2013-04-23  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA filters CheckFunction in a really weird way, and assumes that the function's structure won't change
        https://bugs.webkit.org/show_bug.cgi?id=115077

        Reviewed by Oliver Hunt.

        The filtering did three things that are unusual:

        1) AbstractValue::filterByValue() assumed that the passed value's structure wouldn't change, in
           the sense that it assumed it could use that value's *current* structure to do structure
           filtering. Filtering by structure only makes sense if you can prove that the given value will
           always have that structure (for example by either using a watchpoint or emitting code that
           checks that structure at run-time).

        2) AbstractValue::filterByValue() and the CheckFunction case in AbstractState::executeEffects()
           tried to invalidate the CFA based on whether the filtration led to an empty value. This is
           well-intentioned, but it's not how the CFA currently works. It's inconsistent with other
           parts of the CFA. We shouldn't introduce this feature into just one kind of filtration and
           not have it elsewhere.

        3) The attempt to detect when the value was empty was actually implemented incorrectly. It
           relied on AbstractValue::validate(). That method says that a concrete value does not belong
           to the abstract value if it has a different structure. This makes sense for the other place
           where AbstractValue::validate() is called: during OSR entry, where we are talking about a
           JSValue that we see *right now*. It doesn't make sense in the CFA, since in the CFA any
           value we observe in the code is a value whose structure may change when the code starts
           running, and so we cannot use the value's current structure to infer things about the code
           when it starts running.

        I fixed the above problems by (1) changing filterByValue() to not filter the structure, (2)
        changing filterByValue() and the CheckFunction case to not invalidate the CFA, and (3)
        making sure that nobody else was misusing AbstractValue::validate() (they weren't).

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::filterByValue):

2013-04-23  Oliver Hunt  <oliver@apple.com>

        Default ParserError() initialiser doesn't initialise all fields
        https://bugs.webkit.org/show_bug.cgi?id=115074

        Reviewed by Joseph Pecoraro.

        Only the jsc command prompt depended on this, but we'll fix it to
        be on the safe side.

        * parser/ParserError.h:
        (JSC::ParserError::ParserError):

2013-04-23  Christophe Dumez  <ch.dumez@sisa.samsung.com>

        Global constructors should be configurable and not enumerable
        https://bugs.webkit.org/show_bug.cgi?id=110573

        Reviewed by Geoffrey Garen.

        Update JSObject::deleteProperty() so that it sets the property
        value to undefined if it is in the static hashtable of properties. The
        previous code was not doing anything in this case and this meant
        we could not remove builtin DOMWindow properties such as
        "ProgressEvent" even if marked as Deletable.

        * runtime/JSObject.cpp:
        (JSC::JSObject::deleteProperty):
        * runtime/Lookup.h:
        (JSC):
        (JSC::putEntry):
        (JSC::lookupPut):

2013-04-23  Geoffrey Garen  <ggaren@apple.com>

        Filled out more cases of branch folding in bytecode when emitting
        expressions into a branching context
        https://bugs.webkit.org/show_bug.cgi?id=115057

        Reviewed by Filip Pizlo.

        This covers a few cases like:

        - while (true) { }
        - while (1) { }
        - if (x) break;
        - if (x) continue;
        - if (boolean_expr == boolean_const) { }
        - if (boolean_expr == 1_or_0) { }
        - if (bitop == 1_or_0) { }

        This also works, but will bring shame on your family:

        - while ("hello world") { }

        No change on the benchmarks we track, but a 2.5X speedup on a microbenchmark
        that uses these techniques.

        * JavaScriptCore.order: Order!

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::emitThrowReferenceError):
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::shouldEmitDebugHooks): Updated ancillary code
        for interface simplifications.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ConstantNode::emitBytecodeInConditionContext): Constants can
        jump unconditionally when used within a condition context.

        (JSC::ConstantNode::emitBytecode):
        (JSC::StringNode::jsValue): Gave constants a common base class so I
        could implement their codegen just once.

        (JSC::BinaryOpNode::emitBytecodeInConditionContext):
        (JSC::canFoldToBranch):
        (JSC::BinaryOpNode::tryFoldToBranch): Fold (!/=)= and (!/=)== where
        appropriate. A lot of cases are not appropriate because of the surprising
        type conversion semantics of ==. For example, if (number == true) { } is
        not the same as if (number) { } because the former will up-convert true
        to number and then do numeric comparison.

        (JSC::singleStatement):
        (JSC::IfElseNode::tryFoldBreakAndContinue):
        (JSC::IfElseNode::emitBytecode):
        (JSC::ContinueNode::trivialTarget):
        (JSC::BreakNode::trivialTarget): Fold "if (expression) break" and
        "if (expression) continue" into direct jumps from expression.

        * parser/ASTBuilder.h:
        (ASTBuilder):
        (JSC::ASTBuilder::createIfStatement):
        * parser/NodeConstructors.h:
        (JSC::ConstantNode::ConstantNode):
        (JSC):
        (JSC::NullNode::NullNode):
        (JSC::BooleanNode::BooleanNode):
        (JSC::NumberNode::NumberNode):
        (JSC::StringNode::StringNode):
        (JSC::IfElseNode::IfElseNode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isConstant):
        (JSC::ExpressionNode::isBoolean):
        (JSC::StatementNode::isBreak):
        (JSC::StatementNode::isContinue):
        (ConstantNode):
        (JSC::ConstantNode::isPure):
        (JSC::ConstantNode::isConstant):
        (NullNode):
        (JSC::NullNode::jsValue):
        (JSC::BooleanNode::value):
        (JSC::BooleanNode::isBoolean):
        (JSC::BooleanNode::jsValue):
        (JSC::NumberNode::value):
        (NumberNode):
        (JSC::NumberNode::jsValue):
        (StringNode):
        (BinaryOpNode):
        (IfElseNode):
        (ContinueNode):
        (JSC::ContinueNode::isContinue):
        (BreakNode):
        (JSC::BreakNode::isBreak):
        * parser/Parser.cpp:
        (JSC::::parseIfStatement):
        * parser/ResultType.h:
        (JSC::ResultType::definitelyIsBoolean):
        (ResultType):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::pureToBoolean):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::pureToBoolean): Updated for interface changes above.

2013-04-23  Mark Lam  <mark.lam@apple.com>

        Simplify the baseline JIT loop hint call site.
        https://bugs.webkit.org/show_bug.cgi?id=115052.

        Reviewed by Geoffrey Garen.

        Moved the watchdog timer check after the JIT optimization check. This
        ensures that the JIT optimization counter is incremented on every loop
        hint even if the watchdog timer fires.

        Removed the code that allows the JIT OSR to happen if the watchdog
        timer fires but does not result in a termination. It is extremely rare
        that the JIT optimization counter would trigger an OSR on the same pass
        as when the watchdog timer fires.
        If it does happen, we'll simply hold
        off on servicing the watchdog timer until the next pass (because it's
        not time critical).

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):

2013-04-23  Roger Fong  <roger_fong@apple.com>

        AppleWin build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:

2013-04-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Update public header documentation
        https://bugs.webkit.org/show_bug.cgi?id=114841

        Reviewed by Geoffrey Garen.

        Added documentation for the newly added object lifetime-related stuff.

        * API/JSManagedValue.h:
        * API/JSVirtualMachine.h:

2013-04-22  Mark Lam  <mark.lam@apple.com>

        Fix a typo in MacroAssemblerARMv7.h.
        https://bugs.webkit.org/show_bug.cgi?id=115011.

        Reviewed by Geoffrey Garen.

        * assembler/ARMAssembler.h: Fix a comment.
        * assembler/ARMv7Assembler.h: Added some comments.
        * assembler/MacroAssemblerARMv7.h:
        - ARMAssembler::PL should be ARMv7Assembler::ConditionPL.

2013-04-22  Julien Brianceau  <jbrianceau@nds.com>

        Add branchAdd32 missing implementation in SH4 base JIT.
        This should fix SH4 build, broken since r148893.
        https://bugs.webkit.org/show_bug.cgi?id=114993.

        Reviewed by Oliver Hunt.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchAdd32):
        (MacroAssemblerSH4):

2013-04-22  Benjamin Poulain  <bpoulain@apple.com>

        Windows build fix after r148921

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-22  Benjamin Poulain  <benjamin@webkit.org>

        Remove the memory instrumentation code
        https://bugs.webkit.org/show_bug.cgi?id=114931

        Reviewed by Andreas Kling.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-22  Mark Lam  <mark.lam@apple.com>

        Fix broken 32-bit build to green the bots.
        https://bugs.webkit.org/show_bug.cgi?id=114968.

        Unreviewed.

        Basically, I moved JIT::emit_op_loop_hint() and JIT::emitSlow_op_loop_hint()
        into common code where they belong, instead of the 64-bit specific section.

        Also fixed some SH4 assertion failures which were also caused by
        https://bugs.webkit.org/show_bug.cgi?id=114963. Thanks to Julien Brianceau
        for pointing this out.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchAdd32):
        * jit/JITOpcodes.cpp:
        (JSC):
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):

2013-04-22  Oliver Hunt  <oliver@apple.com>

        Perform null check before trying to use the result of readline()

        RS=Gavin

        * jsc.cpp:
        (runInteractive):

2013-04-22  Oliver Hunt  <oliver@apple.com>

        Fix assertions to account for new Vector layout

        RS=Gavin

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):

2013-04-22  Mark Lam  <mark.lam@apple.com>

        Change baseline JIT watchdog timer check to use the proper fast slow path
        infrastructure.
        https://bugs.webkit.org/show_bug.cgi?id=114963.

        Reviewed by Oliver Hunt.

        Edit: The PositiveOrZero condition is added because it is needed for
        the JIT optimization check. Previously, the JIT check branches around
        the slow path if the test result is 'Signed' i.e. negative. Since we
        now need to test for a condition that branches to the slow path (not
        around it), we need the complement of 'Signed / Negative' i.e. Positive
        or zero.

        SH4 parts contributed by Julien Brianceau.

        * assembler/ARMAssembler.h:
        * assembler/MacroAssemblerARM.h:
        * assembler/MacroAssemblerARMv7.h:
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchAdd32):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchAdd32):
        * assembler/MacroAssemblerX86Common.h:
        * assembler/SH4Assembler.h:
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JSC::JIT::emitEnterOptimizationCheck):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):
        (JSC::JIT::emit_op_enter):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_enter):

2013-04-22  Andreas Kling  <akling@apple.com>

        Shrink baseline size of WTF::Vector on 64-bit by switching to unsigned capacity and size.
        <http://webkit.org/b/97268>
        <rdar://problem/12376519>

        Reviewed by Sam Weinig.

        Update LLInt WTF::Vector offset constants to match the new memory layout.

        * llint/LowLevelInterpreter.asm:

2013-04-21  Oliver Hunt  <oliver@apple.com>

        JS Lexer and Parser should be more informative when they encounter errors
        https://bugs.webkit.org/show_bug.cgi?id=114924

        Reviewed by Filip Pizlo.

        Add new tokens to represent the various ways that parsing and lexing have failed.
        This gives us the ability to produce better error messages in some cases,
        and to indicate whether or not the failure was due to invalid source, or simply
        early termination.

        The jsc prompt now makes use of this so that you can write functions that
        are more than one line long.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        * jsc.cpp:
        (stringFromUTF):
        (jscSource):
        (runInteractive):
        * parser/Lexer.cpp:
        (JSC::::parseFourDigitUnicodeHex):
        (JSC::::parseIdentifierSlowCase):
        (JSC::::parseString):
        (JSC::::parseStringSlowCase):
        (JSC::::lex):
        * parser/Lexer.h:
        (UnicodeHexValue):
        (JSC::Lexer::UnicodeHexValue::UnicodeHexValue):
        (JSC::Lexer::UnicodeHexValue::valueType):
        (JSC::Lexer::UnicodeHexValue::isValid):
        (JSC::Lexer::UnicodeHexValue::value):
        (Lexer):
        * parser/Parser.h:
        (JSC::Parser::getTokenName):
        (JSC::Parser::updateErrorMessageSpecialCase):
        (JSC::::parse):
        * parser/ParserError.h:
        (ParserError):
        (JSC::ParserError::ParserError):
        * parser/ParserTokens.h:
        * runtime/Completion.cpp:
        (JSC):
        (JSC::checkSyntax):
        * runtime/Completion.h:
        (JSC):

2013-04-21  Mark Lam  <mark.lam@apple.com>

        Refactor identical inline functions in JSVALUE64 and JSVALUE32_64 sections
        out into the common section.
        https://bugs.webkit.org/show_bug.cgi?id=114910.

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::callOperation):

2013-04-20  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        LLint should be able to use x87 instead of SSE for floating point
        https://bugs.webkit.org/show_bug.cgi?id=112239

        Reviewed by Filip Pizlo.

        Implements LLInt floating point operations in x87, to ensure we support
        x86 without SSE2.

        X86 (except 64bit) now defaults to using x87 instructions in order to
        support all 32bit x86 back to i686. The implementation uses the fucomi
        instruction from i686 which sets the new minimum.

        The FPU registers must always be empty on entering or exiting a function.
        We make sure to only use two X87 registers, and they are always emptied
        before calling deeper functions or returning from the LLInt.

        * jit/JITStubs.cpp:
        (JSC): Empty FPU registers before exiting.
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:

2013-04-19  Roger Fong  <roger_fong@apple.com>

        Remove uses of WebKit_Source from AppleWin build in JavaScriptCore.

        * JavaScriptCore.vcxproj/JavaScriptCore.make:
        * JavaScriptCore.vcxproj/build-generated-files.sh:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:

2013-04-19  Benjamin Poulain  <bpoulain@apple.com>

        Rename JSStringJoiner::build() to join()
        https://bugs.webkit.org/show_bug.cgi?id=114845

        Reviewed by Geoffrey Garen.

        The method name build() came from StringBuilder history. It does not make much
        sense on the StringJoiner.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::join):
        * runtime/JSStringJoiner.h:
        (JSStringJoiner):

2013-04-19  Roger Fong  <roger_fong@apple.com>

        Unreviewed. WebKit_Source is incorrectly set.

        * JavaScriptCore.vcxproj/JavaScriptCore.make:

2013-04-19  Martin Robinson  <mrobinson@igalia.com>

        [GTK] JSCore.gir.in has a few problems
        https://bugs.webkit.org/show_bug.cgi?id=114710

        Reviewed by Philippe Normand.

        * GNUmakefile.am: Add the gobject introspection steps for JavaScriptCore here,
        because they are shared between WebKit1 and WebKit2.
        * JavaScriptCore.gir.in: Added. Moved from the WebKit1 directory. Now written
        as foreign interfaces and referencing the javascriptcoregtk library.

2013-04-18  Benjamin Poulain  <bpoulain@apple.com>

        Use StringJoiner to create the JSString of arrayProtoFuncToString
        https://bugs.webkit.org/show_bug.cgi?id=114779

        Reviewed by Geoffrey Garen.

        The function arrayProtoFuncToString was just a glorified JSStringJoiner.
        This patch replaces it by JSStringJoiner to simplify the code and enjoy any optimization
        made on JSStringJoiner.

        For some reason, this makes the execution 3.4% faster, despite having almost identical code.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):

2013-04-18  Oliver Hunt  <oliver@apple.com>

        StackFrame::column() returning bogus value
        https://bugs.webkit.org/show_bug.cgi?id=114840

        Reviewed by Gavin Barraclough.

        Don't add one part of the expression offset to the other part of the expression.
        Make StackFrame::toString() include the column info.

        * interpreter/Interpreter.cpp:
        (JSC::StackFrame::expressionInfo):
        (JSC::StackFrame::toString):

2013-04-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        Crash beneath JSC::JIT::privateCompileSlowCases @ stephenrdonaldson.com
        https://bugs.webkit.org/show_bug.cgi?id=114774

        Reviewed by Geoffrey Garen.

        We're not linking up all of the slow cases in the baseline JIT when compiling put_to_base.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_put_to_base):

2013-04-18  Mark Lam  <mark.lam@apple.com>

        Interpreter entry points should throw the TerminatedExecutionException from the caller frame.
        https://bugs.webkit.org/show_bug.cgi?id=114816.

        Reviewed by Oliver Hunt.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):

2013-04-18  Gabor Rapcsanyi  <rgabor@webkit.org>

        LLInt ARM backend should not use the d8 register as scratch register
        https://bugs.webkit.org/show_bug.cgi?id=114811

        Reviewed by Filip Pizlo.

        The d8 register must be preserved across function calls and should
        not be used as a scratch register. Changing it to d6.

        * offlineasm/arm.rb:

2013-04-18  Geoffrey Garen  <ggaren@apple.com>

        Removed HeapTimer::synchronize
        https://bugs.webkit.org/show_bug.cgi?id=114832

        Reviewed by Mark Hahnenberg.

        HeapTimer::synchronize was a flawed attempt to make HeapTimer thread-safe.
        Instead, we use proper locking now.

        This is a slight API change, since the GC timer will now only fire in the
        run loop that created the JS VM, even if another run loop later executes
        some JS.

        * API/APIShims.h:
        (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
        * heap/HeapTimer.cpp:
        (JSC):
        * heap/HeapTimer.h:
        (HeapTimer):

2013-04-17  Geoffrey Garen  <ggaren@apple.com>

        Renamed JSGlobalData to VM
        https://bugs.webkit.org/show_bug.cgi?id=114777

        Reviewed by Phil Pizlo.

        * API/APICast.h:
        (JSC):
        (toJS):
        (toRef):
        * API/APIShims.h:
        (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
        (APIEntryShimWithoutLock):
        (JSC::APIEntryShim::APIEntryShim):
        (APIEntryShim):
        (JSC::APIEntryShim::~APIEntryShim):
        (JSC::APICallbackShim::APICallbackShim):
        (JSC::APICallbackShim::~APICallbackShim):
        (APICallbackShim):
        * API/JSAPIWrapperObject.h:
        (JSAPIWrapperObject):
        * API/JSAPIWrapperObject.mm:
        (JSC::::createStructure):
        (JSC::JSAPIWrapperObject::JSAPIWrapperObject):
        (JSC::JSAPIWrapperObject::finishCreation):
        (JSC::JSAPIWrapperObject::visitChildren):
        * API/JSBase.cpp:
        (JSGarbageCollect):
        (JSReportExtraMemoryCost):
        (JSSynchronousGarbageCollectForDebugging):
        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::JSCallbackConstructor):
        (JSC::JSCallbackConstructor::finishCreation):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::createStructure):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::finishCreation):
        (JSC::JSCallbackFunction::create):
        * API/JSCallbackFunction.h:
        (JSCallbackFunction):
        (JSC::JSCallbackFunction::createStructure):
        * API/JSCallbackObject.cpp:
        (JSC::::create):
        (JSC::::createStructure):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObjectData::setPrivateProperty):
        (JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
        (JSCallbackObject):
        (JSC::JSCallbackObject::setPrivateProperty):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::JSCallbackObject):
        (JSC::::finishCreation):
        (JSC::::put):
        (JSC::::staticFunctionGetter):
        * API/JSClassRef.cpp:
        (OpaqueJSClassContextData::OpaqueJSClassContextData):
        (OpaqueJSClass::contextData):
        (OpaqueJSClass::prototype):
        * API/JSClassRef.h:
        (OpaqueJSClassContextData):
        * API/JSContext.mm:
        (-[JSContext setException:]):
        (-[JSContext initWithGlobalContextRef:]):
        (+[JSContext contextWithGlobalContextRef:]):
        * API/JSContextRef.cpp:
        (JSContextGroupCreate):
        (JSContextGroupRelease):
        (JSGlobalContextCreate):
        (JSGlobalContextCreateInGroup):
        (JSGlobalContextRetain):
        (JSGlobalContextRelease):
        (JSContextGetGroup):
        (JSContextCreateBacktrace):
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectMakeConstructor):
        (JSObjectMakeFunction):
        (JSObjectSetPrototype):
        (JSObjectHasProperty):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectDeleteProperty):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        (OpaqueJSPropertyNameArray::OpaqueJSPropertyNameArray):
        (OpaqueJSPropertyNameArray):
        (JSObjectCopyPropertyNames):
        (JSPropertyNameArrayRelease):
        (JSPropertyNameAccumulatorAddName):
        * API/JSScriptRef.cpp:
        (OpaqueJSScript::create):
        (OpaqueJSScript::vm):
        (OpaqueJSScript::OpaqueJSScript):
        (OpaqueJSScript):
        (parseScript):
        * API/JSVirtualMachine.mm:
        (scanExternalObjectGraph):
        * API/JSVirtualMachineInternal.h:
        (JSC):
        * API/JSWrapperMap.mm:
        (makeWrapper):
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::createStructure):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunction::create):
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::identifier):
        * API/OpaqueJSString.h:
        (JSC):
        (OpaqueJSString):
        * GNUmakefile.list.am:
        * JSCTypedArrayStubs.h:
        (JSC):
        * JavaScriptCore.order:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * KeywordLookupGenerator.py:
        (Trie.printSubTreeAsC):
        * Target.pri:
        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::executableCopy):
        * assembler/ARMAssembler.h:
        (ARMAssembler):
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::executableCopy):
        * assembler/AssemblerBufferWithConstantPool.h:
        (JSC::AssemblerBufferWithConstantPool::executableCopy):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::linkCode):
        * assembler/LinkBuffer.h:
        (JSC):
        (JSC::LinkBuffer::LinkBuffer):
        (LinkBuffer):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::executableCopy):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::executableCopy):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::executableCopy):
        (JSC::X86Assembler::X86InstructionFormatter::executableCopy):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        * bytecode/CallLinkInfo.h:
        (CallLinkInfo):
        * bytecode/CodeBlock.cpp:
        (JSC::dumpStructure):
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::visitStructures):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::createActivation):
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::findClosureCallForReturnPC):
        (JSC::ProgramCodeBlock::jettisonImpl):
        (JSC::EvalCodeBlock::jettisonImpl):
        (JSC::FunctionCodeBlock::jettisonImpl):
        (JSC::CodeBlock::predictedMachineCodeSize):
        (JSC::CodeBlock::usesOpcode):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::appendWeakReference):
        (JSC::CodeBlock::appendWeakReferenceTransition):
        (JSC::CodeBlock::setJITCode):
        (JSC::CodeBlock::setGlobalData):
        (JSC::CodeBlock::vm):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        (JSC::CodeBlock::addConstant):
        (JSC::CodeBlock::setConstantRegisters):
        (CodeBlock):
        (JSC::CodeBlock::WeakReferenceTransition::WeakReferenceTransition):
        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::getSlow):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForChain):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        (GetByIdStatus):
        * bytecode/Instruction.h:
        (JSC::Instruction::Instruction):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::initialize):
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * bytecode/PolymorphicAccessStructureList.h:
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
        (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::replace):
        * bytecode/PreciseJumpTargets.cpp:
        (JSC::computePreciseJumpTargets):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        (JSC):
        (PutByIdStatus):
        * bytecode/ResolveGlobalStatus.cpp:
        (JSC::computeForStructure):
        * bytecode/SamplingTool.cpp:
        (JSC::SamplingTool::notifyOfScope):
        * bytecode/SamplingTool.h:
        (JSC::ScriptSampleRecord::ScriptSampleRecord):
        (SamplingTool):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::initGetByIdSelf):
        (JSC::StructureStubInfo::initGetByIdProto):
        (JSC::StructureStubInfo::initGetByIdChain):
        (JSC::StructureStubInfo::initPutByIdTransition):
        (JSC::StructureStubInfo::initPutByIdReplace):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::link):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::create):
        (UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::finishCreation):
        (JSC::UnlinkedFunctionExecutable::createStructure):
        (JSC::UnlinkedCodeBlock::addRegExp):
        (JSC::UnlinkedCodeBlock::addConstant):
        (JSC::UnlinkedCodeBlock::addFunctionDecl):
        (JSC::UnlinkedCodeBlock::addFunctionExpr):
        (JSC::UnlinkedCodeBlock::vm):
        (UnlinkedCodeBlock):
        (JSC::UnlinkedCodeBlock::finishCreation):
        (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
        (JSC::UnlinkedProgramCodeBlock::create):
        (JSC::UnlinkedProgramCodeBlock::addFunctionDeclaration):
        (JSC::UnlinkedProgramCodeBlock::UnlinkedProgramCodeBlock):
        (JSC::UnlinkedProgramCodeBlock::createStructure):
        (JSC::UnlinkedEvalCodeBlock::create):
        (JSC::UnlinkedEvalCodeBlock::UnlinkedEvalCodeBlock):
        (JSC::UnlinkedEvalCodeBlock::createStructure):
        (JSC::UnlinkedFunctionCodeBlock::create):
        (JSC::UnlinkedFunctionCodeBlock::UnlinkedFunctionCodeBlock):
        (JSC::UnlinkedFunctionCodeBlock::createStructure):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::addConstant):
        (JSC::BytecodeGenerator::emitLoad):
        (JSC::BytecodeGenerator::emitDirectPutById):
        (JSC::BytecodeGenerator::addStringConstant):
        (JSC::BytecodeGenerator::expectedFunctionForIdentifier):
        (JSC::BytecodeGenerator::emitThrowReferenceError):
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator):
        (JSC::BytecodeGenerator::vm):
        (JSC::BytecodeGenerator::propertyNames):
        (JSC::BytecodeGenerator::makeFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::RegExpNode::emitBytecode):
        (JSC::ArrayNode::toArgumentList):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::InstanceOfNode::emitBytecode):
        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        (JSC::evaluateInGlobalCallFrame):
        * debugger/Debugger.h:
        (JSC):
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::DebuggerActivation):
        (JSC::DebuggerActivation::finishCreation):
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::create):
        (JSC::DebuggerActivation::createStructure):
        (DebuggerActivation):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::AssemblyHelpers):
        (JSC::DFG::AssemblyHelpers::vm):
        (JSC::DFG::AssemblyHelpers::debugCall):
        (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
        (AssemblyHelpers):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGByteCodeParser.h:
        (JSC):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::CCallHelpers):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::canHandleOpcodes):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::reportToProfiler):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGDriver.h:
        (JSC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
        (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        (JSC::DFG::operationPutByValInternal):
        (JSC::getHostCallReturnValueWithExecState):
        * dfg/DFGPhase.h:
        (JSC::DFG::Phase::vm):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::tryBuildGetByIDProtoList):
        (JSC::DFG::emitPutReplaceStub):
        (JSC::DFG::emitPutTransitionStub):
        (JSC::DFG::tryCachePutByID):
        (JSC::DFG::tryBuildPutByIdList):
        (JSC::DFG::linkSlowFor):
        (JSC::DFG::dfgLinkFor):
        (JSC::DFG::dfgLinkSlowFor):
        (JSC::DFG::dfgLinkClosureCall):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::typedArrayDescriptor):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compileFromCharCode):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileStringEquality):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (JSC::DFG::SpeculativeJIT::speculateObject):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::throwExceptionFromCallSlowPathGenerator):
        (JSC::DFG::slowPathFor):
        (JSC::DFG::linkForThunkGenerator):
        (JSC::DFG::linkCallThunkGenerator):
        (JSC::DFG::linkConstructThunkGenerator):
        (JSC::DFG::linkClosureCallThunkGenerator):
        (JSC::DFG::virtualForThunkGenerator):
        (JSC::DFG::virtualCallThunkGenerator):
        (JSC::DFG::virtualConstructThunkGenerator):
        * dfg/DFGThunks.h:
        (JSC):
        (DFG):
        * heap/BlockAllocator.h:
        (JSC):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryAllocateSlowCase):
        (JSC::CopiedSpace::tryReallocate):
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::tryAllocate):
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::GCThreadSharedData):
        (JSC::GCThreadSharedData::reset):
        * heap/GCThreadSharedData.h:
        (JSC):
        (GCThreadSharedData):
        * heap/HandleSet.cpp:
        (JSC::HandleSet::HandleSet):
        (JSC::HandleSet::~HandleSet):
        (JSC::HandleSet::grow):
        * heap/HandleSet.h:
        (JSC):
        (HandleSet):
        (JSC::HandleSet::vm):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC):
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::protect):
        (JSC::Heap::unprotect):
        (JSC::Heap::stack):
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        (JSC::Heap::deleteAllCompiledCode):
        (JSC::Heap::collect):
        (JSC::Heap::isValidAllocation):
        * heap/Heap.h:
        (JSC):
        (Heap):
        (JSC::Heap::vm):
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::HeapTimer):
        (JSC::HeapTimer::timerDidFire):
        (JSC::HeapTimer::timerEvent):
        * heap/HeapTimer.h:
        (JSC):
        (HeapTimer):
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::IncrementalSweeper):
        (JSC::IncrementalSweeper::sweepNextBlock):
        (JSC::IncrementalSweeper::willFinishSweeping):
        (JSC::IncrementalSweeper::create):
        * heap/IncrementalSweeper.h:
        (IncrementalSweeper):
        * heap/Local.h:
        (Local):
        (JSC::::Local):
        (JSC::LocalStack::LocalStack):
        (JSC::LocalStack::push):
        (LocalStack):
        * heap/LocalScope.h:
        (JSC):
        (LocalScope):
        (JSC::LocalScope::LocalScope):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::vm):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::SlotVisitor):
        (JSC::SlotVisitor::setup):
        * heap/Strong.h:
        (JSC):
        (Strong):
        (JSC::Strong::operator=):
        * heap/StrongInlines.h:
        (JSC::::Strong):
        (JSC::::set):
        * heap/SuperRegion.h:
        (JSC):
        * heap/WeakSet.cpp:
        * heap/WeakSet.h:
        (WeakSet):
        (JSC::WeakSet::WeakSet):
        (JSC::WeakSet::vm):
        * interpreter/AbstractPC.cpp:
        (JSC::AbstractPC::AbstractPC):
        * interpreter/AbstractPC.h:
        (JSC):
        (AbstractPC):
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        * interpreter/CallFrame.h:
        (ExecState):
        (JSC::ExecState::clearException):
(JSC::ExecState::clearSupplementaryExceptionInfo): 1056 (JSC::ExecState::exception): 1057 (JSC::ExecState::hadException): 1058 (JSC::ExecState::propertyNames): 1059 (JSC::ExecState::emptyList): 1060 (JSC::ExecState::interpreter): 1061 (JSC::ExecState::heap): 1062 (JSC::ExecState::arrayConstructorTable): 1063 (JSC::ExecState::arrayPrototypeTable): 1064 (JSC::ExecState::booleanPrototypeTable): 1065 (JSC::ExecState::dateTable): 1066 (JSC::ExecState::dateConstructorTable): 1067 (JSC::ExecState::errorPrototypeTable): 1068 (JSC::ExecState::globalObjectTable): 1069 (JSC::ExecState::jsonTable): 1070 (JSC::ExecState::mathTable): 1071 (JSC::ExecState::numberConstructorTable): 1072 (JSC::ExecState::numberPrototypeTable): 1073 (JSC::ExecState::objectConstructorTable): 1074 (JSC::ExecState::privateNamePrototypeTable): 1075 (JSC::ExecState::regExpTable): 1076 (JSC::ExecState::regExpConstructorTable): 1077 (JSC::ExecState::regExpPrototypeTable): 1078 (JSC::ExecState::stringConstructorTable): 1079 (JSC::ExecState::abstractReturnPC): 1080 * interpreter/CallFrameClosure.h: 1081 (CallFrameClosure): 1082 * interpreter/Interpreter.cpp: 1083 (JSC): 1084 (JSC::eval): 1085 (JSC::loadVarargs): 1086 (JSC::Interpreter::Interpreter): 1087 (JSC::Interpreter::dumpRegisters): 1088 (JSC::Interpreter::unwindCallFrame): 1089 (JSC::appendSourceToError): 1090 (JSC::getCallerInfo): 1091 (JSC::Interpreter::getStackTrace): 1092 (JSC::Interpreter::addStackTraceIfNecessary): 1093 (JSC::Interpreter::throwException): 1094 (JSC::Interpreter::execute): 1095 (JSC::Interpreter::executeCall): 1096 (JSC::Interpreter::executeConstruct): 1097 (JSC::Interpreter::prepareForRepeatCall): 1098 (JSC::Interpreter::retrieveArgumentsFromVMCode): 1099 (JSC::Interpreter::retrieveCallerFromVMCode): 1100 * interpreter/Interpreter.h: 1101 (JSC): 1102 (JSC::TopCallFrameSetter::TopCallFrameSetter): 1103 (JSC::TopCallFrameSetter::~TopCallFrameSetter): 1104 (TopCallFrameSetter): 1105 
(JSC::NativeCallFrameTracer::NativeCallFrameTracer): 1106 (Interpreter): 1107 * interpreter/JSStack.cpp: 1108 (JSC::JSStack::JSStack): 1109 * interpreter/JSStack.h: 1110 (JSC): 1111 * jit/ClosureCallStubRoutine.cpp: 1112 (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine): 1113 * jit/ClosureCallStubRoutine.h: 1114 (ClosureCallStubRoutine): 1115 * jit/ExecutableAllocator.cpp: 1116 (JSC::ExecutableAllocator::ExecutableAllocator): 1117 (JSC::ExecutableAllocator::allocate): 1118 * jit/ExecutableAllocator.h: 1119 (JSC): 1120 (ExecutableAllocator): 1121 * jit/ExecutableAllocatorFixedVMPool.cpp: 1122 (JSC::ExecutableAllocator::ExecutableAllocator): 1123 (JSC::ExecutableAllocator::allocate): 1124 * jit/GCAwareJITStubRoutine.cpp: 1125 (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine): 1126 (JSC::MarkingGCAwareJITStubRoutineWithOneObject::MarkingGCAwareJITStubRoutineWithOneObject): 1127 (JSC::createJITStubRoutine): 1128 * jit/GCAwareJITStubRoutine.h: 1129 (GCAwareJITStubRoutine): 1130 (MarkingGCAwareJITStubRoutineWithOneObject): 1131 (JSC): 1132 * jit/JIT.cpp: 1133 (JSC::JIT::JIT): 1134 (JSC::JIT::privateCompile): 1135 (JSC::JIT::linkFor): 1136 (JSC::JIT::linkSlowCall): 1137 * jit/JIT.h: 1138 (JSC::JIT::compile): 1139 (JSC::JIT::compileClosureCall): 1140 (JSC::JIT::compileGetByIdProto): 1141 (JSC::JIT::compileGetByIdSelfList): 1142 (JSC::JIT::compileGetByIdProtoList): 1143 (JSC::JIT::compileGetByIdChainList): 1144 (JSC::JIT::compileGetByIdChain): 1145 (JSC::JIT::compilePutByIdTransition): 1146 (JSC::JIT::compileGetByVal): 1147 (JSC::JIT::compilePutByVal): 1148 (JSC::JIT::compileCTINativeCall): 1149 (JSC::JIT::compilePatchGetArrayLength): 1150 (JIT): 1151 * jit/JITCall.cpp: 1152 (JSC::JIT::compileLoadVarargs): 1153 (JSC::JIT::compileCallEvalSlowCase): 1154 (JSC::JIT::compileOpCallSlowCase): 1155 (JSC::JIT::privateCompileClosureCall): 1156 * jit/JITCall32_64.cpp: 1157 (JSC::JIT::compileLoadVarargs): 1158 (JSC::JIT::compileCallEvalSlowCase): 1159 
(JSC::JIT::compileOpCallSlowCase): 1160 (JSC::JIT::privateCompileClosureCall): 1161 * jit/JITCode.h: 1162 (JSC): 1163 (JSC::JITCode::execute): 1164 * jit/JITDriver.h: 1165 (JSC::jitCompileIfAppropriate): 1166 (JSC::jitCompileFunctionIfAppropriate): 1167 * jit/JITExceptions.cpp: 1168 (JSC::genericThrow): 1169 (JSC::jitThrow): 1170 * jit/JITExceptions.h: 1171 (JSC): 1172 * jit/JITInlines.h: 1173 (JSC::JIT::emitLoadCharacterString): 1174 (JSC::JIT::updateTopCallFrame): 1175 * jit/JITOpcodes.cpp: 1176 (JSC::JIT::privateCompileCTINativeCall): 1177 (JSC::JIT::emit_op_new_object): 1178 (JSC::JIT::emit_op_to_primitive): 1179 (JSC::JIT::emit_op_catch): 1180 (JSC::JIT::emit_op_convert_this): 1181 (JSC::JIT::emitSlow_op_convert_this): 1182 * jit/JITOpcodes32_64.cpp: 1183 (JSC::JIT::privateCompileCTINativeCall): 1184 (JSC::JIT::emit_op_new_object): 1185 (JSC::JIT::emit_op_to_primitive): 1186 (JSC::JIT::emitSlow_op_eq): 1187 (JSC::JIT::emitSlow_op_neq): 1188 (JSC::JIT::compileOpStrictEq): 1189 (JSC::JIT::emit_op_catch): 1190 (JSC::JIT::emit_op_convert_this): 1191 (JSC::JIT::emitSlow_op_convert_this): 1192 * jit/JITPropertyAccess.cpp: 1193 (JSC::JIT::stringGetByValStubGenerator): 1194 (JSC::JIT::emitSlow_op_get_by_val): 1195 (JSC::JIT::compileGetByIdHotPath): 1196 (JSC::JIT::privateCompilePutByIdTransition): 1197 (JSC::JIT::privateCompilePatchGetArrayLength): 1198 (JSC::JIT::privateCompileGetByIdProto): 1199 (JSC::JIT::privateCompileGetByIdSelfList): 1200 (JSC::JIT::privateCompileGetByIdProtoList): 1201 (JSC::JIT::privateCompileGetByIdChainList): 1202 (JSC::JIT::privateCompileGetByIdChain): 1203 (JSC::JIT::privateCompileGetByVal): 1204 (JSC::JIT::privateCompilePutByVal): 1205 * jit/JITPropertyAccess32_64.cpp: 1206 (JSC::JIT::stringGetByValStubGenerator): 1207 (JSC::JIT::emitSlow_op_get_by_val): 1208 (JSC::JIT::compileGetByIdHotPath): 1209 (JSC::JIT::privateCompilePutByIdTransition): 1210 (JSC::JIT::privateCompilePatchGetArrayLength): 1211 (JSC::JIT::privateCompileGetByIdProto): 
1212 (JSC::JIT::privateCompileGetByIdSelfList): 1213 (JSC::JIT::privateCompileGetByIdProtoList): 1214 (JSC::JIT::privateCompileGetByIdChainList): 1215 (JSC::JIT::privateCompileGetByIdChain): 1216 * jit/JITStubs.cpp: 1217 (JSC::ctiTrampoline): 1218 (JSC): 1219 (JSC::performPlatformSpecificJITAssertions): 1220 (JSC::tryCachePutByID): 1221 (JSC::tryCacheGetByID): 1222 (JSC::returnToThrowTrampoline): 1223 (JSC::throwExceptionFromOpCall): 1224 (JSC::DEFINE_STUB_FUNCTION): 1225 (JSC::getPolymorphicAccessStructureListSlot): 1226 (JSC::jitCompileFor): 1227 (JSC::lazyLinkFor): 1228 (JSC::putByVal): 1229 * jit/JITStubs.h: 1230 (JSC): 1231 (JITStackFrame): 1232 * jit/JITThunks.cpp: 1233 (JSC::JITThunks::ctiNativeCall): 1234 (JSC::JITThunks::ctiNativeConstruct): 1235 (JSC::JITThunks::ctiStub): 1236 (JSC::JITThunks::hostFunctionStub): 1237 * jit/JITThunks.h: 1238 (JSC): 1239 (JITThunks): 1240 * jit/JITWriteBarrier.h: 1241 (JSC): 1242 (JSC::JITWriteBarrierBase::set): 1243 (JSC::JITWriteBarrier::set): 1244 * jit/SpecializedThunkJIT.h: 1245 (JSC::SpecializedThunkJIT::loadJSStringArgument): 1246 (JSC::SpecializedThunkJIT::finalize): 1247 * jit/ThunkGenerator.h: 1248 (JSC): 1249 * jit/ThunkGenerators.cpp: 1250 (JSC::generateSlowCaseFor): 1251 (JSC::linkForGenerator): 1252 (JSC::linkCallGenerator): 1253 (JSC::linkConstructGenerator): 1254 (JSC::linkClosureCallGenerator): 1255 (JSC::virtualForGenerator): 1256 (JSC::virtualCallGenerator): 1257 (JSC::virtualConstructGenerator): 1258 (JSC::stringLengthTrampolineGenerator): 1259 (JSC::nativeForGenerator): 1260 (JSC::nativeCallGenerator): 1261 (JSC::nativeConstructGenerator): 1262 (JSC::stringCharLoad): 1263 (JSC::charToString): 1264 (JSC::charCodeAtThunkGenerator): 1265 (JSC::charAtThunkGenerator): 1266 (JSC::fromCharCodeThunkGenerator): 1267 (JSC::sqrtThunkGenerator): 1268 (JSC::floorThunkGenerator): 1269 (JSC::ceilThunkGenerator): 1270 (JSC::roundThunkGenerator): 1271 (JSC::expThunkGenerator): 1272 (JSC::logThunkGenerator): 1273 
(JSC::absThunkGenerator): 1274 (JSC::powThunkGenerator): 1275 * jit/ThunkGenerators.h: 1276 (JSC): 1277 * jsc.cpp: 1278 (GlobalObject): 1279 (GlobalObject::create): 1280 (GlobalObject::createStructure): 1281 (GlobalObject::finishCreation): 1282 (GlobalObject::addFunction): 1283 (GlobalObject::addConstructableFunction): 1284 (functionDumpCallFrame): 1285 (functionJSCStack): 1286 (functionReleaseExecutableMemory): 1287 (functionRun): 1288 (main): 1289 (runWithScripts): 1290 (jscmain): 1291 * llint/LLIntData.cpp: 1292 (JSC::LLInt::Data::performAssertions): 1293 * llint/LLIntData.h: 1294 (JSC): 1295 (Data): 1296 (JSC::LLInt::Data::performAssertions): 1297 * llint/LLIntEntrypoints.cpp: 1298 (JSC::LLInt::getFunctionEntrypoint): 1299 (JSC::LLInt::getEvalEntrypoint): 1300 (JSC::LLInt::getProgramEntrypoint): 1301 * llint/LLIntEntrypoints.h: 1302 (JSC): 1303 (LLInt): 1304 (JSC::LLInt::getEntrypoint): 1305 * llint/LLIntExceptions.cpp: 1306 (JSC::LLInt::interpreterThrowInCaller): 1307 (JSC::LLInt::returnToThrow): 1308 (JSC::LLInt::callToThrow): 1309 * llint/LLIntOffsetsExtractor.cpp: 1310 * llint/LLIntSlowPaths.cpp: 1311 (LLInt): 1312 (JSC::LLInt::llint_trace_operand): 1313 (JSC::LLInt::llint_trace_value): 1314 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 1315 (JSC::LLInt::shouldJIT): 1316 (JSC::LLInt::handleHostCall): 1317 (JSC::LLInt::setUpCall): 1318 * llint/LLIntThunks.cpp: 1319 (JSC::LLInt::generateThunkWithJumpTo): 1320 (JSC::LLInt::functionForCallEntryThunkGenerator): 1321 (JSC::LLInt::functionForConstructEntryThunkGenerator): 1322 (JSC::LLInt::functionForCallArityCheckThunkGenerator): 1323 (JSC::LLInt::functionForConstructArityCheckThunkGenerator): 1324 (JSC::LLInt::evalEntryThunkGenerator): 1325 (JSC::LLInt::programEntryThunkGenerator): 1326 * llint/LLIntThunks.h: 1327 (JSC): 1328 (LLInt): 1329 * llint/LowLevelInterpreter.asm: 1330 * llint/LowLevelInterpreter.cpp: 1331 (JSC::CLoop::execute): 1332 * llint/LowLevelInterpreter32_64.asm: 1333 * llint/LowLevelInterpreter64.asm: 
1334 * offlineasm/cloop.rb: 1335 * parser/ASTBuilder.h: 1336 (JSC::ASTBuilder::ASTBuilder): 1337 (JSC::ASTBuilder::createSourceElements): 1338 (JSC::ASTBuilder::createCommaExpr): 1339 (JSC::ASTBuilder::createLogicalNot): 1340 (JSC::ASTBuilder::createUnaryPlus): 1341 (JSC::ASTBuilder::createVoid): 1342 (JSC::ASTBuilder::thisExpr): 1343 (JSC::ASTBuilder::createResolve): 1344 (JSC::ASTBuilder::createObjectLiteral): 1345 (JSC::ASTBuilder::createArray): 1346 (JSC::ASTBuilder::createNumberExpr): 1347 (JSC::ASTBuilder::createString): 1348 (JSC::ASTBuilder::createBoolean): 1349 (JSC::ASTBuilder::createNull): 1350 (JSC::ASTBuilder::createBracketAccess): 1351 (JSC::ASTBuilder::createDotAccess): 1352 (JSC::ASTBuilder::createRegExp): 1353 (JSC::ASTBuilder::createNewExpr): 1354 (JSC::ASTBuilder::createConditionalExpr): 1355 (JSC::ASTBuilder::createAssignResolve): 1356 (JSC::ASTBuilder::createFunctionExpr): 1357 (JSC::ASTBuilder::createFunctionBody): 1358 (JSC::ASTBuilder::createGetterOrSetterProperty): 1359 (JSC::ASTBuilder::createArguments): 1360 (JSC::ASTBuilder::createArgumentsList): 1361 (JSC::ASTBuilder::createProperty): 1362 (JSC::ASTBuilder::createPropertyList): 1363 (JSC::ASTBuilder::createElementList): 1364 (JSC::ASTBuilder::createFormalParameterList): 1365 (JSC::ASTBuilder::createClause): 1366 (JSC::ASTBuilder::createClauseList): 1367 (JSC::ASTBuilder::createFuncDeclStatement): 1368 (JSC::ASTBuilder::createBlockStatement): 1369 (JSC::ASTBuilder::createExprStatement): 1370 (JSC::ASTBuilder::createIfStatement): 1371 (JSC::ASTBuilder::createForLoop): 1372 (JSC::ASTBuilder::createForInLoop): 1373 (JSC::ASTBuilder::createEmptyStatement): 1374 (JSC::ASTBuilder::createVarStatement): 1375 (JSC::ASTBuilder::createReturnStatement): 1376 (JSC::ASTBuilder::createBreakStatement): 1377 (JSC::ASTBuilder::createContinueStatement): 1378 (JSC::ASTBuilder::createTryStatement): 1379 (JSC::ASTBuilder::createSwitchStatement): 1380 (JSC::ASTBuilder::createWhileStatement): 1381 
(JSC::ASTBuilder::createDoWhileStatement): 1382 (JSC::ASTBuilder::createLabelStatement): 1383 (JSC::ASTBuilder::createWithStatement): 1384 (JSC::ASTBuilder::createThrowStatement): 1385 (JSC::ASTBuilder::createDebugger): 1386 (JSC::ASTBuilder::createConstStatement): 1387 (JSC::ASTBuilder::appendConstDecl): 1388 (JSC::ASTBuilder::addVar): 1389 (JSC::ASTBuilder::combineCommaNodes): 1390 (JSC::ASTBuilder::Scope::Scope): 1391 (JSC::ASTBuilder::createNumber): 1392 (ASTBuilder): 1393 (JSC::ASTBuilder::makeTypeOfNode): 1394 (JSC::ASTBuilder::makeDeleteNode): 1395 (JSC::ASTBuilder::makeNegateNode): 1396 (JSC::ASTBuilder::makeBitwiseNotNode): 1397 (JSC::ASTBuilder::makeMultNode): 1398 (JSC::ASTBuilder::makeDivNode): 1399 (JSC::ASTBuilder::makeModNode): 1400 (JSC::ASTBuilder::makeAddNode): 1401 (JSC::ASTBuilder::makeSubNode): 1402 (JSC::ASTBuilder::makeLeftShiftNode): 1403 (JSC::ASTBuilder::makeRightShiftNode): 1404 (JSC::ASTBuilder::makeURightShiftNode): 1405 (JSC::ASTBuilder::makeBitOrNode): 1406 (JSC::ASTBuilder::makeBitAndNode): 1407 (JSC::ASTBuilder::makeBitXOrNode): 1408 (JSC::ASTBuilder::makeFunctionCallNode): 1409 (JSC::ASTBuilder::makeBinaryNode): 1410 (JSC::ASTBuilder::makeAssignNode): 1411 (JSC::ASTBuilder::makePrefixNode): 1412 (JSC::ASTBuilder::makePostfixNode): 1413 * parser/Lexer.cpp: 1414 (JSC::Keywords::Keywords): 1415 (JSC::::Lexer): 1416 (JSC::::parseIdentifier): 1417 (JSC::::parseIdentifierSlowCase): 1418 * parser/Lexer.h: 1419 (JSC::Keywords::isKeyword): 1420 (JSC::Keywords::getKeyword): 1421 (Keywords): 1422 (Lexer): 1423 (JSC::::makeIdentifier): 1424 (JSC::::makeRightSizedIdentifier): 1425 (JSC::::makeIdentifierLCharFromUChar): 1426 (JSC::::makeLCharIdentifier): 1427 * parser/NodeConstructors.h: 1428 (JSC::ParserArenaFreeable::operator new): 1429 (JSC::ParserArenaDeletable::operator new): 1430 (JSC::ParserArenaRefCounted::ParserArenaRefCounted): 1431 (JSC::PropertyNode::PropertyNode): 1432 (JSC::ContinueNode::ContinueNode): 1433 
(JSC::BreakNode::BreakNode): 1434 (JSC::ForInNode::ForInNode): 1435 * parser/Nodes.cpp: 1436 (JSC::ScopeNode::ScopeNode): 1437 (JSC::ProgramNode::ProgramNode): 1438 (JSC::ProgramNode::create): 1439 (JSC::EvalNode::EvalNode): 1440 (JSC::EvalNode::create): 1441 (JSC::FunctionBodyNode::FunctionBodyNode): 1442 (JSC::FunctionBodyNode::create): 1443 * parser/Nodes.h: 1444 (ParserArenaFreeable): 1445 (ParserArenaDeletable): 1446 (ParserArenaRefCounted): 1447 (ArrayNode): 1448 (ForInNode): 1449 (ContinueNode): 1450 (BreakNode): 1451 (ScopeNode): 1452 (ProgramNode): 1453 (EvalNode): 1454 (FunctionBodyNode): 1455 * parser/Parser.cpp: 1456 (JSC::::Parser): 1457 (JSC::::parseInner): 1458 (JSC::::parseSourceElements): 1459 (JSC::::parseTryStatement): 1460 (JSC::::parseFunctionBody): 1461 (JSC::::parseFunctionInfo): 1462 (JSC::::parseAssignmentExpression): 1463 (JSC::::parseProperty): 1464 (JSC::::parsePrimaryExpression): 1465 (JSC::::parseMemberExpression): 1466 (JSC::::parseUnaryExpression): 1467 * parser/Parser.h: 1468 (JSC): 1469 (JSC::Scope::Scope): 1470 (JSC::Scope::declareVariable): 1471 (JSC::Scope::declareParameter): 1472 (Scope): 1473 (Parser): 1474 (JSC::Parser::pushScope): 1475 (JSC::::parse): 1476 (JSC::parse): 1477 * parser/ParserArena.h: 1478 (IdentifierArena): 1479 (JSC::IdentifierArena::makeIdentifier): 1480 (JSC::IdentifierArena::makeIdentifierLCharFromUChar): 1481 (JSC::IdentifierArena::makeNumericIdentifier): 1482 * parser/SyntaxChecker.h: 1483 (JSC::SyntaxChecker::SyntaxChecker): 1484 (JSC::SyntaxChecker::createProperty): 1485 (JSC::SyntaxChecker::createGetterOrSetterProperty): 1486 * profiler/LegacyProfiler.cpp: 1487 (JSC::LegacyProfiler::startProfiling): 1488 (JSC::LegacyProfiler::stopProfiling): 1489 * profiler/LegacyProfiler.h: 1490 (JSC): 1491 * profiler/ProfilerBytecode.cpp: 1492 (JSC::Profiler::Bytecode::toJS): 1493 * profiler/ProfilerBytecodeSequence.cpp: 1494 (JSC::Profiler::BytecodeSequence::BytecodeSequence): 1495 
(JSC::Profiler::BytecodeSequence::addSequenceProperties): 1496 * profiler/ProfilerBytecodes.cpp: 1497 (JSC::Profiler::Bytecodes::toJS): 1498 * profiler/ProfilerCompilation.cpp: 1499 (JSC::Profiler::Compilation::toJS): 1500 * profiler/ProfilerCompiledBytecode.cpp: 1501 (JSC::Profiler::CompiledBytecode::toJS): 1502 * profiler/ProfilerDatabase.cpp: 1503 (JSC::Profiler::Database::Database): 1504 (JSC::Profiler::Database::toJS): 1505 (JSC::Profiler::Database::toJSON): 1506 * profiler/ProfilerDatabase.h: 1507 (Database): 1508 * profiler/ProfilerOSRExit.cpp: 1509 (JSC::Profiler::OSRExit::toJS): 1510 * profiler/ProfilerOrigin.cpp: 1511 (JSC::Profiler::Origin::toJS): 1512 * profiler/ProfilerProfiledBytecodes.cpp: 1513 (JSC::Profiler::ProfiledBytecodes::toJS): 1514 * runtime/ArgList.h: 1515 (MarkedArgumentBuffer): 1516 * runtime/Arguments.cpp: 1517 (JSC::Arguments::putByIndex): 1518 (JSC::Arguments::put): 1519 (JSC::Arguments::deleteProperty): 1520 (JSC::Arguments::defineOwnProperty): 1521 (JSC::Arguments::tearOff): 1522 (JSC::Arguments::didTearOffActivation): 1523 (JSC::Arguments::tearOffForInlineCallFrame): 1524 * runtime/Arguments.h: 1525 (JSC::Arguments::create): 1526 (JSC::Arguments::createStructure): 1527 (Arguments): 1528 (JSC::Arguments::Arguments): 1529 (JSC::Arguments::trySetArgument): 1530 (JSC::Arguments::finishCreation): 1531 * runtime/ArrayConstructor.cpp: 1532 (JSC::ArrayConstructor::finishCreation): 1533 * runtime/ArrayConstructor.h: 1534 (JSC::ArrayConstructor::createStructure): 1535 * runtime/ArrayPrototype.cpp: 1536 (JSC::ArrayPrototype::ArrayPrototype): 1537 (JSC::ArrayPrototype::finishCreation): 1538 (JSC::arrayProtoFuncSort): 1539 (JSC::arrayProtoFuncSplice): 1540 * runtime/ArrayPrototype.h: 1541 (JSC::ArrayPrototype::createStructure): 1542 * runtime/BatchedTransitionOptimizer.h: 1543 (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer): 1544 (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer): 1545 (BatchedTransitionOptimizer): 1546 
* runtime/BooleanConstructor.cpp: 1547 (JSC::BooleanConstructor::finishCreation): 1548 (JSC::constructBoolean): 1549 (JSC::constructBooleanFromImmediateBoolean): 1550 * runtime/BooleanConstructor.h: 1551 (JSC::BooleanConstructor::createStructure): 1552 * runtime/BooleanObject.cpp: 1553 (JSC::BooleanObject::BooleanObject): 1554 (JSC::BooleanObject::finishCreation): 1555 * runtime/BooleanObject.h: 1556 (BooleanObject): 1557 (JSC::BooleanObject::create): 1558 (JSC::BooleanObject::createStructure): 1559 * runtime/BooleanPrototype.cpp: 1560 (JSC::BooleanPrototype::BooleanPrototype): 1561 (JSC::BooleanPrototype::finishCreation): 1562 (JSC::booleanProtoFuncToString): 1563 * runtime/BooleanPrototype.h: 1564 (JSC::BooleanPrototype::createStructure): 1565 * runtime/Butterfly.h: 1566 (JSC): 1567 (Butterfly): 1568 * runtime/ButterflyInlines.h: 1569 (JSC::Butterfly::createUninitialized): 1570 (JSC::Butterfly::create): 1571 (JSC::Butterfly::growPropertyStorage): 1572 (JSC::Butterfly::createOrGrowArrayRight): 1573 (JSC::Butterfly::growArrayRight): 1574 (JSC::Butterfly::resizeArray): 1575 * runtime/CodeCache.cpp: 1576 (JSC::CodeCache::getCodeBlock): 1577 (JSC::CodeCache::getProgramCodeBlock): 1578 (JSC::CodeCache::getEvalCodeBlock): 1579 (JSC::CodeCache::getFunctionExecutableFromGlobalCode): 1580 * runtime/CodeCache.h: 1581 (JSC): 1582 (JSC::SourceCodeValue::SourceCodeValue): 1583 (CodeCache): 1584 * runtime/CommonIdentifiers.cpp: 1585 (JSC): 1586 (JSC::CommonIdentifiers::CommonIdentifiers): 1587 * runtime/CommonIdentifiers.h: 1588 (CommonIdentifiers): 1589 * runtime/CommonSlowPaths.h: 1590 (JSC::CommonSlowPaths::opIn): 1591 * runtime/Completion.cpp: 1592 (JSC::checkSyntax): 1593 (JSC::evaluate): 1594 * runtime/DateConstructor.cpp: 1595 (JSC::DateConstructor::finishCreation): 1596 * runtime/DateConstructor.h: 1597 (JSC::DateConstructor::createStructure): 1598 * runtime/DateInstance.cpp: 1599 (JSC::DateInstance::DateInstance): 1600 (JSC::DateInstance::finishCreation): 1601 
(JSC::DateInstance::calculateGregorianDateTime): 1602 (JSC::DateInstance::calculateGregorianDateTimeUTC): 1603 * runtime/DateInstance.h: 1604 (DateInstance): 1605 (JSC::DateInstance::create): 1606 (JSC::DateInstance::createStructure): 1607 * runtime/DatePrototype.cpp: 1608 (JSC::DatePrototype::finishCreation): 1609 (JSC::dateProtoFuncSetTime): 1610 (JSC::setNewValueFromTimeArgs): 1611 (JSC::setNewValueFromDateArgs): 1612 (JSC::dateProtoFuncSetYear): 1613 (JSC::dateProtoFuncToJSON): 1614 * runtime/DatePrototype.h: 1615 (JSC::DatePrototype::createStructure): 1616 * runtime/Error.cpp: 1617 (JSC::createError): 1618 (JSC::createEvalError): 1619 (JSC::createRangeError): 1620 (JSC::createReferenceError): 1621 (JSC::createSyntaxError): 1622 (JSC::createTypeError): 1623 (JSC::createURIError): 1624 (JSC::addErrorInfo): 1625 (JSC::throwError): 1626 * runtime/Error.h: 1627 (JSC): 1628 (JSC::StrictModeTypeErrorFunction::create): 1629 (JSC::StrictModeTypeErrorFunction::createStructure): 1630 * runtime/ErrorConstructor.cpp: 1631 (JSC::ErrorConstructor::finishCreation): 1632 * runtime/ErrorConstructor.h: 1633 (JSC::ErrorConstructor::createStructure): 1634 * runtime/ErrorInstance.cpp: 1635 (JSC::ErrorInstance::ErrorInstance): 1636 * runtime/ErrorInstance.h: 1637 (JSC::ErrorInstance::createStructure): 1638 (JSC::ErrorInstance::create): 1639 (ErrorInstance): 1640 (JSC::ErrorInstance::finishCreation): 1641 * runtime/ErrorPrototype.cpp: 1642 (JSC::ErrorPrototype::ErrorPrototype): 1643 (JSC::ErrorPrototype::finishCreation): 1644 * runtime/ErrorPrototype.h: 1645 (JSC::ErrorPrototype::createStructure): 1646 * runtime/ExceptionHelpers.cpp: 1647 (JSC::createInterruptedExecutionException): 1648 (JSC::createTerminatedExecutionException): 1649 * runtime/ExceptionHelpers.h: 1650 (JSC): 1651 (JSC::InterruptedExecutionError::InterruptedExecutionError): 1652 (JSC::InterruptedExecutionError::create): 1653 (JSC::InterruptedExecutionError::createStructure): 1654 
(JSC::TerminatedExecutionError::TerminatedExecutionError): 1655 (JSC::TerminatedExecutionError::create): 1656 (JSC::TerminatedExecutionError::createStructure): 1657 * runtime/Executable.cpp: 1658 (JSC::jettisonCodeBlock): 1659 (JSC::EvalExecutable::EvalExecutable): 1660 (JSC::ProgramExecutable::ProgramExecutable): 1661 (JSC::FunctionExecutable::FunctionExecutable): 1662 (JSC::EvalExecutable::compileOptimized): 1663 (JSC::EvalExecutable::compileInternal): 1664 (JSC::EvalExecutable::jettisonOptimizedCode): 1665 (JSC::ProgramExecutable::checkSyntax): 1666 (JSC::ProgramExecutable::compileOptimized): 1667 (JSC::ProgramExecutable::jettisonOptimizedCode): 1668 (JSC::ProgramExecutable::initializeGlobalProperties): 1669 (JSC::FunctionExecutable::compileOptimizedForCall): 1670 (JSC::FunctionExecutable::compileOptimizedForConstruct): 1671 (JSC::FunctionExecutable::produceCodeBlockFor): 1672 (JSC::FunctionExecutable::jettisonOptimizedCodeForCall): 1673 (JSC::FunctionExecutable::jettisonOptimizedCodeForConstruct): 1674 (JSC::FunctionExecutable::fromGlobalCode): 1675 * runtime/Executable.h: 1676 (JSC::ExecutableBase::ExecutableBase): 1677 (JSC::ExecutableBase::finishCreation): 1678 (JSC::ExecutableBase::createStructure): 1679 (JSC::NativeExecutable::create): 1680 (JSC::NativeExecutable::createStructure): 1681 (JSC::NativeExecutable::finishCreation): 1682 (JSC::NativeExecutable::NativeExecutable): 1683 (JSC::ScriptExecutable::ScriptExecutable): 1684 (JSC::ScriptExecutable::finishCreation): 1685 (JSC::EvalExecutable::compile): 1686 (EvalExecutable): 1687 (JSC::EvalExecutable::create): 1688 (JSC::EvalExecutable::createStructure): 1689 (JSC::ProgramExecutable::create): 1690 (ProgramExecutable): 1691 (JSC::ProgramExecutable::compile): 1692 (JSC::ProgramExecutable::createStructure): 1693 (JSC::FunctionExecutable::create): 1694 (JSC::FunctionExecutable::compileForCall): 1695 (FunctionExecutable): 1696 (JSC::FunctionExecutable::compileForConstruct): 1697 
(JSC::FunctionExecutable::jettisonOptimizedCodeFor): 1698 (JSC::FunctionExecutable::createStructure): 1699 (JSC::JSFunction::JSFunction): 1700 * runtime/ExecutionHarness.h: 1701 (JSC::prepareForExecution): 1702 (JSC::prepareFunctionForExecution): 1703 * runtime/FunctionConstructor.cpp: 1704 (JSC::FunctionConstructor::finishCreation): 1705 * runtime/FunctionConstructor.h: 1706 (JSC::FunctionConstructor::createStructure): 1707 * runtime/FunctionPrototype.cpp: 1708 (JSC::FunctionPrototype::finishCreation): 1709 (JSC::FunctionPrototype::addFunctionProperties): 1710 (JSC::functionProtoFuncBind): 1711 * runtime/FunctionPrototype.h: 1712 (JSC::FunctionPrototype::createStructure): 1713 * runtime/GCActivityCallback.cpp: 1714 (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback): 1715 (JSC::DefaultGCActivityCallback::doWork): 1716 (JSC::DefaultGCActivityCallback::didAllocate): 1717 * runtime/GCActivityCallback.h: 1718 (JSC::GCActivityCallback::GCActivityCallback): 1719 * runtime/GCActivityCallbackBlackBerry.cpp: 1720 (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback): 1721 (JSC::DefaultGCActivityCallback::doWork): 1722 (JSC::DefaultGCActivityCallback::didAllocate): 1723 * runtime/GetterSetter.h: 1724 (JSC::GetterSetter::GetterSetter): 1725 (JSC::GetterSetter::create): 1726 (JSC::GetterSetter::setGetter): 1727 (JSC::GetterSetter::setSetter): 1728 (JSC::GetterSetter::createStructure): 1729 * runtime/Identifier.cpp: 1730 (JSC::Identifier::add): 1731 (JSC::Identifier::add8): 1732 (JSC::Identifier::addSlowCase): 1733 (JSC::Identifier::from): 1734 (JSC::Identifier::checkCurrentIdentifierTable): 1735 * runtime/Identifier.h: 1736 (JSC::Identifier::Identifier): 1737 (JSC::Identifier::createLCharFromUChar): 1738 (Identifier): 1739 (JSC::Identifier::add): 1740 * runtime/InternalFunction.cpp: 1741 (JSC::InternalFunction::InternalFunction): 1742 (JSC::InternalFunction::finishCreation): 1743 (JSC::InternalFunction::name): 1744 (JSC::InternalFunction::displayName): 1745 * 
runtime/InternalFunction.h: 1746 (JSC::InternalFunction::createStructure): 1747 (InternalFunction): 1748 * runtime/JSAPIValueWrapper.h: 1749 (JSC::JSAPIValueWrapper::createStructure): 1750 (JSC::JSAPIValueWrapper::finishCreation): 1751 (JSC::JSAPIValueWrapper::JSAPIValueWrapper): 1752 * runtime/JSActivation.cpp: 1753 (JSC::JSActivation::symbolTablePut): 1754 (JSC::JSActivation::symbolTablePutWithAttributes): 1755 (JSC::JSActivation::getOwnPropertySlot): 1756 (JSC::JSActivation::put): 1757 (JSC::JSActivation::putDirectVirtual): 1758 (JSC::JSActivation::argumentsGetter): 1759 * runtime/JSActivation.h: 1760 (JSActivation): 1761 (JSC::JSActivation::create): 1762 (JSC::JSActivation::createStructure): 1763 (JSC::JSActivation::JSActivation): 1764 (JSC::JSActivation::tearOff): 1765 * runtime/JSArray.cpp: 1766 (JSC::createArrayButterflyInDictionaryIndexingMode): 1767 (JSC::JSArray::setLengthWritable): 1768 (JSC::JSArray::unshiftCountSlowCase): 1769 (JSC::JSArray::setLength): 1770 (JSC::JSArray::push): 1771 (JSC::JSArray::shiftCountWithAnyIndexingType): 1772 (JSC::JSArray::unshiftCountWithArrayStorage): 1773 (JSC::JSArray::unshiftCountWithAnyIndexingType): 1774 (JSC::ContiguousTypeAccessor::setWithValue): 1775 (JSC::JSArray::sortCompactedVector): 1776 (JSC::JSArray::sortVector): 1777 * runtime/JSArray.h: 1778 (JSC::JSArray::JSArray): 1779 (JSArray): 1780 (JSC::JSArray::shiftCountForShift): 1781 (JSC::JSArray::unshiftCountForShift): 1782 (JSC::JSArray::createStructure): 1783 (JSC::createContiguousArrayButterfly): 1784 (JSC::createArrayButterfly): 1785 (JSC): 1786 (JSC::JSArray::create): 1787 (JSC::JSArray::tryCreateUninitialized): 1788 (JSC::constructArray): 1789 * runtime/JSBoundFunction.cpp: 1790 (JSC::JSBoundFunction::create): 1791 (JSC::JSBoundFunction::JSBoundFunction): 1792 * runtime/JSBoundFunction.h: 1793 (JSC::JSBoundFunction::createStructure): 1794 * runtime/JSCJSValue.cpp: 1795 (JSC::JSValue::putToPrimitive): 1796 (JSC::JSValue::toStringSlowCase): 1797 * 
runtime/JSCJSValue.h: 1798 (JSC): 1799 * runtime/JSCell.h: 1800 (JSCell): 1801 * runtime/JSCellInlines.h: 1802 (JSC::JSCell::JSCell): 1803 (JSC::JSCell::finishCreation): 1804 (JSC::allocateCell): 1805 (JSC::JSCell::setStructure): 1806 (JSC::JSCell::fastGetOwnProperty): 1807 * runtime/JSDateMath.cpp: 1808 (JSC::getDSTOffset): 1809 (JSC::getUTCOffset): 1810 (JSC::parseDate): 1811 * runtime/JSDestructibleObject.h: 1812 (JSC::JSDestructibleObject::JSDestructibleObject): 1813 * runtime/JSFunction.cpp: 1814 (JSC::JSFunction::create): 1815 (JSC::JSFunction::JSFunction): 1816 (JSC::JSFunction::finishCreation): 1817 (JSC::JSFunction::createAllocationProfile): 1818 (JSC::JSFunction::name): 1819 (JSC::JSFunction::displayName): 1820 (JSC::JSFunction::getOwnPropertySlot): 1821 (JSC::JSFunction::deleteProperty): 1822 * runtime/JSFunction.h: 1823 (JSFunction): 1824 (JSC::JSFunction::create): 1825 (JSC::JSFunction::setScope): 1826 (JSC::JSFunction::createStructure): 1827 * runtime/JSGlobalData.cpp: Removed. 1828 * runtime/JSGlobalData.h: Removed. 
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::~JSGlobalObject):
        (JSC::JSGlobalObject::setGlobalThis):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::putDirectVirtual):
        (JSC::JSGlobalObject::reset):
        (JSC):
        (JSC::JSGlobalObject::haveABadTime):
        (JSC::JSGlobalObject::createThrowTypeError):
        (JSC::JSGlobalObject::resetPrototype):
        (JSC::JSGlobalObject::addStaticGlobals):
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope):
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create):
        (JSGlobalObject):
        (JSC::JSGlobalObject::finishCreation):
        (JSC::JSGlobalObject::vm):
        (JSC::JSGlobalObject::createStructure):
        (JSC::ExecState::dynamicGlobalObject):
        (JSC::constructEmptyArray):
        (DynamicGlobalObjectScope):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoSetter):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::willDestroyGlobalData):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:
        (JSC):
        (JSLockHolder):
        (JSLock):
        (JSC::JSLock::vm):
        (DropAllLocks):
        * runtime/JSNameScope.h:
        (JSC::JSNameScope::createStructure):
        (JSC::JSNameScope::finishCreation):
        (JSC::JSNameScope::JSNameScope):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::JSNotAnObject):
        (JSC::JSNotAnObject::create):
        (JSC::JSNotAnObject::createStructure):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        (JSC::JSONObject::finishCreation):
        (Holder):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::Holder):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::Walker):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        (JSC::JSONStringify):
        * runtime/JSONObject.h:
        (JSC::JSONObject::createStructure):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::enterDictionaryIndexingMode):
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::createInitialArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::rageConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::convertUndecidedForValue):
        (JSC::JSObject::convertInt32ForValue):
        (JSC::JSObject::setIndexQuicklyToUndecided):
        (JSC::JSObject::convertInt32ToDoubleOrContiguousWhilePerformingSetIndex):
        (JSC::JSObject::convertDoubleToContiguousWhilePerformingSetIndex):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::rageEnsureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::putDirectVirtual):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::getPropertySpecificValue):
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::removeDirect):
        (JSC::JSObject::putIndexedDescriptor):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::allocateSparseIndexMap):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        (JSC::JSObject::putDirectNativeFunction):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::growOutOfLineStorage):
        (JSC::JSObject::getOwnPropertyDescriptor):
        (JSC::putDescriptor):
        (JSC::JSObject::putDirectMayBeIndex):
        (JSC::DefineOwnPropertyScope::DefineOwnPropertyScope):
        (JSC::DefineOwnPropertyScope::~DefineOwnPropertyScope):
        (DefineOwnPropertyScope):
        (JSC::JSObject::defineOwnNonIndexProperty):
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::putByIndexInline):
        (JSC::JSObject::putDirectIndex):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectOffset):
        (JSC::JSObject::putDirect):
        (JSC::JSObject::isSealed):
        (JSC::JSObject::isFrozen):
        (JSC::JSObject::flattenDictionaryObject):
        (JSC::JSObject::ensureInt32):
        (JSC::JSObject::ensureDouble):
        (JSC::JSObject::ensureContiguous):
        (JSC::JSObject::rageEnsureContiguous):
        (JSC::JSObject::ensureArrayStorage):
        (JSC::JSObject::finishCreation):
        (JSC::JSObject::createStructure):
        (JSC::JSObject::ensureLength):
        (JSC::JSNonFinalObject::createStructure):
        (JSC::JSNonFinalObject::JSNonFinalObject):
        (JSC::JSNonFinalObject::finishCreation):
        (JSC::JSFinalObject::createStructure):
        (JSC::JSFinalObject::finishCreation):
        (JSC::JSFinalObject::JSFinalObject):
        (JSC::JSFinalObject::create):
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::JSObject):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        (JSC::JSObject::putOwnDataProperty):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
        (JSC::JSPropertyNameIterator::create):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        (JSC::JSPropertyNameIterator::setCachedStructure):
        (JSC::JSPropertyNameIterator::setCachedPrototypeChain):
        (JSC::JSPropertyNameIterator::finishCreation):
        (JSC::StructureRareData::setEnumerationCache):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::setTarget):
        * runtime/JSProxy.h:
        (JSC::JSProxy::create):
        (JSC::JSProxy::createStructure):
        (JSC::JSProxy::JSProxy):
        (JSC::JSProxy::finishCreation):
        (JSProxy):
        * runtime/JSScope.cpp:
        (JSC::executeResolveOperations):
        (JSC::JSScope::resolveContainingScopeInternal):
        (JSC::JSScope::resolveWithBase):
        (JSC::JSScope::resolveWithThis):
        (JSC::JSScope::resolvePut):
        * runtime/JSScope.h:
        (JSScope):
        (JSC::JSScope::JSScope):
        (JSC::JSScope::vm):
        (JSC::ExecState::vm):
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject):
        (JSC::JSSegmentedVariableObject::finishCreation):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::RopeBuilder::expand):
        (JSC::StringObject::create):
        * runtime/JSString.h:
        (JSC):
        (JSString):
        (JSC::JSString::JSString):
        (JSC::JSString::finishCreation):
        (JSC::JSString::create):
        (JSC::JSString::createHasOtherOwner):
        (JSC::JSString::createStructure):
        (JSRopeString):
        (JSC::JSRopeString::RopeBuilder::RopeBuilder):
        (JSC::JSRopeString::RopeBuilder::append):
        (RopeBuilder):
        (JSC::JSRopeString::JSRopeString):
        (JSC::JSRopeString::finishCreation):
        (JSC::JSRopeString::append):
        (JSC::JSRopeString::createNull):
        (JSC::JSRopeString::create):
        (JSC::jsEmptyString):
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsNontrivialString):
        (JSC::jsString):
        (JSC::jsSubstring):
        (JSC::jsSubstring8):
        (JSC::jsOwnedString):
        (JSC::jsStringBuilder):
        (JSC::inlineJSValueNotStringtoString):
        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::build):
        * runtime/JSSymbolTableObject.h:
        (JSC::JSSymbolTableObject::JSSymbolTableObject):
        (JSC::JSSymbolTableObject::finishCreation):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::JSVariableObject):
        * runtime/JSWithScope.h:
        (JSC::JSWithScope::create):
        (JSC::JSWithScope::createStructure):
        (JSC::JSWithScope::JSWithScope):
        * runtime/JSWrapperObject.h:
        (JSWrapperObject):
        (JSC::JSWrapperObject::createStructure):
        (JSC::JSWrapperObject::JSWrapperObject):
        (JSC::JSWrapperObject::setInternalValue):
        * runtime/LiteralParser.cpp:
        (JSC::::tryJSONPParse):
        (JSC::::makeIdentifier):
        (JSC::::parse):
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashTable::initializeIfNeeded):
        (JSC::HashTable::entry):
        (JSC::HashTable::begin):
        (JSC::HashTable::end):
        (HashTable):
        (JSC::lookupPut):
        * runtime/MathObject.cpp:
        (JSC::MathObject::MathObject):
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncSin):
        * runtime/MathObject.h:
        (JSC::MathObject::createStructure):
        * runtime/MemoryStatistics.cpp:
        * runtime/MemoryStatistics.h:
        * runtime/NameConstructor.cpp:
        (JSC::NameConstructor::finishCreation):
        (JSC::constructPrivateName):
        * runtime/NameConstructor.h:
        (JSC::NameConstructor::createStructure):
        * runtime/NameInstance.cpp:
        (JSC::NameInstance::NameInstance):
        * runtime/NameInstance.h:
        (JSC::NameInstance::createStructure):
        (JSC::NameInstance::create):
        (NameInstance):
        (JSC::NameInstance::finishCreation):
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::NamePrototype):
        (JSC::NamePrototype::finishCreation):
        * runtime/NamePrototype.h:
        (JSC::NamePrototype::createStructure):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::createStructure):
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        (JSC::constructWithNumberConstructor):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::createStructure):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        (JSC::NumberObject::finishCreation):
        (JSC::constructNumber):
        * runtime/NumberObject.h:
        (NumberObject):
        (JSC::NumberObject::create):
        (JSC::NumberObject::createStructure):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        (JSC::NumberPrototype::finishCreation):
        (JSC::integerValueToString):
        (JSC::numberProtoFuncToString):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorPreventExtensions):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::createStructure):
        (JSC::constructEmptyObject):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::ObjectPrototype):
        (JSC::ObjectPrototype::finishCreation):
        (JSC::objectProtoFuncToString):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::createStructure):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        * runtime/Operations.h:
        (JSC):
        (JSC::jsString):
        (JSC::jsStringFromArguments):
        (JSC::normalizePrototypeChainForChainAccess):
        (JSC::normalizePrototypeChain):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyMapEntry::PropertyMapEntry):
        (JSC::PropertyTable::createStructure):
        (PropertyTable):
        (JSC::PropertyTable::copy):
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::PropertyNameArray):
        (JSC::PropertyNameArray::vm):
        (JSC::PropertyNameArray::addKnownUnique):
        (PropertyNameArray):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::create):
        (JSC::PropertyTable::clone):
        (JSC::PropertyTable::PropertyTable):
        * runtime/PrototypeMap.cpp:
        (JSC::PrototypeMap::emptyObjectStructureForPrototype):
        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        (JSC::RegExp::finishCreation):
        (JSC::RegExp::createWithoutCaching):
        (JSC::RegExp::create):
        (JSC::RegExp::compile):
        (JSC::RegExp::compileIfNecessary):
        (JSC::RegExp::match):
        (JSC::RegExp::compileMatchOnly):
        (JSC::RegExp::compileIfNecessaryMatchOnly):
        * runtime/RegExp.h:
        (JSC):
        (RegExp):
        (JSC::RegExp::createStructure):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::lookupOrCreate):
        (JSC::RegExpCache::RegExpCache):
        (JSC::RegExpCache::addToStrongCache):
        * runtime/RegExpCache.h:
        (RegExpCache):
        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::lastResult):
        (JSC::RegExpCachedResult::setInput):
        * runtime/RegExpCachedResult.h:
        (JSC::RegExpCachedResult::RegExpCachedResult):
        (JSC::RegExpCachedResult::record):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
        (JSC::RegExpConstructor::finishCreation):
        (JSC::constructRegExp):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::createStructure):
        (RegExpConstructor):
        (JSC::RegExpConstructor::performMatch):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::RegExpMatchesArray):
        (JSC::RegExpMatchesArray::create):
        (JSC::RegExpMatchesArray::finishCreation):
        (JSC::RegExpMatchesArray::reifyAllProperties):
        * runtime/RegExpMatchesArray.h:
        (RegExpMatchesArray):
        (JSC::RegExpMatchesArray::createStructure):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        (JSC::RegExpObject::finishCreation):
        (JSC::RegExpObject::match):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::create):
        (JSC::RegExpObject::setRegExp):
        (JSC::RegExpObject::setLastIndex):
        (JSC::RegExpObject::createStructure):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::createStructure):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::initializeCommonStrings):
        (JSC::SmallStrings::createEmptyString):
        (JSC::SmallStrings::createSingleCharacterString):
        (JSC::SmallStrings::initialize):
        * runtime/SmallStrings.h:
        (JSC):
        (JSC::SmallStrings::singleCharacterString):
        (SmallStrings):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::SparseArrayValueMap):
        (JSC::SparseArrayValueMap::finishCreation):
        (JSC::SparseArrayValueMap::create):
        (JSC::SparseArrayValueMap::createStructure):
        (JSC::SparseArrayValueMap::putDirect):
        (JSC::SparseArrayEntry::put):
        * runtime/SparseArrayValueMap.h:
        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::StrictEvalActivation):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::create):
        (JSC::StrictEvalActivation::createStructure):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::createStructure):
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        (JSC::StringObject::finishCreation):
        (JSC::constructString):
        * runtime/StringObject.h:
        (JSC::StringObject::create):
        (JSC::StringObject::createStructure):
        (StringObject):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        (JSC::StringPrototype::finishCreation):
        (JSC::removeUsingRegExpSearch):
        (JSC::replaceUsingRegExpSearch):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
        (JSC::stringProtoFuncSplit):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::createStructure):
        * runtime/StringRecursionChecker.h:
        (JSC::StringRecursionChecker::performCheck):
        (JSC::StringRecursionChecker::~StringRecursionChecker):
        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::add):
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::removePropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::toCacheableDictionaryTransition):
        (JSC::Structure::toUncacheableDictionaryTransition):
        (JSC::Structure::sealTransition):
        (JSC::Structure::freezeTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::takePropertyTableOrCloneIfPinned):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::allocateRareData):
        (JSC::Structure::cloneRareDataFrom):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        (JSC::Structure::despecifyAllFunctions):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::createPropertyMap):
        (JSC::Structure::getPropertyNamesFromStructure):
        (JSC::Structure::prototypeChainMayInterceptStoreTo):
        * runtime/Structure.h:
        (Structure):
        (JSC::Structure::finishCreation):
        (JSC::Structure::setPrototypeWithoutTransition):
        (JSC::Structure::setGlobalObject):
        (JSC::Structure::setObjectToStringValue):
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        (JSC::Structure::setPreviousID):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::StructureChain):
        * runtime/StructureChain.h:
        (JSC::StructureChain::create):
        (JSC::StructureChain::createStructure):
        (JSC::StructureChain::finishCreation):
        (StructureChain):
        * runtime/StructureInlines.h:
        (JSC::Structure::create):
        (JSC::Structure::createStructure):
        (JSC::Structure::get):
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::prototypeChain):
        (JSC::Structure::propertyTable):
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::createStructure):
        (JSC::StructureRareData::create):
        (JSC::StructureRareData::clone):
        (JSC::StructureRareData::StructureRareData):
        * runtime/StructureRareData.h:
        (StructureRareData):
        * runtime/StructureRareDataInlines.h:
        (JSC::StructureRareData::setPreviousID):
        (JSC::StructureRareData::setObjectToStringValue):
        * runtime/StructureTransitionTable.h:
        (StructureTransitionTable):
        (JSC::StructureTransitionTable::setSingleTransition):
        * runtime/SymbolTable.h:
        (JSC::SharedSymbolTable::create):
        (JSC::SharedSymbolTable::createStructure):
        (JSC::SharedSymbolTable::SharedSymbolTable):
        * runtime/VM.cpp: Copied from Source/JavaScriptCore/runtime/JSGlobalData.cpp.
        (JSC::VM::VM):
        (JSC::VM::~VM):
        (JSC::VM::createContextGroup):
        (JSC::VM::create):
        (JSC::VM::createLeaked):
        (JSC::VM::sharedInstanceExists):
        (JSC::VM::sharedInstance):
        (JSC::VM::sharedInstanceInternal):
        (JSC::VM::getHostFunction):
        (JSC::VM::ClientData::~ClientData):
        (JSC::VM::resetDateCache):
        (JSC::VM::startSampling):
        (JSC::VM::stopSampling):
        (JSC::VM::discardAllCode):
        (JSC::VM::dumpSampleData):
        (JSC::VM::addSourceProviderCache):
        (JSC::VM::clearSourceProviderCaches):
        (JSC::VM::releaseExecutableMemory):
        (JSC::releaseExecutableMemory):
        (JSC::VM::gatherConservativeRoots):
        (JSC::VM::addRegExpToTrace):
        (JSC::VM::dumpRegExpTrace):
        * runtime/VM.h: Copied from Source/JavaScriptCore/runtime/JSGlobalData.h.
        (VM):
        (JSC::VM::isSharedInstance):
        (JSC::VM::usingAPI):
        (JSC::VM::isInitializingObject):
        (JSC::VM::setInitializingObjectClass):
        (JSC::WeakSet::heap):
        * runtime/WriteBarrier.h:
        (JSC):
        (JSC::WriteBarrierBase::set):
        (JSC::WriteBarrierBase::setMayBeNull):
        (JSC::WriteBarrierBase::setEarlyValue):
        (JSC::WriteBarrier::WriteBarrier):
        * testRegExp.cpp:
        (GlobalObject):
        (GlobalObject::create):
        (GlobalObject::createStructure):
        (GlobalObject::finishCreation):
        (main):
        (testOneRegExp):
        (parseRegExpLine):
        (runFromFiles):
        (realMain):
        * yarr/YarrInterpreter.h:
        (BytecodePattern):
        * yarr/YarrJIT.cpp:
        (YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::jitCompile):
        * yarr/YarrJIT.h:
        (JSC):

2013-04-18  Xuefei Ren  <xren@blackberry.com>

        remove build warning(unused parameter)
        https://bugs.webkit.org/show_bug.cgi?id=114670

        Reviewed by Rob Buis.
        remove warning in Source/JavaScriptCore/runtime/GCActivityCallbackBlackBerry.cpp

        * runtime/GCActivityCallbackBlackBerry.cpp:
        (JSC::DefaultGCActivityCallback::didAllocate):

2013-04-18  Jonathan Liu  <net147@gmail.com>

        Implement JIT for MinGW-w64 64-bit
        https://bugs.webkit.org/show_bug.cgi?id=114580

        Reviewed by Jocelyn Turcotte.

        * jit/JITStubs.cpp:
        (JSC):

2013-04-17  Mark Lam  <mark.lam@apple.com>

        Avoid using a branch range that is too far for some CPU architectures.
        https://bugs.webkit.org/show_bug.cgi?id=114782.

        Reviewed by David Kilzer.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-04-17  Julien Brianceau  <jbrianceau@nds.com>

        Fix SH4 build (broken since r148639).
        https://bugs.webkit.org/show_bug.cgi?id=114773.

        Allow longer displacements for specific branches in SH4 LLINT.

        Reviewed by Oliver Hunt.

        * offlineasm/sh4.rb:

2013-04-14  Roger Fong  <roger_fong@apple.com>

        Unreviewed. More Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-14  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-17  Mark Lam  <mark.lam@apple.com>

        Fix broken build. Replaced a static const with a #define.
        https://bugs.webkit.org/show_bug.cgi?id=114577.

        Unreviewed.

        * runtime/Watchdog.cpp:
        (JSC::Watchdog::Watchdog):
        (JSC::Watchdog::isEnabled):

2013-04-17  Mark Lam  <mark.lam@apple.com>

        Add LLINT and baseline JIT support for timing out scripts.
        https://bugs.webkit.org/show_bug.cgi?id=114577.

        Reviewed by Geoffrey Garen.

        Introduces the new Watchdog class which is used to track script
        execution time, and initiate script termination if needed.

        * API/JSContextRef.cpp:
        (internalScriptTimeoutCallback):
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        * API/JSContextRefPrivate.h:
        - Added new script execution time limit APIs.
        * API/tests/testapi.c:
        (currentCPUTime):
        (shouldTerminateCallback):
        (cancelTerminateCallback):
        (extendTerminateCallback):
        (main):
        - Added new API tests for script execution time limit.
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoopHint):
        - loop hints are needed for the llint as well. Hence, it will be
          emitted unconditionally.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::addStackTraceIfNecessary):
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        - Added checks for script termination before entering script code.
        * jit/JIT.cpp:
        (JSC::JIT::emitWatchdogTimerCheck):
        * jit/JIT.h:
        (JSC::JIT::emit_op_loop_hint):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION(void, handle_watchdog_timer)):
        * jit/JITStubs.h:
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::doThrow):
        - Factored out some common code from returnToThrow() and callToThrow().
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL(slow_path_handle_watchdog_timer)):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ExceptionHelpers.cpp:
        (JSC::throwTerminatedExecutionException):
        - Also removed the now unused InterruptedExecutionException.
        * runtime/ExceptionHelpers.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        - Added watchdog, and removed the now obsolete Terminator.
        * runtime/Terminator.h: Removed.
        * runtime/Watchdog.cpp: Added.
        (JSC::Watchdog::Watchdog):
        (JSC::Watchdog::~Watchdog):
        (JSC::Watchdog::setTimeLimit):
        (JSC::Watchdog::didFire):
        (JSC::Watchdog::isEnabled):
        (JSC::Watchdog::fire):
        (JSC::Watchdog::arm):
        (JSC::Watchdog::disarm):
        (JSC::Watchdog::startCountdownIfNeeded):
        (JSC::Watchdog::startCountdown):
        (JSC::Watchdog::stopCountdown):
        (JSC::Watchdog::Scope::Scope):
        (JSC::Watchdog::Scope::~Scope):
        * runtime/Watchdog.h: Added.
        (Watchdog):
        (JSC::Watchdog::didFire):
        (JSC::Watchdog::timerDidFireAddress):
        (JSC::Watchdog::isArmed):
        (Watchdog::Scope):
        * runtime/WatchdogMac.cpp: Added.
        (JSC::Watchdog::initTimer):
        (JSC::Watchdog::destroyTimer):
        (JSC::Watchdog::startTimer):
        (JSC::Watchdog::stopTimer):
        * runtime/WatchdogNone.cpp: Added.
        (JSC::Watchdog::initTimer):
        (JSC::Watchdog::destroyTimer):
        (JSC::Watchdog::startTimer):
        (JSC::Watchdog::stopTimer):

2013-04-14  Roger Fong  <roger_fong@apple.com>

        Unreviewed. VS2010 Windows build fix.

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd:

2013-04-14  Roger Fong  <roger_fong@apple.com>

        Copy make-file-export-generator script to the Source folders of the projects that use it.
        <rdar://problem/13675604>

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorBuildCmd.cmd:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/make-export-file-generator: Copied from Source/WebCore/make-export-file-generator.

2013-04-17  Brent Fulgham  <bfulgham@webkit.org>

        [Windows, WinCairo] Stop individually building WTF files in JSC.
        https://bugs.webkit.org/show_bug.cgi?id=114705

        Reviewed by Anders Carlsson.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        Export additional String/fastMalloc symbols needed by JSC program.
        * JavaScriptCore.vcproj/jsc/jsc.vcproj: Don't manually build
        WTF implementation files (a second time!) in this project.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
        Export additional String/fastMalloc symbols needed by JSC program.
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Don't manually
        build WTF implementation files (a second time!) in this project.
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters: Ditto.
2615 26162013-04-17 Mark Lam <mark.lam@apple.com> 2617 2618 releaseExecutableMemory() should canonicalize cell liveness data before 2619 it scans the GC roots. 2620 https://bugs.webkit.org/show_bug.cgi?id=114733. 2621 2622 Reviewed by Mark Hahnenberg. 2623 2624 * heap/Heap.cpp: 2625 (JSC::Heap::canonicalizeCellLivenessData): 2626 * heap/Heap.h: 2627 * runtime/JSGlobalData.cpp: 2628 (JSC::JSGlobalData::releaseExecutableMemory): 2629 26302013-04-16 Commit Queue <rniwa@webkit.org> 2631 2632 Unreviewed, rolling out r148576. 2633 http://trac.webkit.org/changeset/148576 2634 https://bugs.webkit.org/show_bug.cgi?id=114714 2635 2636 WebCore is building some of these same files (Requested by 2637 bfulgham on #webkit). 2638 2639 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: 2640 * JavaScriptCore.vcproj/jsc/jsc.vcproj: 2641 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 2642 * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: 2643 * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters: 2644 26452013-04-16 Brent Fulgham <bfulgham@webkit.org> 2646 2647 [Windows, WinCairo] Stop individually building WTF files in JSC. 2648 https://bugs.webkit.org/show_bug.cgi?id=114705 2649 2650 Reviewed by Anders Carlsson. 2651 2652 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: 2653 Export additional String/fastMalloc symbols needed by JSC program. 2654 * JavaScriptCore.vcproj/jsc/jsc.vcproj: Don't manually build 2655 WTF implementation files (a second time!) in this project. 2656 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 2657 Export additional String/fastMalloc symbols needed by JSC program. 2658 * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Don't manually 2659 build WTF implementation files (a second time!) in this project. 2660 * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters: Ditto. 

2013-04-16  Patrick Gansterer  <paroga@webkit.org>

        [CMake] Do not use JAVASCRIPTCORE_DIR in add_custom_command() of JavaScriptCore project
        https://bugs.webkit.org/show_bug.cgi?id=114265

        Reviewed by Brent Fulgham.

        Use CMAKE_CURRENT_SOURCE_DIR instead, since it provides the same value and is more
        understandable. Also move the GENERATE_HASH_LUT macro into the CMakeLists.txt
        of JavaScriptCore to avoid the usage of JAVASCRIPTCORE_DIR there too.

        * CMakeLists.txt:

2013-04-16  Anders Carlsson  <andersca@apple.com>

        Another Windows build fix attempt.

        * runtime/JSGlobalData.h:
        (JSGlobalData):

2013-04-16  Anders Carlsson  <andersca@apple.com>

        Try to fix the Windows build.

        * runtime/JSGlobalData.h:

2013-04-16  Brent Fulgham  <bfulgham@webkit.org>

        [Windows] Unreviewed VS2010 build correction.

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props:
        Specify proper link library to avoid mixture of ICU 4.0 and 4.6
        symbols during link.

2013-04-15  Ryosuke Niwa  <rniwa@webkit.org>

        Windows clean build fix after r148479.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-15  Anders Carlsson  <andersca@apple.com>

        ScriptWrappable subclasses shouldn't have to include WeakInlines.h
        https://bugs.webkit.org/show_bug.cgi?id=114641

        Reviewed by Alexey Proskuryakov.

        Move back the Weak constructor, destructor and clear() to Weak.h. Add a new weakClearSlowCase function
        and put it in Weak.cpp.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * heap/Weak.cpp: Added.
        * heap/Weak.h:
        * heap/WeakInlines.h:
        * heap/WeakSetInlines.h:

2013-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        HeapTimer lifetime should be less complicated
        https://bugs.webkit.org/show_bug.cgi?id=114529

        Reviewed by Oliver Hunt.

        Right now our HeapTimer lifetime is rather complicated. HeapTimers are "owned" by the JSGlobalData,
        but there's an issue in that there can be races between a thread that is trying to tear down a JSGlobalData
        and the HeapTimer's fire function. Our current code for tearing down HeapTimers is an intricate and delicate
        dance which probably contains subtle bugs.

        We can make our lives easier by changing things around a bit.

        1) We should free the API lock from being solely owned by the JSGlobalData so we don't have to worry about
        grabbing the lock out of invalid memory when our HeapTimer callback fires.

        2) We should also make it so that we deref the JSGlobalData first, then unlock the API lock so that when we
        have the lock, the JSGlobalData is in one of two states: fully valid or completely destroyed, and we know exactly which one.

        3) The JSLock can tell us this information by keeping a back pointer to the JSGlobalData. When the JSGlobalData's
        destructor is called, it clears this pointer in the JSLock. Other clients of the API lock can then check
        this pointer to determine whether or not the JSGlobalData is still around.

        4) The CFRunLoopTimer will use the API lock as its context rather than the HeapTimer itself. The only way
        the HeapTimer's callback can get to the HeapTimer is through the API lock's JSGlobalData pointer.

        5) The CFRunLoopTimerContext struct has two fields for retain and release callbacks for the context's info field.
        We'll provide these callbacks to ref() and deref() the JSLock as necessary. Thus, the timer becomes the other
        owner of the JSLock apart from the JSGlobalData.

        * API/APIShims.h: Remove the cruft that was required by the previous design, such as RefGlobalDataTag.
        (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
        (JSC::APIEntryShimWithoutLock::~APIEntryShimWithoutLock):
        (APIEntryShimWithoutLock):
        (JSC::APIEntryShim::APIEntryShim):
        (JSC::APIEntryShim::~APIEntryShim): Protect the API lock with a RefPtr, deref the JSGlobalData, which could destroy it,
        then unlock the API lock. This ordering prevents others from obtaining the API lock while the JSGlobalData is in the
        middle of being torn down.
        (JSC::APIEntryShim::init): We now take the lock, then ref the JSGlobalData, which is the opposite order of when we
        tear down the shim.
        * heap/Heap.cpp:
        (JSC::Heap::setActivityCallback): Use PassOwnPtr now.
        (JSC::Heap::activityCallback): Ditto.
        (JSC::Heap::sweeper): Ditto.
        (JSC):
        * heap/Heap.h:
        (Heap):
        * heap/HeapTimer.cpp:
        (JSC::retainAPILock): Retain callback for CFRunLoopTimerContext struct.
        (JSC::releaseAPILock): Release callback for the CFRunLoopTimerContext struct.
        (JSC::HeapTimer::HeapTimer): Use the API lock as the context's info field rather than the HeapTimer.
        (JSC::HeapTimer::timerDidFire): Grab the API lock. Return early if the JSGlobalData has already been destroyed.
        Otherwise, figure out which kind of HeapTimer we are based on the CFRunLoopTimerRef passed to the callback and
        call the HeapTimer's callback.
        * heap/HeapTimer.h:
        (HeapTimer):
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::create): PassOwnPtr all the things.
        * heap/IncrementalSweeper.h:
        (IncrementalSweeper):
        * jsc.cpp:
        (jscmain): We use an APIEntryShim instead of a RefPtr for the JSGlobalData because we need to
        tear down the JSGlobalData while we still hold the lock, which the APIEntryShim handles correctly.
        * runtime/GCActivityCallback.h:
        (DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::create):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData): Notify the API lock that the JSGlobalData is being torn down.
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        (JSC::JSGlobalData::apiLock):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder): Ref, then lock (just like the API shim).
        (JSC):
        (JSC::JSLock::willDestroyGlobalData):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder): Protect, deref, then unlock (just like the API shim).
        (JSC::JSLock::JSLock):
        * runtime/JSLock.h: Add back pointer to the JSGlobalData and a callback for when the JSGlobalData is being
        torn down that clears this pointer to notify other clients (i.e. timer callbacks) that the JSGlobalData is no
        longer valid.
        (JSLockHolder):
        (JSLock):
        (JSC::JSLock::globalData):
        * testRegExp.cpp:
        (realMain): We use an APIEntryShim instead of a RefPtr for the JSGlobalData because we need to
        tear down the JSGlobalData while we still hold the lock, which the APIEntryShim handles correctly.

2013-04-15  Julien Brianceau  <jbrianceau@nds.com>

        LLInt SH4 backend implementation
        https://bugs.webkit.org/show_bug.cgi?id=112886

        Reviewed by Oliver Hunt.

        * dfg/DFGOperations.cpp:
        (JSC):
        * jit/JITStubs.cpp:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * offlineasm/arm.rb:
        * offlineasm/ast.rb:
        * offlineasm/backends.rb:
        * offlineasm/instructions.rb:
        * offlineasm/mips.rb:
        * offlineasm/risc.rb:
        * offlineasm/sh4.rb: Added.

2013-04-15  Patrick Gansterer  <paroga@webkit.org>

        [CMake] Add WTF_USE_*_UNICODE variables
        https://bugs.webkit.org/show_bug.cgi?id=114556

        Reviewed by Brent Fulgham.

        WTF_USE_ICU_UNICODE and WTF_USE_WCHAR_UNICODE are used to
        reduce duplication in the platform specific CMake files.

        * CMakeLists.txt:
        * PlatformEfl.cmake:

2013-04-13  Patrick Gansterer  <paroga@webkit.org>

        Add missing export macro to SymbolTableEntry::freeFatEntrySlow()

        * runtime/SymbolTable.h:
        (SymbolTableEntry):

2013-04-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Block freeing thread should call Region::destroy instead of delete
        https://bugs.webkit.org/show_bug.cgi?id=114544

        Reviewed by Oliver Hunt.

        Since Region doesn't have a virtual destructor, calling delete will not properly clean up all of
        the state of the Region. We should call destroy() instead.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::releaseFreeRegions):
        (JSC::BlockAllocator::blockFreeingThreadMain):

2013-04-11  Benjamin Poulain  <bpoulain@apple.com>

        Merge CharacterClassTable into CharacterClass
        https://bugs.webkit.org/show_bug.cgi?id=114409

        Reviewed by Darin Adler.

        CharacterClassTable is only a pointer and a boolean.
        It is a little overkill to make a separate allocation
        for that.

        * create_regex_tables:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::matchCharacterClass):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::charClass):
        * yarr/YarrPattern.h:
        (CharacterClass):
        (JSC::Yarr::CharacterClass::CharacterClass):

2013-04-11  Michael Saboff  <msaboff@apple.com>

        Added UNLIKELY() suggested in https://bugs.webkit.org/show_bug.cgi?id=114366
        after checking in the original change.

        Rubber-stamped by Jessie Berlin.

        * dfg/DFGOperations.cpp:

2013-04-10  Benjamin Poulain  <benjamin@webkit.org>

        Unify JSC Parser's error and error message
        https://bugs.webkit.org/show_bug.cgi?id=114363

        Reviewed by Geoffrey Garen.

        The parser kept the error state over two attributes:
        error and errorMessage. They were changed in sync,
        but had some discrepancy (for example, the error message
        was always defined to something).

        This patch unifies the two. There is an error if
        the error message is non-null or if the parsing finished
        before the end.

        This also gets rid of the allocation of the error message
        when instantiating a parser.

        * parser/Parser.cpp:
        (JSC::::Parser):
        (JSC::::parseInner):
        (JSC::::parseSourceElements):
        (JSC::::parseVarDeclaration):
        (JSC::::parseConstDeclaration):
        (JSC::::parseForStatement):
        (JSC::::parseSwitchStatement):
        (JSC::::parsePrimaryExpression):
        * parser/Parser.h:
        (JSC::Parser::updateErrorMessage):
        (JSC::Parser::updateErrorWithNameAndMessage):
        (JSC::Parser::hasError):
        (Parser):

2013-04-10  Oliver Hunt  <oliver@apple.com>

        Set trap is not being called for API objects
        https://bugs.webkit.org/show_bug.cgi?id=114403

        Reviewed by Anders Carlsson.

        Intercept putByIndex on the callback object and add tests
        to make sure we don't regress in future.

        * API/JSCallbackObject.h:
        (JSCallbackObject):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::putByIndex):
        (JSC):
        * API/tests/testapi.c:
        (PropertyCatchalls_setProperty):
        * API/tests/testapi.js:

2013-04-10  Benjamin Poulain  <bpoulain@apple.com>

        Mass remove all the empty directories

        Rubberstamped by Ryosuke Niwa.

        * qt/api: Removed.
        * qt/benchmarks/qscriptengine: Removed.
        * qt/benchmarks/qscriptvalue: Removed.
        * qt/tests/qscriptengine: Removed.
        * qt/tests/qscriptstring: Removed.
        * qt/tests/qscriptvalue: Removed.
        * qt/tests/qscriptvalueiterator: Removed.

2013-04-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSObject::getOwnNonIndexPropertyNames calculates numCacheableSlots incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=114235

        Reviewed by Filip Pizlo.

        If the object doesn't have any properties but the prototype does, we'll assume those prototype properties are
        accessible in the base object's backing store, which is bad.

        * runtime/JSObject.cpp:
        (JSC::JSObject::getPropertyNames):
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::PropertyNameArray):
        (JSC::PropertyNameArray::setNumCacheableSlotsForObject):
        (JSC::PropertyNameArray::setBaseObject):
        (PropertyNameArray):

2013-04-10  Patrick Gansterer  <paroga@webkit.org>

        Remove code duplicates from MacroAssemblerARM
        https://bugs.webkit.org/show_bug.cgi?id=104457

        Reviewed by Oliver Hunt.

        Reuse some existing methods to avoid duplicated code.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::store8):
        (JSC::MacroAssemblerARM::store32):
        (JSC::MacroAssemblerARM::swap):
        (JSC::MacroAssemblerARM::add32):
        (JSC::MacroAssemblerARM::sub32):

2013-04-10  Michael Saboff  <msaboff@apple.com>

        DFG: Negative size for new Array() interpreted as large unsigned int
        https://bugs.webkit.org/show_bug.cgi?id=114366

        Reviewed by Oliver Hunt.

        Added new check in operationNewArrayWithSize() for a negative
        size. If size is negative throw a "RangeError: Array size is not a
        small enough positive integer" exception.

        * dfg/DFGOperations.cpp:

2013-04-10  peavo@outlook.com  <peavo@outlook.com>

        WinCairo build fails to link.
        https://bugs.webkit.org/show_bug.cgi?id=114358

        Reviewed by Brent Fulgham.

        Export the symbol WTF::MD5::checksum().

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-08  Anders Carlsson  <andersca@apple.com>

        Remove unneeded headers from FrameLoader.h
        https://bugs.webkit.org/show_bug.cgi?id=114223

        Reviewed by Geoffrey Garen.

        Update for WTF changes.

        * bytecode/SpeculatedType.h:
        * runtime/JSCJSValue.h:

2013-04-09  Geoffrey Garen  <ggaren@apple.com>

        Removed bitrotted TimeoutChecker code
        https://bugs.webkit.org/show_bug.cgi?id=114336

        Reviewed by Alexey Proskuryakov.

        This mechanism hasn't worked for a while.

        MarkL is working on a new version of this feature with a distinct
        implementation.

        * API/APIShims.h:
        (JSC::APIEntryShim::~APIEntryShim):
        (JSC::APIEntryShim::init):
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGGPRInfo.h:
        * jit/JIT.cpp:
        * jit/JIT.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JSInterfaceJIT.h:
        (JSInterfaceJIT):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Walker::walk):
        * runtime/TimeoutChecker.cpp: Removed.
        * runtime/TimeoutChecker.h: Removed.

2013-04-10  Oliver Hunt  <oliver@apple.com>

        REGRESSION (r148073): WebKit Nightly r148082 crashes on launch in JSObjectSetPrivate
        https://bugs.webkit.org/show_bug.cgi?id=114341

        Reviewed by Alexey Proskuryakov.

        Make JSObjectSetPrivate use uncheckedToJS as some clients
        clear their private data during finalization for some reason.

        * API/JSObjectRef.cpp:
        (JSObjectSetPrivate):

2013-04-09  Oliver Hunt  <oliver@apple.com>

        Add liveness tests to JSC API entry points
        https://bugs.webkit.org/show_bug.cgi?id=114318

        Reviewed by Geoffrey Garen.

        Add simple checks for the existence of a method table on any
        JSCells passed across the API. This in turn forces a structure
        validity test.

        * API/APICast.h:
        (toJS):
        (toJSForGC):
        (unsafeToJS):
        * API/JSObjectRef.cpp:
        (JSObjectGetPrivate):

2013-04-09  Oliver Hunt  <oliver@apple.com>

        Rollout last patch as it destroyed everything

        * API/APICast.h:
        (toJS):
        (toJSForGC):

2013-04-09  Oliver Hunt  <oliver@apple.com>

        Add liveness tests to JSC API entry points
        https://bugs.webkit.org/show_bug.cgi?id=114318

        Reviewed by Filip Pizlo.

        Add simple checks for the existence of a method table on any
        JSCells passed across the API. This in turn forces a structure
        validity test.

        * API/APICast.h:
        (toJS):
        (toJSForGC):

2013-04-09  Balazs Kilvady  <kilvadyb@homejinni.com>

        LLInt conditional branch compilation fault on MIPS.
        https://bugs.webkit.org/show_bug.cgi?id=114264

        Reviewed by Filip Pizlo.

        Fix conditional branch compilation in LLInt offlineasm.

        * offlineasm/mips.rb:

2013-04-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSObject::getOwnNonIndexPropertyNames calculates numCacheableSlots incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=114235

        Reviewed by Geoffrey Garen.

        Due to the way that numCacheableSlots is currently calculated, checking an object's prototype for enumerable
        properties causes us not to cache any properties at all. We should only cache properties on the object itself
        since we currently don't take advantage of any sort of name caching for properties in the prototype chain.
        This fix undoes a ~2% SunSpider regression caused by http://trac.webkit.org/changeset/147570.

        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnNonIndexPropertyNames):

2013-04-09  Ryosuke Niwa  <rniwa@webkit.org>

        Remove yarr.gyp
        https://bugs.webkit.org/show_bug.cgi?id=114247

        Reviewed by Benjamin Poulain.

        * yarr/yarr.gyp: Removed.

2013-04-08  Ryosuke Niwa  <rniwa@webkit.org>

        Remove JavaScriptCore.gyp/gypi
        https://bugs.webkit.org/show_bug.cgi?id=114238

        Reviewed by Benjamin Poulain.

        * JavaScriptCore.gyp: Removed.
        * JavaScriptCore.gyp/.gitignore: Removed.
        * JavaScriptCore.gypi: Removed.

2013-04-08  Vahag Vardanyan  <vaag@ispras.ru>

        Adds fromCharCode intrinsic support.
        https://bugs.webkit.org/show_bug.cgi?id=104807

        Reviewed by Oliver Hunt.

        Switch to using fromCharCode intrinsic instead of call operation in some cases.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileFromCharCode):
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):
        (JSC):
        * runtime/StringConstructor.h:
        (JSC):

2013-04-08  Benjamin Poulain  <benjamin@webkit.org>

        Remove HTML Notification
        https://bugs.webkit.org/show_bug.cgi?id=114231

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2013-04-05  Roger Fong  <roger_fong@apple.com>

        Build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-08  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to inline string equality comparisons
        https://bugs.webkit.org/show_bug.cgi?id=114224

        Reviewed by Oliver Hunt.

        Inline 8-bit string equality, go to slow path for 16-bit strings. 2x speed-up for string equality
        comparisons on 8-bit strings. 20-50% speed-up on JSRegress/HashMap tests. 30% speed-up on
        string-fasta. 2% speed-up on SunSpider overall. Some small speed-ups elsewhere.

        This is a gnarly change but we have loads of test coverage already between the HashMap tests and
        preexisting DFG string equality tests (which appear to have been designed to test OSR exits, but
        also give us good overall coverage on string equality behavior).

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::compileStringEquality):
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):

2013-04-08  Geoffrey Garen  <ggaren@apple.com>

        Stop #include-ing all of JavaScriptCore in every DOM-related file
        https://bugs.webkit.org/show_bug.cgi?id=114220

        Reviewed by Sam Weinig.

        I separated WeakInlines.h from Weak.h so WebCore data types that need
        to declare a Weak<T> data member don't have to #include all of the
        infrastructure for accessing that data member.

        This also required separating Weak<T> from PassWeak<T> by removing the
        WeakImplAccessor class template and pushing code down into its subclasses.

        * API/JSWeakObjectMapRefPrivate.cpp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/UnlinkedCodeBlock.h:
        * heap/PassWeak.h:
        (JSC):
        (PassWeak):
        (JSC::::PassWeak):
        (JSC::::operator):
        (JSC::::get):
        * heap/SlotVisitorInlines.h:
        * heap/Weak.h:
        (JSC):
        (Weak):
        * heap/WeakInlines.h: Copied from Source/JavaScriptCore/heap/Weak.h.
        (JSC):
        (JSC::::Weak):
        (JSC::::operator):
        (JSC::::get):
        (JSC::::was):
        (JSC::weakClear):
        * jit/JITThunks.h:
        * runtime/RegExpCache.h:
        * runtime/Structure.h:
        * runtime/WeakGCMap.h:

2013-04-05  Roger Fong  <roger_fong@apple.com>

        Windows build fix fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-04-05  Roger Fong  <roger_fong@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-08  Oliver Hunt  <oliver@apple.com>

        Make resolve more robust in the face of lookup misses
        https://bugs.webkit.org/show_bug.cgi?id=114211

        Reviewed by Filip Pizlo.

        This simply short circuits the resolve operations in the
        event that we don't find a path to a property. There's no
        repro case for this happening unfortunately.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2013-04-08  Oliver Hunt  <oliver@apple.com>

        Build fix.

        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):

2013-04-08  Justin Haygood  <jhaygood@reaktix.com>

        Allow KeywordLookupGenerator.py to work on Windows with Windows style line endings
        https://bugs.webkit.org/show_bug.cgi?id=63234

        Reviewed by Oliver Hunt.

        * KeywordLookupGenerator.py:
        (parseKeywords):

2013-04-08  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r146669): Assertion hit in JSC::DFG::SpeculativeJIT::fillSpeculateCell() running webgl tests
        https://bugs.webkit.org/show_bug.cgi?id=114129
        <rdar://problem/13594898>

        Reviewed by Darin Adler.

        The check to see if we need a cell check when simplifying a GetById or PutById needs to be hoisted to
        above where we abstractly execute the instruction, since after we abstractly execute it, it will
        seem like it no longer needs the cell check.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2013-04-07  Oliver Hunt  <oliver@apple.com>

        Add bounds checking for WTF::Vector::operator[]
        https://bugs.webkit.org/show_bug.cgi?id=89600

        Reviewed by Filip Pizlo.

        Make a few JSC classes opt-out of release mode bounds checking.

        * assembler/AssemblerBuffer.h:
        (AssemblerBuffer):
        * assembler/AssemblerBufferWithConstantPool.h:
        (AssemblerBufferWithConstantPool):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::bytecodeOffset):
        (JSC):
        (JSC::replaceExistingEntries):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::bytecodeOffsetForCallAtIndex):
        (JSC::CodeBlock::callReturnIndexVector):
        (JSC::CodeBlock::codeOrigins):
        (RareData):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedEvalCodeBlock::adoptVariables):
        (UnlinkedEvalCodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        (CallArguments):
        (JSC::BytecodeGenerator::instructions):
        (BytecodeGenerator):
        * bytecompiler/StaticPropertyAnalysis.h:
        (JSC::StaticPropertyAnalysis::create):
        (JSC::StaticPropertyAnalysis::StaticPropertyAnalysis):
        (StaticPropertyAnalysis):
        * bytecompiler/StaticPropertyAnalyzer.h:
        (StaticPropertyAnalyzer):
        (JSC::StaticPropertyAnalyzer::StaticPropertyAnalyzer):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * parser/ASTBuilder.h:
        (ASTBuilder):
        * runtime/ArgList.h:
        (MarkedArgumentBuffer):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):

2013-04-07  Benjamin Poulain  <benjamin@webkit.org>

        Use Vector::reserveInitialCapacity() when possible in JavaScriptCore runtime
        https://bugs.webkit.org/show_bug.cgi?id=114111

        Reviewed by Andreas Kling.

        Almost all the code was already using Vector::reserveInitialCapacity()
        and Vector::uncheckedAppend(). Fix the remaining parts.

        * runtime/ArgList.h:
        (MarkedArgumentBuffer): The type VectorType is unused.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        Move the variable closer to where it is needed.

        * runtime/JSArray.cpp:
        (JSC::JSArray::setLengthWithArrayStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyNames):

2013-04-07  Patrick Gansterer  <paroga@webkit.org>

        Remove references to Skia and V8 from CMake files
        https://bugs.webkit.org/show_bug.cgi?id=114130

        Reviewed by Geoffrey Garen.

        * shell/PlatformBlackBerry.cmake:

2013-04-07  David Kilzer  <ddkilzer@apple.com>

        Remove the rest of SVG_DOM_OBJC_BINDINGS
        <http://webkit.org/b/114112>

        Reviewed by Geoffrey Garen.

        * Configurations/FeatureDefines.xcconfig:
        - Remove ENABLE_SVG_DOM_OBJC_BINDINGS macro.

2013-04-07  Oliver Hunt  <oliver@apple.com>

        Inspector should display information about non-object exceptions
        https://bugs.webkit.org/show_bug.cgi?id=114123

        Reviewed by Adele Peterson.

        Make sure we store the right stack information, even when throwing
        a primitive.

        * interpreter/CallFrame.h:
        (JSC::ExecState::clearSupplementaryExceptionInfo):
        (ExecState):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::addStackTraceIfNecessary):
        (JSC::Interpreter::throwException):

2013-04-06  Oliver Hunt  <oliver@apple.com>

        Unify the many and varied stack trace mechanisms, and make the result sane.
        https://bugs.webkit.org/show_bug.cgi?id=114072

        Reviewed by Filip Pizlo.

        Makes JSC::StackFrame record the bytecode offset and other necessary data
        rather than requiring us to perform eager evaluation of the line number, etc.
        Then remove most of the users of retrieveLastCaller, as most of them were
        using it to create a stack trace in a fairly incomplete and inefficient way.

        StackFrame now also has a couple of helpers to get the line and column info.

        * API/JSContextRef.cpp:
        (JSContextCreateBacktrace):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDebugHook):
        * interpreter/Interpreter.cpp:
        (JSC):
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::unwindCallFrame):
        (JSC::getBytecodeOffsetForCallFrame):
        (JSC::getCallerInfo):
        (JSC::StackFrame::line):
        (JSC::StackFrame::column):
        (JSC::StackFrame::expressionInfo):
        (JSC::StackFrame::toString):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::addStackTraceIfNecessary):
        (JSC::Interpreter::retrieveCallerFromVMCode):
        * interpreter/Interpreter.h:
        (StackFrame):
        (Interpreter):
        * runtime/Error.cpp:
        (JSC::throwError):
        * runtime/JSGlobalData.h:
        (JSC):
        (JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope):

2013-04-06  Geoffrey Garen  <ggaren@apple.com>

        Removed v8 bindings hooks from IDL files
        https://bugs.webkit.org/show_bug.cgi?id=114091

        Reviewed by Anders Carlsson and Sam Weinig.

        * heap/HeapStatistics.h:

2013-04-03  Roger Fong  <roger_fong@apple.com>

        Windows VS2010 build fix.

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-06  Zan Dobersek  <zdobersek@igalia.com>

        Remove the remaining PLATFORM(CHROMIUM) guard in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=114082

        Reviewed by Ryosuke Niwa.

        * runtime/JSExportMacros.h: Remove the remaining PLATFORM(CHROMIUM) guard.

2013-04-06  Ed Bartosh  <bartosh@gmail.com>

        --minimal build fails with error: control reaches end of non-void function
        https://bugs.webkit.org/show_bug.cgi?id=114085

        Reviewed by Oliver Hunt.

        * interpreter/Interpreter.cpp: return 0 if JIT is not enabled
        (JSC::getBytecodeOffsetForCallFrame):

2013-04-06  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        Added back a symbol that is exported.

2013-04-06  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        Removed symbols that aren't exported.

2013-04-06  Geoffrey Garen  <ggaren@apple.com>

        Rolled out 147820 and 147818 because they caused plugins tests to ASSERT
        https://bugs.webkit.org/show_bug.cgi?id=114094

        Reviewed by Anders Carlsson.

        * API/JSContextRef.cpp:
        (JSContextCreateBacktrace):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDebugHook):
        * interpreter/Interpreter.cpp:
        (JSC):
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::unwindCallFrame):
        (JSC::getLineNumberForCallFrame):
        (JSC::getCallerInfo):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::addStackTraceIfNecessary):
        (JSC::Interpreter::retrieveCallerFromVMCode):
        * interpreter/Interpreter.h:
        (StackFrame):
        (JSC::StackFrame::toString):
        (JSC::StackFrame::friendlyLineNumber):
        (Interpreter):
        * runtime/Error.cpp:
        (JSC::throwError):
        * runtime/JSGlobalData.h:
        (JSC):
        (JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope):

2013-04-06  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed build fix after r146932.

        * profiler/ProfilerDatabase.cpp:
        (Profiler):

2013-04-06  Patrick Gansterer  <paroga@webkit.org>

        Do not call getenv() on Windows CE where it does not exist.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):

2013-04-05  Benjamin Poulain  <benjamin@webkit.org>

        Second attempt to fix the Windows bot

        Unreviewed.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-05  Benjamin Poulain  <bpoulain@apple.com>

        Attempt to fix the Windows bot

        Unreviewed.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
        r147825 removed the symbol for nullptr_t. Add it back.

2013-04-02  Roger Fong  <roger_fong@apple.com>

        Build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-05 Oliver Hunt <oliver@apple.com>

        Build fix.

        * interpreter/Interpreter.cpp:
        (JSC::getBytecodeOffsetForCallFrame):

2013-04-05 Oliver Hunt <oliver@apple.com>

        Unify the many and varied stack trace mechanisms, and make the result sane.
        https://bugs.webkit.org/show_bug.cgi?id=114072

        Reviewed by Filip Pizlo.

        Makes JSC::StackFrame record the bytecode offset and other necessary data
        rather than requiring us to perform eager evaluation of the line number, etc.
        Then remove most of the users of retrieveLastCaller, as most of them were
        using it to create a stack trace in a fairly incomplete and inefficient way.

        StackFrame now also has a couple of helpers to get the line and column info.

        * API/JSContextRef.cpp:
        (JSContextCreateBacktrace):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDebugHook):
        * interpreter/Interpreter.cpp:
        (JSC):
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::unwindCallFrame):
        (JSC::getBytecodeOffsetForCallFrame):
        (JSC::getCallerInfo):
        (JSC::StackFrame::line):
        (JSC::StackFrame::column):
        (JSC::StackFrame::expressionInfo):
        (JSC::StackFrame::toString):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::addStackTraceIfNecessary):
        (JSC::Interpreter::retrieveCallerFromVMCode):
        * interpreter/Interpreter.h:
        (StackFrame):
        (Interpreter):
        * runtime/Error.cpp:
        (JSC::throwError):
        * runtime/JSGlobalData.h:
        (JSC):
        (JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope):

2013-04-05 Mark Hahnenberg <mhahnenberg@apple.com>

        tryCacheGetByID sets StructureStubInfo accessType to an incorrect value
        https://bugs.webkit.org/show_bug.cgi?id=114068

        Reviewed by Geoffrey Garen.

        In the case where we have a non-Value cacheable property, we set the StructureStubInfo accessType to
        get_by_id_self, but then we don't patch self and instead patch in a get_by_id_self_fail. This leads to
        incorrect profiling data so when the DFG compiles the function, it uses a GetByOffset rather than a GetById,
        which leads to loading a GetterSetter directly out of an object.

        * jit/JITStubs.cpp:
        (JSC::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):

2013-04-05 Filip Pizlo <fpizlo@apple.com>

        If CallFrame::trueCallFrame() knows that it's about to read garbage instead of a valid CodeOrigin/InlineCallFrame, then it should give up and return 0 and all callers should be robust against this
        https://bugs.webkit.org/show_bug.cgi?id=114062

        Reviewed by Oliver Hunt.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::canGetCodeOrigin):
        (CodeBlock):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::trueCallFrame):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::getStackTrace):

2013-04-05 Geoffrey Garen <ggaren@apple.com>

        Made USE(JSC) unconditional
        https://bugs.webkit.org/show_bug.cgi?id=114058

        Reviewed by Anders Carlsson.

        * config.h:

2013-04-05 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, rolling out http://trac.webkit.org/changeset/147729

        It's causing a bunch of breakage on some more strict compilers:
        <inline asm>:1267:2: error: ambiguous instructions require an explicit suffix (could be 'ficomps', or 'ficompl')

        * offlineasm/x86.rb:

2013-04-05 Roger Fong <roger_fong@apple.com>

        More VS2010 solution makefile fixes.
        <rdar://problem/13588964>

        * JavaScriptCore.vcxproj/JavaScriptCore.make:

2013-04-05 Allan Sandfeld Jensen <allan.jensen@digia.com>

        LLint should be able to use x87 instead of SSE for floating point

        https://bugs.webkit.org/show_bug.cgi?id=112239

        Reviewed by Filip Pizlo.

        Implements LLInt floating point operations in x87, to ensure we support
        x86 without SSE2.

        X86 (except 64bit) now defaults to using x87 instructions in order to
        support all 32bit x86 back to i686. The implementation uses the fucomi
        instruction from i686 which sets the new minimum.

        * offlineasm/x86.rb:

2013-04-04 Christophe Dumez <ch.dumez@sisa.samsung.com>

        Unreviewed EFL build fix.

        We had undefined reference to `JSC::CodeOrigin::maximumBytecodeIndex'.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::findClosureCallForReturnPC):
        (JSC::CodeBlock::bytecodeOffset):

2013-04-04 Geoffrey Garen <ggaren@apple.com>

        Stop pretending that statements return a value
        https://bugs.webkit.org/show_bug.cgi?id=113969

        Reviewed by Oliver Hunt.

        Expressions have an intrinsic value, which they return to their parent
        in the AST.

        Statements just execute for effect in sequence.

        This patch moves emitBytecode into the ExpressionNode and StatementNode
        subclasses, and changes the StatementNode subclass to return void. This
        eliminates some cruft where we used to return 0, or try to save a bogus
        register and return it, as if a statement had a consuming parent in the
        AST.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitNode):
        (BytecodeGenerator):
        (JSC::BytecodeGenerator::emitNodeInConditionContext):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ConstStatementNode::emitBytecode):
        (JSC::BlockNode::emitBytecode):
        (JSC::EmptyStatementNode::emitBytecode):
        (JSC::DebuggerStatementNode::emitBytecode):
        (JSC::ExprStatementNode::emitBytecode):
        (JSC::VarStatementNode::emitBytecode):
        (JSC::IfNode::emitBytecode):
        (JSC::IfElseNode::emitBytecode):
        (JSC::DoWhileNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        (JSC::WithNode::emitBytecode):
        (JSC::CaseClauseNode::emitBytecode):
        (JSC::CaseBlockNode::emitBytecodeForBlock):
        (JSC::SwitchNode::emitBytecode):
        (JSC::LabelNode::emitBytecode):
        (JSC::ThrowNode::emitBytecode):
        (JSC::TryNode::emitBytecode):
        (JSC::ScopeNode::emitStatementsBytecode):
        (JSC::ProgramNode::emitBytecode):
        (JSC::EvalNode::emitBytecode):
        (JSC::FunctionBodyNode::emitBytecode):
        (JSC::FuncDeclNode::emitBytecode):
        * parser/NodeConstructors.h:
        (JSC::PropertyListNode::PropertyListNode):
        (JSC::ArgumentListNode::ArgumentListNode):
        * parser/Nodes.h:
        (Node):
        (ExpressionNode):
        (StatementNode):
        (ConstStatementNode):
        (BlockNode):
        (EmptyStatementNode):
        (DebuggerStatementNode):
        (ExprStatementNode):
        (VarStatementNode):
        (IfNode):
        (IfElseNode):
        (DoWhileNode):
        (WhileNode):
        (ForNode):
        (ForInNode):
        (ContinueNode):
        (BreakNode):
        (ReturnNode):
        (WithNode):
        (LabelNode):
        (ThrowNode):
        (TryNode):
        (ProgramNode):
        (EvalNode):
        (FunctionBodyNode):
        (FuncDeclNode):
        (CaseBlockNode):
        (SwitchNode):

2013-04-04 Oliver Hunt <oliver@apple.com>

        Exception stack unwinding doesn't handle inline callframes correctly
        https://bugs.webkit.org/show_bug.cgi?id=113952

        Reviewed by Geoffrey Garen.

        The basic problem here is that the exception stack unwinding was
        attempting to be "clever" and avoid doing a correct stack walk
        as it "knew" inline callframes couldn't have exception handlers.

        This used to be safe as the exception handling machinery was
        designed to fail gently and just claim that no handler existed.
        This was "safe" and even "correct" inasmuch as we currently
        don't run any code with exception handlers through the dfg.

        This patch fixes the logic by simply making everything uniformly
        use the safe stack walking machinery, and making the correct
        boundary checks occur everywhere that they should.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::findClosureCallForReturnPC):
        (JSC::CodeBlock::bytecodeOffset):
        * interpreter/Interpreter.cpp:
        (JSC):
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::unwindCallFrame):
        (JSC::getCallerInfo):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::retrieveCallerFromVMCode):

2013-04-04 Geoffrey Garen <ggaren@apple.com>

        Removed a defunct comment
        https://bugs.webkit.org/show_bug.cgi?id=113948

        Reviewed by Oliver Hunt.

        This is also a convenient way to test the EWS.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC):

2013-04-04 Martin Robinson <mrobinson@igalia.com>

        [GTK] Remove the gyp build
        https://bugs.webkit.org/show_bug.cgi?id=113942

        Reviewed by Gustavo Noronha Silva.

        * JavaScriptCore.gyp/JavaScriptCoreGTK.gyp: Removed.
        * JavaScriptCore.gyp/redirect-stdout.sh: Removed.

2013-04-04 Geoffrey Garen <ggaren@apple.com>

        Simplified bytecode generation by merging prefix and postfix nodes
        https://bugs.webkit.org/show_bug.cgi?id=113925

        Reviewed by Filip Pizlo.

        PostfixNode now inherits from PrefixNode, so when we detect that we're
        in a context where postfix and prefix are equivalent, PostfixNode can
        just call through to PrefixNode codegen, instead of duplicating the
        logic.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PostfixNode::emitBracket):
        (JSC::PostfixNode::emitDot):
        * parser/NodeConstructors.h:
        (JSC::PostfixNode::PostfixNode):
        * parser/Nodes.h:
        (JSC):
        (PrefixNode):
        (PostfixNode):

2013-04-04 Andras Becsi <andras.becsi@digia.com>

        Fix the build with GCC 4.8
        https://bugs.webkit.org/show_bug.cgi?id=113147

        Reviewed by Allan Sandfeld Jensen.

        Initialize JSObject* exception to suppress warnings that make
        the build fail because of -Werror=maybe-uninitialized.

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):

2013-04-02 Mark Hahnenberg <mhahnenberg@apple.com>

        get_by_pname can become confused when iterating over objects with static properties
        https://bugs.webkit.org/show_bug.cgi?id=113831

        Reviewed by Geoffrey Garen.

        get_by_pname doesn't take static properties into account when using a JSPropertyNameIterator to directly
        access an object's backing store. One way to fix this is to not cache any properties when iterating over
        objects with static properties. This patch fixes the bug that was originally reported on swisscom.ch.

        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::PropertyNameArray):
        (JSC::PropertyNameArray::numCacheableSlots):
        (JSC::PropertyNameArray::setNumCacheableSlots):
        (PropertyNameArray):

2013-04-02 Geoffrey Garen <ggaren@apple.com>

        DFG should compile a little sooner
        https://bugs.webkit.org/show_bug.cgi?id=113835

        Unreviewed.

        Rolled out r147511 because it was based on incorrect performance
        measurement.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::optimizationThresholdScalingFactor):

2013-04-02 Geoffrey Garen <ggaren@apple.com>

        DFG should compile a little sooner
        https://bugs.webkit.org/show_bug.cgi?id=113835

        Reviewed by Michael Saboff.

        2% speedup on SunSpider.

        2% speedup on JSRegress.

        Neutral on Octane, v8, and Kraken.

        The worst-hit single sub-test is kraken-stanford-crypto-ccm.js, which gets
        18% slower. Since Kraken is neutral overall in its preferred mean, I
        think that's OK for now.

        (Our array indexing speculation fails pathologically on
        kraken-stanford-crypto-ccm.js. Compiling sooner is a regression because
        it triggers those failures sooner. I'm going to file some follow-up bugs
        explaining how to fix our speculations on this sub-test, at which point
        compiling earlier should become a slight speedup on Kraken overall.)

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::optimizationThresholdScalingFactor): I experimented
        with a few different options, including reducing the coefficient 'a'.
        A simple linear reduction on instruction count worked best.

2013-04-01 Benjamin Poulain <benjamin@webkit.org>

        Use Vector::reserveInitialCapacity and Vector::uncheckedAppend for JSC's APIs
        https://bugs.webkit.org/show_bug.cgi?id=113651

        Reviewed by Andreas Kling.

        This removes a bunch of branches on initialization and when
        filling the vector.

        * API/JSCallbackConstructor.cpp:
        (JSC::constructJSCallback):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::call):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::construct):
        (JSC::::call):
        * API/JSObjectRef.cpp:
        (JSObjectCopyPropertyNames):

2013-04-01 Mark Hahnenberg <mhahnenberg@apple.com>

        Fixing borked VS 2010 project file

        Unreviewed bot greening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2013-04-01 Mark Hahnenberg <mhahnenberg@apple.com>

        One more Windows build fix

        Unreviewed.

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-01 Mark Hahnenberg <mhahnenberg@apple.com>

        More build fallout fixes.

        Unreviewed build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Add new export symbols.
        * heap/SuperRegion.cpp: Windows didn't like "LLU".

2013-04-01 Mark Hahnenberg <mhahnenberg@apple.com>

        r147324 broke the world
        https://bugs.webkit.org/show_bug.cgi?id=113704

        Unreviewed build fix.

        Remove a bunch of unused variables and use the correctly sized types for 32-bit platforms.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::BlockAllocator):
        * heap/BlockAllocator.h:
        (BlockAllocator):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        * heap/SuperRegion.cpp:
        (JSC::SuperRegion::SuperRegion):
        * heap/SuperRegion.h:
        (SuperRegion):

2013-04-01 Mark Hahnenberg <mhahnenberg@apple.com>

        32-bit Windows build fix

        Unreviewed build fix.

        * heap/SuperRegion.cpp:
        * heap/SuperRegion.h: Use uint64_t instead of size_t.
        (SuperRegion):

2013-04-01 Mark Hahnenberg <mhahnenberg@apple.com>

        EFL build fix

        Unreviewed build fix.

        * CMakeLists.txt:

2013-03-31 Mark Hahnenberg <mhahnenberg@apple.com>

        Regions should be allocated from the same contiguous segment of virtual memory
        https://bugs.webkit.org/show_bug.cgi?id=113662

        Reviewed by Filip Pizlo.

        Instead of letting the OS spread our Regions all over the place, we should allocate them all within
        some range of each other. This change will open the door to some other optimizations, e.g. doing simple
        range checks for our write barriers and compressing JSCell pointers to 32-bits.

        Added new SuperRegion class that encapsulates allocating Regions from a contiguous reserved chunk of
        virtual address space. It functions very similarly to the FixedVMPoolExecutableAllocator class used by the JIT.

        Also added two new subclasses of Region, NormalRegion and ExcessRegion.

        NormalRegion is the type of Region that is normally allocated when there is available space remaining
        in the SuperRegion. If we ever run out of space in the SuperRegion, we fall back to allocating
        ExcessRegions, which are identical to how Regions have behaved up until now, i.e. they contain a
        PageAllocationAligned.

        We only use the SuperRegion (and NormalRegions) on 64-bit systems, since it doesn't make sense to reserve the
        entire 4 GB address space on 32-bit systems just for the JS heap.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::BlockAllocator):
        * heap/BlockAllocator.h:
        (JSC):
        (BlockAllocator):
        (JSC::BlockAllocator::allocate):
        (JSC::BlockAllocator::allocateCustomSize):
        (JSC::BlockAllocator::deallocateCustomSize):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC):
        (JSC::Heap::didExceedFixedHeapSizeLimit):
        * heap/Heap.h:
        (Heap):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::create):
        * heap/Region.h:
        (Region):
        (JSC):
        (NormalRegion):
        (JSC::NormalRegion::base):
        (JSC::NormalRegion::size):
        (ExcessRegion):
        (JSC::ExcessRegion::base):
        (JSC::ExcessRegion::size):
        (JSC::NormalRegion::NormalRegion):
        (JSC::NormalRegion::tryCreate):
        (JSC::NormalRegion::tryCreateCustomSize):
        (JSC::NormalRegion::reset):
        (JSC::ExcessRegion::ExcessRegion):
        (JSC::ExcessRegion::~ExcessRegion):
        (JSC::ExcessRegion::create):
        (JSC::ExcessRegion::createCustomSize):
        (JSC::ExcessRegion::reset):
        (JSC::Region::Region):
        (JSC::Region::initializeBlockList):
        (JSC::Region::create):
        (JSC::Region::createCustomSize):
        (JSC::Region::~Region):
        (JSC::Region::destroy):
        (JSC::Region::reset):
        (JSC::Region::deallocate):
        (JSC::Region::base):
        (JSC::Region::size):
        * heap/SuperRegion.cpp: Added.
        (JSC):
        (JSC::SuperRegion::SuperRegion):
        (JSC::SuperRegion::getAlignedBase):
        (JSC::SuperRegion::allocateNewSpace):
        (JSC::SuperRegion::notifyNeedPage):
        (JSC::SuperRegion::notifyPageIsFree):
        * heap/SuperRegion.h: Added.
        (JSC):
        (SuperRegion):

2013-04-01 Benjamin Poulain <benjamin@webkit.org>

        Remove an unused variable from the ARMv7 Assembler
        https://bugs.webkit.org/show_bug.cgi?id=113653

        Reviewed by Andreas Kling.

        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):

2013-03-31 Adam Barth <abarth@webkit.org>

        [Chromium] Yarr should build using a separate GYP file from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=113652

        Reviewed by Nico Weber.

        This patch moves JavaScriptCore.gyp to yarr.gyp because Chromium only
        uses this GYP file to build yarr.

        * JavaScriptCore.gyp/JavaScriptCoreGTK.gyp:
        * JavaScriptCore.gypi:
        * yarr/yarr.gyp: Renamed from Source/JavaScriptCore/JavaScriptCore.gyp/JavaScriptCore.gyp.

2013-03-31 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, fix a comment. While thinking about TBAA for array accesses,
        I realized that we have to be super careful about aliasing of typed arrays.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getByValLoadElimination):

2013-03-30 Mark Hahnenberg <mhahnenberg@apple.com>

        Move Region into its own header
        https://bugs.webkit.org/show_bug.cgi?id=113617

        Reviewed by Geoffrey Garen.

        BlockAllocator.h is getting a little crowded. We should move the Region class into its own
        header, since it's pretty independent from the BlockAllocator.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/BlockAllocator.h:
        (JSC):
        * heap/Region.h: Added.
        (JSC):
        (DeadBlock):
        (JSC::DeadBlock::DeadBlock):
        (Region):
        (JSC::Region::blockSize):
        (JSC::Region::isFull):
        (JSC::Region::isEmpty):
        (JSC::Region::isCustomSize):
        (JSC::Region::create):
        (JSC::Region::createCustomSize):
        (JSC::Region::Region):
        (JSC::Region::~Region):
        (JSC::Region::reset):
        (JSC::Region::allocate):
        (JSC::Region::deallocate):

2013-03-29 Mark Hahnenberg <mhahnenberg@apple.com>

        Objective-C API: Remove -[JSManagedValue managedValueWithValue:owner:]
        https://bugs.webkit.org/show_bug.cgi?id=113602

        Reviewed by Geoffrey Garen.

        Since we put the primary way of keeping track of external object graphs (i.e. "managed" references)
        in JSVirtualMachine, there is some overlap in the functionality of that interface and JSManagedValue.
        Specifically, we no longer need the methods that include an owner, since ownership is now tracked
        by JSVirtualMachine. These JSManagedValues will become weak pointers unless they are used
        with [JSVirtualMachine addManagedReference:withOwner:], in which case their lifetime is tied to that
        of their owner.

        * API/JSManagedValue.h:
        * API/JSManagedValue.mm:
        (-[JSManagedValue init]):
        (-[JSManagedValue initWithValue:]):
        (JSManagedValueHandleOwner::isReachableFromOpaqueRoots):
        * API/JSVirtualMachine.mm:
        (getInternalObjcObject):
        * API/tests/testapi.mm:
        (-[TextXYZ setOnclick:]):
        (-[TextXYZ dealloc]):

2013-03-29 Geoffrey Garen <ggaren@apple.com>

        Simplified bytecode generation by unforking "condition context" codegen
        https://bugs.webkit.org/show_bug.cgi?id=113554

        Reviewed by Mark Hahnenberg.

        Now, a node that establishes a condition context can always ask its child
        nodes to generate into that context.

        This has a few advantages:

        (*) Removes a bunch of code;

        (*) Optimizes a few missed cases like "if (!(x < 2))", "if (!!x)", and
        "if (!x || !y)";

        (*) Paves the way to removing more opcodes.

        * bytecode/Opcode.h:
        (JSC): Separated out the branching opcodes for clarity.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ExpressionNode::emitBytecodeInConditionContext): All expressions
        can be emitted in a condition context now -- the default behavior is
        to branch based on the expression's value.

        (JSC::LogicalNotNode::emitBytecodeInConditionContext):
        (JSC::LogicalOpNode::emitBytecodeInConditionContext):
        (JSC::ConditionalNode::emitBytecode):
        (JSC::IfNode::emitBytecode):
        (JSC::IfElseNode::emitBytecode):
        (JSC::DoWhileNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isSubtract):
        (ExpressionNode):
        (LogicalNotNode):
        (LogicalOpNode): Removed lots of code for handling expressions
        that couldn't generate into a condition context because all expressions
        can now.

2013-03-28 Geoffrey Garen <ggaren@apple.com>

        Simplified the bytecode by removing op_loop and op_loop_if_*
        https://bugs.webkit.org/show_bug.cgi?id=113548

        Reviewed by Filip Pizlo.

        Regular jumps will suffice.

        These opcodes are identical to branches, except they also do timeout
        checking. That style of timeout checking has been broken for a long
        time, and when we add back timeout checking, it won't use these opcodes.

        * JavaScriptCore.order:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/PreciseJumpTargets.cpp:
        (JSC::computePreciseJumpTargets):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitJump):
        (JSC::BytecodeGenerator::emitJumpIfTrue):
        (JSC::BytecodeGenerator::emitJumpIfFalse):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JIT):
        (JSC):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-03-28 Geoffrey Garen <ggaren@apple.com>

        Simplified the bytecode by removing op_jmp_scopes
        https://bugs.webkit.org/show_bug.cgi?id=113545

        Reviewed by Filip Pizlo.

        We already have op_pop_scope and op_jmp, so we don't need op_jmp_scopes.
        Using op_jmp_scopes was also adding a "jump to self" to codegen for
        return statements, which was pretty silly.

        * JavaScriptCore.order:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PreciseJumpTargets.cpp:
        (JSC::computePreciseJumpTargets):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitComplexPopScopes):
        (JSC::BytecodeGenerator::emitPopScopes):
        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * llint/LLIntSlowPaths.cpp:
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:

2013-03-28 Mark Hahnenberg <mhahnenberg@apple.com>

        Safari hangs during test262 run in CodeCache::pruneSlowCase
        https://bugs.webkit.org/show_bug.cgi?id=113469

        Reviewed by Geoffrey Garen.

        We can end up hanging for quite some time if we add a lot of small keys to the CodeCache.
        By the time we get around to pruning the cache, we have potentially tens or hundreds of
        thousands of small entries, which can cause a noticeable hang when pruning them.

        To fix this issue we added a hard cap to the number of entries in the cache because we
        could potentially have to remove every element in the map.

        * runtime/CodeCache.cpp:
        (JSC::CodeCacheMap::pruneSlowCase): We need to prune until we're both under the hard cap and the
        capacity in bytes.
        * runtime/CodeCache.h:
        (CodeCacheMap):
        (JSC::CodeCacheMap::numberOfEntries): Convenience accessor function to the number of entries in
        the map that does the cast to size_t of m_map.size() for us.
        (JSC::CodeCacheMap::canPruneQuickly): Checks that the total number is under the hard cap. We put this
        check inside a function to more accurately describe why we're doing the check and to abstract out
        the actual calculation in case we want to coalesce calls to pruneSlowCase in the future.
        (JSC::CodeCacheMap::prune): Check the number of entries against our hard cap. If it's greater than
        the cap then we need to drop down to pruneSlowCase.

2013-03-28 Zan Dobersek <zdobersek@igalia.com>

        Unreviewed build fix for the EFL and GTK ports.

        * runtime/CodeCache.cpp:
        (JSC::CodeCacheMap::pruneSlowCase): Pass a 0 casted to the int64_t type instead of 0LL
        to the std::max call so the arguments' types match.

2013-03-27 Geoffrey Garen <ggaren@apple.com>

        Unreviewed build fix: Removed a dead field.

        Pointed out by Mark Lam.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (ByteCodeParser):

2013-03-27 Geoffrey Garen <ggaren@apple.com>

        Unreviewed build fix: Removed a dead field.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (ByteCodeParser):

2013-03-27 Geoffrey Garen <ggaren@apple.com>

        Removed some dead code in the DFG bytecode parser
        https://bugs.webkit.org/show_bug.cgi?id=113472

        Reviewed by Sam Weinig.

        Now that Phi creation and liveness analysis are separate passes, we can
        remove the vestiges of code that used to do that in the bytecode
        parser.

        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::parse):

2013-03-27 Filip Pizlo <fpizlo@apple.com>

        JIT and DFG should NaN-check loads from Float32 arrays
        https://bugs.webkit.org/show_bug.cgi?id=113462
        <rdar://problem/13490804>

        Reviewed by Mark Hahnenberg.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitFloatTypedArrayGetByVal):

2013-03-27 Mark Hahnenberg <mhahnenberg@apple.com>

        CodeCache::m_capacity can become negative, producing undefined results in pruneSlowCase
        https://bugs.webkit.org/show_bug.cgi?id=113453

        Reviewed by Geoffrey Garen.

        * runtime/CodeCache.cpp:
        (JSC::CodeCacheMap::pruneSlowCase): We make sure that m_minCapacity doesn't drop below zero now.
        This prevents m_capacity from doing the same.

2013-03-27 Filip Pizlo <fpizlo@apple.com>

        DFG should use CheckStructure for typed array checks whenever possible
        https://bugs.webkit.org/show_bug.cgi?id=113374

        Reviewed by Geoffrey Garen.

        We used to do the right thing, but it appears that this regressed at some point. Since the
        FixupPhase now has the ability to outright remove spurious CheckStructures on array
        operations, it is profitable for the ByteCodeParser to insert CheckStructures whenever there
        is a chance that it might be profitable, and when the profiling tells us what structure to
        check.

        Also added some code for doing ArrayProfile debugging.

        This is a slight speed-up. Maybe 3% on Mandreel.

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::computeUpdatedPrediction):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::benefitsFromStructureCheck):

2013-03-27 Zeno Albisser <zeno@webkit.org>

        [Qt] Remove Qt specific WorkQueueItem definitions.
        https://bugs.webkit.org/show_bug.cgi?id=112891

        This patch is preparation work for removing
        WorkQueue related code from TestRunnerQt and
        replacing it with generic TestRunner code.

        Reviewed by Benjamin Poulain.

        * API/JSStringRefQt.cpp:
        (JSStringCreateWithQString):
        Adding a convenience function to create a
        JSStringRef from a QString.
        * API/JSStringRefQt.h:

2013-03-26 Filip Pizlo <fpizlo@apple.com>

        REGRESSION: Sometimes, operations on proven strings ignore changes to the string prototype
        https://bugs.webkit.org/show_bug.cgi?id=113353
        <rdar://problem/13510778>

        Reviewed by Mark Hahnenberg and Geoffrey Garen.

        ToString should call speculateStringObject() even if you know that it's a string object, since
        it calls it to also get the watchpoint. Note that even with this change, if you do
        Phantom(Check:StringObject:@a), it might get eliminated just because we proved that @a is a
        string object (thereby eliminating the prototype watchpoint); that's fine since ToString is
        MustGenerate and never decays to Phantom.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (JSC::DFG::SpeculativeJIT::speculateStringObject):
        (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):

2013-03-26 Mark Hahnenberg <mhahnenberg@apple.com>

        REGRESSION(r144131): It made fast/js/regress/string-repeat-arith.html assert on 32 bit
        https://bugs.webkit.org/show_bug.cgi?id=112106

        Rubber stamped by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32): Get rid of the case for constants because
        we would have done constant folding anyways on a ValueToInt32.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): Fixed a random compile error with this flag enabled.
2013-03-26  Filip Pizlo  <fpizlo@apple.com>

        JSC_enableProfiler=true should also cause JSGlobalData to save the profiler output somewhere
        https://bugs.webkit.org/show_bug.cgi?id=113144

        Reviewed by Geoffrey Garen.

        Forgot to include Geoff's requested change in the original commit.

        * profiler/ProfilerDatabase.cpp:
        (Profiler):

2013-03-25  Filip Pizlo  <fpizlo@apple.com>

        JSC_enableProfiler=true should also cause JSGlobalData to save the profiler output somewhere
        https://bugs.webkit.org/show_bug.cgi?id=113144

        Reviewed by Geoffrey Garen.

        Added the ability to save profiler output with JSC_enableProfiler=true. It will save it
        to the current directory, or JSC_PROFILER_PATH if the latter was specified.

        This works by saving the Profiler::Database either when it is destroyed or atexit(),
        whichever happens first.

        This allows use of the profiler from any WebKit client.

        * jsc.cpp:
        (jscmain):
        * profiler/ProfilerDatabase.cpp:
        (Profiler):
        (JSC::Profiler::Database::Database):
        (JSC::Profiler::Database::~Database):
        (JSC::Profiler::Database::registerToSaveAtExit):
        (JSC::Profiler::Database::addDatabaseToAtExit):
        (JSC::Profiler::Database::removeDatabaseFromAtExit):
        (JSC::Profiler::Database::performAtExitSave):
        (JSC::Profiler::Database::removeFirstAtExitDatabase):
        (JSC::Profiler::Database::atExitCallback):
        * profiler/ProfilerDatabase.h:
        (JSC::Profiler::Database::databaseID):
        (Database):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):

2013-03-25  Filip Pizlo  <fpizlo@apple.com>

        ArrayMode should not consider SpecOther when refining the base
        https://bugs.webkit.org/show_bug.cgi?id=113271

        Reviewed by Geoffrey Garen.

        9% speed-up on Octane/pdfjs.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):

2013-03-26  Csaba Osztrogonác  <ossy@webkit.org>

        Fix unused parameter warnings in JITInlines.h
        https://bugs.webkit.org/show_bug.cgi?id=112560

        Reviewed by Zoltan Herczeg.

        * jit/JITInlines.h:
        (JSC::JIT::beginUninterruptedSequence):
        (JSC::JIT::endUninterruptedSequence):
        (JSC):

2013-03-25  Kent Tamura  <tkent@chromium.org>

        Rename ENABLE_INPUT_TYPE_DATETIME
        https://bugs.webkit.org/show_bug.cgi?id=113254

        Reviewed by Kentaro Hara.

        Rename ENABLE_INPUT_TYPE_DATETIME to ENABLE_INPUT_TYPE_DATETIME_INCOMPLETE.
        Actually I'd like to remove the code, but we shouldn't remove it yet
        because we shipped products with it on some platforms.

        * Configurations/FeatureDefines.xcconfig:

2013-03-25  Mark Lam  <mark.lam@apple.com>

        Offlineasm cloop backend compiles op+branch incorrectly.
        https://bugs.webkit.org/show_bug.cgi?id=113146.

        Reviewed by Geoffrey Garen.

        * dfg/DFGRepatch.h:
        (JSC::DFG::dfgResetGetByID):
        (JSC::DFG::dfgResetPutByID):
        - These functions never return when the DFG is disabled, not just when
          asserts are enabled. Changing the attribute from NO_RETURN_DUE_TO_ASSERT
          to NO_RETURN.
        * llint/LLIntOfflineAsmConfig.h:
        - Added some #defines needed to get the cloop building again.
        * offlineasm/cloop.rb:
        - Fix cloopEmitOpAndBranchIfOverflow() and cloopEmitOpAndBranch() to
          emit code that unconditionally executes the specified operation before
          doing the conditional branch.

2013-03-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSObject::enterDictionaryIndexingMode doesn't have a case for ALL_BLANK_INDEXING_TYPES
        https://bugs.webkit.org/show_bug.cgi?id=113236

        Reviewed by Geoffrey Garen.

        * runtime/JSObject.cpp:
        (JSC::JSObject::enterDictionaryIndexingMode): We forgot blank indexing types.

2013-03-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        HandleSet should use HeapBlocks for storing handles
        https://bugs.webkit.org/show_bug.cgi?id=113145

        Reviewed by Geoffrey Garen.

        * GNUmakefile.list.am: Build project changes.
        * JavaScriptCore.gypi: Ditto.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: Ditto.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Ditto.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * JavaScriptCore.xcodeproj/project.pbxproj: Ditto.
        * heap/BlockAllocator.cpp: Rename the RegionSet to m_fourKBBlockRegionSet because there are
        too many block types to include them all in the name now.
        (JSC::BlockAllocator::BlockAllocator):
        * heap/BlockAllocator.h:
        (BlockAllocator): Add the appropriate override for regionSetFor.
        (JSC::WeakBlock):
        (JSC::MarkStackSegment):
        (JSC::HandleBlock):
        * heap/HandleBlock.h: Added.
        (HandleBlock): New class for HandleBlocks.
        (JSC::HandleBlock::blockFor): Static method to get the block of the given HandleNode pointer. Allows
        us to quickly figure out which HandleSet the HandleNode belongs to without storing the pointer to it
        in the HandleNode.
        (JSC::HandleBlock::handleSet): Getter.
        * heap/HandleBlockInlines.h: Added.
        (JSC::HandleBlock::create):
        (JSC::HandleBlock::HandleBlock):
        (JSC::HandleBlock::payloadEnd):
        (JSC::HandleBlock::payload):
        (JSC::HandleBlock::nodes):
        (JSC::HandleBlock::nodeAtIndex):
        (JSC::HandleBlock::nodeCapacity):
        * heap/HandleSet.cpp:
        (JSC::HandleSet::~HandleSet):
        (JSC::HandleSet::grow):
        * heap/HandleSet.h:
        (HandleNode): Move the internal Node class from HandleSet to be its own public class so it can be
        used by HandleBlock.
        (HandleSet): Add a typedef so that Node refers to the new HandleNode class.
        (JSC::HandleSet::toHandle):
        (JSC::HandleSet::toNode):
        (JSC::HandleSet::allocate):
        (JSC::HandleSet::deallocate):
        (JSC::HandleNode::HandleNode):
        (JSC::HandleNode::slot):
        (JSC::HandleNode::handleSet): Use the new blockFor static function to get the right HandleBlock and look up
        the HandleSet.
        (JSC::HandleNode::setPrev):
        (JSC::HandleNode::prev):
        (JSC::HandleNode::setNext):
        (JSC::HandleNode::next):
        (JSC::HandleSet::forEachStrongHandle):
        * heap/Heap.h: Friend HandleSet so that it can access the BlockAllocator when allocating HandleBlocks.

2013-03-22  David Kilzer  <ddkilzer@apple.com>

        BUILD FIX (r145119): Make JSValue* properties default to (assign)
        <rdar://problem/13380794>

        Reviewed by Mark Hahnenberg.

        Fixes the following build failures:

            Source/JavaScriptCore/API/tests/testapi.mm:106:1: error: no 'assign', 'retain', or 'copy' attribute is specified - 'assign' is assumed [-Werror,-Wobjc-property-no-attribute]
            @property JSValue *onclick;
            ^
            Source/JavaScriptCore/API/tests/testapi.mm:106:1: error: default property attribute 'assign' not appropriate for non-GC object [-Werror,-Wobjc-property-no-attribute]
            Source/JavaScriptCore/API/tests/testapi.mm:107:1: error: no 'assign', 'retain', or 'copy' attribute is specified - 'assign' is assumed [-Werror,-Wobjc-property-no-attribute]
            @property JSValue *weakOnclick;
            ^
            Source/JavaScriptCore/API/tests/testapi.mm:107:1: error: default property attribute 'assign' not appropriate for non-GC object [-Werror,-Wobjc-property-no-attribute]
            4 errors generated.

        * API/tests/testapi.mm: Default to (assign) for JSValue*
        properties.
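The HandleBlock::blockFor() idea from the "HandleSet should use HeapBlocks for storing handles" entry above (recovering the owning block from an interior node pointer by address masking, so the node needs no back pointer), worked through as an added example. This is not JavaScriptCore's code: the 4 KB block size, the HandleSetStub owner type and every function name here are assumptions made for the demonstration.

```cpp
// Added example, not JavaScriptCore code. Demonstrates the blockFor() technique:
// blocks are allocated at addresses that are multiples of their size, so clearing
// the low bits of any pointer into a block yields the block header.
// HandleSetStub, HandleBlock, HandleNode and kBlockSize are hypothetical names.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <new>

namespace demo {

struct HandleSetStub {
    int id; // stands in for the real owning HandleSet
};

constexpr std::size_t kBlockSize = 4096; // assumed block size, must be a power of two
static_assert((kBlockSize & (kBlockSize - 1)) == 0, "block size must be a power of two");

struct HandleNode {
    std::uintptr_t slot; // payload placeholder
    HandleNode* prev;
    HandleNode* next;
};

class HandleBlock {
public:
    // The only way a block comes into existence: aligned to kBlockSize, sized kBlockSize.
    // Without this alignment guarantee blockFor() would silently return garbage.
    static HandleBlock* create(HandleSetStub* owner) {
        void* memory = nullptr;
        if (posix_memalign(&memory, kBlockSize, kBlockSize) != 0)
            throw std::bad_alloc();
        return new (memory) HandleBlock(owner);
    }
    static void destroy(HandleBlock* block) {
        block->~HandleBlock();
        std::free(block);
    }

    // Map any node pointer back to its block by masking off the low log2(kBlockSize) bits.
    static HandleBlock* blockFor(const HandleNode* node) {
        std::uintptr_t address = reinterpret_cast<std::uintptr_t>(node);
        std::uintptr_t mask = ~(static_cast<std::uintptr_t>(kBlockSize) - 1);
        return reinterpret_cast<HandleBlock*>(address & mask);
    }

    HandleSetStub* handleSet() const { return m_owner; }

    // Nodes fill the space after the header; header is pointer-sized so nodes stay aligned.
    std::size_t nodeCapacity() const { return (kBlockSize - sizeof(HandleBlock)) / sizeof(HandleNode); }
    HandleNode* nodeAtIndex(std::size_t index) {
        assert(index < nodeCapacity());
        return reinterpret_cast<HandleNode*>(reinterpret_cast<char*>(this) + sizeof(HandleBlock)) + index;
    }

private:
    explicit HandleBlock(HandleSetStub* owner) : m_owner(owner) {}
    HandleSetStub* m_owner;
};

// Every node in a fresh block resolves to that block and reports its owning set.
bool everyNodeMapsBackToItsBlock() {
    HandleSetStub set{42};
    HandleBlock* block = HandleBlock::create(&set);
    bool ok = true;
    for (std::size_t i = 0; i < block->nodeCapacity(); ++i) {
        HandleNode* node = block->nodeAtIndex(i);
        ok = ok && HandleBlock::blockFor(node) == block
                && HandleBlock::blockFor(node)->handleSet()->id == 42;
    }
    HandleBlock::destroy(block);
    return ok;
}

// Nodes from two different blocks resolve to their own block, never each other's.
bool nodesFromDistinctBlocksAreDistinguished() {
    HandleSetStub setA{1}, setB{2};
    HandleBlock* a = HandleBlock::create(&setA);
    HandleBlock* b = HandleBlock::create(&setB);
    HandleNode* lastOfA = a->nodeAtIndex(a->nodeCapacity() - 1);
    HandleNode* firstOfB = b->nodeAtIndex(0);
    bool ok = HandleBlock::blockFor(lastOfA) == a && HandleBlock::blockFor(firstOfB) == b
           && HandleBlock::blockFor(lastOfA)->handleSet()->id == 1
           && HandleBlock::blockFor(firstOfB)->handleSet()->id == 2;
    HandleBlock::destroy(a);
    HandleBlock::destroy(b);
    return ok;
}

} // namespace demo
```

The whole scheme rests on the allocation alignment: a block obtained from plain malloc would make the mask produce a pointer into unrelated memory without any fault, so the aligned create() path has to be the only constructor of blocks, and the capacity computation must keep every node strictly inside the block so that no node's address crosses into the next block.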
2013-03-22  Ryosuke Niwa  <rniwa@webkit.org>

        testLeakingPrototypesAcrossContexts added in r146682 doesn't compile on Win and fails on Mac
        https://bugs.webkit.org/show_bug.cgi?id=113125

        Reviewed by Mark Hahnenberg.

        Remove the test added in r146682 as it's now failing on Mac.
        This is the test that was causing a compilation failure on Windows.

        * API/tests/testapi.c:
        (main):

2013-03-22  Ryosuke Niwa  <rniwa@webkit.org>

        Fix the typo: WIN -> WINDOWS.

        * API/tests/testapi.c:
        (main):

2013-03-22  Ryosuke Niwa  <rniwa@webkit.org>

        I really can't figure out what's wrong with this one.
        Temporarily disable the test added by r146682 on Windows since it doesn't compile.

        * API/tests/testapi.c:
        (main):

2013-03-22  Ryosuke Niwa  <rniwa@webkit.org>

        Another build fix (after r146693) for r146682.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-03-22  Roger Fong  <roger_fong@apple.com>

        Unreviewed. AppleWin build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        * JavaScriptCore.vcxproj/copy-files.cmd:

2013-03-22  Mark Hahnenberg  <mhahnenberg@apple.com>

        -[TinyDOMNode dealloc] should call [super dealloc] when ARC is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=113054

        Reviewed by Geoffrey Garen.

        * API/tests/testapi.mm:
        (-[TinyDOMNode dealloc]):

2013-03-22  Mark Hahnenberg  <mhahnenberg@apple.com>

        opaqueJSClassData should be cached on JSGlobalObject, not the JSGlobalData
        https://bugs.webkit.org/show_bug.cgi?id=113086

        Reviewed by Geoffrey Garen.

        opaqueJSClassData stores cached prototypes for JSClassRefs in the C API. It doesn't make sense to
        share these prototypes within a JSGlobalData across JSGlobalObjects, and in fact doing so will cause
        a leak of the original JSGlobalObject that these prototypes were created in. Therefore we should move
        this cache to JSGlobalObject where it belongs and where it won't cause memory leaks.

        * API/JSBase.cpp: Needed to add an extern "C" so that testapi.c can use the super secret GC function.
        * API/JSClassRef.cpp: We now grab the cached context data from the global object rather than the global data.
        (OpaqueJSClass::contextData):
        * API/JSClassRef.h: Remove this header because it's unnecessary and causes circular dependencies.
        * API/tests/testapi.c: Added a new test that makes sure that using the same JSClassRef in two different contexts
        doesn't cause leaks of the original global object.
        (leakFinalize):
        (nestedAllocateObject): This is a hack to bypass the conservative scan of the GC, which was unnecessarily marking
        objects and keeping them alive, ruining the test result.
        (testLeakingPrototypesAcrossContexts):
        (main):
        * API/tests/testapi.mm: extern "C" this so we can continue using it here.
        * runtime/JSGlobalData.cpp: Remove JSClassRef related stuff.
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSGlobalObject.h: Add the stuff that JSGlobalData had. We add it to JSGlobalObjectRareData so that
        clients who don't use the C API don't have to pay the memory cost of this extra HashMap.
        (JSGlobalObject):
        (JSGlobalObjectRareData):
        (JSC::JSGlobalObject::opaqueJSClassData):

2013-03-19  Martin Robinson  <mrobinson@igalia.com>

        [GTK] Add support for building the WebCore bindings to the gyp build
        https://bugs.webkit.org/show_bug.cgi?id=112638

        Reviewed by Nico Weber.

        * JavaScriptCore.gyp/JavaScriptCoreGTK.gyp: Export all include directories to direct
        dependents and fix the indentation of the libjavascriptcore target.

2013-03-21  Filip Pizlo  <fpizlo@apple.com>

        Fix some minor issues in the DFG's profiling of heap accesses
        https://bugs.webkit.org/show_bug.cgi?id=113010

        Reviewed by Geoffrey Garen.

        1) If a CodeBlock gets jettisoned by GC, we should count the exit sites.

        2) If a CodeBlock clears a structure stub during GC, it should record this, and
        the DFG should prefer to not inline that access (i.e. treat it as if it had an
        exit site).

        3) If a PutById was seen by the baseline JIT, and the JIT attempted to cache it,
        but it chose not to, then assume that it will take slow path.

        4) If we frequently exited because of a structure check on a weak constant,
        don't try to inline that access in the future.

        5) Treat all exits that were counted as being frequent.

        81% speed-up on Octane/gbemu. Small speed-ups elsewhere, and no regressions.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC):
        (JSC::CodeBlock::resetStubDuringGCInternal):
        (JSC::CodeBlock::reoptimize):
        (JSC::CodeBlock::jettison):
        (JSC::ProgramCodeBlock::jettisonImpl):
        (JSC::EvalCodeBlock::jettisonImpl):
        (JSC::FunctionCodeBlock::jettisonImpl):
        (JSC::CodeBlock::tallyFrequentExitSites):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::tallyFrequentExitSites):
        (ProgramCodeBlock):
        (EvalCodeBlock):
        (FunctionCodeBlock):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::StructureStubInfo):
        (StructureStubInfo):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
        (OSRExit):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Options.h:
        (JSC):

2013-03-22  Filip Pizlo  <fpizlo@apple.com>

        DFG folding of PutById to SimpleReplace should consider the specialized function case
        https://bugs.webkit.org/show_bug.cgi?id=113093

        Reviewed by Geoffrey Garen and Mark Hahnenberg.

        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):

2013-03-22  David Kilzer  <ddkilzer@apple.com>

        BUILD FIX (r146558): Build testapi.mm with ARC enabled for armv7s
        <http://webkit.org/b/112608>

        Fixes the following build failure:

            Source/JavaScriptCore/API/tests/testapi.mm:205:1: error: method possibly missing a [super dealloc] call [-Werror,-Wobjc-missing-super-calls]
            }
            ^
            1 error generated.

        * Configurations/ToolExecutable.xcconfig: Enable ARC for armv7s
        architecture.

2013-03-22  David Kilzer  <ddkilzer@apple.com>

        Revert "BUILD FIX (r146558): Call [super dealloc] from -[TinyDOMNode dealloc]"

        This fixes a build failure introduced by this change:

            Source/JavaScriptCore/API/tests/testapi.mm:206:6: error: ARC forbids explicit message send of 'dealloc'
                [super dealloc];
                ^      ~~~~~~~
            1 error generated.

        Not sure why this didn't fail locally on my Mac Pro.

        * API/tests/testapi.mm:
        (-[TinyDOMNode dealloc]): Remove call to [super dealloc].

2013-03-22  David Kilzer  <ddkilzer@apple.com>

        BUILD FIX (r146558): Call [super dealloc] from -[TinyDOMNode dealloc]
        <http://webkit.org/b/112608>

        Fixes the following build failure:

            Source/JavaScriptCore/API/tests/testapi.mm:205:1: error: method possibly missing a [super dealloc] call [-Werror,-Wobjc-missing-super-calls]
            }
            ^
            1 error generated.

        * API/tests/testapi.mm:
        (-[TinyDOMNode dealloc]): Call [super dealloc].

2013-03-22  Ryosuke Niwa  <rniwa@webkit.org>

        Leak bots erroneously report JSC::WatchpointSet as leaking
        https://bugs.webkit.org/show_bug.cgi?id=107781

        Reviewed by Filip Pizlo.

        Since leaks doesn't support tagged pointers, avoid using it by flipping the bit flag to indicate
        the entry is "fat". We set the flag when the entry is NOT fat; i.e. slim.

        Replaced FatFlag by SlimFlag and initialized m_bits with this flag to indicate that the entry is
        initially "slim".

        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::copySlow): Don't set FatFlag since it has been replaced by SlimFlag.
        (JSC::SymbolTableEntry::inflateSlow): Ditto.

        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::Fast::Fast): Set SlimFlag by default.
        (JSC::SymbolTableEntry::Fast::isNull): Ignore SlimFlag.
        (JSC::SymbolTableEntry::Fast::isFat): An entry is fat when m_bits is not entirely zero and SlimFlag
        is not set.

        (JSC::SymbolTableEntry::SymbolTableEntry): Set SlimFlag by default.
        (JSC::SymbolTableEntry::SymbolTableEntry::getFast): Set SlimFlag when creating Fast from a fat entry.
        (JSC::SymbolTableEntry::isNull): Ignore SlimFlag.
        (JSC::SymbolTableEntry::FatEntry::FatEntry): Strip SlimFlag.
        (JSC::SymbolTableEntry::isFat): An entry is fat when m_bits is not entirely zero and SlimFlag is unset.
        (JSC::SymbolTableEntry::fatEntry): Don't strip FatFlag as this flag doesn't exist anymore.
        (JSC::SymbolTableEntry::pack): Preserve SlimFlag.

        (JSC::SymbolTableIndexHashTraits): empty value is no longer zero so don't set emptyValueIsZero true.

2013-03-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Need a good way to preserve custom properties on JS wrappers
        https://bugs.webkit.org/show_bug.cgi?id=112608

        Reviewed by Geoffrey Garen.

        Currently, we just use a weak map, which means that garbage collection can cause a wrapper to
        disappear if it isn't directly exported to JavaScript.

        The most straightforward and safe way (with respect to garbage collection and concurrency) is to have
        clients add and remove their external references along with their owners. Effectively, the client is
        recording the structure of the external object graph so that the garbage collector can make sure to
        mark any wrappers that are reachable through either the JS object graph or the external Obj-C object
        graph. By keeping these wrappers alive, this has the effect that custom properties on these wrappers
        will also remain alive.

        The rule for if an object needs to be tracked by the runtime (and therefore whether the client should report it) is as follows:
        For a particular object, its references to its children should be added if:
        1. The child is referenced from JavaScript.
        2. The child contains references to other objects for which (1) or (2) are true.

        * API/JSAPIWrapperObject.mm:
        (JSAPIWrapperObjectHandleOwner::finalize):
        (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots): A wrapper object is kept alive only if its JSGlobalObject
        is marked and its corresponding Objective-C object was added to the set of opaque roots.
        (JSC::JSAPIWrapperObject::visitChildren): We now call out to scanExternalObjectGraph, which handles adding all Objective-C
        objects to the set of opaque roots.
        * API/JSAPIWrapperObject.h:
        (JSAPIWrapperObject):
        * API/JSContext.mm: Moved dealloc to its proper place in the main implementation.
        (-[JSContext dealloc]):
        * API/JSVirtualMachine.h:
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine initWithContextGroupRef:]):
        (-[JSVirtualMachine dealloc]):
        (getInternalObjcObject): Helper function to get the Objective-C object out of JSManagedValues or JSValues if there is one.
        (-[JSVirtualMachine addManagedReference:withOwner:]): Adds the Objective-C object to the set of objects
        owned by the owner object in that particular virtual machine.
        (-[JSVirtualMachine removeManagedReference:withOwner:]): Removes the relationship between the two objects.
        (-[JSVirtualMachine externalObjectGraph]):
        (scanExternalObjectGraph): Does a depth-first search of the external object graph in a particular virtual machine starting at
        the specified root. Each new object it encounters it adds to the set of opaque roots. These opaque roots will keep their
        corresponding wrapper objects alive if they have them.
        * API/JSManagedReferenceInternal.h: Added.
        * API/JSVirtualMachine.mm: Added the per-JSVirtualMachine map between objects and the objects they own, which is more formally
        known as that virtual machine's external object graph.
        * API/JSWrapperMap.mm:
        (-[JSWrapperMap dealloc]): We were leaking this before :-(
        (-[JSVirtualMachine initWithContextGroupRef:]):
        (-[JSVirtualMachine dealloc]):
        (-[JSVirtualMachine externalObjectGraph]):
        * API/JSVirtualMachineInternal.h:
        * API/tests/testapi.mm: Added two new tests using the TinyDOMNode class. The first tests that a custom property added to a wrapper
        doesn't vanish after GC, even though that wrapper isn't directly accessible to the JS garbage collector but is accessible through
        the external Objective-C object graph. The second test makes sure that adding an object to the external object graph with the same
        owner doesn't cause any sort of problems.
        (+[TinyDOMNode sharedVirtualMachine]):
        (-[TinyDOMNode init]):
        (-[TinyDOMNode dealloc]):
        (-[TinyDOMNode appendChild:]):
        (-[TinyDOMNode numberOfChildren]):
        (-[TinyDOMNode childAtIndex:]):
        (-[TinyDOMNode removeChildAtIndex:]):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/SlotVisitor.h:
        (SlotVisitor):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::containsOpaqueRootTriState): Added a new method to SlotVisitor to allow scanExternalObjectGraph to have a
        thread-safe view of opaque roots during parallel marking. The set of opaque roots available to any one SlotVisitor isn't guaranteed
        to be 100% correct, but that just results in a small duplication of work in scanExternalObjectGraph. To indicate this change for
        false negatives we return a TriState that's either true or mixed, but never false.

2013-03-21  Mark Lam  <mark.lam@apple.com>

        Fix O(n^2) op_debug bytecode charPosition to column computation.
        https://bugs.webkit.org/show_bug.cgi?id=112957.

        Reviewed by Geoffrey Garen.

        The previous algorithm does a linear reverse scan of the source string
        to find the line start for any given char position. This results in an
        O(n^2) algorithm when the source string has no line breaks.

        The new algorithm computes a line start column table for a
        SourceProvider on first use. This line start table is used to fix up
        op_debug's charPosition operand into a column operand when an
        UnlinkedCodeBlock is linked into a CodeBlock. The initialization of
        the line start table is O(n), and the CodeBlock column fix up is
        O(log(n)).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock): - do column fix up.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::debug): - no need to do column fixup anymore.
        * interpreter/Interpreter.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * parser/SourceProvider.cpp:
        (JSC::SourceProvider::lineStarts):
        (JSC::charPositionExtractor):
        (JSC::SourceProvider::charPositionToColumnNumber):
        - initialize line start column table if needed.
        - look up line start for the given char position.
        * parser/SourceProvider.h:

2013-03-21  Filip Pizlo  <fpizlo@apple.com>

        JSC profiler should have an at-a-glance report of the success of DFG optimization
        https://bugs.webkit.org/show_bug.cgi?id=112988

        Reviewed by Geoffrey Garen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::Compilation):
        (JSC::Profiler::Compilation::toJS):
        * profiler/ProfilerCompilation.h:
        (JSC::Profiler::Compilation::noticeInlinedGetById):
        (JSC::Profiler::Compilation::noticeInlinedPutById):
        (JSC::Profiler::Compilation::noticeInlinedCall):
        (Compilation):
        * runtime/CommonIdentifiers.h:

2013-03-21  Mark Lam  <mark.lam@apple.com>

        Fix lexer charPosition computation when "rewind"ing the lexer.
        https://bugs.webkit.org/show_bug.cgi?id=112952.

        Reviewed by Michael Saboff.

        Changed the Lexer to no longer keep a m_charPosition. Instead, we compute
        currentCharPosition() from m_code and m_codeStartPlusOffset, where
        m_codeStartPlusOffset is the SourceProvider m_codeStart + the SourceCode
        start offset. This ensures that the charPosition is always in sync with
        m_code.

        * parser/Lexer.cpp:
        (JSC::::setCode):
        (JSC::::internalShift):
        (JSC::::shift):
        (JSC::::lex):
        * parser/Lexer.h:
        (JSC::Lexer::currentCharPosition):
        (JSC::::lexExpectIdentifier):

2013-03-21  Alberto Garcia  <agarcia@igalia.com>

        [BlackBerry] GCActivityCallback: replace JSLock with JSLockHolder
        https://bugs.webkit.org/show_bug.cgi?id=112448

        Reviewed by Xan Lopez.

        This changed in r121381.

        * runtime/GCActivityCallbackBlackBerry.cpp:
        (JSC::DefaultGCActivityCallback::doWork):

2013-03-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: wrapperClass holds a static JSClassRef, which causes JSGlobalObjects to leak
        https://bugs.webkit.org/show_bug.cgi?id=112856

        Reviewed by Geoffrey Garen.

        Through a very convoluted path that involves the caching of prototypes on the JSClassRef, we can leak
        JSGlobalObjects when inserting an Objective-C object into multiple independent JSContexts.

        * API/JSAPIWrapperObject.cpp: Removed.
        * API/JSAPIWrapperObject.h:
        (JSAPIWrapperObject):
        * API/JSAPIWrapperObject.mm: Copied from Source/JavaScriptCore/API/JSAPIWrapperObject.cpp. Made this an
        Objective-C++ file so that we can call release on the wrappedObject. Also added a WeakHandleOwner for
        JSAPIWrapperObjects. This will also be used in a future patch for https://bugs.webkit.org/show_bug.cgi?id=112608.
        (JSAPIWrapperObjectHandleOwner):
        (jsAPIWrapperObjectHandleOwner):
        (JSAPIWrapperObjectHandleOwner::finalize): This finalize replaces the old finalize that was done through
        the C API.
        (JSC::JSAPIWrapperObject::finishCreation): Allocate the WeakImpl. Balanced in finalize.
        (JSC::JSAPIWrapperObject::setWrappedObject): We now do the retain of the wrappedObject here rather than in random
        places scattered around JSWrapperMap.mm
        * API/JSObjectRef.cpp: Added some ifdefs for platforms that don't support the Obj-C API.
        (JSObjectGetPrivate): Ditto.
        (JSObjectSetPrivate): Ditto.
        (JSObjectGetPrivateProperty): Ditto.
        (JSObjectSetPrivateProperty): Ditto.
        (JSObjectDeletePrivateProperty): Ditto.
        * API/JSValueRef.cpp: Ditto.
        (JSValueIsObjectOfClass): Ditto.
        * API/JSWrapperMap.mm: Remove wrapperClass().
        (objectWithCustomBrand): Change to no longer use a parent class, which was only used to give the ability to
        finalize wrapper objects.
        (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]): Change to no longer use wrapperClass().
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): Ditto.
        (tryUnwrapObjcObject): We now check if the object inherits from JSAPIWrapperObject.
        * API/tests/testapi.mm: Added a test that exports an Objective-C object to two different JSContexts and makes
        sure that the first one is collected properly by using a weak JSManagedValue for the wrapper in the first JSContext.
        * CMakeLists.txt: Build file modifications.
        * GNUmakefile.list.am: Ditto.
        * JavaScriptCore.gypi: Ditto.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: Ditto.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Ditto.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * JavaScriptCore.xcodeproj/project.pbxproj: Ditto.
        * runtime/JSGlobalObject.cpp: More ifdefs for unsupported platforms.
        (JSC::JSGlobalObject::reset): Ditto.
        (JSC::JSGlobalObject::visitChildren): Ditto.
        * runtime/JSGlobalObject.h: Ditto.
        (JSGlobalObject): Ditto.
        (JSC::JSGlobalObject::objcCallbackFunctionStructure): Ditto.

2013-03-21  Anton Muhin  <antonm@chromium.org>

        Unreviewed, rolling out r146483.
        http://trac.webkit.org/changeset/146483
        https://bugs.webkit.org/show_bug.cgi?id=111695

        Breaks debug builds.

        * bytecode/GlobalResolveInfo.h: Removed property svn:mergeinfo.

2013-03-21  Gabor Rapcsanyi  <rgabor@webkit.org>

        Implement LLInt for CPU(ARM_TRADITIONAL)
        https://bugs.webkit.org/show_bug.cgi?id=97589

        Reviewed by Zoltan Herczeg.

        Enable LLInt for ARMv5 and ARMv7 traditional as well.

        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * offlineasm/arm.rb:
        * offlineasm/backends.rb:
        * offlineasm/instructions.rb:

2013-03-20  Cosmin Truta  <ctruta@blackberry.com>

        [QNX][ARM] REGRESSION(r135330): Various failures in Octane
        https://bugs.webkit.org/show_bug.cgi?id=112863

        Reviewed by Yong Li.

        This was fixed in http://trac.webkit.org/changeset/146396 on Linux only.
        Enable this fix on QNX.

        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::replaceWithJump):
        (JSC::ARMv7Assembler::maxJumpReplacementSize):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):

2013-03-20  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of JSString.h

        Rubber stamped by Mark Hahnenberg.

        * runtime/JSString.h:

2013-03-20  Filip Pizlo  <fpizlo@apple.com>

        "" + x where x is not a string should be optimized by the DFG to some manner of ToString conversion
        https://bugs.webkit.org/show_bug.cgi?id=112845

        Reviewed by Mark Hahnenberg.

        I like to do "" + x. So I decided to make DFG recognize it, and related idioms.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToPrimitive):
        (FixupPhase):
        (JSC::DFG::FixupPhase::fixupToString):
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::resultOfToPrimitive):
        (DFG):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGPredictionPropagationPhase.h:
        (DFG):

2013-03-20  Zoltan Herczeg  <zherczeg@webkit.org>

        ARMv7 replaceWithJump ASSERT failure after r135330.
        https://bugs.webkit.org/show_bug.cgi?id=103146

        Reviewed by Filip Pizlo.

        On Linux, the 24 bit distance range of jumps is sometimes not
        enough to cover all target addresses. This patch supports jumps
        outside of this range using a mov/movt/bx 10 byte long sequence.

        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::revertJumpTo_movT3movtcmpT2):
        (JSC::ARMv7Assembler::nopw):
        (JSC::ARMv7Assembler::label):
        (JSC::ARMv7Assembler::replaceWithJump):
        (JSC::ARMv7Assembler::maxJumpReplacementSize):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):

2013-03-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Fix over-releasing in allocateConstructorAndPrototypeWithSuperClassInfo:
        https://bugs.webkit.org/show_bug.cgi?id=112832

        Reviewed by Geoffrey Garen.

        If either the m_constructor or m_prototype (but not both) is collected, we will call
        allocateConstructorAndPrototypeWithSuperClassInfo, which will create a new object to replace the one
        that was collected, but at the end of the method we call release on both of them.
        This is incorrect since we autorelease the JSValue in the case that the object doesn't need to be
        reallocated. Thus we'll end up overreleasing later during the drain of the autorelease pool.

        * API/JSWrapperMap.mm:
        (objectWithCustomBrand): We no longer alloc here. We instead call the JSValue valueWithValue class method,
        which autoreleases for us.
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): We no longer call release on the
        constructor or prototype JSValues.
        * API/tests/testapi.mm: Added a new test that crashes on ToT due to over-releasing.

2013-03-19  Filip Pizlo  <fpizlo@apple.com>

        It's called "Hash Consing" not "Hash Consting"
        https://bugs.webkit.org/show_bug.cgi?id=112768

        Rubber stamped by Mark Hahnenberg.

        See http://en.wikipedia.org/wiki/Hash_consing

        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::GCThreadSharedData):
        (JSC::GCThreadSharedData::reset):
        * heap/GCThreadSharedData.h:
        (GCThreadSharedData):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::SlotVisitor):
        (JSC::SlotVisitor::setup):
        (JSC::SlotVisitor::reset):
        (JSC::JSString::tryHashConsLock):
        (JSC::JSString::releaseHashConsLock):
        (JSC::JSString::shouldTryHashCons):
        (JSC::SlotVisitor::internalAppend):
        * heap/SlotVisitor.h:
        (SlotVisitor):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        (JSC::JSGlobalData::haveEnoughNewStringsToHashCons):
        (JSC::JSGlobalData::resetNewStringsSinceLastHashCons):
        * runtime/JSString.h:
        (JSC::JSString::finishCreation):
        (JSString):
        (JSC::JSString::isHashConsSingleton):
        (JSC::JSString::clearHashConsSingleton):
        (JSC::JSString::setHashConsSingleton):

2013-03-20  Filip Pizlo  <fpizlo@apple.com>

        DFG implementation of op_strcat should inline rope allocations
        https://bugs.webkit.org/show_bug.cgi?id=112780

        Reviewed by Oliver Hunt.

        This gets rid of the StrCat node and adds a MakeRope node. The MakeRope node can
        take either two or three operands, and allocates a rope string with either two or
        three fibers. (The magic choice of three children for non-VarArg nodes happens to
        match exactly with the magic choice of three fibers for rope strings.)

        ValueAdd on KnownString is replaced with MakeRope with two children.

        StrCat gets replaced by an appropriate sequence of MakeRope's.

        MakeRope does not do the dynamic check to see if its children are empty strings.
        This is replaced by a static check, instead. The downside is that we may use more
        memory if the strings passed to MakeRope turn out to dynamically be empty. The
        upside is that we do fewer checks in the cases where either the strings are not
        empty, or where the strings are statically known to be empty. I suspect both of
        those cases are more common than the case where the string is dynamically empty.

        This also results in some badness for X86. MakeRope needs six registers if it is
        allocating a three-rope. We don't have six registers to spare on X86. Currently,
        the code side-steps this problem by just never using three-ropes in optimized
        code on X86. All other architectures, including X86_64, don't have this problem.

        This is a shocking speed-up. 9% progressions on both V8/splay and
        SunSpider/date-format-xparb. 1% progression on V8v7 overall, and ~0.5% progression
        on SunSpider. 2x speed-up on microbenchmarks that test op_strcat.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGAdjacencyList.h:
        (AdjacencyList):
        (JSC::DFG::AdjacencyList::removeEdge):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::createToString):
        (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
        (JSC::DFG::FixupPhase::convertStringAddUse):
(FixupPhase): 5402 (JSC::DFG::FixupPhase::convertToMakeRope): 5403 (JSC::DFG::FixupPhase::fixupMakeRope): 5404 (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd): 5405 * dfg/DFGNodeType.h: 5406 (DFG): 5407 * dfg/DFGOperations.cpp: 5408 * dfg/DFGOperations.h: 5409 * dfg/DFGPredictionPropagationPhase.cpp: 5410 (JSC::DFG::PredictionPropagationPhase::propagate): 5411 * dfg/DFGSpeculativeJIT.cpp: 5412 (JSC::DFG::SpeculativeJIT::compileAdd): 5413 (JSC::DFG::SpeculativeJIT::compileMakeRope): 5414 (DFG): 5415 * dfg/DFGSpeculativeJIT.h: 5416 (JSC::DFG::SpeculativeJIT::callOperation): 5417 (SpeculativeJIT): 5418 (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand): 5419 (JSC::DFG::SpeculateCellOperand::~SpeculateCellOperand): 5420 (JSC::DFG::SpeculateCellOperand::gpr): 5421 (JSC::DFG::SpeculateCellOperand::use): 5422 * dfg/DFGSpeculativeJIT32_64.cpp: 5423 (JSC::DFG::SpeculativeJIT::compile): 5424 * dfg/DFGSpeculativeJIT64.cpp: 5425 (JSC::DFG::SpeculativeJIT::compile): 5426 * runtime/JSString.h: 5427 (JSRopeString): 5428 54292013-03-20 Peter Gal <galpeter@inf.u-szeged.hu> 5430 5431 Implement and32 on MIPS platform 5432 https://bugs.webkit.org/show_bug.cgi?id=112665 5433 5434 Reviewed by Zoltan Herczeg. 5435 5436 * assembler/MacroAssemblerMIPS.h: 5437 (JSC::MacroAssemblerMIPS::and32): Added missing method. 5438 (MacroAssemblerMIPS): 5439 54402013-03-20 Mark Lam <mark.lam@apple.com> 5441 5442 Fix incorrect debugger column number value. 5443 https://bugs.webkit.org/show_bug.cgi?id=112741. 5444 5445 Reviewed by Oliver Hunt. 5446 5447 1. In lexer, parser, and debugger code, renamed column to charPosition. 5448 2. Convert the charPosition to the equivalent column number before 5449 passing it to the debugger. 5450 3. Changed ScopeNodes to take both a startLocation and an endLocation. 5451 This allows FunctionBodyNodes, ProgramNodes, and EvalNodess to emit 5452 correct debug hooks with correct starting line and column numbers. 5453 4. 
Fixed the Lexer to not reset the charPosition (previously 5454 columnNumber) in Lexer::lex(). 5455 5456 * JavaScriptCore.order: 5457 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: 5458 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 5459 * bytecode/CodeBlock.cpp: 5460 (JSC::CodeBlock::dumpBytecode): 5461 * bytecompiler/BytecodeGenerator.cpp: 5462 (JSC::BytecodeGenerator::emitDebugHook): 5463 * bytecompiler/BytecodeGenerator.h: 5464 (JSC::BytecodeGenerator::emitExpressionInfo): 5465 * bytecompiler/NodesCodegen.cpp: 5466 (JSC::ArrayNode::toArgumentList): 5467 (JSC::ConstStatementNode::emitBytecode): 5468 (JSC::EmptyStatementNode::emitBytecode): 5469 (JSC::DebuggerStatementNode::emitBytecode): 5470 (JSC::ExprStatementNode::emitBytecode): 5471 (JSC::VarStatementNode::emitBytecode): 5472 (JSC::IfNode::emitBytecode): 5473 (JSC::IfElseNode::emitBytecode): 5474 (JSC::DoWhileNode::emitBytecode): 5475 (JSC::WhileNode::emitBytecode): 5476 (JSC::ForNode::emitBytecode): 5477 (JSC::ForInNode::emitBytecode): 5478 (JSC::ContinueNode::emitBytecode): 5479 (JSC::BreakNode::emitBytecode): 5480 (JSC::ReturnNode::emitBytecode): 5481 (JSC::WithNode::emitBytecode): 5482 (JSC::SwitchNode::emitBytecode): 5483 (JSC::LabelNode::emitBytecode): 5484 (JSC::ThrowNode::emitBytecode): 5485 (JSC::TryNode::emitBytecode): 5486 (JSC::ProgramNode::emitBytecode): 5487 (JSC::EvalNode::emitBytecode): 5488 (JSC::FunctionBodyNode::emitBytecode): 5489 * interpreter/Interpreter.cpp: 5490 (JSC::Interpreter::debug): 5491 - convert charPosition to column for the debugger. 
5492 * interpreter/Interpreter.h: 5493 * jit/JITStubs.cpp: 5494 (DEFINE_STUB_FUNCTION(void, op_debug)): 5495 * llint/LLIntSlowPaths.cpp: 5496 (LLINT_SLOW_PATH_DECL(slow_op_debug)): 5497 * parser/ASTBuilder.h: 5498 (JSC::ASTBuilder::createFunctionExpr): 5499 (JSC::ASTBuilder::createFunctionBody): 5500 (JSC::ASTBuilder::createGetterOrSetterProperty): 5501 (JSC::ASTBuilder::createFuncDeclStatement): 5502 (JSC::ASTBuilder::createBlockStatement): 5503 (JSC::ASTBuilder::createExprStatement): 5504 (JSC::ASTBuilder::createIfStatement): 5505 (JSC::ASTBuilder::createForLoop): 5506 (JSC::ASTBuilder::createForInLoop): 5507 (JSC::ASTBuilder::createVarStatement): 5508 (JSC::ASTBuilder::createReturnStatement): 5509 (JSC::ASTBuilder::createBreakStatement): 5510 (JSC::ASTBuilder::createContinueStatement): 5511 (JSC::ASTBuilder::createTryStatement): 5512 (JSC::ASTBuilder::createSwitchStatement): 5513 (JSC::ASTBuilder::createWhileStatement): 5514 (JSC::ASTBuilder::createDoWhileStatement): 5515 (JSC::ASTBuilder::createWithStatement): 5516 (JSC::ASTBuilder::createThrowStatement): 5517 (JSC::ASTBuilder::createDebugger): 5518 (JSC::ASTBuilder::createConstStatement): 5519 * parser/Lexer.cpp: 5520 (JSC::::setCode): 5521 (JSC::::internalShift): 5522 (JSC::::shift): 5523 (JSC::::lex): 5524 * parser/Lexer.h: 5525 (JSC::Lexer::currentCharPosition): 5526 (Lexer): 5527 (JSC::::lexExpectIdentifier): 5528 * parser/NodeConstructors.h: 5529 (JSC::Node::Node): 5530 * parser/Nodes.cpp: 5531 (JSC::StatementNode::setLoc): 5532 (JSC::ScopeNode::ScopeNode): 5533 (JSC::ProgramNode::ProgramNode): 5534 (JSC::ProgramNode::create): 5535 (JSC::EvalNode::EvalNode): 5536 (JSC::EvalNode::create): 5537 (JSC::FunctionBodyNode::FunctionBodyNode): 5538 (JSC::FunctionBodyNode::create): 5539 * parser/Nodes.h: 5540 (JSC::Node::charPosition): 5541 (Node): 5542 (StatementNode): 5543 (JSC::StatementNode::lastLine): 5544 (ScopeNode): 5545 (JSC::ScopeNode::startLine): 5546 (JSC::ScopeNode::startCharPosition): 5547 
(ProgramNode): 5548 (EvalNode): 5549 (FunctionBodyNode): 5550 * parser/Parser.cpp: 5551 (JSC::::Parser): 5552 (JSC::::parseFunctionBody): 5553 (JSC::::parseFunctionInfo): 5554 * parser/Parser.h: 5555 (JSC::::parse): 5556 * parser/ParserTokens.h: 5557 (JSC::JSTokenLocation::JSTokenLocation): 5558 (JSTokenLocation): 5559 * parser/SyntaxChecker.h: 5560 (JSC::SyntaxChecker::createFunctionBody): 5561 55622013-03-20 Csaba Osztrogonác <ossy@webkit.org> 5563 5564 REGRESSION(r146089): It broke 20 sputnik tests on ARM traditional and Thumb2 5565 https://bugs.webkit.org/show_bug.cgi?id=112676 5566 5567 Rubber-stamped by Filip Pizlo. 5568 5569 Add one more EABI_32BIT_DUMMY_ARG to make DFG JIT ARM EABI compatible 5570 again after r146089 similar to https://bugs.webkit.org/show_bug.cgi?id=84449 5571 5572 * dfg/DFGSpeculativeJIT.h: 5573 (JSC::DFG::SpeculativeJIT::callOperation): 5574 55752013-03-19 Michael Saboff <msaboff@apple.com> 5576 5577 Crash when loading http://www.jqchart.com/jquery/gauges/RadialGauge/LiveData 5578 https://bugs.webkit.org/show_bug.cgi?id=112694 5579 5580 Reviewed by Filip Pizlo. 5581 5582 We were trying to convert an NewArray to a Phantom, but convertToPhantom doesn't handle 5583 nodes with variable arguments. Added code to insert a Phantom node in front of all the 5584 live children of a var args node. Added ASSERT not var args for convertToPhantom to 5585 catch any other similar cases. Added a new convertToPhantomUnchecked() for converting 5586 var arg nodes. 
5587 5588 * dfg/DFGDCEPhase.cpp: 5589 (JSC::DFG::DCEPhase::run): 5590 * dfg/DFGNode.h: 5591 (Node): 5592 (JSC::DFG::Node::setOpAndDefaultNonExitFlags): Added ASSERT(!(m_flags & NodeHasVarArgs)) 5593 (JSC::DFG::Node::setOpAndDefaultNonExitFlagsUnchecked): 5594 (JSC::DFG::Node::convertToPhantomUnchecked): 5595 55962013-03-19 Mark Hahnenberg <mhahnenberg@apple.com> 5597 5598 Crash in SpeculativeJIT::fillSpeculateIntInternal<false> on http://bellard.org/jslinux 5599 https://bugs.webkit.org/show_bug.cgi?id=112738 5600 5601 Reviewed by Filip Pizlo. 5602 5603 * dfg/DFGFixupPhase.cpp: 5604 (JSC::DFG::FixupPhase::fixIntEdge): We shouldn't be killing this node because it could be 5605 referenced by other people. 5606 56072013-03-19 Oliver Hunt <oliver@apple.com> 5608 5609 RELEASE_ASSERT fires in exception handler lookup 5610 5611 RS=Geoff Garen. 5612 5613 Temporarily switch this RELEASE_ASSERT into a regular ASSERT 5614 as currently this is producing fairly bad crashiness. 5615 5616 * bytecode/CodeBlock.cpp: 5617 (JSC::CodeBlock::handlerForBytecodeOffset): 5618 56192013-03-18 Filip Pizlo <fpizlo@apple.com> 5620 5621 DFG should optimize StringObject.length and StringOrStringObject.length 5622 https://bugs.webkit.org/show_bug.cgi?id=112658 5623 5624 Reviewed by Mark Hahnenberg. 5625 5626 Implemented by injecting a ToString(StringObject:@a) or ToString(StringOrStringObject:@a) prior 5627 to GetArrayLength with ArrayMode(Array::String) if @a is predicted StringObject or 5628 StringOrStringObject. 5629 5630 * dfg/DFGFixupPhase.cpp: 5631 (JSC::DFG::FixupPhase::fixupNode): 5632 (JSC::DFG::FixupPhase::createToString): 5633 (FixupPhase): 5634 (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion): 5635 (JSC::DFG::FixupPhase::convertStringAddUse): 5636 56372013-03-19 Gabor Rapcsanyi <rgabor@webkit.org> 5638 5639 Implement and32 on ARMv7 and ARM traditional platforms 5640 https://bugs.webkit.org/show_bug.cgi?id=112663 5641 5642 Reviewed by Zoltan Herczeg. 
5643 5644 * assembler/MacroAssemblerARM.h: 5645 (JSC::MacroAssemblerARM::and32): Add missing method. 5646 (MacroAssemblerARM): 5647 * assembler/MacroAssemblerARMv7.h: 5648 (JSC::MacroAssemblerARMv7::and32): Add missing method. 5649 (MacroAssemblerARMv7): 5650 56512013-03-18 Filip Pizlo <fpizlo@apple.com> 5652 5653 DFG ToString generic cases should work correctly 5654 https://bugs.webkit.org/show_bug.cgi?id=112654 5655 <rdar://problem/13447250> 5656 5657 Reviewed by Geoffrey Garen. 5658 5659 * dfg/DFGSpeculativeJIT.cpp: 5660 (JSC::DFG::SpeculativeJIT::compileToStringOnCell): 5661 * dfg/DFGSpeculativeJIT32_64.cpp: 5662 (JSC::DFG::SpeculativeJIT::compile): 5663 * dfg/DFGSpeculativeJIT64.cpp: 5664 (JSC::DFG::SpeculativeJIT::compile): 5665 56662013-03-18 Michael Saboff <msaboff@apple.com> 5667 5668 Unreviewed build fix for 32 bit builds. 5669 5670 * dfg/DFGSpeculativeJIT32_64.cpp: 5671 (JSC::DFG::SpeculativeJIT::compile): 5672 56732013-03-18 Michael Saboff <msaboff@apple.com> 5674 5675 EFL: Unsafe branch detected in compilePutByValForFloatTypedArray() 5676 https://bugs.webkit.org/show_bug.cgi?id=112609 5677 5678 Reviewed by Geoffrey Garen. 5679 5680 Created local valueFPR and scratchFPR and filled them with valueOp.fpr() and scratch.fpr() 5681 respectively so that if valueOp.fpr() causes a spill during allocation, it occurs before the 5682 branch and also to follow convention. Added register allocation checks to FPRTemporary. 5683 Cleaned up a couple of other places to follow the "AllocatVirtualRegType foo, get machine 5684 reg from foo" pattern. 
5685 5686 * dfg/DFGSpeculativeJIT.cpp: 5687 (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray): 5688 * dfg/DFGSpeculativeJIT.h: 5689 (JSC::DFG::SpeculativeJIT::fprAllocate): 5690 * dfg/DFGSpeculativeJIT32_64.cpp: 5691 (JSC::DFG::SpeculativeJIT::convertToDouble): 5692 (JSC::DFG::SpeculativeJIT::compile): 5693 * dfg/DFGSpeculativeJIT64.cpp: 5694 (JSC::DFG::SpeculativeJIT::compile): 5695 56962013-03-18 Filip Pizlo <fpizlo@apple.com> 5697 5698 DFG should inline binary string concatenations (i.e. ValueAdd with string children) 5699 https://bugs.webkit.org/show_bug.cgi?id=112599 5700 5701 Reviewed by Oliver Hunt. 5702 5703 This does as advertised: if you do x + y where x and y are strings, you'll get 5704 a fast inlined JSRopeString allocation (along with whatever checks are necessary). 5705 It also does good things if either x or y (or both) are StringObjects, or some 5706 other thing like StringOrStringObject. It also lays the groundwork for making this 5707 fast if either x or y are numbers, or some other reasonably-cheap-to-convert 5708 value. 
5709 5710 * dfg/DFGAbstractState.cpp: 5711 (JSC::DFG::AbstractState::executeEffects): 5712 * dfg/DFGFixupPhase.cpp: 5713 (JSC::DFG::FixupPhase::fixupNode): 5714 (FixupPhase): 5715 (JSC::DFG::FixupPhase::isStringObjectUse): 5716 (JSC::DFG::FixupPhase::convertStringAddUse): 5717 (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd): 5718 * dfg/DFGOperations.cpp: 5719 * dfg/DFGOperations.h: 5720 * dfg/DFGSpeculativeJIT.cpp: 5721 (JSC::DFG::SpeculativeJIT::compileAdd): 5722 * dfg/DFGSpeculativeJIT.h: 5723 (JSC::DFG::SpeculativeJIT::callOperation): 5724 (SpeculativeJIT): 5725 (JSC::DFG::SpeculativeJIT::emitAllocateJSCell): 5726 (JSC::DFG::SpeculativeJIT::emitAllocateJSObject): 5727 * runtime/JSString.h: 5728 (JSC::JSString::offsetOfFlags): 5729 (JSString): 5730 (JSRopeString): 5731 (JSC::JSRopeString::offsetOfFibers): 5732 57332013-03-18 Filip Pizlo <fpizlo@apple.com> 5734 5735 JSC_NATIVE_FUNCTION() takes an identifier for the name and then uses #name, which is unsafe if name was already #define'd to something else 5736 https://bugs.webkit.org/show_bug.cgi?id=112639 5737 5738 Reviewed by Michael Saboff. 5739 5740 Change it to take a string instead. 5741 5742 * runtime/JSObject.h: 5743 (JSC): 5744 * runtime/ObjectPrototype.cpp: 5745 (JSC::ObjectPrototype::finishCreation): 5746 * runtime/StringPrototype.cpp: 5747 (JSC::StringPrototype::finishCreation): 5748 57492013-03-18 Brent Fulgham <bfulgham@webkit.org> 5750 5751 [WinCairo] Get build working under VS2010. 5752 https://bugs.webkit.org/show_bug.cgi?id=112604 5753 5754 Reviewed by Tim Horton. 5755 5756 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Use CFLite-specific 5757 build target (standard version links against CoreFoundation.lib 5758 instead of CFLite.lib). 5759 * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: Added. 5760 * JavaScriptCore.vcxproj/testapi/testapiDebugCFLite.props: Added. 5761 * JavaScriptCore.vcxproj/testapi/testapiReleaseCFLite.props: Added. 
5762 57632013-03-18 Roger Fong <roger_fong@apple.com> 5764 5765 AppleWin VS2010 Debug configuration build fix.. 5766 5767 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 5768 57692013-03-18 Brent Fulgham <bfulgham@webkit.org> 5770 5771 [WinCairo] Get build working under VS2010. 5772 https://bugs.webkit.org/show_bug.cgi?id=112604 5773 5774 Reviewed by Tim Horton. 5775 5776 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add build targets for 5777 Debug_WinCairo and Release_WinCairo using CFLite. 5778 * JavaScriptCore.vcxproj/JavaScriptCoreCFLite.props: Added. 5779 * JavaScriptCore.vcxproj/JavaScriptCoreDebugCFLite.props: Added. 5780 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj: 5781 Add Debug_WinCairo and Release_WinCairo build targets to 5782 make sure headers are copied to proper build folder. 5783 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Ditto. 5784 * JavaScriptCore.vcxproj/JavaScriptCoreReleaseCFLite.props: Added. 5785 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: 5786 Add Debug_WinCairo and Release_WinCairo build targets to 5787 make sure headers are copied to proper build folder. 5788 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: 5789 Ditto. 5790 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: 5791 Ditto. 5792 * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Ditto. 5793 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Ditto. 5794 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Ditto. 5795 57962013-03-18 Michael Saboff <msaboff@apple.com> 5797 5798 Potentially unsafe register allocations in DFG code generation 5799 https://bugs.webkit.org/show_bug.cgi?id=112477 5800 5801 Reviewed by Geoffrey Garen. 5802 5803 Moved allocation of temporary GPRs to be before any generated branches in the functions below. 
5804 5805 * dfg/DFGSpeculativeJIT32_64.cpp: 5806 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): 5807 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): 5808 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): 5809 * dfg/DFGSpeculativeJIT64.cpp: 5810 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): 5811 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): 5812 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): 5813 58142013-03-15 Filip Pizlo <fpizlo@apple.com> 5815 5816 DFG string conversions and allocations should be inlined 5817 https://bugs.webkit.org/show_bug.cgi?id=112376 5818 5819 Reviewed by Geoffrey Garen. 5820 5821 This turns new String(), String(), String.prototype.valueOf(), and 5822 String.prototype.toString() into intrinsics. It gives the DFG the ability to handle 5823 conversions from StringObject to JSString and vice-versa, and also gives it the 5824 ability to handle cases where a variable may be either a StringObject or a JSString. 5825 To do this, I added StringObject to value profiling (and removed the stale 5826 distinction between Myarguments and Foreignarguments). I also cleaned up ToPrimitive 5827 handling, using some of the new functionality but also taking advantage of the 5828 existence of Identity(String:@a). 5829 5830 This is a 2% SunSpider speed-up. Also there are some speed-ups on V8v7 and Kraken. 5831 On microbenchmarks that stress new String() this is a 14x speed-up. 
5832 5833 * CMakeLists.txt: 5834 * DerivedSources.make: 5835 * DerivedSources.pri: 5836 * GNUmakefile.list.am: 5837 * bytecode/CodeBlock.h: 5838 (CodeBlock): 5839 (JSC::CodeBlock::hasExitSite): 5840 (JSC): 5841 * bytecode/DFGExitProfile.cpp: 5842 (JSC::DFG::ExitProfile::hasExitSite): 5843 (DFG): 5844 * bytecode/DFGExitProfile.h: 5845 (ExitProfile): 5846 (JSC::DFG::ExitProfile::hasExitSite): 5847 * bytecode/ExitKind.cpp: 5848 (JSC::exitKindToString): 5849 * bytecode/ExitKind.h: 5850 * bytecode/SpeculatedType.cpp: 5851 (JSC::dumpSpeculation): 5852 (JSC::speculationToAbbreviatedString): 5853 (JSC::speculationFromClassInfo): 5854 * bytecode/SpeculatedType.h: 5855 (JSC): 5856 (JSC::isStringObjectSpeculation): 5857 (JSC::isStringOrStringObjectSpeculation): 5858 * create_hash_table: 5859 * dfg/DFGAbstractState.cpp: 5860 (JSC::DFG::AbstractState::executeEffects): 5861 * dfg/DFGAbstractState.h: 5862 (JSC::DFG::AbstractState::filterEdgeByUse): 5863 * dfg/DFGByteCodeParser.cpp: 5864 (ByteCodeParser): 5865 (JSC::DFG::ByteCodeParser::handleCall): 5866 (JSC::DFG::ByteCodeParser::emitArgumentPhantoms): 5867 (DFG): 5868 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): 5869 * dfg/DFGCSEPhase.cpp: 5870 (JSC::DFG::CSEPhase::putStructureStoreElimination): 5871 * dfg/DFGEdge.h: 5872 (JSC::DFG::Edge::shift): 5873 * dfg/DFGFixupPhase.cpp: 5874 (JSC::DFG::FixupPhase::fixupNode): 5875 (JSC::DFG::FixupPhase::isStringPrototypeMethodSane): 5876 (FixupPhase): 5877 (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess): 5878 (JSC::DFG::FixupPhase::observeUseKindOnNode): 5879 * dfg/DFGGraph.h: 5880 (JSC::DFG::Graph::hasGlobalExitSite): 5881 (Graph): 5882 (JSC::DFG::Graph::hasExitSite): 5883 (JSC::DFG::Graph::clobbersWorld): 5884 * dfg/DFGNode.h: 5885 (JSC::DFG::Node::convertToToString): 5886 (Node): 5887 (JSC::DFG::Node::hasStructure): 5888 (JSC::DFG::Node::shouldSpeculateStringObject): 5889 (JSC::DFG::Node::shouldSpeculateStringOrStringObject): 5890 * dfg/DFGNodeType.h: 5891 (DFG): 
5892 * dfg/DFGOperations.cpp: 5893 * dfg/DFGOperations.h: 5894 * dfg/DFGPredictionPropagationPhase.cpp: 5895 (JSC::DFG::PredictionPropagationPhase::propagate): 5896 * dfg/DFGSpeculativeJIT.cpp: 5897 (JSC::DFG::SpeculativeJIT::compileToStringOnCell): 5898 (DFG): 5899 (JSC::DFG::SpeculativeJIT::compileNewStringObject): 5900 (JSC::DFG::SpeculativeJIT::speculateObject): 5901 (JSC::DFG::SpeculativeJIT::speculateObjectOrOther): 5902 (JSC::DFG::SpeculativeJIT::speculateString): 5903 (JSC::DFG::SpeculativeJIT::speculateStringObject): 5904 (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject): 5905 (JSC::DFG::SpeculativeJIT::speculate): 5906 * dfg/DFGSpeculativeJIT.h: 5907 (JSC::DFG::SpeculativeJIT::callOperation): 5908 (SpeculativeJIT): 5909 (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand): 5910 (DFG): 5911 (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure): 5912 * dfg/DFGSpeculativeJIT32_64.cpp: 5913 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 5914 (JSC::DFG::SpeculativeJIT::compile): 5915 * dfg/DFGSpeculativeJIT64.cpp: 5916 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 5917 (JSC::DFG::SpeculativeJIT::compile): 5918 * dfg/DFGUseKind.cpp: 5919 (WTF::printInternal): 5920 * dfg/DFGUseKind.h: 5921 (JSC::DFG::typeFilterFor): 5922 * interpreter/CallFrame.h: 5923 (JSC::ExecState::regExpPrototypeTable): 5924 * runtime/CommonIdentifiers.h: 5925 * runtime/Intrinsic.h: 5926 * runtime/JSDestructibleObject.h: 5927 (JSDestructibleObject): 5928 (JSC::JSDestructibleObject::classInfoOffset): 5929 * runtime/JSGlobalData.cpp: 5930 (JSC): 5931 (JSC::JSGlobalData::JSGlobalData): 5932 (JSC::JSGlobalData::~JSGlobalData): 5933 * runtime/JSGlobalData.h: 5934 (JSGlobalData): 5935 * runtime/JSObject.cpp: 5936 * runtime/JSObject.h: 5937 (JSC): 5938 * runtime/JSWrapperObject.h: 5939 (JSC::JSWrapperObject::allocationSize): 5940 (JSWrapperObject): 5941 (JSC::JSWrapperObject::internalValueOffset): 5942 (JSC::JSWrapperObject::internalValueCellOffset): 5943 * 
runtime/StringPrototype.cpp: 5944 (JSC): 5945 (JSC::StringPrototype::finishCreation): 5946 (JSC::StringPrototype::create): 5947 * runtime/StringPrototype.h: 5948 (StringPrototype): 5949 59502013-03-18 Filip Pizlo <fpizlo@apple.com> 5951 5952 ObjectPrototype properties should be eagerly created rather than lazily via static tables 5953 https://bugs.webkit.org/show_bug.cgi?id=112539 5954 5955 Reviewed by Oliver Hunt. 5956 5957 This is the first part of https://bugs.webkit.org/show_bug.cgi?id=112233. Rolling this 5958 in first since it's the less-likely-to-be-broken part. 5959 5960 * CMakeLists.txt: 5961 * DerivedSources.make: 5962 * DerivedSources.pri: 5963 * GNUmakefile.list.am: 5964 * interpreter/CallFrame.h: 5965 (JSC::ExecState::objectConstructorTable): 5966 * runtime/CommonIdentifiers.h: 5967 * runtime/JSGlobalData.cpp: 5968 (JSC): 5969 (JSC::JSGlobalData::JSGlobalData): 5970 (JSC::JSGlobalData::~JSGlobalData): 5971 * runtime/JSGlobalData.h: 5972 (JSGlobalData): 5973 * runtime/JSObject.cpp: 5974 (JSC::JSObject::putDirectNativeFunction): 5975 (JSC): 5976 * runtime/JSObject.h: 5977 (JSObject): 5978 (JSC): 5979 * runtime/Lookup.cpp: 5980 (JSC::setUpStaticFunctionSlot): 5981 * runtime/ObjectPrototype.cpp: 5982 (JSC): 5983 (JSC::ObjectPrototype::finishCreation): 5984 (JSC::ObjectPrototype::create): 5985 * runtime/ObjectPrototype.h: 5986 (ObjectPrototype): 5987 59882013-03-16 Pratik Solanki <psolanki@apple.com> 5989 5990 Disable High DPI Canvas on iOS 5991 https://bugs.webkit.org/show_bug.cgi?id=112511 5992 5993 Reviewed by Joseph Pecoraro. 5994 5995 * Configurations/FeatureDefines.xcconfig: 5996 59972013-03-15 Andreas Kling <akling@apple.com> 5998 5999 Don't also clone StructureRareData when cloning Structure. 6000 <http://webkit.org/b/111672> 6001 6002 Reviewed by Mark Hahnenberg. 6003 6004 We were cloning a lot of StructureRareData with only the previousID pointer set since 6005 the enumerationCache is not shared between clones. 
6006 6007 Let the Structure copy constructor decide whether it wants to clone the rare data. 6008 The decision is made by StructureRareData::needsCloning() and will currently always 6009 return false, since StructureRareData only holds on to caches at present. 6010 This may change in the future as more members are added to StructureRareData. 6011 6012 * runtime/Structure.cpp: 6013 (JSC::Structure::Structure): 6014 (JSC::Structure::cloneRareDataFrom): 6015 * runtime/StructureInlines.h: 6016 (JSC::Structure::create): 6017 60182013-03-15 Mark Hahnenberg <mhahnenberg@apple.com> 6019 6020 Roll out r145838 6021 https://bugs.webkit.org/show_bug.cgi?id=112458 6022 6023 Unreviewed. Requested by Filip Pizlo. 6024 6025 * CMakeLists.txt: 6026 * DerivedSources.make: 6027 * DerivedSources.pri: 6028 * GNUmakefile.list.am: 6029 * dfg/DFGOperations.cpp: 6030 * interpreter/CallFrame.h: 6031 (JSC::ExecState::objectPrototypeTable): 6032 * jit/JITStubs.cpp: 6033 (JSC::getByVal): 6034 * llint/LLIntSlowPaths.cpp: 6035 (JSC::LLInt::getByVal): 6036 * runtime/CommonIdentifiers.h: 6037 * runtime/JSCell.cpp: 6038 (JSC): 6039 * runtime/JSCell.h: 6040 (JSCell): 6041 * runtime/JSCellInlines.h: 6042 (JSC): 6043 (JSC::JSCell::fastGetOwnProperty): 6044 * runtime/JSGlobalData.cpp: 6045 (JSC): 6046 (JSC::JSGlobalData::JSGlobalData): 6047 (JSC::JSGlobalData::~JSGlobalData): 6048 * runtime/JSGlobalData.h: 6049 (JSGlobalData): 6050 * runtime/JSObject.cpp: 6051 (JSC): 6052 * runtime/JSObject.h: 6053 (JSObject): 6054 (JSC): 6055 * runtime/Lookup.cpp: 6056 (JSC::setUpStaticFunctionSlot): 6057 * runtime/ObjectPrototype.cpp: 6058 (JSC): 6059 (JSC::ObjectPrototype::finishCreation): 6060 (JSC::ObjectPrototype::getOwnPropertySlot): 6061 (JSC::ObjectPrototype::getOwnPropertyDescriptor): 6062 * runtime/ObjectPrototype.h: 6063 (JSC::ObjectPrototype::create): 6064 (ObjectPrototype): 6065 * runtime/PropertyMapHashTable.h: 6066 (JSC::PropertyTable::findWithString): 6067 * runtime/Structure.h: 6068 (Structure): 6069 * 
runtime/StructureInlines.h: 6070 (JSC::Structure::get): 6071 60722013-03-15 Michael Saboff <msaboff@apple.com> 6073 6074 Cleanup of DFG and Baseline JIT debugging code 6075 https://bugs.webkit.org/show_bug.cgi?id=111871 6076 6077 Reviewed by Geoffrey Garen. 6078 6079 Fixed various debug related issue in baseline and DFG JITs. See below. 6080 6081 * dfg/DFGRepatch.cpp: 6082 (JSC::DFG::dfgLinkClosureCall): Used pointerDump() to handle when calleeCodeBlock is NULL. 6083 * dfg/DFGScratchRegisterAllocator.h: Now use ScratchBuffer::activeLengthPtr() to get 6084 pointer to scratch register length. 6085 (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer): 6086 (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer): 6087 * dfg/DFGSpeculativeJIT.cpp: 6088 (JSC::DFG::SpeculativeJIT::checkConsistency): Added missing case labels for DataFormatOSRMarker, 6089 DataFormatDead, and DataFormatArguments and made them RELEASE_ASSERT_NOT_REACHED(); 6090 * jit/JITCall.cpp: 6091 (JSC::JIT::privateCompileClosureCall): Used pointerDump() to handle when calleeCodeBlock is NULL. 6092 * jit/JITCall32_64.cpp: 6093 (JSC::JIT::privateCompileClosureCall): Used pointerDump() to handle when calleeCodeBlock is NULL. 6094 * runtime/JSGlobalData.h: 6095 (JSC::ScratchBuffer::ScratchBuffer): Fixed buffer allocation alignment to 6096 be on a double boundary. 6097 (JSC::ScratchBuffer::setActiveLength): 6098 (JSC::ScratchBuffer::activeLength): 6099 (JSC::ScratchBuffer::activeLengthPtr): 6100 61012013-03-15 Michael Saboff <msaboff@apple.com> 6102 6103 Add runtime check for improper register allocations in DFG 6104 https://bugs.webkit.org/show_bug.cgi?id=112380 6105 6106 Reviewed by Geoffrey Garen. 6107 6108 Added framework to check for register allocation within a branch source - target range. All register allocations 6109 are saved using the offset in the code stream where the allocation occurred. 
Later when a jump is linked, the 6110 currently saved register allocations are checked to make sure that they didn't occur in the range of code that was 6111 jumped over. This protects against the case where an allocation could have spilled register contents to free up 6112 a register and that spill only occurs on one path of a many through the code. A subsequent fill of the spilled 6113 register may load garbage. See https://bugs.webkit.org/show_bug.cgi?id=111777 for one such bug. 6114 This code is protected by the compile time check of #if ENABLE(DFG_REGISTER_ALLOCATION_VALIDATION). 6115 The check is only done during the processing of SpeculativeJIT::compile(Node* node) and its callees. 6116 6117 * assembler/AbstractMacroAssembler.h: 6118 (JSC::AbstractMacroAssembler::Jump::link): Invoke register allocation checks using source and target of link. 6119 (JSC::AbstractMacroAssembler::Jump::linkTo): Invoke register allocation checks using source and target of link. 6120 (AbstractMacroAssembler): 6121 (RegisterAllocationOffset): New helper class to store the instruction stream offset and compare against a 6122 jump range. 6123 (JSC::AbstractMacroAssembler::RegisterAllocationOffset::RegisterAllocationOffset): 6124 (JSC::AbstractMacroAssembler::RegisterAllocationOffset::check): 6125 (JSC::AbstractMacroAssembler::addRegisterAllocationAtOffset): 6126 (JSC::AbstractMacroAssembler::clearRegisterAllocationOffsets): 6127 (JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange): 6128 * dfg/DFGSpeculativeJIT.h: 6129 (JSC::DFG::SpeculativeJIT::allocate): 6130 * dfg/DFGSpeculativeJIT32_64.cpp: 6131 (JSC::DFG::SpeculativeJIT::compile): 6132 * dfg/DFGSpeculativeJIT64.cpp: 6133 (JSC::DFG::SpeculativeJIT::compile): 6134 61352013-03-14 Oliver Hunt <oliver@apple.com> 6136 6137 REGRESSION(r145000): Crash loading arstechnica.com when Safari Web Inspector is open 6138 https://bugs.webkit.org/show_bug.cgi?id=111868 6139 6140 Reviewed by Antti Koivisto. 

        Don't allow non-local property lookup when the debugger is enabled.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::resolve):

2013-03-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Objective-C functions exposed to JavaScript have the wrong type (object instead of function)
        https://bugs.webkit.org/show_bug.cgi?id=105892

        Reviewed by Geoffrey Garen.

        Changed ObjCCallbackFunction to subclass JSCallbackFunction which already has all of the machinery to call
        functions using the C API. Since ObjCCallbackFunction is now a JSCell, we changed the old implementation of
        ObjCCallbackFunction to be the internal implementation and keep track of all the proper data so that we
        don't have to put all of that in the header, which will now be included from C++ files (e.g. JSGlobalObject.cpp).

        * API/JSCallbackFunction.cpp: Change JSCallbackFunction to allow subclassing. Originally it was internally
        passing its own Structure up the chain of constructors, but we now want to be able to pass other Structures as well.
        (JSC::JSCallbackFunction::JSCallbackFunction):
        (JSC::JSCallbackFunction::create):
        * API/JSCallbackFunction.h:
        (JSCallbackFunction):
        * API/JSWrapperMap.mm: Changed interface to tryUnwrapBlock.
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.h:
        (ObjCCallbackFunction): Moved into the JSC namespace, just like JSCallbackFunction.
        (JSC::ObjCCallbackFunction::createStructure): Overridden so that the correct ClassInfo gets used since we have
        a destructor.
        (JSC::ObjCCallbackFunction::impl): Getter for the internal impl.
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl): What used to be ObjCCallbackFunction is now
        ObjCCallbackFunctionImpl. It handles the Objective-C specific parts of managing callback functions.
        (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl):
        (JSC::objCCallbackFunctionCallAsFunction): Same as the old one, but now it casts to ObjCCallbackFunction and grabs the impl
        rather than using JSObjectGetPrivate.
        (JSC::ObjCCallbackFunction::ObjCCallbackFunction): New bits to allow being part of the JSCell hierarchy.
        (JSC::ObjCCallbackFunction::create):
        (JSC::ObjCCallbackFunction::destroy):
        (JSC::ObjCCallbackFunctionImpl::call): Handles the actual invocation, just like it used to.
        (objCCallbackFunctionForInvocation):
        (tryUnwrapBlock): Changed to check the ClassInfo for inheritance directly, rather than going through the C API call.
        * API/tests/testapi.mm: Added new test to make sure that doing Function.prototype.toString.call(f) won't result in
        an error when f is an Objective-C method or block underneath the covers.
        * runtime/JSGlobalObject.cpp: Added new Structure for ObjCCallbackFunction.
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::objcCallbackFunctionStructure):

2013-03-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Nested dictionaries are not converted properly in the Objective-C binding
        https://bugs.webkit.org/show_bug.cgi?id=112377

        Reviewed by Oliver Hunt.

        Accidental reassignment of the root task in the container conversion logic was causing the last
        array or dictionary processed to be returned in the case of nested containers.

        * API/JSValue.mm:
        (containerValueToObject):
        * API/tests/testapi.mm:

2013-03-13  Filip Pizlo  <fpizlo@apple.com>

        JSObject fast by-string access optimizations should work even on the prototype chain, and even when the result is undefined
        https://bugs.webkit.org/show_bug.cgi?id=112233

        Reviewed by Oliver Hunt.

        Extended the existing fast access path for String keys to work over the entire prototype chain,
        not just the self access case. This will fail as soon as it sees an object that intercepts
        getOwnPropertySlot, so this patch also ensures that ObjectPrototype does not fall into that
        category. This is accomplished by making ObjectPrototype eagerly reify all of its properties.
        This is safe for ObjectPrototype because it's so common and we expect all of its properties to
        be reified for any interesting programs anyway. A new idiom for adding native functions to
        prototypes is introduced, which ought to work well for any other prototypes that we wish to do
        this conversion for.

        This is a >60% speed-up in the case that you frequently do by-string lookups that "miss", i.e.
        they don't turn up anything.

        * CMakeLists.txt:
        * DerivedSources.make:
        * DerivedSources.pri:
        * GNUmakefile.list.am:
        * dfg/DFGOperations.cpp:
        * interpreter/CallFrame.h:
        (JSC::ExecState::objectConstructorTable):
        * jit/JITStubs.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        * runtime/CommonIdentifiers.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getByStringSlow):
        (JSC):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSCellInlines.h:
        (JSC):
        (JSC::JSCell::getByStringAndKey):
        (JSC::JSCell::getByString):
        * runtime/JSGlobalData.cpp:
        (JSC):
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectNativeFunction):
        (JSC):
        * runtime/JSObject.h:
        (JSObject):
        (JSC):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/ObjectPrototype.cpp:
        (JSC):
        (JSC::ObjectPrototype::finishCreation):
        (JSC::ObjectPrototype::create):
        * runtime/ObjectPrototype.h:
        (ObjectPrototype):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::findWithString):
        * runtime/Structure.h:
        (Structure):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        (JSC):

2013-03-13  Filip Pizlo  <fpizlo@apple.com>

        DFG bytecode parser is too aggressive about getting rid of GetLocals on captured variables
        https://bugs.webkit.org/show_bug.cgi?id=112287
        <rdar://problem/13342340>

        Reviewed by Oliver Hunt.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finalizeUnconditionally):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getLocal):

2013-03-13  Ryosuke Niwa  <rniwa@webkit.org>

        Threaded HTML Parser is missing feature define flags in all but Chromium port's build files
        https://bugs.webkit.org/show_bug.cgi?id=112277

        Reviewed by Adam Barth.

        * Configurations/FeatureDefines.xcconfig:

2013-03-13  Csaba Osztrogonác  <ossy@webkit.org>

        LLINT C loop warning fix for GCC
        https://bugs.webkit.org/show_bug.cgi?id=112145

        Reviewed by Filip Pizlo.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):

2013-02-13  Simon Hausmann  <simon.hausmann@digia.com>

        Add support for convenient conversion from JSStringRef to QString
        https://bugs.webkit.org/show_bug.cgi?id=109694

        Reviewed by Allan Sandfeld Jensen.

        Add JSStringCopyQString helper function that allows for the convenient
        extraction of a QString out of a JSStringRef.

        * API/JSStringRefQt.cpp: Added.
        (JSStringCopyQString):
        * API/JSStringRefQt.h: Added.
        * API/OpaqueJSString.h:
        (OpaqueJSString):
        (OpaqueJSString::qString):
        (OpaqueJSString::OpaqueJSString):
        * Target.pri:

2013-03-13  Peter Gal  <galpeter@inf.u-szeged.hu>

        Token 'not' is ignored in the offlineasm.
        https://bugs.webkit.org/show_bug.cgi?id=111568

        Reviewed by Filip Pizlo.

        * offlineasm/parser.rb: Build the Not AST node if the 'not' token is found.

2013-03-12  Tim Horton  <timothy_horton@apple.com>

        WTF uses macros for exports. Try to fix the Windows build. Unreviewed.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-03-12  Filip Pizlo  <fpizlo@apple.com>

        Array.prototype.sort should at least try to be PTIME even when the array is in some bizarre mode
        https://bugs.webkit.org/show_bug.cgi?id=112187
        <rdar://problem/13393550>

        Reviewed by Michael Saboff and Gavin Barraclough.

        If we have an array-like object in crazy mode passed into Array.prototype.sort, and its length is large,
        then first copy all elements into a separate, compact, un-holy array and sort that. Then copy back.
        This means that sorting will be at worst O(n^2) in the actual number of things in the array, rather than
        O(n^2) in the array's length.

        * runtime/ArrayPrototype.cpp:
        (JSC::attemptFastSort):
        (JSC::performSlowSort):
        (JSC):
        (JSC::arrayProtoFuncSort):

2013-03-12  Tim Horton  <timothy_horton@apple.com>

        Try to fix the Windows build.

        Not reviewed.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-03-12  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the Windows build.

        Not reviewed.

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
        Export a thing.

2013-03-11  Oliver Hunt  <oliver@apple.com>

        Harden JSStringJoiner
        https://bugs.webkit.org/show_bug.cgi?id=112093

        Reviewed by Filip Pizlo.

        Harden JSStringJoiner, make it use our CheckedArithmetic
        class to simplify everything.

        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::build):
        * runtime/JSStringJoiner.h:
        (JSStringJoiner):
        (JSC::JSStringJoiner::JSStringJoiner):
        (JSC::JSStringJoiner::append):

2013-03-12  Filip Pizlo  <fpizlo@apple.com>

        DFG generic array access cases should not be guarded by CheckStructure even if the profiling tells us that it could be
        https://bugs.webkit.org/show_bug.cgi?id=112183

        Reviewed by Oliver Hunt.

        Slight speed-up on string-unpack-code.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::findAndRemoveUnnecessaryStructureCheck):
        (FixupPhase):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):

2013-03-12  Gabor Rapcsanyi  <rgabor@webkit.org>

        https://bugs.webkit.org/show_bug.cgi?id=112141
        LLInt CLoop backend misses Double2Ints() on 32bit architectures

        Reviewed by Filip Pizlo.

        Implement Double2Ints() in CLoop backend of LLInt on 32bit architectures.

        * llint/LowLevelInterpreter.cpp:
        (LLInt):
        (JSC::LLInt::Double2Ints):
        * offlineasm/cloop.rb:

2013-03-12  Gabor Rapcsanyi  <rgabor@webkit.org>

        Making more sophisticated cache flush on ARM Linux platform
        https://bugs.webkit.org/show_bug.cgi?id=111854

        Reviewed by Zoltan Herczeg.

        The cache flush on ARM Linux invalidates whole pages
        instead of just the required area.

        * assembler/ARMAssembler.h:
        (ARMAssembler):
        (JSC::ARMAssembler::linuxPageFlush):
        (JSC::ARMAssembler::cacheFlush):
        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::linuxPageFlush):
        (JSC::ARMv7Assembler::cacheFlush):

2013-03-12  Gabor Rapcsanyi  <rgabor@webkit.org>

        Renaming the armv7.rb LLINT backend to arm.rb
        https://bugs.webkit.org/show_bug.cgi?id=110565

        Reviewed by Zoltan Herczeg.

        This is the first step of a unified ARM backend for
        all ARM 32 bit architectures in LLInt.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * LLIntOffsetsExtractor.pro:
        * offlineasm/arm.rb: Copied from Source/JavaScriptCore/offlineasm/armv7.rb.
        * offlineasm/armv7.rb: Removed.
        * offlineasm/backends.rb:
        * offlineasm/risc.rb:

2013-03-12  Csaba Osztrogonác  <ossy@webkit.org>

        REGRESSION(r145482): It broke 33 jsc tests and zillion layout tests on all platform
        https://bugs.webkit.org/show_bug.cgi?id=112112

        Reviewed by Oliver Hunt.

        Rolling out https://trac.webkit.org/changeset/145482 to unbreak the bots.

        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::build):
        * runtime/JSStringJoiner.h:
        (JSStringJoiner):
        (JSC::JSStringJoiner::JSStringJoiner):
        (JSC::JSStringJoiner::append):

2013-03-12  Filip Pizlo  <fpizlo@apple.com>

        DFG prediction propagation phase should not rerun forward propagation if double voting has already converged
        https://bugs.webkit.org/show_bug.cgi?id=111920

        Reviewed by Oliver Hunt.

        I don't know why we weren't exiting early after double voting if !m_changed.

        This change also removes backwards propagation from the voting fixpoint, since at that
        point short-circuiting loops is probably not particularly profitable. Profiling shows
        that this reduces the time spent in prediction propagation even further.

        This change appears to be a 1% SunSpider speed-up.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):

2013-03-11  Filip Pizlo  <fpizlo@apple.com>

        DFG overflow check elimination is too smart for its own good
        https://bugs.webkit.org/show_bug.cgi?id=111832

        Reviewed by Oliver Hunt and Gavin Barraclough.

        Rolling this back in after fixing accidental misuse of JSValue. The code was doing value < someInt
        rather than value.asInt32() < someInt. This "worked" when isWithinPowerOfTwo wasn't templatized.
        It worked by always being false and always disabling the relevant optimization.

        This improves overflow check elimination in three ways:

        1) It reduces the amount of time the compiler will spend doing it.

        2) It fixes bugs where overflow check elimination was overzealous. Precisely, for a binary operation
        over @a and @b where both @a and @b will type check that their inputs (@a->children, @b->children)
        are int32's and then perform a possibly-overflowing operation, we must be careful not to assume
        that @a's non-int32 parts don't matter if at the point that @a runs we have as yet not proved that
        @b->children are int32's and that hence @b might produce a large enough result that doubles would
        start chopping low bits. The specific implication of this is that for a binary operation to not
        propagate that it cares about non-int32 parts (NodeUsedAsNumber), we must prove that at least one
        of the inputs is guaranteed to produce a result within 2^32 and that there won't be a tower of such
        operations large enough to ultimately produce a double greater than 2^52 (roughly). We achieve the
        latter by disabling this optimization for very large basic blocks. It's noteworthy that blocks that
        large won't even make it into the DFG currently.

        3) It makes the overflow check elimination more precise for cases where the inputs to an Add or Sub
        are the outputs of a bit-op. For example in (@a + (@b | 0)) | 0, we don't need to propagate
        NodeUsedAsNumber to either @a or @b.

        This is neutral on V8v7 and a slight speed-up on compile time benchmarks.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGBackwardsPropagationPhase.cpp: Added.
        (DFG):
        (BackwardsPropagationPhase):
        (JSC::DFG::BackwardsPropagationPhase::BackwardsPropagationPhase):
        (JSC::DFG::BackwardsPropagationPhase::run):
        (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
        (JSC::DFG::BackwardsPropagationPhase::isNotZero):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoNonRecursive):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::mergeDefaultFlags):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        (JSC::DFG::performBackwardsPropagation):
        * dfg/DFGBackwardsPropagationPhase.h: Added.
        (DFG):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::clearIsLoadedFrom):
        (CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        (DFG):
        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeIsLoadedFrom):
        (VariableAccessData):
        (JSC::DFG::VariableAccessData::setIsLoadedFrom):
        (JSC::DFG::VariableAccessData::isLoadedFrom):

2013-03-11  Oliver Hunt  <oliver@apple.com>

        Harden JSStringJoiner
        https://bugs.webkit.org/show_bug.cgi?id=112093

        Reviewed by Filip Pizlo.

        Harden JSStringJoiner, make it use our CheckedArithmetic
        class to simplify everything.

        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::build):
        * runtime/JSStringJoiner.h:
        (JSStringJoiner):
        (JSC::JSStringJoiner::JSStringJoiner):
        (JSC::JSStringJoiner::append):

2013-03-11  Michael Saboff  <msaboff@apple.com>

        Crash beneath operationCreateInlinedArguments running fast/js/dfg-create-inlined-arguments-in-closure-inline.html (32-bit only)
        https://bugs.webkit.org/show_bug.cgi?id=112067

        Reviewed by Geoffrey Garen.

        We weren't setting the tag in SetCallee. Therefore set it to CellTag.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-11  Oliver Hunt  <oliver@apple.com>

        Make SegmentedVector Noncopyable
        https://bugs.webkit.org/show_bug.cgi?id=112059

        Reviewed by Geoffrey Garen.

        Copying a SegmentedVector is very expensive, and really shouldn't
        be necessary. So I've taken the one place where we currently copy
        and replaced it with a regular Vector, and replaced the address
        dependent logic with an indexing ref instead.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newLabelScope):
        (JSC::BytecodeGenerator::emitComplexJumpScopes):
        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator):
        * bytecompiler/LabelScope.h:
        (JSC):
        (JSC::LabelScopePtr::LabelScopePtr):
        (LabelScopePtr):
        (JSC::LabelScopePtr::operator=):
        (JSC::LabelScopePtr::~LabelScopePtr):
        (JSC::LabelScopePtr::operator*):
        (JSC::LabelScopePtr::operator->):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::DoWhileNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        (JSC::SwitchNode::emitBytecode):
        (JSC::LabelNode::emitBytecode):

2013-03-10  Andreas Kling  <akling@apple.com>

        SpeculativeJIT should use OwnPtr<SlowPathGenerator>.
        <http://webkit.org/b/111942>

        Reviewed by Anders Carlsson.

        There's no need to include DFGSlowPathGenerator.h from the header as long as the destructor is out-of-line,
        so let's use OwnPtr instead of raw pointers + deleteAllValues().

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::~SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):

2013-03-09  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r145299.
        http://trac.webkit.org/changeset/145299
        https://bugs.webkit.org/show_bug.cgi?id=111928

        compilation failure with recent clang
        (DFGBackwardsPropagationPhase.cpp:132:35: error: comparison of
        constant 10 with expression of type 'bool' is always false)
        (Requested by thorton on #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGBackwardsPropagationPhase.cpp: Removed.
        * dfg/DFGBackwardsPropagationPhase.h: Removed.
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        (DFG):
        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::isNotNegZero):
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::isNotZero):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (VariableAccessData):

2013-03-08  Filip Pizlo  <fpizlo@apple.com>

        DFG overflow check elimination is too smart for its own good
        https://bugs.webkit.org/show_bug.cgi?id=111832

        Reviewed by Oliver Hunt and Gavin Barraclough.

        This improves overflow check elimination in three ways:

        1) It reduces the amount of time the compiler will spend doing it.

        2) It fixes bugs where overflow check elimination was overzealous.
        Precisely, for a binary operation
        over @a and @b where both @a and @b will type check that their inputs (@a->children, @b->children)
        are int32's and then perform a possibly-overflowing operation, we must be careful not to assume
        that @a's non-int32 parts don't matter if at the point that @a runs we have as yet not proved that
        @b->children are int32's and that hence @b might produce a large enough result that doubles would
        start chopping low bits. The specific implication of this is that for a binary operation to not
        propagate that it cares about non-int32 parts (NodeUsedAsNumber), we must prove that at least one
        of the inputs is guaranteed to produce a result within 2^32 and that there won't be a tower of such
        operations large enough to ultimately produce a double greater than 2^52 (roughly). We achieve the
        latter by disabling this optimization for very large basic blocks. It's noteworthy that blocks that
        large won't even make it into the DFG currently.

        3) It makes the overflow check elimination more precise for cases where the inputs to an Add or Sub
        are the outputs of a bit-op. For example in (@a + (@b | 0)) | 0, we don't need to propagate
        NodeUsedAsNumber to either @a or @b.

        This is neutral on V8v7 and a slight speed-up on compile time benchmarks.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGBackwardsPropagationPhase.cpp: Added.
        (DFG):
        (BackwardsPropagationPhase):
        (JSC::DFG::BackwardsPropagationPhase::BackwardsPropagationPhase):
        (JSC::DFG::BackwardsPropagationPhase::run):
        (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
        (JSC::DFG::BackwardsPropagationPhase::isNotZero):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoNonRecursive):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::mergeDefaultFlags):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        (JSC::DFG::performBackwardsPropagation):
        * dfg/DFGBackwardsPropagationPhase.h: Added.
        (DFG):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::clearIsLoadedFrom):
        (CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        (DFG):
        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeIsLoadedFrom):
        (VariableAccessData):
        (JSC::DFG::VariableAccessData::setIsLoadedFrom):
        (JSC::DFG::VariableAccessData::isLoadedFrom):

2013-03-08  Roger Fong  <roger_fong@apple.com>

        Makefile fixes.

        * JavaScriptCore.vcxproj/JavaScriptCore.make:

2013-03-08  Gabor Rapcsanyi  <rgabor@webkit.org>

        Cache flush problem on ARMv7 JSC
        https://bugs.webkit.org/show_bug.cgi?id=111441

        Reviewed by Zoltan Herczeg.

        Not proper cache flush causing random crashes on ARMv7 Linux with V8 tests.
        The problem is similar to https://bugs.webkit.org/show_bug.cgi?id=77712.
        Change the cache flush mechanism similar to ARM traditional and revert the
        temporary fix.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::cacheFlush):

2013-03-07  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION (r143759): 40% JSBench regression, 20% Octane/closure regression, 40% Octane/jquery regression, 2% Octane regression
        https://bugs.webkit.org/show_bug.cgi?id=111797

        Reviewed by Oliver Hunt.

        The bot's testing configuration stresses the cache's starting guess
        of 1MB.

        This patch removes any starting guess, and just uses wall clock time
        to discover the initial working set size of an app, in code size.

        * runtime/CodeCache.cpp:
        (JSC::CodeCacheMap::pruneSlowCase): Update our timer as we go.

        Also fixed a bug where pruning from 0 to 0 would hang -- that case is
        a possibility now that we start with a capacity of 0.

        * runtime/CodeCache.h:
        (CodeCacheMap):
        (JSC::CodeCacheMap::CodeCacheMap):
        (JSC::CodeCacheMap::add):
        (JSC::CodeCacheMap::prune): Don't prune if we're in the middle of
        discovering the working set size of an app, in code size.

2013-03-07  Michael Saboff  <msaboff@apple.com>

        Crash when updating predictions below JSC::arrayProtoFuncForEach on tuaw.com article
        https://bugs.webkit.org/show_bug.cgi?id=111777

        Reviewed by Filip Pizlo.

        Moved register allocations to be above any generated control flow so that any
        resulting spill would be visible to all subsequently generated code.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-07  Filip Pizlo  <fpizlo@apple.com>

        DFG should not get corrupted IR in the case of code that is dead, unreachable, and contains a chain of nodes that use each other in an untyped way
        https://bugs.webkit.org/show_bug.cgi?id=111783

        Reviewed by Mark Hahnenberg.

        Unreachable code is not touched by CFA and so thinks that even untyped uses are checked.
        But dead untyped uses don't need checks and hence don't need to be Phantom'd. The DCE knew
        this in findTypeCheckRoot() but not in eliminateIrrelevantPhantomChildren(), leading to a
        Phantom node that had another Phantom node as one of its kids.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):

2013-03-07  Filip Pizlo  <fpizlo@apple.com>

        The DFG fixpoint is not strictly profitable, and should be straight-lined
        https://bugs.webkit.org/show_bug.cgi?id=111764

        Reviewed by Oliver Hunt and Geoffrey Garen.

        The DFG previously ran optimizations to fixpoint because there exists a circular dependency:

        CSE depends on CFG simplification: CFG simplification merges blocks, and CSE is block-local.

        CFG simplification depends on CFA and constant folding: constant folding reveals branches on
        constants.

        CFA depends on CSE: CSE reveals must-alias relationships by proving that two operations
        always produce identical values.

        Arguments simplification also depends on CSE, but it ought not depend on anything else.

        Hence we get a cycle like: CFA -> folding -> CFG -> CSE -> CFA.

        Note that before we had sparse conditional CFA, we also had CFA depending on CFG. This ought
        not be the case anymore: CFG simplification should not by itself lead to better CFA results.

        My guess is that the weakest link in this cycle is CFG -> CSE. CSE cuts both ways: if you
        CSE too much then you increase register pressure. Hence it's not clear that you always want
        to CSE after simplifying control flow. This leads to an order of optimization as follows:

        CSE -> arguments -> CFA -> folding -> CFG

        This is a 2.5% speed-up on SunSpider, a 4% speed-up on V8Spider, a possible 0.3% slow-down
        on V8v7, nothing on Kraken, and 1.2% speed-up in the JSRegress geomean. I'll take a 2.5%
        speed-up over a 0.3% V8v7 speed-up.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):

2013-03-07  Roger Fong  <roger_fong@apple.com>

        Build fix for AppleWin VS2010.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2013-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Need a good way to reference event handlers without causing cycles
        https://bugs.webkit.org/show_bug.cgi?id=111088

        Reviewed by Geoffrey Garen.

        JSManagedValue is like a special kind of weak value. When you create a JSManagedValue, you can
        supply an Objective-C object as its "owner". As long as the Objective-C owner object remains
        alive and its wrapper remains accessible to the JSC garbage collector (e.g. by being marked by
        the global object), the reference to the JavaScript value is strong. As soon as the Objective-C
        owner is deallocated or its wrapper becomes inaccessible to the garbage collector, the reference
        becomes weak.

        If you do not supply an owner or you use the weakValueWithValue: convenience class method, the
        returned JSManagedValue behaves as a normal weak reference.

        This new class allows clients to maintain references to JavaScript values in the Objective-C
        heap without creating reference cycles/leaking memory.

        * API/JSAPIWrapperObject.cpp: Added.
        (JSC):
        (JSC::::createStructure):
        (JSC::JSAPIWrapperObject::JSAPIWrapperObject): This is a special JSObject for the Objective-C API that knows
        for the purposes of garbage collection/marking that it wraps an opaque Objective-C object.
        (JSC::JSAPIWrapperObject::visitChildren): We add the pointer to the wrapped Objective-C object to the set of
        opaque roots so that the weak handle owner for JSManagedValues can find it later.
        * API/JSAPIWrapperObject.h: Added.
        (JSC):
        (JSAPIWrapperObject):
        (JSC::JSAPIWrapperObject::wrappedObject):
        (JSC::JSAPIWrapperObject::setWrappedObject):
        * API/JSBase.cpp:
        (JSSynchronousGarbageCollect):
        * API/JSBasePrivate.h:
        * API/JSCallbackObject.cpp:
        (JSC):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::destroy): Moved this to the header so that we don't get link errors with JSAPIWrapperObject.
        * API/JSContext.mm:
        (-[JSContext initWithVirtualMachine:]): We weren't adding manually allocated/initialized JSVirtualMachine objects to
        the global cache of virtual machines. The init methods handle this now rather than contextWithGlobalContextRef, since
        not everyone is guaranteed to use the latter.
        (-[JSContext initWithGlobalContextRef:]):
        (+[JSContext contextWithGlobalContextRef:]):
        * API/JSManagedValue.h: Added.
        * API/JSManagedValue.mm: Added.
6953 (JSManagedValueHandleOwner): 6954 (managedValueHandleOwner): 6955 (+[JSManagedValue weakValueWithValue:]): 6956 (+[JSManagedValue managedValueWithValue:owner:]): 6957 (-[JSManagedValue init]): We explicitly call the ARC entrypoints to initialize/get the weak owner field since we don't 6958 use ARC when building our framework. 6959 (-[JSManagedValue initWithValue:]): 6960 (-[JSManagedValue initWithValue:owner:]): 6961 (-[JSManagedValue dealloc]): 6962 (-[JSManagedValue value]): 6963 (-[JSManagedValue weakOwner]): 6964 (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): If the Objective-C owner is still alive (i.e. loading the weak field 6965 returns non-nil) and that value was added to the set of opaque roots by the wrapper for that Objective-C owner, then the the 6966 JSObject to which the JSManagedObject refers is still alive. 6967 * API/JSObjectRef.cpp: We have to add explicit checks for the JSAPIWrapperObject, just like the other types of JSCallbackObjects. 6968 (JSObjectGetPrivate): 6969 (JSObjectSetPrivate): 6970 (JSObjectGetPrivateProperty): 6971 (JSObjectSetPrivateProperty): 6972 (JSObjectDeletePrivateProperty): 6973 * API/JSValue.mm: 6974 (objectToValueWithoutCopy): 6975 * API/JSValueRef.cpp: 6976 (JSValueIsObjectOfClass): 6977 * API/JSVirtualMachine.mm: 6978 (-[JSVirtualMachine initWithContextGroupRef:]): 6979 (+[JSVirtualMachine virtualMachineWithContextGroupRef:]): 6980 * API/JSWrapperMap.mm: 6981 (wrapperFinalize): 6982 (makeWrapper): This is our own internal version of JSObjectMake which creates JSAPIWrapperObjects, the Obj-C API 6983 version of JSCallbackObjects. 6984 (createObjectWithCustomBrand): 6985 (-[JSObjCClassInfo wrapperForObject:]): 6986 (tryUnwrapObjcObject): 6987 * API/JavaScriptCore.h: 6988 * API/tests/testapi.mm: Added new tests for the strong and weak uses of JSManagedValue in the context of an 6989 onclick handler for an Objective-C object inserted into a JSContext. 
        (-[TextXYZ setWeakOnclick:]):
        (-[TextXYZ setOnclick:]):
        (-[TextXYZ weakOnclick]):
        (-[TextXYZ onclick]):
        (-[TextXYZ click]):
        * CMakeLists.txt: Various build system additions.
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSGlobalObject.cpp: Added the new canonical Structure for the JSAPIWrapperObject class.
        (JSC::JSGlobalObject::reset):
        (JSC):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::objcWrapperObjectStructure):

2013-03-06  Filip Pizlo  <fpizlo@apple.com>

        ConvertThis should be turned into Identity based on predictions in Fixup, rather than based on proofs in ConstantFolding
        https://bugs.webkit.org/show_bug.cgi?id=111674

        Reviewed by Oliver Hunt.

        This gets rid of the speculated forms of ConvertThis in the backend, and has Fixup
        convert them to either Identity(Object:@child) if the child is predicted object, or
        Phantom(Other:@child) ; WeakJSConstant(global this object) if it's predicted Other.

        The goal of this is to ensure that the optimization fixpoint doesn't create
        Identity's, since doing so requires a rerun of CSE. So far this isn't a speed-up
        but I'm hoping this will be a step towards reducing the need to rerun the fixpoint
        so as to ultimately reduce compile times.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGAssemblyHelpers.h:
        (AssemblyHelpers):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (FixupPhase):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        (JSC::DFG::FixupPhase::setUseKindAndUnboxIfProfitable):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::globalThisObjectFor):
        (Graph):
        * dfg/DFGNode.h:
        (Node):
        (JSC::DFG::Node::convertToIdentity):
        (JSC::DFG::Node::convertToWeakConstant):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-07  Peter Gal  <galpeter@inf.u-szeged.hu>

        Children method in LLINT AST Not class should return [@child]
        https://bugs.webkit.org/show_bug.cgi?id=90740

        Reviewed by Filip Pizlo.

        * offlineasm/ast.rb: Fixed the return value of the children method in the Not AST class.

2013-03-05  Oliver Hunt  <oliver@apple.com>

        Bring back eager resolution of function scoped variables
        https://bugs.webkit.org/show_bug.cgi?id=111497

        Reviewed by Geoffrey Garen.

        This reverts the get/put_scoped_var part of the great non-local
        variable resolution refactoring. This still leaves all the lazy
        variable resolution logic as it's necessary for global property
        resolution, and I don't want to make the patch bigger than it
        already is.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC):
        (UnlinkedFunctionExecutable):
        (UnlinkedCodeBlock):
        (JSC::UnlinkedCodeBlock::usesGlobalObject):
        (JSC::UnlinkedCodeBlock::setGlobalObjectRegister):
        (JSC::UnlinkedCodeBlock::globalObjectRegister):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::ResolveResult::checkValidity):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitLoadGlobalObject):
        (JSC):
        (JSC::BytecodeGenerator::resolve):
        (JSC::BytecodeGenerator::resolveConstDecl):
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveBase):
        (JSC::BytecodeGenerator::emitResolveBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithThis):
        (JSC::BytecodeGenerator::emitGetStaticVar):
        (JSC::BytecodeGenerator::emitPutStaticVar):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ResolveResult::lexicalResolve):
        (JSC::ResolveResult::isStatic):
        (JSC::ResolveResult::depth):
        (JSC::ResolveResult::index):
        (ResolveResult):
        (JSC::ResolveResult::ResolveResult):
        (BytecodeGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::isPure):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::TypeOfResolveNode::emitBytecode):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::debugFail):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canInlineOpcode):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        (JIT):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC):
        (JSC::JIT::emit_op_put_scoped_var):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC):
        (JSC::JIT::emit_op_put_scoped_var):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        * runtime/CodeCache.h:
        (JSC):
        (CodeCache):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        * runtime/Options.cpp:
        (JSC::Options::initialize):

2013-03-06  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/144989

        I think we want the assertion that I removed.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::merge):
        (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
        * dfg/DFGAbstractState.h:
        (AbstractState):

2013-03-06  Filip Pizlo  <fpizlo@apple.com>

        DFG::AbstractState::merge() is still more complicated than it needs to be
        https://bugs.webkit.org/show_bug.cgi?id=111619

        Reviewed by Mark Hahnenberg.

        This method is the one place where we still do some minimal amount of liveness pruning, but the style with
        which it is written is awkward, and it makes an assertion about variablesAtTail that will be invalidated
        by https://bugs.webkit.org/show_bug.cgi?id=111539.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::merge):
        (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
        * dfg/DFGAbstractState.h:
        (AbstractState):

2013-03-06  Filip Pizlo  <fpizlo@apple.com>

        DFG should not run full CSE after the optimization fixpoint, since it really just wants store elimination
        https://bugs.webkit.org/show_bug.cgi?id=111536

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        The fixpoint will do aggressive load elimination and pure CSE. There's no need to do it after the fixpoint.
        On the other hand, the fixpoint does not profit from doing store elimination (except for SetLocal/Flush).
        Previously we had CSE do both, and had it avoid doing some store elimination during the fixpoint by querying
        the fixpoint state. This changes CSE to be templated on mode - either NormalCSE or StoreElimination - so
        that we explicitly put it into one of those modes depending on where we call it from. The goal is to reduce
        time spent doing load elimination after the fixpoint, since that is just wasted cycles.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::CSEPhase):
        (JSC::DFG::CSEPhase::run):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):
        (JSC::DFG::performCSE):
        (DFG):
        (JSC::DFG::performStoreElimination):
        * dfg/DFGCSEPhase.h:
        (DFG):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):

2013-03-06  Andreas Kling  <akling@apple.com>

        Pack Structure members better.
        <http://webkit.org/b/111593>
        <rdar://problem/13359200>

        Reviewed by Mark Hahnenberg.

        Shrink Structure by 8 bytes (now at 104 bytes) on 64-bit by packing the members better.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:
        (Structure):

2013-03-06  Andreas Kling  <akling@apple.com>

        Unreviewed, fix Windows build after r144910.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:

2013-03-05  Filip Pizlo  <fpizlo@apple.com>

        DFG should not check if nodes are shouldGenerate prior to DCE
        https://bugs.webkit.org/show_bug.cgi?id=111520

        Reviewed by Geoffrey Garen.

        All nodes are live before DCE. We don't need to check that they aren't, because they
        definitely will be.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::int32ToDoubleCSE):
        (JSC::DFG::CSEPhase::constantCSE):
        (JSC::DFG::CSEPhase::weakConstantCSE):
        (JSC::DFG::CSEPhase::getCalleeLoadElimination):
        (JSC::DFG::CSEPhase::getArrayLengthElimination):
        (JSC::DFG::CSEPhase::globalVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
        (JSC::DFG::CSEPhase::globalVarStoreElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
        (JSC::DFG::CSEPhase::getLocalLoadElimination):
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):

2013-03-06  Csaba Osztrogonác  <ossy@webkit.org>

        Fix unused parameter warnings in ARM assembler
        https://bugs.webkit.org/show_bug.cgi?id=111433

        Reviewed by Kentaro Hara.

        * assembler/ARMAssembler.h: Remove unreachable revertJump() after r143346.
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::moveIntsToDouble): Remove unused scratch parameter instead of UNUSED_PARAM.
        (JSC::MacroAssemblerARM::branchConvertDoubleToInt32): Remove unused fpTemp parameter.
        (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch): Remove unused parameters.

2013-03-06  Andreas Kling  <akling@apple.com>

        Unused Structure property tables waste 14MB on Membuster.
        <http://webkit.org/b/110854>
        <rdar://problem/13292104>

        Reviewed by Geoffrey Garen.

        Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
        14 MB progression on Membuster3.

        This time it should stick; I've been through all the tests with COLLECT_ON_EVERY_ALLOCATION.
        The issue with the last version was that Structure::m_offset could be used uninitialized
        when re-materializing a previously GC'd property table, causing some sanity checks to fail.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:

            Added PropertyTable.cpp.

        * runtime/PropertyTable.cpp: Added.
        (JSC::PropertyTable::create):
        (JSC::PropertyTable::clone):
        (JSC::PropertyTable::PropertyTable):
        (JSC::PropertyTable::destroy):
        (JSC::PropertyTable::~PropertyTable):
        (JSC::PropertyTable::visitChildren):

            Moved marking of property table values here from Structure::visitChildren().

        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::get):

            Move m_cell to a local before using it multiple times. This avoids a multiple-access race when
            Structure::checkOffsetConsistency() is used in assertions on the main thread while a marking thread
            zaps the property table.

        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        * runtime/StructureInlines.h:
        (JSC::Structure::propertyTable):

            Added a getter for the Structure's PropertyTable that ASSERTs GC currently isn't active.
            Because GC can zap an unpinned property table at any time, it's not entirely safe to access it.
            Renamed the variable itself to m_propertyTableUnsafe to force call sites into explaining themselves.

        (JSC::Structure::putWillGrowOutOfLineStorage):
        (JSC::Structure::checkOffsetConsistency):

            Moved these out of Structure.h to break header dependency cycle between Structure/PropertyTable.

        * runtime/Structure.cpp:
        (JSC::Structure::visitChildren):

            Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.

        (JSC::Structure::takePropertyTableOrCloneIfPinned):

            Added for setting up the property table in a new transition, this code is now shared between
            addPropertyTransition() and nonPropertyTransition().

        * runtime/JSGlobalData.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):

            Add a global propertyTableStructure.

        * runtime/PropertyMapHashTable.h:
        (PropertyTable):
        (JSC::PropertyTable::createStructure):
        (JSC::PropertyTable::copy):

            Make PropertyTable a GC object.

        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::sealTransition):
        (JSC::Structure::freezeTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::pin):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        (JSC::Structure::despecifyAllFunctions):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::remove):
        (JSC::Structure::createPropertyMap):
        (JSC::Structure::getPropertyNamesFromStructure):
        (JSC::Structure::checkConsistency):

2013-03-05  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the invert argument to SpeculativeJIT::jumpSlowForUnwantedArrayMode
        https://bugs.webkit.org/show_bug.cgi?id=105624

        Reviewed by Oliver Hunt.

        All callers pass invert = false, which is the default value of the argument. So, get
        rid of the argument and fold away all code that checks it.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):

2013-03-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix an incorrect comment. The comment was a holdover from a work-in-progress version of this code.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):

2013-03-04  Filip Pizlo  <fpizlo@apple.com>

        DFG DCE might eliminate checks unsoundly
        https://bugs.webkit.org/show_bug.cgi?id=109389

        Reviewed by Oliver Hunt.

        This gets rid of all eager reference counting, and does all dead code elimination
        in one phase - the DCEPhase. This phase also sets up the node reference counts,
        which are then used not just for DCE but also register allocation and stack slot
        allocation.

        Doing this required a number of surgical changes in places that previously relied
        on always having liveness information. For example, the structure check hoisting
        phase must now consult whether a VariableAccessData is profitable for unboxing to
        make sure that it doesn't try to do hoisting on set SetLocals. The arguments
        simplification phase employs its own light-weight liveness analysis. Both phases
        previously just used reference counts.

        The largest change is that now, dead nodes get turned into Phantoms. Those
        Phantoms will retain those child edges that are not proven. This ensures that any
        type checks performed by a dead node remain even after the node is killed. On the
        other hand, this Phantom conversion means that we need special handling for
        SetLocal. I decided to make the four forms of SetLocal explicit:

        MovHint(@a, rK): Just indicates that node @a contains the value that would have
            now been placed into virtual register rK. Does not actually cause @a to be
            stored into rK. This would have previously been a dead SetLocal with @a
            being live. MovHints are always dead.

        ZombieHint(rK): Indicates that at this point, register rK will contain a dead
            value and OSR should put Undefined into it. This would have previously been
            a dead SetLocal with @a being dead also. ZombieHints are always dead.

        MovHintAndCheck(@a, rK): Identical to MovHint except @a is also type checked,
            according to whatever UseKind the edge to @a has. The type check is always a
            forward exit. MovHintAndChecks are always live, since they are
            NodeMustGenerate. Previously this would have been a dead SetLocal with a
            live @a, and the check would have disappeared. This is one of the bugs that
            this patch solves.

        SetLocal(@a, rK): This still does exactly what it does now, if the SetLocal is
            live.

        Basically this patch makes it so that dead SetLocals eventually decay to MovHint,
        ZombieHint, or MovHintAndCheck depending on the situation. If the child @a is
        also dead, then you get a ZombieHint. If the child @a is live but the SetLocal
        has a type check and @a's type hasn't been proven to have that type then you get
        a MovHintAndCheck. Otherwise you get a MovHint.

        This is performance neutral.
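The dead-node handling described in this entry (Phantoms that keep unproven edges, and the decay of a dead SetLocal into ZombieHint, MovHintAndCheck or MovHint), worked through on a constructed graph. This is an added Python model, not WebKit's DCEPhase: the Edge/Node helpers, the liveness rule for roots, and the op names other than those in the entry (GetLocal, ArithAdd, ArithMul, ArithSub, Return) are assumptions made for illustration.

```python
# Toy model of the DFG dead-code elimination described in the entry above.
# Added example, not WebKit code. Only SetLocal, MovHint, ZombieHint,
# MovHintAndCheck and Phantom come from the ChangeLog; the Edge/Node helpers
# and the remaining op names are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

UNTYPED = "Untyped"  # an edge with no speculation attached


@dataclass
class Edge:
    node: Node
    use_kind: str = UNTYPED  # e.g. "Int32Use": the type this edge speculates on
    proven: bool = True      # False: CFA did not prove it, so a check is needed

    def needs_check(self) -> bool:
        return self.use_kind != UNTYPED and not self.proven


@dataclass
class Node:
    op: str
    children: list[Edge] = field(default_factory=list)
    must_generate: bool = False    # NodeMustGenerate: a root of liveness
    operand: Optional[str] = None  # virtual register rK for SetLocal and co.
    ref_count: int = 0             # set up by perform_dce; 0 means dead

    def is_live(self) -> bool:
        return self.ref_count > 0


def set_local(child: Node, reg: str, use_kind: str = UNTYPED,
              proven: bool = True, live: bool = False) -> Node:
    return Node("SetLocal", [Edge(child, use_kind, proven)],
                must_generate=live, operand=reg)


def decay_set_local(n: Node) -> None:
    """A dead SetLocal(@a, rK) decays as the entry describes."""
    edge = n.children[0]
    if not edge.node.is_live():
        # @a is dead too: rK holds a dead value, OSR will put Undefined in it.
        n.op, n.children = "ZombieHint", []
    elif edge.needs_check():
        # @a is live but its type is unproven: keep the check (forward exit).
        n.op, n.must_generate = "MovHintAndCheck", True
    else:
        # @a is live and needs no check: only record that @a holds rK's value.
        n.op = "MovHint"


def perform_dce(nodes: list[Node]) -> None:
    """Set up reference counts, then rewrite dead nodes in place."""
    worklist: list[Node] = []

    def count(node: Node) -> None:
        node.ref_count += 1
        if node.ref_count == 1:
            worklist.append(node)

    # 1. Roots: NodeMustGenerate nodes, plus children whose unproven type
    #    checks must survive even if the checking node is dead. SetLocal is
    #    excluded here because decay_set_local decides what happens to it.
    for n in nodes:
        if n.must_generate:
            count(n)
        if n.op != "SetLocal":
            for e in n.children:
                if e.needs_check():
                    count(e.node)
    # 2. Propagate: a live node keeps all of its children alive.
    while worklist:
        for e in worklist.pop().children:
            count(e.node)
    # 3. Rewrite dead nodes. Non-SetLocal nodes become Phantoms that keep only
    #    the unproven edges, so the type checks they performed are not lost.
    for n in nodes:
        if n.is_live():
            continue
        if n.op == "SetLocal":
            decay_set_local(n)
        else:
            n.op = "Phantom"
            n.children = [e for e in n.children if e.needs_check()]


def run_example() -> dict:
    """Constructed graph that exercises all four SetLocal outcomes."""
    a = Node("GetLocal", operand="x")
    b = Node("ArithAdd", [Edge(a, "Int32Use", False), Edge(a, "Int32Use", False)])
    c = Node("GetLocal", operand="y")
    d = Node("ArithMul", [Edge(c, "Int32Use", True), Edge(c)])   # dead, all proven
    e = Node("ArithSub", [Edge(c, "Int32Use", False), Edge(a)])  # dead, unproven c
    ret = Node("Return", [Edge(a)], must_generate=True)
    s1 = set_local(d, "r1", "Int32Use", proven=False)  # dead, and @a (d) is dead
    s2 = set_local(a, "r2", "Int32Use", proven=False)  # dead, @a live, unproven
    s3 = set_local(a, "r3")                            # dead, @a live, no check
    s4 = set_local(b, "r4", live=True)                 # live SetLocal, keeps b
    perform_dce([a, b, c, d, e, ret, s1, s2, s3, s4])
    return {"s1": s1.op, "s2": s2.op, "s3": s3.op, "s4": s4.op,
            "d": (d.op, len(d.children)), "e": (e.op, len(e.children)),
            "c_live": c.is_live(), "a_live": a.is_live()}
```

Running `run_example()` shows the ArithSub Phantom keeping its one unproven edge to `c`, which is what keeps `c` alive, while the all-proven ArithMul Phantom drops every edge and its SetLocal decays to a ZombieHint.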

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (ArgumentsSimplificationPhase):
        (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
        * dfg/DFGBasicBlock.h:
        (BasicBlock):
        * dfg/DFGBasicBlockInlines.h:
        (DFG):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::insertPhiNode):
        (JSC::DFG::ByteCodeParser::emitFunctionChecks):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::run):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCommon.cpp:
        (WTF::printInternal):
        (WTF):
        * dfg/DFGCommon.h:
        (WTF):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
        * dfg/DFGDCEPhase.cpp: Added.
        (DFG):
        (DCEPhase):
        (JSC::DFG::DCEPhase::DCEPhase):
        (JSC::DFG::DCEPhase::run):
        (JSC::DFG::DCEPhase::findTypeCheckRoot):
        (JSC::DFG::DCEPhase::countEdge):
        (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
        (JSC::DFG::performDCE):
        * dfg/DFGDCEPhase.h: Added.
        (DFG):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::dump):
        (DFG):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::changeChild):
        (JSC::DFG::Graph::changeEdge):
        (JSC::DFG::Graph::compareAndSwap):
        (JSC::DFG::Graph::clearAndDerefChild):
        (JSC::DFG::Graph::performSubstitution):
        (JSC::DFG::Graph::performSubstitutionForEdge):
        (Graph):
        (JSC::DFG::Graph::substitute):
        * dfg/DFGInsertionSet.h:
        (InsertionSet):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::convertToConstant):
        (JSC::DFG::Node::convertToGetLocalUnlinked):
        (JSC::DFG::Node::containsMovHint):
        (Node):
        (JSC::DFG::Node::hasVariableAccessData):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compileMovHintAndCheck):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileInlineStart):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        (JSC::DFG::StructureCheckHoistingPhase::shouldConsiderForHoisting):
        (StructureCheckHoistingPhase):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):

2013-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: JSValue should implement init and return nil in exceptional cases
        https://bugs.webkit.org/show_bug.cgi?id=111487

        Reviewed by Darin Adler.

        * API/JSValue.mm:
        (-[JSValue init]): We return nil here because there is no way to get the instance into a coherent state
        without a JSContext.
        (-[JSValue initWithValue:inContext:]): Similarly, we should also return nil here if either of the arguments is 0.

2013-03-05  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r144708.
        http://trac.webkit.org/changeset/144708
        https://bugs.webkit.org/show_bug.cgi?id=111447

        random assertion crashes in inspector tests on qt+mac bots
        (Requested by kling on #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/PropertyMapHashTable.h:
        (PropertyTable):
        (JSC::PropertyTable::PropertyTable):
        (JSC):
        (JSC::PropertyTable::~PropertyTable):
        (JSC::PropertyTable::copy):
        * runtime/PropertyTable.cpp: Removed.
        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::sealTransition):
        (JSC::Structure::freezeTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::pin):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        (JSC::Structure::despecifyAllFunctions):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::remove):
        (JSC::Structure::createPropertyMap):
        (JSC::Structure::getPropertyNamesFromStructure):
        (JSC::Structure::visitChildren):
        (JSC::Structure::checkConsistency):
        * runtime/Structure.h:
        (JSC):
        (JSC::Structure::putWillGrowOutOfLineStorage):
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        (JSC::Structure::checkOffsetConsistency):
        (Structure):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::get):

2013-03-05  David Kilzer  <ddkilzer@apple.com>

        BUILD FIX (r144698): Only enable SPEECH_SYNTHESIS for Mac
        <http://webkit.org/b/106742>

        Fixes the following build failures:

            Undefined symbols for architecture i386:
              "__ZTVN7WebCore25PlatformSpeechSynthesizerE", referenced from:
__ZN7WebCore25PlatformSpeechSynthesizerC2EPNS_31PlatformSpeechSynthesizerClientE in PlatformSpeechSynthesizer.o 7672 NOTE: a missing vtable usually means the first non-inline virtual member function has no definition. 7673 "__ZN7WebCore25PlatformSpeechSynthesizer19initializeVoiceListEv", referenced from: 7674 __ZN7WebCore25PlatformSpeechSynthesizerC2EPNS_31PlatformSpeechSynthesizerClientE in PlatformSpeechSynthesizer.o 7675 ld: symbol(s) not found for architecture i386 7676 7677 * Configurations/FeatureDefines.xcconfig: 7678 - Fix definition of ENABLE_ENCRYPTED_MEDIA_V2_macosx to match 7679 other FeatureDefines.xcconfig files. 7680 - Only set ENABLE_SPEECH_SYNTHESIS for the macosx platform. 7681 76822013-03-04 Andreas Kling <akling@apple.com> 7683 7684 Unused Structure property tables waste 14MB on Membuster. 7685 <http://webkit.org/b/110854> 7686 <rdar://problem/13292104> 7687 7688 Reviewed by Geoffrey Garen. 7689 7690 Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking. 7691 14 MB progression on Membuster3. 7692 7693 * CMakeLists.txt: 7694 * GNUmakefile.list.am: 7695 * JavaScriptCore.gypi: 7696 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 7697 * JavaScriptCore.xcodeproj/project.pbxproj: 7698 * Target.pri: 7699 7700 Added PropertyTable.cpp. 7701 7702 * runtime/PropertyTable.cpp: Added. 7703 (JSC::PropertyTable::create): 7704 (JSC::PropertyTable::clone): 7705 (JSC::PropertyTable::PropertyTable): 7706 (JSC::PropertyTable::destroy): 7707 (JSC::PropertyTable::~PropertyTable): 7708 (JSC::PropertyTable::visitChildren): 7709 7710 Moved marking of property table values here from Structure::visitChildren(). 7711 7712 * runtime/WriteBarrier.h: 7713 (JSC::WriteBarrierBase::get): 7714 7715 Move m_cell to a local before using it multiple times. This avoids a multiple-access race when 7716 Structure::checkOffsetConsistency() is used in assertions on the main thread while a marking thread 7717 zaps the property table. 
7718 7719 * runtime/Structure.h: 7720 (JSC::Structure::materializePropertyMapIfNecessary): 7721 (JSC::Structure::materializePropertyMapIfNecessaryForPinning): 7722 * runtime/StructureInlines.h: 7723 (JSC::Structure::propertyTable): 7724 7725 Added a getter for the Structure's PropertyTable that ASSERTs GC currently isn't active. 7726 Because GC can zap an unpinned property table at any time, it's not entirely safe to access it. 7727 Renamed the variable itself to m_propertyTableUnsafe to force call sites into explaining themselves. 7728 7729 (JSC::Structure::putWillGrowOutOfLineStorage): 7730 (JSC::Structure::checkOffsetConsistency): 7731 7732 Moved these out of Structure.h to break header dependency cycle between Structure/PropertyTable. 7733 7734 * runtime/Structure.cpp: 7735 (JSC::Structure::visitChildren): 7736 7737 Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd. 7738 7739 * runtime/JSGlobalData.h: 7740 * runtime/JSGlobalData.cpp: 7741 (JSC::JSGlobalData::JSGlobalData): 7742 7743 Add a global propertyTableStructure. 7744 7745 * runtime/PropertyMapHashTable.h: 7746 (PropertyTable): 7747 (JSC::PropertyTable::createStructure): 7748 (JSC::PropertyTable::copy): 7749 7750 Make PropertyTable a GC object. 

        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::sealTransition):
        (JSC::Structure::freezeTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::pin):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        (JSC::Structure::despecifyAllFunctions):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::remove):
        (JSC::Structure::createPropertyMap):
        (JSC::Structure::getPropertyNamesFromStructure):
        (JSC::Structure::checkConsistency):

2013-03-04  Chris Fleizach  <cfleizach@apple.com>

        Support WebSpeech - Speech Synthesis
        https://bugs.webkit.org/show_bug.cgi?id=106742

        Reviewed by Simon Fraser.

        Enable speech synthesis for the Mac.

        * Configurations/FeatureDefines.xcconfig:

2013-03-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove contextInternalContext from JSContextInternal.h
        https://bugs.webkit.org/show_bug.cgi?id=111356

        Reviewed by Geoffrey Garen.

        We don't need it any more since we have globalContextRef in JSContext.

        * API/JSContext.mm:
        * API/JSContextInternal.h:
        * API/JSValue.mm:
        (+[JSValue valueWithBool:inContext:]):
        (+[JSValue valueWithDouble:inContext:]):
        (+[JSValue valueWithInt32:inContext:]):
        (+[JSValue valueWithUInt32:inContext:]):
        (+[JSValue valueWithNewObjectInContext:]):
        (+[JSValue valueWithNewArrayInContext:]):
        (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]):
        (+[JSValue valueWithNewErrorFromMessage:inContext:]):
        (+[JSValue valueWithNullInContext:]):
        (+[JSValue valueWithUndefinedInContext:]):
        (-[JSValue toBool]):
        (-[JSValue toDouble]):
        (-[JSValue toNumber]):
        (-[JSValue toString]):
        (-[JSValue toDate]):
        (-[JSValue toArray]):
        (-[JSValue toDictionary]):
        (-[JSValue valueForProperty:]):
        (-[JSValue setValue:forProperty:]):
        (-[JSValue deleteProperty:]):
        (-[JSValue hasProperty:]):
        (-[JSValue valueAtIndex:]):
        (-[JSValue setValue:atIndex:]):
        (-[JSValue isUndefined]):
        (-[JSValue isNull]):
        (-[JSValue isBoolean]):
        (-[JSValue isNumber]):
        (-[JSValue isString]):
        (-[JSValue isObject]):
        (-[JSValue isEqualToObject:]):
        (-[JSValue isEqualWithTypeCoercionToObject:]):
        (-[JSValue isInstanceOf:]):
        (-[JSValue callWithArguments:]):
        (-[JSValue constructWithArguments:]):
        (-[JSValue invokeMethod:withArguments:]):
        (valueToObject):
        (objectToValueWithoutCopy):
        (objectToValue):
        (-[JSValue initWithValue:inContext:]):
        (-[JSValue dealloc]):
        (-[JSValue description]):
        * API/JSWrapperMap.mm:
        (createObjectWithCustomBrand):
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
        (-[JSObjCClassInfo wrapperForObject:]):
        (-[JSWrapperMap jsWrapperForObject:]):
        * API/ObjCCallbackFunction.mm:
        (ObjCCallbackFunction::call):
        (objCCallbackFunctionForInvocation):

2013-03-04  Andreas Kling  <akling@apple.com>

        Add simple vector traits for JSC::Identifier.
        <http://webkit.org/b/111323>

        Reviewed by Geoffrey Garen.

        Identifiers are really just Strings; giving them simple vector traits makes
        Vector move them with memcpy() instead of churning the refcounts.

        * runtime/Identifier.h:
        (WTF):

2013-03-04  Kunihiko Sakamoto  <ksakamoto@chromium.org>

        Add build flag for FontLoader
        https://bugs.webkit.org/show_bug.cgi?id=111289

        Reviewed by Benjamin Poulain.

        Add ENABLE_FONT_LOAD_EVENTS build flag (disabled by default).

        * Configurations/FeatureDefines.xcconfig:

2013-03-03  Andreas Kling  <akling@apple.com>

        Shrink JSC::HashTable entries.
        <http://webkit.org/b/111275>
        <rdar://problem/13333511>

        Reviewed by Anders Carlsson.

        Move the Intrinsic value out of the function-specific part of the union,
        and store it next to m_attributes. Reduces the size of HashEntry by 8 bytes.

        990 kB progression on Membuster3. (PTUS: 797 kB)

        * runtime/Lookup.h:
        (JSC::HashEntry::initialize):
        (JSC::HashEntry::intrinsic):
        (HashEntry):

2013-03-01  David Kilzer  <ddkilzer@apple.com>

        BUILD FIX: testapi should link to Foundation, not CoreFoundation

        * JavaScriptCore.xcodeproj/project.pbxproj: Change testapi to
        link to Foundation.framework instead of CoreFoundation.framework
        since it uses NS types.

2013-03-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Passing JS functions to Objective-C callbacks causes JSValue to leak
        https://bugs.webkit.org/show_bug.cgi?id=107836

        Reviewed by Oliver Hunt.

        We've decided to remove support for this feature from the API because there's no way to automatically manage
        the memory for clients in a satisfactory manner.
        Clients can still pass JS functions to Objective-C methods,
        but the methods must accept plain JSValues instead of Objective-C blocks.

        We now ignore functions that are part of a protocol that inherits from JSExport that accept blocks as arguments.

        * API/JSBlockAdaptor.h: Removed.
        * API/JSBlockAdaptor.mm: Removed.
        * API/ObjCCallbackFunction.mm:
        (ArgumentTypeDelegate::typeBlock): Return nil to signal that we want to ignore this function when copying it
        to the object from the protocol.
        * API/tests/testapi.mm: Added a test to make sure that we ignore methods declared as part of a JSExport-ed protocol
        that have block arguments.
        (-[TestObject bogusCallback:]):
        * JavaScriptCore.gypi: Updated build files.
        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-03-01  Filip Pizlo  <fpizlo@apple.com>

        DFG Branch(LogicalNot) peephole should not try to optimize and work-around the case where LogicalNot may be otherwise live
        https://bugs.webkit.org/show_bug.cgi?id=111209

        Reviewed by Oliver Hunt.

        Even if it is, everything will work just fine. It's not necessary to check the ref count here.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-03-01  Filip Pizlo  <fpizlo@apple.com>

        DFG CSE phase shouldn't rely on ref count of nodes, since it doesn't have to
        https://bugs.webkit.org/show_bug.cgi?id=111205

        Reviewed by Oliver Hunt.

        I don't understand the intuition behind setLocalStoreElimination() validating that the SetLocal's ref count
        is 1. I believe this is a hold-over from when setLocalStoreElimination() would match one SetLocal to another,
        and then try to eliminate the first SetLocal. But that's not how it works now.
        Now, setLocalStoreElimination()
        is actually Flush elimination: it eliminates any Flush that anchors a SetLocal if it proves that every path
        from the SetLocal to the Flush is devoid of operations that may observe the local. It doesn't actually kill
        the SetLocal itself: if the SetLocal is live because of other things (other Flushes or GetLocals in other
        basic blocks), then the SetLocal will naturally still be alive because the Flush was only keeping the SetLocal
        alive by one count rather than being solely responsible for its liveness.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        (JSC::DFG::CSEPhase::eliminate):
        (JSC::DFG::CSEPhase::performNodeCSE):

2013-03-01  Filip Pizlo  <fpizlo@apple.com>

        Rename MovHint to MovHintEvent so I can create a NodeType called MovHint

        Rubber stamped by Mark Hahnenberg.

        This is similar to the SetLocal/SetLocalEvent naming scheme, where SetLocal is the
        NodeType and SetLocalEvent is the VariableEventKind.

        * dfg/DFGVariableEvent.cpp:
        (JSC::DFG::VariableEvent::dump):
        * dfg/DFGVariableEvent.h:
        (JSC::DFG::VariableEvent::movHint):
        (JSC::DFG::VariableEvent::id):
        (JSC::DFG::VariableEvent::operand):
        (VariableEvent):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):

2013-03-01  Raphael Kubo da Costa  <raphael.kubo.da.costa@intel.com>

        [JSC] Fix sign comparison warning/error after r144340.
        https://bugs.webkit.org/show_bug.cgi?id=111164

        Reviewed by Mark Hahnenberg.

        gcc (both 4.2.1 and 4.7.2) complain about comparing signed and
        unsigned terms (clang accepts it just fine).

        Work around that by casting the 1 to an uintptr_t as well.

        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::makeWord):

2013-02-28  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA should not do liveness pruning
        https://bugs.webkit.org/show_bug.cgi?id=111119

        Reviewed by Mark Hahnenberg.

        It adds complexity and probably buys nothing. Moreover, I'm transitioning to having
        liveness only available at the bitter end of compilation, so this will stop working
        after https://bugs.webkit.org/show_bug.cgi?id=109389 anyway.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::mergeStateAtTail):

2013-02-28  Filip Pizlo  <fpizlo@apple.com>

        Don't try to emit profiling if you don't have the DFG JIT.

        Rubber stamped by Mark Hahnenberg.

        * jit/JIT.h:
        (JSC::JIT::shouldEmitProfiling):

2013-02-28  Filip Pizlo  <fpizlo@apple.com>

        DFG Phantom node should be honest about the fact that it can exit
        https://bugs.webkit.org/show_bug.cgi?id=111115

        Reviewed by Mark Hahnenberg.

        The chances of this having caused serious issues are low, since most clients of the
        NodeDoesNotExit flag run after CFA and CFA updates this properly. But one possible
        case of badness is if the ByteCodeParser inserted a Phantom with a type check in
        between a LogicalNot and a Branch; then that peephole optimization in Fixup might
        go slightly wrong.

        * dfg/DFGNodeType.h:
        (DFG):

2013-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add casts in DFGGPRInfo.h to suppress warnings
        https://bugs.webkit.org/show_bug.cgi?id=111104

        Reviewed by Filip Pizlo.

        With certain flags on, we get compiler warnings on ARM. We should do the proper casts to make these warnings go away.

        * dfg/DFGGPRInfo.h:
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):

2013-02-28  Filip Pizlo  <fpizlo@apple.com>

        It should be easy to determine if a DFG node exits forward or backward when doing type checks
        https://bugs.webkit.org/show_bug.cgi?id=111102

        Reviewed by Mark Hahnenberg.

        This adds a NodeExitsForward flag, which tells you the exit directionality of
        type checks performed by the node. Even if you convert the node to a Phantom
        and use the Edge UseKind for type checks, you'll still get the same exit
        directionality that the original node would have wanted.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGArrayifySlowPathGenerator.h:
        (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::eliminate):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::checkArray):
        * dfg/DFGNode.h:
        (Node):
        (JSC::DFG::Node::setOpAndDefaultNonExitFlags):
        (JSC::DFG::Node::convertToPhantom):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::backwardSpeculationCheck):
        (DFG):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
        (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
        (JSC::DFG::SpeculativeJIT::typeCheck):
        (JSC::DFG::SpeculativeJIT::forwardTypeCheck):
        (JSC::DFG::SpeculativeJIT::fillStorage):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
        (JSC::DFG::SpeculateIntegerOperand::gpr):
        (SpeculateIntegerOperand):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (JSC::DFG::SpeculateDoubleOperand::fpr):
        (SpeculateDoubleOperand):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (JSC::DFG::SpeculateCellOperand::gpr):
        (SpeculateCellOperand):
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        (JSC::DFG::SpeculateBooleanOperand::gpr):
        (SpeculateBooleanOperand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):

2013-02-28  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::valueProfile() has a bogus assertion
        https://bugs.webkit.org/show_bug.cgi?id=111106
        <rdar://problem/13131427>

        Reviewed by Mark Hahnenberg.

        This was just a bad assertion: m_bytecodeOffset == -1 means that the value profile is constructed but not initialized.
        ValueProfile constructs itself in a safe way; you can call any method you want on a constructed but not initialized
        ValueProfile. CodeBlock first constructs all ValueProfiles (by growing the ValueProfile vector) and then initializes
        their m_bytecodeOffset later. This is necessary because the initialization is linking bytecode instructions to their
        ValueProfiles, so at that point we don't want the ValueProfile vector to resize, which implies that we want all of
        them to already be constructed. A GC can happen during this phase, and the GC may want to walk all ValueProfiles.
        This is safe, but one of the ValueProfile getters (CodeBlock::valueProfile()) was asserting that any value profile
        you get has had its m_bytecodeOffset initialized. This need not be the case and nothing will go wrong if it isn't.

        The solution is to remove the assertion, which I believe was put there to ensure that my m_valueProfiles refactoring
        a long time ago was sound: it used to be that a ValueProfile with m_bytecodeOffset == -1 was an argument profile; now
        all argument profiles are in m_argumentValueProfiles instead. I think it's safe to say that this refactoring was done
        soundly since it was a long time ago. So we should kill the assertion - I don't see an easy way to make the assertion
        sound with respect to the GC-during-CodeBlock-construction issue, and I don't believe that the assertion is buying us
        anything at this point.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::valueProfile):

2013-02-27  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA should leave behind information in Edge that says if the Edge's type check is proven to succeed
        https://bugs.webkit.org/show_bug.cgi?id=110840

        Reviewed by Mark Hahnenberg.

        This doesn't add any observable functionality to the compiler, yet. But it does give
        every phase that runs after CFA the ability to know, in O(1) time, whether an edge
        will need to execute a type check.

        * dfg/DFGAbstractState.h:
        (JSC::DFG::AbstractState::filterEdgeByUse):
        (JSC::DFG::AbstractState::filterByType):
        * dfg/DFGCommon.cpp:
        (WTF):
        (WTF::printInternal):
        * dfg/DFGCommon.h:
        (JSC::DFG::isProved):
        (DFG):
        (JSC::DFG::proofStatusForIsProved):
        (WTF):
        * dfg/DFGEdge.cpp:
        (JSC::DFG::Edge::dump):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::Edge):
        (JSC::DFG::Edge::setNode):
        (JSC::DFG::Edge::useKindUnchecked):
        (JSC::DFG::Edge::setUseKind):
        (Edge):
        (JSC::DFG::Edge::proofStatusUnchecked):
        (JSC::DFG::Edge::proofStatus):
        (JSC::DFG::Edge::setProofStatus):
        (JSC::DFG::Edge::isProved):
        (JSC::DFG::Edge::needsCheck):
        (JSC::DFG::Edge::shift):
        (JSC::DFG::Edge::makeWord):

2013-02-28  Simon Hausmann  <simon.hausmann@digia.com>

        [Qt][Mac] Fix massive parallel builds

        Reviewed by Tor Arne Vestbø.

        There exists a race condition that LLIntDesiredOffsets.h is written to
        by two parallel instances of the ruby script. This patch ensures that similar to the output file,
        the generated file is also prefixed according to the build configuration.

        * LLIntOffsetsExtractor.pro:

2013-02-27  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r144168.
        http://trac.webkit.org/changeset/144168
        https://bugs.webkit.org/show_bug.cgi?id=111019

        It broke the build and tronical is unavailable (Requested by
        Ossy_night on #webkit).

        * LLIntOffsetsExtractor.pro:

2013-02-26  Filip Pizlo  <fpizlo@apple.com>

        Disable some unsound DFG DCE
        https://bugs.webkit.org/show_bug.cgi?id=110948

        Reviewed by Michael Saboff.

        DCE of bitops is not sound since the bitops might call some variant of valueOf.

        This used to work right because ValueToInt32 was MustGenerate. From the DFG IR
        standpoint it feels weird to make ValueToInt32 be MustGenerate since that node is
        implemented entirely as a pure conversion. If we ever gave the DFG the ability to
        do effectful bitops, we would most likely implement them as special nodes not
        related to the ValueToInt32 and bitop nodes we have now.

        This change is performance neutral.

        * dfg/DFGNodeType.h:
        (DFG):

2013-02-27  Glenn Adams  <glenn@skynav.com>

        Add ENABLE_CSS3_TEXT_LINE_BREAK flag.
        https://bugs.webkit.org/show_bug.cgi?id=110944

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

2013-02-27  Julien Brianceau  <jbrianceau@nds.com>

        Fix build when DFG_JIT is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=110991

        Reviewed by Csaba Osztrogonác.

        * jit/JIT.h:
        (JSC::JIT::canBeOptimizedOrInlined):

2013-02-27  Simon Hausmann  <simon.hausmann@digia.com>

        [Qt][Mac] Fix massive parallel builds

        Reviewed by Tor Arne Vestbø.

        There exists a race condition that LLIntDesiredOffsets.h is written to
        by two parallel instances of the ruby script. This patch ensures that similar to the output file,
        the generated file is also prefixed according to the build configuration.

        * LLIntOffsetsExtractor.pro:

2013-02-26  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit doesn't know which virtual register to use for the last result register for post_inc and post_dec
        https://bugs.webkit.org/show_bug.cgi?id=109036
        <rdar://problem/13292139>

        Reviewed by Gavin Barraclough.

        This was a two-fold problem:

        1) post_inc/dec has two results - the new value of the variable, and the old value of the variable. DFG OSR exit
        assumed that the "last result" used for the Baseline JIT's register allocation would be the new value. It was
        wrong in this assumption.

        2) The Baseline JIT knew to disable its last result optimization in cases where it might confuse the DFG. But it
        was doing this only for code blocks that could be totally optimized, but not code blocks that could only be
        optimized when inlined.

        This patch introduces a more rigorous notion of when the Baseline JIT emits profiling, when it does extra work
        to account for the possibility of OSR exit, and when it does extra work to account for the possibility of OSR
        entry. These notions are called shouldEmitProfiling(), canBeOptimizedOrInlined(), and canBeOptimized(),
        respectively.

        This is performance-neutral and fixes the reported bug. It probably fixes other bugs as well, since previously
        we for example weren't doing the more conservative implementation of op_mov in the Baseline JIT for code blocks
        that could be inlined but not optimized. So, if such a code block OSR exited at just the right point, you'd get
        symptoms similar to this bug.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGCommon.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::compilePatchGetArrayLength):
        (JSC::JIT::canBeOptimizedOrInlined):
        (JIT):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_post_inc):
        (JSC::JIT::emit_op_post_dec):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_post_inc):
        (JSC::JIT::emit_op_post_dec):
        * jit/JITCall.cpp:
        (JSC::JIT::emit_op_call_put_result):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::emitArrayProfilingSite):
        (JSC::JIT::map):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_mov):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::privateCompilePutByIdTransition):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::privateCompilePutByIdTransition):

2013-02-26  Roger Fong  <roger_fong@apple.com>

        Unreviewed. AppleWin VS2010 build fix.

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-02-25  Filip Pizlo  <fpizlo@apple.com>

        The DFG backend's and OSR's decision to unbox a variable should be based on whether it's used in a typed context
        https://bugs.webkit.org/show_bug.cgi?id=110433

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        This introduces the equivalent of a liveness analysis, except for type checking.
        A variable is said to be "profitable for unboxing" (i.e. live at a type check)
        if there exists a type check on a GetLocal of that variable, and the type check
        is consistent with the variable's prediction. Variables that are not profitable
        for unboxing aren't unboxed. Previously they would have been.

        This is a slight speed-up on some things but mostly neutral.

        * dfg/DFGArgumentPosition.h:
        (JSC::DFG::ArgumentPosition::ArgumentPosition):
        (JSC::DFG::ArgumentPosition::mergeShouldNeverUnbox):
        (JSC::DFG::ArgumentPosition::mergeArgumentPredictionAwareness):
        (JSC::DFG::ArgumentPosition::mergeArgumentUnboxingAwareness):
        (ArgumentPosition):
        (JSC::DFG::ArgumentPosition::isProfitableToUnbox):
        (JSC::DFG::ArgumentPosition::shouldUseDoubleFormat):
        * dfg/DFGCommon.h:
        (JSC::DFG::checkAndSet):
        (DFG):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        (FixupPhase):
        (JSC::DFG::FixupPhase::alwaysUnboxSimplePrimitives):
        (JSC::DFG::FixupPhase::setUseKindAndUnboxIfProfitable):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeIsCaptured):
        (JSC::DFG::VariableAccessData::mergeIsProfitableToUnbox):
        (VariableAccessData):
        (JSC::DFG::VariableAccessData::isProfitableToUnbox):
        (JSC::DFG::VariableAccessData::shouldUnboxIfPossible):
        (JSC::DFG::VariableAccessData::mergeStructureCheckHoistingFailed):
        (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
        (JSC::DFG::VariableAccessData::mergeFlags):

2013-02-26  Oliver Hunt  <oliver@apple.com>

        Fix windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-02-26  Oliver Hunt  <oliver@apple.com>

        Web Inspector: REGRESSION: [JSC] SourceProvider reuses IDs
        https://bugs.webkit.org/show_bug.cgi?id=99674

        Reviewed by Gavin Barraclough.

        Simple incrementing counter for SourceProvider IDs. Uses a
        lock to increment the counter so we don't reuse
        counter values or reassign the ID for a given SourceProvider.

        * parser/SourceProvider.cpp:
        (JSC::SourceProvider::SourceProvider):
        (JSC):
        (JSC::SourceProvider::getID):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::asID):
        (SourceProvider):

2013-02-26  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r144074.
        http://trac.webkit.org/changeset/144074
        https://bugs.webkit.org/show_bug.cgi?id=110897

        Causing 20+ crashes on Mac (Requested by bradee-oh on
        #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/PropertyMapHashTable.h:
        (PropertyTable):
        (JSC::PropertyTable::PropertyTable):
        (JSC):
        (JSC::PropertyTable::~PropertyTable):
        (JSC::PropertyTable::copy):
        * runtime/PropertyTable.cpp: Removed.
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::createPropertyMap):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        (JSC):
        (JSC::Structure::putWillGrowOutOfLineStorage):
        (JSC::Structure::checkOffsetConsistency):
        (Structure):
        * runtime/StructureInlines.h:

2013-02-26  Roger Fong  <roger_fong@apple.com>

        Unreviewed. AppleWin VS2010 build fix.

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props:

2013-02-26  Jer Noble  <jer.noble@apple.com>

        Unreviewed build fix; use correct macro for platform name in FeatureDefines.xcconfig.

        * Configurations/FeatureDefines.xcconfig:

2013-02-26  Michael Saboff  <msaboff@apple.com>

        Potential crash in YARR JIT generated code when building 64 bit
        https://bugs.webkit.org/show_bug.cgi?id=110893

        Reviewed by Gavin Barraclough.

        The ABI doesn't define the behavior for the upper bits of a value that takes less than 64 bits.
        Therefore, we zero extend both the count and length registers to assure that these unsigned values
        don't have garbage upper bits.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateEnter):

2013-02-26  Andreas Kling  <akling@apple.com>

        Unused Structure property tables waste 14MB on Membuster.
        <http://webkit.org/b/110854>
        <rdar://problem/13292104>

        Reviewed by Filip Pizlo.

        Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
        14 MB progression on Membuster3.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:

        Added PropertyTable.cpp.

        * runtime/PropertyTable.cpp: Added.
        (JSC::PropertyTable::create):
        (JSC::PropertyTable::clone):
        (JSC::PropertyTable::PropertyTable):
        (JSC::PropertyTable::destroy):
        (JSC::PropertyTable::~PropertyTable):
        (JSC::PropertyTable::visitChildren):

        Moved marking of property table values here from Structure::visitChildren().

        * runtime/StructureInlines.h:
        (JSC::Structure::putWillGrowOutOfLineStorage):
        (JSC::Structure::checkOffsetConsistency):

        Moved these to StructureInlines.h to break header dependency cycle between Structure/PropertyTable.

        * runtime/Structure.cpp:
        (JSC::Structure::visitChildren):

        Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.

        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::createPropertyMap):
        * runtime/Structure.h:
        (Structure):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/PropertyMapHashTable.h:
        (PropertyTable):
        (JSC::PropertyTable::createStructure):
        (JSC::PropertyTable::copy):

2013-02-26  Andreas Kling  <akling@apple.com>

        Unreviewed, rolling out r144054.
        http://trac.webkit.org/changeset/144054
        https://bugs.webkit.org/show_bug.cgi?id=110854

        broke builds

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/PropertyMapHashTable.h:
        (PropertyTable):
        (JSC::PropertyTable::PropertyTable):
        (JSC):
        (JSC::PropertyTable::~PropertyTable):
        (JSC::PropertyTable::copy):
        * runtime/PropertyTable.cpp: Removed.
8575 * runtime/Structure.cpp: 8576 (JSC::Structure::materializePropertyMap): 8577 (JSC::Structure::addPropertyTransition): 8578 (JSC::Structure::changePrototypeTransition): 8579 (JSC::Structure::despecifyFunctionTransition): 8580 (JSC::Structure::attributeChangeTransition): 8581 (JSC::Structure::toDictionaryTransition): 8582 (JSC::Structure::preventExtensionsTransition): 8583 (JSC::Structure::nonPropertyTransition): 8584 (JSC::Structure::copyPropertyTable): 8585 (JSC::Structure::copyPropertyTableForPinning): 8586 (JSC::Structure::putSpecificValue): 8587 (JSC::Structure::createPropertyMap): 8588 (JSC::Structure::visitChildren): 8589 * runtime/Structure.h: 8590 (JSC): 8591 (JSC::Structure::putWillGrowOutOfLineStorage): 8592 (JSC::Structure::checkOffsetConsistency): 8593 (Structure): 8594 * runtime/StructureInlines.h: 8595 85962013-02-26 Andreas Kling <akling@apple.com> 8597 8598 Unused Structure property tables waste 14MB on Membuster. 8599 <http://webkit.org/b/110854> 8600 <rdar://problem/13292104> 8601 8602 Reviewed by Filip Pizlo. 8603 8604 Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking. 8605 14 MB progression on Membuster3. 8606 8607 * CMakeLists.txt: 8608 * GNUmakefile.list.am: 8609 * JavaScriptCore.gypi: 8610 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: 8611 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 8612 * JavaScriptCore.xcodeproj/project.pbxproj: 8613 * Target.pri: 8614 8615 Added PropertyTable.cpp. 8616 8617 * runtime/PropertyTable.cpp: Added. 8618 (JSC::PropertyTable::create): 8619 (JSC::PropertyTable::clone): 8620 (JSC::PropertyTable::PropertyTable): 8621 (JSC::PropertyTable::destroy): 8622 (JSC::PropertyTable::~PropertyTable): 8623 (JSC::PropertyTable::visitChildren): 8624 8625 Moved marking of property table values here from Structure::visitChildren(). 
8626 8627 * runtime/StructureInlines.h: 8628 (JSC::Structure::putWillGrowOutOfLineStorage): 8629 (JSC::Structure::checkOffsetConsistency): 8630 8631 Moved these to StructureInlines.h to break header dependency cycle between Structure/PropertyTable. 8632 8633 * runtime/Structure.cpp: 8634 (JSC::Structure::visitChildren): 8635 8636 Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd. 8637 8638 (JSC::Structure::materializePropertyMap): 8639 (JSC::Structure::addPropertyTransition): 8640 (JSC::Structure::changePrototypeTransition): 8641 (JSC::Structure::despecifyFunctionTransition): 8642 (JSC::Structure::attributeChangeTransition): 8643 (JSC::Structure::toDictionaryTransition): 8644 (JSC::Structure::preventExtensionsTransition): 8645 (JSC::Structure::nonPropertyTransition): 8646 (JSC::Structure::copyPropertyTable): 8647 (JSC::Structure::copyPropertyTableForPinning): 8648 (JSC::Structure::putSpecificValue): 8649 (JSC::Structure::createPropertyMap): 8650 * runtime/Structure.h: 8651 (Structure): 8652 * runtime/JSGlobalData.cpp: 8653 (JSC::JSGlobalData::JSGlobalData): 8654 * runtime/JSGlobalData.h: 8655 (JSGlobalData): 8656 * runtime/PropertyMapHashTable.h: 8657 (PropertyTable): 8658 (JSC::PropertyTable::createStructure): 8659 (JSC::PropertyTable::copy): 8660 86612013-02-26 Jocelyn Turcotte <jocelyn.turcotte@digia.com> 8662 8663 Implement JIT on Windows 64 bits 8664 https://bugs.webkit.org/show_bug.cgi?id=107965 8665 8666 Reviewed by Simon Hausmann. 8667 8668 1. MSVC doesn't support inline assembly for 64 bits, implements the trampoline in a separate ASM file. 8669 8670 2. Windows 64 bits has a different calling convention than other OSes following the AMD64 ABI. 
8671 Differences that we have to handle here: 8672 - Registers passed parameters are RCX, RDX, R8 and R9 instead of RDI, RSI, RDX, RCX, R8 and R9 8673 - RDI and RSI must be preserved by callee 8674 - Only return values <= 8 bytes can be returned by register (RDX can't be used to return a second word) 8675 - There is no red-zone after RIP on the stack, but instead 4 reserved words before it 8676 8677 * Target.pri: 8678 * jit/JITStubs.cpp: 8679 * jit/JITStubs.h: 8680 (JSC): 8681 (JITStackFrame): 8682 (JSC::JITStackFrame::returnAddressSlot): 8683 * jit/JITStubsMSVC64.asm: Added. 8684 * jit/JSInterfaceJIT.h: 8685 (JSInterfaceJIT): 8686 * jit/ThunkGenerators.cpp: 8687 (JSC::nativeForGenerator): 8688 * yarr/YarrJIT.cpp: 8689 (YarrGenerator): 8690 (JSC::Yarr::YarrGenerator::generateEnter): 8691 (JSC::Yarr::YarrGenerator::generateReturn): 8692 86932013-02-26 Oliver Hunt <oliver@apple.com> 8694 8695 Kill another analyzer warning in javascriptcore 8696 https://bugs.webkit.org/show_bug.cgi?id=110802 8697 8698 Reviewed by Benjamin Poulain. 8699 8700 Add null checks. 8701 8702 * profiler/LegacyProfiler.cpp: 8703 (JSC::LegacyProfiler::startProfiling): 8704 (JSC::LegacyProfiler::stopProfiling): 8705 87062013-02-26 Sheriff Bot <webkit.review.bot@gmail.com> 8707 8708 Unreviewed, rolling out r144004. 8709 http://trac.webkit.org/changeset/144004 8710 https://bugs.webkit.org/show_bug.cgi?id=110858 8711 8712 This iOS change is outdated (Requested by notbenjamin on 8713 #webkit). 
8714 8715 * bytecompiler/BytecodeGenerator.cpp: 8716 (JSC::BytecodeGenerator::BytecodeGenerator): 8717 * bytecompiler/BytecodeGenerator.h: 8718 (JSC::BytecodeGenerator::emitNode): 8719 (JSC::BytecodeGenerator::emitNodeInConditionContext): 8720 (BytecodeGenerator): 8721 * parser/Parser.cpp: 8722 (JSC::::Parser): 8723 * parser/Parser.h: 8724 (JSC::Parser::canRecurse): 8725 (Parser): 8726 87272013-02-25 Filip Pizlo <fpizlo@apple.com> 8728 8729 REGRESSION(r143654): some jquery test asserts on 32 bit debug build 8730 https://bugs.webkit.org/show_bug.cgi?id=110756 8731 8732 Reviewed by Geoffrey Garen. 8733 8734 TypeOf does speculations manually, so it should mark its JSValueOperand as doing ManualOperandSpeculation. 8735 8736 * dfg/DFGSpeculativeJIT32_64.cpp: 8737 (JSC::DFG::SpeculativeJIT::compile): 8738 87392013-02-25 Benjamin Poulain <bpoulain@apple.com> 8740 8741 [JSC] Upstream iOS Stack bound checking 8742 https://bugs.webkit.org/show_bug.cgi?id=110813 8743 8744 Reviewed by Filip Pizlo. 8745 8746 On iOS, the StackBounds cannot be cached because the stack 8747 can be in one of two threads (the web thread or the UI thread). 8748 8749 We simply always consider the current stack bound when testing 8750 stack boundaries. 8751 8752 * bytecompiler/BytecodeGenerator.cpp: 8753 (JSC::BytecodeGenerator::BytecodeGenerator): 8754 * bytecompiler/BytecodeGenerator.h: 8755 (JSC::BytecodeGenerator::emitNode): 8756 (JSC::BytecodeGenerator::emitNodeInConditionContext): 8757 (BytecodeGenerator): 8758 * parser/Parser.cpp: 8759 (JSC::::Parser): 8760 * parser/Parser.h: 8761 (JSC::Parser::canRecurse): 8762 (Parser): 8763 87642013-02-25 Michael Saboff <msaboff@apple.com> 8765 8766 For JSVALUE32_64, maxOffsetRelativeToPatchedStorage() doesn't compute the maximum negative offset 8767 https://bugs.webkit.org/show_bug.cgi?id=110828 8768 8769 Reviewed by Oliver Hunt. 
8770 8771 * runtime/JSObject.h: 8772 (JSC::maxOffsetRelativeToPatchedStorage): Only add the OBJECT_OFFSETOF(tag) for positive offsets. 8773 That way this function will return the offset farthest from 0 needed to access either the payload 8774 or tag. 8775 87762013-02-25 Jeffrey Pfau <jpfau@apple.com> 8777 8778 Optionally partition cache to prevent using cache for tracking 8779 https://bugs.webkit.org/show_bug.cgi?id=110269 8780 8781 Reviewed by Maciej Stachowiak. 8782 8783 * Configurations/FeatureDefines.xcconfig: Add defines for cache partitioning and public suffix list usage 8784 87852013-02-25 Roger Fong <roger_fong@apple.com> 8786 8787 Unreviewed. VS2010 solution build fix. 8788 8789 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props: 8790 87912013-02-24 Filip Pizlo <fpizlo@apple.com> 8792 8793 DFG::Edge should have more bits for UseKind, and DFG::Allocator should be simpler 8794 https://bugs.webkit.org/show_bug.cgi?id=110722 8795 8796 Reviewed by Oliver Hunt. 8797 8798 This rolls out the DFG::Allocator part of http://trac.webkit.org/changeset/143654, 8799 and changes Edge to have more room for UseKinds and possibly other things. 8800 8801 This is performance-neutral on both 32-bit and 64-bit. It reduces the size of 8802 DFG::Node on 64-bit (by virtue of getting rid of the 16-byte alignment of Node) 8803 and increases it slightly on 32-bit (by 4 bytes total - 16-byte alignment led to 8804 80 bytes, but the base size of Node plus the 12 bytes of new m_encodedWords in 8805 Edge gets 84 bytes). But, it will mean that we don't have to increase Node by 8806 another 16 bytes if we ever want to add more UseKinds or other things to Edge. 
8807 8808 * dfg/DFGAllocator.h: 8809 (DFG): 8810 (Allocator): 8811 (JSC::DFG::Allocator::Region::headerSize): 8812 (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): 8813 (JSC::DFG::Allocator::Region::data): 8814 (JSC::DFG::Allocator::Region::isInThisRegion): 8815 (JSC::DFG::::Allocator): 8816 (JSC::DFG::::~Allocator): 8817 (JSC::DFG::::allocate): 8818 (JSC::DFG::::free): 8819 (JSC::DFG::::freeAll): 8820 (JSC::DFG::::reset): 8821 (JSC::DFG::::indexOf): 8822 (JSC::DFG::::allocatorOf): 8823 (JSC::DFG::::bumpAllocate): 8824 (JSC::DFG::::freeListAllocate): 8825 (JSC::DFG::::allocateSlow): 8826 (JSC::DFG::::freeRegionsStartingAt): 8827 (JSC::DFG::::startBumpingIn): 8828 * dfg/DFGEdge.h: 8829 (JSC::DFG::Edge::Edge): 8830 (Edge): 8831 (JSC::DFG::Edge::node): 8832 (JSC::DFG::Edge::setNode): 8833 (JSC::DFG::Edge::useKindUnchecked): 8834 (JSC::DFG::Edge::setUseKind): 8835 (JSC::DFG::Edge::operator==): 8836 (JSC::DFG::Edge::operator!=): 8837 (JSC::DFG::Edge::makeWord): 8838 * dfg/DFGNodeAllocator.h: 8839 (DFG): 8840 88412013-02-22 Filip Pizlo <fpizlo@apple.com> 8842 8843 The DFG special case checks for isCreatedThisArgument are fragile 8844 https://bugs.webkit.org/show_bug.cgi?id=110535 8845 8846 Reviewed by Oliver Hunt. 8847 8848 There may be many situations in which we want to force a variable to never be 8849 unboxed. Capturing is one such case, and the created this argument is another. 8850 Previously all code that dealt with this issue had to query both scenarios. 8851 8852 Now DFG::VariableAccessData knows these things. You just have to ask 8853 VariableAccessData for whether a variable should be unboxed. Anyone wishing to 8854 force a variable to never be unboxed just tells VariableAccessData. 
8855 8856 * dfg/DFGAbstractState.cpp: 8857 (JSC::DFG::AbstractState::initialize): 8858 * dfg/DFGByteCodeParser.cpp: 8859 (JSC::DFG::ByteCodeParser::parseBlock): 8860 (DFG): 8861 * dfg/DFGCFGSimplificationPhase.cpp: 8862 (CFGSimplificationPhase): 8863 * dfg/DFGFixupPhase.cpp: 8864 (JSC::DFG::FixupPhase::fixupNode): 8865 * dfg/DFGGraph.h: 8866 (Graph): 8867 * dfg/DFGPredictionPropagationPhase.cpp: 8868 (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting): 8869 * dfg/DFGSpeculativeJIT.cpp: 8870 (JSC::DFG::SpeculativeJIT::compile): 8871 * dfg/DFGSpeculativeJIT32_64.cpp: 8872 (JSC::DFG::SpeculativeJIT::compile): 8873 * dfg/DFGSpeculativeJIT64.cpp: 8874 (JSC::DFG::SpeculativeJIT::compile): 8875 * dfg/DFGUnificationPhase.cpp: 8876 (JSC::DFG::UnificationPhase::run): 8877 * dfg/DFGVariableAccessData.h: 8878 (JSC::DFG::VariableAccessData::VariableAccessData): 8879 (JSC::DFG::VariableAccessData::mergeIsCaptured): 8880 (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): 8881 (VariableAccessData): 8882 (JSC::DFG::VariableAccessData::shouldNeverUnbox): 8883 (JSC::DFG::VariableAccessData::shouldUnboxIfPossible): 8884 (JSC::DFG::VariableAccessData::shouldUseDoubleFormat): 8885 (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): 8886 88872013-02-25 Geoffrey Garen <ggaren@apple.com> 8888 8889 Do one lookup per code cache insertion instead of two 8890 https://bugs.webkit.org/show_bug.cgi?id=110674 8891 8892 Reviewed by Sam Weinig. 8893 8894 Deployed the idiomatic "add null value" trick to avoid a second hash 8895 lookup when inserting an item. 8896 8897 * runtime/CodeCache.cpp: 8898 (JSC::CodeCacheMap::pruneSlowCase): Factored this into a helper function 8899 to improve clarity and get some code off the hot path. 8900 8901 (JSC::CodeCache::getCodeBlock): 8902 (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Use the add() API 8903 to avoid two hash lookups. Be sure to remove items if parsing fails, 8904 otherwise we'll leave nulls in the table. 
(I'm guessing that caching parse 8905 errors is not a win.) 8906 8907 * runtime/CodeCache.h: 8908 (JSC::SourceCodeValue::SourceCodeValue): 8909 (CodeCacheMap): 8910 (JSC::CodeCacheMap::add): Combined find() and set() into add(). 8911 8912 (JSC::CodeCacheMap::remove): 8913 (JSC::CodeCacheMap::age): 8914 (JSC::CodeCacheMap::prune): Refactored to support above changes. 8915 89162013-02-25 Carlos Garcia Campos <cgarcia@igalia.com> 8917 8918 [BlackBerry][ARM] Fix cast-align warnings in JavaScriptCore 8919 https://bugs.webkit.org/show_bug.cgi?id=110738 8920 8921 Reviewed by Rob Buis. 8922 8923 Use reinterpret_cast_ptr instead of reinterpret_cast for 8924 pointers. 8925 8926 * dfg/DFGOperations.cpp: 8927 * heap/CopiedBlock.h: 8928 (JSC::CopiedBlock::zeroFillWilderness): 8929 * heap/WeakBlock.h: 8930 (JSC::WeakBlock::asWeakImpl): 8931 (JSC::WeakBlock::asFreeCell): 8932 (JSC::WeakBlock::weakImpls): 8933 * heap/WeakImpl.h: 8934 (JSC::WeakImpl::asWeakImpl): 8935 * interpreter/JSStack.cpp: 8936 (JSC::JSStack::disableErrorStackReserve): 8937 * interpreter/JSStack.h: 8938 (JSC::JSStack::reservationEnd): 8939 * runtime/ArrayStorage.h: 8940 (JSC::ArrayStorage::from): 8941 * runtime/Butterfly.h: 8942 (JSC::Butterfly::indexingPayload): 8943 * runtime/IndexingHeader.h: 8944 (JSC::IndexingHeader::propertyStorage): 8945 * runtime/JSActivation.h: 8946 (JSC::JSActivation::tearOff): 8947 (JSC::JSActivation::isTornOff): 8948 (JSC::JSActivation::storage): 8949 89502013-02-22 Filip Pizlo <fpizlo@apple.com> 8951 8952 DFG::SpeculativeJIT::speculateNumber() should just use SpeculateDoubleOperand instead of doing its own thing 8953 https://bugs.webkit.org/show_bug.cgi?id=110659 8954 8955 Reviewed by Oliver Hunt and Mark Hahnenberg. 8956 8957 This simplifies the code, and also has the effect that if speculateNumber() is called 8958 prior to someone actually using the number in a double context, then the number will 8959 already be up-converted to double and ready to go. 
8960 8961 Previously if this ever came up, the subsequent use would have to again branch to see 8962 if the value is tagged as int or tagged as double. 8963 8964 On the other hand, if you ever did speculateNumber() and then used the value as a 8965 JSValue, this will be a slow down now. 8966 8967 I suspect that the former (speculateNumber() and then use as number) is more likely 8968 than the latter (speculateNumber() and then use as JSValue). 8969 8970 * dfg/DFGSpeculativeJIT.cpp: 8971 (JSC::DFG::SpeculativeJIT::speculateNumber): 8972 89732013-02-22 Filip Pizlo <fpizlo@apple.com> 8974 8975 DFG FixupPhase should have one common hook for knowing if a node is ever being speculated a certain way 8976 https://bugs.webkit.org/show_bug.cgi?id=110650 8977 8978 Reviewed by Mark Hahnenberg. 8979 8980 Changes almost all calls to edge.setUseKind(kind) to be 8981 setUseKindAndUnboxIfProfitable<kind>(edge). This will allow us to use the latter 8982 as a hook for deciding which locals to unbox (webkit.org/b/110433). 8983 8984 * dfg/DFGFixupPhase.cpp: 8985 (JSC::DFG::FixupPhase::fixupNode): 8986 (FixupPhase): 8987 (JSC::DFG::FixupPhase::setUseKindAndUnboxIfProfitable): 8988 (JSC::DFG::FixupPhase::fixIntEdge): 8989 (JSC::DFG::FixupPhase::fixDoubleEdge): 8990 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd): 8991 89922013-02-22 Filip Pizlo <fpizlo@apple.com> 8993 8994 REGRESSION(r143654): some fast/js test crashes on 32 bit build 8995 https://bugs.webkit.org/show_bug.cgi?id=110590 8996 8997 Reviewed by Mark Hahnenberg. 8998 8999 In compileValueToInt32, the refactoring in r143654 undid one of the fixes from 9000 r143314 due to a merge goof. 9001 9002 In speculateNumber, we were simply forgetting to indicate that we need a 9003 ManualOperandSpeculation on a JSValueOperand. ManualOperandSpeculation should 9004 be passed whenever you will be performing the type checks yourself rather than 9005 using the operand class to do it for you. 
9006 9007 * dfg/DFGSpeculativeJIT.cpp: 9008 (JSC::DFG::SpeculativeJIT::compileValueToInt32): 9009 (JSC::DFG::SpeculativeJIT::speculateNumber): 9010 90112013-02-22 Geoffrey Garen <ggaren@apple.com> 9012 9013 Not reviewed. 9014 9015 Fix the 32-bit build by using the right data type in more places. 9016 9017 * runtime/CodeCache.h: 9018 (CodeCacheMap): 9019 90202013-02-22 Geoffrey Garen <ggaren@apple.com> 9021 9022 Not reviewed. 9023 9024 Fix the 32-bit build by using the right data type. 9025 9026 * runtime/CodeCache.h: 9027 (JSC::CodeCacheMap::find): 9028 90292013-02-21 Geoffrey Garen <ggaren@apple.com> 9030 9031 Code cache size should adapt to workload 9032 https://bugs.webkit.org/show_bug.cgi?id=110560 9033 9034 Reviewed by Antti Koivisto. 9035 9036 (*) 5% PLT arithmetic mean speedup 9037 (*) 10% PLT geometric mean speedup 9038 (*) 3.4X microbenchmark speedup 9039 (*) Reduces initial cache capacity by 16X 9040 9041 * runtime/CodeCache.cpp: 9042 (JSC::CodeCache::CodeCache): Updated for interface change. 9043 9044 * runtime/CodeCache.h: 9045 (JSC::SourceCodeValue::SourceCodeValue): 9046 (SourceCodeValue): Turned the cache value into a struct so it can track its age. 9047 9048 (CodeCacheMap): 9049 (JSC::CodeCacheMap::CodeCacheMap): 9050 (JSC::CodeCacheMap::find): 9051 (JSC::CodeCacheMap::set): 9052 (JSC::CodeCacheMap::clear): 9053 (JSC::CodeCacheMap::pruneIfNeeded): 9054 (CodeCache): Grow and shrink in response to usage. 9055 90562013-02-21 Jessie Berlin <jberlin@apple.com> 9057 9058 Fix a typo that broke the 32 bit build. 9059 9060 * dfg/DFGSpeculativeJIT32_64.cpp: 9061 (JSC::DFG::SpeculativeJIT::compile): 9062 90632013-02-21 Michael Saboff <msaboff@apple.com> 9064 9065 25-30% regression in V8 RayTrace test in 32 bit builds with JIT disabled 9066 https://bugs.webkit.org/show_bug.cgi?id=110539 9067 9068 Reviewed by Filip Pizlo. 
9069 9070 Change the scale used to lookup pointers in JSGlobalObject::m_specialPointers to be 4 bytes for 9071 the 32 bit version of the interpreter. 9072 9073 * llint/LowLevelInterpreter32_64.asm: 9074 90752013-02-21 Roger Fong <roger_fong@apple.com> 9076 9077 Unreviewed. Add executable property to cmd file. 9078 Required for executable files to maintain their executable permissions over svn. 9079 9080 * JavaScriptCore.vcxproj/copy-files.cmd: Added property svn:executable. 9081 90822013-02-21 Filip Pizlo <fpizlo@apple.com> 9083 9084 Object allocation profiling will refuse to create objects with more than JSFinalObject::maxInlineCapacity() inline slots, but JSFunction::allocationProfile() asserts that the number of inline slots is always what it asked for 9085 https://bugs.webkit.org/show_bug.cgi?id=110519 9086 <rdar://problem/13218566> 9087 9088 Reviewed by Geoffrey Garen. 9089 9090 * runtime/JSFunction.h: 9091 (JSC::JSFunction::allocationProfile): 9092 90932013-02-21 Roger Fong <roger_fong@apple.com> 9094 9095 Unreviewed. Build fix for VS2010 WebKit solution. 9096 9097 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 9098 90992013-02-20 Filip Pizlo <fpizlo@apple.com> 9100 9101 DFG should not change its mind about what type speculations a node does, by encoding the checks in the NodeType, UseKind, and ArrayMode 9102 https://bugs.webkit.org/show_bug.cgi?id=109371 9103 9104 Reviewed by Oliver Hunt. 9105 9106 FixupPhase now locks in the speculations that each node will do. The DFG then 9107 remembers those speculations, and doesn't change its mind about them even if the 9108 graph is transformed - for example if a node's child is repointed to a different 9109 node as part of CSE, CFG simplification, or folding. Each node ensures that it 9110 executes the speculations promised by its edges. This is true even for Phantom 9111 nodes. 
9112 9113 This still leaves some craziness on the table for future work, like the 9114 elimination of speculating SetLocal's due to CFG simplification 9115 (webkit.org/b/109388) and elimination of nodes via DCE (webkit.org/b/109389). 9116 9117 In all, this allows for a huge simplification of the DFG. Instead of having to 9118 execute the right speculation heuristic each time you want to decide what a node 9119 does (for example Node::shouldSpeculateInteger(child1, child2) && 9120 node->canSpeculateInteger()), you just ask for the use kinds of its children 9121 (typically node->binaryUseKind() == Int32Use). Because the use kinds are 9122 discrete, you can often just switch over them. This makes many parts of the code 9123 more clear than they were before. 9124 9125 Having UseKinds describe the speculations being performed also makes it far 9126 easier to perform analyses that need to know what speculations are done. This is 9127 so far only used to simplify large parts of the CFA. 9128 9129 To have a larger vocabulary of UseKinds, this also changes the node allocator to 9130 be able to round up Node sizes to the nearest multiple of 16. 9131 9132 This appears to be neutral on benchmarks, except for some goofy speed-ups, like 9133 8% on Octane/box2d. 
9134 9135 * CMakeLists.txt: 9136 * GNUmakefile.list.am: 9137 * JavaScriptCore.xcodeproj/project.pbxproj: 9138 * Target.pri: 9139 * dfg/DFGAbstractState.cpp: 9140 (JSC::DFG::AbstractState::startExecuting): 9141 (DFG): 9142 (JSC::DFG::AbstractState::executeEdges): 9143 (JSC::DFG::AbstractState::verifyEdge): 9144 (JSC::DFG::AbstractState::verifyEdges): 9145 (JSC::DFG::AbstractState::executeEffects): 9146 (JSC::DFG::AbstractState::execute): 9147 * dfg/DFGAbstractState.h: 9148 (AbstractState): 9149 (JSC::DFG::AbstractState::filterEdgeByUse): 9150 (JSC::DFG::AbstractState::filterByType): 9151 * dfg/DFGAbstractValue.h: 9152 (JSC::DFG::AbstractValue::filter): 9153 * dfg/DFGAdjacencyList.h: 9154 (JSC::DFG::AdjacencyList::AdjacencyList): 9155 (JSC::DFG::AdjacencyList::child): 9156 (JSC::DFG::AdjacencyList::setChild): 9157 (JSC::DFG::AdjacencyList::reset): 9158 (JSC::DFG::AdjacencyList::firstChild): 9159 (JSC::DFG::AdjacencyList::setFirstChild): 9160 (JSC::DFG::AdjacencyList::numChildren): 9161 (JSC::DFG::AdjacencyList::setNumChildren): 9162 (AdjacencyList): 9163 * dfg/DFGAllocator.h: 9164 (DFG): 9165 (Allocator): 9166 (JSC::DFG::Allocator::cellSize): 9167 (JSC::DFG::Allocator::Region::headerSize): 9168 (JSC::DFG::Allocator::Region::numberOfThingsPerRegion): 9169 (JSC::DFG::Allocator::Region::payloadSize): 9170 (JSC::DFG::Allocator::Region::payloadBegin): 9171 (JSC::DFG::Allocator::Region::payloadEnd): 9172 (JSC::DFG::Allocator::Region::isInThisRegion): 9173 (JSC::DFG::::Allocator): 9174 (JSC::DFG::::~Allocator): 9175 (JSC::DFG::::allocate): 9176 (JSC::DFG::::free): 9177 (JSC::DFG::::freeAll): 9178 (JSC::DFG::::reset): 9179 (JSC::DFG::::indexOf): 9180 (JSC::DFG::::allocatorOf): 9181 (JSC::DFG::::bumpAllocate): 9182 (JSC::DFG::::freeListAllocate): 9183 (JSC::DFG::::allocateSlow): 9184 (JSC::DFG::::freeRegionsStartingAt): 9185 (JSC::DFG::::startBumpingIn): 9186 * dfg/DFGByteCodeParser.cpp: 9187 (JSC::DFG::ByteCodeParser::addToGraph): 9188 
(JSC::DFG::ByteCodeParser::handleMinMax): 9189 * dfg/DFGCSEPhase.cpp: 9190 (JSC::DFG::CSEPhase::setLocalStoreElimination): 9191 (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren): 9192 (JSC::DFG::CSEPhase::setReplacement): 9193 (JSC::DFG::CSEPhase::performNodeCSE): 9194 * dfg/DFGCommon.h: 9195 (DFG): 9196 * dfg/DFGConstantFoldingPhase.cpp: 9197 (JSC::DFG::ConstantFoldingPhase::foldConstants): 9198 (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck): 9199 * dfg/DFGDriver.cpp: 9200 (JSC::DFG::compile): 9201 * dfg/DFGEdge.cpp: 9202 (JSC::DFG::Edge::dump): 9203 * dfg/DFGEdge.h: 9204 (JSC::DFG::Edge::useKindUnchecked): 9205 (JSC::DFG::Edge::useKind): 9206 (JSC::DFG::Edge::shift): 9207 * dfg/DFGFixupPhase.cpp: 9208 (JSC::DFG::FixupPhase::run): 9209 (JSC::DFG::FixupPhase::fixupNode): 9210 (JSC::DFG::FixupPhase::checkArray): 9211 (JSC::DFG::FixupPhase::blessArrayOperation): 9212 (JSC::DFG::FixupPhase::fixIntEdge): 9213 (JSC::DFG::FixupPhase::fixDoubleEdge): 9214 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): 9215 (FixupPhase): 9216 (JSC::DFG::FixupPhase::truncateConstantToInt32): 9217 (JSC::DFG::FixupPhase::truncateConstantsIfNecessary): 9218 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd): 9219 * dfg/DFGGraph.cpp: 9220 (DFG): 9221 (JSC::DFG::Graph::refChildren): 9222 (JSC::DFG::Graph::derefChildren): 9223 * dfg/DFGGraph.h: 9224 (JSC::DFG::Graph::ref): 9225 (JSC::DFG::Graph::deref): 9226 (JSC::DFG::Graph::performSubstitution): 9227 (JSC::DFG::Graph::isPredictedNumerical): 9228 (JSC::DFG::Graph::addImmediateShouldSpeculateInteger): 9229 (DFG): 9230 * dfg/DFGNode.h: 9231 (JSC::DFG::Node::Node): 9232 (JSC::DFG::Node::convertToGetByOffset): 9233 (JSC::DFG::Node::convertToPutByOffset): 9234 (JSC::DFG::Node::willHaveCodeGenOrOSR): 9235 (JSC::DFG::Node::child1): 9236 (JSC::DFG::Node::child2): 9237 (JSC::DFG::Node::child3): 9238 (JSC::DFG::Node::binaryUseKind): 9239 (Node): 9240 (JSC::DFG::Node::isBinaryUseKind): 9241 * dfg/DFGNodeAllocator.h: 9242 (DFG): 9243 * 
dfg/DFGNodeFlags.cpp: 9244 (JSC::DFG::nodeFlagsAsString): 9245 * dfg/DFGNodeType.h: 9246 (DFG): 9247 * dfg/DFGPredictionPropagationPhase.cpp: 9248 (JSC::DFG::PredictionPropagationPhase::propagate): 9249 * dfg/DFGSpeculativeJIT.cpp: 9250 (JSC::DFG::SpeculativeJIT::speculationCheck): 9251 (DFG): 9252 (JSC::DFG::SpeculativeJIT::speculationWatchpoint): 9253 (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck): 9254 (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution): 9255 (JSC::DFG::SpeculativeJIT::typeCheck): 9256 (JSC::DFