335 Now @foo's abstract value will have current structure = TOP, and future 19336 possible structure = S1. 19337 19338 3) CheckStructure(@foo, S2) 19339 19340 Now @foo's abstract value will have current structure = S2 and future 19341 possible structure = S1 intersect S2 = BOTTOM. 19342 19343 Now we will think that any subsequent watchpoint on @foo is valid because the 19344 value is effectively BOTTOM. That would only be correct if we had actually set 19345 a watchpoint on S1. If we had done so, then (3) would only pass (i.e. @foo 19346 would only have structure S2) if S1's watchpoint fired, in which case (3) 19347 wouldn't have been reachable. But we didn't actually set a watchpoint on S1: 19348 we just observed that we *could* have set the watchpoint. Hence future possible 19349 structure should only be set to either the known structure at compile-time, or 19350 it should be the structure we just checked; in both cases it should only be set 19351 if the structure is watchable. 19352 19353 Then, in addition to all of this, I changed AbstractValue's filtering methods to 19354 call clear() if the AbstractValue is effectively clear. This is just meant to 19355 simplify the recognition of truly empty AbstractValues, but doesn't actually have 19356 any other implications. 19357 19358 * bytecode/StructureSet.h: 19359 (JSC::StructureSet::dump): 19360 * dfg/DFGAbstractValue.cpp: 19361 (JSC::DFG::AbstractValue::filter): 19362 (DFG): 19363 (JSC::DFG::AbstractValue::filterArrayModes): 19364 (JSC::DFG::AbstractValue::filterValueByType): 19365 (JSC::DFG::AbstractValue::filterArrayModesByType): 19366 (JSC::DFG::AbstractValue::shouldBeClear): 19367 (JSC::DFG::AbstractValue::normalizeClarity): 19368 (JSC::DFG::AbstractValue::checkConsistency): 19369 * dfg/DFGAbstractValue.h: 19370 (JSC::DFG::AbstractValue::isClear): 19371 (AbstractValue): 19372 193732013-06-04 Mark Lam <mark.lam@apple.com> 19374 19375 The DFG JIT should populate frame bytecodeOffsets on OSR exit. 19376 https://bugs.webkit.org/show_bug.cgi?id=117103. 19377 19378 Reviewed by Geoffrey Garen. 19379 19380 * dfg/DFGOSRExitCompilerCommon.cpp: 19381 (JSC::DFG::reifyInlinedCallFrames): 19382 193832013-06-03 Filip Pizlo <fpizlo@apple.com> 19384 19385 fourthTier: all cached put_by_id transitions, even ones that weren't inlined by the DFG, should be propagated by the GC 19386 https://bugs.webkit.org/show_bug.cgi?id=117170 19387 19388 Reviewed by Mark Hahnenberg. 19389 19390 * bytecode/CodeBlock.cpp: 19391 (JSC::CodeBlock::visitAggregate): 19392 (JSC::CodeBlock::propagateTransitions): 19393 (JSC): 19394 (JSC::CodeBlock::determineLiveness): 19395 (JSC::CodeBlock::visitWeakReferences): 19396 (JSC::CodeBlock::finalizeUnconditionally): 19397 * bytecode/CodeBlock.h: 19398 (CodeBlock): 19399 * bytecode/PolymorphicPutByIdList.h: 19400 (JSC): 19401 (PutByIdAccess): 19402 (PolymorphicPutByIdList): 19403 * bytecode/StructureStubInfo.h: 19404 (StructureStubInfo): 19405 * jit/JITCode.h: 19406 (JSC::JITCode::couldBeInterpreted): 19407 (JITCode): 19408 194092013-06-02 Filip Pizlo <fpizlo@apple.com> 19410 19411 fourthTier: Get rid of StructureStubInfo::bytecodeIndex 19412 https://bugs.webkit.org/show_bug.cgi?id=117127 19413 19414 Reviewed by Mark Hahnenberg. 19415 19416 StructureStubInfo already has a CodeOrigin field, which also has a bytecodeIndex. 19417 It makes sense to just always use the CodeOrigin. 19418 19419 * bytecode/StructureStubInfo.h: 19420 (StructureStubInfo): 19421 (JSC::getStructureStubInfoBytecodeIndex): 19422 * jit/JIT.cpp: 19423 (JSC::PropertyStubCompilationInfo::copyToStubInfo): 19424 * jit/JIT.h: 19425 (JSC::JIT::compileGetByIdProto): 19426 (JSC::JIT::compileGetByIdSelfList): 19427 (JSC::JIT::compileGetByIdProtoList): 19428 (JSC::JIT::compileGetByIdChainList): 19429 (JSC::JIT::compileGetByIdChain): 19430 (JSC::JIT::compilePutByIdTransition): 19431 * jit/JITPropertyAccess.cpp: 19432 (JSC::JIT::privateCompilePutByIdTransition): 19433 * jit/JITPropertyAccess32_64.cpp: 19434 (JSC::JIT::privateCompilePutByIdTransition): 19435 194362013-06-01 Filip Pizlo <fpizlo@apple.com> 19437 19438 Fix some minor issues in the DFG's profiling of heap accesses 19439 https://bugs.webkit.org/show_bug.cgi?id=113010 19440 19441 Reviewed by Goeffrey Garen. 19442 19443 Carefully merge r146669 from trunk. This required some fiddling since it 19444 wasn't a clean apply. 19445 19446 Original changelog: 19447 19448 1) If a CodeBlock gets jettisoned by GC, we should count the exit sites. 19449 19450 2) If a CodeBlock clears a structure stub during GC, it should record this, and 19451 the DFG should prefer to not inline that access (i.e. treat it as if it had an 19452 exit site). 19453 19454 3) If a PutById was seen by the baseline JIT, and the JIT attempted to cache it, 19455 but it chose not to, then assume that it will take slow path. 19456 19457 4) If we frequently exited because of a structure check on a weak constant, 19458 don't try to inline that access in the future. 19459 19460 5) Treat all exits that were counted as being frequent. 19461 19462 81% speed-up on Octane/gbemu. Small speed-ups elsewhere, and no regressions. 19463 19464 * bytecode/CodeBlock.cpp: 19465 (JSC::CodeBlock::finalizeUnconditionally): 19466 (JSC): 19467 (JSC::CodeBlock::resetStubDuringGCInternal): 19468 (JSC::CodeBlock::reoptimize): 19469 (JSC::CodeBlock::jettison): 19470 (JSC::ProgramCodeBlock::jettisonImpl): 19471 (JSC::EvalCodeBlock::jettisonImpl): 19472 (JSC::FunctionCodeBlock::jettisonImpl): 19473 (JSC::CodeBlock::tallyFrequentExitSites): 19474 * bytecode/CodeBlock.h: 19475 (CodeBlock): 19476 (JSC::CodeBlock::tallyFrequentExitSites): 19477 (ProgramCodeBlock): 19478 (EvalCodeBlock): 19479 (FunctionCodeBlock): 19480 * bytecode/GetByIdStatus.cpp: 19481 (JSC::GetByIdStatus::computeFor): 19482 * bytecode/PutByIdStatus.cpp: 19483 (JSC::PutByIdStatus::computeFor): 19484 * bytecode/StructureStubInfo.h: 19485 (JSC::StructureStubInfo::StructureStubInfo): 19486 (StructureStubInfo): 19487 * dfg/DFGByteCodeParser.cpp: 19488 (JSC::DFG::ByteCodeParser::handleGetById): 19489 (JSC::DFG::ByteCodeParser::parseBlock): 19490 * dfg/DFGOSRExitBase.cpp: 19491 (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow): 19492 * dfg/DFGOSRExitBase.h: 19493 (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite): 19494 (OSRExitBase): 19495 * jit/JITStubs.cpp: 19496 (JSC::DEFINE_STUB_FUNCTION): 19497 * runtime/Options.h: 19498 (JSC): 19499 195002013-05-31 Filip Pizlo <fpizlo@apple.com> 19501 19502 Remove CodeOrigin::valueProfileOffset since it was only needed for op_call_put_result. 19503 19504 Rubber stamped by Mark Hahnenberg. 19505 19506 * bytecode/CodeOrigin.h: 19507 (CodeOrigin): 19508 (JSC::CodeOrigin::CodeOrigin): 19509 (JSC::CodeOrigin::isSet): 19510 * dfg/DFGByteCodeParser.cpp: 19511 (JSC::DFG::ByteCodeParser::currentCodeOrigin): 19512 * dfg/DFGGraph.h: 19513 (JSC::DFG::Graph::valueProfileFor): 19514 195152013-05-31 Filip Pizlo <fpizlo@apple.com> 19516 19517 Remove finalDestinationOrIgnored since it isn't called anymore. 19518 19519 Rubber stamped by Mark Hahnenberg. 19520 19521 * bytecompiler/BytecodeGenerator.h: 19522 (BytecodeGenerator): 19523 195242013-05-31 Filip Pizlo <fpizlo@apple.com> 19525 19526 fourthTier: get rid of op_call_put_result 19527 https://bugs.webkit.org/show_bug.cgi?id=117047 19528 19529 Reviewed by Gavin Barraclough. 19530 19531 op_call_put_result is an oddball. Its semantics are that it takes the return 19532 value of a call instruction, which is set aside in regT0/regT1, and places them 19533 into some stack slot. This is weird since there is an implicit contract with the 19534 preceding bytecode instruction, and it's even weirder since it means that it 19535 doesn't make sense to jump to it; for example OSR exit from the preceding call 19536 instruction must make sure to jump over the op_call_put_result. 19537 19538 So this patch gets rid of op_call_put_result: 19539 19540 - In bytecode, all calls return a value and we always allocate a temporary for 19541 that value even if it isn't used. 19542 19543 - The LLInt does the return value saving as part of dispatchAfterCall(). 19544 19545 - The JIT and DFG do the return value saving as part of normal code generation. 19546 The DFG already did the right thing. 19547 19548 - DFG->JIT OSR exit in the case of inlining will make the return PC's point at 19549 the CallLinkInfo::callReturnLocation, rather than the machine PC associated 19550 with the op_call_put_result instruction. 19551 19552 - Tons of code gets removed. The DFG had to track whether or not a call had a 19553 return value in a bunch of places. It had to track the fact that we would 19554 exit to after the op_call_put_result. It was a mess. That mess is now gone. 19555 19556 * bytecode/CallLinkStatus.cpp: 19557 (JSC::CallLinkStatus::computeFromLLInt): 19558 * bytecode/CodeBlock.cpp: 19559 (JSC::CodeBlock::printCallOp): 19560 (JSC::CodeBlock::dumpArrayProfiling): 19561 (JSC::CodeBlock::dumpBytecode): 19562 (JSC::CodeBlock::CodeBlock): 19563 * bytecode/CodeBlock.h: 19564 * bytecode/Opcode.h: 19565 (JSC): 19566 (JSC::padOpcodeName): 19567 * bytecompiler/BytecodeGenerator.cpp: 19568 (JSC::BytecodeGenerator::emitCall): 19569 (JSC::BytecodeGenerator::emitCallVarargs): 19570 (JSC::BytecodeGenerator::emitConstruct): 19571 * bytecompiler/NodesCodegen.cpp: 19572 (JSC::NewExprNode::emitBytecode): 19573 (JSC::FunctionCallValueNode::emitBytecode): 19574 (JSC::FunctionCallResolveNode::emitBytecode): 19575 (JSC::FunctionCallBracketNode::emitBytecode): 19576 (JSC::FunctionCallDotNode::emitBytecode): 19577 (JSC::CallFunctionCallDotNode::emitBytecode): 19578 (JSC::ApplyFunctionCallDotNode::emitBytecode): 19579 * dfg/DFGByteCodeParser.cpp: 19580 (JSC::DFG::ByteCodeParser::ByteCodeParser): 19581 (ByteCodeParser): 19582 (JSC::DFG::ByteCodeParser::currentCodeOrigin): 19583 (JSC::DFG::ByteCodeParser::addCall): 19584 (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit): 19585 (JSC::DFG::ByteCodeParser::getPrediction): 19586 (JSC::DFG::ByteCodeParser::handleCall): 19587 (JSC::DFG::ByteCodeParser::handleInlining): 19588 (JSC::DFG::ByteCodeParser::handleMinMax): 19589 (JSC::DFG::ByteCodeParser::handleIntrinsic): 19590 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): 19591 (JSC::DFG::ByteCodeParser::parseBlock): 19592 * dfg/DFGCapabilities.cpp: 19593 (JSC::DFG::capabilityLevel): 19594 * dfg/DFGOSRExitCompiler.cpp: 19595 * dfg/DFGOSRExitCompilerCommon.cpp: 19596 (JSC::DFG::reifyInlinedCallFrames): 19597 * jit/JIT.cpp: 19598 (JSC::JIT::privateCompileMainPass): 19599 * jit/JIT.h: 19600 (JIT): 19601 * jit/JITCall.cpp: 19602 (JSC::JIT::emitPutCallResult): 19603 (JSC::JIT::compileLoadVarargs): 19604 (JSC::JIT::compileCallEval): 19605 (JSC::JIT::compileCallEvalSlowCase): 19606 (JSC::JIT::compileOpCall): 19607 (JSC::JIT::compileOpCallSlowCase): 19608 (JSC::JIT::emit_op_call): 19609 (JSC): 19610 (JSC::JIT::emit_op_call_eval): 19611 (JSC::JIT::emit_op_call_varargs): 19612 (JSC::JIT::emit_op_construct): 19613 (JSC::JIT::emitSlow_op_call): 19614 (JSC::JIT::emitSlow_op_call_eval): 19615 (JSC::JIT::emitSlow_op_call_varargs): 19616 (JSC::JIT::emitSlow_op_construct): 19617 * jit/JITCall32_64.cpp: 19618 (JSC::JIT::emitPutCallResult): 19619 (JSC::JIT::compileLoadVarargs): 19620 (JSC::JIT::compileCallEval): 19621 (JSC::JIT::compileCallEvalSlowCase): 19622 (JSC::JIT::compileOpCall): 19623 (JSC::JIT::compileOpCallSlowCase): 19624 * jit/JITOpcodes.cpp: 19625 (JSC): 19626 * llint/LLIntSlowPaths.cpp: 19627 (JSC::LLInt::genericCall): 19628 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 19629 * llint/LowLevelInterpreter.cpp: 19630 (JSC::CLoop::execute): 19631 * llint/LowLevelInterpreter32_64.asm: 19632 * llint/LowLevelInterpreter64.asm: 19633 196342013-05-30 Filip Pizlo <fpizlo@apple.com> 19635 19636 fourthTier: LLInt shouldn't store an offset call PC during op_call-like calls 19637 https://bugs.webkit.org/show_bug.cgi?id=117048 19638 19639 Reviewed by Mark Hahnenberg. 19640 19641 This just makes everything consistent in the LLInt: anytime any op calls out, 19642 it stores its PC and never the next op's PC. 19643 19644 * bytecode/CodeBlock.cpp: 19645 (JSC::CodeBlock::dumpBytecode): 19646 (JSC::CodeBlock::linkIncomingCall): 19647 (JSC::CodeBlock::bytecodeOffset): 19648 * bytecode/CodeBlock.h: 19649 * bytecode/Opcode.h: 19650 (JSC::padOpcodeName): 19651 * bytecompiler/BytecodeGenerator.cpp: 19652 (JSC::BytecodeGenerator::emitCallVarargs): 19653 * llint/LLIntExceptions.cpp: 19654 (JSC::LLInt::interpreterThrowInCaller): 19655 (JSC::LLInt::returnToThrow): 19656 (JSC::LLInt::callToThrow): 19657 * llint/LLIntSlowPaths.cpp: 19658 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 19659 * llint/LowLevelInterpreter.asm: 19660 * llint/LowLevelInterpreter.cpp: 19661 (JSC::CLoop::execute): 19662 * llint/LowLevelInterpreter32_64.asm: 19663 * llint/LowLevelInterpreter64.asm: 19664 196652013-05-28 Filip Pizlo <fpizlo@apple.com> 19666 19667 fourthTier: FTL should support ArithAbs 19668 https://bugs.webkit.org/show_bug.cgi?id=116890 19669 19670 Reviewed by Oliver Hunt. 19671 19672 Implements ArithAbs in the FTL, and cleans up the DFG implementation. The 19673 DFG implementation was previously doing zero extensions manually when it 19674 is probably better to just use StrictInt32Operand instead. 19675 19676 * dfg/DFGSpeculativeJIT32_64.cpp: 19677 (JSC::DFG::SpeculativeJIT::compile): 19678 * dfg/DFGSpeculativeJIT64.cpp: 19679 (JSC::DFG::SpeculativeJIT::compile): 19680 * ftl/FTLCapabilities.cpp: 19681 (JSC::FTL::canCompile): 19682 * ftl/FTLIntrinsicRepository.h: 19683 (FTL): 19684 * ftl/FTLLowerDFGToLLVM.cpp: 19685 (JSC::FTL::LowerDFGToLLVM::compileNode): 19686 (JSC::FTL::LowerDFGToLLVM::compileArithAbs): 19687 (LowerDFGToLLVM): 19688 * ftl/FTLOutput.h: 19689 (JSC::FTL::Output::doubleAbs): 19690 196912013-05-28 Mark Lam <mark.lam@apple.com> 19692 19693 Misc JIT probe enhacements. 19694 https://bugs.webkit.org/show_bug.cgi?id=116586. 19695 19696 Reviewed by Michael Saboff. 19697 19698 1. Added JIT probe support for ARMv7 and traditional ARM. 19699 Built and tested on ARMv7. ARM version not tested nor built. 19700 2. Fix the following bugs in the X86 and X86_64 probes: 19701 a. Cannot assume that the stack pointer is already aligned when 19702 we push args for the probe. Instead, we ensure the stack 19703 alignment at runtime when we set up the probe call. 19704 This is now done in the ctiMasmProbeTrampoline. 19705 b. On return, the user probe function may have altered the stack 19706 pointer value to be restored. Previously, if the sp restore value 19707 points to some of the other register restore values in the 19708 ProbeContext record, we will fail to return from the probe having 19709 those user specified value as we're expected to do. 19710 This is now fixed. 19711 3. Rearranged the X86/X86_64 registers order to organize them like gdb 19712 expects on X86_64. 19713 4. We also now preserve the condition code registers. 19714 19715 * JavaScriptCore.xcodeproj/project.pbxproj: 19716 * assembler/ARMAssembler.h: 19717 * assembler/ARMv7Assembler.h: 19718 (ARMRegisters): 19719 * assembler/MacroAssemblerARM.cpp: 19720 (JSC::isVFPPresent): 19721 (JSC::MacroAssemblerARM::ProbeContext::dumpCPURegisters): 19722 (JSC::MacroAssemblerARM::ProbeContext::dump): 19723 (JSC::MacroAssemblerARM::probe): 19724 * assembler/MacroAssemblerARM.h: 19725 (MacroAssemblerARM): 19726 (CPUState): 19727 (ProbeContext): 19728 (JSC::MacroAssemblerARM::trustedImm32FromPtr): 19729 * assembler/MacroAssemblerARMv7.h: 19730 (MacroAssemblerARMv7): 19731 (CPUState): 19732 (ProbeContext): 19733 (JSC::MacroAssemblerARMv7::trustedImm32FromPtr): 19734 * assembler/MacroAssemblerX86.h: 19735 (MacroAssemblerX86): 19736 (JSC::MacroAssemblerX86::probe): 19737 * assembler/MacroAssemblerX86Common.cpp: 19738 (JSC::MacroAssemblerX86Common::ProbeContext::dumpCPURegisters): 19739 * assembler/MacroAssemblerX86_64.h: 19740 (JSC::MacroAssemblerX86_64::probe): 19741 * assembler/X86Assembler.h: 19742 * config.h: 19743 * jit/JITStubsARM.h: 19744 * jit/JITStubsARMv7.h: 19745 * jit/JITStubsX86.h: 19746 * jit/JITStubsX86Common.h: 19747 * jit/JITStubsX86_64.h: 19748 197492013-05-28 Filip Pizlo <fpizlo@apple.com> 19750 19751 fourthTier: FTL should call masqueradesAsUndefinedWatchpointIfIsStillValid() in all of the places where it currently calls masqueradesAsUndefinedWatchpointIsStillValid() 19752 https://bugs.webkit.org/show_bug.cgi?id=116892 19753 19754 Reviewed by Oliver Hunt. 19755 19756 All of those places mean to plant the watchpoint if it's still valid. 19757 19758 * ftl/FTLLowerDFGToLLVM.cpp: 19759 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined): 19760 (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject): 19761 197622013-05-28 Filip Pizlo <fpizlo@apple.com> 19763 19764 fourthTier: FTL should support ArithMin/ArithMax 19765 https://bugs.webkit.org/show_bug.cgi?id=116885 19766 19767 Reviewed by Oliver Hunt. 19768 19769 * ftl/FTLCapabilities.cpp: 19770 (JSC::FTL::canCompile): 19771 * ftl/FTLLowerDFGToLLVM.cpp: 19772 (JSC::FTL::LowerDFGToLLVM::compileNode): 19773 (LowerDFGToLLVM): 19774 (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax): 19775 197762013-05-28 Filip Pizlo <fpizlo@apple.com> 19777 19778 testRunner should have a way of disabling inlining of functions 19779 https://bugs.webkit.org/show_bug.cgi?id=116875 19780 19781 Reviewed by Mark Hahnenberg. 19782 19783 * API/JSCTestRunnerUtils.cpp: 19784 (JSC::getExecutable): 19785 (JSC): 19786 (JSC::numberOfDFGCompiles): 19787 (JSC::setNeverInline): 19788 * API/JSCTestRunnerUtils.h: 19789 (JSC): 19790 * bytecode/CodeBlock.cpp: 19791 (JSC::CodeBlock::dumpAssumingJITType): 19792 * dfg/DFGCapabilities.cpp: 19793 (JSC::DFG::mightInlineFunctionForCall): 19794 (JSC::DFG::mightInlineFunctionForClosureCall): 19795 (JSC::DFG::mightInlineFunctionForConstruct): 19796 * runtime/Executable.h: 19797 (JSC::ScriptExecutable::ScriptExecutable): 19798 (ScriptExecutable): 19799 (JSC::ScriptExecutable::setNeverInline): 19800 (JSC::ScriptExecutable::neverInline): 19801 (JSC::ScriptExecutable::isInliningCandidate): 19802 198032013-05-27 Filip Pizlo <fpizlo@apple.com> 19804 19805 fourthTier: FTL should support ArithMod 19806 https://bugs.webkit.org/show_bug.cgi?id=116792 19807 19808 Reviewed by Oliver Hunt. 19809 19810 * ftl/FTLAbbreviations.h: 19811 (JSC::FTL::buildFRem): 19812 * ftl/FTLCapabilities.cpp: 19813 (JSC::FTL::canCompile): 19814 * ftl/FTLLowerDFGToLLVM.cpp: 19815 (JSC::FTL::LowerDFGToLLVM::compileNode): 19816 (JSC::FTL::LowerDFGToLLVM::compileArithMod): 19817 (LowerDFGToLLVM): 19818 * ftl/FTLOutput.h: 19819 (JSC::FTL::Output::doubleRem): 19820 198212013-05-27 Filip Pizlo <fpizlo@apple.com> 19822 19823 It should be possible to record heap operations (both FastMalloc and JSC GC) 19824 https://bugs.webkit.org/show_bug.cgi?id=116848 19825 19826 Reviewed by Mark Hahnenberg. 19827 19828 Record GC heap operations if ENABLE(ALLOCATION_LOGGING). 19829 19830 * API/JSManagedValue.mm: 19831 * dfg/DFGOperations.cpp: 19832 * heap/Heap.cpp: 19833 (JSC::Heap::collect): 19834 * heap/Heap.h: 19835 (Heap): 19836 (JSC::Heap::allocateWithNormalDestructor): 19837 (JSC::Heap::allocateWithImmortalStructureDestructor): 19838 (JSC::Heap::allocateWithoutDestructor): 19839 (JSC::Heap::tryAllocateStorage): 19840 (JSC::Heap::tryReallocateStorage): 19841 (JSC): 19842 (JSC::Heap::ascribeOwner): 19843 * heap/SlotVisitor.cpp: 19844 (JSC::SlotVisitor::append): 19845 (JSC::SlotVisitor::internalAppend): 19846 * heap/SlotVisitor.h: 19847 (SlotVisitor): 19848 * heap/SlotVisitorInlines.h: 19849 (JSC::SlotVisitor::append): 19850 (JSC::SlotVisitor::appendUnbarrieredPointer): 19851 (JSC::SlotVisitor::appendUnbarrieredValue): 19852 (JSC::SlotVisitor::appendUnbarrieredWeak): 19853 (JSC::SlotVisitor::internalAppend): 19854 (JSC): 19855 (JSC::SlotVisitor::appendValues): 19856 * jit/JITWriteBarrier.h: 19857 (JSC::SlotVisitor::append): 19858 * llint/LLIntCommon.h: 19859 * runtime/Butterfly.h: 19860 (Butterfly): 19861 * runtime/ButterflyInlines.h: 19862 (JSC::Butterfly::createUninitialized): 19863 (JSC::Butterfly::create): 19864 (JSC::Butterfly::growPropertyStorage): 19865 (JSC::Butterfly::createOrGrowArrayRight): 19866 (JSC): 19867 (JSC::Butterfly::growArrayRight): 19868 (JSC::Butterfly::resizeArray): 19869 * runtime/JSArray.cpp: 19870 (JSC::createArrayButterflyInDictionaryIndexingMode): 19871 (JSC::JSArray::unshiftCountSlowCase): 19872 * runtime/JSArray.h: 19873 (JSC::createContiguousArrayButterfly): 19874 (JSC::createArrayButterfly): 19875 (JSC): 19876 (JSC::JSArray::create): 19877 (JSC::JSArray::tryCreateUninitialized): 19878 * runtime/JSObject.cpp: 19879 (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists): 19880 (JSC::JSObject::createInitialIndexedStorage): 19881 (JSC::JSObject::createArrayStorage): 19882 (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements): 19883 (JSC::JSObject::increaseVectorLength): 19884 (JSC::JSObject::ensureLengthSlow): 19885 (JSC::JSObject::growOutOfLineStorage): 19886 * runtime/JSObject.h: 19887 (JSC::JSObject::JSObject): 19888 * runtime/Operations.h: 19889 * runtime/RegExpMatchesArray.cpp: 19890 (JSC::RegExpMatchesArray::create): 19891 * runtime/StructureInlines.h: 19892 (JSC): 19893 * runtime/WriteBarrier.h: 19894 (JSC): 19895 198962013-05-27 Filip Pizlo <fpizlo@apple.com> 19897 19898 testRunner should be able to tell you if a function is DFG compiled 19899 https://bugs.webkit.org/show_bug.cgi?id=116847 19900 19901 Reviewed by Mark Hahnenberg. 19902 19903 * API/JSCTestRunnerUtils.cpp: Added. 19904 (JSC): 19905 (JSC::numberOfDFGCompiles): 19906 * API/JSCTestRunnerUtils.h: Added. 19907 (JSC): 19908 * JavaScriptCore.xcodeproj/project.pbxproj: 19909 * bytecode/CodeBlock.cpp: 19910 (JSC::CodeBlock::numberOfDFGCompiles): 19911 (JSC): 19912 * bytecode/CodeBlock.h: 19913 (CodeBlock): 19914 * dfg/DFGWorklist.cpp: 19915 (JSC::DFG::Worklist::runThread): 19916 * runtime/Executable.h: 19917 (JSC): 19918 * runtime/JSFunctionInlines.h: Added. 19919 (JSC): 19920 (JSC::JSFunction::JSFunction): 19921 (JSC::JSFunction::jsExecutable): 19922 (JSC::JSFunction::isHostFunction): 19923 (JSC::JSFunction::nativeFunction): 19924 (JSC::JSFunction::nativeConstructor): 19925 * runtime/Operations.h: 19926 199272013-05-27 Filip Pizlo <fpizlo@apple.com> 19928 19929 fourthTier: DFG ArithMod should have the !nodeUsedAsNumber optimizations that ArithDiv has 19930 https://bugs.webkit.org/show_bug.cgi?id=116841 19931 19932 Reviewed by Mark Hahnenberg. 19933 19934 * dfg/DFGSpeculativeJIT.cpp: 19935 (JSC::DFG::SpeculativeJIT::compileArithMod): 19936 199372013-05-26 Filip Pizlo <fpizlo@apple.com> 19938 19939 fourthTier: clean up ArithDiv/ArithMod in the DFG 19940 https://bugs.webkit.org/show_bug.cgi?id=116793 19941 19942 Reviewed by Mark Hahnenberg. 19943 19944 This makes ArithDiv and ArithMod behave similarly, and moves both of their 19945 implementations entirely into DFGSpeculativeJIT.cpp into methods named like 19946 the ones for ArithSub/ArithMul. 19947 19948 Specifically, ArithMod now uses the wrap-in-conversion-nodes idiom that 19949 ArithDiv used for platforms that don't support integer division. Previously 19950 ArithMod had its own int-to-double and double-to-int conversions for this 19951 purpose. 19952 19953 As well, this gets rid of confusing methods like compileSoftModulo() (which 19954 did no such thing, there wasn't anything "soft" about it) and 19955 compileIntegerArithDivForX86() (which is accurately named but we don't use 19956 the platform-specific method convention anywhere else). 19957 19958 Finally, this takes the optimized power-of-two modulo operation that was 19959 previously only for ARMv7s, and makes it available for all platforms. Well, 19960 sort of: I actually rewrote it to do what latest LLVM appears to do, which 19961 is a crazy straight-line power-of-2 modulo based on a combination of shifts, 19962 ands, additions, and subtractions. I can kind of understand it well enough 19963 to see that it complies with both C and JS power-of-2 modulo semantics. I've 19964 also confirmed that it does by testing (hence the corresponding improvements 19965 to one of the division tests). But, I don't claim to know exactly how this 19966 code works other than to observe that it is super leet. 19967 19968 Overall, this patch has the effect of killing some code (no more hackish 19969 int-to-double conversions in ArithMod), making some optimization work on 19970 more platforms, and making the compiler less confusing by doing more things 19971 with the same idiom. 19972 19973 * dfg/DFGAbstractState.cpp: 19974 (JSC::DFG::AbstractState::executeEffects): 19975 * dfg/DFGFixupPhase.cpp: 19976 (JSC::DFG::FixupPhase::fixupNode): 19977 * dfg/DFGSpeculativeJIT.cpp: 19978 (DFG): 19979 (JSC::DFG::SpeculativeJIT::compileArithDiv): 19980 (JSC::DFG::SpeculativeJIT::compileArithMod): 19981 * dfg/DFGSpeculativeJIT.h: 19982 (SpeculativeJIT): 19983 * dfg/DFGSpeculativeJIT32_64.cpp: 19984 (JSC::DFG::SpeculativeJIT::compile): 19985 * dfg/DFGSpeculativeJIT64.cpp: 19986 (JSC::DFG::SpeculativeJIT::compile): 19987 199882013-05-25 Filip Pizlo <fpizlo@apple.com> 19989 19990 fourthTier: cti_optimize shouldn't allow GCs to get in the way of it seeing the state of its CodeBlock 19991 https://bugs.webkit.org/show_bug.cgi?id=116748 19992 19993 Reviewed by Geoffrey Garen. 19994 19995 This fixes the following race: an optimized version of our code block could be installed 19996 by the GC just as we return from completeAllReadyPlansForVM(), leading us to believe 19997 that the code block isn't ready yet even though it is. Currently this triggers a 19998 RELEASE_ASSERT. We could remove that assertion, but then this case would lead to the 19999 code in question entering into optimizeAfterWarmUp mode. That seems pretty wasteful. 20000 20001 Fix the bug, and hopefully close the door on these bugs for a while, by wrapping 20002 cti_optimize in a DeferGC. There is little downside to doing so since the only 20003 "allocations" in cti_optimize are the ones where we inform the GC about extra memory 20004 usage. 20005 20006 I had a more comprehensive solution (see the bug, "work in progress" patch) but that 20007 one involved adding *more* raciness to cti_optimize. I decided that was a less good 20008 approach once I came to appreciate the simplicity of just using DeferGC. 20009 20010 * jit/JITStubs.cpp: 20011 (JSC::DEFINE_STUB_FUNCTION): 20012 200132013-05-25 Filip Pizlo <fpizlo@apple.com> 20014 20015 fourthTier: FTL should support ArithDiv 20016 https://bugs.webkit.org/show_bug.cgi?id=116771 20017 20018 Reviewed by Oliver Hunt. 20019 20020 * ftl/FTLAbbreviations.h: 20021 (JSC::FTL::buildDiv): 20022 (JSC::FTL::buildRem): 20023 (JSC::FTL::buildFDiv): 20024 * ftl/FTLCapabilities.cpp: 20025 (JSC::FTL::canCompile): 20026 * ftl/FTLCommonValues.cpp: 20027 (JSC::FTL::CommonValues::CommonValues): 20028 * ftl/FTLCommonValues.h: 20029 (CommonValues): 20030 * ftl/FTLLowerDFGToLLVM.cpp: 20031 (JSC::FTL::LowerDFGToLLVM::compileNode): 20032 (JSC::FTL::LowerDFGToLLVM::compileArithMul): 20033 (JSC::FTL::LowerDFGToLLVM::compileArithDiv): 20034 (LowerDFGToLLVM): 20035 * ftl/FTLOutput.h: 20036 (JSC::FTL::Output::div): 20037 (JSC::FTL::Output::rem): 20038 (JSC::FTL::Output::doubleDiv): 20039 200402013-05-25 Mark Lam <mark.lam@apple.com> 20041 20042 Remove Interpreter::retrieveLastCaller(). 20043 https://bugs.webkit.org/show_bug.cgi?id=116753. 20044 20045 Reviewed by Geoffrey Garen. 20046 20047 This is part of the refactoring effort to get rid of functions walking 20048 the JS stack in their own way. 20049 20050 * API/JSContextRef.cpp: 20051 (JSContextCreateBacktrace): 20052 * interpreter/CallFrame.cpp: 20053 * interpreter/Interpreter.cpp: 20054 (JSC::Interpreter::Interpreter): 20055 (JSC::Interpreter::getStackTrace): 20056 (JSC::Interpreter::addStackTraceIfNecessary): 20057 * interpreter/Interpreter.h: 20058 (StackFrame): 20059 (JSC::StackFrame::StackFrame): 20060 (Interpreter): 20061 * jsc.cpp: 20062 (functionJSCStack): 20063 * profiler/ProfileGenerator.cpp: 20064 (JSC::ProfileGenerator::addParentForConsoleStart): 20065 200662013-05-24 Filip Pizlo <fpizlo@apple.com> 20067 20068 fourthTier: FTL boolify should support ObjectOrOtherUse 20069 https://bugs.webkit.org/show_bug.cgi?id=116741 20070 20071 Reviewed by Geoffrey Garen. 20072 20073 Just reusing what was already there in equalNullOrUndefined(). Note that we will 20074 sometimes generate some redundant IR - like having some spurious bitNot's in 20075 places - but it's safe to assume that LLVM will simplify those, and that it won't 20076 be the longest pole in the tent for compile times. 20077 20078 * ftl/FTLCapabilities.cpp: 20079 (JSC::FTL::canCompile): 20080 * ftl/FTLLowerDFGToLLVM.cpp: 20081 (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant): 20082 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant): 20083 (JSC::FTL::LowerDFGToLLVM::boolify): 20084 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined): 20085 200862013-05-24 Filip Pizlo <fpizlo@apple.com> 20087 20088 fourthTier: FTL should support LogicalNot and Branch on Int32 and Number 20089 https://bugs.webkit.org/show_bug.cgi?id=116739 20090 20091 Reviewed by Gavin Barraclough. 20092 20093 * ftl/FTLCapabilities.cpp: 20094 (JSC::FTL::canCompile): 20095 * ftl/FTLLowerDFGToLLVM.cpp: 20096 (JSC::FTL::LowerDFGToLLVM::compileLogicalNot): 20097 (JSC::FTL::LowerDFGToLLVM::compileBranch): 20098 (JSC::FTL::LowerDFGToLLVM::boolify): 20099 (LowerDFGToLLVM): 20100 * ftl/FTLOutput.h: 20101 (JSC::FTL::Output::isZero32): 20102 (JSC::FTL::Output::notZero32): 20103 201042013-05-23 Filip Pizlo <fpizlo@apple.com> 20105 20106 fourthTier: add heuristics to reduce the likelihood of a trivially inlineable function being independently compiled by the concurrent JIT 20107 https://bugs.webkit.org/show_bug.cgi?id=116557 20108 20109 Reviewed by Geoffrey Garen. 20110 20111 This introduces a fairly comprehensive mechanism for preventing trivially inlineable 20112 functions from being compiled independently of all of the things into which they end 20113 up being inlined. 20114 20115 The trick is CodeBlock::m_shouldAlwaysBeInlined, or SABI for short (that's what the 20116 debug logging calls it). A SABI function is one that we currently believe should 20117 never be DFG optimized because it should always be inlined into the functions that 20118 call it. SABI follows "innocent until proven guilty": all functions start out SABI 20119 and have SABI set to false if we see proof that that function may be called in some 20120 possibly non-inlineable way. So long as a function is SABI, it will not tier up to 20121 the DFG: cti_optimize will perpetually postpone its optimization. Because SABI has 20122 such a severe effect, we make the burden of proof of guilt quite low. SABI gets 20123 cleared if any of the following happen: 20124 20125 - You get called from native code (either through CallData or CachedCall). 20126 20127 - You get called from an eval, since eval code takes a long time to get DFG 20128 optimized. 20129 20130 - You get called from global code, since often global code doesn't tier-up since 20131 it's run-once. 20132 20133 - You get called recursively, where recursion is detected by a stack walk of depth 20134 Options::maximumInliningDepth(). 20135 20136 - You get called through an unlinked virtual call. 20137 20138 - You get called from DFG code, since if the caller was already DFG optimized and 20139 didn't inline you then obviously, you might not get inlined. 20140 20141 - You've tiered up to the baseline JIT and you get called from the interpreter. 20142 The idea here is that this kind of ensures that you stay SABI only if you're 20143 called no more frequently than any of your callers. 20144 20145 - You get called from a code block that isn't a DFG candidate. 20146 20147 - You aren't an inlining candidate. 20148 20149 Most of the heuristics for SABI are in CodeBlock::noticeIncomingCall(). 20150 20151 This is neutral on SunSpider and V8Spider, and appears to be a slight speed-up on 20152 V8v7, which was previously adversely affected by concurrent compilation. I also 20153 confirmed that for example on V8/richards, it dramatically reduces the number of 20154 code blocks that get DFG compiled. It is a speed-up on those V8v7 benchmarks that 20155 saw regressions from concurrent compilation. 20156 20157 * bytecode/CodeBlock.cpp: 20158 (JSC::CodeBlock::dumpAssumingJITType): 20159 (JSC::CodeBlock::CodeBlock): 20160 (JSC::CodeBlock::linkIncomingCall): 20161 (JSC): 20162 (JSC::CodeBlock::noticeIncomingCall): 20163 * bytecode/CodeBlock.h: 20164 (CodeBlock): 20165 * dfg/DFGCapabilities.h: 20166 (JSC::DFG::mightInlineFunction): 20167 (DFG): 20168 * dfg/DFGPlan.cpp: 20169 (JSC::DFG::Plan::compileInThread): 20170 * dfg/DFGRepatch.cpp: 20171 (JSC::DFG::dfgLinkFor): 20172 * interpreter/Interpreter.cpp: 20173 (JSC::Interpreter::executeCall): 20174 (JSC::Interpreter::executeConstruct): 20175 (JSC::Interpreter::prepareForRepeatCall): 20176 * jit/JIT.cpp: 20177 (JSC::JIT::privateCompile): 20178 (JSC::JIT::linkFor): 20179 * jit/JIT.h: 20180 (JIT): 20181 * jit/JITStubs.cpp: 20182 (JSC::DEFINE_STUB_FUNCTION): 20183 (JSC::lazyLinkFor): 20184 * llint/LLIntSlowPaths.cpp: 20185 (JSC::LLInt::setUpCall): 20186 201872013-05-23 Filip Pizlo <fpizlo@apple.com> 20188 20189 fourthTier: rationalize DFG::CapabilityLevel and DFGCapabilities.[h|cpp] 20190 https://bugs.webkit.org/show_bug.cgi?id=116696 20191 20192 Reviewed by Sam Weinig. 20193 20194 Make it so that all capability calculation is funneled through one function, which tells 20195 you everything you wanted to know: can it be inlined, and can it be compiled. 20196 20197 This work will help with https://bugs.webkit.org/show_bug.cgi?id=116557, since now the 20198 JIT has a fairly authoritative answer to the "can it be inlined" question. 20199 20200 * bytecode/CodeBlock.cpp: 20201 (JSC::CodeBlock::CodeBlock): 20202 (JSC::ProgramCodeBlock::capabilityLevelInternal): 20203 (JSC::EvalCodeBlock::capabilityLevelInternal): 20204 (JSC::FunctionCodeBlock::capabilityLevelInternal): 20205 * bytecode/CodeBlock.h: 20206 (CodeBlock): 20207 (JSC::CodeBlock::capabilityLevel): 20208 (JSC::CodeBlock::capabilityLevelState): 20209 (ProgramCodeBlock): 20210 (EvalCodeBlock): 20211 (FunctionCodeBlock): 20212 * dfg/DFGCapabilities.cpp: 20213 (JSC::DFG::debugFail): 20214 (DFG): 20215 (JSC::DFG::canInlineResolveOperations): 20216 (JSC::DFG::capabilityLevel): 20217 * dfg/DFGCapabilities.h: 20218 (DFG): 20219 (JSC::DFG::capabilityLevel): 20220 (JSC::DFG::evalCapabilityLevel): 20221 (JSC::DFG::programCapabilityLevel): 20222 (JSC::DFG::functionForCallCapabilityLevel): 20223 (JSC::DFG::functionForConstructCapabilityLevel): 20224 (JSC::DFG::canInlineFunctionForCall): 20225 (JSC::DFG::canInlineFunctionForClosureCall): 20226 (JSC::DFG::canInlineFunctionForConstruct): 20227 * dfg/DFGCommon.h: 20228 (JSC::DFG::canCompile): 20229 (DFG): 20230 (JSC::DFG::canInline): 20231 (JSC::DFG::leastUpperBound): 20232 * dfg/DFGDriver.cpp: 20233 (JSC::DFG::compile): 20234 * jit/JIT.cpp: 20235 (JSC::JIT::privateCompile): 20236 * jit/JITPropertyAccess.cpp: 20237 (JSC::JIT::privateCompilePutByIdTransition): 20238 * jit/JITPropertyAccess32_64.cpp: 20239 (JSC::JIT::privateCompilePutByIdTransition): 20240 * tools/CodeProfile.cpp: 20241 (JSC::CodeProfile::sample): 20242 202432013-05-22 Filip Pizlo <fpizlo@apple.com> 20244 20245 Rename getJITCode and getJITType to jitCode and jitType. 20246 20247 Rubber stampted by Mark Hahnenberg. 20248 20249 * assembler/RepatchBuffer.h: 20250 (JSC::RepatchBuffer::RepatchBuffer): 20251 * bytecode/CodeBlock.cpp: 20252 (JSC::CodeBlock::dump): 20253 (JSC::CodeBlock::visitAggregate): 20254 (JSC::CodeBlock::finalizeUnconditionally): 20255 (JSC::CodeBlock::resetStubInternal): 20256 (JSC::CodeBlock::stronglyVisitWeakReferences): 20257 (JSC::CodeBlock::baselineVersion): 20258 (JSC::CodeBlock::hasOptimizedReplacement): 20259 (JSC::CodeBlock::bytecodeOffset): 20260 (JSC::CodeBlock::codeOriginForReturn): 20261 (JSC::ProgramCodeBlock::compileOptimized): 20262 (JSC::EvalCodeBlock::compileOptimized): 20263 (JSC::FunctionCodeBlock::compileOptimized): 20264 (JSC::ProgramCodeBlock::jettison): 20265 (JSC::EvalCodeBlock::jettison): 20266 (JSC::FunctionCodeBlock::jettison): 20267 (JSC::ProgramCodeBlock::jitCompileImpl): 20268 (JSC::EvalCodeBlock::jitCompileImpl): 20269 (JSC::FunctionCodeBlock::jitCompileImpl): 20270 (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult): 20271 (JSC::CodeBlock::adjustedExitCountThreshold): 20272 (JSC::CodeBlock::tallyFrequentExitSites): 20273 * bytecode/CodeBlock.h: 20274 (JSC::CodeBlock::getCallLinkInfo): 20275 (JSC::CodeBlock::jitCode): 20276 (JSC::CodeBlock::jitCodeWithArityCheck): 20277 (JSC::CodeBlock::jitType): 20278 (JSC::CodeBlock::hasBaselineJITProfiling): 20279 (JSC::CodeBlock::jitCompile): 20280 (JSC::CodeBlock::addFrequentExitSite): 20281 (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): 20282 (JSC::ExecState::isInlineCallFrame): 20283 * dfg/DFGAssemblyHelpers.cpp: 20284 (JSC::DFG::AssemblyHelpers::decodedCodeMapFor): 20285 * dfg/DFGAssemblyHelpers.h: 20286 (JSC::DFG::AssemblyHelpers::AssemblyHelpers): 20287 * dfg/DFGDriver.cpp: 20288 (JSC::DFG::compile): 20289 * dfg/DFGOSREntry.cpp: 20290 (JSC::DFG::prepareOSREntry): 20291 * dfg/DFGOSRExit.cpp: 20292 (JSC::DFG::OSRExit::codeLocationForRepatch): 20293 * dfg/DFGOSRExitCompiler.cpp: 20294 * dfg/DFGOSRExitCompilerCommon.cpp: 20295 (JSC::DFG::reifyInlinedCallFrames): 20296 (JSC::DFG::adjustAndJumpToTarget): 20297 * dfg/DFGOperations.cpp: 20298 * dfg/DFGVariableEventStream.cpp: 20299 (JSC::DFG::VariableEventStream::reconstruct): 20300 * ftl/FTLOSRExit.cpp: 20301 (JSC::FTL::OSRExit::codeLocationForRepatch): 20302 * ftl/FTLOSRExitCompiler.cpp: 20303 (JSC::FTL::compileFTLOSRExit): 20304 * heap/DFGCodeBlocks.cpp: 20305 (JSC::DFGCodeBlocks::~DFGCodeBlocks): 20306 (JSC::DFGCodeBlocks::jettison): 20307 (JSC::DFGCodeBlocks::clearMarks): 20308 (JSC::DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks): 20309 (JSC::DFGCodeBlocks::traceMarkedCodeBlocks): 20310 * interpreter/Interpreter.cpp: 20311 (JSC::getLineNumberForCallFrame): 20312 (JSC::getCallerInfo): 20313 * jit/JITDriver.h: 20314 (JSC::jitCompileIfAppropriateImpl): 20315 (JSC::jitCompileFunctionIfAppropriateImpl): 20316 * jit/JITStubs.cpp: 20317 (JSC::DEFINE_STUB_FUNCTION): 20318 * llint/LLIntSlowPaths.cpp: 20319 (JSC::LLInt::entryOSR): 20320 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 20321 * runtime/Executable.cpp: 20322 (JSC::jettisonCodeBlock): 20323 (JSC::EvalExecutable::compileOptimized): 20324 (JSC::EvalExecutable::jettisonOptimizedCode): 20325 (JSC::ProgramExecutable::compileOptimized): 20326 (JSC::ProgramExecutable::jettisonOptimizedCode): 20327 (JSC::FunctionExecutable::baselineCodeBlockFor): 20328 (JSC::FunctionExecutable::compileOptimizedForCall): 20329 (JSC::FunctionExecutable::compileOptimizedForConstruct): 20330 (JSC::FunctionExecutable::jettisonOptimizedCodeForCall): 20331 (JSC::FunctionExecutable::jettisonOptimizedCodeForConstruct): 20332 * tools/CodeProfile.cpp: 20333 (JSC::CodeProfile::sample): 20334 203352013-05-22 Filip Pizlo <fpizlo@apple.com> 20336 20337 fourthTier: Race between LLInt->Baseline tier-up and DFG reading Baseline profiling data 20338 https://bugs.webkit.org/show_bug.cgi?id=116633 20339 20340 Reviewed by Mark Hahnenberg. 20341 20342 Previously we would check if we had Baseline JIT profiling data by seeing if the 20343 appropriate vector was non-empty. This is horrible if we're doing LLInt->Baseline 20344 tier-up at the same time. This will happen for code we are inlining, if we're 20345 deciding to inline it before the LLInt->Baseline tier-up happened for that code. 20346 20347 This changes things to take advantage of the fact that the very last thing that 20348 LLInt->Baseline tier-up will do (in JITDriver.h) is setJITCode(). We now precede 20349 the actual work in setJITCode() with a store-store fence to ensure that all 20350 stores to modify the CodeBlock happen before setting the JITCode, and we modify 20351 CodeBlock::getJITType() to use load-load fences to ensure that if you see 20352 JITCode::BaselineJIT then you will also see all of those vectors. Then this 20353 changes all of the code that scrapes Baseline JIT profiles to check if 20354 getJITType() returns JITCode::BaselineJIT instead of checking vector sizes. 20355 20356 The outcome is that for the non-racy cases we behave as we did before (we fall 20357 back on LLInt profiling if the tier-up hasn't happened) and for racy cases we 20358 use LLInt profiling conservatively. 20359 20360 Note that for some (but not all!) of the cases where we scrape Baseline JIT 20361 profiling, we would have anyway been holding the CodeBlock::m_lock so we can also 20362 fix those cases by just having setJITCode graph that lock. This patch does that 20363 also, mainly because although we only call setJITCode() from the main thread, in 20364 general it's dangerous to have a pointer to a ref-counted object being modified 20365 in a racy way. So, this patch just does the most conservative thing possible that 20366 does we can afford to do. 20367 20368 * bytecode/CallLinkStatus.cpp: 20369 (JSC::CallLinkStatus::computeFor): 20370 * bytecode/CodeBlock.h: 20371 (JSC::CodeBlock::setJITCode): 20372 (JSC::CodeBlock::getJITType): 20373 (JSC::CodeBlock::hasBaselineJITProfiling): 20374 (JSC::CodeBlock::likelyToTakeSlowCase): 20375 (JSC::CodeBlock::couldTakeSlowCase): 20376 (JSC::CodeBlock::likelyToTakeSpecialFastCase): 20377 (JSC::CodeBlock::couldTakeSpecialFastCase): 20378 (JSC::CodeBlock::likelyToTakeDeepestSlowCase): 20379 (JSC::CodeBlock::likelyToTakeAnySlowCase): 20380 * bytecode/GetByIdStatus.cpp: 20381 (JSC::GetByIdStatus::computeFor): 20382 * bytecode/PutByIdStatus.cpp: 20383 (JSC::PutByIdStatus::computeFor): 20384 203852013-05-22 Filip Pizlo <fpizlo@apple.com> 20386 20387 fourthTier: It should be possible to use more than one compiler thread 20388 https://bugs.webkit.org/show_bug.cgi?id=116630 20389 20390 Reviewed by Mark Hahnenberg. 20391 20392 This gives us the ability to use more compiler threads, but doesn't actually 20393 enable the functionality because it isn't a speed-up on any benchmark. It can 20394 even be a slow-down. This also adds the ability to disable concurrent 20395 compilation if we're on a uniprocessor machine, and adds more logging to the 20396 worklist code to allow us to investigate how many threads are active. It 20397 appears that even on the most compiler-heavy benchmarks, we never have enough 20398 work for more than 4 threads, and even then the 4 threads are all active for 20399 a short time. 20400 20401 Something that having more threads does accomplish is that it shakes out bugs. 20402 This patch fixes a bug with Watchpoint not being thread-safe ref-counted, 20403 which enabling 7 compilation threads did catch. 20404 20405 As it stands, this patch is performance-neutral and just fixes bugs and adds 20406 some options. 20407 20408 * bytecode/Watchpoint.h: 20409 * dfg/DFGCommon.h: 20410 (JSC::DFG::enableConcurrentJIT): 20411 * dfg/DFGWorklist.cpp: 20412 (JSC::DFG::Worklist::Worklist): 20413 (JSC::DFG::Worklist::~Worklist): 20414 (JSC::DFG::Worklist::finishCreation): 20415 (JSC::DFG::Worklist::create): 20416 (JSC::DFG::Worklist::enqueue): 20417 (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady): 20418 (JSC::DFG::Worklist::dump): 20419 (JSC::DFG::Worklist::runThread): 20420 (JSC::DFG::initializeGlobalWorklistOnce): 20421 * dfg/DFGWorklist.h: 20422 * runtime/Options.cpp: 20423 (JSC::computeNumberOfWorkerThreads): 20424 (JSC): 20425 (JSC::computeNumberOfGCMarkers): 20426 * runtime/Options.h: 20427 (JSC): 20428 204292013-05-22 Filip Pizlo <fpizlo@apple.com> 20430 20431 fourthTier: FTL shouldn't use the LLVM global context, and should instead create its own context for each compilation 20432 https://bugs.webkit.org/show_bug.cgi?id=116631 20433 20434 Reviewed by Mark Hahnenberg. 20435 20436 In the future we might want to share contexts for multiple compilations, but for 20437 now using one context per compilation is a progression over just constantly using 20438 the global context. 20439 20440 * dfg/DFGPlan.cpp: 20441 (JSC::DFG::Plan::compileInThread): 20442 (DFG): 20443 (JSC::DFG::Plan::compileInThreadImpl): 20444 * dfg/DFGPlan.h: 20445 * ftl/FTLAbbreviatedTypes.h: 20446 (FTL): 20447 * ftl/FTLAbbreviations.h: 20448 (JSC::FTL::voidType): 20449 (JSC::FTL::int1Type): 20450 (JSC::FTL::int8Type): 20451 (JSC::FTL::int32Type): 20452 (JSC::FTL::int64Type): 20453 (JSC::FTL::intPtrType): 20454 (JSC::FTL::doubleType): 20455 (JSC::FTL::structType): 20456 (JSC::FTL::mdKindID): 20457 (JSC::FTL::mdString): 20458 (JSC::FTL::mdNode): 20459 (JSC::FTL::appendBasicBlock): 20460 (JSC::FTL::insertBasicBlock): 20461 * ftl/FTLAbstractHeap.cpp: 20462 (JSC::FTL::AbstractHeap::tbaaMetadataSlow): 20463 (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap): 20464 (JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap): 20465 (JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap): 20466 * ftl/FTLAbstractHeap.h: 20467 (IndexedAbstractHeap): 20468 (NumberedAbstractHeap): 20469 (AbsoluteAbstractHeap): 20470 * ftl/FTLAbstractHeapRepository.cpp: 20471 (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository): 20472 * ftl/FTLAbstractHeapRepository.h: 20473 (AbstractHeapRepository): 20474 * ftl/FTLCommonValues.cpp: 20475 (JSC::FTL::CommonValues::CommonValues): 20476 * ftl/FTLCommonValues.h: 20477 (CommonValues): 20478 * ftl/FTLCompile.cpp: 20479 (JSC::FTL::mmAllocateCodeSection): 20480 * ftl/FTLIntrinsicRepository.cpp: 20481 (JSC::FTL::IntrinsicRepository::IntrinsicRepository): 20482 * ftl/FTLIntrinsicRepository.h: 20483 (FTL): 20484 (IntrinsicRepository): 20485 * ftl/FTLLowerDFGToLLVM.cpp: 20486 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM): 20487 (JSC::FTL::LowerDFGToLLVM::lower): 20488 * ftl/FTLOutput.cpp: 20489 (JSC::FTL::Output::Output): 20490 * ftl/FTLOutput.h: 20491 (Output): 20492 (JSC::FTL::Output::newBlock): 20493 * ftl/FTLState.cpp: 20494 (JSC::FTL::State::State): 20495 (JSC::FTL::State::~State): 20496 (FTL): 20497 * ftl/FTLState.h: 20498 (State): 20499 * runtime/Options.h: 20500 (JSC): 20501 205022013-05-18 Filip Pizlo <fpizlo@apple.com> 20503 20504 FTL should force LLVM to use our own JIT memory allocator, and we shouldn't have to keep around an LLVMExecutionEngineRef to keep code alive 20505 https://bugs.webkit.org/show_bug.cgi?id=113619 20506 20507 Reviewed by Geoffrey Garen. 20508 20509 This uses new API that I've exposed, which allows for memory manager callbacks 20510 from within LLVM. LLVM may allocate multiple independent chunks of memory for 20511 a module, and we track all of those in a Vector in FTL::JITCode. 20512 20513 * ftl/FTLCompile.cpp: 20514 (JSC::FTL::mmAllocateCodeSection): 20515 (FTL): 20516 (JSC::FTL::mmAllocateDataSection): 20517 (JSC::FTL::mmApplyPermissions): 20518 (JSC::FTL::mmDestroy): 20519 (JSC::FTL::compile): 20520 * ftl/FTLJITCode.cpp: 20521 (JSC::FTL::JITCode::JITCode): 20522 (JSC::FTL::JITCode::~JITCode): 20523 (JSC::FTL::JITCode::addHandle): 20524 (FTL): 20525 (JSC::FTL::JITCode::initializeCode): 20526 * ftl/FTLJITCode.h: 20527 (JITCode): 20528 (JSC::FTL::JITCode::handles): 20529 * ftl/FTLJITFinalizer.cpp: 20530 (JSC::FTL::JITFinalizer::~JITFinalizer): 20531 (JSC::FTL::JITFinalizer::finalizeFunction): 20532 * ftl/FTLJITFinalizer.h: 20533 (JSC::FTL::JITFinalizer::initializeEntrypointLinkBuffer): 20534 (JITFinalizer): 20535 * ftl/FTLLink.cpp: 20536 (JSC::FTL::link): 20537 * ftl/FTLState.cpp: 20538 (JSC::FTL::State::State): 20539 * ftl/FTLState.h: 20540 (State): 20541 205422013-05-12 Filip Pizlo <fpizlo@apple.com> 20543 20544 fourthTier: FTL shouldn't use FastISel and Small code model should be turned off for now 20545 https://bugs.webkit.org/show_bug.cgi?id=115998 20546 20547 Reviewed by Oliver Hunt. 20548 20549 This switches off FastISel and makes it possible to turn off Small code model. 20550 20551 * ftl/FTLCompile.cpp: 20552 (JSC::FTL::compile): 20553 * runtime/Options.h: 20554 (JSC): 20555 205562013-05-21 Filip Pizlo <fpizlo@apple.com> 20557 20558 fourthTier: should use ConcurrentJITLock[er] directly and not through typedef 20559 https://bugs.webkit.org/show_bug.cgi?id=116561 20560 20561 Rubber stamped by Geoffrey Garen. 20562 20563 * JavaScriptCore.xcodeproj/project.pbxproj: 20564 * bytecode/ArrayProfile.cpp: 20565 (JSC::ArrayProfile::computeUpdatedPrediction): 20566 (JSC::ArrayProfile::briefDescription): 20567 * bytecode/ArrayProfile.h: 20568 (ArrayProfile): 20569 (JSC::ArrayProfile::expectedStructure): 20570 (JSC::ArrayProfile::structureIsPolymorphic): 20571 (JSC::ArrayProfile::hasDefiniteStructure): 20572 (JSC::ArrayProfile::observedArrayModes): 20573 (JSC::ArrayProfile::mayInterceptIndexedAccesses): 20574 (JSC::ArrayProfile::mayStoreToHole): 20575 (JSC::ArrayProfile::outOfBounds): 20576 (JSC::ArrayProfile::usesOriginalArrayStructures): 20577 * bytecode/CallLinkStatus.cpp: 20578 (JSC::CallLinkStatus::computeFor): 20579 * bytecode/CodeBlock.cpp: 20580 (JSC::CodeBlock::dumpValueProfiling): 20581 (JSC::CodeBlock::dumpArrayProfiling): 20582 (JSC::CodeBlock::updateAllPredictionsAndCountLiveness): 20583 (JSC::CodeBlock::updateAllArrayPredictions): 20584 (JSC::CodeBlock::nameForRegister): 20585 * bytecode/CodeBlock.h: 20586 (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset): 20587 (CodeBlock): 20588 * bytecode/CodeBlockLock.h: Removed. 20589 * bytecode/GetByIdStatus.cpp: 20590 (JSC::GetByIdStatus::computeFor): 20591 * bytecode/LazyOperandValueProfile.cpp: 20592 (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions): 20593 (JSC::CompressedLazyOperandValueProfileHolder::add): 20594 (JSC::LazyOperandValueProfileParser::initialize): 20595 (JSC::LazyOperandValueProfileParser::prediction): 20596 * bytecode/LazyOperandValueProfile.h: 20597 (CompressedLazyOperandValueProfileHolder): 20598 (LazyOperandValueProfileParser): 20599 * bytecode/MethodOfGettingAValueProfile.cpp: 20600 (JSC::MethodOfGettingAValueProfile::getSpecFailBucket): 20601 * bytecode/PutByIdStatus.cpp: 20602 (JSC::PutByIdStatus::computeFor): 20603 * bytecode/ResolveGlobalStatus.cpp: 20604 (JSC::ResolveGlobalStatus::computeFor): 20605 * bytecode/ValueProfile.h: 20606 (JSC::ValueProfileBase::briefDescription): 20607 (JSC::ValueProfileBase::computeUpdatedPrediction): 20608 * bytecompiler/BytecodeGenerator.cpp: 20609 (JSC::BytecodeGenerator::addVar): 20610 * dfg/DFGArrayMode.cpp: 20611 (JSC::DFG::ArrayMode::fromObserved): 20612 * dfg/DFGArrayMode.h: 20613 (ArrayMode): 20614 (JSC::DFG::ArrayMode::withProfile): 20615 * dfg/DFGByteCodeParser.cpp: 20616 (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation): 20617 (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit): 20618 (JSC::DFG::ByteCodeParser::getArrayMode): 20619 (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks): 20620 (JSC::DFG::ByteCodeParser::parseResolveOperations): 20621 (JSC::DFG::ByteCodeParser::parseBlock): 20622 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): 20623 * dfg/DFGFixupPhase.cpp: 20624 (JSC::DFG::FixupPhase::fixupNode): 20625 * dfg/DFGPredictionInjectionPhase.cpp: 20626 (JSC::DFG::PredictionInjectionPhase::run): 20627 * jit/JITInlines.h: 20628 (JSC::JIT::chooseArrayMode): 20629 * jit/JITStubs.cpp: 20630 (JSC::tryCachePutByID): 20631 (JSC::tryCacheGetByID): 20632 (JSC::DEFINE_STUB_FUNCTION): 20633 (JSC::lazyLinkFor): 20634 * llint/LLIntSlowPaths.cpp: 20635 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 20636 (JSC::LLInt::setUpCall): 20637 * profiler/ProfilerBytecodeSequence.cpp: 20638 (JSC::Profiler::BytecodeSequence::BytecodeSequence): 20639 * runtime/Executable.cpp: 20640 (JSC::ProgramExecutable::addGlobalVar): 20641 * runtime/JSActivation.cpp: 20642 (JSC::JSActivation::getOwnNonIndexPropertyNames): 20643 (JSC::JSActivation::symbolTablePutWithAttributes): 20644 * runtime/JSScope.cpp: 20645 (JSC::JSScope::resolveContainingScopeInternal): 20646 (JSC::JSScope::resolvePut): 20647 * runtime/JSSegmentedVariableObject.cpp: 20648 (JSC::JSSegmentedVariableObject::findRegisterIndex): 20649 (JSC::JSSegmentedVariableObject::addRegisters): 20650 * runtime/JSSegmentedVariableObject.h: 20651 (JSSegmentedVariableObject): 20652 * runtime/JSSymbolTableObject.cpp: 20653 (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames): 20654 * runtime/JSSymbolTableObject.h: 20655 (JSC::symbolTableGet): 20656 (JSC::symbolTablePut): 20657 (JSC::symbolTablePutWithAttributes): 20658 * runtime/Structure.cpp: 20659 (JSC::Structure::materializePropertyMap): 20660 (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently): 20661 (JSC::Structure::addPropertyTransition): 20662 (JSC::Structure::takePropertyTableOrCloneIfPinned): 20663 (JSC::Structure::nonPropertyTransition): 20664 (JSC::Structure::putSpecificValue): 20665 (JSC::Structure::remove): 20666 (JSC::Structure::createPropertyMap): 20667 * runtime/Structure.h: 20668 (Structure): 20669 * runtime/SymbolTable.h: 20670 (SymbolTable): 20671 (JSC::SymbolTable::find): 20672 (JSC::SymbolTable::get): 20673 (JSC::SymbolTable::inlineGet): 20674 (JSC::SymbolTable::begin): 20675 (JSC::SymbolTable::end): 20676 (JSC::SymbolTable::size): 20677 (JSC::SymbolTable::add): 20678 (JSC::SymbolTable::set): 20679 (JSC::SymbolTable::contains): 20680 206812013-05-20 Filip Pizlo <fpizlo@apple.com> 20682 20683 fourthTier: DFG should be able to run on a separate thread 20684 https://bugs.webkit.org/show_bug.cgi?id=112839 20685 20686 Reviewed by Geoffrey Garen. 20687 20688 This is the final bit of concurrent JITing. The idea is that there is a 20689 single global worklist, and a single global thread, that does all 20690 optimizing compilation. This is the DFG::Worklist. It contains a queue of 20691 DFG::Plans, and a map from CodeBlock* (the baseline code block we're 20692 trying to optimize) to DFG::Plan. If the DFGDriver tries to concurrently 20693 compile something, it puts the Plan on the Worklist. The Worklist's 20694 thread will compile that Plan eventually, and when it's done, it will 20695 signal its completion by (1) notifying anyone waiting for the Worklist to 20696 be done, and (2) forcing the CodeBlock::m_jitExecuteCounter to take slow 20697 path. The next Baseline JIT cti_optimize call will then install all ready 20698 (i.e. compiled) Plans for that VM. Note that (1) is only for the GC and 20699 VM shutdown, which will want to ensure that there aren't any outstanding 20700 async compilations before proceeding. They do so by simply waiting for 20701 all of the plans for the current VM to complete. (2) is the actual way 20702 that code typically gets installed. 20703 20704 This is all very racy by design. For example, just as we try to force the 20705 execute counter to take slow path, the main thread may be setting the 20706 execute counter to some other value. The main thread must set it to 20707 another value because (a) JIT code is constantly incrementing the counter 20708 in a racy way, (b) the cti_optimize slow path will set it to some 20709 large-ish negative value to ensure that cti_optimize isn't called 20710 repeatedly, and (c) OSR exits from previously jettisoned code blocks may 20711 still want to reset the counter values. This "race" is made benign, by 20712 ensuring that while there is an asynchronous compilation, we at worse set 20713 the counter to optimizeAfterWarmUp and never to deferIndefinitely. Hence 20714 if the race happens then the worst case is that we wait another ~1000 20715 counts before installing the optimized code. Another defense is that if 20716 any CodeBlock calls into cti_optimize, then it will check for all ready 20717 plans for the VM - so even if a code block has to wait another ~1000 20718 executions before it calls cti_optimize to do the installation, it may 20719 actually end up being installed sooner because a different code block had 20720 called cti_optimize, potentially for an unrelated reason. 20721 20722 Special care is taken to ensure that installing plans informs the GC 20723 about the increased memory usage, but also ensures that we don't recurse 20724 infinitely - since at start of GC we try to install outstanding plans. 20725 This is done by introducing a new GC deferral mechanism (the DeferGC 20726 block-scoped thingy), which will ensure that GCs don't happen in the 20727 scope but are allowed to happen after. This still leaves the strange 20728 corner case that cti_optimize may install outstanding plans, then GC, and 20729 that GC may jettison the code block that was installed. This, and the 20730 fact that the plan that we took slow path to install could have been a 20731 failed or invalid compile, mean that we have to take special precautions 20732 in cti_optimize. 20733 20734 This patch also fixes a number of small concurrency bugs that I found 20735 when things started running. There are probably more of those bugs still 20736 left to fix. This patch just fixes the ones I know about. 20737 20738 Concurrent compilation is right now only enabled on X86_64 Mac. We need 20739 platforms that are sufficiently CAStastic so that we can do the various 20740 memory fence and CAS tricks that make this safe. We also need a platform 20741 that uses JSVALUE64. And we need pthread_once. So, that pretty much means 20742 just X64_64 for now. Enabling Linux-64_64 should be a breeze, but I'll 20743 leave that up to the Qt and GTK+ ports to do at their discretion. 20744 20745 This is a solid speed-up on SunSpider (8-9%) and V8Spider (16%), our two 20746 main compile-time benchmarks. Most peculiarly, this also appears to 20747 reduce measurement noise, rather than increasing it as you would have 20748 expected. I don't understand that result but I like it anyway. On the 20749 other hand, this is a slight (1%) slow-down on V8v7. I will continue to 20750 investigate this but I think that the results are already good enough 20751 that we should land this as-is. So far, it appears that the slow-down is 20752 due to this breaking the don't-compile-inlineables heuristics. See 20753 investigation in https://bugs.webkit.org/show_bug.cgi?id=116556 and the 20754 bug https://bugs.webkit.org/show_bug.cgi?id=116557. 20755 20756 * JavaScriptCore.xcodeproj/project.pbxproj: 20757 * bytecode/CodeBlock.cpp: 20758 (JSC): 20759 (JSC::CodeBlock::finalizeUnconditionally): 20760 (JSC::CodeBlock::resetStubInternal): 20761 (JSC::CodeBlock::baselineVersion): 20762 (JSC::CodeBlock::hasOptimizedReplacement): 20763 (JSC::CodeBlock::optimizationThresholdScalingFactor): 20764 (JSC::CodeBlock::checkIfOptimizationThresholdReached): 20765 (JSC::CodeBlock::optimizeNextInvocation): 20766 (JSC::CodeBlock::dontOptimizeAnytimeSoon): 20767 (JSC::CodeBlock::optimizeAfterWarmUp): 20768 (JSC::CodeBlock::optimizeAfterLongWarmUp): 20769 (JSC::CodeBlock::optimizeSoon): 20770 (JSC::CodeBlock::forceOptimizationSlowPathConcurrently): 20771 (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult): 20772 (JSC::CodeBlock::updateAllPredictionsAndCountLiveness): 20773 (JSC::CodeBlock::updateAllArrayPredictions): 20774 (JSC::CodeBlock::shouldOptimizeNow): 20775 * bytecode/CodeBlock.h: 20776 (CodeBlock): 20777 (JSC::CodeBlock::jitCompile): 20778 * bytecode/CodeBlockLock.h: 20779 (JSC): 20780 * bytecode/ExecutionCounter.cpp: 20781 (JSC::ExecutionCounter::forceSlowPathConcurrently): 20782 (JSC): 20783 (JSC::ExecutionCounter::setThreshold): 20784 * bytecode/ExecutionCounter.h: 20785 (ExecutionCounter): 20786 * debugger/Debugger.cpp: 20787 (JSC::Debugger::recompileAllJSFunctions): 20788 * dfg/DFGByteCodeParser.cpp: 20789 (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation): 20790 (JSC::DFG::ByteCodeParser::getArrayMode): 20791 (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks): 20792 * dfg/DFGCommon.h: 20793 (JSC::DFG::enableConcurrentJIT): 20794 (DFG): 20795 * dfg/DFGDriver.cpp: 20796 (JSC::DFG::compile): 20797 * dfg/DFGGraph.cpp: 20798 (JSC::DFG::Graph::Graph): 20799 * dfg/DFGGraph.h: 20800 (Graph): 20801 * dfg/DFGOSREntry.cpp: 20802 (JSC::DFG::prepareOSREntry): 20803 * dfg/DFGOperations.cpp: 20804 * dfg/DFGPlan.cpp: 20805 (JSC::DFG::Plan::Plan): 20806 (JSC::DFG::Plan::compileInThread): 20807 (JSC::DFG::Plan::key): 20808 (DFG): 20809 * dfg/DFGPlan.h: 20810 (DFG): 20811 (Plan): 20812 * dfg/DFGWorklist.cpp: Added. 20813 (DFG): 20814 (JSC::DFG::Worklist::Worklist): 20815 (JSC::DFG::Worklist::~Worklist): 20816 (JSC::DFG::Worklist::finishCreation): 20817 (JSC::DFG::Worklist::create): 20818 (JSC::DFG::Worklist::enqueue): 20819 (JSC::DFG::Worklist::compilationState): 20820 (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady): 20821 (JSC::DFG::Worklist::removeAllReadyPlansForVM): 20822 (JSC::DFG::Worklist::completeAllReadyPlansForVM): 20823 (JSC::DFG::Worklist::completeAllPlansForVM): 20824 (JSC::DFG::Worklist::queueLength): 20825 (JSC::DFG::Worklist::dump): 20826 (JSC::DFG::Worklist::runThread): 20827 (JSC::DFG::Worklist::threadFunction): 20828 (JSC::DFG::initializeGlobalWorklistOnce): 20829 (JSC::DFG::globalWorklist): 20830 * dfg/DFGWorklist.h: Added. 20831 (DFG): 20832 (Worklist): 20833 * heap/CopiedSpaceInlines.h: 20834 (JSC::CopiedSpace::allocateBlock): 20835 * heap/DeferGC.h: Added. 20836 (JSC): 20837 (DeferGC): 20838 (JSC::DeferGC::DeferGC): 20839 (JSC::DeferGC::~DeferGC): 20840 * heap/Heap.cpp: 20841 (JSC::Heap::Heap): 20842 (JSC::Heap::reportExtraMemoryCostSlowCase): 20843 (JSC::Heap::collectAllGarbage): 20844 (JSC::Heap::collect): 20845 (JSC::Heap::collectIfNecessaryOrDefer): 20846 (JSC): 20847 (JSC::Heap::incrementDeferralDepth): 20848 (JSC::Heap::decrementDeferralDepthAndGCIfNeeded): 20849 * heap/Heap.h: 20850 (Heap): 20851 (JSC::Heap::isCollecting): 20852 (JSC): 20853 * heap/MarkedAllocator.cpp: 20854 (JSC::MarkedAllocator::allocateSlowCase): 20855 * jit/JIT.cpp: 20856 (JSC::JIT::privateCompile): 20857 * jit/JIT.h: 20858 * jit/JITStubs.cpp: 20859 (JSC::DEFINE_STUB_FUNCTION): 20860 * llint/LLIntSlowPaths.cpp: 20861 (JSC::LLInt::jitCompileAndSetHeuristics): 20862 (JSC::LLInt::entryOSR): 20863 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 20864 * profiler/ProfilerBytecodes.h: 20865 * runtime/ConcurrentJITLock.h: Added. 20866 (JSC): 20867 * runtime/ExecutionHarness.h: 20868 (JSC::replaceWithDeferredOptimizedCode): 20869 * runtime/JSSegmentedVariableObject.cpp: 20870 (JSC::JSSegmentedVariableObject::findRegisterIndex): 20871 (JSC::JSSegmentedVariableObject::addRegisters): 20872 * runtime/JSSegmentedVariableObject.h: 20873 (JSSegmentedVariableObject): 20874 * runtime/Options.h: 20875 (JSC): 20876 * runtime/Structure.h: 20877 (Structure): 20878 * runtime/StructureInlines.h: 20879 (JSC::Structure::propertyTable): 20880 * runtime/SymbolTable.h: 20881 (SymbolTable): 20882 * runtime/VM.cpp: 20883 (JSC::VM::VM): 20884 (JSC::VM::~VM): 20885 (JSC::VM::prepareToDiscardCode): 20886 (JSC): 20887 (JSC::VM::discardAllCode): 20888 (JSC::VM::releaseExecutableMemory): 20889 * runtime/VM.h: 20890 (DFG): 20891 (VM): 20892 208932013-05-17 Mark Hahnenberg <mhahnenberg@apple.com> 20894 20895 CheckArrays should be hoisted 20896 https://bugs.webkit.org/show_bug.cgi?id=116353 20897 20898 Performance neutral. This will be more important when we start depending on CheckArray for flat arrays. 20899 20900 Reviewed by Filip Pizlo. 20901 20902 * dfg/DFGAbstractState.cpp: Add ForwardCheckArray to wherever we had a CheckArray before. 20903 (JSC::DFG::AbstractState::executeEffects): 20904 * dfg/DFGArgumentsSimplificationPhase.cpp: 20905 (JSC::DFG::ArgumentsSimplificationPhase::run): 20906 * dfg/DFGArrayMode.h: 20907 (JSC::DFG::ArrayMode::isContravenedByStructure): Checks if the ArrayMode derived from a specific Structure 20908 would contradict the ArrayModes that would be filtered by the current ArrayMode. This is used to detect 20909 if any specific CheckStructures would contradict our CheckArray so that we can defer to the CheckStructure's 20910 judgment. 20911 * dfg/DFGByteCodeParser.cpp: Fill in checkArrayHoistingFailed where we previously exited due to a BadIndexingType. 20912 (JSC::DFG::ByteCodeParser::setLocal): 20913 (JSC::DFG::ByteCodeParser::setArgument): 20914 (JSC::DFG::ByteCodeParser::parseBlock): 20915 * dfg/DFGCSEPhase.cpp: 20916 (JSC::DFG::CSEPhase::checkArrayElimination): 20917 (JSC::DFG::CSEPhase::performNodeCSE): 20918 * dfg/DFGConstantFoldingPhase.cpp: 20919 (JSC::DFG::ConstantFoldingPhase::foldConstants): 20920 * dfg/DFGFixupPhase.cpp: 20921 (JSC::DFG::FixupPhase::fixupNode): 20922 * dfg/DFGNode.h: 20923 (JSC::DFG::Node::hasArrayMode): 20924 * dfg/DFGNodeType.h: New ForwardCheckArray node type. 20925 * dfg/DFGPredictionPropagationPhase.cpp: 20926 (JSC::DFG::PredictionPropagationPhase::propagate): 20927 * dfg/DFGSpeculativeJIT32_64.cpp: 20928 (JSC::DFG::SpeculativeJIT::compile): 20929 * dfg/DFGSpeculativeJIT64.cpp: 20930 (JSC::DFG::SpeculativeJIT::compile): 20931 * dfg/DFGTypeCheckHoistingPhase.cpp: Refactored most of TypeCheckHoistingPhase into separate functions, some 20932 of which are now generic to both CheckStructure and CheckArray hoisting while others are specific to one or the 20933 other. Both of the non-zero CheckBallot values must be 1 because we use them as an index into an array of 20934 length 2 inside the VariableAccessData. 20935 (CheckData): Moved structure outside of TypeCheckHoistingPhase so that ArrayTypeCheck and StructureTypeCheck 20936 can access it. Also added new fields for tracking ArrayModes. We need the m_arrayModeIsValid because there 20937 isn't a good sentinel value for "this ArrayMode is invalid and meaningless" like there is for m_structure. 20938 We need m_arrayModeHoistingOkay for when we want to permanently disable hoisting for that particular variable. 20939 (JSC::DFG::CheckData::CheckData): 20940 (JSC::DFG::CheckData::disableCheckArrayHoisting): Helper function for disabling CheckArray hoisting for a 20941 specific CheckData. 20942 (JSC::DFG::TypeCheckHoistingPhase::run): We now do both CheckStructure and CheckArray hoisting, although we prefer 20943 CheckStructure hoisting when given the possibility to do both. 20944 (TypeCheckHoistingPhase): 20945 (JSC::DFG::TypeCheckHoistingPhase::clearVariableVotes): Clears all of the VariableAccessData votes since they 20946 can only have two types of votes at any particular time. 20947 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): 20948 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): Very similar to identifyRedundantStructureChecks, 20949 but with a few different nodes that are important, namely CheckArray (instead of CheckStructure) and the Arrayify-like 20950 nodes always disable hoisting since they always change the IndexingType. 20951 (JSC::DFG::TypeCheckHoistingPhase::disableHoistingForVariablesWithInsufficientVotes): 20952 (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries): 20953 (JSC::DFG::TypeCheckHoistingPhase::disableCheckArrayHoisting): Helper that looks up the CheckData for the 20954 specified variable and disables CheckArray hoisting on it. 20955 (JSC::DFG::TypeCheckHoistingPhase::shouldConsiderForHoisting): 20956 (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheck): 20957 (JSC::DFG::TypeCheckHoistingPhase::noticeCheckArray): 20958 (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheckAccountingForArrayMode): We want to take CheckStructure nodes 20959 into account when hoisting CheckArrays, so we make sure that if we contradict what a CheckStructure says then we 20960 give up on hoisting the CheckArray. 20961 (JSC::DFG::ArrayTypeCheck::isValidToHoist): 20962 (ArrayTypeCheck): Structure that houses some of the specifics on how to hoist CheckArrays. This structure 20963 is used a template argument to allow some of the very similar code to statically parameterized and reused 20964 for both CheckStructure and CheckArray hoisting. 20965 (JSC::DFG::ArrayTypeCheck::disableHoisting): 20966 (JSC::DFG::ArrayTypeCheck::isContravenedByValue): 20967 (JSC::DFG::ArrayTypeCheck::hasEnoughVotesToHoist): 20968 (JSC::DFG::ArrayTypeCheck::hoistingPreviouslyFailed): 20969 (JSC::DFG::StructureTypeCheck::isValidToHoist): 20970 (StructureTypeCheck): Same as ArrayTypeCheck, but specific to CheckStructure hoisting. 20971 (JSC::DFG::StructureTypeCheck::disableHoisting): 20972 (JSC::DFG::StructureTypeCheck::isContravenedByValue): 20973 (JSC::DFG::StructureTypeCheck::hasEnoughVotesToHoist): 20974 (JSC::DFG::StructureTypeCheck::hoistingPreviouslyFailed): 20975 * dfg/DFGUnificationPhase.cpp: Added merging of whether or not CheckArray hoisting failed. 20976 (JSC::DFG::UnificationPhase::run): 20977 * dfg/DFGVariableAccessData.h: 20978 (JSC::DFG::VariableAccessData::VariableAccessData): 20979 (JSC::DFG::VariableAccessData::mergeCheckArrayHoistingFailed): 20980 (VariableAccessData): 20981 (JSC::DFG::VariableAccessData::checkArrayHoistingFailed): 20982 * runtime/Options.h: 20983 209842013-05-17 Filip Pizlo <fpizlo@apple.com> 20985 20986 fourthTier: getCTIStub should be thread-safe 20987 https://bugs.webkit.org/show_bug.cgi?id=116126 20988 20989 Reviewed by Dan Bernstein. 20990 20991 It's called from the compilation thread. Give it locks. 20992 20993 * jit/JITThunks.cpp: 20994 (JSC::JITThunks::ctiStub): 20995 (JSC::JITThunks::hostFunctionStub): 20996 * jit/JITThunks.h: 20997 (JITThunks): 20998 209992013-05-17 Filip Pizlo <fpizlo@apple.com> 21000 21001 fourthTier: Executable and CodeBlock should be aware of DFG::Plans that complete asynchronously 21002 https://bugs.webkit.org/show_bug.cgi?id=116350 21003 21004 Reviewed by Oliver Hunt. 21005 21006 This refactors compilation so that: 21007 21008 - JITStubs knows exactly what the result of compilation was. For example, if 21009 compilation was deferred, it will now know this. 21010 21011 - The set of things that has to happen to install compiled code is now factored 21012 out into JSC::installOptimizedCode(). 21013 21014 - A bunch of the code in Executable.cpp is now made more common to reduce code 21015 duplication. For example, the heap heuristics stuff is now in one place. 21016 21017 * JavaScriptCore.xcodeproj/project.pbxproj: 21018 * bytecode/CodeBlock.cpp: 21019 (JSC::ProgramCodeBlock::compileOptimized): 21020 (JSC::ProgramCodeBlock::replaceWithDeferredOptimizedCode): 21021 (JSC): 21022 (JSC::EvalCodeBlock::compileOptimized): 21023 (JSC::EvalCodeBlock::replaceWithDeferredOptimizedCode): 21024 (JSC::FunctionCodeBlock::compileOptimized): 21025 (JSC::FunctionCodeBlock::replaceWithDeferredOptimizedCode): 21026 (JSC::ProgramCodeBlock::jitCompileImpl): 21027 (JSC::EvalCodeBlock::jitCompileImpl): 21028 (JSC::FunctionCodeBlock::jitCompileImpl): 21029 * bytecode/CodeBlock.h: 21030 (CodeBlock): 21031 (JSC::CodeBlock::jitCompile): 21032 (ProgramCodeBlock): 21033 (EvalCodeBlock): 21034 (FunctionCodeBlock): 21035 * dfg/DFGDesiredIdentifiers.cpp: 21036 (JSC::DFG::DesiredIdentifiers::numberOfIdentifiers): 21037 (DFG): 21038 (JSC::DFG::DesiredIdentifiers::at): 21039 * dfg/DFGDesiredIdentifiers.h: 21040 (JSC): 21041 (DesiredIdentifiers): 21042 * dfg/DFGDriver.cpp: 21043 (JSC::DFG::compile): 21044 (JSC::DFG::tryCompile): 21045 (JSC::DFG::tryCompileFunction): 21046 (JSC::DFG::tryFinalizePlan): 21047 (DFG): 21048 * dfg/DFGDriver.h: 21049 (DFG): 21050 (JSC::DFG::tryCompile): 21051 (JSC::DFG::tryCompileFunction): 21052 (JSC::DFG::tryFinalizePlan): 21053 * dfg/DFGGraph.cpp: 21054 (JSC::DFG::Graph::Graph): 21055 * dfg/DFGJITFinalizer.cpp: 21056 (JSC::DFG::JITFinalizer::finalizeCommon): 21057 * dfg/DFGPlan.cpp: 21058 (JSC::DFG::Plan::Plan): 21059 (JSC::DFG::Plan::compileInThread): 21060 (JSC::DFG::Plan::reallyAdd): 21061 * dfg/DFGPlan.h: 21062 (JSC): 21063 (Plan): 21064 (DFG): 21065 * ftl/FTLJITFinalizer.cpp: 21066 (JSC::FTL::JITFinalizer::finalizeFunction): 21067 * jit/JITDriver.h: 21068 (JSC::jitCompileIfAppropriateImpl): 21069 (JSC::jitCompileFunctionIfAppropriateImpl): 21070 (JSC): 21071 (JSC::jitCompileIfAppropriate): 21072 (JSC::jitCompileFunctionIfAppropriate): 21073 * jit/JITStubs.cpp: 21074 (JSC::DEFINE_STUB_FUNCTION): 21075 * llint/LLIntSlowPaths.cpp: 21076 (JSC::LLInt::jitCompileAndSetHeuristics): 21077 * runtime/CompilationResult.cpp: Added. 21078 (WTF): 21079 (WTF::printInternal): 21080 * runtime/CompilationResult.h: Added. 21081 (JSC): 21082 (WTF): 21083 * runtime/Executable.cpp: 21084 (JSC::EvalExecutable::compileOptimized): 21085 (JSC::EvalExecutable::jitCompile): 21086 (JSC::EvalExecutable::compileInternal): 21087 (JSC::EvalExecutable::replaceWithDeferredOptimizedCode): 21088 (JSC): 21089 (JSC::ProgramExecutable::compileOptimized): 21090 (JSC::ProgramExecutable::jitCompile): 21091 (JSC::ProgramExecutable::compileInternal): 21092 (JSC::ProgramExecutable::replaceWithDeferredOptimizedCode): 21093 (JSC::FunctionExecutable::compileOptimizedForCall): 21094 (JSC::FunctionExecutable::compileOptimizedForConstruct): 21095 (JSC::FunctionExecutable::jitCompileForCall): 21096 (JSC::FunctionExecutable::jitCompileForConstruct): 21097 (JSC::FunctionExecutable::compileForCallInternal): 21098 (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForCall): 21099 (JSC::FunctionExecutable::compileForConstructInternal): 21100 (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForConstruct): 21101 * runtime/Executable.h: 21102 (ScriptExecutable): 21103 (EvalExecutable): 21104 (ProgramExecutable): 21105 (FunctionExecutable): 21106 (JSC::FunctionExecutable::compileOptimizedFor): 21107 (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeFor): 21108 (JSC::FunctionExecutable::jitCompileFor): 21109 * runtime/ExecutionHarness.h: 21110 (JSC::prepareForExecutionImpl): 21111 (JSC::prepareFunctionForExecutionImpl): 21112 (JSC): 21113 (JSC::installOptimizedCode): 21114 (JSC::prepareForExecution): 21115 (JSC::prepareFunctionForExecution): 21116 (JSC::replaceWithDeferredOptimizedCode): 21117 211182013-05-16 Mark Hahnenberg <mhahnenberg@apple.com> 21119 21120 observeUseKindOnNode doesn't contain a case for KnownCellUse 21121 https://bugs.webkit.org/show_bug.cgi?id=116130 21122 21123 This would just lead to us being overly conservative when deciding 21124 whether we should unbox GetLocals with KnownCellUse UseKinds. 21125 21126 Reviewed by Filip Pizlo. 21127 21128 * dfg/DFGFixupPhase.cpp: 21129 (JSC::DFG::FixupPhase::observeUseKindOnNode): 21130 211312013-05-16 Mark Hahnenberg <mhahnenberg@apple.com> 21132 21133 fourthTier: infrequent segfault in DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks() 21134 https://bugs.webkit.org/show_bug.cgi?id=116134 21135 21136 CodeBlock and JITCode should be ThreadSafeRefCounted. We're going to 21137 start using them on more threads very soon (with concurrent 21138 compilation). This patch also fixes the specific place where we were 21139 superfluously creating a RefPtr. 21140 21141 Reviewed by Oliver Hunt. 21142 21143 * bytecode/CodeBlock.h: 21144 (JSC::CodeBlock::getJITType): 21145 * jit/JITCode.h: 21146 211472013-05-16 Mark Lam <mark.lam@apple.com> 21148 21149 Implement a probe mechanism for JIT generated code. 21150 https://bugs.webkit.org/show_bug.cgi?id=115705. 21151 21152 Reviewed by Geoffrey Garen. 21153 21154 Edit: For C++ code, you can do debugging by adding printfs to your 21155 code. For JIT generated code, you can now do the equivalent by 21156 inserting a probe and have it emit a call to your probe function. 21157 21158 The probe is in the form of a MacroAssembler pseudo instruction. 21159 It takes 3 arguments: a ProbeFunction, and 2 void* args. 21160 21161 When inserted into the JIT at some code generation site, the probe 21162 pseudo "instruction" will emit a minimal amount of code to save the 21163 stack pointer, 1 (or more) scratch register(s), and the probe 21164 arguments into a ProbeContext record on the stack. The emitted code 21165 will then call a probe trampoline to do the rest of the work, which 21166 consists of: 21167 1. saving the remaining registers into the ProbeContext. 21168 2. calling the ProbeFunction, and passing it the ProbeContext pointer. 21169 3. restoring the registers from the ProbeContext after the ProbeFunction 21170 returns, and then returning to the JIT generated code. 21171 21172 The ProbeContext is stack allocated and is only valid for the duration 21173 that the ProbeFunction is executing. 21174 21175 If the user supplied ProbeFunction alters the register values in the 21176 ProbeContext, the new values will be installed into the registers upon 21177 returning from the probe. This can be useful for some debugging or 21178 testing purposes. 21179 21180 The probe mechanism is built conditional on USE(MASM_PROBE) which is 21181 defined in config.h. USE(MASM_PROBE) will off by default. 21182 21183 This changeset only implements the probe mechanism for X86 and X86_64. 21184 21185 * CMakeLists.txt: 21186 * GNUmakefile.list.am: 21187 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: 21188 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 21189 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 21190 * JavaScriptCore.xcodeproj/project.pbxproj: 21191 * Target.pri: 21192 * assembler/MacroAssembler.h: 21193 (MacroAssembler): 21194 (JSC::MacroAssembler::shouldBlind): 21195 (JSC::MacroAssembler::store32): 21196 * assembler/MacroAssemblerX86.h: 21197 (MacroAssemblerX86): 21198 (JSC::MacroAssemblerX86::trustedImm32FromPtr): 21199 (JSC::MacroAssemblerX86::probe): 21200 * assembler/MacroAssemblerX86Common.cpp: Added. 21201 (JSC::MacroAssemblerX86Common::ProbeContext::dumpCPURegisters): 21202 - CPU specific register dumper called by ProbeContext::dump(). 21203 (JSC::MacroAssemblerX86Common::ProbeContext::dump): 21204 - Prints the ProbeContext to the DataLog. 21205 * assembler/MacroAssemblerX86Common.h: 21206 (MacroAssemblerX86Common): 21207 (CPUState): Added. 21208 (ProbeContext): Added. 21209 * assembler/MacroAssemblerX86_64.h: 21210 (MacroAssemblerX86_64): 21211 (JSC::MacroAssemblerX86_64::trustedImm64FromPtr): 21212 (JSC::MacroAssemblerX86_64::probe): 21213 * assembler/X86Assembler.h: 21214 * config.h: Added WTF_USE_MASM_PROBE flag. 21215 * jit/JITStubs.cpp: 21216 * jit/JITStubs.h: 21217 * jit/JITStubsX86.h: 21218 * jit/JITStubsX86Common.h: Added. 21219 * jit/JITStubsX86_64.h: 21220 212212013-05-15 Mark Lam <mark.lam@apple.com> 21222 21223 Fix for broken 32-bit build in SpeculativeJIT::checkArray(). 21224 https://bugs.webkit.org/show_bug.cgi?id=116184. 21225 21226 Rubber stamped by Mark Hahnenberg. 21227 21228 * dfg/DFGSpeculativeJIT.cpp: 21229 (JSC::DFG::SpeculativeJIT::checkArray): 21230 212312013-05-15 Filip Pizlo <fpizlo@apple.com> 21232 21233 fourthTier: DFG should separate link phase into things that must be done concurrently and things that must be done synchronously, and have a way of passing data from one to the other 21234 https://bugs.webkit.org/show_bug.cgi?id=116060 21235 21236 Reviewed by Gavin Barraclough. 21237 21238 This introduces the concept of a DFG::Plan, which corresponds to: 21239 21240 - The data that the concurrent DFG or FTL need to start compiling a CodeBlock. 21241 This mostly includes basic things like CodeBlock*, but also a list of 21242 must-handle values for OSR entry. 21243 21244 - The data that the synchronous linker need to link in code compiled by a 21245 concurrent compilation thread. This is further encapsulated by DFG::Finalizer, 21246 since the data, and the actions that need to be taken, are different in DFG 21247 versus FTL. This patch also institutes the policy that the concurrent 21248 compilation thread shall not use LinkBuffer::performFinalization(), since that 21249 code assumes that it's running on the same thread that will actually run the 21250 code. 21251 21252 - The actions that need to be taken to compile code. In other words, most of the 21253 code that previously lived in DFGDriver.cpp now lives in 21254 DFG::Plan::compileInThread(). 21255 21256 - The actions that need to be taken when synchronously linking the code. This 21257 includes "really" adding watchpoints and identifiers, checking watchpoint and 21258 chain validity, and running the DFG::Finalizer. 21259 21260 Currently, DFGDriver just creates a Plan and runs it synchronously. But in the 21261 future, we will be able to malloc some Plans and enqueue them, and have the 21262 concurrent thread dequeue them and call Plan::compileInThread(). 21263 21264 For now, this has no behavior or performance change. 21265 21266 * JavaScriptCore.xcodeproj/project.pbxproj: 21267 * assembler/LinkBuffer.cpp: 21268 (JSC::LinkBuffer::performFinalization): 21269 * assembler/LinkBuffer.h: 21270 (LinkBuffer): 21271 (JSC::LinkBuffer::LinkBuffer): 21272 (JSC::LinkBuffer::~LinkBuffer): 21273 * dfg/DFGAbstractState.cpp: 21274 (JSC::DFG::AbstractState::initialize): 21275 (JSC::DFG::AbstractState::executeEffects): 21276 * dfg/DFGAbstractValue.cpp: 21277 (JSC::DFG::AbstractValue::setFuturePossibleStructure): 21278 (JSC::DFG::AbstractValue::filterFuturePossibleStructure): 21279 * dfg/DFGByteCodeParser.cpp: 21280 (JSC::DFG::ByteCodeParser::addStructureTransitionCheck): 21281 (JSC::DFG::ByteCodeParser::handleGetById): 21282 (JSC::DFG::ByteCodeParser::parseResolveOperations): 21283 (JSC::DFG::ByteCodeParser::parseBlock): 21284 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): 21285 (JSC::DFG::ByteCodeParser::parseCodeBlock): 21286 * dfg/DFGConstantFoldingPhase.cpp: 21287 (JSC::DFG::ConstantFoldingPhase::foldConstants): 21288 (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck): 21289 * dfg/DFGDriver.cpp: 21290 (DFG): 21291 (JSC::DFG::compile): 21292 * dfg/DFGFailedFinalizer.cpp: Added. 21293 (DFG): 21294 (JSC::DFG::FailedFinalizer::FailedFinalizer): 21295 (JSC::DFG::FailedFinalizer::~FailedFinalizer): 21296 (JSC::DFG::FailedFinalizer::finalize): 21297 (JSC::DFG::FailedFinalizer::finalizeFunction): 21298 * dfg/DFGFailedFinalizer.h: Added. 21299 (DFG): 21300 (FailedFinalizer): 21301 * dfg/DFGFinalizer.cpp: Added. 21302 (DFG): 21303 (JSC::DFG::Finalizer::Finalizer): 21304 (JSC::DFG::Finalizer::~Finalizer): 21305 * dfg/DFGFinalizer.h: Added. 21306 (DFG): 21307 (Finalizer): 21308 * dfg/DFGFixupPhase.cpp: 21309 (JSC::DFG::FixupPhase::fixupNode): 21310 (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess): 21311 * dfg/DFGGraph.cpp: 21312 (JSC::DFG::Graph::Graph): 21313 (JSC::DFG::Graph::dump): 21314 (DFG): 21315 * dfg/DFGGraph.h: 21316 (Graph): 21317 (JSC::DFG::Graph::masqueradesAsUndefinedWatchpointIsStillValid): 21318 (JSC::DFG::Graph::compilation): 21319 (JSC::DFG::Graph::identifiers): 21320 (JSC::DFG::Graph::watchpoints): 21321 (JSC::DFG::Graph::chains): 21322 * dfg/DFGJITCompiler.cpp: 21323 (JSC::DFG::JITCompiler::linkOSRExits): 21324 (JSC::DFG::JITCompiler::link): 21325 (JSC::DFG::JITCompiler::compile): 21326 (JSC::DFG::JITCompiler::compileFunction): 21327 (JSC::DFG::JITCompiler::linkFunction): 21328 (DFG): 21329 (JSC::DFG::JITCompiler::disassemble): 21330 * dfg/DFGJITCompiler.h: 21331 (JITCompiler): 21332 (JSC::DFG::JITCompiler::addLazily): 21333 * dfg/DFGJITFinalizer.cpp: Added. 21334 (DFG): 21335 (JSC::DFG::JITFinalizer::JITFinalizer): 21336 (JSC::DFG::JITFinalizer::~JITFinalizer): 21337 (JSC::DFG::JITFinalizer::finalize): 21338 (JSC::DFG::JITFinalizer::finalizeFunction): 21339 (JSC::DFG::JITFinalizer::finalizeCommon): 21340 * dfg/DFGJITFinalizer.h: Added. 21341 (DFG): 21342 (JITFinalizer): 21343 * dfg/DFGPlan.cpp: Added. 21344 (DFG): 21345 (JSC::DFG::dumpAndVerifyGraph): 21346 (JSC::DFG::Plan::Plan): 21347 (JSC::DFG::Plan::~Plan): 21348 (JSC::DFG::Plan::compileInThread): 21349 (JSC::DFG::Plan::isStillValid): 21350 (JSC::DFG::Plan::reallyAdd): 21351 (JSC::DFG::Plan::finalize): 21352 * dfg/DFGPlan.h: Added. 21353 (DFG): 21354 (Plan): 21355 (JSC::DFG::Plan::vm): 21356 * dfg/DFGPredictionInjectionPhase.cpp: 21357 (JSC::DFG::PredictionInjectionPhase::run): 21358 * dfg/DFGSpeculativeJIT.h: 21359 (JSC::DFG::SpeculativeJIT::identifierUID): 21360 (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure): 21361 * dfg/DFGTypeCheckHoistingPhase.cpp: 21362 (JSC::DFG::TypeCheckHoistingPhase::run): 21363 * ftl/FTLGeneratedFunction.h: Added. 21364 (FTL): 21365 * ftl/FTLJITFinalizer.cpp: Added. 21366 (FTL): 21367 (JSC::FTL::JITFinalizer::JITFinalizer): 21368 (JSC::FTL::JITFinalizer::~JITFinalizer): 21369 (JSC::FTL::JITFinalizer::finalize): 21370 (JSC::FTL::JITFinalizer::finalizeFunction): 21371 * ftl/FTLJITFinalizer.h: Added. 21372 (FTL): 21373 (JITFinalizer): 21374 (JSC::FTL::JITFinalizer::initializeExitThunksLinkBuffer): 21375 (JSC::FTL::JITFinalizer::initializeEntrypointLinkBuffer): 21376 (JSC::FTL::JITFinalizer::initializeCode): 21377 (JSC::FTL::JITFinalizer::initializeFunction): 21378 (JSC::FTL::JITFinalizer::initializeArityCheck): 21379 (JSC::FTL::JITFinalizer::initializeJITCode): 21380 * ftl/FTLLink.cpp: 21381 (JSC::FTL::link): 21382 * ftl/FTLLink.h: 21383 (FTL): 21384 * ftl/FTLLowerDFGToLLVM.cpp: 21385 (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks): 21386 * ftl/FTLState.cpp: 21387 (JSC::FTL::State::State): 21388 * ftl/FTLState.h: 21389 (FTL): 21390 (State): 21391 213922013-05-14 Mark Lam <mark.lam@apple.com> 21393 21394 Refactor JITStubs.cpp to move CPU specific parts out into their own files. 21395 https://bugs.webkit.org/show_bug.cgi?id=116135. 21396 21397 Reviewed by Michael Saboff. 21398 21399 This mod only moves the CPU specific parts out. There is no code change. 21400 Tested on debug builds of X86, X86_64, ARM and ARMv7. The SH4 and MIPS 21401 ports are untested. Windows port also not tested. 21402 21403 * GNUmakefile.list.am: 21404 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: 21405 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 21406 * JavaScriptCore.xcodeproj/project.pbxproj: 21407 * jit/JITStubs.cpp: 21408 (JSC::performPlatformSpecificJITAssertions): 21409 * jit/JITStubsARM.h: Added. 21410 (JSC::ctiTrampoline): 21411 (JSC::ctiTrampolineEnd): 21412 (JSC::ctiVMThrowTrampoline): 21413 (JSC::ctiOpThrowNotCaught): 21414 (JSC::performARMJITAssertions): 21415 * jit/JITStubsARMv7.h: Added. 21416 (JSC::ctiTrampoline): 21417 (JSC::ctiVMThrowTrampoline): 21418 (JSC::ctiOpThrowNotCaught): 21419 (JSC::performARMv7JITAssertions): 21420 * jit/JITStubsMIPS.h: Added. 21421 (JSC::performMIPSJITAssertions): 21422 * jit/JITStubsSH4.h: Added. 21423 * jit/JITStubsX86.h: Added. 21424 * jit/JITStubsX86_64.h: Added. 21425 214262013-05-14 Mark Hahnenberg <mhahnenberg@apple.com> 21427 21428 fourthTier: Segfault in jsc with simple test program when running with profile dumping enabled 21429 https://bugs.webkit.org/show_bug.cgi?id=116082 21430 21431 It's crashing because CodeBlock::baselineVersion() doesn't know how to handle the case where 'this' is the 21432 baseline version but it hasn't been assigned to the m_blahCodeBlock field in BlahExecutable. The fix is to 21433 check if we're the baseline version in baselineVersion() and return this if so. 21434 21435 Reviewed by Filip Pizlo. 21436 21437 * bytecode/CodeBlock.h: 21438 (JSC::CodeBlock::baselineVersion): 21439 214402013-05-11 Mark Hahnenberg <mhahnenberg@apple.com> 21441 21442 Rename StructureCheckHoistingPhase to TypeCheckHoistingPhase 21443 https://bugs.webkit.org/show_bug.cgi?id=115938 21444 21445 We're going to add some more types of check hoisting soon, so let's have 21446 the right name here. 21447 21448 Rubber stamped by Filip Pizlo. 21449 21450 * CMakeLists.txt: 21451 * GNUmakefile.list.am: 21452 * JavaScriptCore.xcodeproj/project.pbxproj: 21453 * Target.pri: 21454 * dfg/DFGDriver.cpp: 21455 (JSC::DFG::compile): 21456 * dfg/DFGStructureCheckHoistingPhase.cpp: Removed. 21457 * dfg/DFGStructureCheckHoistingPhase.h: Removed. 21458 * dfg/DFGTypeCheckHoistingPhase.cpp: Added. 21459 (DFG): 21460 (TypeCheckHoistingPhase): 21461 (JSC::DFG::TypeCheckHoistingPhase::TypeCheckHoistingPhase): 21462 (JSC::DFG::TypeCheckHoistingPhase::run): 21463 (JSC::DFG::TypeCheckHoistingPhase::shouldConsiderForHoisting): 21464 (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheck): 21465 (CheckData): 21466 (JSC::DFG::TypeCheckHoistingPhase::CheckData::CheckData): 21467 (JSC::DFG::performTypeCheckHoisting): 21468 * dfg/DFGTypeCheckHoistingPhase.h: Added. 21469 214702013-05-10 Mark Hahnenberg <mhahnenberg@apple.com> 21471 21472 SpeculativeJIT::checkArray should use the correct ExitKind 21473 https://bugs.webkit.org/show_bug.cgi?id=115943 21474 21475 Currently it uses Uncountable, which gives us no information if we end up exiting due to a 21476 mismatched ClassInfo pointer. It should instead use BadType and should pass the correct 21477 JSValueSource and Node instead of passing empty values. 21478 21479 Reviewed by Filip Pizlo. 21480 21481 * dfg/DFGSpeculativeJIT.cpp: 21482 (JSC::DFG::SpeculativeJIT::checkArray): 21483 214842013-05-11 Filip Pizlo <fpizlo@apple.com> 21485 21486 fourthTier: FTL should support Jump and ForceOSRExit 21487 https://bugs.webkit.org/show_bug.cgi?id=115942 21488 21489 Reviewed by Oliver Hunt. 21490 21491 Added two obvious nodes: Jump and ForceOSRExit. We already had everything we needed 21492 to support them. 21493 21494 Adding these increases our coverage a fair bit, and revealed a bug: LLVM's full 21495 instruction selector currently appears to mishandle doubles in constant pools (or 21496 just constant pools in general) with the small code model in the MCJIT. But switching 21497 to FastISel "fixes" it. That's what this patch does, for now. This will probably 21498 actually be permanent; the FastISel does pretty much everything we would ever want, 21499 at least in the foreseeable future. 21500 21501 * ftl/FTLCapabilities.cpp: 21502 (JSC::FTL::canCompile): 21503 (FTL): 21504 * ftl/FTLCompile.cpp: 21505 (JSC::FTL::compile): 21506 * ftl/FTLLowerDFGToLLVM.cpp: 21507 (JSC::FTL::LowerDFGToLLVM::compileBlock): 21508 (JSC::FTL::LowerDFGToLLVM::compileNode): 21509 (JSC::FTL::LowerDFGToLLVM::compileJSConstant): 21510 (LowerDFGToLLVM): 21511 (JSC::FTL::LowerDFGToLLVM::compileJump): 21512 (JSC::FTL::LowerDFGToLLVM::compileReturn): 21513 (JSC::FTL::LowerDFGToLLVM::compileForceOSRExit): 21514 * runtime/Options.h: 21515 (JSC): 21516 215172013-05-10 Filip Pizlo <fpizlo@apple.com> 21518 21519 fourthTier: FTL should support CompareStrictEqConstant 21520 https://bugs.webkit.org/show_bug.cgi?id=115941 21521 21522 Reviewed by Mark Hahnenberg. 21523 21524 Pretty simple, but factors out the craziness of comparing against null or undefined 21525 in a way that is reusable for both == and ===. 21526 21527 * ftl/FTLCapabilities.cpp: 21528 (JSC::FTL::canCompile): 21529 * ftl/FTLLowerDFGToLLVM.cpp: 21530 (JSC::FTL::LowerDFGToLLVM::compileNode): 21531 (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant): 21532 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant): 21533 (LowerDFGToLLVM): 21534 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined): 21535 215362013-05-10 Filip Pizlo <fpizlo@apple.com> 21537 21538 fourthTier: FTL should support CompareEqConstant 21539 https://bugs.webkit.org/show_bug.cgi?id=115939 21540 21541 Reviewed by Oliver Hunt and Mark Hahnenberg. 21542 21543 The most interesting part of this patch is the way I make it easier to deal with 21544 the inputs to Phi functions. This adds the notion of ValueFromBlock, which you 21545 can get by doing m_out.anchor(value). You can build up a vector of these, and then 21546 pass them to m_out.phi(type, vector) in one go. 21547 21548 * JavaScriptCore.xcodeproj/project.pbxproj: 21549 * ftl/FTLAbbreviatedTypes.h: Added. 21550 (FTL): 21551 * ftl/FTLAbbreviations.h: 21552 (FTL): 21553 (JSC::FTL::addIncoming): 21554 (JSC::FTL::buildPhi): 21555 * ftl/FTLAbstractHeapRepository.h: 21556 (FTL): 21557 * ftl/FTLCapabilities.cpp: 21558 (JSC::FTL::canCompile): 21559 * ftl/FTLLowerDFGToLLVM.cpp: 21560 (JSC::FTL::LowerDFGToLLVM::compileNode): 21561 (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant): 21562 (LowerDFGToLLVM): 21563 (JSC::FTL::LowerDFGToLLVM::lowDouble): 21564 (JSC::FTL::LowerDFGToLLVM::masqueradesAsUndefinedWatchpointIfIsStillValid): 21565 * ftl/FTLOutput.h: 21566 (JSC::FTL::Output::phi): 21567 (Output): 21568 (JSC::FTL::Output::anchor): 21569 * ftl/FTLValueFromBlock.h: Added. 21570 (FTL): 21571 (ValueFromBlock): 21572 (JSC::FTL::ValueFromBlock::ValueFromBlock): 21573 (JSC::FTL::ValueFromBlock::value): 21574 (JSC::FTL::ValueFromBlock::block): 21575 215762013-05-10 Filip Pizlo <fpizlo@apple.com> 21577 21578 fourthTier: FTL should support CompareStrictEq 21579 https://bugs.webkit.org/show_bug.cgi?id=115927 21580 21581 Reviewed by Mark Hahnenberg. 21582 21583 Do the sensible thing, and make it so that for common cases, CompareEq is 21584 implemented in terms of CompareStrictEq in the FTL backend. All of the cases 21585 we currently support can be done this way. 21586 21587 * ftl/FTLCapabilities.cpp: 21588 (JSC::FTL::canCompile): 21589 * ftl/FTLLowerDFGToLLVM.cpp: 21590 (JSC::FTL::LowerDFGToLLVM::compileNode): 21591 (JSC::FTL::LowerDFGToLLVM::compileCompareEq): 21592 (LowerDFGToLLVM): 21593 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): 21594 215952013-05-10 Filip Pizlo <fpizlo@apple.com> 21596 21597 fourthTier: FTL should support Int32ToDouble 21598 https://bugs.webkit.org/show_bug.cgi?id=115926 21599 21600 Reviewed by Mark Hahnenberg. 21601 21602 This node exists mainly to help the DFG see that a node may have both an int 21603 and a double representation. But in the FTL, nodes already have multiple 21604 representations. So this is just a no-op for the FTL. 21605 21606 I considered making it so that the node isn't even inserted if we're doing 21607 FTL compilation, but that would have required a bunch of conditionalizing in 21608 the DFG's optimization phases, which sort of expect this node to be present 21609 and necessary. 21610 21611 * ftl/FTLCapabilities.cpp: 21612 (JSC::FTL::canCompile): 21613 * ftl/FTLLowerDFGToLLVM.cpp: 21614 (JSC::FTL::LowerDFGToLLVM::compileNode): 21615 (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): 21616 (LowerDFGToLLVM): 21617 216182013-05-10 Filip Pizlo <fpizlo@apple.com> 21619 21620 fourthTier: FTL should support LogicalNot 21621 https://bugs.webkit.org/show_bug.cgi?id=115924 21622 21623 Reviewed by Mark Hahnenberg. 21624 21625 * ftl/FTLAbbreviations.h: 21626 (JSC::FTL::buildNot): 21627 * ftl/FTLCapabilities.cpp: 21628 (JSC::FTL::canCompile): 21629 * ftl/FTLLowerDFGToLLVM.cpp: 21630 (JSC::FTL::LowerDFGToLLVM::compileNode): 21631 (JSC::FTL::LowerDFGToLLVM::compileLogicalNot): 21632 (LowerDFGToLLVM): 21633 * ftl/FTLOutput.h: 21634 (JSC::FTL::Output::bitNot): 21635 216362013-05-10 Filip Pizlo <fpizlo@apple.com> 21637 21638 fourthTier: FTL should support CompareGreater, CompareLessEq, and CompareGreaterEq 21639 https://bugs.webkit.org/show_bug.cgi?id=115923 21640 21641 Reviewed by Mark Hahnenberg. 21642 21643 Also fixed a bug where double CompareLess would assert. 21644 21645 * ftl/FTLCapabilities.cpp: 21646 (JSC::FTL::canCompile): 21647 * ftl/FTLLowerDFGToLLVM.cpp: 21648 (JSC::FTL::LowerDFGToLLVM::compileNode): 21649 (JSC::FTL::LowerDFGToLLVM::compileCompareLess): 21650 (LowerDFGToLLVM): 21651 (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq): 21652 (JSC::FTL::LowerDFGToLLVM::compileCompareGreater): 21653 (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq): 21654 216552013-05-10 Filip Pizlo <fpizlo@apple.com> 21656 21657 fourthTier: FTL CompareEq ObjectUse should handle masquerading 21658 https://bugs.webkit.org/show_bug.cgi?id=115920 21659 21660 Reviewed by Mark Hahnenberg. 21661 21662 We don't yet support watchpoints, but this does all the wiring right up to the 21663 part where we would have emitted watchpoints. I've also written this in a way that 21664 makes it easy to use the case where you would have anyway speculated non-masquerading 21665 even if the watchpoint was invalidated. 21666 21667 This is inherently racy, of course: but the only race here is that you might first 21668 set the watchpoint, and then the watchpoint is invalidated, and then you compile rest 21669 of the code in a way that doesn't need the watchpoint. That's fine, since the FTL 21670 will remember that it had set the watchpoint and then cancel the compilation. 21671 21672 * ftl/FTLAbbreviations.h: 21673 (JSC::FTL::int8Type): 21674 * ftl/FTLAbstractHeapRepository.h: 21675 (FTL): 21676 * ftl/FTLCommonValues.cpp: 21677 (JSC::FTL::CommonValues::CommonValues): 21678 * ftl/FTLCommonValues.h: 21679 (CommonValues): 21680 * ftl/FTLLowerDFGToLLVM.cpp: 21681 (JSC::FTL::LowerDFGToLLVM::compileCompareEq): 21682 (JSC::FTL::LowerDFGToLLVM::lowNonNullObject): 21683 (LowerDFGToLLVM): 21684 (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject): 21685 (JSC::FTL::LowerDFGToLLVM::masqueradesAsUndefinedWatchpointIsStillValid): 21686 (JSC::FTL::LowerDFGToLLVM::masqueradesAsUndefinedWatchpointIfIsStillValid): 21687 * ftl/FTLOutput.h: 21688 (JSC::FTL::Output::constInt8): 21689 (JSC::FTL::Output::load8): 21690 (JSC::FTL::Output::isZero8): 21691 (JSC::FTL::Output::notZero8): 21692 (JSC::FTL::Output::testIsZero8): 21693 (JSC::FTL::Output::testNonZero8): 21694 216952013-05-09 Filip Pizlo <fpizlo@apple.com> 21696 21697 fourthTier: DFG shouldn't allocate in the GC heap 21698 https://bugs.webkit.org/show_bug.cgi?id=115598 21699 21700 Reviewed by Geoffrey Garen. 21701 21702 I believe that we've now fixed this, and this patch just adds the relevant assertion. 21703 21704 * runtime/JSCellInlines.h: 21705 (JSC::JSCell::JSCell): 21706 217072013-05-09 Filip Pizlo <fpizlo@apple.com> 21708 21709 fourthTier: CodeBlock should be RefCounted 21710 https://bugs.webkit.org/show_bug.cgi?id=115594 21711 21712 Reviewed by Geoffrey Garen. 21713 21714 This makes it possible to have the currently-being-compiled CodeBlock not be 21715 installed in Executable, while also allowing it to point to its intended 21716 alternative(). So long as we were using ownership and not reference counting, it 21717 would have been difficult to have both CodeBlock::m_alternative and 21718 Executable::m_codeBlockForBlah point to the previous CodeBlock. 21719 21720 I also took the opportunity to clean up a bunch of code that appears to have 21721 rotted. 21722 21723 * assembler/MacroAssemblerCodeRef.h: 21724 (MacroAssemblerCodePtr): 21725 (JSC::MacroAssemblerCodePtr::operator==): 21726 * bytecode/CodeBlock.cpp: 21727 (JSC::CodeBlock::CodeBlock): 21728 * bytecode/CodeBlock.h: 21729 (JSC::CodeBlock::releaseAlternative): 21730 (JSC::CodeBlock::setAlternative): 21731 (CodeBlock): 21732 (JSC::GlobalCodeBlock::GlobalCodeBlock): 21733 (JSC::ProgramCodeBlock::ProgramCodeBlock): 21734 (JSC::EvalCodeBlock::EvalCodeBlock): 21735 (JSC::FunctionCodeBlock::FunctionCodeBlock): 21736 * heap/DFGCodeBlocks.cpp: 21737 (JSC::DFGCodeBlocks::~DFGCodeBlocks): 21738 (JSC::DFGCodeBlocks::jettison): 21739 (JSC::DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks): 21740 * heap/DFGCodeBlocks.h: 21741 (DFGCodeBlocks): 21742 * heap/Heap.cpp: 21743 (JSC::Heap::jettisonDFGCodeBlock): 21744 * heap/Heap.h: 21745 * jit/JITDriver.h: 21746 (JSC::jitCompileIfAppropriate): 21747 (JSC::jitCompileFunctionIfAppropriate): 21748 * runtime/Executable.cpp: 21749 (JSC::jettisonCodeBlock): 21750 (JSC::EvalExecutable::jitCompile): 21751 (JSC::EvalExecutable::compileInternal): 21752 (JSC::ProgramExecutable::jitCompile): 21753 (JSC::ProgramExecutable::compileInternal): 21754 (JSC::FunctionExecutable::jitCompileForCall): 21755 (JSC::FunctionExecutable::jitCompileForConstruct): 21756 (JSC::FunctionExecutable::produceCodeBlockFor): 21757 (JSC::FunctionExecutable::compileForCallInternal): 21758 (JSC::FunctionExecutable::compileForConstructInternal): 21759 * runtime/Executable.h: 21760 (EvalExecutable): 21761 (FunctionExecutable): 21762 (JSC::FunctionExecutable::codeBlockFor): 21763 * runtime/ExecutionHarness.h: 21764 (JSC::prepareForExecution): 21765 (JSC::prepareFunctionForExecution): 21766 217672013-05-09 Filip Pizlo <fpizlo@apple.com> 21768 21769 fourthTier: DFG should have its own notion of StructureChain, and it should be possible to validate it after compilation finishes 21770 https://bugs.webkit.org/show_bug.cgi?id=115841 21771 21772 Reviewed by Oliver Hunt. 21773 21774 This adds IntendedStructureChain, which is like StructureChain, except that it holds a bit 21775 more information and can be validated independantly of its owning Structure and lexical 21776 GlobalObject, since it remembers both of those things. It's also malloc'd and RefCounted 21777 rather than GC'd, so it can be allocated in a concurrent compilation thread. 21778 21779 Gave this class a bunch of methods to allow the following idiom: 21780 21781 - Snapshot a structure chain concurrently. This structure chain may end up being 21782 wrong in case of races, but in that case we will find out when we try to validate 21783 it. 21784 21785 - Perform validation on the structure chain itself, without recomputing the chain. 21786 Previously, many chain validation methods (prototypeChainMayInterceptStoreTo() for 21787 example) recomputed the chain, and hence, were inherently racy: you could build one 21788 chain and then validate against a different chain, and hence not realize that the 21789 chain you did build was actually broken for your purposes, because the chain you 21790 checked was a different one. 21791 21792 - Validate that the chain is still the right one at any time, allowing the cancellation 21793 of compilation if there was a race. 21794 21795 Also added DFG::DesiredStructureChains, which tracks those intended structure chains that 21796 the compiler had already chosen to use. If any of those are invalid at link time, throw 21797 out the compilation. 21798 21799 * JavaScriptCore.xcodeproj/project.pbxproj: 21800 * bytecode/GetByIdStatus.cpp: 21801 (JSC::GetByIdStatus::computeForChain): 21802 (JSC::GetByIdStatus::computeFor): 21803 * bytecode/GetByIdStatus.h: 21804 (JSC::GetByIdStatus::GetByIdStatus): 21805 (JSC::GetByIdStatus::chain): 21806 (GetByIdStatus): 21807 * bytecode/PutByIdStatus.cpp: 21808 (JSC::PutByIdStatus::computeFromLLInt): 21809 (JSC::PutByIdStatus::computeFor): 21810 * bytecode/PutByIdStatus.h: 21811 (JSC::PutByIdStatus::PutByIdStatus): 21812 (JSC::PutByIdStatus::structureChain): 21813 (PutByIdStatus): 21814 * dfg/DFGAbstractState.cpp: 21815 (JSC::DFG::AbstractState::executeEffects): 21816 * dfg/DFGByteCodeParser.cpp: 21817 (JSC::DFG::ByteCodeParser::handleGetById): 21818 (JSC::DFG::ByteCodeParser::parseBlock): 21819 * dfg/DFGConstantFoldingPhase.cpp: 21820 (JSC::DFG::ConstantFoldingPhase::foldConstants): 21821 * dfg/DFGDesiredStructureChains.cpp: Added. 21822 (DFG): 21823 (JSC::DFG::DesiredStructureChains::DesiredStructureChains): 21824 (JSC::DFG::DesiredStructureChains::~DesiredStructureChains): 21825 (JSC::DFG::DesiredStructureChains::areStillValid): 21826 * dfg/DFGDesiredStructureChains.h: Added. 21827 (DFG): 21828 (DesiredStructureChains): 21829 (JSC::DFG::DesiredStructureChains::addLazily): 21830 * dfg/DFGGraph.cpp: 21831 (JSC::DFG::Graph::isStillValid): 21832 (DFG): 21833 * dfg/DFGGraph.h: 21834 (Graph): 21835 * dfg/DFGJITCompiler.cpp: 21836 (JSC::DFG::JITCompiler::link): 21837 (JSC::DFG::JITCompiler::linkFunction): 21838 * ftl/FTLLink.cpp: 21839 (JSC::FTL::link): 21840 * runtime/IntendedStructureChain.cpp: Added. 21841 (JSC): 21842 (JSC::IntendedStructureChain::IntendedStructureChain): 21843 (JSC::IntendedStructureChain::~IntendedStructureChain): 21844 (JSC::IntendedStructureChain::isStillValid): 21845 (JSC::IntendedStructureChain::matches): 21846 (JSC::IntendedStructureChain::chain): 21847 (JSC::IntendedStructureChain::mayInterceptStoreTo): 21848 (JSC::IntendedStructureChain::isNormalized): 21849 (JSC::IntendedStructureChain::terminalPrototype): 21850 * runtime/IntendedStructureChain.h: Added. 21851 (JSC): 21852 (IntendedStructureChain): 21853 (JSC::IntendedStructureChain::head): 21854 (JSC::IntendedStructureChain::size): 21855 (JSC::IntendedStructureChain::at): 21856 (JSC::IntendedStructureChain::operator[]): 21857 (JSC::IntendedStructureChain::last): 21858 * runtime/Structure.cpp: 21859 (JSC::Structure::prototypeChainMayInterceptStoreTo): 21860 * runtime/Structure.h: 21861 (Structure): 21862 * runtime/StructureInlines.h: 21863 (JSC::Structure::storedPrototypeObject): 21864 (JSC): 21865 (JSC::Structure::storedPrototypeStructure): 21866 218672013-05-06 Mark Lam <mark.lam@apple.com> 21868 21869 Fix broken 32-bit build + some clean up in JITStubs.cpp. 21870 https://bugs.webkit.org/show_bug.cgi?id=115684. 21871 21872 Reviewed by Geoffrey Garen. 21873 21874 * dfg/DFGSpeculativeJIT32_64.cpp: 21875 (JSC::DFG::SpeculativeJIT::compile): 21876 * jit/JITStubs.cpp: 21877 - removed unneeded stubs for CPU(X86_64) && USE(JSVALUE32_64). 21878 - added some line breaks to more clearly delineate between 21879 ports/configurations of stub code. 21880 218812013-05-05 Geoffrey Garen <ggaren@apple.com> 21882 21883 Rolled back in r149527 with crash fixed. 21884 21885 Reviewed by Oliver Hunt. 21886 21887 Rationalized 'this' value conversion 21888 https://bugs.webkit.org/show_bug.cgi?id=115542 21889 21890 This fixes a bunch of Sputnik tests, and some bad pointer access. 21891 21892 The new model is that the callee always performs 'this' value conversion. 21893 21894 My ultimate goal is to break up resolve_with_this into single-result 21895 opcodes. This step avoids having to add a special form of convert_this 21896 that distinguishes callers vs callees. 21897 21898 Only the callee knows whether it uses 'this' and/or whether 'this' 21899 conversion should use StrictMode, so it's most natural to perform 21900 convert_this in the callee. 21901 21902 * API/JSCallbackFunction.cpp: 21903 (JSC::JSCallbackFunction::call): Perform 'this' value conversion for 21904 our callee, since it may observe 'this'. 21905 21906 * API/JSCallbackObjectFunctions.h: 21907 (JSC::::call): Ditto. 21908 21909 * API/JSContextRef.cpp: 21910 (JSGlobalContextCreateInGroup): Use a proxy 'this' object in global scope 21911 even when we're not in the browser. This eliminates some odd cases where 21912 API clients used to be able to get a direct reference to an environment 21913 record. Now, any reference to an environment record unambiguously means 21914 that the VM resolved that record in the scope chain. 21915 21916 (JSContextGetGlobalObject): Removed an incorrect comment. Now that JSC 21917 participates in the proxy 'this' object scheme, the behavior is not 21918 WebCore-only. 21919 21920 * API/JSObjectRef.cpp: 21921 (JSObjectSetPrototype): 21922 (JSObjectCallAsFunction): Don't perform 'this' value conversion in the 21923 caller; the callee will do it if needed. 21924 21925 * JavaScriptCore.order: Order! 21926 21927 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: 21928 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 21929 What are the chances that this will work? 21930 21931 * bytecode/CodeBlock.cpp: 21932 (JSC::CodeBlock::dumpBytecode): 21933 (JSC::CodeBlock::CodeBlock): Renamed convert_this to to_this, to match our 21934 other conversion opcodes. 21935 21936 * bytecode/CodeOrigin.h: 21937 (CodeOrigin): 21938 (InlineCallFrame): 21939 (JSC::CodeOrigin::codeOriginOwner): Use the more precise type for our 21940 executable, so compilation can discover where we're in strict mode. 21941 21942 * bytecode/Opcode.h: 21943 (JSC::padOpcodeName): Updated for rename. 21944 21945 * bytecompiler/BytecodeGenerator.cpp: 21946 (JSC::BytecodeGenerator::BytecodeGenerator): Always emit to_this when 21947 'this' is in use -- strict mode still needs to convert environment 21948 records to 'undefined'. 21949 21950 * dfg/DFGAbstractState.cpp: 21951 (JSC::DFG::AbstractState::executeEffects): 21952 * dfg/DFGByteCodeParser.cpp: 21953 (JSC::DFG::ByteCodeParser::parseBlock): 21954 * dfg/DFGCapabilities.h: 21955 (JSC::DFG::canCompileOpcode): Updated for renames. 21956 21957 * dfg/DFGFixupPhase.cpp: 21958 (JSC::DFG::FixupPhase::fixupNode): Tightened up this code to consider 21959 strict mode (a new requirement) and to consider the global object (which 21960 was always a requirement). 21961 21962 * dfg/DFGGraph.h: 21963 (JSC::DFG::Graph::globalThisObjectFor): 21964 (JSC::DFG::Graph::executableFor): 21965 * dfg/DFGNodeType.h: 21966 * dfg/DFGOperations.cpp: 21967 * dfg/DFGOperations.h: 21968 * dfg/DFGPredictionPropagationPhase.cpp: 21969 (JSC::DFG::PredictionPropagationPhase::propagate): 21970 * dfg/DFGSpeculativeJIT32_64.cpp: 21971 (JSC::DFG::SpeculativeJIT::compile): 21972 * dfg/DFGSpeculativeJIT64.cpp: 21973 (JSC::DFG::SpeculativeJIT::compile): Ditto. 21974 21975 * interpreter/Interpreter.cpp: 21976 (JSC::eval): 21977 (JSC::Interpreter::execute): 21978 (JSC::Interpreter::executeCall): 21979 * interpreter/Interpreter.h: Don't ASSERT about 'this' -- it's our job 21980 to fix it up if needed. 21981 21982 * jit/JIT.cpp: 21983 (JSC::JIT::privateCompileMainPass): 21984 (JSC::JIT::privateCompileSlowCases): 21985 * jit/JIT.h: 21986 (JIT): 21987 * jit/JITOpcodes.cpp: 21988 (JSC::JIT::emit_op_to_this): 21989 (JSC::JIT::emitSlow_op_to_this): 21990 * jit/JITOpcodes32_64.cpp: 21991 (JSC::JIT::emit_op_to_this): 21992 (JSC::JIT::emitSlow_op_to_this): 21993 * jit/JITStubs.cpp: 21994 (JSC::DEFINE_STUB_FUNCTION): 21995 * jit/JITStubs.h: Removed special-case code for various kinds of 21996 conversions. The baseline fast path is now final objects only. It hurt 21997 my brain to think through how to keep the other fast paths working, and 21998 our benchmarks do not object. 21999 22000 * llint/LLIntData.cpp: 22001 (JSC::LLInt::Data::performAssertions): 22002 * llint/LLIntSlowPaths.cpp: 22003 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 22004 * llint/LLIntSlowPaths.h: 22005 (LLInt): 22006 * llint/LowLevelInterpreter.asm: 22007 * llint/LowLevelInterpreter32_64.asm: 22008 * llint/LowLevelInterpreter64.asm: Updated for renames. Removed some 22009 special case code, as in the JIT above. 22010 22011 * profiler/ProfileGenerator.cpp: 22012 (JSC::ProfileGenerator::addParentForConsoleStart): 22013 * runtime/CallData.cpp: 22014 (JSC::call): 22015 * runtime/ClassInfo.h: 22016 (MethodTable): 22017 * runtime/Completion.cpp: 22018 (JSC::evaluate): 22019 * runtime/DatePrototype.cpp: 22020 (JSC::dateProtoFuncToJSON): The callee performs 'this' conversion, not 22021 the caller. 22022 22023 * runtime/GetterSetter.cpp: 22024 (JSC::callGetter): 22025 (JSC::callSetter): 22026 * runtime/GetterSetter.h: Added helper functions for invoking getters 22027 and setters from C++ code, since this was duplicated in a bunch of 22028 places. 22029 22030 * runtime/JSActivation.cpp: 22031 (JSC::JSActivation::toThis): 22032 * runtime/JSActivation.h: 22033 (JSActivation): 22034 * runtime/JSCJSValue.cpp: 22035 (JSC::JSValue::toThisSlowCase): 22036 (JSC::JSValue::putToPrimitive): 22037 * runtime/JSCJSValue.h: 22038 (JSValue): 22039 * runtime/JSCJSValueInlines.h: 22040 (JSC::JSValue::toThis): 22041 * runtime/JSCell.cpp: 22042 (JSC::JSCell::toThis): 22043 * runtime/JSCell.h: 22044 (JSCell): 22045 * runtime/JSGlobalObject.cpp: 22046 (JSC::JSGlobalObject::toThis): 22047 * runtime/JSGlobalObject.h: 22048 (JSGlobalObject): Filled out runtime support for converting 'this' 22049 values as needed, according to the appropriate strictness, using 22050 helper functions where getter/setter code was duplicated. 22051 22052 * runtime/JSGlobalObjectFunctions.cpp: 22053 (JSC::globalFuncProtoGetter): 22054 (JSC::globalFuncProtoSetter): Perform 'this' value conversion, since we 22055 observe 'this'. 22056 22057 * runtime/JSNameScope.cpp: 22058 (JSC::JSNameScope::toThis): 22059 * runtime/JSNameScope.h: 22060 (JSNameScope): Same as JSActivation. 22061 22062 * runtime/JSObject.cpp: 22063 (JSC::JSObject::put): 22064 (JSC::JSObject::setPrototypeWithCycleCheck): Bug fix. Don't peform 22065 'this' value conversion in this helper function. The __proto__ 22066 setter does this for us, since it's the function that logically observes 22067 'this' -- and we can ASSERT so. Also, the previous code used 22068 "globalExec()->thisValue()", which is a read past the beginning of a 22069 buffer! I don't think this ever worked on purpose. 22070 22071 (JSC::JSObject::toThis): 22072 (JSC::JSObject::fillGetterPropertySlot): 22073 * runtime/JSObject.h: 22074 (JSC::JSObject::inlineGetOwnPropertySlot): 22075 * runtime/JSScope.cpp: 22076 (JSC::JSScope::resolveWithThis): 22077 * runtime/JSString.cpp: 22078 (JSC::JSString::toThis): 22079 * runtime/JSString.h: 22080 (JSString): 22081 * runtime/PropertySlot.cpp: 22082 (JSC::PropertySlot::functionGetter): 22083 * runtime/PropertySlot.h: 22084 (JSC): 22085 (JSC::PropertySlot::setGetterSlot): 22086 (JSC::PropertySlot::setCacheableGetterSlot): 22087 * runtime/SparseArrayValueMap.cpp: 22088 (JSC::SparseArrayEntry::get): 22089 (JSC::SparseArrayEntry::put): 22090 * runtime/StrictEvalActivation.cpp: 22091 (JSC::StrictEvalActivation::toThis): 22092 * runtime/StrictEvalActivation.h: 22093 (StrictEvalActivation): Ditto. 22094 220952013-05-03 Filip Pizlo <fpizlo@apple.com> 22096 22097 fourthTier: DFG::ByteCodeParser doesn't need ExecState* 22098 https://bugs.webkit.org/show_bug.cgi?id=115582 22099 22100 Reviewed by Geoffrey Garen. 22101 22102 * dfg/DFGByteCodeParser.cpp: 22103 (JSC::DFG::ByteCodeParser::ByteCodeParser): 22104 (ByteCodeParser): 22105 (JSC::DFG::parse): 22106 * dfg/DFGByteCodeParser.h: 22107 (DFG): 22108 * dfg/DFGDriver.cpp: 22109 (JSC::DFG::compile): 22110 221112013-05-02 Filip Pizlo <fpizlo@apple.com> 22112 22113 fourthTier: Profiler should be thread-safe 22114 https://bugs.webkit.org/show_bug.cgi?id=115445 22115 22116 Reviewed by Geoffrey Garen. 22117 22118 Change the Profiler::Database API for Compilation creation so that we don't add 22119 it to the Database until it's completely constructed. This prevents the Database 22120 from seeing Compilations that are being concurrently constructed. 22121 22122 Change the Profiler::Database itself to do locking for creation of Bytecodes and 22123 for modifying the map. This map may be consulted by both the main thread and the 22124 concurrent thread. 22125 22126 * dfg/DFGGraph.cpp: 22127 (JSC::DFG::Graph::Graph): 22128 * dfg/DFGJITCompiler.cpp: 22129 (JSC::DFG::JITCompiler::link): 22130 (JSC::DFG::JITCompiler::linkFunction): 22131 * jit/JIT.cpp: 22132 (JSC::JIT::privateCompile): 22133 * profiler/ProfilerBytecodes.h: 22134 * profiler/ProfilerDatabase.cpp: 22135 (JSC::Profiler::Database::ensureBytecodesFor): 22136 (JSC::Profiler::Database::notifyDestruction): 22137 (JSC::Profiler::Database::addCompilation): 22138 * profiler/ProfilerDatabase.h: 22139 (Database): 22140 221412013-05-02 Filip Pizlo <fpizlo@apple.com> 22142 22143 fourthTier: DFG tries to ref/deref StringImpls in a ton of places 22144 https://bugs.webkit.org/show_bug.cgi?id=115300 22145 22146 Reviewed by Geoffrey Garen. 22147 22148 Change any code transitively called from DFG compilation to use StringImpl* 22149 directly instead of String, Identifier, or PropertyName. I use the convention 22150 of passing "StringImpl* uid" instead of an Identifier or PropertyName. 22151 22152 Switch over any code transitively called from DFG compilation to use CStrings 22153 whenever possible for all of its debug dumping. 22154 22155 This makes it possible to compile things without hitting the ref/deref 22156 assertion in StringImpl. 22157 22158 * JavaScriptCore.xcodeproj/project.pbxproj: 22159 * bytecode/CodeBlock.cpp: 22160 (JSC::CodeBlock::inferredName): 22161 (JSC::CodeBlock::sourceCodeForTools): 22162 (JSC::CodeBlock::sourceCodeOnOneLine): 22163 (JSC::constantName): 22164 (JSC::idName): 22165 (JSC::CodeBlock::registerName): 22166 (JSC::regexpToSourceString): 22167 (JSC::regexpName): 22168 (JSC::pointerToSourceString): 22169 (JSC::CodeBlock::printUnaryOp): 22170 (JSC::CodeBlock::printBinaryOp): 22171 (JSC::CodeBlock::printConditionalJump): 22172 (JSC::CodeBlock::printGetByIdOp): 22173 (JSC::dumpStructure): 22174 (JSC::CodeBlock::printCallOp): 22175 (JSC::CodeBlock::printPutByIdOp): 22176 (JSC::CodeBlock::printStructure): 22177 (JSC::CodeBlock::printStructures): 22178 (JSC::CodeBlock::dumpBytecode): 22179 * bytecode/CodeBlock.h: 22180 (CodeBlock): 22181 * bytecode/CodeBlockHash.cpp: 22182 (JSC::CodeBlockHash::CodeBlockHash): 22183 * bytecode/CodeOrigin.cpp: 22184 (JSC::InlineCallFrame::inferredName): 22185 * bytecode/CodeOrigin.h: 22186 (InlineCallFrame): 22187 * bytecode/GetByIdStatus.cpp: 22188 (JSC::GetByIdStatus::computeFromLLInt): 22189 (JSC::GetByIdStatus::computeForChain): 22190 (JSC::GetByIdStatus::computeFor): 22191 * bytecode/GetByIdStatus.h: 22192 (JSC): 22193 (GetByIdStatus): 22194 * bytecode/PutByIdStatus.cpp: 22195 (JSC::PutByIdStatus::computeFromLLInt): 22196 (JSC::PutByIdStatus::computeFor): 22197 * bytecode/PutByIdStatus.h: 22198 (JSC): 22199 (PutByIdStatus): 22200 * bytecode/ReduceWhitespace.cpp: 22201 (JSC::reduceWhitespace): 22202 * bytecode/ReduceWhitespace.h: 22203 (JSC): 22204 * bytecode/ResolveGlobalStatus.cpp: 22205 (JSC::computeForStructure): 22206 (JSC::ResolveGlobalStatus::computeFor): 22207 * bytecode/ResolveGlobalStatus.h: 22208 (JSC): 22209 (ResolveGlobalStatus): 22210 * dfg/DFGAbstractState.cpp: 22211 (JSC::DFG::AbstractState::executeEffects): 22212 * dfg/DFGByteCodeParser.cpp: 22213 (ByteCodeParser): 22214 (JSC::DFG::ByteCodeParser::parseResolveOperations): 22215 (JSC::DFG::ByteCodeParser::parseBlock): 22216 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): 22217 * dfg/DFGConstantFoldingPhase.cpp: 22218 (JSC::DFG::ConstantFoldingPhase::foldConstants): 22219 * dfg/DFGDesiredIdentifiers.cpp: Added. 22220 (DFG): 22221 (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers): 22222 (JSC::DFG::DesiredIdentifiers::~DesiredIdentifiers): 22223 (JSC::DFG::DesiredIdentifiers::addLazily): 22224 (JSC::DFG::DesiredIdentifiers::reallyAdd): 22225 * dfg/DFGDesiredIdentifiers.h: Added. 22226 (DFG): 22227 (DesiredIdentifiers): 22228 (JSC::DFG::DesiredIdentifiers::numberOfIdentifiers): 22229 (JSC::DFG::DesiredIdentifiers::at): 22230 (JSC::DFG::DesiredIdentifiers::operator[]): 22231 * dfg/DFGFixupPhase.cpp: 22232 (JSC::DFG::FixupPhase::fixupNode): 22233 (JSC::DFG::FixupPhase::isStringPrototypeMethodSane): 22234 (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess): 22235 * dfg/DFGGraph.cpp: 22236 (JSC::DFG::Graph::Graph): 22237 (JSC::DFG::Graph::dump): 22238 * dfg/DFGGraph.h: 22239 (Graph): 22240 * dfg/DFGJITCompiler.cpp: 22241 (JSC::DFG::JITCompiler::link): 22242 * dfg/DFGOperations.cpp: 22243 * dfg/DFGOperations.h: 22244 * dfg/DFGRepatch.cpp: 22245 (JSC::DFG::tryBuildGetByIDList): 22246 * dfg/DFGSpeculativeJIT.h: 22247 (JSC::DFG::SpeculativeJIT::identifierUID): 22248 (JSC::DFG::SpeculativeJIT::callOperation): 22249 * dfg/DFGSpeculativeJIT32_64.cpp: 22250 (JSC::DFG::SpeculativeJIT::cachedGetById): 22251 (JSC::DFG::SpeculativeJIT::cachedPutById): 22252 (JSC::DFG::SpeculativeJIT::compile): 22253 * dfg/DFGSpeculativeJIT64.cpp: 22254 (JSC::DFG::SpeculativeJIT::cachedGetById): 22255 (JSC::DFG::SpeculativeJIT::cachedPutById): 22256 (JSC::DFG::SpeculativeJIT::compile): 22257 * parser/SourceCode.cpp: Added. 22258 (JSC): 22259 (JSC::SourceCode::toUTF8): 22260 * parser/SourceCode.h: 22261 (SourceCode): 22262 * profiler/ProfilerBytecodes.cpp: 22263 (JSC::Profiler::Bytecodes::toJS): 22264 * profiler/ProfilerBytecodes.h: 22265 (JSC::Profiler::Bytecodes::inferredName): 22266 (JSC::Profiler::Bytecodes::sourceCode): 22267 (Bytecodes): 22268 * runtime/Identifier.h: 22269 (JSC::Identifier::utf8): 22270 (JSC): 22271 * runtime/Structure.cpp: 22272 (JSC::Structure::addPropertyTransitionToExistingStructureImpl): 22273 (JSC::Structure::addPropertyTransitionToExistingStructure): 22274 (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently): 22275 (JSC::Structure::getConcurrently): 22276 (JSC::Structure::prototypeChainMayInterceptStoreTo): 22277 (JSC): 22278 * runtime/Structure.h: 22279 (Structure): 22280 * runtime/StructureInlines.h: 22281 (JSC::Structure::getConcurrently): 22282 222832013-05-02 Filip Pizlo <fpizlo@apple.com> 22284 22285 fourthTier: Structure transition table keys don't have to ref their StringImpl's 22286 https://bugs.webkit.org/show_bug.cgi?id=115525 22287 22288 Reviewed by Geoffrey Garen. 22289 22290 The structure transition table basically maps string to structure. The string is 22291 always also stored, and ref'd, in the structure in Structure::m_nameInPrevious. 22292 m_nameInPrevious is never mutated, and never cleared. The string cannot die unless 22293 the structure dies. If the structure dies, then that entry in the transition map 22294 becomes a zombie anyway and we will detect this separately. 22295 22296 So, we don't need to use RefPtr<StringImpl>. We can just use StringImpl*. 22297 22298 This also fixes a goof where we were getting the StringImpl's hash rather than 22299 using a pointer hash. Not only is the latter faster, but it prevents my change 22300 from leading to crashes: with my change we can have zombie keys, not just zombie 22301 values. They will exist only until the next map mutation, which will clear them. 22302 Lookups will work fine because the lookup routine will reject zombies. But it 22303 does mean that the HashMap will have to deal with dangling StringImpl*'s; all it 22304 takes to make this work is to ensure that the HashMap itself never dereferences 22305 them. Using a pointer hash rather than StringImpl::existingHash() accomplishes 22306 this. 22307 22308 This also ensures that we don't accidentally call ref() or deref() from the 22309 compilation thread, if the compilation thread inspects the transition table. 22310 22311 And no, we wouldn't have been able to use the HashMap<RefPtr<...>, ...> 22312 specialization, because the transition table is actually 22313 HashMap<pair<RefPtr<StringImpl>, unsigned>, ...>: hence that specialization 22314 doesn't kick in. We could have written a new specialization or something, but 22315 that seemed like a lot of work given that we don't need the table to be ref'ing 22316 the strings anyways. 22317 22318 * runtime/Structure.cpp: 22319 (JSC::StructureTransitionTable::add): 22320 * runtime/StructureTransitionTable.h: 22321 (StructureTransitionTable): 22322 (Hash): 22323 (JSC::StructureTransitionTable::Hash::hash): 22324 223252013-05-01 Filip Pizlo <fpizlo@apple.com> 22326 22327 fourthTier: Structure::addPropertyTransitionToExistingStructure should be thread-safe 22328 https://bugs.webkit.org/show_bug.cgi?id=115468 22329 22330 Reviewed by Geoffrey Garen. 22331 22332 This makes the main thread modify the transition table while holding a lock. Note 22333 that the GC might modify its weak pointers without locking, but the GC will lock out 22334 the compilation thread anyway. The map will then only reshape in response to add() 22335 and set(), which happen while holding a lock. 22336 22337 This allows the compilation thread to now query transition tables safely, provided it 22338 holds a lock when doing so. 22339 22340 Also changed LLVM asm printer initialization to just initialize the X86 one. It makes 22341 sense for us to just initialize the asm printer(s) that we actually use; you could 22342 imagine us being linked to a system LLVM that has cross-compilation support; there is 22343 no point in the WebKit or JSC process doing work to initialize all of those targets. 22344 That part was rubber stamped by Mark Hahnenberg. 22345 22346 * bytecode/PutByIdStatus.cpp: 22347 (JSC::PutByIdStatus::computeFor): 22348 * runtime/InitializeThreading.cpp: 22349 (JSC::initializeThreadingOnce): 22350 * runtime/Structure.cpp: 22351 (JSC::Structure::addPropertyTransitionToExistingStructureImpl): 22352 (JSC::Structure::addPropertyTransitionToExistingStructure): 22353 (JSC): 22354 (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently): 22355 (JSC::Structure::addPropertyTransition): 22356 (JSC::Structure::nonPropertyTransition): 22357 * runtime/Structure.h: 22358 (Structure): 22359 223602013-04-30 Filip Pizlo <fpizlo@apple.com> 22361 22362 fourthTier: Structure::getConcurrently() may be called from for uncacheable dictionaries, and this is safe 22363 https://bugs.webkit.org/show_bug.cgi?id=115464 22364 22365 Reviewed by Oliver Hunt and Geoffrey Garen. 22366 22367 This can happen for example transitively from JSObject::put(). getCurrently() does 22368 work for uncacheable dictionaries; it just has the obvious race that right after it 22369 returns, the result it returned may no longer be right. This isn't an issue if it was 22370 called on the main thread, and may not be an issue in some other situations. 22371 22372 So, we should just remove the assertion, since the only thing it buys us is crashes. 22373 22374 * runtime/Structure.cpp: 22375 (JSC::Structure::getConcurrently): 22376 223772013-04-30 Filip Pizlo <fpizlo@apple.com> 22378 22379 fourthTier: Don't link gtest into JavaScriptCore 22380 22381 Rubber stamped by Mark Rowe. 22382 22383 * Configurations/JavaScriptCore.xcconfig: 22384 223852013-04-29 Filip Pizlo <fpizlo@apple.com> 22386 22387 fourthTier: String::utf8() should also be available as StringImpl::utf8() so that you don't have to ref() a StringImpl just to get its utf8() 22388 https://bugs.webkit.org/show_bug.cgi?id=115393 22389 22390 Reviewed by Geoffrey Garen. 22391 22392 * runtime/JSGlobalObjectFunctions.cpp: 22393 (JSC::encode): 22394 223952013-07-16 Oliver Hunt <oliver@apple.com> 22396 22397 Merge dfgFourthTier r149301 22398 22399 2013-04-28 Filip Pizlo <fpizlo@apple.com> 22400 22401 fourthTier: ASSERT that commonly used not-thread-safe methods in the runtime are not being called during compilation 22402 https://bugs.webkit.org/show_bug.cgi?id=115297 22403 22404 Reviewed by Geoffrey Garen. 22405 22406 Put in assertions that we're not doing bad things in compilation threads. Also 22407 factored compilation into compile+link so that even though we don't yet have 22408 concurrent compilation, we can be explicit about which parts of DFG work are 22409 meant to be concurrent, and which aren't. 22410 22411 Also fix a handful of bugs found by these assertions. 22412 22413 * JavaScriptCore.xcodeproj/project.pbxproj: 22414 * bytecode/ResolveGlobalStatus.cpp: 22415 (JSC::computeForStructure): 22416 * bytecode/Watchpoint.cpp: 22417 (JSC::WatchpointSet::add): 22418 (JSC::InlineWatchpointSet::inflateSlow): 22419 * dfg/DFGDriver.cpp: 22420 (JSC::DFG::compile): 22421 * dfg/DFGJITCompiler.cpp: 22422 (JSC::DFG::JITCompiler::~JITCompiler): 22423 (DFG): 22424 (JSC::DFG::JITCompiler::compileBody): 22425 (JSC::DFG::JITCompiler::compile): 22426 (JSC::DFG::JITCompiler::link): 22427 (JSC::DFG::JITCompiler::compileFunction): 22428 (JSC::DFG::JITCompiler::linkFunction): 22429 * dfg/DFGJITCompiler.h: 22430 (JITCompiler): 22431 * ftl/FTLCompile.cpp: 22432 (JSC::FTL::compile): 22433 * ftl/FTLCompile.h: 22434 (FTL): 22435 * ftl/FTLLink.cpp: Added. 22436 (FTL): 22437 (JSC::FTL::compileEntry): 22438 (JSC::FTL::link): 22439 * ftl/FTLLink.h: Added. 22440 (FTL): 22441 * ftl/FTLState.cpp: 22442 (JSC::FTL::State::State): 22443 * ftl/FTLState.h: 22444 (FTL): 22445 (State): 22446 * runtime/Structure.cpp: 22447 (JSC::Structure::get): 22448 (JSC::Structure::prototypeChainMayInterceptStoreTo): 22449 * runtime/Structure.h: 22450 (JSC::Structure::materializePropertyMapIfNecessary): 22451 * runtime/StructureInlines.h: 22452 (JSC::Structure::get): 22453 224542013-04-27 Filip Pizlo <fpizlo@apple.com> 22455 22456 FTL should support double variables 22457 https://bugs.webkit.org/show_bug.cgi?id=113624 22458 22459 Reviewed by Geoffrey Garen. 22460 22461 Made all of the operations that the FTL already supports, also support doubles. 22462 OSR exit already basically had everything it needed, so no changes there. This 22463 mostly just glues together bits of DFG IR to LLVM IR, in a straight-forward way. 22464 22465 * ftl/FTLAbbreviations.h: 22466 (FTL): 22467 (JSC::FTL::doubleType): 22468 (JSC::FTL::constReal): 22469 (JSC::FTL::buildPhi): 22470 (JSC::FTL::addIncoming): 22471 (JSC::FTL::buildFAdd): 22472 (JSC::FTL::buildFSub): 22473 (JSC::FTL::buildFMul): 22474 (JSC::FTL::buildFNeg): 22475 (JSC::FTL::buildSIToFP): 22476 (JSC::FTL::buildUIToFP): 22477 (JSC::FTL::buildBitCast): 22478 (JSC::FTL::buildFCmp): 22479 * ftl/FTLCapabilities.cpp: 22480 (JSC::FTL::canCompile): 22481 * ftl/FTLCommonValues.cpp: 22482 (JSC::FTL::CommonValues::CommonValues): 22483 * ftl/FTLCommonValues.h: 22484 (CommonValues): 22485 * ftl/FTLLowerDFGToLLVM.cpp: 22486 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM): 22487 (JSC::FTL::LowerDFGToLLVM::lower): 22488 (JSC::FTL::LowerDFGToLLVM::compileGetLocal): 22489 (JSC::FTL::LowerDFGToLLVM::compileSetLocal): 22490 (JSC::FTL::LowerDFGToLLVM::compileAdd): 22491 (JSC::FTL::LowerDFGToLLVM::compileArithSub): 22492 (JSC::FTL::LowerDFGToLLVM::compileArithMul): 22493 (JSC::FTL::LowerDFGToLLVM::compileArithNegate): 22494 (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber): 22495 (JSC::FTL::LowerDFGToLLVM::compileGetByVal): 22496 (JSC::FTL::LowerDFGToLLVM::compileCompareEq): 22497 (JSC::FTL::LowerDFGToLLVM::compileCompareLess): 22498 (JSC::FTL::LowerDFGToLLVM::lowDouble): 22499 (LowerDFGToLLVM): 22500 (JSC::FTL::LowerDFGToLLVM::lowJSValue): 22501 (JSC::FTL::LowerDFGToLLVM::isCellOrMisc): 22502 (JSC::FTL::LowerDFGToLLVM::unboxDouble): 22503 (JSC::FTL::LowerDFGToLLVM::boxDouble): 22504 (JSC::FTL::LowerDFGToLLVM::speculate): 22505 (JSC::FTL::LowerDFGToLLVM::speculateNumber): 22506 (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): 22507 (JSC::FTL::LowerDFGToLLVM::appendOSRExit): 22508 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): 22509 * ftl/FTLOutput.h: 22510 (JSC::FTL::Output::constDouble): 22511 (Output): 22512 (JSC::FTL::Output::phi): 22513 (JSC::FTL::Output::doubleAdd): 22514 (JSC::FTL::Output::doubleSub): 22515 (JSC::FTL::Output::doubleMul): 22516 (JSC::FTL::Output::doubleNeg): 22517 (JSC::FTL::Output::intToFP): 22518 (JSC::FTL::Output::intToDouble): 22519 (JSC::FTL::Output::unsignedToFP): 22520 (JSC::FTL::Output::unsignedToDouble): 22521 (JSC::FTL::Output::bitCast): 22522 (JSC::FTL::Output::loadDouble): 22523 (JSC::FTL::Output::storeDouble): 22524 (JSC::FTL::Output::doubleEqual): 22525 (JSC::FTL::Output::doubleNotEqualOrUnordered): 22526 (JSC::FTL::Output::doubleLessThan): 22527 (JSC::FTL::Output::doubleLessThanOrEqual): 22528 (JSC::FTL::Output::doubleGreaterThan): 22529 (JSC::FTL::Output::doubleGreaterThanOrEqual): 22530 (JSC::FTL::Output::doubleEqualOrUnordered): 22531 (JSC::FTL::Output::doubleNotEqual): 22532 (JSC::FTL::Output::doubleLessThanOrUnordered): 22533 (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered): 22534 (JSC::FTL::Output::doubleGreaterThanOrUnordered): 22535 (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered): 22536 (JSC::FTL::Output::testIsZero64): 22537 225382013-04-27 Filip Pizlo <fpizlo@apple.com> 22539 22540 fourthTier: SymbolTable should be thread-safe 22541 https://bugs.webkit.org/show_bug.cgi?id=115301 22542 22543 Reviewed by Geoffrey Garen. 22544 22545 Makes SymbolTable thread-safe. Relies on SymbolTableEntry already being immutable, 22546 other than the WatchpointSet; but the WatchpointSet already has a righteous 22547 concurrency protocol. So, this patch just protects the SymbolTable's HashMap. 22548 22549 * bytecode/CodeBlock.cpp: 22550 (JSC::CodeBlock::nameForRegister): 22551 * bytecompiler/BytecodeGenerator.cpp: 22552 (JSC::BytecodeGenerator::addVar): 22553 * runtime/Executable.cpp: 22554 (JSC::ProgramExecutable::addGlobalVar): 22555 * runtime/JSActivation.cpp: 22556 (JSC::JSActivation::getOwnNonIndexPropertyNames): 22557 (JSC::JSActivation::symbolTablePutWithAttributes): 22558 * runtime/JSSymbolTableObject.cpp: 22559 (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames): 22560 * runtime/JSSymbolTableObject.h: 22561 (JSC::symbolTableGet): 22562 (JSC::symbolTablePut): 22563 (JSC::symbolTablePutWithAttributes): 22564 * runtime/SymbolTable.cpp: 22565 (JSC::SymbolTable::SymbolTable): 22566 (JSC::SymbolTable::~SymbolTable): 22567 * runtime/SymbolTable.h: 22568 (JSC::SymbolTable::find): 22569 (JSC::SymbolTable::get): 22570 (JSC::SymbolTable::inlineGet): 22571 (JSC::SymbolTable::begin): 22572 (JSC::SymbolTable::end): 22573 (JSC::SymbolTable::size): 22574 (JSC::SymbolTable::add): 22575 (JSC::SymbolTable::set): 22576 (JSC::SymbolTable::contains): 22577 225782013-04-26 Filip Pizlo <fpizlo@apple.com> 22579 22580 fourthTier: WatchpointSet should make racy uses easier to reason about 22581 https://bugs.webkit.org/show_bug.cgi?id=115299 22582 22583 Reviewed by Anders Carlsson. 22584 22585 The compiler often does things like: 22586 22587 1c) Observe something that would imply that a WatchpointSet ought to be invalid 22588 22589 2c) Check that it is invalid 22590 22591 The main thread often does things like: 22592 22593 1m) Fire the watchpoint set 22594 22595 2m) Do some other thing that would cause the compiler to assume that the WatchpointSet 22596 ought to be invalid 22597 22598 An example is structure transitions, where (1c) is the compiler noticing that a 22599 put_by_id inline cache is in a transition state, with the source structure being S; 22600 (2c) is the compiler asserting that S's watchpoint set is invalid; (1m) is the main 22601 thread firing S's watchpoint set before it does the first transition away from S; and 22602 (2m) is the main thread caching the put_by_id transition away from S. 22603 22604 This is totally fine, except that (1c) and (2c), and (1m) and (2m) could be reordered. 22605 Probably, in most cases, this ought to do enough things that the main thread probably 22606 already has some fencing. But the compiler thread definitely doesn't have fencing. In 22607 any case, we should play it safe and just have additional fencing in all of the 22608 relevant places. 22609 22610 We already have some idioms to put load-load and store-store fences in the right 22611 places. But this change just makes WatchpointSet take care of this for us, thus 22612 reducing the chances of us getting this wrong. 22613 22614 * bytecode/Watchpoint.cpp: 22615 (JSC::WatchpointSet::notifyWriteSlow): 22616 * bytecode/Watchpoint.h: 22617 (WatchpointSet): 22618 (JSC::WatchpointSet::isStillValid): 22619 (JSC::WatchpointSet::hasBeenInvalidated): 22620 (JSC::InlineWatchpointSet::hasBeenInvalidated): 22621 (JSC::InlineWatchpointSet::notifyWrite): 22622 * dfg/DFGByteCodeParser.cpp: 22623 (JSC::DFG::ByteCodeParser::parseBlock): 22624 * dfg/DFGDesiredWatchpoints.h: 22625 (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState): 22626 226272013-07-16 Oliver Hunt <oliver@apple.com> 22628 22629 Merge dfgFourthTier r149233 22630 22631 2013-04-26 Filip Pizlo <fpizlo@apple.com> 22632 22633 fourthTier: CFA should defend against results seeming inconsistent due to a watchpoint firing during compilation 22634 https://bugs.webkit.org/show_bug.cgi?id=115083 22635 22636 Reviewed by Geoffrey Garen. 22637 22638 This ruggedizes our racyness with respect to watchpoints. We want to be able to assert, 22639 in some places, that a watchpoint-based optimization has only occurred if the 22640 watchpoint set was still valid. But currently we *can* soundly do watchpoint-based 22641 optimizations even for invalid watchpoints, so long as we recorded in the IR that we 22642 had done so; this will then lead to the code being insta-jettisoned after compilation 22643 completes. Obviously, we don't want this to happen often - but we do want to allow it 22644 precisely in the case of watchpoint races. 22645 22646 This adds the ability to assert that we hadn't over-watchpointed ourselves, with and 22647 exemption for races. 22648 22649 * dfg/DFGAbstractState.cpp: 22650 (JSC::DFG::AbstractState::executeEffects): 22651 * dfg/DFGAbstractValue.cpp: 22652 (JSC::DFG::AbstractValue::setFuturePossibleStructure): 22653 (JSC::DFG::AbstractValue::filterFuturePossibleStructure): 22654 * dfg/DFGByteCodeParser.cpp: 22655 (JSC::DFG::ByteCodeParser::addStructureTransitionCheck): 22656 (JSC::DFG::ByteCodeParser::parseResolveOperations): 22657 (JSC::DFG::ByteCodeParser::parseBlock): 22658 * dfg/DFGConstantFoldingPhase.cpp: 22659 (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck): 22660 * dfg/DFGDesiredWatchpoints.h: 22661 (GenericDesiredWatchpoints): 22662 (JSC::DFG::GenericDesiredWatchpoints::isStillValid): 22663 (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState): 22664 (JSC::DFG::GenericDesiredWatchpoints::isValidOrMixed): 22665 (JSC::DFG::DesiredWatchpoints::isStillValid): 22666 (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState): 22667 (JSC::DFG::DesiredWatchpoints::isValidOrMixed): 22668 (DesiredWatchpoints): 22669 * dfg/DFGFixupPhase.cpp: 22670 (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess): 22671 * dfg/DFGGraph.h: 22672 (JSC::DFG::Graph::masqueradesAsUndefinedWatchpointIsStillValid): 22673 (Graph): 22674 * dfg/DFGJITCompiler.cpp: 22675 (JSC::DFG::JITCompiler::link): 22676 (JSC::DFG::JITCompiler::compile): 22677 (JSC::DFG::JITCompiler::compileFunction): 22678 * dfg/DFGJITCompiler.h: 22679 (JSC::DFG::JITCompiler::addLazily): 22680 (JITCompiler): 22681 * dfg/DFGSpeculativeJIT.cpp: 22682 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality): 22683 * dfg/DFGSpeculativeJIT.h: 22684 (SpeculativeJIT): 22685 (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid): 22686 (JSC::DFG::SpeculativeJIT::speculationWatchpointForMasqueradesAsUndefined): 22687 (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure): 22688 * dfg/DFGSpeculativeJIT32_64.cpp: 22689 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): 22690 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): 22691 (JSC::DFG::SpeculativeJIT::compileObjectEquality): 22692 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): 22693 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): 22694 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): 22695 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): 22696 (JSC::DFG::SpeculativeJIT::compile): 22697 * dfg/DFGSpeculativeJIT64.cpp: 22698 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): 22699 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): 22700 (JSC::DFG::SpeculativeJIT::compileObjectEquality): 22701 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): 22702 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): 22703 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): 22704 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): 22705 (JSC::DFG::SpeculativeJIT::compile): 22706 * ftl/FTLCompile.cpp: 22707 (JSC::FTL::compile): 22708 * ftl/FTLState.h: 22709 (State): 22710 227112013-04-23 Filip Pizlo <fpizlo@apple.com> 22712 22713 fourthTier: AbstractValue methods that deal with watchpoints should have access to Graph, so that in debug mode, Graph can track the history of watchpoint states and detect races 22714 https://bugs.webkit.org/show_bug.cgi?id=115084 22715 22716 Reviewed by Geoffrey Garen. 22717 22718 The idea is that as part of https://bugs.webkit.org/show_bug.cgi?id=115083, I'll have 22719 Graph record the initial state of a watchpoint at the time that we decide to take 22720 advantage of it; then I will use this to disable any watchpoint-related assertions 22721 in debug mode. Note that this "watchpoint cache" will only be maintained in debug 22722 mode, so there will be no release performance implications. But to do this, I need to 22723 ensure that all of the places that reason about watchpoints have access to Graph. 22724 For example, I'll want AbstractValue::setFuturePossibleStructure to record the state 22725 of the watchpoint in Graph so that subsequent assertions can check if the watchpoint's 22726 state had changed since that decision was made. 22727 22728 * JavaScriptCore.xcodeproj/project.pbxproj: 22729 * dfg/DFGAbstractState.cpp: 22730 (JSC::DFG::AbstractState::initialize): 22731 (JSC::DFG::AbstractState::executeEffects): 22732 (JSC::DFG::AbstractState::mergeStateAtTail): 22733 * dfg/DFGAbstractState.h: 22734 (JSC::DFG::AbstractState::trySetConstant): 22735 * dfg/DFGAbstractValue.cpp: Added. 22736 (DFG): 22737 (JSC::DFG::AbstractValue::setMostSpecific): 22738 (JSC::DFG::AbstractValue::set): 22739 (JSC::DFG::AbstractValue::filter): 22740 (JSC::DFG::AbstractValue::setFuturePossibleStructure): 22741 (JSC::DFG::AbstractValue::filterFuturePossibleStructure): 22742 (JSC::DFG::AbstractValue::dump): 22743 * dfg/DFGAbstractValue.h: 22744 (DFG): 22745 (AbstractValue): 22746 (JSC::DFG::AbstractValue::setType): 22747 (JSC::DFG::AbstractValue::filterByValue): 22748 227492013-07-16 Oliver Hunt <oliver@apple.com> 22750 22751 Merge dfgFourthTier r148936 22752 22753 2013-04-22 Filip Pizlo <fpizlo@apple.com> 22754 22755 fourthTier: Create an equivalent of Structure::get() that can work from a compilation thread 22756 https://bugs.webkit.org/show_bug.cgi?id=114987 22757 22758 Reviewed by Geoffrey Garen. 22759 22760 This completes the work started by r148570. That patch made it possible to do 22761 Structure::get() without modifying Structure. This patch takes this further, and 22762 makes this thread-safe (for non-uncacheable-dictionaries) via 22763 Structure::getConcurrently(). This method not only doesn't modify Structure, but 22764 also ensures that any concurrent attempts to add to, remove from, or steal the 22765 table from that structure doesn't mess up the result of the call. The call may 22766 return invalidOffset even if a property is *just* about to be added, but it will 22767 never do the reverse: if it returns a property then you can be sure that the 22768 structure really does have that property and always will have it. 22769 22770 * bytecode/GetByIdStatus.cpp: 22771 (JSC::GetByIdStatus::computeFromLLInt): 22772 (JSC::GetByIdStatus::computeForChain): 22773 (JSC::GetByIdStatus::computeFor): 22774 * bytecode/PutByIdStatus.cpp: 22775 (JSC::PutByIdStatus::computeFromLLInt): 22776 (JSC::PutByIdStatus::computeFor): 22777 * dfg/DFGFixupPhase.cpp: 22778 (JSC::DFG::FixupPhase::isStringPrototypeMethodSane): 22779 * runtime/PropertyMapHashTable.h: 22780 (PropertyTable): 22781 (JSC::PropertyTable::findConcurrently): 22782 (JSC): 22783 (JSC::PropertyTable::add): 22784 (JSC::PropertyTable::remove): 22785 (JSC::PropertyTable::reinsert): 22786 (JSC::PropertyTable::rehash): 22787 * runtime/PropertyTable.cpp: 22788 (JSC::PropertyTable::PropertyTable): 22789 * runtime/Structure.cpp: 22790 (JSC::Structure::findStructuresAndMapForMaterialization): 22791 (JSC::Structure::getConcurrently): 22792 * runtime/Structure.h: 22793 (Structure): 22794 * runtime/StructureInlines.h: 22795 (JSC::Structure::getConcurrently): 22796 227972013-07-16 Oliver Hunt <oliver@apple.com> 22798 22799 Merge dfgFourthTier r148850 22800 22801 2013-04-21 Filip Pizlo <fpizlo@apple.com> 22802 22803 fourthTier: WebKit's build system should relink JavaScriptCore if LLVM's libraries changed but its headers didn't 22804 https://bugs.webkit.org/show_bug.cgi?id=114926 22805 22806 Reviewed by Geoffrey Garen. 22807 22808 Use a phony file that includes a phony header to force JavaScriptCore to be relinked 22809 if necessary. The external LLVM-importing scripts will touch the header if the libraries 22810 are known to have changed. 22811 22812 * JavaScriptCore.xcodeproj/project.pbxproj: 22813 * ftl/WebKitLLVMLibraryAnchor.cpp: Added. 22814 228152013-07-16 Oliver Hunt <oliver@apple.com> 22816 22817 Merge dfgFourthTier r148836 22818 22819 2013-04-21 Filip Pizlo <fpizlo@apple.com> 22820 22821 fourthTier: It should be possible to query WatchpointSets, and add Watchpoints, even if the compiler is running in another thread 22822 https://bugs.webkit.org/show_bug.cgi?id=114909 22823 22824 Reviewed by Oliver Hunt. 22825 22826 The idea here is that a concurrent compiler will use watchpoint sets as follows: 22827 22828 During concurrent compilation: It will create Watchpoints, and query WatchpointSets only 22829 for the purpose of profiling. That is, it will use decide whether it is profitable to 22830 compile the code "as if" the watchpoint sets are valid. 22831 22832 During synchronous linking: By "linking" I don't necessarily mean the LinkBuffer stuff, 22833 but just the very bitter end of compilation where we make the JIT code callable. This 22834 can happen after LinkBuffer stuff. Anyway, this will have to happen synchronously, and 22835 at that point we can (a) check that all WatchpointSets that we assumed were valid are 22836 still valid and (b) if they are then we add the watchpoints to those sets. If any of the 22837 sets are invalid, we give up on this compilation and try again later. 22838 22839 The querying of WatchpointSets is engineered to say that the set is still valid if it 22840 is so *right now*, but this is done in a racy way and so it may say so spuriously: we 22841 may, with hopefully low probability, have a set that says it is valid even though it was 22842 just invalidated. The goal is only to ensure that (i) a set never claims to be invalid 22843 if it is actually valid, (ii) a set doesn't claim to be valid if it was invalidated 22844 before compilation even began, and (iii) querying the validity of a set doesn't cause us 22845 to crash. 22846 22847 * JavaScriptCore.xcodeproj/project.pbxproj: 22848 * bytecode/Watchpoint.cpp: 22849 (JSC::InlineWatchpointSet::inflateSlow): 22850 * bytecode/Watchpoint.h: 22851 (WatchpointSet): 22852 (InlineWatchpointSet): 22853 (JSC::InlineWatchpointSet::hasBeenInvalidated): 22854 (JSC::InlineWatchpointSet::isThin): 22855 (JSC::InlineWatchpointSet::isFat): 22856 (JSC::InlineWatchpointSet::fat): 22857 * dfg/DFGDesiredWatchpoints.cpp: Added. 22858 (DFG): 22859 (JSC::DFG::DesiredWatchpoints::DesiredWatchpoints): 22860 (JSC::DFG::DesiredWatchpoints::~DesiredWatchpoints): 22861 (JSC::DFG::DesiredWatchpoints::addLazily): 22862 (JSC::DFG::DesiredWatchpoints::reallyAdd): 22863 (JSC::DFG::DesiredWatchpoints::areStillValid): 22864 * dfg/DFGDesiredWatchpoints.h: Added. 22865 (DFG): 22866 (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet): 22867 (WatchpointForGenericWatchpointSet): 22868 (GenericDesiredWatchpoints): 22869 (JSC::DFG::GenericDesiredWatchpoints::GenericDesiredWatchpoints): 22870 (JSC::DFG::GenericDesiredWatchpoints::addLazily): 22871 (JSC::DFG::GenericDesiredWatchpoints::reallyAdd): 22872 (JSC::DFG::GenericDesiredWatchpoints::areStillValid): 22873 (DesiredWatchpoints): 22874 * dfg/DFGDriver.cpp: 22875 (JSC::DFG::compile): 22876 * dfg/DFGJITCompiler.cpp: 22877 (JSC::DFG::JITCompiler::link): 22878 (JSC::DFG::JITCompiler::compile): 22879 (JSC::DFG::JITCompiler::compileFunction): 22880 * dfg/DFGJITCompiler.h: 22881 (JSC::DFG::JITCompiler::addLazily): 22882 (JITCompiler): 22883 * dfg/DFGSpeculativeJIT.cpp: 22884 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality): 22885 * dfg/DFGSpeculativeJIT32_64.cpp: 22886 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): 22887 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): 22888 (JSC::DFG::SpeculativeJIT::compileObjectEquality): 22889 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): 22890 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): 22891 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): 22892 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): 22893 (JSC::DFG::SpeculativeJIT::compile): 22894 * dfg/DFGSpeculativeJIT64.cpp: 22895 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): 22896 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): 22897 (JSC::DFG::SpeculativeJIT::compileObjectEquality): 22898 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): 22899 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): 22900 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): 22901 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): 22902 (JSC::DFG::SpeculativeJIT::compile): 22903 * ftl/FTLCompile.cpp: 22904 (JSC::FTL::compile): 22905 * ftl/FTLCompile.h: 22906 (FTL): 22907 * ftl/FTLState.h: 22908 (State): 22909 * runtime/JSFunction.h: 22910 (JSFunction): 22911 (JSC::JSFunction::allocationProfileWatchpointSet): 22912 * runtime/Structure.h: 22913 (Structure): 22914 (JSC::Structure::transitionWatchpointSet): 22915 229162013-07-16 Oliver Hunt <oliver@apple.com> 22917 22918 Merge dfgFourthTier r148804 22919 22920 2013-04-20 Filip Pizlo <fpizlo@apple.com> 22921 22922 fourthTier: value profiles and array profiles should be thread-safe enough to be accessible in a concurrent compilation thread 22923 https://bugs.webkit.org/show_bug.cgi?id=114906 22924 22925 Reviewed by Oliver Hunt. 22926 22927 This introduces thread safety to value profiles, array profiles, and 22928 array allocation profiles. 22929 22930 We already have three separate operations that happen on profiles: 22931 (1) writing, which the JIT, LLInt, and OSR exit do; (2) updating, 22932 which happens during GC, from OSR entry slow-paths, and in the DFG; 22933 and (3) reading, which happens in the DFG. For example, the JIT/LLInt 22934 and OSR exit write to ValueProfile::m_buckets, which gets synthesized 22935 into ValueProfile::m_prediction (and other fields) during update, and 22936 the latter gets read by the DFG. Note that (2) must also happen in 22937 the DFG since only the DFG knows which code blocks it will inline, 22938 and those blocks' profiles may not have otherwise been updated via 22939 any other mechanism. 22940 22941 I refer to these three operations as writing, updating, and reading. 22942 22943 Consequently, both profile updating and profile reading may happen 22944 asynchronously, if the JIT is asynchronous. 22945 22946 The locking protocol for profiles works as follows: 22947 22948 - Writing does not require locking, but is only allowed on the main 22949 thread. We require that these fields can be stored atomically by 22950 the profiling code, even without locks. For value profiles, this 22951 only works on 64-bit platforms, currently. For array profiles, 22952 which consist of multiple separate fields, this means that an 22953 asynchronous update of the profile may see slight inconsistencies 22954 (like a structure that doesn't quite match the array modes bits), 22955 but these should be harmless: at worst, the DFG will specialize 22956 too much and we'll have OSR exits. 22957 22958 - Updating a value profile requires holding a lock, but must assume 22959 that the fields written by the profiling code in JIT/LLInt may 22960 be written to without locking. 22961 22962 - Reading a value profile requires holding a lock. 22963 22964 The one major exception to these rules is the ArrayAllocationProfile, 22965 which requires no locking. We do this because it's used so often and 22966 in places where we don't necessarily have access to the owning 22967 CodeBlock, so if we did want it to be locked it would have to have 22968 its own lock. Also, I believe that it is sound to just make this 22969 profile racy and not worry about locking at all. All that was needed 22970 were some changes to ensure that we explicitly read some raced-over 22971 fields only once. 22972 22973 Two additional interesting things in this change: 22974 22975 - To make it easy to see which profile methods require locking, they 22976 take a const CodeBlockLocker& as an argument. I saw this idiom for 22977 identifying which methods require which locks to be held being used 22978 in LLVM, and I quite like it. 22979 22980 - Lazy operand value profiles, which are created lazily and at any 22981 time, require the CodeBlockLock to be held when they are being 22982 created. Writes to them are lockless and main-thread-only, but as 22983 with other profiles, updates and reads require locking. 22984 22985 * JavaScriptCore.xcodeproj/project.pbxproj: 22986 * bytecode/ArrayAllocationProfile.cpp: 22987 (JSC::ArrayAllocationProfile::updateIndexingType): 22988 * bytecode/ArrayAllocationProfile.h: 22989 (JSC::ArrayAllocationProfile::selectIndexingType): 22990 * bytecode/ArrayProfile.cpp: 22991 (JSC::ArrayProfile::computeUpdatedPrediction): 22992 (JSC::ArrayProfile::briefDescription): 22993 * bytecode/ArrayProfile.h: 22994 (ArrayProfile): 22995 (JSC::ArrayProfile::expectedStructure): 22996 (JSC::ArrayProfile::structureIsPolymorphic): 22997 (JSC::ArrayProfile::hasDefiniteStructure): 22998 (JSC::ArrayProfile::observedArrayModes): 22999 (JSC::ArrayProfile::mayInterceptIndexedAccesses): 23000 (JSC::ArrayProfile::mayStoreToHole): 23001 (JSC::ArrayProfile::outOfBounds): 23002 (JSC::ArrayProfile::usesOriginalArrayStructures): 23003 * bytecode/CallLinkStatus.cpp: 23004 (JSC::CallLinkStatus::computeFor): 23005 * bytecode/CodeBlock.cpp: 23006 (JSC::CodeBlock::dumpValueProfiling): 23007 (JSC::CodeBlock::dumpArrayProfiling): 23008 (JSC::CodeBlock::updateAllPredictionsAndCountLiveness): 23009 (JSC::CodeBlock::updateAllArrayPredictions): 23010 * bytecode/CodeBlock.h: 23011 (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset): 23012 (JSC::CodeBlock::updateAllPredictionsAndCheckIfShouldOptimizeNow): 23013 (CodeBlock): 23014 * bytecode/CodeBlockLock.h: Added. 23015 (JSC): 23016 * bytecode/GetByIdStatus.cpp: 23017 (JSC::GetByIdStatus::computeFor): 23018 * bytecode/LazyOperandValueProfile.cpp: 23019 (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions): 23020 (JSC::CompressedLazyOperandValueProfileHolder::add): 23021 (JSC::LazyOperandValueProfileParser::LazyOperandValueProfileParser): 23022 (JSC::LazyOperandValueProfileParser::~LazyOperandValueProfileParser): 23023 (JSC): 23024 (JSC::LazyOperandValueProfileParser::initialize): 23025 (JSC::LazyOperandValueProfileParser::prediction): 23026 * bytecode/LazyOperandValueProfile.h: 23027 (CompressedLazyOperandValueProfileHolder): 23028 (LazyOperandValueProfileParser): 23029 * bytecode/MethodOfGettingAValueProfile.cpp: 23030 (JSC::MethodOfGettingAValueProfile::getSpecFailBucket): 23031 * bytecode/PutByIdStatus.cpp: 23032 (JSC::PutByIdStatus::computeFor): 23033 * bytecode/ResolveGlobalStatus.cpp: 23034 (JSC::ResolveGlobalStatus::computeFor): 23035 * bytecode/ValueProfile.h: 23036 (JSC::ValueProfileBase::briefDescription): 23037 (ValueProfileBase): 23038 (JSC::ValueProfileBase::computeUpdatedPrediction): 23039 * dfg/DFGArrayMode.cpp: 23040 (JSC::DFG::ArrayMode::fromObserved): 23041 * dfg/DFGArrayMode.h: 23042 (ArrayMode): 23043 (JSC::DFG::ArrayMode::withProfile): 23044 * dfg/DFGByteCodeParser.cpp: 23045 (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation): 23046 (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit): 23047 (JSC::DFG::ByteCodeParser::getArrayMode): 23048 (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks): 23049 (JSC::DFG::ByteCodeParser::parseResolveOperations): 23050 (JSC::DFG::ByteCodeParser::parseBlock): 23051 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): 23052 * dfg/DFGFixupPhase.cpp: 23053 (JSC::DFG::FixupPhase::fixupNode): 23054 * dfg/DFGOSRExitPreparation.cpp: 23055 (JSC::DFG::prepareCodeOriginForOSRExit): 23056 * dfg/DFGPredictionInjectionPhase.cpp: 23057 (JSC::DFG::PredictionInjectionPhase::run): 23058 * jit/JITInlines.h: 23059 (JSC::JIT::chooseArrayMode): 23060 * jit/JITStubs.cpp: 23061 (JSC::tryCachePutByID): 23062 (JSC::tryCacheGetByID): 23063 (JSC::DEFINE_STUB_FUNCTION): 23064 (JSC::lazyLinkFor): 23065 * llint/LLIntSlowPaths.cpp: 23066 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 23067 (JSC::LLInt::setUpCall): 23068 * profiler/ProfilerBytecodeSequence.cpp: 23069 (JSC::Profiler::BytecodeSequence::BytecodeSequence): 23070 * runtime/JSScope.cpp: 23071 (JSC::JSScope::resolveContainingScopeInternal): 23072 (JSC::JSScope::resolvePut): 23073 230742013-04-17 Filip Pizlo <fpizlo@apple.com> 23075 23076 fourthTier: all inline caches should thread-safe enough to allow a concurrent compilation thread to read them safely 23077 https://bugs.webkit.org/show_bug.cgi?id=114762 23078 23079 Reviewed by Mark Hahnenberg. 23080 23081 For most inline caches this is easy: the inline cache has a clean temporal 23082 separation between doing the requested action (which may take an unbounded 23083 amount of time, may recurse, and may do arbitrary things) and recording the 23084 relevant information in the cache. So, we just put locks around the 23085 recording bit. That part is always O(1) and does not recurse. The lock we 23086 use is per-CodeBlock to achieve a good balance between locking granularity 23087 and low space overhead. So a concurrent compilation thread will only block 23088 if an inline cache ping-pongs in the code block being compiled (or inlined) 23089 and never when other inline caches do things. 23090 23091 For resolve operations, it's a bit tricky. The global resolve bit works 23092 like any other IC in that it has the clean temporal separation. But the 23093 operations vector itself doesn't have this separation, since we will be 23094 filling it in tandem with actions that may take a long time. This patch 23095 gets around this by having a m_ready bit in the ResolveOperations and 23096 PutToBaseOperation. This is set while holding the CodeBlock's lock. If the 23097 DFG observes the m_ready bit not set (while holding the lock) then it 23098 conservatively assumes that the resolve hasn't happened yet and just 23099 plants a ForceOSRExit. 23100 23101 * bytecode/CallLinkStatus.cpp: 23102 (JSC::CallLinkStatus::computeFor): 23103 * bytecode/CodeBlock.h: 23104 (CodeBlock): 23105 * bytecode/GetByIdStatus.cpp: 23106 (JSC::GetByIdStatus::computeFor): 23107 * bytecode/PutByIdStatus.cpp: 23108 (JSC::PutByIdStatus::computeFor): 23109 * bytecode/ResolveGlobalStatus.cpp: 23110 (JSC::ResolveGlobalStatus::computeFor): 23111 * bytecode/ResolveOperation.h: 23112 (JSC::ResolveOperations::ResolveOperations): 23113 (ResolveOperations): 23114 (JSC::PutToBaseOperation::PutToBaseOperation): 23115 * dfg/DFGByteCodeParser.cpp: 23116 (JSC::DFG::ByteCodeParser::parseResolveOperations): 23117 (JSC::DFG::ByteCodeParser::parseBlock): 23118 * jit/JITStubs.cpp: 23119 (JSC::tryCachePutByID): 23120 (JSC::tryCacheGetByID): 23121 (JSC::DEFINE_STUB_FUNCTION): 23122 (JSC::lazyLinkFor): 23123 * llint/LLIntSlowPaths.cpp: 23124 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 23125 (JSC::LLInt::setUpCall): 23126 * runtime/JSScope.cpp: 23127 (JSC::JSScope::resolveContainingScopeInternal): 23128 (JSC::JSScope::resolveContainingScope): 23129 (JSC::JSScope::resolvePut): 23130 231312013-04-16 Filip Pizlo <fpizlo@apple.com> 23132 23133 fourthTier: DFG should be able to query Structure without modifying it 23134 https://bugs.webkit.org/show_bug.cgi?id=114708 23135 23136 Reviewed by Oliver Hunt. 23137 23138 This is work towards allowing the DFG, and FTL, to run on a separate thread. 23139 The idea is that the most evil thing that the DFG does that has thread-safety 23140 issues is fiddling with Structures by calling Structure::get(). This can lead 23141 to rematerialization of property tables, which is definitely not thread-safe 23142 due to how StringImpl works. So, this patch completely side-steps the problem 23143 by creating a new version of Structure::get, called 23144 Structure::getWithoutMaterializing, which may choose to do an O(n) search if 23145 necessary to avoid materialization. I believe this should be fine - the DFG 23146 does't call into these code path often enough for this to matter, and most of 23147 the time, the Structure that we call this on will already have a property 23148 table because some inline cache would have already called ::get() on that 23149 Structure. 23150 23151 Also cleaned up the materialization logic: we can stop the search as soon as 23152 we find any Structure with a property table rather than searching all the way 23153 for a pinned one. 23154 23155 * bytecode/GetByIdStatus.cpp: 23156 (JSC::GetByIdStatus::computeFor): 23157 * bytecode/PutByIdStatus.cpp: 23158 (JSC::PutByIdStatus::computeFromLLInt): 23159 (JSC::PutByIdStatus::computeFor): 23160 * runtime/Structure.cpp: 23161 (JSC::Structure::findStructuresAndMapForMaterialization): 23162 (JSC::Structure::materializePropertyMap): 23163 (JSC::Structure::getWithoutMaterializing): 23164 (JSC): 23165 * runtime/Structure.h: 23166 (Structure): 23167 * runtime/StructureInlines.h: 23168 (JSC::Structure::getWithoutMaterializing): 23169 (JSC): 23170 231712013-04-13 Filip Pizlo <fpizlo@apple.com> 23172 23173 fourthTier: Fix release build. 23174 23175 * dfg/DFGOSRExitCompilerCommon.cpp: 23176 * ftl/FTLExitValue.cpp: 23177 * ftl/FTLOSRExitCompiler.cpp: 23178 231792013-04-13 Filip Pizlo <fpizlo@apple.com> 23180 23181 fourthTier: FTL should have OSR exit 23182 https://bugs.webkit.org/show_bug.cgi?id=113623 23183 23184 Reviewed by Oliver Hunt. 23185 23186 This implements OSR exit, and hilariously, it actually works. The idea is to have 23187 LLVM call a no-return function on the off-ramp, passing it everything we know about 23188 bytecode state that isn't already flushed to the call frame. Our own JIT takes care 23189 of the rest. 23190 23191 We can now run all of SunSpider, V8, and Kraken with the FTL enabled. 23192 23193 The details are described in FTLOSRExit.h. 23194 23195 * CMakeLists.txt: 23196 * GNUmakefile.list.am: 23197 * JavaScriptCore.xcodeproj/project.pbxproj: 23198 * Target.pri: 23199 * assembler/AbstractMacroAssembler.h: 23200 (Address): 23201 (JSC::AbstractMacroAssembler::Address::withOffset): 23202 * assembler/LinkBuffer.h: 23203 (JSC::LinkBuffer::offsetOf): 23204 (LinkBuffer): 23205 * assembler/MacroAssemblerX86Common.h: 23206 * assembler/RepatchBuffer.h: 23207 (JSC::RepatchBuffer::RepatchBuffer): 23208 (JSC::RepatchBuffer::~RepatchBuffer): 23209 (RepatchBuffer): 23210 * bytecode/CodeBlock.cpp: 23211 (JSC::CodeBlock::tallyFrequentExitSites): 23212 * bytecode/Operands.h: 23213 (Operands): 23214 (JSC): 23215 (JSC::::dump): 23216 * dfg/DFGAbstractState.cpp: 23217 (JSC::DFG::AbstractState::initialize): 23218 * dfg/DFGGPRInfo.h: 23219 (DFG): 23220 (GPRInfo): 23221 * dfg/DFGMinifiedNode.h: 23222 (JSC::DFG::belongsInMinifiedGraph): 23223 * dfg/DFGNodeType.h: 23224 (JSC::DFG::needsOSRBackwardRewiring): 23225 (DFG): 23226 (JSC::DFG::needsOSRForwardRewiring): 23227 * dfg/DFGOSRExit.cpp: 23228 (JSC::DFG::OSRExit::OSRExit): 23229 (DFG): 23230 (JSC::DFG::OSRExit::convertToForward): 23231 * dfg/DFGOSRExit.h: 23232 (OSRExit): 23233 * dfg/DFGOSRExitBase.cpp: Added. 23234 (DFG): 23235 (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow): 23236 (JSC::DFG::OSRExitBase::doSearchForForwardConversion): 23237 * dfg/DFGOSRExitBase.h: Added. 23238 (DFG): 23239 (JSC::DFG::OSRExitBase::OSRExitBase): 23240 (OSRExitBase): 23241 (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite): 23242 * dfg/DFGOSRExitCompiler.cpp: 23243 * dfg/DFGOSRExitCompiler64.cpp: 23244 (JSC::DFG::OSRExitCompiler::compileExit): 23245 * dfg/DFGOSRExitCompilerCommon.cpp: 23246 (JSC::DFG::handleExitCounts): 23247 (JSC::DFG::reifyInlinedCallFrames): 23248 (JSC::DFG::adjustAndJumpToTarget): 23249 * dfg/DFGOSRExitCompilerCommon.h: 23250 (DFG): 23251 * dfg/DFGOSRExitPreparation.cpp: Added. 23252 (DFG): 23253 (JSC::DFG::prepareCodeOriginForOSRExit): 23254 * dfg/DFGOSRExitPreparation.h: Added. 23255 (DFG): 23256 * dfg/DFGOperations.cpp: 23257 * dfg/DFGSpeculativeJIT.cpp: 23258 (JSC::DFG::SpeculativeJIT::checkArgumentTypes): 23259 * dfg/DFGValueSource.h: 23260 (JSC::DFG::ValueSource::forSpeculation): 23261 * dfg/DFGVariableEventStream.cpp: 23262 (JSC::DFG::VariableEventStream::reconstruct): 23263 * ftl/FTLAbbreviations.h: 23264 (JSC::FTL::functionType): 23265 (FTL): 23266 (JSC::FTL::typeOf): 23267 (JSC::FTL::appendBasicBlock): 23268 (JSC::FTL::insertBasicBlock): 23269 (JSC::FTL::buildCall): 23270 (JSC::FTL::setTailCall): 23271 * ftl/FTLCArgumentGetter.cpp: Added. 23272 (FTL): 23273 (JSC::FTL::CArgumentGetter::loadNextAndBox): 23274 * ftl/FTLCArgumentGetter.h: Added. 23275 (FTL): 23276 (JSC::FTL::isArgumentRegister): 23277 (CArgumentGetter): 23278 (JSC::FTL::CArgumentGetter::CArgumentGetter): 23279 (JSC::FTL::CArgumentGetter::loadNext8): 23280 (JSC::FTL::CArgumentGetter::loadNext32): 23281 (JSC::FTL::CArgumentGetter::loadNext64): 23282 (JSC::FTL::CArgumentGetter::loadNextPtr): 23283 (JSC::FTL::CArgumentGetter::loadNextDouble): 23284 (JSC::FTL::CArgumentGetter::nextAddress): 23285 * ftl/FTLCompile.cpp: 23286 (JSC::FTL::compile): 23287 * ftl/FTLExitArgument.cpp: Added. 23288 (FTL): 23289 (JSC::FTL::ExitArgument::dump): 23290 * ftl/FTLExitArgument.h: Added. 23291 (FTL): 23292 (ExitArgumentRepresentation): 23293 (ExitArgument): 23294 (JSC::FTL::ExitArgument::ExitArgument): 23295 (JSC::FTL::ExitArgument::operator!): 23296 (JSC::FTL::ExitArgument::format): 23297 (JSC::FTL::ExitArgument::argument): 23298 (JSC::FTL::ExitArgument::withFormat): 23299 (JSC::FTL::ExitArgument::representation): 23300 * ftl/FTLExitArgumentForOperand.cpp: Added. 23301 (FTL): 23302 (JSC::FTL::ExitArgumentForOperand::dump): 23303 * ftl/FTLExitArgumentForOperand.h: Added. 23304 (FTL): 23305 (ExitArgumentForOperand): 23306 (JSC::FTL::ExitArgumentForOperand::ExitArgumentForOperand): 23307 (JSC::FTL::ExitArgumentForOperand::operator!): 23308 (JSC::FTL::ExitArgumentForOperand::exitArgument): 23309 (JSC::FTL::ExitArgumentForOperand::operand): 23310 (JSC::FTL::lesserArgumentIndex): 23311 * ftl/FTLExitArgumentList.h: Added. 23312 (FTL): 23313 * ftl/FTLExitThunkGenerator.cpp: Added. 23314 (FTL): 23315 (JSC::FTL::ExitThunkGenerator::ExitThunkGenerator): 23316 (JSC::FTL::ExitThunkGenerator::~ExitThunkGenerator): 23317 (JSC::FTL::ExitThunkGenerator::emitThunk): 23318 * ftl/FTLExitThunkGenerator.h: Added. 23319 (FTL): 23320 (ExitThunkGenerator): 23321 (JSC::FTL::ExitThunkGenerator::didThings): 23322 * ftl/FTLExitValue.cpp: Added. 23323 (FTL): 23324 (JSC::FTL::ExitValue::dump): 23325 * ftl/FTLExitValue.h: Added. 23326 (FTL): 23327 (ExitValue): 23328 (JSC::FTL::ExitValue::ExitValue): 23329 (JSC::FTL::ExitValue::operator!): 23330 (JSC::FTL::ExitValue::dead): 23331 (JSC::FTL::ExitValue::inJSStack): 23332 (JSC::FTL::ExitValue::inJSStackAsInt32): 23333 (JSC::FTL::ExitValue::inJSStackAsDouble): 23334 (JSC::FTL::ExitValue::constant): 23335 (JSC::FTL::ExitValue::exitArgument): 23336 (JSC::FTL::ExitValue::kind): 23337 (JSC::FTL::ExitValue::isDead): 23338 (JSC::FTL::ExitValue::isInJSStackSomehow): 23339 (JSC::FTL::ExitValue::isConstant): 23340 (JSC::FTL::ExitValue::isArgument): 23341 * ftl/FTLFormattedValue.h: 23342 (FTL): 23343 (JSC::FTL::noValue): 23344 (JSC::FTL::int32Value): 23345 (JSC::FTL::uInt32Value): 23346 (JSC::FTL::booleanValue): 23347 (JSC::FTL::jsValueValue): 23348 (JSC::FTL::doubleValue): 23349 * ftl/FTLJITCode.cpp: 23350 (JSC::FTL::JITCode::initializeExitThunks): 23351 (FTL): 23352 (JSC::FTL::JITCode::exitThunks): 23353 * ftl/FTLJITCode.h: 23354 (JITCode): 23355 * ftl/FTLLowerDFGToLLVM.cpp: 23356 (FTL): 23357 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM): 23358 (JSC::FTL::LowerDFGToLLVM::lower): 23359 (JSC::FTL::LowerDFGToLLVM::transferAndCheckArguments): 23360 (JSC::FTL::LowerDFGToLLVM::compileBlock): 23361 (JSC::FTL::LowerDFGToLLVM::compileNode): 23362 (JSC::FTL::LowerDFGToLLVM::compileGetLocal): 23363 (JSC::FTL::LowerDFGToLLVM::compileSetLocal): 23364 (LowerDFGToLLVM): 23365 (JSC::FTL::LowerDFGToLLVM::compileMovHint): 23366 (JSC::FTL::LowerDFGToLLVM::compileZombieHint): 23367 (JSC::FTL::LowerDFGToLLVM::compileMovHintAndCheck): 23368 (JSC::FTL::LowerDFGToLLVM::compileAdd): 23369 (JSC::FTL::LowerDFGToLLVM::compileArithSub): 23370 (JSC::FTL::LowerDFGToLLVM::compileArithMul): 23371 (JSC::FTL::LowerDFGToLLVM::compileArithNegate): 23372 (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber): 23373 (JSC::FTL::LowerDFGToLLVM::compileCheckStructure): 23374 (JSC::FTL::LowerDFGToLLVM::compileGetByVal): 23375 (JSC::FTL::LowerDFGToLLVM::speculateBackward): 23376 (JSC::FTL::LowerDFGToLLVM::speculateForward): 23377 (JSC::FTL::LowerDFGToLLVM::speculate): 23378 (JSC::FTL::LowerDFGToLLVM::terminate): 23379 (JSC::FTL::LowerDFGToLLVM::backwardTypeCheck): 23380 (JSC::FTL::LowerDFGToLLVM::forwardTypeCheck): 23381 (JSC::FTL::LowerDFGToLLVM::typeCheck): 23382 (JSC::FTL::LowerDFGToLLVM::appendTypeCheck): 23383 (JSC::FTL::LowerDFGToLLVM::lowInt32): 23384 (JSC::FTL::LowerDFGToLLVM::lowCell): 23385 (JSC::FTL::LowerDFGToLLVM::lowBoolean): 23386 (JSC::FTL::LowerDFGToLLVM::speculateObject): 23387 (JSC::FTL::LowerDFGToLLVM::isLive): 23388 (JSC::FTL::LowerDFGToLLVM::use): 23389 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): 23390 (JSC::FTL::LowerDFGToLLVM::appendOSRExit): 23391 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): 23392 (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument): 23393 (JSC::FTL::LowerDFGToLLVM::addExitArgument): 23394 (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks): 23395 (JSC::FTL::LowerDFGToLLVM::observeMovHint): 23396 * ftl/FTLOSRExit.cpp: Added. 23397 (FTL): 23398 (JSC::FTL::OSRExit::OSRExit): 23399 (JSC::FTL::OSRExit::codeLocationForRepatch): 23400 (JSC::FTL::OSRExit::convertToForward): 23401 * ftl/FTLOSRExit.h: Added. 23402 (FTL): 23403 (OSRExit): 23404 * ftl/FTLOSRExitCompilationInfo.h: Added. 23405 (FTL): 23406 (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo): 23407 (OSRExitCompilationInfo): 23408 * ftl/FTLOSRExitCompiler.cpp: Added. 23409 (FTL): 23410 (JSC::FTL::compileStub): 23411 (JSC::FTL::compileFTLOSRExit): 23412 * ftl/FTLOSRExitCompiler.h: Added. 23413 (FTL): 23414 * ftl/FTLOutput.h: 23415 (JSC::FTL::Output::newBlock): 23416 (JSC::FTL::Output::intToPtr): 23417 (JSC::FTL::Output::load): 23418 (JSC::FTL::Output::store): 23419 (Output): 23420 (JSC::FTL::Output::call): 23421 (JSC::FTL::Output::convertToTailCall): 23422 (FTL): 23423 * ftl/FTLState.h: 23424 (State): 23425 * ftl/FTLThunks.cpp: Added. 23426 (FTL): 23427 (JSC::FTL::osrExitGenerationThunkGenerator): 23428 * ftl/FTLThunks.h: Added. 23429 (JSC): 23430 (FTL): 23431 * ftl/FTLValueFormat.cpp: Added. 23432 (WTF): 23433 (WTF::printInternal): 23434 * ftl/FTLValueFormat.h: Added. 23435 (FTL): 23436 (WTF): 23437 * ftl/FTLValueSource.cpp: Added. 23438 (FTL): 23439 (JSC::FTL::ValueSource::dump): 23440 * ftl/FTLValueSource.h: Added. 23441 (FTL): 23442 (ValueSource): 23443 (JSC::FTL::ValueSource::ValueSource): 23444 (JSC::FTL::ValueSource::kind): 23445 (JSC::FTL::ValueSource::operator!): 23446 (JSC::FTL::ValueSource::node): 23447 234482013-04-12 Filip Pizlo <fpizlo@apple.com> 23449 23450 fourthTier: switch to using MCJIT and disable frame pointer elimination 23451 https://bugs.webkit.org/show_bug.cgi?id=114542 23452 23453 Reviewed by Oliver Hunt and Michael Saboff. 23454 23455 * ftl/FTLCompile.cpp: 23456 (JSC::FTL::compile): 23457 * runtime/InitializeThreading.cpp: 23458 (JSC::initializeThreadingOnce): 23459 234602013-04-09 Filip Pizlo <fpizlo@apple.com> 23461 23462 fourthTier: DFG should provide utilities for common OSR exit tasks 23463 https://bugs.webkit.org/show_bug.cgi?id=114306 23464 23465 Reviewed by Mark Hahnenberg. 23466 23467 Just abstract out some things that the FTL will want to use as well. 23468 23469 * CMakeLists.txt: 23470 * GNUmakefile.list.am: 23471 * JavaScriptCore.xcodeproj/project.pbxproj: 23472 * Target.pri: 23473 * dfg/DFGDriver.cpp: 23474 (JSC::DFG::compile): 23475 * dfg/DFGOSRExitCompiler.cpp: 23476 * dfg/DFGOSRExitCompiler.h: 23477 (OSRExitCompiler): 23478 * dfg/DFGOSRExitCompiler32_64.cpp: 23479 (JSC::DFG::OSRExitCompiler::compileExit): 23480 * dfg/DFGOSRExitCompiler64.cpp: 23481 (JSC::DFG::OSRExitCompiler::compileExit): 23482 * dfg/DFGOSRExitCompilerCommon.cpp: Added. 23483 (DFG): 23484 (JSC::DFG::handleExitCounts): 23485 (JSC::DFG::reifyInlinedCallFrames): 23486 (JSC::DFG::adjustAndJumpToTarget): 23487 * dfg/DFGOSRExitCompilerCommon.h: Added. 23488 (DFG): 23489 234902013-04-09 Filip Pizlo <fpizlo@apple.com> 23491 23492 fourthTier: DFG should better abstract floating point arguments 23493 https://bugs.webkit.org/show_bug.cgi?id=114300 23494 23495 Reviewed by Mark Hahnenberg. 23496 23497 * dfg/DFGFPRInfo.h: 23498 (FPRInfo): 23499 (JSC::DFG::FPRInfo::toArgumentRegister): 23500 235012013-04-05 Filip Pizlo <fpizlo@apple.com> 23502 23503 fourthTier: DFG should better abstract arguments 23504 https://bugs.webkit.org/show_bug.cgi?id=114073 23505 23506 Reviewed by Mark Hahnenberg. 23507 23508 * dfg/DFGGPRInfo.h: 23509 (GPRInfo): 23510 (JSC::DFG::GPRInfo::toArgumentRegister): 23511 235122013-04-03 Filip Pizlo <fpizlo@apple.com> 23513 23514 fourthTier: put DFG data into a DFG::JITCode, and put common DFG and FTL data into something accessible from both DFG::JITCode and FTL::JITCode 23515 https://bugs.webkit.org/show_bug.cgi?id=113905 23516 23517 Reviewed by Geoffrey Garen. 23518 23519 This removes one pointer from CodeBlock. 23520 23521 It also gives us a framework for having JITType-specific data in CodeBlock, by 23522 putting it into the appropriate JITCode class (either DFG::JITCode or 23523 FTL::JITCode). And it allows us to have DFG and FTL share some common data, 23524 via DFG::CommonData, which is stored in both DFG::JITCode and FTL::JITCode and 23525 always accessible via JITCode::dfgCommon(). 23526 23527 * CMakeLists.txt: 23528 * GNUmakefile.list.am: 23529 * JavaScriptCore.xcodeproj/project.pbxproj: 23530 * Target.pri: 23531 * bytecode/CodeBlock.cpp: 23532 (JSC): 23533 (JSC::CodeBlock::dumpBytecode): 23534 (JSC::CodeBlock::visitAggregate): 23535 (JSC::CodeBlock::performTracingFixpointIteration): 23536 (JSC::CodeBlock::finalizeUnconditionally): 23537 (JSC::CodeBlock::stronglyVisitWeakReferences): 23538 (JSC::CodeBlock::shrinkToFit): 23539 (JSC::CodeBlock::tallyFrequentExitSites): 23540 * bytecode/CodeBlock.h: 23541 (CodeBlock): 23542 (JSC::CodeBlock::setJITCode): 23543 (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): 23544 (JSC::DFGCodeBlocks::mark): 23545 * dfg/DFGAssemblyHelpers.h: 23546 * dfg/DFGCommonData.cpp: Added. 23547 (DFG): 23548 (JSC::DFG::CommonData::notifyCompilingStructureTransition): 23549 (JSC::DFG::CommonData::shrinkToFit): 23550 * dfg/DFGCommonData.h: Added. 23551 (JSC): 23552 (DFG): 23553 (JSC::DFG::WeakReferenceTransition::WeakReferenceTransition): 23554 (WeakReferenceTransition): 23555 (CommonData): 23556 (JSC::DFG::CommonData::CommonData): 23557 * dfg/DFGDriver.cpp: 23558 (JSC::DFG::compile): 23559 (JSC::DFG::tryCompile): 23560 (JSC::DFG::tryCompileFunction): 23561 * dfg/DFGDriver.h: 23562 (DFG): 23563 (JSC::DFG::tryCompile): 23564 (JSC::DFG::tryCompileFunction): 23565 * dfg/DFGGraph.h: 23566 (Graph): 23567 * dfg/DFGJITCode.cpp: Added. 23568 (DFG): 23569 (JSC::DFG::JITCode::JITCode): 23570 (JSC::DFG::JITCode::~JITCode): 23571 (JSC::DFG::JITCode::dfgCommon): 23572 (JSC::DFG::JITCode::dfg): 23573 (JSC::DFG::JITCode::shrinkToFit): 23574 * dfg/DFGJITCode.h: Added. 23575 (DFG): 23576 (JITCode): 23577 (JSC::DFG::JITCode::appendOSREntryData): 23578 (JSC::DFG::JITCode::osrEntryDataForBytecodeIndex): 23579 (JSC::DFG::JITCode::appendOSRExit): 23580 (JSC::DFG::JITCode::lastOSRExit): 23581 (JSC::DFG::JITCode::appendSpeculationRecovery): 23582 (JSC::DFG::JITCode::appendWatchpoint): 23583 * dfg/DFGJITCompiler.cpp: 23584 (JSC::DFG::JITCompiler::JITCompiler): 23585 (JSC::DFG::JITCompiler::linkOSRExits): 23586 (JSC::DFG::JITCompiler::link): 23587 (JSC::DFG::JITCompiler::compile): 23588 (JSC::DFG::JITCompiler::compileFunction): 23589 * dfg/DFGJITCompiler.h: 23590 (JITCompiler): 23591 (JSC::DFG::JITCompiler::addWeakReference): 23592 (JSC::DFG::JITCompiler::noticeOSREntry): 23593 (JSC::DFG::JITCompiler::jitCode): 23594 * dfg/DFGOSREntry.cpp: 23595 (JSC::DFG::prepareOSREntry): 23596 * dfg/DFGOSRExit.h: 23597 (OSRExit): 23598 * dfg/DFGOSRExitCompiler.cpp: 23599 * dfg/DFGSpeculativeJIT.cpp: 23600 (JSC::DFG::SpeculativeJIT::SpeculativeJIT): 23601 (JSC::DFG::SpeculativeJIT::backwardSpeculationCheck): 23602 (JSC::DFG::SpeculativeJIT::speculationWatchpoint): 23603 (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward): 23604 * dfg/DFGSpeculativeJIT32_64.cpp: 23605 (JSC::DFG::SpeculativeJIT::compile): 23606 * dfg/DFGSpeculativeJIT64.cpp: 23607 (JSC::DFG::SpeculativeJIT::compile): 23608 * dfg/DFGVariableEventStream.cpp: 23609 * ftl/FTLCompile.cpp: 23610 (JSC::FTL::compile): 23611 * ftl/FTLJITCode.cpp: 23612 (JSC::FTL::JITCode::JITCode): 23613 (JSC::FTL::JITCode::~JITCode): 23614 (FTL): 23615 (JSC::FTL::JITCode::initializeCode): 23616 (JSC::FTL::JITCode::addressForCall): 23617 (JSC::FTL::JITCode::executableAddressAtOffset): 23618 (JSC::FTL::JITCode::dataAddressAtOffset): 23619 (JSC::FTL::JITCode::offsetOf): 23620 (JSC::FTL::JITCode::size): 23621 (JSC::FTL::JITCode::contains): 23622 (JSC::FTL::JITCode::ftl): 23623 (JSC::FTL::JITCode::dfgCommon): 23624 * ftl/FTLJITCode.h: 23625 (JITCode): 23626 * ftl/FTLLowerDFGToLLVM.cpp: 23627 (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint): 23628 (JSC::FTL::LowerDFGToLLVM::compilePutStructure): 23629 (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): 23630 (JSC::FTL::LowerDFGToLLVM::addWeakReference): 23631 (LowerDFGToLLVM): 23632 (JSC::FTL::LowerDFGToLLVM::weakPointer): 23633 * ftl/FTLState.cpp: 23634 (FTL): 23635 (JSC::FTL::State::State): 23636 (JSC::FTL::State::dumpState): 23637 * ftl/FTLState.h: 23638 (State): 23639 * heap/DFGCodeBlocks.cpp: 23640 (JSC::DFGCodeBlocks::~DFGCodeBlocks): 23641 (JSC::DFGCodeBlocks::jettison): 23642 (JSC::DFGCodeBlocks::clearMarks): 23643 (JSC::DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks): 23644 (JSC::DFGCodeBlocks::traceMarkedCodeBlocks): 23645 * jit/JITCode.cpp: 23646 (JSC::JITCode::dfgCommon): 23647 (JSC): 23648 (JSC::JITCode::dfg): 23649 (JSC::JITCode::ftl): 23650 (JSC::DirectJITCode::DirectJITCode): 23651 (JSC::DirectJITCode::initializeCodeRef): 23652 (JSC::DirectJITCode::addressForCall): 23653 (JSC::DirectJITCode::executableAddressAtOffset): 23654 (JSC::DirectJITCode::dataAddressAtOffset): 23655 (JSC::DirectJITCode::offsetOf): 23656 (JSC::DirectJITCode::size): 23657 (JSC::DirectJITCode::contains): 23658 * jit/JITCode.h: 23659 (DFG): 23660 (FTL): 23661 (JSC): 23662 (JITCode): 23663 (DirectJITCode): 23664 236652013-04-03 Filip Pizlo <fpizlo@apple.com> 23666 23667 fourthTier: Include LLVM headers with surrounding #pragmas instead of using my #define 23668 https://bugs.webkit.org/show_bug.cgi?id=113921 23669 23670 Reviewed by Oliver Hunt. 23671 23672 The LLVM community wants us to continue including all of LLVM's C++ headers. Change 23673 to using #pragma's to disable warnings that they cannot handle. 23674 23675 * ftl/FTLLLVMHeaders.h: 23676 236772013-04-03 Filip Pizlo <fpizlo@apple.com> 23678 23679 fourthTier: Everyone should know about the FTL 23680 https://bugs.webkit.org/show_bug.cgi?id=113897 23681 23682 Reviewed by Mark Hahnenberg. 23683 23684 In order to get OSR exit to work right, we need the distinction between DFG and 23685 FTL to be clear even after compilation finishes, since they will have subtly 23686 different OSR stories and likely use different data structures. 23687 23688 * bytecode/CodeBlock.cpp: 23689 (JSC::CodeBlock::resetStubInternal): 23690 (JSC::ProgramCodeBlock::compileOptimized): 23691 (JSC::EvalCodeBlock::compileOptimized): 23692 (JSC::FunctionCodeBlock::compileOptimized): 23693 (JSC::CodeBlock::adjustedExitCountThreshold): 23694 (JSC::CodeBlock::tallyFrequentExitSites): 23695 * bytecode/CodeBlock.h: 23696 (JSC::CodeBlock::setJITCode): 23697 (JSC::CodeBlock::hasOptimizedReplacement): 23698 (JSC::ExecState::isInlineCallFrame): 23699 * ftl/FTLCompile.cpp: 23700 (JSC::FTL::compile): 23701 * ftl/FTLJITCode.cpp: 23702 (JSC::FTL::JITCode::JITCode): 23703 * ftl/FTLState.cpp: 23704 (JSC::FTL::State::dumpState): 23705 * heap/DFGCodeBlocks.cpp: 23706 (JSC::DFGCodeBlocks::jettison): 23707 * interpreter/Interpreter.cpp: 23708 (JSC::getLineNumberForCallFrame): 23709 (JSC::getCallerInfo): 23710 * jit/JITCode.cpp: 23711 (WTF::printInternal): 23712 * jit/JITCode.h: 23713 (JSC::JITCode::topTierJIT): 23714 (JSC::JITCode::nextTierJIT): 23715 (JITCode): 23716 (JSC::JITCode::isJIT): 23717 (JSC::JITCode::isLowerTier): 23718 (JSC::JITCode::isHigherTier): 23719 (JSC::JITCode::isLowerOrSameTier): 23720 (JSC::JITCode::isHigherOrSameTier): 23721 (JSC::JITCode::isOptimizingJIT): 23722 * jit/JITDriver.h: 23723 (JSC::jitCompileIfAppropriate): 23724 (JSC::jitCompileFunctionIfAppropriate): 23725 * jit/JITStubs.cpp: 23726 (JSC::DEFINE_STUB_FUNCTION): 23727 * runtime/Executable.cpp: 23728 (JSC::EvalExecutable::compileOptimized): 23729 (JSC::samplingDescription): 23730 (JSC::ProgramExecutable::compileOptimized): 23731 (JSC::FunctionExecutable::compileOptimizedForCall): 23732 (JSC::FunctionExecutable::compileOptimizedForConstruct): 23733 237342013-04-03 Filip Pizlo <fpizlo@apple.com> 23735 23736 fourthTier: DFG should abstract out how it does forward exits, and that code should be simplified 23737 https://bugs.webkit.org/show_bug.cgi?id=113894 23738 23739 Reviewed by Mark Hahnenberg. 23740 23741 1) We previously had two different ways of convertingToForward, one path for 23742 where we had a ValueRecovery for the current node and one where we didn't. 23743 But the paths were doing exactly the same thing except that if you have a 23744 ValueRecovery, you also find the last applicable mov hint and do some 23745 extra things. This patch combines the two paths and bases both of them on 23746 the previous no-ValueRecovery path, which was simpler to begin with. 23747 23748 2) This moves the logic into DFG::OSRExit, which further simplifies the code 23749 and makes the logic available to the FTL. 23750 23751 * dfg/DFGOSRExit.cpp: 23752 (JSC::DFG::OSRExit::convertToForward): 23753 (DFG): 23754 * dfg/DFGOSRExit.h: 23755 (DFG): 23756 (OSRExit): 23757 * dfg/DFGSpeculativeJIT.cpp: 23758 (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward): 23759 237602013-04-02 Filip Pizlo <fpizlo@apple.com> 23761 23762 fourthTier: FTL should have the equivalent of a ValueRecovery 23763 https://bugs.webkit.org/show_bug.cgi?id=113819 23764 23765 Reviewed by Mark Hahnenberg. 23766 23767 This adds a way of saying that we have a value, we don't want to say what 23768 node the value came from, but we know specifics of how the value is 23769 formatted. This is the LLVM equivalent of DFG's ValueRecovery. 23770 23771 * JavaScriptCore.xcodeproj/project.pbxproj: 23772 * ftl/FTLFormattedValue.h: Added. 23773 (FTL): 23774 (FormattedValue): 23775 (JSC::FTL::FormattedValue::FormattedValue): 23776 (JSC::FTL::FormattedValue::operator!): 23777 (JSC::FTL::FormattedValue::format): 23778 (JSC::FTL::FormattedValue::value): 23779 * ftl/FTLLowerDFGToLLVM.cpp: 23780 (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber): 23781 (JSC::FTL::LowerDFGToLLVM::speculateForward): 23782 (JSC::FTL::LowerDFGToLLVM::weakPointer): 23783 237842013-04-02 Filip Pizlo <fpizlo@apple.com> 23785 23786 fourthTier: FTL should use the right abstract heap for Int32 array accesses 23787 https://bugs.webkit.org/show_bug.cgi?id=113759 23788 23789 Reviewed by Mark Hahnenberg. 23790 23791 * ftl/FTLLowerDFGToLLVM.cpp: 23792 (JSC::FTL::LowerDFGToLLVM::compileGetByVal): 23793 237942013-04-02 Filip Pizlo <fpizlo@apple.com> 23795 23796 fourthTier: FTL should support fast property stores 23797 https://bugs.webkit.org/show_bug.cgi?id=113757 23798 23799 Reviewed by Oliver Hunt. 23800 23801 Simplified the task of handling property transitions and reduced amount of code 23802 duplication between the JITs. 23803 23804 Added PutByOffset, PutStructure, PhantomPutStructure, WeakJSConstant, and a 23805 stub form of StructureTransitionWatchpoint to the FTL. 23806 23807 Also simplified the creation of pointer constants, and fixed a bug in 23808 speculateObject(). 23809 23810 * dfg/DFGGraph.h: 23811 (JSC::DFG::Graph::notifyCompilingStructureTransition): 23812 (Graph): 23813 * dfg/DFGJITCompiler.h: 23814 (JITCompiler): 23815 * dfg/DFGSpeculativeJIT32_64.cpp: 23816 (JSC::DFG::SpeculativeJIT::compile): 23817 * dfg/DFGSpeculativeJIT64.cpp: 23818 (JSC::DFG::SpeculativeJIT::compile): 23819 * ftl/FTLCapabilities.cpp: 23820 (JSC::FTL::canCompile): 23821 * ftl/FTLLowerDFGToLLVM.cpp: 23822 (JSC::FTL::LowerDFGToLLVM::lower): 23823 (JSC::FTL::LowerDFGToLLVM::compileNode): 23824 (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant): 23825 (LowerDFGToLLVM): 23826 (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint): 23827 (JSC::FTL::LowerDFGToLLVM::compilePutStructure): 23828 (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): 23829 (JSC::FTL::LowerDFGToLLVM::compilePutByOffset): 23830 (JSC::FTL::LowerDFGToLLVM::speculateObject): 23831 (JSC::FTL::LowerDFGToLLVM::weakPointer): 23832 * ftl/FTLOutput.h: 23833 (Output): 23834 (JSC::FTL::Output::constIntPtr): 23835 (JSC::FTL::Output::absolute): 23836 238372013-04-01 Filip Pizlo <fpizlo@apple.com> 23838 23839 fourthTier: FTL should support some more integer arithmetic ops (negate, xor, urshift) 23840 https://bugs.webkit.org/show_bug.cgi?id=113740 23841 23842 Reviewed by Geoffrey Garen. 23843 23844 * ftl/FTLAbbreviations.h: 23845 (JSC::FTL::buildNeg): 23846 (JSC::FTL::buildLShr): 23847 * ftl/FTLCapabilities.cpp: 23848 (JSC::FTL::canCompile): 23849 * ftl/FTLLowerDFGToLLVM.cpp: 23850 (JSC::FTL::LowerDFGToLLVM::compileNode): 23851 (JSC::FTL::LowerDFGToLLVM::compileArithNegate): 23852 (LowerDFGToLLVM): 23853 (JSC::FTL::LowerDFGToLLVM::compileBitXor): 23854 (JSC::FTL::LowerDFGToLLVM::compileBitURShift): 23855 (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber): 23856 * ftl/FTLOutput.h: 23857 (JSC::FTL::Output::neg): 23858 (JSC::FTL::Output::lShr): 23859 238602013-04-01 Filip Pizlo <fpizlo@apple.com> 23861 23862 fourthTier: FTL should support GetGlobalVar/PutGlobalVar 23863 https://bugs.webkit.org/show_bug.cgi?id=113728 23864 23865 Reviewed by Gavin Barraclough. 23866 23867 Removed the macro magic for the globals absolute abstract heap, since for anything 23868 with absolute addresses we can just share a common absolute abstract heap. It 23869 would only be a problem if we for example were emitting an access to a global but 23870 not using an absolute address, and then wanted to say that this access was 23871 constrained to global variables. I don't believe we do that, and I don't believe we 23872 ever will. 23873 23874 Then added Output::absolute(), a convenient way of building a typed pointer for an 23875 absolute address. 23876 23877 Then added GetGlobalVar/PutGlobalVar. 23878 23879 * ftl/FTLAbstractHeapRepository.cpp: 23880 (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository): 23881 * ftl/FTLAbstractHeapRepository.h: 23882 (FTL): 23883 (AbstractHeapRepository): 23884 * ftl/FTLCapabilities.cpp: 23885 (JSC::FTL::canCompile): 23886 * ftl/FTLLowerDFGToLLVM.cpp: 23887 (JSC::FTL::LowerDFGToLLVM::compileNode): 23888 (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar): 23889 (LowerDFGToLLVM): 23890 (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar): 23891 * ftl/FTLOutput.h: 23892 (JSC::FTL::Output::absolute): 23893 (Output): 23894 238952013-03-31 Filip Pizlo <fpizlo@apple.com> 23896 23897 fourthTier: FTL should support ArithSub 23898 https://bugs.webkit.org/show_bug.cgi?id=113675 23899 23900 Reviewed by Oliver Hunt. 23901 23902 This does the obvious bit of implementing ArithSub, but it also takes this 23903 as an opportunity to clean up how intrinsics and common values (common types 23904 and constants) are handled. Previously they were all lumped together in 23905 FTL::Output. Now, in an effort to split up the files and make FTL::Output 23906 less big, I created a thing called FTL::CommonValues which just tracks the 23907 common values, and a thing called FTL::IntrinsicRepository which just tracks 23908 intrinsics. These and FTL::Output are all related to each other in a linear 23909 hierarchy. Moreover, IntrinsicRepository uses macro-fu to make it easy to 23910 declare new intrinsics in the future. 23911 23912 I also out-of-lined some things and made .cpp files for each of these classes. 23913 Initialize I wasn't going to do this but then I realized that FTL::Output is 23914 already included in multiple places. Probably it's better if some of its guts 23915 are not inline, and it's also good to now have .cpp "landing pads" if we ever 23916 want to add more things to that class. 23917 23918 Note that a lot of how these things are designed has to do with the fact 23919 that pretty soon here I'll have to switch us from using the LLVM global 23920 context to using a context that we create. When that happens, anyone who 23921 creates anything will have to know the context; that's why FTL::CommonValues 23922 already knows the module but doesn't use it - in the future it will have to 23923 do things with it. 23924 23925 * JavaScriptCore.xcodeproj/project.pbxproj: 23926 * ftl/FTLAbbreviations.h: 23927 (JSC::FTL::buildSub): 23928 * ftl/FTLAbstractHeapRepository.cpp: 23929 (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository): 23930 * ftl/FTLCapabilities.cpp: 23931 (JSC::FTL::canCompile): 23932 * ftl/FTLCommonValues.cpp: Added. 23933 (FTL): 23934 (JSC::FTL::CommonValues::CommonValues): 23935 * ftl/FTLCommonValues.h: Added. 23936 (FTL): 23937 (CommonValues): 23938 (JSC::FTL::CommonValues::initialize): 23939 * ftl/FTLIntrinsicRepository.cpp: Added. 23940 (FTL): 23941 (JSC::FTL::IntrinsicRepository::IntrinsicRepository): 23942 * ftl/FTLIntrinsicRepository.h: Added. 23943 (FTL): 23944 (IntrinsicRepository): 23945 * ftl/FTLLowerDFGToLLVM.cpp: 23946 (JSC::FTL::LowerDFGToLLVM::compileNode): 23947 (JSC::FTL::LowerDFGToLLVM::compileArithSub): 23948 (LowerDFGToLLVM): 23949 * ftl/FTLOutput.cpp: Added. 23950 (FTL): 23951 (JSC::FTL::Output::Output): 23952 (JSC::FTL::Output::~Output): 23953 * ftl/FTLOutput.h: 23954 (Output): 23955 (JSC::FTL::Output::initialize): 23956 (JSC::FTL::Output::sub): 23957 (JSC::FTL::Output::addWithOverflow32): 23958 (JSC::FTL::Output::subWithOverflow32): 23959 (JSC::FTL::Output::mulWithOverflow32): 23960 239612013-03-31 Filip Pizlo <fpizlo@apple.com> 23962 23963 fourthTier: FTL doesn't need virtual register allocation 23964 https://bugs.webkit.org/show_bug.cgi?id=113679 23965 23966 Reviewed by Mark Hahnenberg. 23967 23968 * dfg/DFGDriver.cpp: 23969 (JSC::DFG::dumpAndVerifyGraph): 23970 (DFG): 23971 (JSC::DFG::compile): 23972 239732013-03-31 Filip Pizlo <fpizlo@apple.com> 23974 23975 https://bugs.webkit.org/show_bug.cgi?id=113656 23976 Fix Sam's nits. 23977 23978 Unreviewed. 23979 23980 * ftl/FTLAbstractHeap.cpp: 23981 (JSC::FTL::IndexedAbstractHeap::initialize): 23982 * ftl/FTLAbstractHeap.h: 23983 (IndexedAbstractHeap): 23984 (AbsoluteAbstractHeap): 23985 * ftl/FTLAbstractHeapRepository.h: 23986 (AbstractHeapRepository): 23987 239882013-03-31 Filip Pizlo <fpizlo@apple.com> 23989 23990 fourthTier: FTL JIT should support GetByVal on Int32 arrays 23991 https://bugs.webkit.org/show_bug.cgi?id=113668 23992 23993 Reviewed by Sam Weinig. 23994 23995 It actually already supported this, but needed to be told that it did. 23996 23997 Also adds an option to enable LICM (loop-invariant code motion, i.e. 23998 http://llvm.org/docs/Passes.html#licm-loop-invariant-code-motion). LICM 23999 isn't doing me any good right now, but I guess I'll have to play with 24000 it more. And this adds the ability to tweak the LLVM optimization level 24001 from the command-line. 24002 24003 * ftl/FTLCapabilities.cpp: 24004 (JSC::FTL::canCompile): 24005 * ftl/FTLCompile.cpp: 24006 (JSC::FTL::compile): 24007 * ftl/FTLLowerDFGToLLVM.cpp: 24008 (JSC::FTL::LowerDFGToLLVM::compileGetByVal): 24009 * runtime/Options.h: 24010 (JSC): 24011 240122013-03-31 Filip Pizlo <fpizlo@apple.com> 24013 24014 fourthTier: FTL JIT should supply TBAA meta-data to LLVM 24015 https://bugs.webkit.org/show_bug.cgi?id=113656 24016 24017 Reviewed by Oliver Hunt. 24018 24019 This adds support for performing strong typing on the LLVM IR that the FTL 24020 generates, by using TBAA meta-data. This will permit LLVM to do aggressive 24021 GVN, load elimination, and LICM optimization even if it sees pointer store 24022 side-effects. The goal is to precisely model all loads and stores we emit, 24023 except for the super crazy ones (GetById that can go all-out polymorphic, 24024 or for example a Call where we know nothing). 24025 24026 This is accomplished by introducing the notion of an AbstractHeap 24027 typesystem. An AbstractHeap is a subset of all possible memory locations 24028 that we might store to. For example, JSCell::m_structure and 24029 JSObject::m_butterfly are two disjoint AbstractHeaps because we know that 24030 a store to one cannot clobber the other. AbstractHeaps follow a 24031 single-inheritance hierarchy. There is the root heap, which corresponds to 24032 any possible memory location accessible to the JS engine, and then there 24033 are heaps for all internal object fields, a heap for each global object, 24034 and so on. 24035 24036 There are three other tidbits here that make this somewhat more interesting. 24037 We have a notion of an AbstractHeap-with-offset, called AbstractField. 24038 JSCell::m_structure is actually an AbstractField. This allows us to say 24039 things like m_out.loadPtr(base, m_heaps.JSCell_structure); this both 24040 gives you the offset of JSCell::m_structure and ascribes TBAA meta-data for 24041 the JSCell::m_structure heap to the generated load instrction. 24042 24043 Another fun tidbit is the notion of Indexed, Numbered, and Absolute abstract 24044 heaps. An indexed abstract heap corresponds to a set of locations that you 24045 might access by index from some base. Virtual registers are a great example. 24046 Though I call them just "variables" in the FTL. When we access a virtual 24047 register, we know that we aren't interfering with accesses to 24048 Structure-managed named properties, or with JSCell::m_structure, or with 24049 other such disjoint heaps. But we also know that if we access a variable at 24050 offset X and then another variable at offset Y and we know that X and Y are 24051 unequal, then these two accesses are on disjoint subheaps of the variables 24052 heap. This works out naturally for interference between, say, scoped variable 24053 access and local variable access: if you access scoped variable r5 and then 24054 access a local variable r5, these might interfere - and they will get the 24055 same abstract subheap of the variables heap. IndexedAbstractHeaps 24056 conveniently remember the size of the elements and will give you an 24057 AbstractField (i.e. heap-with-offset) if you give it an index. This is great 24058 for conveniently writing code that accesses contiguous arrays of well-typed 24059 things. This allows you to literally do things like 24060 m_out.load64(callFrameRegister, m_heaps.variables[operand]) and the right 24061 thing will happen. You can also get the heap variables.atAnyIndex(), if 24062 you're doing an access with an unknown index. 24063 24064 Numbered and Absolute abstract heaps are related except that they don't 24065 assume that the value used to get the abstract subheap corresponds to any 24066 meaningful offset from any base. Numbered heaps, like the properties heap 24067 (for named properties tracked by Structure), are "numbered" (not indexed) 24068 by the propertyNumber. So you can emit a GetByOffset by separately 24069 computing the offset and the propertyNumber (both values are stored in the 24070 StorageAccessData), and passing the offset directly to Output::address() 24071 and passing m_heaps.properties[propertyNumber] as the field. Absolute heaps 24072 are similar, but are keyed on absolute address. This is appropriate for 24073 global variables, and possibly other things. 24074 24075 Finally, FTL::Output understands the notion of a pointer-with-TBAA-data, 24076 and calls it a TypedPointer. TypedPointer is a tuple of a LLVMValueRef 24077 referencing an intptr value and a pointer to an AbstractHeap. All load() 24078 and store() operations now take a TypedPointer, and will perform the access 24079 by casting the intptr to a pointer of the right type and then ascribing the 24080 TBAA meta-data from the AbstractHeap. 24081 24082 * JavaScriptCore.xcodeproj/project.pbxproj: 24083 * ftl/FTLAbbreviations.h: 24084 (JSC::FTL::mdKindID): 24085 (JSC::FTL::mdString): 24086 (JSC::FTL::mdNode): 24087 (FTL): 24088 (JSC::FTL::setMetadata): 24089 * ftl/FTLAbstractHeap.cpp: Added. 24090 (FTL): 24091 (JSC::FTL::AbstractHeap::tbaaMetadataSlow): 24092 (JSC::FTL::AbstractHeap::decorateInstruction): 24093 (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap): 24094 (JSC::FTL::IndexedAbstractHeap::~IndexedAbstractHeap): 24095 (JSC::FTL::IndexedAbstractHeap::baseIndex): 24096 (JSC::FTL::IndexedAbstractHeap::atSlow): 24097 (JSC::FTL::IndexedAbstractHeap::initialize): 24098 (JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap): 24099 (JSC::FTL::NumberedAbstractHeap::~NumberedAbstractHeap): 24100 (JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap): 24101 (JSC::FTL::AbsoluteAbstractHeap::~AbsoluteAbstractHeap): 24102 * ftl/FTLAbstractHeap.h: Added. 24103 (FTL): 24104 (AbstractHeap): 24105 (JSC::FTL::AbstractHeap::AbstractHeap): 24106 (JSC::FTL::AbstractHeap::isInitialized): 24107 (JSC::FTL::AbstractHeap::initialize): 24108 (JSC::FTL::AbstractHeap::parent): 24109 (JSC::FTL::AbstractHeap::heapName): 24110 (JSC::FTL::AbstractHeap::tbaaMetadata): 24111 (AbstractField): 24112 (JSC::FTL::AbstractField::AbstractField): 24113 (JSC::FTL::AbstractField::initialize): 24114 (JSC::FTL::AbstractField::offset): 24115 (IndexedAbstractHeap): 24116 (JSC::FTL::IndexedAbstractHeap::atAnyIndex): 24117 (JSC::FTL::IndexedAbstractHeap::at): 24118 (JSC::FTL::IndexedAbstractHeap::operator[]): 24119 (JSC::FTL::IndexedAbstractHeap::returnInitialized): 24120 (JSC::FTL::IndexedAbstractHeap::MyHashTraits::constructDeletedValue): 24121 (JSC::FTL::IndexedAbstractHeap::MyHashTraits::isDeletedValue): 24122 (NumberedAbstractHeap): 24123 (JSC::FTL::NumberedAbstractHeap::atAnyNumber): 24124 (JSC::FTL::NumberedAbstractHeap::at): 24125 (JSC::FTL::NumberedAbstractHeap::operator[]): 24126 (AbsoluteAbstractHeap): 24127 (JSC::FTL::AbsoluteAbstractHeap::atAnyAddress): 24128 (JSC::FTL::AbsoluteAbstractHeap::at): 24129 (JSC::FTL::AbsoluteAbstractHeap::operator[]): 24130 * ftl/FTLAbstractHeapRepository.cpp: Added. 24131 (FTL): 24132 (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository): 24133 (JSC::FTL::AbstractHeapRepository::~AbstractHeapRepository): 24134 * ftl/FTLAbstractHeapRepository.h: Added. 24135 (FTL): 24136 (AbstractHeapRepository): 24137 * ftl/FTLLowerDFGToLLVM.cpp: 24138 (JSC::FTL::LowerDFGToLLVM::lower): 24139 (JSC::FTL::LowerDFGToLLVM::compileCheckStructure): 24140 (JSC::FTL::LowerDFGToLLVM::compileGetButterfly): 24141 (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): 24142 (JSC::FTL::LowerDFGToLLVM::compileGetByVal): 24143 (JSC::FTL::LowerDFGToLLVM::compileGetByOffset): 24144 (JSC::FTL::LowerDFGToLLVM::speculateObject): 24145 (JSC::FTL::LowerDFGToLLVM::addressFor): 24146 (JSC::FTL::LowerDFGToLLVM::payloadFor): 24147 (JSC::FTL::LowerDFGToLLVM::tagFor): 24148 (LowerDFGToLLVM): 24149 * ftl/FTLOutput.h: 24150 (FTL): 24151 (JSC::FTL::Output::Output): 24152 (JSC::FTL::Output::initialize): 24153 (JSC::FTL::Output::set): 24154 (JSC::FTL::Output::load): 24155 (JSC::FTL::Output::store): 24156 (Output): 24157 (JSC::FTL::Output::load32): 24158 (JSC::FTL::Output::load64): 24159 (JSC::FTL::Output::loadPtr): 24160 (JSC::FTL::Output::store32): 24161 (JSC::FTL::Output::store64): 24162 (JSC::FTL::Output::storePtr): 24163 (JSC::FTL::Output::addPtr): 24164 (JSC::FTL::Output::address): 24165 (JSC::FTL::Output::baseIndex): 24166 * ftl/FTLTypedPointer.h: Added. 24167 (FTL): 24168 (TypedPointer): 24169 (JSC::FTL::TypedPointer::TypedPointer): 24170 (JSC::FTL::TypedPointer::operator!): 24171 (JSC::FTL::TypedPointer::heap): 24172 (JSC::FTL::TypedPointer::value): 24173 * runtime/Options.h: 24174 (JSC): 24175 241762013-03-30 Filip Pizlo <fpizlo@apple.com> 24177 24178 fourthTier: FTL JIT should be able to compile the Array.prototype.findGraphNode function in Kraken/ai-astar 24179 https://bugs.webkit.org/show_bug.cgi?id=113646 24180 24181 Reviewed by Oliver Hunt. 24182 24183 This adds enough FTL support to compile Array.prototype.findGraphNode. This isn't 24184 a speed-up, yet, because findGraphNode tends to be aggressively inlined by the DFG, 24185 and the FTL can't yet compile the things into which it was inlined. In future 24186 patches we will get to a point where we can compile the callers, and then we'll be 24187 able to see what the performance effects are. 24188 24189 But the interesting thing is that it isn't a slow-down, either. This implies that 24190 even if we FTL compile a CodeBlock that we shouldn't have (the fact that we 24191 compiling things that end up being inlined is dumb, and the fact that the current 24192 FTL tiering strategy launches LLVM for those things is even dumber), we still run 24193 at OK performance. 24194 24195 * ftl/FTLCapabilities.cpp: 24196 (JSC::FTL::canCompile): 24197 * ftl/FTLLowerDFGToLLVM.cpp: 24198 (JSC::FTL::LowerDFGToLLVM::transferAndCheckArguments): 24199 (JSC::FTL::LowerDFGToLLVM::compileNode): 24200 (JSC::FTL::LowerDFGToLLVM::compileCheckStructure): 24201 (LowerDFGToLLVM): 24202 (JSC::FTL::LowerDFGToLLVM::compileGetButterfly): 24203 (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): 24204 (JSC::FTL::LowerDFGToLLVM::compileGetByVal): 24205 (JSC::FTL::LowerDFGToLLVM::compileGetByOffset): 24206 (JSC::FTL::LowerDFGToLLVM::compileCompareEq): 24207 (JSC::FTL::LowerDFGToLLVM::lowInt32): 24208 (JSC::FTL::LowerDFGToLLVM::lowCell): 24209 (JSC::FTL::LowerDFGToLLVM::lowObject): 24210 (JSC::FTL::LowerDFGToLLVM::lowBoolean): 24211 (JSC::FTL::LowerDFGToLLVM::lowJSValue): 24212 (JSC::FTL::LowerDFGToLLVM::lowStorage): 24213 (JSC::FTL::LowerDFGToLLVM::isNotInt32): 24214 (JSC::FTL::LowerDFGToLLVM::isNotCell): 24215 (JSC::FTL::LowerDFGToLLVM::isNotBoolean): 24216 (JSC::FTL::LowerDFGToLLVM::speculate): 24217 (JSC::FTL::LowerDFGToLLVM::speculateCell): 24218 (JSC::FTL::LowerDFGToLLVM::speculateObject): 24219 (JSC::FTL::LowerDFGToLLVM::accountedPointer): 24220 (JSC::FTL::LowerDFGToLLVM::weakPointer): 24221 * ftl/FTLOutput.h: 24222 (JSC::FTL::Output::Output): 24223 (JSC::FTL::Output::insertNewBlocksBefore): 24224 (JSC::FTL::Output::appendTo): 24225 (Output): 24226 (JSC::FTL::Output::baseIndex): 24227 242282013-03-29 Filip Pizlo <fpizlo@apple.com> 24229 24230 fourthTier: FTL JIT should be able to compile the Marsaglia random number generator 24231 https://bugs.webkit.org/show_bug.cgi?id=113635 24232 24233 Reviewed by Oliver Hunt. 24234 24235 Just adding missing functionality. 24236 24237 Also "fixed" OSR exit to use a call to abort() in addition to using Unreachable 24238 since the latter doesn't actually mean trap - quite the opposite, it tells LLVM 24239 that the code can never be reached. 24240 24241 The Marsaglia function runs ~60% faster with FTL, than DFG. Not a terrible start. 24242 24243 * JavaScriptCore.xcodeproj/project.pbxproj: 24244 * ftl/FTLAbbreviations.h: 24245 (FTL): 24246 (JSC::FTL::voidType): 24247 (JSC::FTL::structType): 24248 (JSC::FTL::functionType): 24249 (JSC::FTL::addFunction): 24250 (JSC::FTL::setLinkage): 24251 (JSC::FTL::setFunctionCallingConv): 24252 (JSC::FTL::addExternFunction): 24253 (JSC::FTL::constIntToPtr): 24254 (JSC::FTL::constBitCast): 24255 (JSC::FTL::buildMul): 24256 (JSC::FTL::buildOr): 24257 (JSC::FTL::buildShl): 24258 (JSC::FTL::buildAShr): 24259 (JSC::FTL::buildCall): 24260 (JSC::FTL::buildExtractValue): 24261 (JSC::FTL::dumpModule): 24262 (JSC::FTL::verifyModule): 24263 * ftl/FTLCapabilities.cpp: 24264 (JSC::FTL::canCompile): 24265 * ftl/FTLCompile.cpp: 24266 (JSC::FTL::compile): 24267 * ftl/FTLLowerDFGToLLVM.cpp: 24268 (JSC::FTL::LowerDFGToLLVM::lower): 24269 (JSC::FTL::LowerDFGToLLVM::compileBlock): 24270 (JSC::FTL::LowerDFGToLLVM::compileNode): 24271 (JSC::FTL::LowerDFGToLLVM::compileAdd): 24272 (LowerDFGToLLVM): 24273 (JSC::FTL::LowerDFGToLLVM::compileArithMul): 24274 (JSC::FTL::LowerDFGToLLVM::compileBitAnd): 24275 (JSC::FTL::LowerDFGToLLVM::compileBitOr): 24276 (JSC::FTL::LowerDFGToLLVM::compileBitRShift): 24277 (JSC::FTL::LowerDFGToLLVM::compileBitLShift): 24278 (JSC::FTL::LowerDFGToLLVM::compileCompareLess): 24279 (JSC::FTL::LowerDFGToLLVM::compileBranch): 24280 (JSC::FTL::LowerDFGToLLVM::speculateBackward): 24281 (JSC::FTL::LowerDFGToLLVM::lowBoolean): 24282 * ftl/FTLOutput.h: 24283 (JSC::FTL::Output::Output): 24284 (JSC::FTL::Output::initialize): 24285 (JSC::FTL::Output::appendTo): 24286 (Output): 24287 (JSC::FTL::Output::mul): 24288 (JSC::FTL::Output::bitOr): 24289 (JSC::FTL::Output::shl): 24290 (JSC::FTL::Output::aShr): 24291 (JSC::FTL::Output::addWithOverflow32): 24292 (JSC::FTL::Output::mulWithOverflow32): 24293 (JSC::FTL::Output::extractValue): 24294 (JSC::FTL::Output::call): 24295 (JSC::FTL::Output::addWithOverflow32Function): 24296 (JSC::FTL::Output::mulWithOverflow32Function): 24297 * ftl/FTLState.cpp: Added. 24298 (FTL): 24299 (JSC::FTL::State::dumpState): 24300 * ftl/FTLState.h: 24301 (State): 24302 243032013-03-29 Filip Pizlo <fpizlo@apple.com> 24304 24305 Unreviewed, release mode build fix. 24306 24307 * ftl/FTLLowerDFGToLLVM.cpp: 24308 (JSC::FTL::LowerDFGToLLVM::lowInt32): 24309 (JSC::FTL::LowerDFGToLLVM::lowCell): 24310 (JSC::FTL::LowerDFGToLLVM::lowBoolean): 24311 (JSC::FTL::LowerDFGToLLVM::lowJSValue): 24312 243132013-03-29 Filip Pizlo <fpizlo@apple.com> 24314 24315 fourthTier: Change DO_NOT_INCLUDE_LLVM_CPP_HEADERS to LLVM_DO_NOT_INCLUDE_CPP_HEADERS 24316 https://bugs.webkit.org/show_bug.cgi?id=113634 24317 24318 Reviewed by Dan Bernstein. 24319 24320 * ftl/FTLLLVMHeaders.h: 24321 243222013-03-29 Filip Pizlo <fpizlo@apple.com> 24323 24324 fourthTier: FTL JIT should be able run some simple function 24325 https://bugs.webkit.org/show_bug.cgi?id=113481 24326 24327 Reviewed by Geoffrey Garen. 24328 24329 I forgot to make a couple of the requested review changes, so I'm making 24330 them now! 24331 24332 * ftl/FTLCompile.cpp: 24333 (JSC::FTL::compile): 24334 * ftl/FTLJITCode.h: 24335 243362013-03-29 Filip Pizlo <fpizlo@apple.com> 24337 24338 fourthTier: FTL JIT should be able run some simple function 24339 https://bugs.webkit.org/show_bug.cgi?id=113481 24340 24341 Reviewed by Geoffrey Garen. 24342 24343 This is the initial version of the FTL JIT (Fourth Tier LLVM JIT). 24344 It includes a lowering from the DFG IR to LLVM IR (FTL::lowerDFGToLLVM) 24345 and a "backend" step that invokes the LLVM and wraps the resulting 24346 function in a thunk (FTL::compile). 24347 24348 All LLVM IR building functions are wrapped up into a nicer FTL API. 24349 First they're wrapped in an abbreviated API (FTLAbbreviations.h) and 24350 then again into an object-oriented IR builder (FTLOutput.h). 24351 24352 This runs things. I don't know how fast it runs things. And I don't 24353 make any claims of stability. The FTL is runtime-disabled by default; 24354 you will enable it by doing --useExperimentalFTL=true. Probably if you 24355 do this, you will run slower, because of the heavy thunking we do, the 24356 fact that we don't have anything resembling a sensible tiering story, 24357 and because we only compile ridiculously tiny functions. 24358 24359 Finally, this still requires a custom set of LLVM headers to build. 24360 I am working on getting that up-streamed to LLVM, and separately I'll 24361 make sure that we have a build checked into this branch. 24362 24363 * Configurations/JavaScriptCore.xcconfig: 24364 * JavaScriptCore.xcodeproj/project.pbxproj: 24365 * bytecode/Operands.h: 24366 (Operands): 24367 (JSC::Operands::Operands): 24368 * dfg/DFGAbstractState.h: 24369 (JSC::DFG::AbstractState::needsTypeCheck): 24370 (AbstractState): 24371 (JSC::DFG::AbstractState::filterEdgeByUse): 24372 * dfg/DFGDriver.cpp: 24373 (JSC::DFG::compile): 24374 * dfg/DFGSpeculativeJIT.cpp: 24375 (JSC::DFG::SpeculativeJIT::checkArgumentTypes): 24376 * dfg/DFGSpeculativeJIT.h: 24377 (JSC::DFG::SpeculativeJIT::needsTypeCheck): 24378 (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand): 24379 (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand): 24380 (DFG): 24381 * dfg/DFGUseKind.h: 24382 (JSC::DFG::shouldNotHaveTypeCheck): 24383 (DFG): 24384 (JSC::DFG::mayHaveTypeCheck): 24385 (JSC::DFG::isDouble): 24386 (JSC::DFG::isCell): 24387 * ftl: Added. 24388 * ftl/FTLAbbreviations.h: Added. 24389 (FTL): 24390 (JSC::FTL::int1Type): 24391 (JSC::FTL::int32Type): 24392 (JSC::FTL::int64Type): 24393 (JSC::FTL::intPtrType): 24394 (JSC::FTL::pointerType): 24395 (JSC::FTL::getParam): 24396 (JSC::FTL::constInt): 24397 (JSC::FTL::appendBasicBlock): 24398 (JSC::FTL::insertBasicBlock): 24399 (JSC::FTL::buildAlloca): 24400 (JSC::FTL::buildAdd): 24401 (JSC::FTL::buildAnd): 24402 (JSC::FTL::buildXor): 24403 (JSC::FTL::buildLoad): 24404 (JSC::FTL::buildStore): 24405 (JSC::FTL::buildZExt): 24406 (JSC::FTL::buildIntCast): 24407 (JSC::FTL::buildIntToPtr): 24408 (JSC::FTL::buildPtrToInt): 24409 (JSC::FTL::buildICmp): 24410 (JSC::FTL::buildSelect): 24411 (JSC::FTL::buildBr): 24412 (JSC::FTL::buildCondBr): 24413 (JSC::FTL::buildRet): 24414 (JSC::FTL::buildUnreachable): 24415 * ftl/FTLCapabilities.cpp: Added. 24416 (FTL): 24417 (JSC::FTL::canCompile): 24418 * ftl/FTLCapabilities.h: Added. 24419 (FTL): 24420 * ftl/FTLCompile.cpp: Added. 24421 (FTL): 24422 (JSC::FTL::compileEntry): 24423 (JSC::FTL::compile): 24424 * ftl/FTLCompile.h: Added. 24425 (FTL): 24426 * ftl/FTLJITCode.cpp: Added. 24427 (FTL): 24428 (JSC::FTL::JITCode::JITCode): 24429 (JSC::FTL::JITCode::~JITCode): 24430 (JSC::FTL::JITCode::addressForCall): 24431 (JSC::FTL::JITCode::executableAddressAtOffset): 24432 (JSC::FTL::JITCode::dataAddressAtOffset): 24433 (JSC::FTL::JITCode::offsetOf): 24434 (JSC::FTL::JITCode::size): 24435 (JSC::FTL::JITCode::contains): 24436 * ftl/FTLJITCode.h: Added. 24437 (FTL): 24438 (JITCode): 24439 * ftl/FTLLLVMHeaders.h: Added. 24440 * ftl/FTLLowerDFGToLLVM.cpp: Added. 24441 (FTL): 24442 (LowerDFGToLLVM): 24443 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM): 24444 (JSC::FTL::LowerDFGToLLVM::lower): 24445 (JSC::FTL::LowerDFGToLLVM::addFlushedLocalOpRoots): 24446 (JSC::FTL::LowerDFGToLLVM::closeOverFlushedLocalOps): 24447 (JSC::FTL::LowerDFGToLLVM::addFlushedLocalOp): 24448 (JSC::FTL::LowerDFGToLLVM::addFlushedLocalEdge): 24449 (JSC::FTL::LowerDFGToLLVM::transferAndCheckArguments): 24450 (JSC::FTL::LowerDFGToLLVM::compileBlock): 24451 (JSC::FTL::LowerDFGToLLVM::compileNode): 24452 (JSC::FTL::LowerDFGToLLVM::compileJSConstant): 24453 (JSC::FTL::LowerDFGToLLVM::compileGetLocal): 24454 (JSC::FTL::LowerDFGToLLVM::compileSetLocal): 24455 (JSC::FTL::LowerDFGToLLVM::compileMovHintAndCheck): 24456 (JSC::FTL::LowerDFGToLLVM::compilePhantom): 24457 (JSC::FTL::LowerDFGToLLVM::compileReturn): 24458 (JSC::FTL::LowerDFGToLLVM::speculateBackward): 24459 (JSC::FTL::LowerDFGToLLVM::speculateForward): 24460 (JSC::FTL::LowerDFGToLLVM::speculate): 24461 (JSC::FTL::LowerDFGToLLVM::terminate): 24462 (JSC::FTL::LowerDFGToLLVM::backwardTypeCheck): 24463 (JSC::FTL::LowerDFGToLLVM::forwardTypeCheck): 24464 (JSC::FTL::LowerDFGToLLVM::typeCheck): 24465 (JSC::FTL::LowerDFGToLLVM::lowInt32): 24466 (JSC::FTL::LowerDFGToLLVM::lowCell): 24467 (JSC::FTL::LowerDFGToLLVM::lowBoolean): 24468 (JSC::FTL::LowerDFGToLLVM::lowJSValue): 24469 (JSC::FTL::LowerDFGToLLVM::checkNotInt32): 24470 (JSC::FTL::LowerDFGToLLVM::unboxInt32): 24471 (JSC::FTL::LowerDFGToLLVM::boxInt32): 24472 (JSC::FTL::LowerDFGToLLVM::checkNotCell): 24473 (JSC::FTL::LowerDFGToLLVM::checkNotBoolean): 24474 (JSC::FTL::LowerDFGToLLVM::unboxBoolean): 24475 (JSC::FTL::LowerDFGToLLVM::boxBoolean): 24476 (JSC::FTL::LowerDFGToLLVM::speculateInt32): 24477 (JSC::FTL::LowerDFGToLLVM::addressFor): 24478 (JSC::FTL::LowerDFGToLLVM::payloadFor): 24479 (JSC::FTL::LowerDFGToLLVM::tagFor): 24480 (JSC::FTL::LowerDFGToLLVM::globalData): 24481 (JSC::FTL::LowerDFGToLLVM::codeBlock): 24482 (JSC::FTL::lowerDFGToLLVM): 24483 * ftl/FTLLowerDFGToLLVM.h: Added. 24484 (FTL): 24485 * ftl/FTLOutput.h: Added. 24486 (FTL): 24487 (Output): 24488 (JSC::FTL::Output::Output): 24489 (JSC::FTL::Output::~Output): 24490 (JSC::FTL::Output::initialize): 24491 (JSC::FTL::Output::appendTo): 24492 (JSC::FTL::Output::newBlock): 24493 (JSC::FTL::Output::param): 24494 (JSC::FTL::Output::constBool): 24495 (JSC::FTL::Output::constInt32): 24496 (JSC::FTL::Output::constIntPtr): 24497 (JSC::FTL::Output::constInt64): 24498 (JSC::FTL::Output::add): 24499 (JSC::FTL::Output::bitAnd): 24500 (JSC::FTL::Output::bitXor): 24501 (JSC::FTL::Output::zeroExt): 24502 (JSC::FTL::Output::intCast): 24503 (JSC::FTL::Output::castToInt32): 24504 (JSC::FTL::Output::get): 24505 (JSC::FTL::Output::set): 24506 (JSC::FTL::Output::load): 24507 (JSC::FTL::Output::store): 24508 (JSC::FTL::Output::load32): 24509 (JSC::FTL::Output::load64): 24510 (JSC::FTL::Output::loadPtr): 24511 (JSC::FTL::Output::store32): 24512 (JSC::FTL::Output::store64): 24513 (JSC::FTL::Output::storePtr): 24514 (JSC::FTL::Output::equal): 24515 (JSC::FTL::Output::notEqual): 24516 (JSC::FTL::Output::above): 24517 (JSC::FTL::Output::aboveOrEqual): 24518 (JSC::FTL::Output::below): 24519 (JSC::FTL::Output::belowOrEqual): 24520 (JSC::FTL::Output::greaterThan): 24521 (JSC::FTL::Output::greaterThanOrEqual): 24522 (JSC::FTL::Output::lessThan): 24523 (JSC::FTL::Output::lessThanOrEqual): 24524 (JSC::FTL::Output::isZero64): 24525 (JSC::FTL::Output::notZero64): 24526 (JSC::FTL::Output::testNonZero64): 24527 (JSC::FTL::Output::select): 24528 (JSC::FTL::Output::jump): 24529 (JSC::FTL::Output::branch): 24530 (JSC::FTL::Output::ret): 24531 (JSC::FTL::Output::unreachable): 24532 * ftl/FTLState.h: Added. 24533 (FTL): 24534 (State): 24535 (JSC::FTL::State::State): 24536 * runtime/InitializeThreading.cpp: 24537 (JSC::initializeThreadingOnce): 24538 * runtime/Options.h: 24539 (JSC): 24540 245412013-03-27 Filip Pizlo <fpizlo@apple.com> 24542 24543 fourthTier: JITCode should abstract exactly how the JIT code is structured and where it was allocated 24544 https://bugs.webkit.org/show_bug.cgi?id=113437 24545 24546 Reviewed by Mark Hahnenberg. 24547 24548 JITCode is now a virtual base class, which will allow different JITs to have radically 24549 different memory allocation and management conventions in the future. It will also 24550 make it easier to store JIT-specific meta-data in CodeBlock just by putting it into 24551 an appropriate JITCode subclass. 24552 24553 For now there is one subclass, DirectJITCode, which just behaves like JITCode used to 24554 behave. 24555 24556 * assembler/RepatchBuffer.h: 24557 (JSC::RepatchBuffer::RepatchBuffer): 24558 * bytecode/CodeBlock.cpp: 24559 (JSC::CodeBlock::resetStubInternal): 24560 (JSC::CodeBlock::bytecodeOffset): 24561 (JSC::CodeBlock::codeOriginForReturn): 24562 * bytecode/CodeBlock.h: 24563 (JSC::CodeBlock::setJITCode): 24564 (JSC::CodeBlock::getJITCode): 24565 (JSC::CodeBlock::getJITType): 24566 (CodeBlock): 24567 * dfg/DFGDriver.cpp: 24568 (JSC::DFG::compile): 24569 (JSC::DFG::tryCompile): 24570 (JSC::DFG::tryCompileFunction): 24571 * dfg/DFGDriver.h: 24572 (DFG): 24573 (JSC::DFG::tryCompile): 24574 (JSC::DFG::tryCompileFunction): 24575 * dfg/DFGJITCompiler.cpp: 24576 (JSC::DFG::JITCompiler::compile): 24577 (JSC::DFG::JITCompiler::compileFunction): 24578 * dfg/DFGJITCompiler.h: 24579 (JITCompiler): 24580 * dfg/DFGOSREntry.cpp: 24581 (JSC::DFG::prepareOSREntry): 24582 * dfg/DFGOSRExit.cpp: 24583 (JSC::DFG::OSRExit::codeLocationForRepatch): 24584 * dfg/DFGOSRExitCompiler32_64.cpp: 24585 (JSC::DFG::OSRExitCompiler::compileExit): 24586 * dfg/DFGOSRExitCompiler64.cpp: 24587 (JSC::DFG::OSRExitCompiler::compileExit): 24588 * dfg/DFGOperations.cpp: 24589 * interpreter/Interpreter.cpp: 24590 (JSC::Interpreter::execute): 24591 (JSC::Interpreter::executeCall): 24592 (JSC::Interpreter::executeConstruct): 24593 * jit/JIT.cpp: 24594 (JSC::JIT::privateCompile): 24595 * jit/JIT.h: 24596 (JSC::JIT::compile): 24597 (JIT): 24598 * jit/JITCode.cpp: 24599 (JSC): 24600 (JSC::JITCode::JITCode): 24601 (JSC::JITCode::~JITCode): 24602 (JSC::JITCode::execute): 24603 (JSC::JITCode::hostFunction): 24604 (JSC::DirectJITCode::DirectJITCode): 24605 (JSC::DirectJITCode::~DirectJITCode): 24606 (JSC::DirectJITCode::addressForCall): 24607 (JSC::DirectJITCode::executableAddressAtOffset): 24608 (JSC::DirectJITCode::dataAddressAtOffset): 24609 (JSC::DirectJITCode::offsetOf): 24610 (JSC::DirectJITCode::size): 24611 (JSC::DirectJITCode::contains): 24612 * jit/JITCode.h: 24613 (JSC): 24614 (JITCode): 24615 (JSC::JITCode::bottomTierJIT): 24616 (JSC::JITCode::topTierJIT): 24617 (JSC::JITCode::nextTierJIT): 24618 (JSC::JITCode::isOptimizingJIT): 24619 (JSC::JITCode::isBaselineCode): 24620 (JSC::JITCode::jitType): 24621 (JSC::JITCode::jitTypeFor): 24622 (JSC::JITCode::executableAddress): 24623 (JSC::JITCode::start): 24624 (JSC::JITCode::end): 24625 (DirectJITCode): 24626 * jit/JITDriver.h: 24627 (JSC::jitCompileIfAppropriate): 24628 (JSC::jitCompileFunctionIfAppropriate): 24629 * jit/JITStubs.cpp: 24630 (JSC::lazyLinkFor): 24631 (JSC::DEFINE_STUB_FUNCTION): 24632 * jit/ThunkGenerators.cpp: 24633 (JSC::virtualForGenerator): 24634 * llint/LLIntEntrypoints.cpp: 24635 (JSC::LLInt::getFunctionEntrypoint): 24636 (JSC::LLInt::getEvalEntrypoint): 24637 (JSC::LLInt::getProgramEntrypoint): 24638 * llint/LLIntEntrypoints.h: 24639 (JSC): 24640 (LLInt): 24641 (JSC::LLInt::getEntrypoint): 24642 * llint/LLIntSlowPaths.cpp: 24643 (JSC::LLInt::jitCompileAndSetHeuristics): 24644 (JSC::LLInt::entryOSR): 24645 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 24646 * runtime/Executable.cpp: 24647 (JSC::EvalExecutable::compileInternal): 24648 (JSC::ProgramExecutable::compileInternal): 24649 (JSC::FunctionExecutable::compileForCallInternal): 24650 (JSC::FunctionExecutable::compileForConstructInternal): 24651 * runtime/Executable.h: 24652 (JSC::ExecutableBase::generatedJITCodeForCall): 24653 (JSC::ExecutableBase::generatedJITCodeForConstruct): 24654 (JSC::ExecutableBase::generatedJITCodeFor): 24655 (ExecutableBase): 24656 (JSC::ExecutableBase::hostCodeEntryFor): 24657 (JSC::ExecutableBase::jsCodeEntryFor): 24658 (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor): 24659 (JSC::NativeExecutable::create): 24660 (JSC::NativeExecutable::finishCreation): 24661 (JSC::EvalExecutable::generatedJITCode): 24662 (JSC::ProgramExecutable::generatedJITCode): 24663 * runtime/ExecutionHarness.h: 24664 (JSC::prepareForExecution): 24665 (JSC::prepareFunctionForExecution): 24666 246672013-07-16 Oliver Hunt <oliver@apple.com> 24668 24669 Merged dfgFourthTier r148570 24670 24671 2013-04-16 Filip Pizlo <fpizlo@apple.com> 24672 24673 fourthTier: DFG should be able to query Structure without modifying it 24674 https://bugs.webkit.org/show_bug.cgi?id=114708 24675 24676 Reviewed by Oliver Hunt. 24677 24678 This is work towards allowing the DFG, and FTL, to run on a separate thread. 24679 The idea is that the most evil thing that the DFG does that has thread-safety 24680 issues is fiddling with Structures by calling Structure::get(). This can lead 24681 to rematerialization of property tables, which is definitely not thread-safe 24682 due to how StringImpl works. So, this patch completely side-steps the problem 24683 by creating a new version of Structure::get, called 24684 Structure::getWithoutMaterializing, which may choose to do an O(n) search if 24685 necessary to avoid materialization. I believe this should be fine - the DFG 24686 does't call into these code path often enough for this to matter, and most of 24687 the time, the Structure that we call this on will already have a property 24688 table because some inline cache would have already called ::get() on that 24689 Structure. 24690 24691 Also cleaned up the materialization logic: we can stop the search as soon as 24692 we find any Structure with a property table rather than searching all the way 24693 for a pinned one. 24694 24695 * bytecode/GetByIdStatus.cpp: 24696 (JSC::GetByIdStatus::computeFor): 24697 * bytecode/PutByIdStatus.cpp: 24698 (JSC::PutByIdStatus::computeFromLLInt): 24699 (JSC::PutByIdStatus::computeFor): 24700 * runtime/Structure.cpp: 24701 (JSC::Structure::findStructuresAndMapForMaterialization): 24702 (JSC::Structure::materializePropertyMap): 24703 (JSC::Structure::getWithoutMaterializing): 24704 (JSC): 24705 * runtime/Structure.h: 24706 (Structure): 24707 * runtime/StructureInlines.h: 24708 (JSC::Structure::getWithoutMaterializing): 24709 (JSC): 24710 247112013-07-15 Oliver Hunt <oliver@apple.com> 24712 24713 Merged dfgFourthTier r148047 24714 24715 2013-04-09 Filip Pizlo <fpizlo@apple.com> 24716 24717 fourthTier: DFG should provide utilities for common OSR exit tasks 24718 https://bugs.webkit.org/show_bug.cgi?id=114306 24719 24720 Reviewed by Mark Hahnenberg. 24721 24722 Just abstract out some things that the FTL will want to use as well. 24723 24724 * CMakeLists.txt: 24725 * GNUmakefile.list.am: 24726 * JavaScriptCore.xcodeproj/project.pbxproj: 24727 * Target.pri: 24728 * dfg/DFGDriver.cpp: 24729 (JSC::DFG::compile): 24730 * dfg/DFGOSRExitCompiler.cpp: 24731 * dfg/DFGOSRExitCompiler.h: 24732 (OSRExitCompiler): 24733 * dfg/DFGOSRExitCompiler32_64.cpp: 24734 (JSC::DFG::OSRExitCompiler::compileExit): 24735 * dfg/DFGOSRExitCompiler64.cpp: 24736 (JSC::DFG::OSRExitCompiler::compileExit): 24737 * dfg/DFGOSRExitCompilerCommon.cpp: Added. 24738 (DFG): 24739 (JSC::DFG::handleExitCounts): 24740 (JSC::DFG::reifyInlinedCallFrames): 24741 (JSC::DFG::adjustAndJumpToTarget): 24742 * dfg/DFGOSRExitCompilerCommon.h: Added. 24743 (DFG): 24744 247452013-07-15 Oliver Hunt <oliver@apple.com> 24746 24747 Merged dfgFourthTier r148037 24748 24749 2013-04-09 Filip Pizlo <fpizlo@apple.com> 24750 24751 fourthTier: DFG should better abstract floating point arguments 24752 https://bugs.webkit.org/show_bug.cgi?id=114300 24753 24754 Reviewed by Mark Hahnenberg. 24755 24756 * dfg/DFGFPRInfo.h: 24757 (FPRInfo): 24758 (JSC::DFG::FPRInfo::toArgumentRegister): 24759 247602013-07-15 Oliver Hunt <oliver@apple.com> 24761 24762 Merged dfgFourthTier r147821 24763 24764 2013-04-05 Filip Pizlo <fpizlo@apple.com> 24765 24766 fourthTier: DFG should better abstract arguments 24767 https://bugs.webkit.org/show_bug.cgi?id=114073 24768 24769 Reviewed by Mark Hahnenberg. 24770 24771 * dfg/DFGGPRInfo.h: 24772 (GPRInfo): 24773 (JSC::DFG::GPRInfo::toArgumentRegister): 24774 247752013-07-15 Oliver Hunt <oliver@apple.com> 24776 24777 Merged dfgFourthTier r147609 24778 24779 2013-04-03 Filip Pizlo <fpizlo@apple.com> 24780 24781 fourthTier: put DFG data into a DFG::JITCode, and put common DFG and FTL data into something accessible from both DFG::JITCode and FTL::JITCode 24782 https://bugs.webkit.org/show_bug.cgi?id=113905 24783 24784 Reviewed by Geoffrey Garen. 24785 24786 This removes one pointer from CodeBlock. 24787 24788 It also gives us a framework for having JITType-specific data in CodeBlock, by 24789 putting it into the appropriate JITCode class (either DFG::JITCode or 24790 FTL::JITCode). And it allows us to have DFG and FTL share some common data, 24791 via DFG::CommonData, which is stored in both DFG::JITCode and FTL::JITCode and 24792 always accessible via JITCode::dfgCommon(). 24793 24794 * CMakeLists.txt: 24795 * GNUmakefile.list.am: 24796 * JavaScriptCore.xcodeproj/project.pbxproj: 24797 * Target.pri: 24798 * bytecode/CodeBlock.cpp: 24799 (JSC): 24800 (JSC::CodeBlock::dumpBytecode): 24801 (JSC::CodeBlock::visitAggregate): 24802 (JSC::CodeBlock::performTracingFixpointIteration): 24803 (JSC::CodeBlock::finalizeUnconditionally): 24804 (JSC::CodeBlock::stronglyVisitWeakReferences): 24805 (JSC::CodeBlock::shrinkToFit): 24806 (JSC::CodeBlock::tallyFrequentExitSites): 24807 * bytecode/CodeBlock.h: 24808 (CodeBlock): 24809 (JSC::CodeBlock::setJITCode): 24810 (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): 24811 (JSC::DFGCodeBlocks::mark): 24812 * dfg/DFGAssemblyHelpers.h: 24813 * dfg/DFGCommonData.cpp: Added. 24814 (DFG): 24815 (JSC::DFG::CommonData::notifyCompilingStructureTransition): 24816 (JSC::DFG::CommonData::shrinkToFit): 24817 * dfg/DFGCommonData.h: Added. 24818 (JSC): 24819 (DFG): 24820 (JSC::DFG::WeakReferenceTransition::WeakReferenceTransition): 24821 (WeakReferenceTransition): 24822 (CommonData): 24823 (JSC::DFG::CommonData::CommonData): 24824 * dfg/DFGDriver.cpp: 24825 (JSC::DFG::compile): 24826 (JSC::DFG::tryCompile): 24827 (JSC::DFG::tryCompileFunction): 24828 * dfg/DFGDriver.h: 24829 (DFG): 24830 (JSC::DFG::tryCompile): 24831 (JSC::DFG::tryCompileFunction): 24832 * dfg/DFGGraph.h: 24833 (Graph): 24834 * dfg/DFGJITCode.cpp: Added. 24835 (DFG): 24836 (JSC::DFG::JITCode::JITCode): 24837 (JSC::DFG::JITCode::~JITCode): 24838 (JSC::DFG::JITCode::dfgCommon): 24839 (JSC::DFG::JITCode::dfg): 24840 (JSC::DFG::JITCode::shrinkToFit): 24841 * dfg/DFGJITCode.h: Added. 24842 (DFG): 24843 (JITCode): 24844 (JSC::DFG::JITCode::appendOSREntryData): 24845 (JSC::DFG::JITCode::osrEntryDataForBytecodeIndex): 24846 (JSC::DFG::JITCode::appendOSRExit): 24847 (JSC::DFG::JITCode::lastOSRExit): 24848 (JSC::DFG::JITCode::appendSpeculationRecovery): 24849 (JSC::DFG::JITCode::appendWatchpoint): 24850 * dfg/DFGJITCompiler.cpp: 24851 (JSC::DFG::JITCompiler::JITCompiler): 24852 (JSC::DFG::JITCompiler::linkOSRExits): 24853 (JSC::DFG::JITCompiler::link): 24854 (JSC::DFG::JITCompiler::compile): 24855 (JSC::DFG::JITCompiler::compileFunction): 24856 * dfg/DFGJITCompiler.h: 24857 (JITCompiler): 24858 (JSC::DFG::JITCompiler::addWeakReference): 24859 (JSC::DFG::JITCompiler::noticeOSREntry): 24860 (JSC::DFG::JITCompiler::jitCode): 24861 * dfg/DFGOSREntry.cpp: 24862 (JSC::DFG::prepareOSREntry): 24863 * dfg/DFGOSRExit.h: 24864 (OSRExit): 24865 * dfg/DFGOSRExitCompiler.cpp: 24866 * dfg/DFGSpeculativeJIT.cpp: 24867 (JSC::DFG::SpeculativeJIT::SpeculativeJIT): 24868 (JSC::DFG::SpeculativeJIT::backwardSpeculationCheck): 24869 (JSC::DFG::SpeculativeJIT::speculationWatchpoint): 24870 (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward): 24871 * dfg/DFGSpeculativeJIT32_64.cpp: 24872 (JSC::DFG::SpeculativeJIT::compile): 24873 * dfg/DFGSpeculativeJIT64.cpp: 24874 (JSC::DFG::SpeculativeJIT::compile): 24875 * dfg/DFGVariableEventStream.cpp: 24876 * heap/DFGCodeBlocks.cpp: 24877 (JSC::DFGCodeBlocks::~DFGCodeBlocks): 24878 (JSC::DFGCodeBlocks::jettison): 24879 (JSC::DFGCodeBlocks::clearMarks): 24880 (JSC::DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks): 24881 (JSC::DFGCodeBlocks::traceMarkedCodeBlocks): 24882 * jit/JITCode.cpp: 24883 (JSC::JITCode::dfgCommon): 24884 (JSC): 24885 (JSC::JITCode::dfg): 24886 (JSC::JITCode::ftl): 24887 (JSC::DirectJITCode::DirectJITCode): 24888 (JSC::DirectJITCode::initializeCodeRef): 24889 (JSC::DirectJITCode::addressForCall): 24890 (JSC::DirectJITCode::executableAddressAtOffset): 24891 (JSC::DirectJITCode::dataAddressAtOffset): 24892 (JSC::DirectJITCode::offsetOf): 24893 (JSC::DirectJITCode::size): 24894 (JSC::DirectJITCode::contains): 24895 * jit/JITCode.h: 24896 (DFG): 24897 (FTL): 24898 (JSC): 24899 (JITCode): 24900 (DirectJITCode): 24901 249022013-07-15 Oliver Hunt <oliver@apple.com> 24903 24904 Merge dfgFourthTier r147587 24905 24906 2013-04-03 Filip Pizlo <fpizlo@apple.com> 24907 24908 fourthTier: Everyone should know about the FTL 24909 https://bugs.webkit.org/show_bug.cgi?id=113897 24910 24911 Reviewed by Mark Hahnenberg. 24912 24913 In order to get OSR exit to work right, we need the distinction between DFG and 24914 FTL to be clear even after compilation finishes, since they will have subtly 24915 different OSR stories and likely use different data structures. 24916 24917 * bytecode/CodeBlock.cpp: 24918 (JSC::CodeBlock::resetStubInternal): 24919 (JSC::ProgramCodeBlock::compileOptimized): 24920 (JSC::EvalCodeBlock::compileOptimized): 24921 (JSC::FunctionCodeBlock::compileOptimized): 24922 (JSC::CodeBlock::adjustedExitCountThreshold): 24923 (JSC::CodeBlock::tallyFrequentExitSites): 24924 * bytecode/CodeBlock.h: 24925 (JSC::CodeBlock::setJITCode): 24926 (JSC::CodeBlock::hasOptimizedReplacement): 24927 (JSC::ExecState::isInlineCallFrame): 24928 * ftl/FTLCompile.cpp: 24929 (JSC::FTL::compile): 24930 * ftl/FTLJITCode.cpp: 24931 (JSC::FTL::JITCode::JITCode): 24932 * ftl/FTLState.cpp: 24933 (JSC::FTL::State::dumpState): 24934 * heap/DFGCodeBlocks.cpp: 24935 (JSC::DFGCodeBlocks::jettison): 24936 * interpreter/Interpreter.cpp: 24937 (JSC::getLineNumberForCallFrame): 24938 (JSC::getCallerInfo): 24939 * jit/JITCode.cpp: 24940 (WTF::printInternal): 24941 * jit/JITCode.h: 24942 (JSC::JITCode::topTierJIT): 24943 (JSC::JITCode::nextTierJIT): 24944 (JITCode): 24945 (JSC::JITCode::isJIT): 24946 (JSC::JITCode::isLowerTier): 24947 (JSC::JITCode::isHigherTier): 24948 (JSC::JITCode::isLowerOrSameTier): 24949 (JSC::JITCode::isHigherOrSameTier): 24950 (JSC::JITCode::isOptimizingJIT): 24951 * jit/JITDriver.h: 24952 (JSC::jitCompileIfAppropriate): 24953 (JSC::jitCompileFunctionIfAppropriate): 24954 * jit/JITStubs.cpp: 24955 (JSC::DEFINE_STUB_FUNCTION): 24956 * runtime/Executable.cpp: 24957 (JSC::EvalExecutable::compileOptimized): 24958 (JSC::samplingDescription): 24959 (JSC::ProgramExecutable::compileOptimized): 24960 (JSC::FunctionExecutable::compileOptimizedForCall): 24961 (JSC::FunctionExecutable::compileOptimizedForConstruct): 24962 249632013-04-03 Filip Pizlo <fpizlo@apple.com> 24964 24965 fourthTier: DFG should abstract out how it does forward exits, and that code should be simplified 24966 https://bugs.webkit.org/show_bug.cgi?id=113894 24967 24968 Reviewed by Mark Hahnenberg. 24969 24970 1) We previously had two different ways of convertingToForward, one path for 24971 where we had a ValueRecovery for the current node and one where we didn't. 24972 But the paths were doing exactly the same thing except that if you have a 24973 ValueRecovery, you also find the last applicable mov hint and do some 24974 extra things. This patch combines the two paths and bases both of them on 24975 the previous no-ValueRecovery path, which was simpler to begin with. 24976 24977 2) This moves the logic into DFG::OSRExit, which further simplifies the code 24978 and makes the logic available to the FTL. 24979 24980 * dfg/DFGOSRExit.cpp: 24981 (JSC::DFG::OSRExit::convertToForward): 24982 (DFG): 24983 * dfg/DFGOSRExit.h: 24984 (DFG): 24985 (OSRExit): 24986 * dfg/DFGSpeculativeJIT.cpp: 24987 (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward): 24988 249892013-07-15 Oliver Hunt <oliver@apple.com> 24990 24991 Merge dfgFourthTier r147582 24992 249932013-07-15 Oliver Hunt <oliver@apple.com> 24994 24995 Merge dfgFourthTier r147014 24996 24997 2013-03-27 Filip Pizlo <fpizlo@apple.com> 24998 24999 fourthTier: JITCode should abstract exactly how the JIT code is structured and where it was allocated 25000 https://bugs.webkit.org/show_bug.cgi?id=113437 25001 25002 Reviewed by Mark Hahnenberg. 25003 25004 JITCode is now a virtual base class, which will allow different JITs to have radically 25005 different memory allocation and management conventions in the future. It will also 25006 make it easier to store JIT-specific meta-data in CodeBlock just by putting it into 25007 an appropriate JITCode subclass. 25008 25009 For now there is one subclass, DirectJITCode, which just behaves like JITCode used to 25010 behave. 25011 25012 * assembler/RepatchBuffer.h: 25013 (JSC::RepatchBuffer::RepatchBuffer): 25014 * bytecode/CodeBlock.cpp: 25015 (JSC::CodeBlock::resetStubInternal): 25016 (JSC::CodeBlock::bytecodeOffset): 25017 (JSC::CodeBlock::codeOriginForReturn): 25018 * bytecode/CodeBlock.h: 25019 (JSC::CodeBlock::setJITCode): 25020 (JSC::CodeBlock::getJITCode): 25021 (JSC::CodeBlock::getJITType): 25022 (CodeBlock): 25023 * dfg/DFGDriver.cpp: 25024 (JSC::DFG::compile): 25025 (JSC::DFG::tryCompile): 25026 (JSC::DFG::tryCompileFunction): 25027 * dfg/DFGDriver.h: 25028 (DFG): 25029 (JSC::DFG::tryCompile): 25030 (JSC::DFG::tryCompileFunction): 25031 * dfg/DFGJITCompiler.cpp: 25032 (JSC::DFG::JITCompiler::compile): 25033 (JSC::DFG::JITCompiler::compileFunction): 25034 * dfg/DFGJITCompiler.h: 25035 (JITCompiler): 25036 * dfg/DFGOSREntry.cpp: 25037 (JSC::DFG::prepareOSREntry): 25038 * dfg/DFGOSRExit.cpp: 25039 (JSC::DFG::OSRExit::codeLocationForRepatch): 25040 * dfg/DFGOSRExitCompiler32_64.cpp: 25041 (JSC::DFG::OSRExitCompiler::compileExit): 25042 * dfg/DFGOSRExitCompiler64.cpp: 25043 (JSC::DFG::OSRExitCompiler::compileExit): 25044 * dfg/DFGOperations.cpp: 25045 * interpreter/Interpreter.cpp: 25046 (JSC::Interpreter::execute): 25047 (JSC::Interpreter::executeCall): 25048 (JSC::Interpreter::executeConstruct): 25049 * jit/JIT.cpp: 25050 (JSC::JIT::privateCompile): 25051 * jit/JIT.h: 25052 (JSC::JIT::compile): 25053 (JIT): 25054 * jit/JITCode.cpp: 25055 (JSC): 25056 (JSC::JITCode::JITCode): 25057 (JSC::JITCode::~JITCode): 25058 (JSC::JITCode::execute): 25059 (JSC::JITCode::hostFunction): 25060 (JSC::DirectJITCode::DirectJITCode): 25061 (JSC::DirectJITCode::~DirectJITCode): 25062 (JSC::DirectJITCode::addressForCall): 25063 (JSC::DirectJITCode::executableAddressAtOffset): 25064 (JSC::DirectJITCode::dataAddressAtOffset): 25065 (JSC::DirectJITCode::offsetOf): 25066 (JSC::DirectJITCode::size): 25067 (JSC::DirectJITCode::contains): 25068 * jit/JITCode.h: 25069 (JSC): 25070 (JITCode): 25071 (JSC::JITCode::bottomTierJIT): 25072 (JSC::JITCode::topTierJIT): 25073 (JSC::JITCode::nextTierJIT): 25074 (JSC::JITCode::isOptimizingJIT): 25075 (JSC::JITCode::isBaselineCode): 25076 (JSC::JITCode::jitType): 25077 (JSC::JITCode::jitTypeFor): 25078 (JSC::JITCode::executableAddress): 25079 (JSC::JITCode::start): 25080 (JSC::JITCode::end): 25081 (DirectJITCode): 25082 * jit/JITDriver.h: 25083 (JSC::jitCompileIfAppropriate): 25084 (JSC::jitCompileFunctionIfAppropriate): 25085 * jit/JITStubs.cpp: 25086 (JSC::lazyLinkFor): 25087 (JSC::DEFINE_STUB_FUNCTION): 25088 * jit/ThunkGenerators.cpp: 25089 (JSC::virtualForGenerator): 25090 * llint/LLIntEntrypoints.cpp: 25091 (JSC::LLInt::getFunctionEntrypoint): 25092 (JSC::LLInt::getEvalEntrypoint): 25093 (JSC::LLInt::getProgramEntrypoint): 25094 * llint/LLIntEntrypoints.h: 25095 (JSC): 25096 (LLInt): 25097 (JSC::LLInt::getEntrypoint): 25098 * llint/LLIntSlowPaths.cpp: 25099 (JSC::LLInt::jitCompileAndSetHeuristics): 25100 (JSC::LLInt::entryOSR): 25101 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 25102 * runtime/Executable.cpp: 25103 (JSC::EvalExecutable::compileInternal): 25104 (JSC::ProgramExecutable::compileInternal): 25105 (JSC::FunctionExecutable::compileForCallInternal): 25106 (JSC::FunctionExecutable::compileForConstructInternal): 25107 * runtime/Executable.h: 25108 (JSC::ExecutableBase::generatedJITCodeForCall): 25109 (JSC::ExecutableBase::generatedJITCodeForConstruct): 25110 (JSC::ExecutableBase::generatedJITCodeFor): 25111 (ExecutableBase): 25112 (JSC::ExecutableBase::hostCodeEntryFor): 25113 (JSC::ExecutableBase::jsCodeEntryFor): 25114 (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor): 25115 (JSC::NativeExecutable::create): 25116 (JSC::NativeExecutable::finishCreation): 25117 (JSC::EvalExecutable::generatedJITCode): 25118 (JSC::ProgramExecutable::generatedJITCode): 25119 * runtime/ExecutionHarness.h: 25120 (JSC::prepareForExecution): 25121 (JSC::prepareFunctionForExecution): 25122 251232013-07-24 Filip Pizlo <fpizlo@apple.com> 25124 25125 It should be possible to hijack IndexingHeader for things other than lengths 25126 https://bugs.webkit.org/show_bug.cgi?id=119065 25127 25128 Reviewed by Mark Hahnenberg. 25129 25130 Made the body of IndexingHeader be a union. 25131 25132 Modified the offlineasm so that you can say IndexingHeader::u.lengths.publicLength. 25133 Previously those dots would cause parse errors. Now an identifier in offlineasm can 25134 have a dot anywhere except the first character. 25135 25136 * llint/LowLevelInterpreter32_64.asm: 25137 * llint/LowLevelInterpreter64.asm: 25138 * offlineasm/parser.rb: 25139 * runtime/IndexingHeader.h: 25140 (JSC::IndexingHeader::offsetOfPublicLength): 25141 (JSC::IndexingHeader::offsetOfVectorLength): 25142 (JSC::IndexingHeader::IndexingHeader): 25143 (JSC::IndexingHeader::vectorLength): 25144 (JSC::IndexingHeader::setVectorLength): 25145 (JSC::IndexingHeader::publicLength): 25146 (JSC::IndexingHeader::setPublicLength): 25147 251482013-07-24 Mark Hahnenberg <mhahnenberg@apple.com> 25149 25150 JIT::updateTopCallFrame doesn't update the CallFrame's bytecodeOffset if bytecodeOffset == 0 25151 https://bugs.webkit.org/show_bug.cgi?id=118923 25152 25153 Reviewed by Filip Pizlo. 25154 25155 This bug causes the CallFrame's bytecodeOffset to not be properly set when we 25156 enter, e.g., cti_optimize from an op_enter. 25157 25158 * jit/JITInlines.h: 25159 (JSC::JIT::updateTopCallFrame): 25160 251612013-07-23 Filip Pizlo <fpizlo@apple.com> 25162 25163 DFG string concatenation optimizations might emit speculative nodes after emitting nodes that kill the original inputs 25164 https://bugs.webkit.org/show_bug.cgi?id=119032 25165 25166 Reviewed by Oliver Hunt. 25167 25168 It just needs some Phantom action. 25169 25170 * dfg/DFGFixupPhase.cpp: 25171 (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd): 25172 251732013-07-10 Mark Lam <mark.lam@apple.com> 25174 25175 Need ExpressionRangeInfo before ResolveForPuts in strict mode. 25176 https://bugs.webkit.org/show_bug.cgi?id=118997. 25177 25178 Reviewed by Oliver Hunt. 25179 25180 If we add an assertion in UnlinkedCodeBlock::expressionRangeForBytecodeOffset() 25181 to ensure that we are able to find an ExpressionRangeInfo for any given bytecode 25182 offset, the following tests will fails: 25183 fast/js/basic-strict-mode.html 25184 fast/js/mozilla/strict/8.7.2.html 25185 With this fix, those tests will no longer fail. 25186 25187 * bytecompiler/NodesCodegen.cpp: 25188 (JSC::AssignResolveNode::emitBytecode): 25189 (JSC::ForInNode::emitBytecode): 25190 - Emit expression info before calls to emitResolveBaseForPut() when in strict mode. 25191 251922013-07-23 Mark Lam <mark.lam@apple.com> 25193 25194 Added ExpressionRangeInfo for BinaryOpNodes that can throw exceptions 25195 due to type coersion. 25196 https://bugs.webkit.org/show_bug.cgi?id=116853. 25197 25198 Reviewed by Geoffrey Garen. 25199 25200 * bytecompiler/NodesCodegen.cpp: 25201 (JSC::BinaryOpNode::emitBytecode): 25202 - Added expression info for the strcat and the general binary op cases. 25203 I did not add expression info for the "compare with null" case because 25204 that comparison cannot trigger type coersion, and hence it won't throw 25205 any exceptions and doesn't need the expression info. 25206 252072013-07-23 Mark Lam <mark.lam@apple.com> 25208 25209 Removed unused sourceOffset from JSTokenLocation. 25210 https://bugs.webkit.org/show_bug.cgi?id=118996. 25211 25212 Reviewed by Geoffrey Garen. 25213 25214 This also removes the assertion reported in the bug because it is now 25215 moot, thereby resolving the assertion failure issue on Windows. 25216 25217 * bytecompiler/NodesCodegen.cpp: 25218 (JSC::ArrayNode::toArgumentList): 25219 (JSC::ApplyFunctionCallDotNode::emitBytecode): 25220 * parser/Lexer.cpp: 25221 (JSC::::lex): 25222 * parser/Lexer.h: 25223 (JSC::::lexExpectIdentifier): 25224 * parser/Nodes.h: 25225 * parser/Parser.cpp: 25226 (JSC::::Parser): 25227 (JSC::::parseFunctionInfo): 25228 (JSC::::parseExpressionOrLabelStatement): 25229 (JSC::::parseMemberExpression): 25230 * parser/Parser.h: 25231 (JSC::::parse): 25232 * parser/ParserTokens.h: 25233 (JSC::JSTokenLocation::JSTokenLocation): 25234 252352013-07-22 Alex Christensen <achristensen@apple.com> 25236 25237 Added assembly files to Windows 64-bit builds. 25238 https://bugs.webkit.org/show_bug.cgi?id=118931 25239 25240 Reviewed by Brent Fulgham. 25241 25242 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm for x64 and enabled MASM. 25243 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Added JITStubsMSVC64.asm. 25244 252452013-07-20 Brent Fulgham <bfulgham@apple.com> 25246 25247 [Windows] Remove unneeded custom stdint.h now that we build on VS2010. 25248 https://bugs.webkit.org/show_bug.cgi?id=118868. 25249 25250 Reviewed by Anders Carlsson. 25251 25252 * os-win32/stdint.h: Removed. 25253 * GNUmakefile.list.am: Removed reference to os-win32/stdint.h 25254 252552013-07-19 Alex Christensen <achristensen@apple.com> 25256 25257 Added x64 configuration to Visual Studio build. 25258 https://bugs.webkit.org/show_bug.cgi?id=118888 25259 25260 Reviewed by Brent Fulgham. 25261 25262 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 25263 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: 25264 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: 25265 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: 25266 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: 25267 * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: 25268 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: 25269 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: 25270 252712013-07-18 Andreas Kling <akling@apple.com> 25272 25273 CodeBlock DFG entry list isn't getting shrunk-to-fit after linking. 25274 <http://webkit.org/b/118875> 25275 <rdar://problem/14488577> 25276 25277 Reviewed by Geoffrey Garen. 25278 25279 Move the CodeBlock::shrinkToFit() call out of JITCompiler::link() and to the call sites 25280 so SpeculativeJIT::linkOSREntries() can fill in CodeBlock::m_dfgData->osrEntry first. 25281 25282 886 kB progression on <http://twitter.com/awesomekling> 25283 25284 * dfg/DFGJITCompiler.cpp: 25285 (JSC::DFG::JITCompiler::link): 25286 (JSC::DFG::JITCompiler::compile): 25287 (JSC::DFG::JITCompiler::compileFunction): 25288 252892013-07-18 Chris Curtis <chris_curtis@apple.com> 25290 25291 Fixed ASSERTION FAILED: callFrame == globalData->topCallFrame in JSC::Interpreter::addStackTraceIfNecessary 25292 https://bugs.webkit.org/show_bug.cgi?id=118498 25293 25294 Reviewed by Geoffrey Garen. 25295 25296 * jit/JITStubs.cpp: 25297 (throwExceptionFromOpCall): 25298 Created new throwExceptionFromOpCall that takes in a functor that contains 25299 a function pointer (to create the errorObject) instead of a JSValue. Inside 25300 of throwExceptionFromOpCall the topCallFrame is being rolled back in order 25301 to handle the error throw. By passing the function pointer in, we can defer 25302 the creation of the error object until after topCallFrame has been rolled 25303 back. This allows the error object to be created with the appropriate top 25304 frame. 25305 25306 DEFINE_STUB_FUNCTION(void*, stack_check): 25307 DEFINE_STUB_FUNCTION(void*, op_call_arityCheck): 25308 DEFINE_STUB_FUNCTION(void*, op_construct_arityCheck): 25309 DEFINE_STUB_FUNCTION(EncodedJSValue, op_call_NotJSFunction): 25310 DEFINE_STUB_FUNCTION(EncodedJSValue, op_construct_NotJSConstruct): 25311 25312 (JSC::ErrorFunctor::~ErrorFunctor): 25313 (JSC::ErrorWithExecFunctor::ErrorWithExecFunctor): 25314 (JSC::ErrorWithExecFunctor::operator()): 25315 (JSC::ErrorWithExecAndCalleeFunctor::ErrorWithExecAndCalleeFunctor): 25316 (JSC::ErrorWithExecAndCalleeFunctor::operator()): 25317 (JSC::ErrorWithExceptionFunctor::ErrorWithExceptionFunctor): 25318 (JSC::ErrorWithExceptionFunctor::operator()): 25319 (JSC::throwExceptionFromOpCall): 25320 25321 In order to eliminate the need to duplicate code, an error functor was 25322 created for the 3 different throwExceptionFromOpCall handles. 25323 1. The exception needs to be created, and the function pointer takes 1 25324 parameter(callFrame->callerFrame()). 25325 2. The exception needs to be created, and the function pointer takes 2 25326 parameters (callFrame->callerFrame(), callFrame.calleeAsValue()). 25327 3. The exception is already created. In this case, At the time when 25328 the error functor is called, globalData.exception is returned. 25329 25330 * llint/LLIntSlowPaths.cpp: 25331 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 25332 * runtime/ExceptionHelpers.cpp: 25333 (JSC::errorDescriptionForValue): 25334 (JSC::createError): 25335 (JSC::createInvalidParameterError): 25336 (JSC::createNotAConstructorError): 25337 (JSC::createNotAFunctionError): 25338 (JSC::createNotAnObjectError): 25339 * runtime/ExceptionHelpers.h: 25340 25341 The function toString() was being used to stringify an object for an exception 25342 message. If the user wrote a toString() for that object, then the system would 25343 continue to evaluate that code. A new helper function was created to prevent 25344 the system to continue execution and exception creation from that execution. 25345 253462013-07-18 Filip Pizlo <fpizlo@apple.com> 25347 25348 LLInt get_argument_by_val for JSVALUE64 stores into the array profile when it meant to store into the value profile 25349 https://bugs.webkit.org/show_bug.cgi?id=118865 25350 25351 Reviewed by Mark Hahnenberg. 25352 25353 * llint/LowLevelInterpreter64.asm: 25354 253552013-07-18 Andreas Kling <akling@apple.com> 25356 25357 CodeBlock::m_argumentValueProfiles wastes a lot of memory. 25358 <http://webkit.org/b/118852> 25359 <rdar://problem/14481659> 25360 25361 Reviewed by Anders Carlsson. 25362 25363 Use Vector::resizeToFit() for CodeBlock::m_argumentValueProfiles. We don't need any padding 25364 for growth, since we won't be appending to it anyway. 25365 25366 921 KB progression on <http://twitter.com/awesomekling> 25367 25368 * bytecode/CodeBlock.cpp: 25369 (JSC::CodeBlock::setNumParameters): 25370 253712013-07-17 Filip Pizlo <fpizlo@apple.com> 25372 25373 Unreviewed, fix 32-bit after http://trac.webkit.org/changeset/152813 25374 25375 * dfg/DFGSpeculativeJIT.cpp: 25376 (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): 25377 * dfg/DFGSpeculativeJIT32_64.cpp: 25378 (JSC::DFG::SpeculativeJIT::compile): 25379 253802013-07-17 Geoffrey Garen <ggaren@apple.com> 25381 25382 API tests should test for JSStringCreateWithCFString with empty string 25383 https://bugs.webkit.org/show_bug.cgi?id=118819 25384 25385 Reviewed by Mark Hahnenberg. 25386 25387 * API/tests/testapi.c: 25388 (main): Test! 25389 253902013-07-17 Filip Pizlo <fpizlo@apple.com> 25391 25392 DFG assumes that NewFunction will never pass its input through 25393 https://bugs.webkit.org/show_bug.cgi?id=118798 25394 25395 Reviewed by Sam Weinig. 25396 25397 Previously the DFG was assuming that NewFunction always returns a function. That's not 25398 the case. It may return whatever was passed to it, if it wasn't passed SpecEmpty. 25399 25400 This fact needed to be wired through the compiler. 25401 25402 * dfg/DFGAbstractState.cpp: 25403 (JSC::DFG::AbstractState::executeEffects): 25404 * dfg/DFGAbstractValue.h: 25405 (JSC::DFG::AbstractValue::makeTop): 25406 * dfg/DFGGraph.cpp: 25407 (JSC::DFG::Graph::dump): 25408 * dfg/DFGOperations.cpp: 25409 * dfg/DFGOperations.h: 25410 * dfg/DFGPredictionPropagationPhase.cpp: 25411 (JSC::DFG::PredictionPropagationPhase::propagate): 25412 * dfg/DFGSpeculativeJIT.h: 25413 (JSC::DFG::SpeculativeJIT::callOperation): 25414 * dfg/DFGSpeculativeJIT32_64.cpp: 25415 (JSC::DFG::SpeculativeJIT::compile): 25416 * dfg/DFGSpeculativeJIT64.cpp: 25417 (JSC::DFG::SpeculativeJIT::compile): 25418 254192013-07-17 Geoffrey Garen <ggaren@apple.com> 25420 25421 JSStringCreateWithCFString should not convert the empty string into the NULL string 25422 https://bugs.webkit.org/show_bug.cgi?id=118816 25423 25424 Reviewed by Sam Weinig. 25425 25426 * API/JSStringRef.cpp: 25427 (JSStringCreateWithUTF8CString): Removed an extraneous comment, which 25428 a previous version of the patch made incorrect. 25429 25430 * API/JSStringRefCF.cpp: 25431 (JSStringCreateWithCFString): Don't convert the empty string into the 25432 null string. 25433 254342013-07-17 Chris Curtis <chris_curtis@apple.com> 25435 25436 Naming convention on createInvalidParamError is incorrect. 25437 https://bugs.webkit.org/show_bug.cgi?id=118756 25438 25439 Reviewed by Geoffrey Garen. 25440 25441 Changed the naming of createInvalidParamError to createInvalidParameterError. 25442 This corrects the naming convention for the function listed in the WebKit code styling. 25443 25444 * interpreter/Interpreter.cpp: 25445 (JSC::loadVarargs): 25446 * jit/JITStubs.cpp: 25447 (JSC::DEFINE_STUB_FUNCTION): 25448 * llint/LLIntSlowPaths.cpp: 25449 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 25450 * runtime/CommonSlowPaths.h: 25451 (JSC::CommonSlowPaths::opIn): 25452 * runtime/ExceptionHelpers.cpp: 25453 (JSC::createInvalidParameterError): 25454 * runtime/ExceptionHelpers.h: 25455 * runtime/JSObject.cpp: 25456 (JSC::JSObject::hasInstance): 25457 254582013-07-16 David Farler <dfarler@apple.com> 25459 25460 Typo in DFGInsertionSet.h header guard: "DFGInsectionSet_h" -> "DFGInsertionSet_h" 25461 https://bugs.webkit.org/show_bug.cgi?id=118753 25462 25463 Reviewed by Geoffrey Garen. 25464 25465 * dfg/DFGInsertionSet.h: 25466 "DFGInsectionSet_h" -> "DFGInsertionSet_h" 25467 254682013-07-16 Filip Pizlo <fpizlo@apple.com> 25469 25470 MakeRope fixup shouldn't lead to an Identity without kids 25471 https://bugs.webkit.org/show_bug.cgi?id=118745 25472 25473 Reviewed by Mark Hahnenberg. 25474 25475 Make the empty string pruning part of fixupMakeRope() stop if it's on the last child. 25476 25477 Make Node::convertToIdentity release-assert that it has exactly one kid. 25478 25479 * dfg/DFGFixupPhase.cpp: 25480 (JSC::DFG::FixupPhase::fixupMakeRope): 25481 * dfg/DFGNode.h: 25482 (JSC::DFG::Node::convertToIdentity): 25483 254842013-07-16 Mark Hahnenberg <mhahnenberg@apple.com> 25485 25486 Remove reference to JSValueStructSupport.h from JSExport.h 25487 https://bugs.webkit.org/show_bug.cgi?id=118746 25488 25489 Reviewed by Filip Pizlo. 25490 25491 * API/JSExport.h: No such header exists, so it doesn't make sense to reference it. 25492 254932013-07-13 Commit Queue <commit-queue@webkit.org> 25494 25495 Unreviewed, rolling out r151978. 25496 http://trac.webkit.org/changeset/151978 25497 https://bugs.webkit.org/show_bug.cgi?id=118651 25498 25499 Caused regressions at least 3 websites (Requested by rniwa on 25500 #webkit). 25501 25502 * runtime/JSCJSValue.h: 25503 * runtime/JSString.h: 25504 255052013-07-12 Chris Curtis <chris_curtis@apple.com> 25506 25507 Optimize addStrackTraceIfNecessary to be faster in the case when it's not necessary 25508 https://bugs.webkit.org/show_bug.cgi?id=118328 25509 25510 Reviewed by Geoffrey Garen. 25511 25512 Retrieving the stack is costly. We want to get it only once. By moving the check 25513 for the .stack property above the code to retrieve the stack, we ensure this. 25514 25515 * interpreter/Interpreter.cpp: 25516 (JSC::Interpreter::addStackTraceIfNecessary): 25517 255182013-07-12 Brent Fulgham <bfulgham@apple.com> 25519 25520 [Windows] Build correction after r152573/r152577. 25521 https://bugs.webkit.org/show_bug.cgi?id=118610 25522 25523 Reviewed by Oliver Hunt. 25524 25525 * jit/JITThunks.cpp: 25526 (JSC::JITThunks::hostFunctionStub): Hand-feed MSVC++ the fact that we want the second 25527 argument of the make_pair to be a function pointer. 25528 255292013-07-11 Oliver Hunt <oliver@apple.com> 25530 25531 Attempt to fix the windows build. 25532 25533 * jit/JITThunks.cpp: 25534 (JSC::JITThunks::hostFunctionStub): 25535 * jit/JITThunks.h: 25536 255372013-07-10 Oliver Hunt <oliver@apple.com> 25538 25539 NativeExecutable cache needs to use both call and construct functions for key 25540 https://bugs.webkit.org/show_bug.cgi?id=118545 25541 25542 Reviewed by Geoffrey Garen. 25543 25544 Make the native executable cache make use a key pair so we don't decide to 25545 treat all subsequent functions as not being constructors. 25546 25547 * jit/JITThunks.cpp: 25548 (JSC::JITThunks::hostFunctionStub): 25549 * jit/JITThunks.h: 25550 * runtime/JSBoundFunction.cpp: 25551 (JSC::JSBoundFunction::create): 25552 * runtime/JSCell.cpp: 25553 (JSC::JSCell::getCallData): 25554 (JSC::JSCell::getConstructData): 25555 255562013-07-09 Mark Lam <mark.lam@apple.com> 25557 25558 Gardening to unbreak builds on the Windows bot. 25559 25560 Not reviewed. 25561 25562 * parser/ParserTokens.h: 25563 255642013-07-09 Mark Lam <mark.lam@apple.com> 25565 25566 Fix 30% JSBench regression (caused by adding column numbers to stack traces). 25567 https://bugs.webkit.org/show_bug.cgi?id=118481. 25568 25569 Reviewed by Mark Hahnenberg and Geoffrey Garen. 25570 25571 Previously, we already capture ExpressionRangeInfo that provides a divot for 25572 each bytecode that can potentially throw an exception (and therefore generate 25573 a stack trace). On first attempt to compute column numbers, we then do a walk 25574 of the source string to record all line start positions in a table associated 25575 with the SourceProvider. The column number can then be computed as 25576 divot - lineStartFor(bytecodeOffset). 25577 25578 The computation of this lineStarts table is the source of the 30% JSBench 25579 performance regression. 25580 25581 The new code now records lineStarts as the lexer and parser scans the source 25582 code. These lineStarts are then used to compute the column number for the 25583 given divot, and stored in the ExpressionRangeInfo. Similarly, we also capture 25584 the line number at the divot point and store that in the ExpressionRangeInfo. 25585 Hence, to look up line and column numbers, we now lookup the ExpressionRangeInfo 25586 for the bytecodeOffset, and then compute the line and column from the values 25587 stored in the expression info. 25588 25589 The strategy: 25590 1. We want to minimize perturbations to the lexer and parser. Specifically, 25591 the changes added should not change how it scans code, and generate bytecode. 25592 2. We regard the divot as the source character position we are interested 25593 in. As such, we'll capture line and lineStart (for column) at the point 25594 when we capture the divot information. This ensures that the 3 values are 25595 consistent. 25596 25597 How the change is done: 25598 1. Change the lexer to track lineStarts. 25599 2. Change the parser to capture line and lineStarts at the point of capturing 25600 divots. 25601 3. Change the parser and associated code to plumb these values all the way to 25602 the point that the correspoinding ExpressionRangeInfo is emitted. 25603 4. Propagate and record SourceCode firstLine and firstLineColumnOffset to the 25604 the necessary places so that we can add them as needed when reifying 25605 UnlinkedCodeBlocks into CodeBlocks. 25606 5. Compress the line and column number values in the ExpressionRangeInfo. In 25607 practice, we seldom have both large line and column numbers. Hence, we can 25608 encode both in an uint32_t most of the time. For the times when we encounter 25609 both large line and column numbers, we have a fallback to store the "fat" 25610 position info. 25611 6. Emit an ExpressionRangeInfo for UnaryOp nodes to get more line and column 25612 number coverage. 25613 7. Change the interpreter to use the new way of computing line and column. 25614 8. Delete old line and column computation code that is now unused. 25615 25616 Misc details: 25617 - the old lexer was tracking both a startOffset and charPosition where 25618 charPosition equals startOffset - SourceCode.startOffset. We now use 25619 startOffset exclusively throughout the system for consistency. 25620 All offset values (including lineStart) are relative to the start of the 25621 SourceProvider string. These values will only be converted to be relative 25622 to the SourceCode.startOffset at the very last minute i.e. when the divot 25623 is stored into the ExpressionRangeInfo. 25624 25625 This change to use the same offset system everywhere reduces confusion 25626 from having to convert back and forth between the 2 systems. It also 25627 enables a lot of assertions to be used. 25628 25629 - Also fixed some bugs in the choice of divot positions to use. For example, 25630 both Eval and Function expressions previously used column numbers from 25631 the start of the expression but used the line number at the end of the 25632 expression. This is now fixed to use either the start or end positions 25633 as appropriate, but not a mix of line and columns from both. 25634 25635 - Why use ints instead of unsigneds for offsets and lineStarts inside the 25636 lexer and parser? 25637 Some tests (e.g. fast/js/call-base-resolution.html and 25638 fast/js/eval-cross-window.html) has shown that lineStart offsets can be 25639 prior to the SourceCode.startOffset. Keeping the lexer offsets as ints 25640 simplifies computations and makes it easier to maintain the assertions 25641 that (startOffset >= lineStartOffset). 25642 25643 However, column and line numbers are always unsigned when we publish 25644 them to the ExpressionRangeInfo. The ints are only used inside the 25645 lexer and parser ... well, and bytecode generator. 25646 25647 - For all cases, lineStart is always captured where the divot is captured. 25648 However, some sputnik conformance tests have shown that we cannot honor 25649 line breaks for assignment statements like the following: 25650 25651 eval("x\u000A*=\u000A-1;"); 25652 25653 In this case, the lineStart is expected to be captured at the start of 25654 the assignment expression instead of at the divot point in the middle. 25655 The assignment expression is the only special case for this. 25656 25657 This patch has been tested against the full layout tests both with release 25658 and debug builds with no regression. 25659 25660 * API/JSContextRef.cpp: 25661 (JSContextCreateBacktrace): 25662 - Updated to use the new StackFrame::computeLineAndColumn(). 25663 * bytecode/CodeBlock.cpp: 25664 (JSC::CodeBlock::CodeBlock): 25665 - Added m_firstLineColumnOffset initialization. 25666 - Plumbed the firstLineColumnOffset into the SourceCode. 25667 - Initialized column for op_debug using the new way. 25668 (JSC::CodeBlock::lineNumberForBytecodeOffset): 25669 - Changed to compute line number using the ExpressionRangeInfo. 25670 (JSC::CodeBlock::columnNumberForBytecodeOffset): Added 25671 - Changed to compute column number using the ExpressionRangeInfo. 25672 (JSC::CodeBlock::expressionRangeForBytecodeOffset): 25673 * bytecode/CodeBlock.h: 25674 (JSC::CodeBlock::firstLineColumnOffset): 25675 (JSC::GlobalCodeBlock::GlobalCodeBlock): 25676 - Plumbed firstLineColumnOffset through to the super class. 25677 (JSC::ProgramCodeBlock::ProgramCodeBlock): 25678 - Plumbed firstLineColumnOffset through to the super class. 25679 (JSC::EvalCodeBlock::EvalCodeBlock): 25680 - Plumbed firstLineColumnOffset through to the super class. 25681 But for EvalCodeBlocks, the firstLineColumnOffset is always 1 25682 because we're starting with a new source string with no start 25683 offset. 25684 (JSC::FunctionCodeBlock::FunctionCodeBlock): 25685 - Plumbed firstLineColumnOffset through to the super class. 25686 25687 * bytecode/ExpressionRangeInfo.h: 25688 - Added modes for encoding line and column into a single 30-bit 25689 unsigned. The encoding is in 1 of 3 modes: 25690 1. FatLineMode: 22-bit line, 8-bit column 25691 2. FatColumnMode: 8-bit line, 22-bit column 25692 3. FatLineAndColumnMode: 32-bit line, 32-bit column 25693 (JSC::ExpressionRangeInfo::encodeFatLineMode): Added. 25694 - Encodes line and column into the 30-bit position using FatLine mode. 25695 (JSC::ExpressionRangeInfo::encodeFatColumnMode): Added. 25696 - Encodes line and column into the 30-bit position using FatColumn mode. 25697 (JSC::ExpressionRangeInfo::decodeFatLineMode): Added. 25698 - Decodes the FatLine mode 30-bit position into line and column. 25699 (JSC::ExpressionRangeInfo::decodeFatColumnMode): Added. 25700 - Decodes the FatColumn mode 30-bit position into line and column. 25701 25702 * bytecode/UnlinkedCodeBlock.cpp: 25703 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): 25704 - Plumbed startColumn through. 25705 (JSC::UnlinkedFunctionExecutable::link): 25706 - Plumbed startColumn through. 25707 (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset): 25708 - Computes a line number using the new way. 25709 (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset): 25710 - Added decoding of line and column. 25711 - Added handling of the case when we do not find a fitting expression 25712 range info for a specified bytecodeOffset. This only happens if the 25713 bytecodeOffset is below the first expression range info. In that 25714 case, we'll use the first expression range info entry. 25715 (JSC::UnlinkedCodeBlock::addExpressionInfo): 25716 - Added encoding of line and column. 25717 25718 * bytecode/UnlinkedCodeBlock.h: 25719 - Added m_expressionInfoFatPositions in RareData. 25720 (JSC::UnlinkedFunctionExecutable::functionStartColumn): 25721 (JSC::UnlinkedCodeBlock::shrinkToFit): 25722 - Removed obsoleted m_lineInfo. 25723 * bytecompiler/BytecodeGenerator.cpp: 25724 (JSC::BytecodeGenerator::emitCall): Plumbed line and lineStart through. 25725 (JSC::BytecodeGenerator::emitCallEval): Plumbed line and lineStart through. 25726 (JSC::BytecodeGenerator::emitCallVarargs): Plumbed line and lineStart through. 25727 (JSC::BytecodeGenerator::emitConstruct): Plumbed line and lineStart through. 25728 (JSC::BytecodeGenerator::emitDebugHook): Plumbed lineStart through. 25729 * bytecompiler/BytecodeGenerator.h: 25730 (JSC::BytecodeGenerator::emitNode): 25731 (JSC::BytecodeGenerator::emitNodeInConditionContext): 25732 - Removed obsoleted m_lineInfo. 25733 (JSC::BytecodeGenerator::emitExpressionInfo): 25734 - Plumbed line and lineStart through. 25735 - Compute the line and column to be added to the expression range info. 25736 * bytecompiler/NodesCodegen.cpp: 25737 (JSC::ThrowableExpressionData::emitThrowReferenceError): 25738 (JSC::ResolveNode::emitBytecode): 25739 (JSC::ArrayNode::toArgumentList): 25740 (JSC::BracketAccessorNode::emitBytecode): 25741 (JSC::DotAccessorNode::emitBytecode): 25742 (JSC::NewExprNode::emitBytecode): 25743 (JSC::EvalFunctionCallNode::emitBytecode): 25744 (JSC::FunctionCallValueNode::emitBytecode): 25745 (JSC::FunctionCallResolveNode::emitBytecode): 25746 (JSC::FunctionCallBracketNode::emitBytecode): 25747 (JSC::FunctionCallDotNode::emitBytecode): 25748 (JSC::CallFunctionCallDotNode::emitBytecode): 25749 (JSC::ApplyFunctionCallDotNode::emitBytecode): 25750 (JSC::PostfixNode::emitResolve): 25751 (JSC::PostfixNode::emitBracket): 25752 (JSC::PostfixNode::emitDot): 25753 (JSC::DeleteResolveNode::emitBytecode): 25754 (JSC::DeleteBracketNode::emitBytecode): 25755 (JSC::DeleteDotNode::emitBytecode): 25756 (JSC::PrefixNode::emitResolve): 25757 (JSC::PrefixNode::emitBracket): 25758 (JSC::PrefixNode::emitDot): 25759 - Plumbed line and lineStart through the above as needed. 25760 25761 (JSC::UnaryOpNode::emitBytecode): 25762 - Added emission of an ExpressionRangeInfo for the UnaryOp node. 25763 25764 (JSC::BinaryOpNode::emitStrcat): 25765 (JSC::ThrowableBinaryOpNode::emitBytecode): 25766 (JSC::InstanceOfNode::emitBytecode): 25767 (JSC::emitReadModifyAssignment): 25768 (JSC::ReadModifyResolveNode::emitBytecode): 25769 (JSC::AssignResolveNode::emitBytecode): 25770 (JSC::AssignDotNode::emitBytecode): 25771 (JSC::ReadModifyDotNode::emitBytecode): 25772 (JSC::AssignBracketNode::emitBytecode): 25773 (JSC::ReadModifyBracketNode::emitBytecode): 25774 - Plumbed line and lineStart through the above as needed. 25775 25776 (JSC::ConstStatementNode::emitBytecode): 25777 (JSC::EmptyStatementNode::emitBytecode): 25778 (JSC::DebuggerStatementNode::emitBytecode): 25779 (JSC::ExprStatementNode::emitBytecode): 25780 (JSC::VarStatementNode::emitBytecode): 25781 (JSC::IfElseNode::emitBytecode): 25782 (JSC::DoWhileNode::emitBytecode): 25783 (JSC::WhileNode::emitBytecode): 25784 (JSC::ForNode::emitBytecode): 25785 (JSC::ForInNode::emitBytecode): 25786 (JSC::ContinueNode::emitBytecode): 25787 (JSC::BreakNode::emitBytecode): 25788 (JSC::ReturnNode::emitBytecode): 25789 (JSC::WithNode::emitBytecode): 25790 (JSC::SwitchNode::emitBytecode): 25791 (JSC::LabelNode::emitBytecode): 25792 (JSC::ThrowNode::emitBytecode): 25793 (JSC::TryNode::emitBytecode): 25794 (JSC::ProgramNode::emitBytecode): 25795 (JSC::EvalNode::emitBytecode): 25796 (JSC::FunctionBodyNode::emitBytecode): 25797 - Plumbed line and lineStart through the above as needed. 25798 25799 * interpreter/Interpreter.cpp: 25800 (JSC::appendSourceToError): 25801 - Added line and column arguments for expressionRangeForBytecodeOffset(). 25802 (JSC::StackFrame::computeLineAndColumn): 25803 - Replaces StackFrame::line() and StackFrame::column(). 25804 (JSC::StackFrame::expressionInfo): 25805 - Added line and column arguments. 25806 (JSC::StackFrame::toString): 25807 - Changed to use the new StackFrame::computeLineAndColumn(). 25808 (JSC::Interpreter::getStackTrace): 25809 - Added the needed firstLineColumnOffset arg for the StackFrame. 25810 25811 * interpreter/Interpreter.h: 25812 * parser/ASTBuilder.h: 25813 (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo): 25814 (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo): 25815 (JSC::ASTBuilder::createResolve): 25816 (JSC::ASTBuilder::createBracketAccess): 25817 (JSC::ASTBuilder::createDotAccess): 25818 (JSC::ASTBuilder::createRegExp): 25819 (JSC::ASTBuilder::createNewExpr): 25820 (JSC::ASTBuilder::createAssignResolve): 25821 (JSC::ASTBuilder::createFunctionExpr): 25822 (JSC::ASTBuilder::createFunctionBody): 25823 (JSC::ASTBuilder::createGetterOrSetterProperty): 25824 (JSC::ASTBuilder::createFuncDeclStatement): 25825 (JSC::ASTBuilder::createBlockStatement): 25826 (JSC::ASTBuilder::createExprStatement): 25827 (JSC::ASTBuilder::createIfStatement): 25828 (JSC::ASTBuilder::createForLoop): 25829 (JSC::ASTBuilder::createForInLoop): 25830 (JSC::ASTBuilder::createVarStatement): 25831 (JSC::ASTBuilder::createReturnStatement): 25832 (JSC::ASTBuilder::createBreakStatement): 25833 (JSC::ASTBuilder::createContinueStatement): 25834 (JSC::ASTBuilder::createTryStatement): 25835 (JSC::ASTBuilder::createSwitchStatement): 25836 (JSC::ASTBuilder::createWhileStatement): 25837 (JSC::ASTBuilder::createDoWhileStatement): 25838 (JSC::ASTBuilder::createLabelStatement): 25839 (JSC::ASTBuilder::createWithStatement): 25840 (JSC::ASTBuilder::createThrowStatement): 25841 (JSC::ASTBuilder::createDebugger): 25842 (JSC::ASTBuilder::createConstStatement): 25843 (JSC::ASTBuilder::appendBinaryExpressionInfo): 25844 (JSC::ASTBuilder::appendUnaryToken): 25845 (JSC::ASTBuilder::unaryTokenStackLastStart): 25846 (JSC::ASTBuilder::unaryTokenStackLastLineStartPosition): Added. 25847 (JSC::ASTBuilder::assignmentStackAppend): 25848 (JSC::ASTBuilder::createAssignment): 25849 (JSC::ASTBuilder::setExceptionLocation): 25850 (JSC::ASTBuilder::makeDeleteNode): 25851 (JSC::ASTBuilder::makeFunctionCallNode): 25852 (JSC::ASTBuilder::makeBinaryNode): 25853 (JSC::ASTBuilder::makeAssignNode): 25854 (JSC::ASTBuilder::makePrefixNode): 25855 (JSC::ASTBuilder::makePostfixNode):. 25856 - Plumbed line, lineStart, and startColumn through the above as needed. 25857 25858 * parser/Lexer.cpp: 25859 (JSC::::currentSourcePtr): 25860 (JSC::::setCode): 25861 - Added tracking for sourceoffset and lineStart. 25862 (JSC::::internalShift): 25863 (JSC::::parseIdentifier): 25864 - Added tracking for lineStart. 25865 (JSC::::parseIdentifierSlowCase): 25866 (JSC::::parseString): 25867 - Added tracking for lineStart. 25868 (JSC::::parseStringSlowCase): 25869 (JSC::::lex): 25870 - Added tracking for sourceoffset. 25871 (JSC::::sourceCode): 25872 * parser/Lexer.h: 25873 (JSC::Lexer::currentOffset): 25874 (JSC::Lexer::currentLineStartOffset): 25875 (JSC::Lexer::setOffset): 25876 - Added tracking for lineStart. 25877 (JSC::Lexer::offsetFromSourcePtr): Added. conversion function. 25878 (JSC::Lexer::sourcePtrFromOffset): Added. conversion function. 25879 (JSC::Lexer::setOffsetFromSourcePtr): 25880 (JSC::::lexExpectIdentifier): 25881 - Added tracking for sourceoffset and lineStart. 25882 25883 * parser/NodeConstructors.h: 25884 (JSC::Node::Node): 25885 (JSC::ResolveNode::ResolveNode): 25886 (JSC::EvalFunctionCallNode::EvalFunctionCallNode): 25887 (JSC::FunctionCallValueNode::FunctionCallValueNode): 25888 (JSC::FunctionCallResolveNode::FunctionCallResolveNode): 25889 (JSC::FunctionCallBracketNode::FunctionCallBracketNode): 25890 (JSC::FunctionCallDotNode::FunctionCallDotNode): 25891 (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode): 25892 (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode): 25893 (JSC::PostfixNode::PostfixNode): 25894 (JSC::DeleteResolveNode::DeleteResolveNode): 25895 (JSC::DeleteBracketNode::DeleteBracketNode): 25896 (JSC::DeleteDotNode::DeleteDotNode): 25897 (JSC::PrefixNode::PrefixNode): 25898 (JSC::ReadModifyResolveNode::ReadModifyResolveNode): 25899 (JSC::ReadModifyBracketNode::ReadModifyBracketNode): 25900 (JSC::AssignBracketNode::AssignBracketNode): 25901 (JSC::AssignDotNode::AssignDotNode): 25902 (JSC::ReadModifyDotNode::ReadModifyDotNode): 25903 (JSC::AssignErrorNode::AssignErrorNode): 25904 (JSC::WithNode::WithNode): 25905 (JSC::ForInNode::ForInNode): 25906 - Plumbed line and lineStart through the above as needed. 25907 * parser/Nodes.cpp: 25908 (JSC::StatementNode::setLoc): Plumbed lineStart. 25909 (JSC::ScopeNode::ScopeNode): Plumbed lineStart. 25910 (JSC::ProgramNode::ProgramNode): Plumbed startColumn. 25911 (JSC::ProgramNode::create): Plumbed startColumn. 25912 (JSC::EvalNode::create): 25913 (JSC::FunctionBodyNode::FunctionBodyNode): Plumbed startColumn. 25914 (JSC::FunctionBodyNode::create): Plumbed startColumn. 25915 * parser/Nodes.h: 25916 (JSC::Node::startOffset): 25917 (JSC::Node::lineStartOffset): Added. 25918 (JSC::StatementNode::firstLine): 25919 (JSC::StatementNode::lastLine): 25920 (JSC::ThrowableExpressionData::ThrowableExpressionData): 25921 (JSC::ThrowableExpressionData::setExceptionSourceCode): 25922 (JSC::ThrowableExpressionData::divotStartOffset): 25923 (JSC::ThrowableExpressionData::divotEndOffset): 25924 (JSC::ThrowableExpressionData::divotLine): 25925 (JSC::ThrowableExpressionData::divotLineStart): 25926 (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData): 25927 (JSC::ThrowableSubExpressionData::setSubexpressionInfo): 25928 (JSC::ThrowableSubExpressionData::subexpressionDivot): 25929 (JSC::ThrowableSubExpressionData::subexpressionStartOffset): 25930 (JSC::ThrowableSubExpressionData::subexpressionEndOffset): 25931 (JSC::ThrowableSubExpressionData::subexpressionLine): 25932 (JSC::ThrowableSubExpressionData::subexpressionLineStart): 25933 (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData): 25934 (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo): 25935 (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot): 25936 (JSC::ThrowablePrefixedSubExpressionData::subexpressionStartOffset): 25937 (JSC::ThrowablePrefixedSubExpressionData::subexpressionEndOffset): 25938 (JSC::ThrowablePrefixedSubExpressionData::subexpressionLine): 25939 (JSC::ThrowablePrefixedSubExpressionData::subexpressionLineStart): 25940 (JSC::ScopeNode::startStartOffset): 25941 (JSC::ScopeNode::startLineStartOffset): 25942 (JSC::ProgramNode::startColumn): 25943 (JSC::EvalNode::startColumn): 25944 (JSC::FunctionBodyNode::startColumn): 25945 - Plumbed line and lineStart through the above as needed. 25946 * parser/Parser.cpp: 25947 (JSC::::Parser): 25948 (JSC::::parseSourceElements): 25949 (JSC::::parseVarDeclarationList): 25950 (JSC::::parseConstDeclarationList): 25951 (JSC::::parseForStatement): 25952 (JSC::::parseBreakStatement): 25953 (JSC::::parseContinueStatement): 25954 (JSC::::parseReturnStatement): 25955 (JSC::::parseThrowStatement): 25956 (JSC::::parseWithStatement): 25957 - Plumbed line and lineStart through the above as needed. 25958 (JSC::::parseFunctionBody): 25959 - Plumbed startColumn. 25960 (JSC::::parseFunctionInfo): 25961 (JSC::::parseFunctionDeclaration): 25962 (JSC::LabelInfo::LabelInfo): 25963 (JSC::::parseExpressionOrLabelStatement): 25964 (JSC::::parseAssignmentExpression): 25965 (JSC::::parseBinaryExpression): 25966 (JSC::::parseProperty): 25967 (JSC::::parseObjectLiteral): 25968 (JSC::::parsePrimaryExpression): 25969 (JSC::::parseMemberExpression): 25970 (JSC::::parseUnaryExpression): 25971 - Plumbed line, lineStart, startColumn through the above as needed. 25972 * parser/Parser.h: 25973 (JSC::Parser::next): 25974 (JSC::Parser::nextExpectIdentifier): 25975 (JSC::Parser::tokenStart): 25976 (JSC::Parser::tokenColumn): 25977 (JSC::Parser::tokenEnd): 25978 (JSC::Parser::tokenLineStart): 25979 (JSC::Parser::lastTokenLine): 25980 (JSC::Parser::lastTokenLineStart): 25981 (JSC::::parse): 25982 * parser/ParserTokens.h: 25983 (JSC::JSTokenLocation::JSTokenLocation): 25984 - Plumbed lineStart. 25985 (JSC::JSTokenLocation::lineStartPosition): 25986 (JSC::JSTokenLocation::startPosition): 25987 (JSC::JSTokenLocation::endPosition): 25988 * parser/SourceCode.h: 25989 (JSC::SourceCode::SourceCode): 25990 (JSC::SourceCode::startColumn): 25991 (JSC::makeSource): 25992 (JSC::SourceCode::subExpression): 25993 * parser/SourceProvider.cpp: delete old code. 25994 * parser/SourceProvider.h: delete old code. 25995 * parser/SourceProviderCacheItem.h: 25996 (JSC::SourceProviderCacheItem::closeBraceToken): 25997 (JSC::SourceProviderCacheItem::SourceProviderCacheItem): 25998 - Plumbed lineStart. 25999 * parser/SyntaxChecker.h: 26000 (JSC::SyntaxChecker::makeFunctionCallNode): 26001 (JSC::SyntaxChecker::makeAssignNode): 26002 (JSC::SyntaxChecker::makePrefixNode): 26003 (JSC::SyntaxChecker::makePostfixNode): 26004 (JSC::SyntaxChecker::makeDeleteNode): 26005 (JSC::SyntaxChecker::createResolve): 26006 (JSC::SyntaxChecker::createBracketAccess): 26007 (JSC::SyntaxChecker::createDotAccess): 26008 (JSC::SyntaxChecker::createRegExp): 26009 (JSC::SyntaxChecker::createNewExpr): 26010 (JSC::SyntaxChecker::createAssignResolve): 26011 (JSC::SyntaxChecker::createFunctionExpr): 26012 (JSC::SyntaxChecker::createFunctionBody): 26013 (JSC::SyntaxChecker::createFuncDeclStatement): 26014 (JSC::SyntaxChecker::createForInLoop): 26015 (JSC::SyntaxChecker::createReturnStatement): 26016 (JSC::SyntaxChecker::createBreakStatement): 26017 (JSC::SyntaxChecker::createContinueStatement): 26018 (JSC::SyntaxChecker::createWithStatement): 26019 (JSC::SyntaxChecker::createLabelStatement): 26020 (JSC::SyntaxChecker::createThrowStatement): 26021 (JSC::SyntaxChecker::createGetterOrSetterProperty): 26022 (JSC::SyntaxChecker::appendBinaryExpressionInfo): 26023 (JSC::SyntaxChecker::operatorStackPop): 26024 - Made SyntaxChecker prototype changes to match ASTBuilder due to new 26025 args added for plumbing line, lineStart, and startColumn. 26026 * runtime/CodeCache.cpp: 26027 (JSC::CodeCache::generateBytecode): 26028 (JSC::CodeCache::getCodeBlock): 26029 - Plumbed startColumn. 26030 * runtime/Executable.cpp: 26031 (JSC::FunctionExecutable::FunctionExecutable): 26032 (JSC::ProgramExecutable::compileInternal): 26033 (JSC::FunctionExecutable::produceCodeBlockFor): 26034 (JSC::FunctionExecutable::fromGlobalCode): 26035 - Plumbed startColumn. 26036 * runtime/Executable.h: 26037 (JSC::ScriptExecutable::startColumn): 26038 (JSC::ScriptExecutable::recordParse): 26039 (JSC::FunctionExecutable::create): 26040 - Plumbed startColumn. 26041 260422013-07-08 Carlos Garcia Campos <cgarcia@igalia.com> 26043 26044 Unreviewed. Fix make distcheck. 26045 26046 * GNUmakefile.list.am: Add missing header files. 26047 260482013-07-04 Patrick Gansterer <paroga@webkit.org> 26049 26050 [CMake] Add generation of JITStubs for x86_64 MSVC 26051 https://bugs.webkit.org/show_bug.cgi?id=116666 26052 26053 Reviewed by Laszlo Gombos. 26054 26055 Also move the generation for ARM CPU into the CMakeLists.txt, 26056 since it's compiler specific and not dedicated to Windows CE. 26057 26058 * CMakeLists.txt: 26059 * PlatformWinCE.cmake: Removed. 26060 260612013-07-04 Patrick Gansterer <paroga@webkit.org> 26062 26063 [CMake] Add STATICALLY_LINKED_WITH_WTF to JavaScriptCore project 26064 https://bugs.webkit.org/show_bug.cgi?id=118120 26065 26066 Reviewed by Gyuyoung Kim. 26067 26068 Since WTF is a static library linked to JavaScriptCore on all CMake ports 26069 we need to define STATICALLY_LINKED_WITH_WTF for all of them. 26070 This makes only a difference for Windows, since WTF_EXPORT and WTF_IMPORT 26071 are the same on all other platforms. 26072 26073 * CMakeLists.txt: 26074 260752013-07-02 Mark Hahnenberg <mhahnenberg@apple.com> 26076 26077 Replace RELEASE_ASSERT with ASSERT in CodeBlock:: bytecodeOffsetForCallAtIndex 26078 https://bugs.webkit.org/show_bug.cgi?id=118316 26079 26080 Reviewed by Geoffrey Garen. 26081 26082 This is causing some crashiness in release builds. We should replace it with an ASSERT 26083 until we track down all the places that need fixing in bug 118315. 26084 26085 * bytecode/CodeBlock.h: 26086 (JSC::CodeBlock::bytecodeOffsetForCallAtIndex): 26087 260882013-07-02 Brent Fulgham <bfulgham@apple.com> 26089 26090 [Windows] Unreviewed build correction for 'DebugSuffix' target. 26091 26092 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: Must pass the 26093 DEBUGSUFFIX definition to the nmake instance to be available during script processing. 26094 260952013-07-01 Sergio Correia <sergio.correia@openbossa.org> 26096 26097 [JSC]: Fix maybe-uninitialized gcc 4.8 warning in DFGSpeculativeJIT.cpp 26098 https://bugs.webkit.org/show_bug.cgi?id=118278 26099 26100 Reviewed by Filip Pizlo. 26101 26102 * dfg/DFGSpeculativeJIT.cpp: 26103 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): 26104 Initialize valueGPR with InvalidGPRReg. 26105 261062013-07-01 Csaba Osztrogonác <ossy@webkit.org> 26107 26108 Fix cast-align warnings in JavaScriptCore/heap/HandleBlockInlines.h 26109 https://bugs.webkit.org/show_bug.cgi?id=118242 26110 26111 Reviewed by Mark Hahnenberg. 26112 26113 * heap/HandleBlockInlines.h: 26114 (JSC::HandleBlock::nodes): 26115 261162013-06-29 Andreas Kling <akling@apple.com> 26117 26118 Follow-up to r152206: also update HashFlags8BitBuffer in the LLInt. 26119 26120 * llint/LowLevelInterpreter.asm: 26121 261222013-06-28 Andreas Kling <akling@apple.com> 26123 26124 Un-crashify JSC tests on debug bots after Anders had his way with StringImpl. 26125 26126 * llint/LLIntData.cpp: 26127 (JSC::LLInt::Data::performAssertions): 26128 261292013-06-28 Anders Carlsson <andersca@apple.com> 26130 26131 Remove String::deprecatedCharactersWithNullTermination() and related code 26132 https://bugs.webkit.org/show_bug.cgi?id=118211 26133 26134 Reviewed by Benjamin Poulain. 26135 26136 * API/JSStringRef.cpp: 26137 (JSStringCreateWithCharactersNoCopy): 26138 Update call to StringImpl::createWithoutCopying. 26139 261402013-06-27 Timothy Hatcher <timothy@apple.com> 26141 26142 Notify the debugger about functions created from source code via new Function() or WebCore::JSLazyEventListener. 26143 26144 https://bugs.webkit.org/show_bug.cgi?id=118063 26145 26146 Reviewed by Geoffrey Garen. 26147 26148 * bytecode/UnlinkedCodeBlock.cpp: 26149 (JSC::UnlinkedFunctionExecutable::fromGlobalCode): Call Debugger::sourceParsed. 26150 261512013-06-26 Anders Carlsson <andersca@apple.com> 26152 26153 Add JSStringCreateWithCharactersNoCopy SPI 26154 https://bugs.webkit.org/show_bug.cgi?id=118074 26155 <rdar://problem/14279905> 26156 26157 Reviewed by Geoffrey Garen. 26158 26159 * API/JSStringRef.cpp: 26160 (JSStringCreateWithCharactersNoCopy): 26161 Create a new OpaqueJSString, using the newly added StringImpl::createWithoutCopying function. 26162 26163 * API/JSStringRefPrivate.h: Added. 26164 Add a home for the JSStringCreateWithCharactersNoCopy function. 26165 26166 * API/OpaqueJSString.h: 26167 (OpaqueJSString::OpaqueJSString): 26168 Just call isolatedCopy on the passed in string. 26169 26170 * API/tests/testapi.c: 26171 Add an API test for JSStringCreateWithCharactersNoCopy. 26172 26173 * JavaScriptCore.xcodeproj/project.pbxproj: 26174 Add new files. 26175 261762013-06-25 Ryosuke Niwa <rniwa@webkit.org> 26177 26178 JSString should remember AtomicString 26179 https://bugs.webkit.org/show_bug.cgi?id=117386 26180 26181 Reviewed by Geoffrey Garen. 26182 26183 Added JSValue::toAtomicString and JSString::atomicString. These two functions allow WebCore to update 26184 JSString's m_value to set isAtomic flag and avoid the AtomicStringTable lookups in subsequent attempts 26185 to obtain the AtomicString of the same value. 26186 26187 * runtime/JSCJSValue.h: 26188 * runtime/JSString.h: 26189 (JSC::JSString::atomicString): 26190 (JSC::JSValue::toAtomicString): 26191 261922013-06-24 Roger Fong <roger_fong@apple.com> 26193 26194 Unreviewed. Makefile build fix for AppleWindows. 26195 26196 * JavaScriptCore.vcxproj/JavaScriptCore.make: 26197 261982013-06-17 Darin Adler <darin@apple.com> 26199 26200 Sort all the Xcode project files 26201 https://bugs.webkit.org/show_bug.cgi?id=117696 26202 26203 Reviewed by Anders Carlsson. 26204 26205 * JavaScriptCore.xcodeproj/project.pbxproj: Ran the sort-Xcode-project-file script. 26206 262072013-06-21 Mark Lam <mark.lam@apple.com> 26208 26209 Introducing the VMStackBounds class. 26210 https://bugs.webkit.org/show_bug.cgi?id=117862. 26211 26212 Reviewed by Geoffrey Garen. 26213 26214 - Removed Interpreter::StackPolicy. 26215 - The new VMStackBounds will take over choosing the appropriate stack 26216 size requirements, and invoking the underlying WTF::StackBounds to 26217 to the real bounds check. 26218 - VMStackBounds will now be used universally throughout JSC instead of 26219 WTF::StackBounds. 26220 26221 * JavaScriptCore.xcodeproj/project.pbxproj: 26222 * bytecompiler/BytecodeGenerator.cpp: 26223 (JSC::BytecodeGenerator::BytecodeGenerator): 26224 * bytecompiler/BytecodeGenerator.h: 26225 * interpreter/Interpreter.cpp: 26226 (JSC::Interpreter::execute): 26227 (JSC::Interpreter::executeCall): 26228 (JSC::Interpreter::executeConstruct): 26229 (JSC::Interpreter::prepareForRepeatCall): 26230 * interpreter/Interpreter.h: 26231 (JSC::Interpreter::isInErrorHandlingMode): 26232 * parser/Parser.cpp: 26233 (JSC::::Parser): 26234 * parser/Parser.h: 26235 * runtime/StringRecursionChecker.h: 26236 (JSC::StringRecursionChecker::performCheck): 26237 * runtime/VMStackBounds.h: Added. 26238 (JSC::VMStackBounds::VMStackBounds): 26239 (JSC::VMStackBounds::isSafeToRecurse): 26240 (JSC::VMStackBounds::requiredCapacity): 26241 262422013-06-20 Mark Lam <mark.lam@apple.com> 26243 26244 Change stack capacity requirement to be more reasonable. 26245 https://bugs.webkit.org/show_bug.cgi?id=117801. 26246 26247 Reviewed by Geoffrey Garen. 26248 26249 Previously, the requiredStack in StackPolicy::StackPolicy() was set to 26250 to a high value like 256K to reduce the chances of encountering an 26251 undetected stack overflow in a scenario where we have a combination of 26252 deeply nested divs and a large amount recursive re-entries into the JSGlobalData. 26253 26254 However, this high value of requiredStack still does not completely 26255 ensure that we will never encounter an undetected stack overflow. It 26256 only lessens the probability of encountering it. 26257 26258 Secondly, on some platforms, the total stack size can be less than 256K 26259 to start with. Hence, this high value requiredStack renders the JSGlobalData 26260 unuseable on those platforms. 26261 26262 This patch will fix the requiredStack to be more reasonable based on 26263 real world stack usage by the JSGlobalData. We won't (and cannot) try to prevent 26264 undetected stack overflows outside of JSC as well. External code that 26265 do deep recursion (e.g. Documnet::updateLayout()) should do their own 26266 stack checks. 26267 26268 From a previous experiment, we measured the following: 26269 26270 On a debug build on OSX: 26271 1. Stack usage different between recursive calls to interpreter entry: 26272 7744 bytes 26273 On a release build on OSX: 26274 2. Stack usage difference between recursive calls to interpreter entry: 26275 6352 bytes 26276 26277 Using these as a guide, we'll pick the following values for the 26278 StackPolicy: 26279 requiredStack: 32K 26280 errorModeRequiredStack: 16K 26281 26282 The requiredStack is chosen to be 4x the measured usage above. The 26283 additional 3x is a conservative estimate to account for stack space 26284 that may be needed by other native functions called while in the 26285 interpreter. 26286 26287 The errorModeRequiredStack has to be less than the requiredStack or we 26288 won't be able to reenter the interpreter to do error handling work when 26289 an imminent stack overflow is detected. It is assumed that the error 26290 handling code will only do minimal work to allocate an exception and its 26291 stack trace, and not run any arbitrary JS code. As such, it is safe to 26292 allow re-entry into the interpreter with only 2x the measured usage in 26293 this case. 26294 26295 * interpreter/Interpreter.cpp: 26296 (JSC::Interpreter::StackPolicy::StackPolicy): 26297 262982013-06-20 Mikhail Pozdnyakov <mikhail.pozdnyakov@intel.com> 26299 26300 HashSet: reverse the order of the template arguments at alternate 'find', 'contains' and 'add' methods 26301 https://bugs.webkit.org/show_bug.cgi?id=117830 26302 26303 Reviewed by Anders Carlsson. 26304 26305 The order of the template arguments at HashSet alternate 'find', 'contains' and 26306 'add' methods is reversed so that callers can just pass the translator 26307 and let the compiler deduce input argument type. 26308 26309 * runtime/Identifier.h: 26310 (JSC::IdentifierTable::add): 26311 263122013-06-20 Roger Fong <roger_fong@apple.com> 26313 26314 Make Windows makefile copy build output to a different folder. 26315 <rdar://problem/14219184>. 26316 26317 * JavaScriptCore.vcxproj/JavaScriptCore.make: 26318 263192013-06-20 Mark Hahnenberg <mhahnenberg@apple.com> 26320 26321 Improper deallocation of JSManagedValue causes crashes during autorelease pool draining 26322 https://bugs.webkit.org/show_bug.cgi?id=117840 26323 26324 Reviewed by Geoffrey Garen. 26325 26326 Improperly managing a JSManagedValue can cause a crash when the JSC::Weak inside the 26327 JSManagedValue is destroyed upon deallocation. We would rather have improperly maintained 26328 JSManagedValues cause memory leaks than take down the whole app. 26329 26330 The fix is to use the callback to the JSC::Weak on the destruction of the JSGlobalData so that we 26331 can safely null it out. This will prevent ~Weak from crashing. 26332 26333 * API/JSManagedValue.mm: 26334 (-[JSManagedValue JSC::JSC::]): 26335 (JSManagedValueHandleOwner::finalize): 26336 * API/tests/testapi.mm: Added a test that crashed prior to this fix due to a leaked 26337 managed reference. Also fixed a small style nit I noticed in another test. 26338 263392013-06-18 Oliver Hunt <oliver@apple.com> 26340 26341 Going to google.com/trends causes a crash 26342 https://bugs.webkit.org/show_bug.cgi?id=117602 26343 26344 Reviewed by Geoffrey Garen. 26345 26346 When handling op_throw, etc we need to flush the variables and arguments 26347 for the entire inline stack, not just the top frame. 26348 26349 * dfg/DFGByteCodeParser.cpp: 26350 (JSC::DFG::ByteCodeParser::flushAllArgumentsAndCapturedVariablesInInlineStack): 26351 (JSC::DFG::ByteCodeParser::parseBlock): 26352 263532013-06-18 Roger Fong <roger_fong@apple.com> 26354 26355 Replace tools32 folder with tools and update WebKit Windows solution accordingly. 26356 <rdar://problem/14118143>. 26357 26358 Rubberstamped by Brent Fulgham. 26359 26360 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 26361 * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props: 26362 * JavaScriptCore.vcxproj/JavaScriptCoreDebugCFLite.props: 26363 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: 26364 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props: 26365 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedProduction.props: 26366 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props: 26367 * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: 26368 * JavaScriptCore.vcxproj/JavaScriptCoreProduction.props: 26369 * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props: 26370 * JavaScriptCore.vcxproj/JavaScriptCoreReleaseCFLite.props: 26371 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: 26372 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: 26373 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: 26374 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: 26375 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorProduction.props: 26376 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: 26377 * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: 26378 * JavaScriptCore.vcxproj/jsc/jscDebug.props: 26379 * JavaScriptCore.vcxproj/jsc/jscProduction.props: 26380 * JavaScriptCore.vcxproj/jsc/jscRelease.props: 26381 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: 26382 * JavaScriptCore.vcxproj/testRegExp/testRegExpDebug.props: 26383 * JavaScriptCore.vcxproj/testRegExp/testRegExpProduction.props: 26384 * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props: 26385 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: 26386 * JavaScriptCore.vcxproj/testapi/testapiDebug.props: 26387 * JavaScriptCore.vcxproj/testapi/testapiDebugCFLite.props: 26388 * JavaScriptCore.vcxproj/testapi/testapiProduction.props: 26389 * JavaScriptCore.vcxproj/testapi/testapiRelease.props: 26390 * JavaScriptCore.vcxproj/testapi/testapiReleaseCFLite.props: 26391 263922013-06-17 Roger Fong <roger_fong@apple.com> 26393 26394 Modify Windows makefiles to copy some bin output into Program Files. 26395 https://bugs.webkit.org/show_bug.cgi?id=117714. 26396 <rdar://problem/14179054> 26397 26398 Reviewed by Brent Fulgham. 26399 26400 * JavaScriptCore.vcxproj/JavaScriptCore.make: 26401 264022013-06-14 Ryosuke Niwa <rniwa@webkit.org> 26403 26404 Function names on Object.prototype should be common identifiers 26405 https://bugs.webkit.org/show_bug.cgi?id=117614 26406 26407 Reviewed by Darin Adler. 26408 26409 Patch written by Sam Weinig. Make Object's prototype function names common identififers since they're used frequently. 26410 26411 * runtime/CommonIdentifiers.h: 26412 * runtime/FunctionConstructor.cpp: 26413 (JSC::constructFunction): 26414 * runtime/JSGlobalObject.cpp: 26415 (JSC::JSGlobalObject::reset): 26416 * runtime/JSObject.h: 26417 * runtime/ObjectPrototype.cpp: 26418 (JSC::ObjectPrototype::finishCreation): 26419 * runtime/StringPrototype.cpp: 26420 (JSC::StringPrototype::finishCreation): 26421 264222013-06-13 Ryosuke Niwa <rniwa@webkit.org> 26423 26424 Remove LiteralIdentifierTable 26425 https://bugs.webkit.org/show_bug.cgi?id=117613 26426 26427 Reviewed by Geoffrey Garen. 26428 26429 Removed LiteralIdentifierTable since it doesn't seem to have any perf. impact now. 26430 26431 * runtime/Identifier.cpp: 26432 (JSC::Identifier::add): 26433 264342013-06-12 Conrad Shultz <conrad_shultz@apple.com> 26435 26436 JSExport header documentation substitutes "semicolon" for "colon" 26437 https://bugs.webkit.org/show_bug.cgi?id=117552 26438 26439 Reviewed by Mark Hahnenberg. 26440 26441 * API/JSExport.h: 26442 Fix a couple typos. 26443 264442013-06-10 Raphael Kubo da Costa <raphael.kubo.da.costa@intel.com> 26445 26446 [JSC] Remove a vestige of wxWidgets support. 26447 https://bugs.webkit.org/show_bug.cgi?id=117419 26448 26449 Reviewed by Benjamin Poulain. 26450 26451 * runtime/JSExportMacros.h: Remove a check for BUILDING_WX__ that 26452 seems to have gone unnoticed when the wxWidgets port was removed. 26453 264542013-06-06 Roger Fong <roger_fong@apple.com> 26455 26456 Stop copying AAS binaries into build folder. 26457 https://bugs.webkit.org/show_bug.cgi?id=117319. 26458 26459 Rubberstamped by Darin Adler. 26460 26461 * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: 26462 * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd: 26463 * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd: 26464 * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd: 26465 * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd: 26466 * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd: 26467 264682013-06-05 Filip Pizlo <fpizlo@apple.com> 26469 26470 DFG CFA shouldn't filter ArrayModes with ALL_NON_ARRAY_ARRAY_MODES if the speculated type is not SpecArray 26471 https://bugs.webkit.org/show_bug.cgi?id=117279 26472 <rdar://problem/14078025> 26473 26474 Reviewed by Mark Hahnenberg. 26475 26476 * dfg/DFGAbstractValue.h: 26477 (JSC::DFG::AbstractValue::filterArrayModesByType): 26478 264792013-06-05 Michael Saboff <msaboff@apple.com> 26480 26481 JSC: Crash beneath cti_op_div @ http://gmailblog.blogspot.com 26482 https://bugs.webkit.org/show_bug.cgi?id=117280 26483 26484 Reviewed by Filip Pizlo. 26485 26486 Updated the merging of VariableAccessData nodes in ArgumentPosition lists 26487 to find the unified VariableAccessData node that is the root of the 26488 current node instead of using the current node directly when merging 26489 attributes. 26490 Added new dump code to dump the ArgumentPosition list. 26491 26492 * dfg/DFGArgumentPosition.h: 26493 (JSC::DFG::rgumentPosition::mergeArgumentPredictionAwareness): 26494 (JSC::DFG::ArgumentPosition::mergeArgumentUnboxingAwareness): 26495 (JSC::DFG::ArgumentPosition::dump): 26496 * dfg/DFGGraph.cpp: 26497 (JSC::DFG::Graph::dump): 26498 264992013-06-05 Bear Travis <betravis@adobe.com> 26500 26501 [CSS Exclusions][CSS Shapes] Split CSS Exclusions & Shapes compile & runtime flags 26502 https://bugs.webkit.org/show_bug.cgi?id=117172 26503 26504 Reviewed by Alexandru Chiculita. 26505 26506 Adding the CSS_SHAPES compile flag. 26507 26508 * Configurations/FeatureDefines.xcconfig: 26509 265102013-06-05 Balazs Kilvady <kilvadyb@homejinni.com> 26511 26512 JSC Assertion tests failures on MIPS. 26513 https://bugs.webkit.org/show_bug.cgi?id=116552 26514 26515 Reviewed by Geoffrey Garen. 26516 26517 Fix condition handlig in branchAdd32 implemetations. 26518 26519 * assembler/MacroAssemblerMIPS.h: 26520 (JSC::MacroAssemblerMIPS::branchAdd32): 26521 265222013-06-04 Julien Brianceau <jbrianceau@nds.com> 26523 26524 [sh4] Add floating point absolute function support in baseline JIT. 26525 https://bugs.webkit.org/show_bug.cgi?id=117147 26526 26527 Reviewed by Geoffrey Garen. 26528 26529 * assembler/MacroAssemblerSH4.h: 26530 (JSC::MacroAssemblerSH4::supportsFloatingPointAbs): 26531 (JSC::MacroAssemblerSH4::absDouble): 26532 * assembler/SH4Assembler.h: 26533 (JSC::SH4Assembler::dabs): 26534 (JSC::SH4Assembler::printInstr): 26535 265362013-06-04 Zan Dobersek <zdobersek@igalia.com> 26537 26538 [JSC] Test262 15.5.4.9_3 test is failing 26539 https://bugs.webkit.org/show_bug.cgi?id=116789 26540 26541 Reviewed by Geoffrey Garen. 26542 26543 Bring the String.prototype.localeCompare behavior in line wit ES5 15.9.4.9. 26544 If method is not given enough arguments, the minimal amount of arguments must be assumed, with their value being undefined. 26545 The first argument to localeCompare, in its string form, is used as the 'that' string that's used in the comparison. 26546 Therefor, when calling str.localeCompare() or str.localeCompare(undefined), the first argument is `undefined` and the 26547 string "undefined" is used as the string to which value of str is compared. 26548 26549 * runtime/StringPrototype.cpp: 26550 (JSC::stringProtoFuncLocaleCompare): Remove the early return in case of no given arguments to achieve the desired behavior. 26551 265522013-06-03 Hojong Han <hojong.han@samsung.com> 26553 26554 [EFL] Implement GCActivityCallback 26555 https://bugs.webkit.org/show_bug.cgi?id=95923 26556 26557 Reviewed by Geoffrey Garen. 26558 26559 Implements the activity triggered garbage collector. 26560 Additional GCs can be triggered by platfrom timer. 26561 It has sort of compaction effect not to make JSC heap grow fast 26562 so that memory usage becomes lower than usual. 26563 26564 * PlatformEfl.cmake: Added. 26565 * heap/HeapTimer.cpp: 26566 (JSC): 26567 (JSC::HeapTimer::HeapTimer): 26568 (JSC::HeapTimer::~HeapTimer): 26569 (JSC::HeapTimer::add): 26570 (JSC::HeapTimer::stop): 26571 (JSC::HeapTimer::timerEvent): 26572 * heap/HeapTimer.h: 26573 (HeapTimer): 26574 * jsc.cpp: 26575 (main): 26576 * runtime/GCActivityCallback.cpp: 26577 (JSC): 26578 (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback): 26579 (JSC::DefaultGCActivityCallback::scheduleTimer): 26580 (JSC::DefaultGCActivityCallback::cancelTimer): 26581 (JSC::DefaultGCActivityCallback::didAllocate): 26582 * runtime/GCActivityCallback.h: 26583 (GCActivityCallback): 26584 (JSC::GCActivityCallback::GCActivityCallback): 26585 (DefaultGCActivityCallback): 26586 265872013-06-03 Roger Fong <roger_fong@apple.com> 26588 26589 Nuke VS2005 files from the tree. 26590 <rdar://problem/14042021>. 26591 26592 Rubberstamped by Brent Fulgham. 26593 26594 * JavaScriptCore.vcproj: Removed. 26595 * JavaScriptCore.vcproj/JavaScriptCore: Removed. 26596 * JavaScriptCore.vcproj/JavaScriptCore.make: Removed. 26597 * JavaScriptCore.vcproj/JavaScriptCore.resources: Removed. 26598 * JavaScriptCore.vcproj/JavaScriptCore.resources/Info.plist: Removed. 26599 * JavaScriptCore.vcproj/JavaScriptCore.sln: Removed. 26600 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: Removed. 26601 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCF.vsprops: Removed. 26602 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCFLite.vsprops: Removed. 26603 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops: Removed. 26604 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebug.vsprops: Removed. 26605 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebugAll.vsprops: Removed. 26606 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebugCairoCFLite.vsprops: Removed. 26607 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Removed. 26608 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.make: Removed. 26609 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.vcproj: Removed. 26610 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedCommon.vsprops: Removed. 26611 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebug.vsprops: Removed. 26612 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugAll.vsprops: Removed. 26613 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugCairoCFLite.vsprops: Removed. 26614 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedProduction.vsprops: Removed. 26615 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedRelease.vsprops: Removed. 26616 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedReleaseCairoCFLite.vsprops: Removed. 26617 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedReleasePGO.vsprops: Removed. 26618 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCorePGOOptimize.vsprops: Removed. 26619 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCorePostBuild.cmd: Removed. 26620 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCorePreBuild.cmd: Removed. 26621 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCorePreLink.cmd: Removed. 26622 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreProduction.vsprops: Removed. 26623 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreRelease.vsprops: Removed. 26624 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleaseCairoCFLite.vsprops: Removed. 26625 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGO.vsprops: Removed. 26626 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGOOptimize.vsprops: Removed. 26627 * JavaScriptCore.vcproj/JavaScriptCore/build-generated-files.sh: Removed. 26628 * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd: Removed. 26629 * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Removed. 26630 * JavaScriptCore.vcproj/LLIntAssembly: Removed. 26631 * JavaScriptCore.vcproj/LLIntAssembly/LLIntAssembly.make: Removed. 26632 * JavaScriptCore.vcproj/LLIntAssembly/LLIntAssembly.vcproj: Removed. 26633 * JavaScriptCore.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Removed. 26634 * JavaScriptCore.vcproj/LLIntDesiredOffsets: Removed. 26635 * JavaScriptCore.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Removed. 26636 * JavaScriptCore.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcproj: Removed. 26637 * JavaScriptCore.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed. 26638 * JavaScriptCore.vcproj/LLIntOffsetsExtractor: Removed. 26639 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcproj: Removed. 26640 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.vsprops: Removed. 26641 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.vsprops: Removed. 26642 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebugAll.vsprops: Removed. 26643 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebugCairoCFLite.vsprops: Removed. 26644 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorProduction.vsprops: Removed. 26645 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.vsprops: Removed. 26646 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorReleaseCairoCFLite.vsprops: Removed. 26647 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorReleasePGO.vsprops: Removed. 26648 * JavaScriptCore.vcproj/jsc: Removed. 26649 * JavaScriptCore.vcproj/jsc/jsc.vcproj: Removed. 26650 * JavaScriptCore.vcproj/jsc/jscCommon.vsprops: Removed. 26651 * JavaScriptCore.vcproj/jsc/jscDebug.vsprops: Removed. 26652 * JavaScriptCore.vcproj/jsc/jscDebugAll.vsprops: Removed. 26653 * JavaScriptCore.vcproj/jsc/jscDebugCairoCFLite.vsprops: Removed. 26654 * JavaScriptCore.vcproj/jsc/jscPostBuild.cmd: Removed. 26655 * JavaScriptCore.vcproj/jsc/jscPreBuild.cmd: Removed. 26656 * JavaScriptCore.vcproj/jsc/jscPreLink.cmd: Removed. 26657 * JavaScriptCore.vcproj/jsc/jscProduction.vsprops: Removed. 26658 * JavaScriptCore.vcproj/jsc/jscRelease.vsprops: Removed. 26659 * JavaScriptCore.vcproj/jsc/jscReleaseCairoCFLite.vsprops: Removed. 26660 * JavaScriptCore.vcproj/jsc/jscReleasePGO.vsprops: Removed. 26661 * JavaScriptCore.vcproj/testRegExp: Removed. 26662 * JavaScriptCore.vcproj/testRegExp/testRegExp.vcproj: Removed. 26663 * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: Removed. 26664 * JavaScriptCore.vcproj/testRegExp/testRegExpDebug.vsprops: Removed. 26665 * JavaScriptCore.vcproj/testRegExp/testRegExpDebugAll.vsprops: Removed. 26666 * JavaScriptCore.vcproj/testRegExp/testRegExpDebugCairoCFLite.vsprops: Removed. 26667 * JavaScriptCore.vcproj/testRegExp/testRegExpPostBuild.cmd: Removed. 26668 * JavaScriptCore.vcproj/testRegExp/testRegExpPreBuild.cmd: Removed. 26669 * JavaScriptCore.vcproj/testRegExp/testRegExpPreLink.cmd: Removed. 26670 * JavaScriptCore.vcproj/testRegExp/testRegExpProduction.vsprops: Removed. 26671 * JavaScriptCore.vcproj/testRegExp/testRegExpRelease.vsprops: Removed. 26672 * JavaScriptCore.vcproj/testRegExp/testRegExpReleaseCairoCFLite.vsprops: Removed. 26673 * JavaScriptCore.vcproj/testRegExp/testRegExpReleasePGO.vsprops: Removed. 26674 * JavaScriptCore.vcproj/testapi: Removed. 26675 * JavaScriptCore.vcproj/testapi/testapi.vcproj: Removed. 26676 * JavaScriptCore.vcproj/testapi/testapiCommon.vsprops: Removed. 26677 * JavaScriptCore.vcproj/testapi/testapiDebug.vsprops: Removed. 26678 * JavaScriptCore.vcproj/testapi/testapiDebugAll.vsprops: Removed. 26679 * JavaScriptCore.vcproj/testapi/testapiDebugCairoCFLite.vsprops: Removed. 26680 * JavaScriptCore.vcproj/testapi/testapiPostBuild.cmd: Removed. 26681 * JavaScriptCore.vcproj/testapi/testapiPreBuild.cmd: Removed. 26682 * JavaScriptCore.vcproj/testapi/testapiPreLink.cmd: Removed. 26683 * JavaScriptCore.vcproj/testapi/testapiProduction.vsprops: Removed. 26684 * JavaScriptCore.vcproj/testapi/testapiRelease.vsprops: Removed. 26685 * JavaScriptCore.vcproj/testapi/testapiReleaseCairoCFLite.vsprops: Removed. 26686 266872013-05-31 Filip Pizlo <fpizlo@apple.com> 26688 26689 Incorrect assertion in DFG::Graph::uncheckedActivationRegisterFor() 26690 <rdar://problem/13989324> 26691 26692 Rubber stamped by Mark Hahnenberg. 26693 26694 This has a bogus assertion that checks that the passed CodeOrigin doesn't have 26695 an inline call frame. This was well intentioned in the sense that it is true 26696 that inlined call frames wouldn't have an activation register. But that doesn't 26697 mean that people won't ask. Removing the assertion fixes a debug-only crash and 26698 has no impact on production code. This change adds a comment to that effect. 26699 26700 * dfg/DFGGraph.h: 26701 (JSC::DFG::Graph::uncheckedActivationRegisterFor): 26702 267032013-05-31 Julien Brianceau <jbrianceau@nds.com> 26704 26705 [sh4] Fix Overflow case of branchMul32 in baseline JIT. 26706 https://bugs.webkit.org/show_bug.cgi?id=117057 26707 26708 Reviewed by Oliver Hunt. 26709 26710 Current implementation of Overflow case in branchMul32 performs an 26711 unsigned multiplication whereas a signed multiplication is expected. 26712 26713 * assembler/MacroAssemblerSH4.h: 26714 (JSC::MacroAssemblerSH4::branchMul32): 26715 267162013-05-31 Julien Brianceau <jbrianceau@nds.com> 26717 26718 [sh4] Fix floating point comparisons in baseline JIT. 26719 https://bugs.webkit.org/show_bug.cgi?id=117066. 26720 26721 Reviewed by Oliver Hunt. 26722 26723 Current implementation of branchDouble function in baseline JIT is wrong 26724 for some conditions and overkill for others. For instance: 26725 - With DoubleGreaterThanOrEqual condition, branch will be taken if either 26726 operand is NaN with current implementation whereras it should not. 26727 - With DoubleNotEqualOrUnordered condition, performed NaN checks are 26728 useless (because comparison result is false if either operand is NaN). 26729 26730 * assembler/MacroAssemblerSH4.h: 26731 (JSC::MacroAssemblerSH4::branchDouble): 26732 267332013-05-31 Julien Brianceau <jbrianceau@nds.com> 26734 26735 [sh4] Fix double floating point transfer in baseline JIT. 26736 https://bugs.webkit.org/show_bug.cgi?id=117054 26737 26738 Reviewed by Oliver Hunt. 26739 26740 In current implementation, dmovRegReg function transfers only one single 26741 FPRegister as PR=1 and SZ=0 in floating point status/control register. 26742 Double transfers must be performed with two fmov.s opcodes. 26743 26744 * assembler/MacroAssemblerSH4.h: 26745 (JSC::MacroAssemblerSH4::moveDouble): 26746 (JSC::MacroAssemblerSH4::addDouble): Handle (op2==dest) case properly. 26747 (JSC::MacroAssemblerSH4::sqrtDouble): 26748 * assembler/SH4Assembler.h: 26749 (JSC::SH4Assembler::fmovsRegReg): 26750 267512013-05-31 Julien Brianceau <jbrianceau@nds.com> 26752 26753 [sh4] Handle branchType properly in branchTruncateDoubleToInt32. 26754 https://bugs.webkit.org/show_bug.cgi?id=117062 26755 26756 Reviewed by Oliver Hunt. 26757 26758 Current implementation of branchTruncateDoubleToInt32 is incorrect 26759 when branchType == BranchIfTruncateSuccessful in sh4 baseline JIT. 26760 26761 * assembler/MacroAssemblerSH4.h: 26762 (JSC::MacroAssemblerSH4::branchTruncateDoubleToInt32): 26763 267642013-05-31 Brent Fulgham <bfulgham@apple.com> 26765 26766 [Windows] Unreviewed build fix for VS2005 builders. 26767 26768 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Add 26769 missing export for WTF::SHA1::computeHexDigest 26770 267712013-05-30 David Farler <dfarler@apple.com> 26772 26773 Fix jscore-test when not using --sdk option with jsDriver.pl 26774 https://bugs.webkit.org/show_bug.cgi?id=116339 26775 26776 Reviewed by Joe Pecoraro. 26777 26778 * tests/mozilla/jsDriver.pl: 26779 (execute_tests): 26780 With each test, the shell_command needs to be started from scratch. 26781 26782 This fix will clear the shell_command and start over as before with 26783 the opt_arch option when not using --sdk with jsDriver.pl. 26784 267852013-05-30 Roger Fong <roger_fong@apple.com> 26786 26787 Get rid of JavaScript exports file on AppleWin port. 26788 https://bugs.webkit.org/show_bug.cgi?id=117050. 26789 26790 Reviewed by Darin Adler. 26791 26792 Delete the JavaScriptCoreExportGenerator folder and remove dependencies. 26793 Start linking in WTF.lib now that it's a shared library. 26794 26795 * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: 26796 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 26797 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: 26798 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator: Removed. 26799 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj: Removed. 26800 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters: Removed. 26801 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorBuildCmd.cmd: Removed. 26802 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props: Removed. 26803 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorDebug.props: Removed. 26804 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd: Removed. 26805 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPreBuild.cmd: Removed. 26806 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorProduction.props: Removed. 26807 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props: Removed. 26808 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Removed. 26809 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/make-export-file-generator: Removed. 26810 * JavaScriptCore.vcxproj/jsc/jscCommon.props: 26811 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: 26812 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters: 26813 * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: 26814 * JavaScriptCore.vcxproj/testapi/testapiCommon.props: 26815 268162013-05-22 David Farler <dfarler@apple.com> 26817 26818 Add --sdk option to jsDriver.pl to run with iOS Simulator 26819 https://bugs.webkit.org/show_bug.cgi?id=116339 26820 26821 Reviewed by David Kilzer. 26822 26823 * tests/mozilla/jsDriver.pl: 26824 (execute_tests): 26825 Prefix shell command with the path to the "sim" tool. 26826 (parse_args): 26827 Add -d / --sdk option. 26828 (usage): 26829 Help message for -d / --sdk option. 26830 268312013-05-30 Julien Brianceau <jbrianceau@nds.com> 26832 26833 [sh4] Optimize NaN checks in LLINT for floating point comparisons. 26834 https://bugs.webkit.org/show_bug.cgi?id=117049 26835 26836 Reviewed by Oliver Hunt. 26837 26838 Use the fcmp/eq opcode in sh4 LLINT to test if a double is NaN. 26839 This is more efficient, doesn't require two tmp registers and requires 26840 less code than current implementation (which converts double to float, 26841 then checks 'E = Emax + 1' and 'f != 0'). 26842 26843 * offlineasm/sh4.rb: 26844 268452013-05-30 Oliver Hunt <oliver@apple.com> 26846 26847 JSCallbackObject does not correctly initialise the PropertySlot for getOwnPropertyDescriptor 26848 https://bugs.webkit.org/show_bug.cgi?id=117053 26849 26850 Reviewed by Mark Hahnenberg. 26851 26852 Set appropriate thisValue on the PropertySlot 26853 26854 * API/JSCallbackObjectFunctions.h: 26855 (JSC::::getOwnPropertyDescriptor): 26856 * API/tests/testapi.mm: 26857 268582013-05-29 Jeffrey Pfau <jpfau@apple.com> 26859 26860 [Mac] Enable cache partitioning and the public suffix list on 10.8 26861 <rdar://problem/13679019> 26862 26863 Rubber-stamped by David Kilzer. 26864 26865 * Configurations/FeatureDefines.xcconfig: 26866 268672013-05-28 Brent Fulgham <bfulgham@apple.com> 26868 26869 [Windows] Put correct byteCompile symbol in file. Previous version 26870 had an extra 'i' appended to the end. 26871 26872 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: 26873 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 26874 268752013-05-28 Brent Fulgham <bfulgham@apple.com> 26876 26877 [Windows] Unreviewed build fix. Remove ?byteCompile symbol that 26878 is no longer accessible during link. 26879 26880 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: 26881 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 26882 268832013-05-28 Gavin Barraclough <barraclough@apple.com> 26884 26885 String(new Date(2010,10,1)) is wrong in KRAT, YAKT 26886 https://bugs.webkit.org/show_bug.cgi?id=106750 26887 26888 Reviewed by Darin Adler. 26889 26890 * runtime/JSDateMath.cpp: 26891 (JSC::msToGregorianDateTime): 26892 - Additional review comment fix. 26893 268942013-05-28 Brent Fulgham <bfulgham@apple.com> 26895 26896 [Windows] Unreviewed build fix after r150833 26897 26898 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: 26899 A CR/LF combination was lost in the file, combining two symbols. 26900 269012013-05-27 Gavin Barraclough <barraclough@apple.com> 26902 26903 String(new Date(2010,10,1)) is wrong in KRAT, YAKT 26904 https://bugs.webkit.org/show_bug.cgi?id=106750 26905 26906 Reviewed by Darin Adler. 26907 26908 First part of a fix, simplfy date handling code, instead of operating separately 26909 on the UTC-standard and standard-DST offsets, just generate a combined UTC-local 26910 offset (this is what we actually need, and what the OS gives us). 26911 26912 * runtime/JSDateMath.cpp: 26913 (JSC::getLocalTimeOffset): 26914 - removed getUTCOffset, converted getDSTOffset -> getLocalTimeOffset 26915 (JSC::gregorianDateTimeToMS): 26916 (JSC::msToGregorianDateTime): 26917 (JSC::parseDateFromNullTerminatedCharacters): 26918 - call getLocalTimeOffset instead of getUTCOffset/getDSTOffset 26919 * runtime/JSGlobalData.cpp: 26920 (JSC::JSGlobalData::resetDateCache): 26921 - removed cachedUTCOffset, converted DSTOffsetCache -> LocalTimeOffsetCache 26922 * runtime/JSGlobalData.h: 26923 (JSC::LocalTimeOffsetCache::LocalTimeOffsetCache): 26924 (JSC::LocalTimeOffsetCache::reset): 26925 (LocalTimeOffsetCache): 26926 - removed cachedUTCOffset, converted DSTOffsetCache -> LocalTimeOffsetCache 26927 269282013-05-28 Mark Hahnenberg <mhahnenberg@apple.com> 26929 26930 r150199 is very wrong 26931 https://bugs.webkit.org/show_bug.cgi?id=116876 26932 26933 JSValue needs to protect its internal JSValueRef. 26934 26935 Reviewed by Darin Adler. 26936 26937 * API/JSValue.mm: 26938 (-[JSValue initWithValue:inContext:]): 26939 (-[JSValue dealloc]): 26940 * API/tests/testapi.mm: Added a simple test to make sure that we protect the 26941 underlying JavaScript value across garbage collections. 26942 269432013-05-27 Patrick Gansterer <paroga@webkit.org> 26944 26945 Use ICU_INCLUDE_DIRS in BlackBerry CMake files 26946 https://bugs.webkit.org/show_bug.cgi?id=116210 26947 26948 Reviewed by Rob Buis. 26949 26950 Set and use the ICU_INCLUDE_DIRS variable to avoid 26951 duplicated adding of the ICU include directory. 26952 26953 * PlatformBlackBerry.cmake: 26954 269552013-05-27 Gabor Rapcsanyi <rgabor@webkit.org> 26956 26957 MacroAssemblerARM should use xor to swap registers instead of move 26958 https://bugs.webkit.org/show_bug.cgi?id=116306 26959 26960 Reviewed by Zoltan Herczeg. 26961 26962 Change register swapping to xor from move and this way we don't need 26963 temporary register anymore. 26964 26965 * assembler/MacroAssemblerARM.h: 26966 (JSC::MacroAssemblerARM::swap): 26967 269682013-05-25 Filip Pizlo <fpizlo@apple.com> 26969 26970 We broke (-2^31/-1)|0 in the DFG 26971 https://bugs.webkit.org/show_bug.cgi?id=116767 26972 26973 Reviewed by Andreas Kling. 26974 26975 The bug is that we were assuming that in the -2^31 case, we already had -2^31 26976 in the result register. This was a wrong assumption. 26977 26978 * dfg/DFGSpeculativeJIT.cpp: 26979 (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86): 26980 269812013-05-24 Filip Pizlo <fpizlo@apple.com> 26982 26983 We broke !(0/0) 26984 https://bugs.webkit.org/show_bug.cgi?id=116736 26985 26986 Reviewed by Gavin Barraclough. 26987 26988 * parser/ASTBuilder.h: 26989 (JSC::ASTBuilder::createLogicalNot): 26990 * runtime/JSCJSValueInlines.h: 26991 (JSC::JSValue::pureToBoolean): 26992 269932013-05-24 Julien Brianceau <jbrianceau@nds.com> 26994 26995 [sh4] Optimize LLINT generated code and fix few bugs in baseline JIT. 26996 https://bugs.webkit.org/show_bug.cgi?id=116716 26997 26998 Reviewed by Geoffrey Garen. 26999 27000 * assembler/MacroAssemblerSH4.h: 27001 (JSC::MacroAssemblerSH4::mul32): Cosmetic changes. 27002 (JSC::MacroAssemblerSH4::convertInt32ToDouble): Absolute address was not dereferenced. 27003 (JSC::MacroAssemblerSH4::branch32): Absolute address was not dereferenced. 27004 (JSC::MacroAssemblerSH4::revertJumpReplacementToBranchPtrWithPatch): Use all 32 bits of pointer for revertJump call. 27005 * assembler/SH4Assembler.h: 27006 (JSC::SH4Assembler::revertJump): Use changePCrelativeAddress to patch the whole pointer. 27007 (JSC::SH4Assembler::linkJump): Cosmetic change. 27008 * offlineasm/sh4.rb: Optimize LLINT generated code. 27009 270102013-05-23 Peter Wang <peter.wang@torchmobile.com.cn> 27011 27012 CLoop llint backend should not use the d8 register as scratch register 27013 https://bugs.webkit.org/show_bug.cgi?id=116019 27014 27015 Reviewed by Csaba Osztrogonác. 27016 27017 * offlineasm/cloop.rb: 27018 270192013-05-22 Peter Wang <peter.wang@torchmobile.com.cn> 27020 27021 Use uninitialized register in "JIT::emit_op_neq_null" and "emit_op_eq_null" 27022 https://bugs.webkit.org/show_bug.cgi?id=116593 27023 27024 Reviewed by Filip Pizlo. 27025 27026 Generated instructions using uninitialized register. It's caused by a mistake of r126494. 27027 27028 * jit/JITOpcodes32_64.cpp: 27029 (JSC::JIT::emit_op_eq_null): 27030 (JSC::JIT::emit_op_neq_null): 27031 270322013-05-22 Filip Pizlo <fpizlo@apple.com> 27033 27034 Fix indentation of CodeBlock.h 27035 27036 Rubber stampted by Mark Hahnenberg. 27037 27038 * bytecode/CodeBlock.h: 27039 270402013-05-22 Julien Brianceau <jbrianceau@nds.com> 27041 27042 [sh4] Remove MacroAssemblerSH4.cpp file. 27043 https://bugs.webkit.org/show_bug.cgi?id=116596. 27044 27045 Reviewed by Geoffrey Garen. 27046 27047 Move linkCall and repatchCall implementations from MacroAssemblerSH4.cpp 27048 to MacroAssemblerSH4.h and remove MacroAssemblerSH4.cpp, as it is done 27049 for other architectures. 27050 27051 * GNUmakefile.list.am: 27052 * JavaScriptCore.xcodeproj/project.pbxproj: 27053 * Target.pri: 27054 * assembler/MacroAssemblerSH4.cpp: Removed. 27055 * assembler/MacroAssemblerSH4.h: 27056 (JSC::MacroAssemblerSH4::linkCall): 27057 (MacroAssemblerSH4): 27058 (JSC::MacroAssemblerSH4::repatchCall): 27059 270602013-05-21 Brent Fulgham <bfulgham@apple.com> 27061 27062 [Windows] Unreviewed speculative fix for test-bots. 27063 27064 Add export declaration for WTFInvokeCrashHook to avoid runtime 27065 load error on test bots. 27066 27067 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: 27068 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 27069 270702013-05-21 Mark Lam <mark.lam@apple.com> 27071 27072 Added missing assert condition for PositiveOrZero in ARM branch32(). 27073 https://bugs.webkit.org/show_bug.cgi?id=116538. 27074 27075 Reviewed by Geoffrey Garen. 27076 27077 * assembler/MacroAssemblerARM.h: 27078 (JSC::MacroAssemblerARM::branchAdd32): 27079 270802013-05-20 Mark Hahnenberg <mhahnenberg@apple.com> 27081 27082 Disable SuperRegion 27083 https://bugs.webkit.org/show_bug.cgi?id=116362 27084 27085 Rubber stamped by Geoff Garen. 27086 27087 * heap/Region.h: 27088 270892013-05-20 Oliver Hunt <oliver@apple.com> 27090 27091 Make C API more robust against null contexts 27092 https://bugs.webkit.org/show_bug.cgi?id=116462 27093 27094 Reviewed by Anders Carlsson. 27095 27096 Handle null contexts in a non-crashy way. It's a bug to ever call the 27097 API with a null context, and the absence of a context means we can't 27098 produce a meaningful result, so we still assert in debug builds. 27099 27100 Now where possible we detect and early return, returning null for any 27101 pointer type, NaN for doubles, and false for any boolean result. 27102 27103 * API/JSBase.cpp: 27104 (JSEvaluateScript): 27105 (JSCheckScriptSyntax): 27106 (JSReportExtraMemoryCost): 27107 * API/JSContextRef.cpp: 27108 (JSContextGetGlobalObject): 27109 (JSContextGetGroup): 27110 (JSContextGetGlobalContext): 27111 (JSContextCreateBacktrace): 27112 * API/JSObjectRef.cpp: 27113 (JSObjectMake): 27114 (JSObjectMakeFunctionWithCallback): 27115 (JSObjectMakeConstructor): 27116 (JSObjectMakeFunction): 27117 (JSObjectMakeArray): 27118 (JSObjectMakeDate): 27119 (JSObjectMakeError): 27120 (JSObjectMakeRegExp): 27121 (JSObjectGetPrototype): 27122 (JSObjectSetPrototype): 27123 (JSObjectHasProperty): 27124 (JSObjectGetProperty): 27125 (JSObjectSetProperty): 27126 (JSObjectGetPropertyAtIndex): 27127 (JSObjectSetPropertyAtIndex): 27128 (JSObjectDeleteProperty): 27129 (JSObjectCopyPropertyNames): 27130 * API/JSValueRef.cpp: 27131 (JSValueGetType): 27132 (JSValueIsUndefined): 27133 (JSValueIsNull): 27134 (JSValueIsBoolean): 27135 (JSValueIsNumber): 27136 (JSValueIsString): 27137 (JSValueIsObject): 27138 (JSValueIsObjectOfClass): 27139 (JSValueIsEqual): 27140 (JSValueIsStrictEqual): 27141 (JSValueIsInstanceOfConstructor): 27142 (JSValueMakeUndefined): 27143 (JSValueMakeNull): 27144 (JSValueMakeBoolean): 27145 (JSValueMakeNumber): 27146 (JSValueMakeString): 27147 (JSValueMakeFromJSONString): 27148 (JSValueCreateJSONString): 27149 (JSValueToBoolean): 27150 (JSValueToNumber): 27151 (JSValueToStringCopy): 27152 (JSValueToObject): 27153 (JSValueProtect): 27154 * API/JSWeakObjectMapRefPrivate.cpp: 27155 271562013-05-20 David Kilzer <ddkilzer@apple.com> 27157 27158 Synchronize FeatureDefines.xcconfig 27159 27160 * Configurations/FeatureDefines.xcconfig: Remove 27161 ENABLE_LINK_PRERENDER. This was missed in r150356. 27162 271632013-05-19 Anders Carlsson <andersca@apple.com> 27164 27165 Remove link prerendering code 27166 https://bugs.webkit.org/show_bug.cgi?id=116415 27167 27168 Reviewed by Darin Adler. 27169 27170 This code was only used by Chromium and is dead now. 27171 27172 * Configurations/FeatureDefines.xcconfig: 27173 271742013-05-18 Patrick Gansterer <paroga@webkit.org> 27175 27176 [CMake] Replace *_LIBRARY_NAME with *_OUTPUT_NAME 27177 https://bugs.webkit.org/show_bug.cgi?id=114554 27178 27179 Reviewed by Gyuyoung Kim. 27180 27181 Using variables as target names is very uncommon in CMake. 27182 The usual way to specify the name of the resulting binary 27183 is to set the OUTPUT_NAME target property. 27184 27185 * CMakeLists.txt: 27186 * shell/CMakeLists.txt: 27187 271882013-05-17 Patrick Gansterer <paroga@webkit.org> 27189 27190 [CMake] Remove invalid include paths 27191 https://bugs.webkit.org/show_bug.cgi?id=116213 27192 27193 Reviewed by Gyuyoung Kim. 27194 27195 Since "${JAVASCRIPTCORE_DIR}/wtf" does not exist, it is safe 27196 to remove them from the list of include directories. 27197 27198 * PlatformEfl.cmake: Removed. 27199 * PlatformGTK.cmake: Removed. 27200 272012013-05-16 Patrick Gansterer <paroga@webkit.org> 27202 27203 Consolidate lists in JavaScriptCore CMake files 27204 https://bugs.webkit.org/show_bug.cgi?id=115992 27205 27206 Reviewed by Gyuyoung Kim. 27207 27208 Move common files into the CMakeLists.txt to avoid duplicating the list of files. 27209 Also rebase the recently added GTK files to match the other CMake ports, since 27210 the submitted patch was based on an older version of the source tree. 27211 27212 * CMakeLists.txt: 27213 * PlatformEfl.cmake: 27214 * PlatformGTK.cmake: 27215 * shell/CMakeLists.txt: 27216 * shell/PlatformEfl.cmake: 27217 * shell/PlatformGTK.cmake: 27218 272192013-05-16 Geoffrey Garen <ggaren@apple.com> 27220 27221 JSValue shouldn't protect/unprotect its context 27222 https://bugs.webkit.org/show_bug.cgi?id=116234 27223 27224 Reviewed by Mark Hahnenberg. 27225 27226 Our retain on _context is sufficient. 27227 27228 * API/JSValue.mm: 27229 (-[JSValue initWithValue:inContext:]): 27230 (-[JSValue dealloc]): 27231 272322013-05-15 Ryosuke Niwa <rniwa@webkit.org> 27233 27234 Another Windows build fix attempt after r150160. 27235 27236 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: 27237 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 27238 272392013-05-15 Oliver Hunt <oliver@apple.com> 27240 27241 RefCountedArray needs to use vector initialisers for its backing store 27242 https://bugs.webkit.org/show_bug.cgi?id=116194 27243 27244 Reviewed by Gavin Barraclough. 27245 27246 Use an out of line function to clear the exception stack to avoid 27247 needing to include otherwise unnecessary headers all over the place. 27248 27249 Everything else is just being updated to use that. 27250 27251 * bytecompiler/BytecodeGenerator.cpp: 27252 * interpreter/CallFrame.h: 27253 (JSC::ExecState::clearSupplementaryExceptionInfo): 27254 * interpreter/Interpreter.cpp: 27255 (JSC::Interpreter::addStackTraceIfNecessary): 27256 (JSC::Interpreter::throwException): 27257 * runtime/JSGlobalObject.cpp: 27258 (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope): 27259 * runtime/JSGlobalData.cpp: 27260 (JSC): 27261 (JSC::JSGlobalData::clearExceptionStack): 27262 * runtime/JSGlobalData.h: 27263 (JSGlobalData): 27264 (JSC::JSGlobalData::exceptionStack): 27265 272662013-05-15 Commit Queue <commit-queue@webkit.org> 27267 27268 Unreviewed, rolling out r150051. 27269 http://trac.webkit.org/changeset/150051 27270 https://bugs.webkit.org/show_bug.cgi?id=116186 27271 27272 Broke all JSC tests on Mac and the author is unresponsive 27273 (Requested by rniwa on #webkit). 27274 27275 * JavaScriptCore.xcodeproj/project.pbxproj: 27276 272772013-05-15 Julien Brianceau <jbrianceau@nds.com> 27278 27279 Remove savedTimeoutReg from JITStackFrame for sh4 base JIT. 27280 https://bugs.webkit.org/show_bug.cgi?id=116143 27281 27282 Reviewed by Geoffrey Garen. 27283 27284 Since r148119, timeoutCheckRegister is removed from baseline JIT. 27285 So we don't need to save r8 register in JITStackFrame anymore for sh4. 27286 27287 * jit/JITStubs.cpp: 27288 * jit/JITStubs.h: 27289 (JITStackFrame): 27290 272912013-05-15 Nico Weber <thakis@chromium.org> 27292 27293 WebKit doesn't support MSVS2003 any more, remove preprocessor checks for older versions. 27294 https://bugs.webkit.org/show_bug.cgi?id=116157 27295 27296 Reviewed by Anders Carlsson. 27297 27298 Also remove a gcc3.2 workaround. 27299 27300 Merges parts of these two commits by the talented Nico Weber: 27301 https://chromium.googlesource.com/chromium/blink/+/3677e2f47348daeff405a40b6f90fbdf0654c2f5 27302 https://chromium.googlesource.com/chromium/blink/+/0fcd96c448dc30be1416dcc15713c53710c1a312 27303 27304 * os-win32/inttypes.h: 27305 273062013-05-13 Alvaro Lopez Ortega <alvaro@alobbs.com> 27307 27308 Nightly build's jsc doesn't work without DYLD_FRAMEWORK... 27309 https://bugs.webkit.org/show_bug.cgi?id=79065 27310 27311 Reviewed by Darin Adler. 27312 27313 Fixes the build process so the depencencies of the jsc binary are 27314 modified before its copied to its target directory. In this way 27315 jsc should always use relative reference to the JavaScriptCore 27316 libraries. 27317 27318 * JavaScriptCore.xcodeproj/project.pbxproj: Fixes the commands in 27319 the "Copy Into Framework" target. 27320 273212013-05-13 Mark Hahnenberg <mhahnenberg@apple.com> 27322 27323 Objective-C API: scanExternalObjectGraph should not create new JSVirtualMachine wrappers 27324 https://bugs.webkit.org/show_bug.cgi?id=116074 27325 27326 If scanExternalObjectGraph creates a new JSVirtualMachine wrapper during collection, when the 27327 scanExternalObjectGraph call finishes and the autorelease pool is drained we will dealloc the 27328 JSVirtualMachine which will cause us to try to take the API lock for the corresponding JSGlobalData. 27329 If this happens on a GC thread other than the "main" thread, we will deadlock. The solution 27330 is to just check the JSGlobalData cache, and if there is no JSVirtualMachine wrapper, return early. 27331 27332 Reviewed by Darin Adler. 27333 27334 * API/JSVirtualMachine.mm: 27335 (scanExternalObjectGraph): 27336 273372013-05-13 Benjamin Poulain <benjamin@webkit.org> 27338 27339 Improve stringProtoFuncLastIndexOf for the prefix case 27340 https://bugs.webkit.org/show_bug.cgi?id=115952 27341 27342 Reviewed by Geoffrey Garen. 27343 27344 * runtime/StringPrototype.cpp: 27345 (JSC::stringProtoFuncLastIndexOf): 27346 Use the optimized string search when possible. 27347 27348 On Joseph Pecoraro's tests, this gives a ~30% speed improvement. 27349 273502013-05-13 Zalan Bujtas <zalan@apple.com> 27351 27352 WebProcess consuming very high CPU on linkedin.com 27353 https://bugs.webkit.org/show_bug.cgi?id=115601 27354 27355 Reviewed by Andreas Kling. 27356 27357 Disable WEB_TIMING_MINIMAL. 27358 Turn off window.performance and performance.now(). Some JS frameworks expect 27359 additional Web Timing APIs, when performance.now() is available. 27360 27361 * Configurations/FeatureDefines.xcconfig: 27362 273632013-05-12 Anders Carlsson <andersca@apple.com> 27364 27365 Stop including UnusedParam.h 27366 https://bugs.webkit.org/show_bug.cgi?id=116003 27367 27368 Reviewed by Sam Weinig. 27369 27370 UnusedParam.h is empty now so there's no need to include it anymore. 27371 27372 * API/APICast.h: 27373 * API/tests/JSNode.c: 27374 * API/tests/JSNodeList.c: 27375 * API/tests/minidom.c: 27376 * API/tests/testapi.c: 27377 * assembler/AbstractMacroAssembler.h: 27378 * assembler/MacroAssemblerCodeRef.h: 27379 * bytecode/CodeBlock.cpp: 27380 * heap/HandleStack.h: 27381 * interpreter/JSStackInlines.h: 27382 * jit/CompactJITCodeMap.h: 27383 * jit/ExecutableAllocator.h: 27384 * parser/SourceProvider.h: 27385 * runtime/DatePrototype.cpp: 27386 * runtime/JSNotAnObject.cpp: 27387 * runtime/JSSegmentedVariableObject.h: 27388 * runtime/JSVariableObject.h: 27389 * runtime/Options.cpp: 27390 * runtime/PropertyOffset.h: 27391 273922013-05-11 Martin Robinson <mrobinson@igalia.com> 27393 27394 [GTK] Add a basic cmake build for WTF and JavaScriptCore 27395 https://bugs.webkit.org/show_bug.cgi?id=115967 27396 27397 Reviewed by Laszlo Gombos. 27398 27399 * PlatformGTK.cmake: Added. 27400 * shell/PlatformGTK.cmake: Added. 27401 274022013-05-10 Laszlo Gombos <l.gombos@samsung.com> 27403 27404 Remove USE(OS_RANDOMNESS) 27405 https://bugs.webkit.org/show_bug.cgi?id=108095 27406 27407 Reviewed by Darin Adler. 27408 27409 Remove the USE(OS_RANDOMNESS) guard as it is turned on for all 27410 ports. 27411 27412 * jit/JIT.cpp: 27413 (JSC::JIT::JIT): 27414 274152013-05-10 Mark Hahnenberg <mhahnenberg@apple.com> 27416 27417 Rename StructureCheckHoistingPhase to TypeCheckHoistingPhase 27418 https://bugs.webkit.org/show_bug.cgi?id=115938 27419 27420 We're going to add some more types of check hoisting soon, so let's have the right name here. 27421 27422 Rubber stamped by Filip Pizlo. 27423 27424 * CMakeLists.txt: 27425 * GNUmakefile.list.am: 27426 * JavaScriptCore.xcodeproj/project.pbxproj: 27427 * Target.pri: 27428 * dfg/DFGDriver.cpp: 27429 (JSC::DFG::compile): 27430 * dfg/DFGStructureCheckHoistingPhase.cpp: Removed. 27431 * dfg/DFGStructureCheckHoistingPhase.h: Removed. 27432 * dfg/DFGTypeCheckHoistingPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGStructureCheckHoistingPhase.cpp. 27433 (JSC::DFG::TypeCheckHoistingPhase::TypeCheckHoistingPhase): 27434 (JSC::DFG::performTypeCheckHoisting): 27435 * dfg/DFGTypeCheckHoistingPhase.h: Copied from Source/JavaScriptCore/dfg/DFGStructureCheckHoistingPhase.h. 27436 274372013-05-09 Christophe Dumez <ch.dumez@sisa.samsung.com> 27438 27439 Unreviewed build fix after r149836. 27440 27441 It broke at least EFL and GTK builds. Move new static members initialization 27442 outside the class. Those need to have a definition outside the class because 27443 their address is used (e.g. CodeCacheMap::nonGlobalWorkingSetMaxEntries). 27444 27445 * runtime/CodeCache.cpp: 27446 (JSC): 27447 * runtime/CodeCache.h: 27448 (CodeCacheMap): 27449 274502013-05-08 Oliver Hunt <oliver@apple.com> 27451 27452 Code cache stores bogus var references for functions in eval code 27453 https://bugs.webkit.org/show_bug.cgi?id=115747 27454 27455 Reviewed by Mark Hahnenberg. 27456 27457 Non-global eval now uses a per-CodeBlock cache, and only use it 27458 when we're at the top of a function's scope. This means that we 27459 will no longer cache the parsing of a single string across 27460 multiple functions, and we won't cache when we're nested inside 27461 constructs like |with| and |catch| where previously we would, which 27462 is good because caching in those cases is unsound. 27463 27464 * bytecode/EvalCodeCache.h: 27465 (JSC): 27466 (JSC::EvalCodeCache::getSlow): 27467 (JSC::EvalCodeCache::get): 27468 * bytecode/UnlinkedCodeBlock.h: 27469 (JSC::UnlinkedCodeBlock::codeCacheForEval): 27470 (UnlinkedCodeBlock): 27471 (RareData): 27472 * debugger/Debugger.cpp: 27473 (JSC::evaluateInGlobalCallFrame): 27474 * debugger/DebuggerCallFrame.cpp: 27475 (JSC::DebuggerCallFrame::evaluate): 27476 * interpreter/Interpreter.cpp: 27477 (JSC::eval): 27478 * runtime/CodeCache.cpp: 27479 (JSC::CodeCache::CodeCache): 27480 (JSC::CodeCache::generateBytecode): 27481 (JSC): 27482 (JSC::CodeCache::getCodeBlock): 27483 * runtime/CodeCache.h: 27484 (JSC::CodeCacheMap::CodeCacheMap): 27485 (CodeCacheMap): 27486 (JSC::CodeCacheMap::canPruneQuickly): 27487 (JSC::CodeCacheMap::prune): 27488 (JSC::CodeCache::create): 27489 (CodeCache): 27490 * runtime/Executable.cpp: 27491 (JSC::EvalExecutable::EvalExecutable): 27492 (JSC::EvalExecutable::compileInternal): 27493 * runtime/Executable.h: 27494 (JSC::EvalExecutable::create): 27495 (EvalExecutable): 27496 * runtime/JSGlobalObject.cpp: 27497 (JSC::JSGlobalObject::createEvalCodeBlock): 27498 * runtime/JSGlobalObject.h: 27499 (JSGlobalObject): 27500 * runtime/JSGlobalObjectFunctions.cpp: 27501 (JSC::globalFuncEval): 27502 * runtime/JSGlobalData.cpp: 27503 (JSC::JSGlobalData::JSGlobalData): 27504 * runtime/JSGlobalData.h: 27505 (JSGlobalData): 27506 275072013-05-08 Mark Hahnenberg <mhahnenberg@apple.com> 27508 27509 DFGArrayMode::fromObserved is too liberal when it sees different Array and NonArray shapes 27510 https://bugs.webkit.org/show_bug.cgi?id=115805 27511 27512 Reviewed by Geoffrey Garen. 27513 27514 It checks the observed ArrayModes to see if we have seen any ArrayWith* first. If so, it assumes it's 27515 an Array::Array, even if we've also observed any NonArrayWith* in the ArrayProfile. This leads to the 27516 code generated by jumpSlowForUnwantedArrayMode to check the indexing type against (shape | IsArray) 27517 instead of just shape, which can cause us to exit a lot in the case that we saw a NonArray. 27518 27519 To fix this we need to add a case that checks for both ArrayWith* and NonArrayWith* cases first, which 27520 should then use Array::PossiblyArray, then do the checks we were already doing. 27521 27522 * bytecode/ArrayProfile.h: 27523 (JSC::hasSeenArray): 27524 (JSC::hasSeenNonArray): 27525 * dfg/DFGArrayMode.cpp: 27526 (JSC::DFG::ArrayMode::fromObserved): 27527 275282013-05-09 Joe Mason <jmason@blackberry.com> 27529 27530 [BlackBerry] Set up logging buffer on start of jsc executable 27531 https://bugs.webkit.org/show_bug.cgi?id=114688 27532 27533 Reviewed by Rob Buis. 27534 27535 Internal PR: 322715 27536 Internally Reviewed By: Jeff Rogers 27537 27538 * jsc.cpp: 27539 (main): call BB::Platform::setupApplicationLogging 27540 275412013-05-08 Michael Saboff <msaboff@apple.com> 27542 27543 JSC: There should be a disassembler for ARM Thumb 2 27544 https://bugs.webkit.org/show_bug.cgi?id=115827 27545 27546 Reviewed by Filip Pizlo. 27547 27548 Added a new disassembler for ARMv7 Thumb2 instructions for use by the JSC debugging 27549 and profiling code. The opcode coverage is currently not complete. It covers all 27550 of the integer instructions JSC currently emits, but only a limited number of 27551 floating point opcodes. Currently that is just the 64 bit vmov and vmsr instructions. 27552 27553 The disassembler is structured as a base opcode class ARMv7DOpcode with sub-classes 27554 for each instruction group. There is a public format method that does the bulk of 27555 the disassembly work. There are two broad sub-classes, ARMv7D16BitOpcode and 27556 ARMv7D32BitOpcode, for the 16 bit and 32 bit opcodes. There are sub-classes under 27557 those two classes for individual and related groups of opcodes. Instructions are 27558 "dispatched" to the right subclass via two arrays of linked lists in the inner classes 27559 OpcodeGroup. There is one such inner class for each ARMv7D16BitOpcode and ARMv7D32BitOpcode. 27560 Each OpcodeGroup has a mask and a pattern that it applies to the instruction to determine 27561 that it matches a particular group. OpcodeGroup uses a static method to reinterpret_cast 27562 the Opcode object to the right base class for the instruction group for formatting. 27563 The cast eliminates the need of allocating an object for each decoded instruction. 27564 Unknown instructions are formatted as ".word 1234" or ".long 12345678" depending whether 27565 the instruction is 16 or 32 bit. 27566 27567 * JavaScriptCore.xcodeproj/project.pbxproj: 27568 * disassembler/ARMv7: Added. 27569 * disassembler/ARMv7/ARMv7DOpcode.cpp: Added. 27570 (ARMv7Disassembler): 27571 (OpcodeGroupInitializer): 27572 (JSC::ARMv7Disassembler::ARMv7DOpcode::init): 27573 (JSC::ARMv7Disassembler::ARMv7DOpcode::startITBlock): 27574 (JSC::ARMv7Disassembler::ARMv7DOpcode::saveITConditionAt): 27575 (JSC::ARMv7Disassembler::ARMv7DOpcode::fetchOpcode): 27576 (JSC::ARMv7Disassembler::ARMv7DOpcode::disassemble): 27577 (JSC::ARMv7Disassembler::ARMv7DOpcode::bufferPrintf): 27578 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendInstructionName): 27579 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterName): 27580 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterList): 27581 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendFPRegisterName): 27582 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::init): 27583 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::doDisassemble): 27584 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::defaultFormat): 27585 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddRegisterT2::format): 27586 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSPPlusImmediate::format): 27587 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::format): 27588 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::format): 27589 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::format): 27590 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchConditionalT1::format): 27591 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchExchangeT1::format): 27592 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchT2::format): 27593 (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareImmediateT1::format): 27594 (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT1::format): 27595 (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT2::format): 27596 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::format): 27597 (JSC::ARMv7Disassembler::ARMv7DOpcodeGeneratePCRelativeAddress::format): 27598 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadFromLiteralPool::format): 27599 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::format): 27600 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::format): 27601 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::format): 27602 (JSC::ARMv7Disassembler::ARMv7DOpcodeLogicalImmediateT1::format): 27603 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscAddSubSP::format): 27604 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscBreakpointT1::format): 27605 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscByteHalfwordOps::format): 27606 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::format): 27607 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscHint16::format): 27608 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscIfThenT1::format): 27609 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::format): 27610 (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveImmediateT1::format): 27611 (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveRegisterT1::format): 27612 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::init): 27613 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::doDisassemble): 27614 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::defaultFormat): 27615 (JSC::ARMv7Disassembler::ARMv7DOpcodeConditionalBranchT3::format): 27616 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchOrBranchLink::format): 27617 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::appendModifiedImmediate): 27618 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::format): 27619 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::appendImmShift): 27620 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::format): 27621 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::format): 27622 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::appendFPRegister): 27623 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegShift::format): 27624 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegExtend::format): 27625 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegParallel::format): 27626 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegMisc::format): 27627 (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::format): 27628 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadRegister::format): 27629 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::format): 27630 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadUnsignedImmediate::format): 27631 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::format): 27632 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::format): 27633 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopSingle::format): 27634 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate12::format): 27635 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::format): 27636 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleRegister::format): 27637 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::format): 27638 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::format): 27639 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMSR::format): 27640 * disassembler/ARMv7/ARMv7DOpcode.h: Added. 27641 (ARMv7Disassembler): 27642 (ARMv7DOpcode): 27643 (JSC::ARMv7Disassembler::ARMv7DOpcode::ARMv7DOpcode): 27644 (JSC::ARMv7Disassembler::ARMv7DOpcode::is32BitInstruction): 27645 (JSC::ARMv7Disassembler::ARMv7DOpcode::isFPInstruction): 27646 (JSC::ARMv7Disassembler::ARMv7DOpcode::conditionName): 27647 (JSC::ARMv7Disassembler::ARMv7DOpcode::shiftName): 27648 (JSC::ARMv7Disassembler::ARMv7DOpcode::inITBlock): 27649 (JSC::ARMv7Disassembler::ARMv7DOpcode::startingITBlock): 27650 (JSC::ARMv7Disassembler::ARMv7DOpcode::endITBlock): 27651 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendInstructionNameNoITBlock): 27652 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendSeparator): 27653 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendCharacter): 27654 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendString): 27655 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendShiftType): 27656 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendSignedImmediate): 27657 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendUnsignedImmediate): 27658 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendPCRelativeOffset): 27659 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendShiftAmount): 27660 (ARMv7D16BitOpcode): 27661 (OpcodeGroup): 27662 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::OpcodeGroup): 27663 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::setNext): 27664 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::next): 27665 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::matches): 27666 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::format): 27667 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::rm): 27668 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::rd): 27669 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::opcodeGroupNumber): 27670 (ARMv7DOpcodeAddRegisterT2): 27671 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddRegisterT2::rdn): 27672 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddRegisterT2::rm): 27673 (ARMv7DOpcodeAddSPPlusImmediate): 27674 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSPPlusImmediate::rd): 27675 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSPPlusImmediate::immediate8): 27676 (ARMv7DOpcodeAddSubtract): 27677 (ARMv7DOpcodeAddSubtractT1): 27678 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::opName): 27679 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::op): 27680 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::rm): 27681 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::rn): 27682 (ARMv7DOpcodeAddSubtractImmediate3): 27683 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::opName): 27684 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::op): 27685 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::immediate3): 27686 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::rn): 27687 (ARMv7DOpcodeAddSubtractImmediate8): 27688 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::opName): 27689 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::op): 27690 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::rdn): 27691 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::immediate8): 27692 (ARMv7DOpcodeBranchConditionalT1): 27693 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchConditionalT1::condition): 27694 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchConditionalT1::offset): 27695 (ARMv7DOpcodeBranchExchangeT1): 27696 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchExchangeT1::opName): 27697 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchExchangeT1::rm): 27698 (ARMv7DOpcodeBranchT2): 27699 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchT2::immediate11): 27700 (ARMv7DOpcodeCompareImmediateT1): 27701 (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareImmediateT1::rn): 27702 (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareImmediateT1::immediate8): 27703 (ARMv7DOpcodeCompareRegisterT1): 27704 (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT1::rn): 27705 (ARMv7DOpcodeCompareRegisterT2): 27706 (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT2::rn): 27707 (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT2::rm): 27708 (ARMv7DOpcodeDataProcessingRegisterT1): 27709 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::opName): 27710 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::op): 27711 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::rm): 27712 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::rdn): 27713 (ARMv7DOpcodeGeneratePCRelativeAddress): 27714 (JSC::ARMv7Disassembler::ARMv7DOpcodeGeneratePCRelativeAddress::rd): 27715 (JSC::ARMv7Disassembler::ARMv7DOpcodeGeneratePCRelativeAddress::immediate8): 27716 (ARMv7DOpcodeLoadFromLiteralPool): 27717 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadFromLiteralPool::rt): 27718 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadFromLiteralPool::immediate8): 27719 (ARMv7DOpcodeLoadStoreRegisterImmediate): 27720 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::opName): 27721 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::op): 27722 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::immediate5): 27723 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::rn): 27724 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::rt): 27725 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::scale): 27726 (ARMv7DOpcodeLoadStoreRegisterImmediateWordAndByte): 27727 (ARMv7DOpcodeLoadStoreRegisterImmediateHalfWord): 27728 (ARMv7DOpcodeLoadStoreRegisterOffsetT1): 27729 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::opName): 27730 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::opB): 27731 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::rm): 27732 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::rn): 27733 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::rt): 27734 (ARMv7DOpcodeLoadStoreRegisterSPRelative): 27735 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::opName): 27736 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::op): 27737 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::rt): 27738 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::immediate8): 27739 (ARMv7DOpcodeLogicalImmediateT1): 27740 (JSC::ARMv7Disassembler::ARMv7DOpcodeLogicalImmediateT1::opName): 27741 (JSC::ARMv7Disassembler::ARMv7DOpcodeLogicalImmediateT1::op): 27742 (JSC::ARMv7Disassembler::ARMv7DOpcodeLogicalImmediateT1::immediate5): 27743 (ARMv7DOpcodeMiscAddSubSP): 27744 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscAddSubSP::opName): 27745 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscAddSubSP::op): 27746 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscAddSubSP::immediate7): 27747 (ARMv7DOpcodeMiscByteHalfwordOps): 27748 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscByteHalfwordOps::opName): 27749 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscByteHalfwordOps::op): 27750 (ARMv7DOpcodeMiscBreakpointT1): 27751 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscBreakpointT1::immediate8): 27752 (ARMv7DOpcodeMiscCompareAndBranch): 27753 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::opName): 27754 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::op): 27755 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::immediate6): 27756 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::rn): 27757 (ARMv7DOpcodeMiscHint16): 27758 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscHint16::opName): 27759 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscHint16::opA): 27760 (ARMv7DOpcodeMiscIfThenT1): 27761 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscIfThenT1::firstCondition): 27762 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscIfThenT1::mask): 27763 (ARMv7DOpcodeMiscPushPop): 27764 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::opName): 27765 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::op): 27766 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::registerMask): 27767 (ARMv7DOpcodeMoveImmediateT1): 27768 (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveImmediateT1::rd): 27769 (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveImmediateT1::immediate8): 27770 (ARMv7DOpcodeMoveRegisterT1): 27771 (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveRegisterT1::rd): 27772 (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveRegisterT1::rm): 27773 (ARMv7D32BitOpcode): 27774 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::OpcodeGroup): 27775 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::setNext): 27776 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::next): 27777 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::matches): 27778 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::format): 27779 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::rd): 27780 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::rm): 27781 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::rn): 27782 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::rt): 27783 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::opcodeGroupNumber): 27784 (ARMv7DOpcodeBranchRelative): 27785 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchRelative::sBit): 27786 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchRelative::j1): 27787 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchRelative::j2): 27788 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchRelative::immediate11): 27789 (ARMv7DOpcodeConditionalBranchT3): 27790 (JSC::ARMv7Disassembler::ARMv7DOpcodeConditionalBranchT3::offset): 27791 (JSC::ARMv7Disassembler::ARMv7DOpcodeConditionalBranchT3::condition): 27792 (JSC::ARMv7Disassembler::ARMv7DOpcodeConditionalBranchT3::immediate6): 27793 (ARMv7DOpcodeBranchOrBranchLink): 27794 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchOrBranchLink::offset): 27795 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchOrBranchLink::immediate10): 27796 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchOrBranchLink::isBL): 27797 (ARMv7DOpcodeDataProcessingLogicalAndRithmetic): 27798 (ARMv7DOpcodeDataProcessingModifiedImmediate): 27799 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::opName): 27800 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::op): 27801 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::sBit): 27802 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::immediate12): 27803 (ARMv7DOpcodeDataProcessingShiftedReg): 27804 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::opName): 27805 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::sBit): 27806 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::op): 27807 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::immediate5): 27808 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::type): 27809 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::tbBit): 27810 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::tBit): 27811 (ARMv7DOpcodeDataProcessingReg): 27812 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingReg::op1): 27813 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingReg::op2): 27814 (ARMv7DOpcodeDataProcessingRegShift): 27815 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegShift::opName): 27816 (ARMv7DOpcodeDataProcessingRegExtend): 27817 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegExtend::opExtendName): 27818 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegExtend::opExtendAndAddName): 27819 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegExtend::rotate): 27820 (ARMv7DOpcodeDataProcessingRegParallel): 27821 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegParallel::opName): 27822 (ARMv7DOpcodeDataProcessingRegMisc): 27823 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegMisc::opName): 27824 (ARMv7DOpcodeHint32): 27825 (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::opName): 27826 (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::isDebugHint): 27827 (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::debugOption): 27828 (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::op): 27829 (ARMv7DOpcodeFPTransfer): 27830 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::opH): 27831 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::opL): 27832 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::rt): 27833 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::opC): 27834 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::opB): 27835 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::vd): 27836 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::vn): 27837 (ARMv7DOpcodeDataLoad): 27838 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataLoad::opName): 27839 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataLoad::op): 27840 (ARMv7DOpcodeLoadRegister): 27841 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadRegister::immediate2): 27842 (ARMv7DOpcodeLoadSignedImmediate): 27843 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::pBit): 27844 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::uBit): 27845 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::wBit): 27846 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::immediate8): 27847 (ARMv7DOpcodeLoadUnsignedImmediate): 27848 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadUnsignedImmediate::immediate12): 27849 (ARMv7DOpcodeLongMultipleDivide): 27850 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::opName): 27851 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::smlalOpName): 27852 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::smlaldOpName): 27853 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::smlsldOpName): 27854 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::rdLo): 27855 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::rdHi): 27856 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::op1): 27857 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::op2): 27858 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::nBit): 27859 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::mBit): 27860 (ARMv7DOpcodeDataPushPopSingle): 27861 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopSingle::opName): 27862 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopSingle::op): 27863 (ARMv7DOpcodeDataStoreSingle): 27864 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataStoreSingle::opName): 27865 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataStoreSingle::op): 27866 (ARMv7DOpcodeStoreSingleImmediate12): 27867 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate12::immediate12): 27868 (ARMv7DOpcodeStoreSingleImmediate8): 27869 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::pBit): 27870 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::uBit): 27871 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::wBit): 27872 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::immediate8): 27873 (ARMv7DOpcodeStoreSingleRegister): 27874 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleRegister::immediate2): 27875 (ARMv7DOpcodeUnmodifiedImmediate): 27876 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::opName): 27877 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::op): 27878 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::shBit): 27879 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::bitNumOrSatImmediate): 27880 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::immediate5): 27881 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::immediate12): 27882 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::immediate16): 27883 (ARMv7DOpcodeVMOVDoublePrecision): 27884 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::op): 27885 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt2): 27886 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt): 27887 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::globalData): 27888 (ARMv7DOpcodeVMOVSinglePrecision): 27889 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::op): 27890 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt2): 27891 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt): 27892 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::globalData): 27893 (ARMv7DOpcodeVMSR): 27894 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMSR::opL): 27895 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMSR::rt): 27896 * disassembler/ARMv7Disassembler.cpp: Added. 27897 (JSC::tryToDisassemble): 27898 278992013-05-07 Julien Brianceau <jbrianceau@nds.com> 27900 27901 Take advantage of pre-decrement and post-increment opcodes for sh4 base JIT. 27902 https://bugs.webkit.org/show_bug.cgi?id=115722 27903 27904 Reviewed by Oliver Hunt. 27905 27906 * assembler/MacroAssemblerSH4.h: 27907 (JSC::MacroAssemblerSH4::load8PostInc): 27908 (MacroAssemblerSH4): 27909 (JSC::MacroAssemblerSH4::load16Unaligned): 27910 (JSC::MacroAssemblerSH4::load16PostInc): 27911 (JSC::MacroAssemblerSH4::storeDouble): 27912 (JSC::MacroAssemblerSH4::load32WithUnalignedHalfWords): 27913 * assembler/SH4Assembler.h: 27914 (JSC::SH4Assembler::movwMemRegIn): 27915 (SH4Assembler): 27916 (JSC::SH4Assembler::movbMemRegIn): 27917 (JSC::SH4Assembler::printInstr): 27918 279192013-05-07 Anders Carlsson <andersca@apple.com> 27920 27921 Remove AlwaysInline.h from WTF 27922 https://bugs.webkit.org/show_bug.cgi?id=115727 27923 27924 Reviewed by Brent Fulgham. 27925 27926 The macro that used to be in AlwaysInline.h is now in Compiler.h so there's no reason 27927 to keep AlwaysInline.h around anymore. 27928 27929 * jit/JSInterfaceJIT.h: 27930 * parser/Lexer.h: 27931 * runtime/JSCJSValue.h: 27932 * runtime/SymbolTable.h: 27933 279342013-05-07 Mikhail Pozdnyakov <mikhail.pozdnyakov@intel.com> 27935 27936 HashTraits<RefPtr<P> >::PeekType should be raw pointer for better performance 27937 https://bugs.webkit.org/show_bug.cgi?id=115646 27938 27939 Reviewed by Darin Adler. 27940 27941 * bytecompiler/StaticPropertyAnalyzer.h: 27942 (JSC::StaticPropertyAnalyzer::putById): 27943 Updated accordingly to new HashMap<.., RefPtr>::get() semantics. 27944 279452013-05-06 Julien Brianceau <jbrianceau@nds.com> 27946 27947 Misc bugfix and cleaning in sh4 base JIT. 27948 https://bugs.webkit.org/show_bug.cgi?id=115627 27949 27950 Reviewed by Oliver Hunt. 27951 27952 Get rid of loadX(RegisterID r0, RegisterID src, RegisterID dest) functions. 27953 Remove misplaced extuw() implementation from MacroAssemblerSH4. 27954 Add movbRegMemr0 and movwRegMemr0 functions in SH4Assembler. 27955 27956 * assembler/MacroAssemblerSH4.h: 27957 (JSC::MacroAssemblerSH4::add32): Skip operation when first operand is a zero immediate. 27958 (JSC::MacroAssemblerSH4::sub32): Skip operation when first operand is a zero immediate. 27959 (JSC::MacroAssemblerSH4::load32): Fix wrong usage of r0 register. 27960 (JSC::MacroAssemblerSH4::load8Signed): Handle "base == r0" case. 27961 (MacroAssemblerSH4): 27962 (JSC::MacroAssemblerSH4::load16): Handle "base == r0" case. 27963 (JSC::MacroAssemblerSH4::load16Unaligned): Use extuw() implementation from SH4Assembler. 27964 (JSC::MacroAssemblerSH4::load16Signed): Cosmetic change. 27965 (JSC::MacroAssemblerSH4::store8): Fix unhandled BaseIndex offset and handle (base == r0) case. 27966 (JSC::MacroAssemblerSH4::store16): Fix unhandled BaseIndex offset and handle (base == r0) case. 27967 (JSC::MacroAssemblerSH4::store32): 27968 * assembler/SH4Assembler.h: 27969 (JSC::SH4Assembler::movwRegMemr0): 27970 (SH4Assembler): 27971 (JSC::SH4Assembler::movbRegMemr0): 27972 (JSC::SH4Assembler::placeConstantPoolBarrier): Cosmetic change. 27973 (JSC::SH4Assembler::maxJumpReplacementSize): 27974 (JSC::SH4Assembler::replaceWithJump): Correct branch range and save an opcode. 27975 (JSC::SH4Assembler::printInstr): 27976 279772013-05-06 Anders Carlsson <andersca@apple.com> 27978 27979 Stop using WTF::deleteAllValues in JavaScriptCore 27980 https://bugs.webkit.org/show_bug.cgi?id=115670 27981 27982 Reviewed by Oliver Hunt. 27983 27984 Change the Vectors used to Vectors of OwnPtrs instead. 27985 27986 * heap/DFGCodeBlocks.cpp: 27987 (JSC::DFGCodeBlocks::~DFGCodeBlocks): 27988 (JSC::DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks): 27989 279902013-05-06 Andras Becsi <andras.becsi@digia.com> 27991 27992 Build with GCC 4.8 fails because of -Wmaybe-uninitialized 27993 https://bugs.webkit.org/show_bug.cgi?id=115648 27994 27995 Reviewed by Michael Saboff. 27996 27997 Initialize values in Options::setOption since from 27998 there we end up calling OptionRange::init with 27999 uninitialized members. 28000 28001 * runtime/Options.cpp: 28002 280032013-05-06 Gabor Rapcsanyi <rgabor@webkit.org> 28004 28005 JSC ARM traditional failing on Octane NavierStokes test 28006 https://bugs.webkit.org/show_bug.cgi?id=115626 28007 28008 Reviewed by Zoltan Herczeg. 28009 28010 Change the ARM traditional assembler to use double precision on value 28011 conversions. 28012 28013 * assembler/ARMAssembler.h: 28014 280152013-05-03 Michael Saboff <msaboff@apple.com> 28016 28017 There should be a runtime option to constrain what functions get DFG compiled 28018 https://bugs.webkit.org/show_bug.cgi?id=115576 28019 28020 Reviewed by Mark Hahnenberg. 28021 28022 Added OptionRange to Options to allow checking that something is within an option 28023 or not. The new OptionClass supports range strings in the form of [!]<low>[:<high>]. 28024 If only one value is given, then it will be used for both low and high. A leading 28025 '!' inverts the check. If no range is given, then checking for a value within a range 28026 will always return true. Added the option "bytecodeRangeToDFGCompile" that takes an 28027 OptionRange string to select the bytecode range of code blocks to DFG compile. 28028 28029 * dfg/DFGDriver.cpp: 28030 (JSC::DFG::compile): Added new check for bytecode count within bytecodeRangeToDFGCompile 28031 range. 28032 * runtime/Options.cpp: 28033 (JSC::parse): Added overloaded parse() for OptionRange. 28034 (JSC::OptionRange::init): Parse range string and then initialize the range. 28035 (JSC::OptionRange::isInRange): Function used by consumer to check if a value is within 28036 the specified range. 28037 (JSC::Options::dumpOption): Added code to dump OptionRange options. 28038 * runtime/Options.h: 28039 (OptionRange): New class. 28040 (JSC::OptionRange::operator= ): This is really used as a default ctor for use within 28041 the Option static array initialization. 28042 (JSC::OptionRange::rangeString): This is used for debug. It assumes that the char* 28043 passed into OptionRange::init is valid when this function is called. 28044 280452013-05-02 Oliver Hunt <oliver@apple.com> 28046 28047 Fix potential bug in lookup logic 28048 https://bugs.webkit.org/show_bug.cgi?id=115522 28049 28050 Reviewed by Mark Hahnenberg. 28051 28052 Though not a problem in practise, it is technically possible 28053 to inject an un-proxied global object into the scope chain 28054 via the C API. This change makes sure that the scope walk 28055 in BytecodeGenerator actually limits itself to scopes that 28056 are statically bindable. 28057 28058 * bytecompiler/BytecodeGenerator.cpp: 28059 (JSC::BytecodeGenerator::resolve): 28060 * runtime/JSObject.h: 28061 (JSObject): 28062 (JSC): 28063 (JSC::JSObject::isStaticScopeObject): 28064 280652013-05-01 Roger Fong <roger_fong@apple.com> 28066 28067 Set Path in makefile for AppleWin. 28068 28069 * JavaScriptCore.vcxproj/JavaScriptCore.make: 28070 280712013-05-01 Benjamin Poulain <benjamin@webkit.org> 28072 28073 Remove the remaining wscript 28074 https://bugs.webkit.org/show_bug.cgi?id=115459 28075 28076 Reviewed by Andreas Kling. 28077 28078 * wscript: Removed. 28079 280802013-04-30 Mark Lam <mark.lam@apple.com> 28081 28082 JSContextGroupSetExecutionTimeLimit() should not pass a callback to the 28083 JSGlobalData watchdog if its client did not pass one in. 28084 https://bugs.webkit.org/show_bug.cgi?id=115461. 28085 28086 Reviewed by Geoffrey Garen. 28087 28088 * API/JSContextRef.cpp: 28089 (internalScriptTimeoutCallback): 28090 (JSContextGroupSetExecutionTimeLimit): 28091 * API/tests/testapi.c: 28092 (main): 28093 - Added test case when the time limit callback is 0. 28094 - Also updated a check to verify that a TerminatedExecutionException is 28095 thrown when the time out is cancelled. 28096 - Also fixed some cosmetic typos. 28097 280982013-04-30 Geoffrey Garen <ggaren@apple.com> 28099 28100 Removed op_ensure_property_exists 28101 https://bugs.webkit.org/show_bug.cgi?id=115460 28102 28103 Reviewed by Mark Hahnenberg. 28104 28105 It was unused, and whatever it was once used for was not optimized. 28106 28107 * JavaScriptCore.order: 28108 * bytecode/CodeBlock.cpp: 28109 (JSC::CodeBlock::dumpBytecode): 28110 * bytecode/Opcode.h: 28111 (JSC::padOpcodeName): 28112 * jit/JIT.cpp: 28113 (JSC::JIT::privateCompileMainPass): 28114 * jit/JIT.h: 28115 * jit/JITOpcodes.cpp: 28116 * jit/JITOpcodes32_64.cpp: 28117 * jit/JITStubs.cpp: 28118 * jit/JITStubs.h: 28119 * llint/LLIntSlowPaths.cpp: 28120 * llint/LLIntSlowPaths.h: 28121 * llint/LowLevelInterpreter.asm: 28122 281232013-04-30 Oliver Hunt <oliver@apple.com> 28124 28125 JSC Stack walking logic craches in the face of inlined functions triggering JSGlobalData re-entry 28126 https://bugs.webkit.org/show_bug.cgi?id=115449 28127 28128 Reviewed by Geoffrey Garen. 28129 28130 Rename callframeishost to something that makes sense, and fix 28131 getCallerInfo to correctly handle inline functions calling into 28132 the JSGlobalData. 28133 28134 * bytecode/CodeBlock.cpp: 28135 (JSC::CodeBlock::codeOriginForReturn): 28136 Make this more robust in the face of incorrect stack walking 28137 * interpreter/CallFrame.cpp: 28138 (JSC::CallFrame::trueCallerFrame): 28139 Everyone has to perform a codeblock() check before calling this 28140 so we might as well just do it here. 28141 * interpreter/Interpreter.cpp: 28142 (JSC::getCallerInfo): 28143 281442013-04-30 Julien Brianceau <jbrianceau@nds.com> 28145 28146 Bug fixing in sh4 base JIT and LLINT. 28147 https://bugs.webkit.org/show_bug.cgi?id=115420 28148 28149 Reviewed by Oliver Hunt. 28150 28151 * assembler/MacroAssemblerSH4.h: 28152 (JSC::MacroAssemblerSH4::lshift32): 28153 (JSC::MacroAssemblerSH4::rshift32): 28154 (JSC::MacroAssemblerSH4::branchMul32): 28155 (JSC::MacroAssemblerSH4::urshift32): 28156 (JSC::MacroAssemblerSH4::replaceWithJump): 28157 (JSC::MacroAssemblerSH4::maxJumpReplacementSize): 28158 * assembler/SH4Assembler.h: 28159 (JSC::SH4Assembler::shldRegReg): 28160 (JSC::SH4Assembler::shadRegReg): 28161 (JSC::SH4Assembler::shalImm8r): 28162 (SH4Assembler): 28163 (JSC::SH4Assembler::sharImm8r): 28164 (JSC::SH4Assembler::maxJumpReplacementSize): 28165 (JSC::SH4Assembler::replaceWithJump): 28166 * offlineasm/sh4.rb: 28167 281682013-04-30 Geoffrey Garen <ggaren@apple.com> 28169 28170 Objective-C JavaScriptCore API should publicly support bridging to C 28171 https://bugs.webkit.org/show_bug.cgi?id=115447 28172 28173 Reviewed by Mark Hahnenberg. 28174 28175 For consistency, I renamed 28176 28177 +[JSValue valueWithValue:] => +[JSValue valueWithJSValueRef] 28178 +[JSContext contextWithGlobalContextRef] => +[JSContext contextWithJSGlobalContextRef] 28179 -[JSContext globalContext] => -[JSContext JSGlobalContextRef] 28180 28181 I searched svn to verify that these functions don't have clients yet, 28182 so we won't break anything. 28183 28184 I also exported as public API 28185 28186 +[JSValue valueWithJSValueRef:] 28187 +[JSContext contextWithJSGlobalContextRef:] 28188 28189 It's hard to integrate with the C API without these. 28190 281912013-04-30 Commit Queue <rniwa@webkit.org> 28192 28193 Unreviewed, rolling out r149349 and r149354. 28194 http://trac.webkit.org/changeset/149349 28195 http://trac.webkit.org/changeset/149354 28196 https://bugs.webkit.org/show_bug.cgi?id=115444 28197 28198 The Thumb version of compileSoftModulo make invalid use of 28199 registers (Requested by benjaminp on #webkit). 28200 28201 * CMakeLists.txt: 28202 * GNUmakefile.list.am: 28203 * JavaScriptCore.xcodeproj/project.pbxproj: 28204 * assembler/ARMv7Assembler.h: 28205 (ARMv7Assembler): 28206 * assembler/AbstractMacroAssembler.h: 28207 (JSC::isARMv7s): 28208 (JSC): 28209 * assembler/MacroAssemblerARMv7.cpp: Removed. 28210 * assembler/MacroAssemblerARMv7.h: 28211 (MacroAssemblerARMv7): 28212 * dfg/DFGFixupPhase.cpp: 28213 (JSC::DFG::FixupPhase::fixupNode): 28214 * dfg/DFGOperations.cpp: 28215 * dfg/DFGOperations.h: 28216 * dfg/DFGSpeculativeJIT.cpp: 28217 (JSC::DFG::SpeculativeJIT::compileSoftModulo): 28218 (DFG): 28219 (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARMv7s): 28220 * dfg/DFGSpeculativeJIT.h: 28221 (JSC::DFG::SpeculativeJIT::callOperation): 28222 (SpeculativeJIT): 28223 * dfg/DFGSpeculativeJIT32_64.cpp: 28224 (JSC::DFG::SpeculativeJIT::compile): 28225 282262013-04-30 Zalan Bujtas <zalan@apple.com> 28227 28228 Animations fail to start on http://www.google.com/insidesearch/howsearchworks/thestory/ 28229 https://bugs.webkit.org/show_bug.cgi?id=111244 28230 28231 Reviewed by David Kilzer. 28232 28233 Enable performance.now() as a minimal subset of Web Timing API. 28234 It returns DOMHighResTimeStamp, a monotonically increasing value representing the 28235 number of milliseconds from the start of the navigation of the current document. 28236 JS libraries use this API to check against the requestAnimationFrame() timestamp. 28237 28238 * Configurations/FeatureDefines.xcconfig: 28239 282402013-04-30 Zoltan Arvai <zarvai@inf.u-szeged.hu> 28241 28242 Unreviewed. Speculative build fix on Qt Arm and Mips after r149349. 28243 28244 * dfg/DFGSpeculativeJIT.cpp: 28245 (JSC::DFG::SpeculativeJIT::compileSoftModulo): 28246 282472013-04-29 Cosmin Truta <ctruta@blackberry.com> 28248 28249 [ARM] Expand the use of integer division 28250 https://bugs.webkit.org/show_bug.cgi?id=115138 28251 28252 Reviewed by Benjamin Poulain. 28253 28254 If availability of hardware integer division isn't known at compile 28255 time, check the CPU flags and decide at runtime whether to fall back 28256 to software. Currently, this OS-specific check is implemented on QNX. 28257 28258 Moreover, use operator % instead of fmod() in the calculation of the 28259 software modulo. Even when it's software-emulated, operator % is faster 28260 than fmod(): on ARM v7 QNX, without hardware division, we noticed 28261 >3% speedup on SunSpider. 28262 28263 * CMakeLists.txt: 28264 * GNUmakefile.list.am: 28265 * JavaScriptCore.xcodeproj/project.pbxproj: 28266 * assembler/ARMv7Assembler.h: 28267 (JSC::ARMv7Assembler::sdiv): Did not compile conditionally. 28268 (JSC::ARMv7Assembler::udiv): Ditto. 28269 * assembler/AbstractMacroAssembler.h: 28270 (JSC::isARMv7s): Removed. 28271 * assembler/MacroAssemblerARMv7.cpp: Added. 28272 (JSC::isIntegerDivSupported): Added. 28273 * assembler/MacroAssemblerARMv7.h: 28274 (JSC::MacroAssemblerARMv7::supportsIntegerDiv): Added. 28275 * dfg/DFGFixupPhase.cpp: 28276 (JSC::DFG::FixupPhase::fixupNode): Checked MacroAssembler::supportsIntegerDiv() in ArithDiv case. 28277 * dfg/DFGOperations.cpp: 28278 (JSC::DFG::operationModOnInts): Added. 28279 * dfg/DFGOperations.h: 28280 (JSC::DFG::Z_DFGOperation_ZZ): Added. 28281 * dfg/DFGSpeculativeJIT.cpp: 28282 (JSC::DFG::SpeculativeJIT::compileSoftModulo): Separated the X86-specific and ARM-specific codegen 28283 from the common implementation; used operationModOnInts on ARM. 28284 (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARM): Renamed from compileIntegerArithDivForARMv7. 28285 (JSC::DFG::SpeculativeJIT::compileArithMod): Allowed run-time detection of integer div on ARM. 28286 * dfg/DFGSpeculativeJIT.h: 28287 (JSC::DFG::SpeculativeJIT::callOperation): Added overloads with Z_DFGOperation_ZZ arguments. 28288 * dfg/DFGSpeculativeJIT32_64.cpp: 28289 (JSC::DFG::SpeculativeJIT::compile): Used compileIntegerArithDivForARM. 28290 282912013-04-29 Benjamin Poulain <benjamin@webkit.org> 28292 28293 Unify the data access of StringImpl members from JavaScriptCore 28294 https://bugs.webkit.org/show_bug.cgi?id=115320 28295 28296 Reviewed by Andreas Kling. 28297 28298 DFG accesses the member infos by directly calling the methods on StringImpl, 28299 while the baseline JIT was using helper methods on ThunkHelpers. 28300 28301 Cut the middle man, and use StringImpl directly everywhere. 28302 28303 * jit/JITInlines.h: 28304 (JSC::JIT::emitLoadCharacterString): 28305 * jit/JITPropertyAccess.cpp: 28306 (JSC::JIT::stringGetByValStubGenerator): 28307 * jit/JITPropertyAccess32_64.cpp: 28308 (JSC::JIT::stringGetByValStubGenerator): 28309 * jit/JSInterfaceJIT.h: 28310 * jit/ThunkGenerators.cpp: 28311 (JSC::stringCharLoad): 28312 283132013-04-29 Benjamin Poulain <bpoulain@apple.com> 28314 28315 Use push and pop for iOS math function thunks 28316 https://bugs.webkit.org/show_bug.cgi?id=115215 28317 28318 Reviewed by Filip Pizlo. 28319 28320 The iOS ABI is a little different than regular ARM ABI regarding stack alignment. 28321 The requirement is 4 bytes: 28322 "The ARM environment uses a stack that—at the point of function calls—is 4-byte aligned, 28323 grows downward, and contains local variables and a function’s parameters." 28324 28325 Subsequently, we can just use push and pop to preserve the link register. 28326 28327 * jit/ThunkGenerators.cpp: 28328 283292013-04-29 Brent Fulgham <bfulgham@webkit.org> 28330 28331 [Windows, WinCairo] Get rid of last few pthread include/link references. 28332 https://bugs.webkit.org/show_bug.cgi?id=115375 28333 28334 Reviewed by Tim Horton. 28335 28336 * JavaScriptCore.vcproj/jsc/jscPostBuild.cmd: 28337 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: 28338 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: 28339 * JavaScriptCore.vcxproj/jsc/jscCommon.props: 28340 * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: 28341 * JavaScriptCore.vcxproj/testapi/testapiCommon.props: 28342 283432013-04-29 Roger Fong <roger_fong@apple.com> 28344 28345 Unreviewed. AppleWin VS2010 build fix. 28346 28347 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 28348 283492013-04-26 Mark Hahnenberg <mhahnenberg@apple.com> 28350 28351 ~BlockAllocator should ASSERT that it has no more Regions left 28352 https://bugs.webkit.org/show_bug.cgi?id=115287 28353 28354 Reviewed by Andreas Kling. 28355 28356 * heap/BlockAllocator.cpp: 28357 (JSC::BlockAllocator::~BlockAllocator): 28358 (JSC::BlockAllocator::allRegionSetsAreEmpty): 28359 * heap/BlockAllocator.h: 28360 (RegionSet): 28361 (JSC::BlockAllocator::RegionSet::isEmpty): 28362 (BlockAllocator): 28363 283642013-04-29 Mark Hahnenberg <mhahnenberg@apple.com> 28365 28366 IndexingTypes should use hex 28367 https://bugs.webkit.org/show_bug.cgi?id=115286 28368 28369 Decimal is kind of confusing/hard to read because they're used as bit masks. Hex seems more appropriate. 28370 28371 Reviewed by Geoffrey Garen. 28372 28373 * runtime/IndexingType.h: 28374 283752013-04-29 Carlos Garcia Campos <cgarcia@igalia.com> 28376 28377 Unreviewed. Fix make distcheck. 28378 28379 * GNUmakefile.list.am: Add missing headers files to compilation 28380 and offlineasm/sh4.rb script. 28381 283822013-04-28 Dean Jackson <dino@apple.com> 28383 28384 [Mac] Disable canvas backing store scaling (HIGH_DPI_CANVAS) 28385 https://bugs.webkit.org/show_bug.cgi?id=115310 28386 28387 Reviewed by Simon Fraser. 28388 28389 Remove ENABLE_HIGH_DPI_CANVAS_macosx. 28390 28391 * Configurations/FeatureDefines.xcconfig: 28392 283932013-04-27 Darin Adler <darin@apple.com> 28394 28395 Move from constructor and member function adoptCF/NS to free function adoptCF/NS. 28396 https://bugs.webkit.org/show_bug.cgi?id=115307 28397 28398 Reviewed by Geoffrey Garen. 28399 28400 * heap/HeapTimer.cpp: 28401 (JSC::HeapTimer::HeapTimer): 28402 * runtime/JSGlobalData.cpp: 28403 (JSC::enableAssembler): 28404 Use adoptCF free function. 28405 284062013-04-27 Anders Carlsson <andersca@apple.com> 28407 28408 Try to fix the Windows build. 28409 28410 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: 28411 284122013-04-25 Geoffrey Garen <ggaren@apple.com> 28413 28414 Cleaned up pre/post inc/dec in bytecode 28415 https://bugs.webkit.org/show_bug.cgi?id=115222 28416 28417 Reviewed by Filip Pizlo. 28418 28419 A few related changes here: 28420 28421 (*) Removed post_inc and post_dec. The two-result form was awkward to 28422 reason about. Being explicit about the intermediate mov and to_number 28423 reduces DFG overhead, removes some fragile ASSERTs from the DFG, and 28424 fixes a const bug. Plus, we get to blow away 262 lines of code. 28425 28426 (*) Renamed pre_inc and pre_dec to inc and dec, since there's only one 28427 version now. 28428 28429 (*) Renamed to_jsnumber to to_number, to match the ECMA name. 28430 28431 (*) Tightened up the codegen and runtime support for to_number. 28432 28433 28434 * JavaScriptCore.order: Order! 28435 28436 * bytecode/CodeBlock.cpp: 28437 (JSC::CodeBlock::dumpBytecode): 28438 * bytecode/Opcode.h: 28439 (JSC::padOpcodeName): 28440 * bytecompiler/BytecodeGenerator.cpp: 28441 (JSC::BytecodeGenerator::emitInc): 28442 (JSC::BytecodeGenerator::emitDec): 28443 * bytecompiler/BytecodeGenerator.h: 28444 (JSC::BytecodeGenerator::emitToNumber): 28445 (BytecodeGenerator): Removed post_inc and post_dec. 28446 28447 * bytecompiler/NodesCodegen.cpp: 28448 (JSC::emitPreIncOrDec): Updated for rename. 28449 28450 (JSC::emitPostIncOrDec): Issue an explicit mov and to_number when needed. 28451 These are rare, and they boil away in the DFG. 28452 28453 (JSC::PostfixNode::emitResolve): 28454 (JSC::PrefixNode::emitResolve): For const, use an explicit mov instead 28455 of any special forms. This fixes a bug where we would do string 28456 add/subtract instead of number. 28457 28458 * dfg/DFGByteCodeParser.cpp: 28459 (JSC::DFG::ByteCodeParser::parseBlock): 28460 * dfg/DFGCapabilities.h: 28461 (JSC::DFG::canCompileOpcode): 28462 * jit/JIT.cpp: 28463 (JSC::JIT::privateCompileMainPass): 28464 (JSC::JIT::privateCompileSlowCases): 28465 * jit/JIT.h: 28466 * jit/JITArithmetic.cpp: 28467 (JSC::JIT::emit_op_inc): 28468 (JSC::JIT::emitSlow_op_inc): 28469 (JSC::JIT::emit_op_dec): 28470 (JSC::JIT::emitSlow_op_dec): 28471 * jit/JITArithmetic32_64.cpp: 28472 (JSC::JIT::emit_op_inc): 28473 (JSC::JIT::emitSlow_op_inc): 28474 (JSC::JIT::emit_op_dec): 28475 (JSC::JIT::emitSlow_op_dec): Removed post_inc/dec, and updated for renames. 28476 28477 * jit/JITOpcodes.cpp: 28478 (JSC::JIT::emit_op_to_number): 28479 (JSC::JIT::emitSlow_op_to_number): Removed a test for number cells. There's 28480 no such thing! 28481 28482 * jit/JITOpcodes32_64.cpp: 28483 (JSC::JIT::emit_op_to_number): Use LowestTag to avoid making assumptions 28484 about the lowest valued tag. 28485 28486 (JSC::JIT::emitSlow_op_to_number): Updated for renames. 28487 28488 * jit/JITStubs.cpp: 28489 (JSC::DEFINE_STUB_FUNCTION): 28490 * jit/JITStubs.h: 28491 * llint/LLIntSlowPaths.cpp: 28492 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 28493 * llint/LLIntSlowPaths.h: 28494 * llint/LowLevelInterpreter32_64.asm: 28495 * llint/LowLevelInterpreter64.asm: 28496 * parser/NodeConstructors.h: 28497 (JSC::UnaryPlusNode::UnaryPlusNode): Removed post_inc/dec, and updated for renames. 28498 28499 * runtime/Operations.cpp: 28500 (JSC::jsIsObjectType): Removed a test for number cells. There's 28501 no such thing! 28502 285032013-04-27 Julien Brianceau <jbrianceau@nds.com> 28504 28505 REGRESSION(r149114): cache flush for SH4 arch may flush an extra page. 28506 https://bugs.webkit.org/show_bug.cgi?id=115305 28507 28508 Reviewed by Andreas Kling. 28509 28510 * assembler/SH4Assembler.h: 28511 (JSC::SH4Assembler::cacheFlush): 28512 285132013-04-26 Geoffrey Garen <ggaren@apple.com> 28514 28515 Re-landing <http://trac.webkit.org/changeset/148999> 28516 28517 Filled out more cases of branch folding in bytecode when emitting 28518 expressions into a branching context 28519 https://bugs.webkit.org/show_bug.cgi?id=115057 28520 28521 Reviewed by Phil Pizlo. 28522 28523 We can't fold the number == 1 case to boolean because all non-zero numbers 28524 down-cast to true, but only 1 is == to true. 28525 285262013-04-26 Filip Pizlo <fpizlo@apple.com> 28527 28528 Correct indentation of SymbolTable.h 28529 28530 Rubber stamped by Mark Hahnenberg. 28531 28532 * runtime/SymbolTable.h: 28533 285342013-04-26 Roger Fong <roger_fong@apple.com> 28535 28536 Make Apple Windows VS2010 build results into and get dependencies from __32 suffixed folders. 28537 Make the DebugSuffix configuration use _debug dependencies. 28538 28539 * JavaScriptCore.vcxproj/JavaScriptCore.make: 28540 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 28541 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 28542 * JavaScriptCore.vcxproj/JavaScriptCoreCF.props: 28543 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: 28544 * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props: 28545 * JavaScriptCore.vcxproj/JavaScriptCoreDebugCFLite.props: 28546 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj: 28547 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters: 28548 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorBuildCmd.cmd: 28549 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props: 28550 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorDebug.props: 28551 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd: 28552 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPreBuild.cmd: 28553 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorProduction.props: 28554 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props: 28555 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: 28556 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: 28557 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedCommon.props: 28558 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props: 28559 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedProduction.props: 28560 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props: 28561 * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: 28562 * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: 28563 * JavaScriptCore.vcxproj/JavaScriptCoreProduction.props: 28564 * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props: 28565 * JavaScriptCore.vcxproj/JavaScriptCoreReleaseCFLite.props: 28566 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make: 28567 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: 28568 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: 28569 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make: 28570 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: 28571 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: 28572 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: 28573 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: 28574 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: 28575 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorProduction.props: 28576 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: 28577 * JavaScriptCore.vcxproj/build-generated-files.sh: 28578 * JavaScriptCore.vcxproj/copy-files.cmd: 28579 * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: 28580 * JavaScriptCore.vcxproj/jsc/jscCommon.props: 28581 * JavaScriptCore.vcxproj/jsc/jscDebug.props: 28582 * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd: 28583 * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd: 28584 * JavaScriptCore.vcxproj/jsc/jscProduction.props: 28585 * JavaScriptCore.vcxproj/jsc/jscRelease.props: 28586 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: 28587 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters: 28588 * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: 28589 * JavaScriptCore.vcxproj/testRegExp/testRegExpDebug.props: 28590 * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd: 28591 * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd: 28592 * JavaScriptCore.vcxproj/testRegExp/testRegExpProduction.props: 28593 * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props: 28594 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: 28595 * JavaScriptCore.vcxproj/testapi/testapiCommon.props: 28596 * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: 28597 * JavaScriptCore.vcxproj/testapi/testapiDebug.props: 28598 * JavaScriptCore.vcxproj/testapi/testapiDebugCFLite.props: 28599 * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd: 28600 * JavaScriptCore.vcxproj/testapi/testapiProduction.props: 28601 * JavaScriptCore.vcxproj/testapi/testapiRelease.props: 28602 * JavaScriptCore.vcxproj/testapi/testapiReleaseCFLite.props: 28603 286042013-04-26 Roger Fong <roger_fong@apple.com> 28605 28606 Disable sub-pixel layout on mac. 28607 https://bugs.webkit.org/show_bug.cgi?id=114999. 28608 28609 Reviewed by Simon Fraser. 28610 28611 * Configurations/FeatureDefines.xcconfig: 28612 286132013-04-26 Oliver Hunt <oliver@apple.com> 28614 28615 Make stack tracing more robust 28616 https://bugs.webkit.org/show_bug.cgi?id=115272 28617 28618 Reviewed by Geoffrey Garen. 28619 28620 CallFrame already handles stack walking confusion robustly, 28621 so we should make sure that the actual walk handles that as well. 28622 28623 * interpreter/Interpreter.cpp: 28624 (JSC::getCallerInfo): 28625 286262013-04-26 Mark Hahnenberg <mhahnenberg@apple.com> 28627 28628 REGRESSION(r149165): It made many tests crash on 32 bit 28629 https://bugs.webkit.org/show_bug.cgi?id=115227 28630 28631 Reviewed by Csaba Osztrogonác. 28632 28633 m_reservation is uninitialized when ENABLE(SUPER_REGION) is false. 28634 28635 * heap/SuperRegion.cpp: 28636 (JSC::SuperRegion::~SuperRegion): 28637 286382013-04-26 Julien Brianceau <jbrianceau@nds.com> 28639 28640 Fix SH4 build broken since r149159. 28641 https://bugs.webkit.org/show_bug.cgi?id=115229 28642 28643 Add BranchTruncateType enum in SH4 port and handle it in branchTruncateDoubleToInt32. 28644 28645 Reviewed by Allan Sandfeld Jensen. 28646 28647 * assembler/MacroAssemblerSH4.h: 28648 (JSC::MacroAssemblerSH4::branchTruncateDoubleToInt32): 28649 286502013-04-25 Mark Hahnenberg <mhahnenberg@apple.com> 28651 28652 SuperRegion doesn't call deallocate() on its PageReservation 28653 https://bugs.webkit.org/show_bug.cgi?id=115208 28654 28655 Reviewed by Geoffrey Garen. 28656 28657 It should. This doesn't cause us to leak physical memory, but it does cause us to leak virtual 28658 address space (and probably mach ports), which is also bad :-( FixedVMPoolExecutableAllocator 28659 also has this bug, but it doesn't matter much because there's only one instance of that class 28660 throughout the entire lifetime of the process, whereas each JSGlobalData has its own SuperRegion. 28661 28662 * heap/SuperRegion.cpp: 28663 (JSC::SuperRegion::~SuperRegion): 28664 * heap/SuperRegion.h: 28665 (SuperRegion): 28666 * jit/ExecutableAllocatorFixedVMPool.cpp: 28667 (FixedVMPoolExecutableAllocator): 28668 (JSC::FixedVMPoolExecutableAllocator::~FixedVMPoolExecutableAllocator): 28669 286702013-04-25 Filip Pizlo <fpizlo@apple.com> 28671 28672 DFG doesn't support to_jsnumber 28673 https://bugs.webkit.org/show_bug.cgi?id=115129 28674 28675 Reviewed by Geoffrey Garen. 28676 28677 Based on Oliver's patch. Implements to_jsnumber as Identity(Number:@thingy), and then does 28678 an optimization in Fixup to turn Identity(Number:) into Identity(Int32:) if the predictions 28679 tell us to. Identity is later turned into Phantom. 28680 28681 Also fixed BackPropMask, which appeared to have NodeDoesNotExit included in it. That's 28682 wrong; NodeDoesNotExit is not a backward propagation property. 28683 28684 Also fixed Identity to be marked as CanExit (i.e. not NodeDoesNotExit). 28685 28686 This more than doubles the FPS on ammo. 28687 28688 * dfg/DFGByteCodeParser.cpp: 28689 (JSC::DFG::ByteCodeParser::parseBlock): 28690 * dfg/DFGCapabilities.h: 28691 (JSC::DFG::canCompileOpcode): 28692 * dfg/DFGFixupPhase.cpp: 28693 (JSC::DFG::FixupPhase::fixupNode): 28694 (FixupPhase): 28695 (JSC::DFG::FixupPhase::observeUseKindOnNode): 28696 (JSC::DFG::FixupPhase::observeUseKindOnEdge): 28697 * dfg/DFGNodeFlags.h: 28698 (DFG): 28699 * dfg/DFGNodeType.h: 28700 (DFG): 28701 * dfg/DFGPredictionPropagationPhase.cpp: 28702 (JSC::DFG::PredictionPropagationPhase::propagate): 28703 287042013-04-24 Oliver Hunt <oliver@apple.com> 28705 28706 Add support for Math.imul 28707 https://bugs.webkit.org/show_bug.cgi?id=115143 28708 28709 Reviewed by Filip Pizlo. 28710 28711 Add support for Math.imul, a thunk generator for Math.imul, 28712 and an intrinsic. 28713 28714 Fairly self explanatory set of changes, DFG intrinsics simply 28715 leverages the existing ValueToInt32 nodes. 28716 28717 * create_hash_table: 28718 * dfg/DFGAbstractState.cpp: 28719 (JSC::DFG::AbstractState::executeEffects): 28720 * dfg/DFGBackwardsPropagationPhase.cpp: 28721 (JSC::DFG::BackwardsPropagationPhase::propagate): 28722 * dfg/DFGByteCodeParser.cpp: 28723 (JSC::DFG::ByteCodeParser::handleIntrinsic): 28724 * dfg/DFGCSEPhase.cpp: 28725 (JSC::DFG::CSEPhase::performNodeCSE): 28726 * dfg/DFGFixupPhase.cpp: 28727 (JSC::DFG::FixupPhase::fixupNode): 28728 * dfg/DFGNodeType.h: 28729 (DFG): 28730 * dfg/DFGPredictionPropagationPhase.cpp: 28731 (JSC::DFG::PredictionPropagationPhase::propagate): 28732 * dfg/DFGSpeculativeJIT.cpp: 28733 (JSC::DFG::SpeculativeJIT::compileArithIMul): 28734 * dfg/DFGSpeculativeJIT.h: 28735 (SpeculativeJIT): 28736 * dfg/DFGSpeculativeJIT32_64.cpp: 28737 (JSC::DFG::SpeculativeJIT::compile): 28738 * dfg/DFGSpeculativeJIT64.cpp: 28739 (JSC::DFG::SpeculativeJIT::compile): 28740 * jit/ThunkGenerators.cpp: 28741 (JSC::imulThunkGenerator): 28742 (JSC): 28743 * jit/ThunkGenerators.h: 28744 (JSC): 28745 * runtime/Intrinsic.h: 28746 * runtime/MathObject.cpp: 28747 (JSC): 28748 (JSC::mathProtoFuncIMul): 28749 * runtime/JSGlobalData.cpp: 28750 (JSC::thunkGeneratorForIntrinsic): 28751 287522013-04-25 Filip Pizlo <fpizlo@apple.com> 28753 28754 Unreviewed, roll out http://trac.webkit.org/changeset/148999 28755 It broke http://kripken.github.io/ammo.js/examples/new/ammo.html 28756 28757 * JavaScriptCore.order: 28758 * bytecompiler/BytecodeGenerator.cpp: 28759 (JSC::BytecodeGenerator::emitNewArray): 28760 (JSC::BytecodeGenerator::emitThrowReferenceError): 28761 (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded): 28762 * bytecompiler/BytecodeGenerator.h: 28763 (JSC::BytecodeGenerator::shouldEmitProfileHooks): 28764 (BytecodeGenerator): 28765 * bytecompiler/NodesCodegen.cpp: 28766 (JSC): 28767 (JSC::NullNode::emitBytecode): 28768 (JSC::BooleanNode::emitBytecode): 28769 (JSC::NumberNode::emitBytecode): 28770 (JSC::StringNode::emitBytecode): 28771 (JSC::IfNode::emitBytecode): 28772 (JSC::IfElseNode::emitBytecode): 28773 * parser/ASTBuilder.h: 28774 (JSC::ASTBuilder::createIfStatement): 28775 (ASTBuilder): 28776 * parser/NodeConstructors.h: 28777 (JSC): 28778 (JSC::NullNode::NullNode): 28779 (JSC::BooleanNode::BooleanNode): 28780 (JSC::NumberNode::NumberNode): 28781 (JSC::StringNode::StringNode): 28782 (JSC::IfNode::IfNode): 28783 (JSC::IfElseNode::IfElseNode): 28784 * parser/Nodes.h: 28785 (JSC::ExpressionNode::isPure): 28786 (JSC::ExpressionNode::isSubtract): 28787 (StatementNode): 28788 (NullNode): 28789 (JSC::NullNode::isNull): 28790 (BooleanNode): 28791 (JSC::BooleanNode::isPure): 28792 (NumberNode): 28793 (JSC::NumberNode::value): 28794 (JSC::NumberNode::isPure): 28795 (StringNode): 28796 (JSC::StringNode::isPure): 28797 (JSC::StringNode::isString): 28798 (BinaryOpNode): 28799 (IfNode): 28800 (JSC): 28801 (IfElseNode): 28802 (ContinueNode): 28803 (BreakNode): 28804 * parser/Parser.cpp: 28805 (JSC::::parseIfStatement): 28806 * parser/ResultType.h: 28807 (ResultType): 28808 * runtime/JSCJSValueInlines.h: 28809 (JSC::JSValue::pureToBoolean): 28810 * runtime/JSCell.h: 28811 (JSCell): 28812 * runtime/JSCellInlines.h: 28813 (JSC): 28814 288152013-04-25 Filip Pizlo <fpizlo@apple.com> 28816 28817 PreciseJumpTargets should treat loop_hint as a jump target 28818 https://bugs.webkit.org/show_bug.cgi?id=115209 28819 28820 Reviewed by Mark Hahnenberg. 28821 28822 I didn't add a test but I turned this into a release assertion. Running Octane is enough 28823 to trigger it. 28824 28825 * bytecode/PreciseJumpTargets.cpp: 28826 (JSC::computePreciseJumpTargets): 28827 * dfg/DFGByteCodeParser.cpp: 28828 (JSC::DFG::ByteCodeParser::parseBlock): 28829 288302013-04-25 Roman Zhuykov <zhroma@ispras.ru> 28831 28832 Fix problems with processing negative zero on DFG. 28833 https://bugs.webkit.org/show_bug.cgi?id=113862 28834 28835 Reviewed by Filip Pizlo. 28836 28837 Fix NodeNeedsNegZero flag propagation in BackwardPropagationPhase. 28838 Function arithNodeFlags should not mask NodeNeedsNegZero flag for ArithNegate and DoubleAsInt32 28839 nodes and this flag should be always used to decide where we need to generate nezative-zero checks. 28840 Remove unnecessary negative-zero checks from integer ArithDiv on ARM. 28841 Also remove such checks from integer ArithMod on ARM and X86, and make them always to 28842 check not only "modulo_result == 0" but also "dividend < 0". 28843 Generate faster code for case when ArithMod operation divisor is constant power of 2 on ARMv7 28844 in the same way as on ARMv7s, and add negative-zero checks into this code when needed. 28845 Change speculationCheck ExitKind from Overflow to NegativeZero where applicable. 28846 28847 This shows 30% speedup of math-spectral-norm, and 5% speedup 28848 on SunSpider overall on ARMv7 Linux. 28849 28850 * assembler/MacroAssemblerARM.h: 28851 (JSC::MacroAssemblerARM::branchConvertDoubleToInt32): 28852 * assembler/MacroAssemblerARMv7.h: 28853 (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32): 28854 * assembler/MacroAssemblerMIPS.h: 28855 (JSC::MacroAssemblerMIPS::branchConvertDoubleToInt32): 28856 * assembler/MacroAssemblerSH4.h: 28857 (JSC::MacroAssemblerSH4::branchConvertDoubleToInt32): 28858 * assembler/MacroAssemblerX86Common.h: 28859 (JSC::MacroAssemblerX86Common::branchConvertDoubleToInt32): 28860 * dfg/DFGBackwardsPropagationPhase.cpp: 28861 (JSC::DFG::BackwardsPropagationPhase::isNotNegZero): 28862 (JSC::DFG::BackwardsPropagationPhase::isNotPosZero): 28863 (JSC::DFG::BackwardsPropagationPhase::propagate): 28864 * dfg/DFGNode.h: 28865 (JSC::DFG::Node::arithNodeFlags): 28866 * dfg/DFGSpeculativeJIT.cpp: 28867 (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32): 28868 (JSC::DFG::SpeculativeJIT::compileSoftModulo): 28869 (JSC::DFG::SpeculativeJIT::compileArithNegate): 28870 288712013-04-25 Oliver Hunt <oliver@apple.com> 28872 28873 Stack guards are too conservative 28874 https://bugs.webkit.org/show_bug.cgi?id=115147 28875 28876 Reviewed by Mark Hahnenberg. 28877 28878 Increase stack guard to closer to old size. 28879 28880 * interpreter/Interpreter.cpp: 28881 (JSC::Interpreter::StackPolicy::StackPolicy): 28882 288832013-04-25 Oliver Hunt <oliver@apple.com> 28884 28885 Stack guards are too conservative 28886 https://bugs.webkit.org/show_bug.cgi?id=115147 28887 28888 Reviewed by Geoffrey Garen. 28889 28890 Reduce the limits and simplify the decision making. 28891 28892 * interpreter/Interpreter.cpp: 28893 (JSC::Interpreter::StackPolicy::StackPolicy): 28894 288952013-04-25 Nick Diego Yamane <nick.yamane@openbossa.org> 28896 28897 JSC: Fix interpreter misbehavior in builds with JIT disabled 28898 https://bugs.webkit.org/show_bug.cgi?id=115190 28899 28900 Reviewed by Oliver Hunt. 28901 28902 Commit http://trac.webkit.org/changeset/147858 modified 28903 some details on how JS stack traces are built. The method 28904 "getLineNumberForCallFrame", renamed in that changeset to 28905 "getBytecodeOffsetForCallFrame" is always returning `0' when 28906 JIT is disabled 28907 28908 How to reproduce: 28909 - Build webkit with JIT disabled 28910 - Open MiniBrowser, for example, with http://google.com 28911 - In a debug build, WebProcess will hit the following ASSERT: 28912 Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp:279 ASSERT(low); 28913 28914 * interpreter/Interpreter.cpp: 28915 (JSC::getBytecodeOffsetForCallFrame): 28916 289172013-04-25 Oliver Hunt <oliver@apple.com> 28918 28919 Make checkSyntax take a JSGlobalData instead of an ExecState 28920 28921 RS=Tim 28922 28923 * jsc.cpp: 28924 (runInteractive): 28925 * runtime/Completion.cpp: 28926 (JSC::checkSyntax): 28927 * runtime/Completion.h: 28928 (JSC): 28929 289302013-04-25 Michael Saboff <msaboff@apple.com> 28931 28932 32 Bit: Crash due to RegExpTest nodes not setting result type to Boolean 28933 https://bugs.webkit.org/show_bug.cgi?id=115188 28934 28935 Reviewed by Geoffrey Garen. 28936 28937 Changed the RegExpTest node to set the AbstractValue to boolean, since that 28938 what it is. 28939 28940 * dfg/DFGAbstractState.cpp: 28941 (JSC::DFG::AbstractState::executeEffects): 28942 289432013-04-25 Julien Brianceau <jbrianceau@nds.com> 28944 28945 REGRESSION(r137994): Random crashes occur with SH4 JSC. 28946 https://bugs.webkit.org/show_bug.cgi?id=115167. 28947 28948 Reviewed by Oliver Hunt. 28949 28950 Since r137994, uncommited pages could be inside the area of memory in 28951 parameter of the cacheFlush function. That's why we have to flush each 28952 page separately to avoid a fail of the whole flush, if an uncommited page 28953 is in the area. 28954 28955 This patch is very similar to changeset 145194 made for ARMv7 architecture, 28956 see https://bugs.webkit.org/show_bug.cgi?id=111441 for further information. 28957 28958 * assembler/SH4Assembler.h: 28959 (JSC::SH4Assembler::cacheFlush): 28960 289612013-04-24 Mark Lam <mark.lam@apple.com> 28962 28963 Add watchdog timer polling for the DFG. 28964 https://bugs.webkit.org/show_bug.cgi?id=115134. 28965 28966 Reviewed by Geoffrey Garen. 28967 28968 The strategy is to add a speculation check to the DFG generated code to 28969 test if the watchdog timer has fired or not. If the watchdog timer has 28970 fired, the generated code will do an OSR exit to the baseline JIT, and 28971 let it handle servicing the watchdog timer. 28972 28973 If the watchdog is not enabled, this speculation check will not be 28974 emitted. 28975 28976 * API/tests/testapi.c: 28977 (currentCPUTime_callAsFunction): 28978 (extendTerminateCallback): 28979 (main): 28980 - removed try/catch statements so that we can test the watchdog on the DFG. 28981 - added JS bindings to a native currentCPUTime() function so that the timeout 28982 tests can be more accurate. 28983 - also shortened the time values so that the tests can complete sooner. 28984 28985 * bytecode/ExitKind.h: 28986 * dfg/DFGAbstractState.cpp: 28987 (JSC::DFG::AbstractState::executeEffects): 28988 * dfg/DFGByteCodeParser.cpp: 28989 (JSC::DFG::ByteCodeParser::parseBlock): 28990 * dfg/DFGFixupPhase.cpp: 28991 (JSC::DFG::FixupPhase::fixupNode): 28992 * dfg/DFGNodeType.h: 28993 * dfg/DFGPredictionPropagationPhase.cpp: 28994 (JSC::DFG::PredictionPropagationPhase::propagate): 28995 * dfg/DFGSpeculativeJIT32_64.cpp: 28996 (JSC::DFG::SpeculativeJIT::compile): 28997 * dfg/DFGSpeculativeJIT64.cpp: 28998 (JSC::DFG::SpeculativeJIT::compile): 28999 * runtime/Watchdog.cpp: 29000 (JSC::Watchdog::setTimeLimit): 29001 290022013-04-24 Filip Pizlo <fpizlo@apple.com> 29003 29004 Special thunks for math functions should work on ARMv7 29005 https://bugs.webkit.org/show_bug.cgi?id=115144 29006 29007 Reviewed by Gavin Barraclough and Oliver Hunt. 29008 29009 The only hard bit here was ensuring that we implemented the very special 29010 "cheap C call" convention on ARMv7. 29011 29012 * assembler/AbstractMacroAssembler.h: 29013 (JSC::isARMv7s): 29014 (JSC): 29015 (JSC::isX86): 29016 * dfg/DFGCommon.h: 29017 * jit/SpecializedThunkJIT.h: 29018 (SpecializedThunkJIT): 29019 (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn): 29020 * jit/ThunkGenerators.cpp: 29021 (JSC::floorThunkGenerator): 29022 (JSC::ceilThunkGenerator): 29023 (JSC::roundThunkGenerator): 29024 (JSC::expThunkGenerator): 29025 (JSC::logThunkGenerator): 29026 290272013-04-24 Julien Brianceau <jbrianceau@nds.com> 29028 29029 Misc bugfix and cleaning in sh4 base JIT. 29030 https://bugs.webkit.org/show_bug.cgi?id=115022. 29031 29032 Reviewed by Oliver Hunt. 29033 29034 Remove unused add32() and sub32() with scratchreg parameter to avoid 29035 confusion as this function prototype means another behaviour. 29036 Remove unused "void push(Address)" function which seems quite buggy. 29037 29038 * assembler/MacroAssemblerSH4.h: 29039 (JSC::MacroAssemblerSH4::and32): Cosmetic change. 29040 (JSC::MacroAssemblerSH4::lshift32): Cosmetic change. 29041 (JSC::MacroAssemblerSH4::or32): Cosmetic change. 29042 (JSC::MacroAssemblerSH4::xor32): Cosmetic change. 29043 (MacroAssemblerSH4): 29044 (JSC::MacroAssemblerSH4::load32): Cosmetic change. 29045 (JSC::MacroAssemblerSH4::load8Signed): Fix invalid offset upper limit 29046 when using r0 register and cosmetic changes. 29047 (JSC::MacroAssemblerSH4::load8): Reuse load8Signed to avoid duplication. 29048 (JSC::MacroAssemblerSH4::load16): Fix invalid offset upper limit when 29049 using r0 register, fix missing offset shift and cosmetic changes. 29050 (JSC::MacroAssemblerSH4::store32): Cosmetic change. 29051 (JSC::MacroAssemblerSH4::branchAdd32): Store result value before branch. 29052 290532013-04-24 Patrick Gansterer <paroga@webkit.org> 29054 29055 [WIN] Remove pthread from Visual Studio files in JavaScriptCore 29056 https://bugs.webkit.org/show_bug.cgi?id=114864 29057 29058 Reviewed by Brent Fulgham. 29059 29060 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops: 29061 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.vsprops: 29062 * JavaScriptCore.vcproj/jsc/jscCommon.vsprops: 29063 * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: 29064 * JavaScriptCore.vcproj/testapi/testapiCommon.vsprops: 29065 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: 29066 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props: 29067 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: 29068 * JavaScriptCore.vcxproj/jsc/jscCommon.props: 29069 * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: 29070 * JavaScriptCore.vcxproj/testapi/testapiCommon.props: 29071 * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: 29072 290732013-04-24 Filip Pizlo <fpizlo@apple.com> 29074 29075 DFG should keep the operand to create_this alive if it's emitting code for create_this 29076 https://bugs.webkit.org/show_bug.cgi?id=115133 29077 29078 Reviewed by Mark Hahnenberg. 29079 29080 The DFG must model bytecode liveness, or else OSR exit is going to have a really bad time. 29081 29082 * dfg/DFGByteCodeParser.cpp: 29083 (JSC::DFG::ByteCodeParser::parseBlock): 29084 290852013-04-24 Roger Fong <roger_fong@apple.com> 29086 29087 Have VS2010 WebKit solution look in WebKit_Libraries/lib32 for dependencies. 29088 29089 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd: 29090 * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: 29091 * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd: 29092 * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd: 29093 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters: 29094 * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd: 29095 * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd: 29096 * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd: 29097 290982013-04-24 Geoffrey Garen <ggaren@apple.com> 29099 29100 32-bit build fix. 29101 29102 Unreviewed. 29103 29104 * dfg/DFGSpeculativeJIT.cpp: 29105 (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch): Explicitly 29106 truncate to 32-bit to avoid compiler warnings. It's safe to truncate 29107 because the payload of a boolean is the low bits on both 64-bit and 32-bit. 29108 291092013-04-23 Geoffrey Garen <ggaren@apple.com> 29110 29111 Filled out more cases of branch folding in the DFG 29112 https://bugs.webkit.org/show_bug.cgi?id=115088 29113 29114 Reviewed by Oliver Hunt. 29115 29116 No change on the benchmarks we track, but a 3X speedup on a 29117 microbenchmark that uses these techniques. 29118 29119 * dfg/DFGByteCodeParser.cpp: 29120 (JSC::DFG::ByteCodeParser::parseBlock): (!/=)= and (!/=)== can constant 29121 fold all types, not just numbers, because true constants have no 29122 side effects when type-converted at runtime. 29123 29124 * dfg/DFGFixupPhase.cpp: 29125 (JSC::DFG::FixupPhase::fixupNode): 29126 * dfg/DFGNode.h: 29127 (JSC::DFG::Node::shouldSpeculateBoolean): Added support for fixing up 29128 boolean uses, like we do for other types like number. 29129 29130 * dfg/DFGSpeculativeJIT.cpp: 29131 (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch): 29132 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): 29133 (JSC::DFG::SpeculativeJIT::compare): 29134 (JSC::DFG::SpeculativeJIT::compileStrictEq): 29135 (JSC::DFG::SpeculativeJIT::compileBooleanCompare): Peephole fuse 29136 boolean compare and/or compare-branch, now that we have the types for 29137 them. 29138 29139 * dfg/DFGSpeculativeJIT.h: Updated declarations. 29140 29141== Rolled over to ChangeLog-2013-04-24 == 29142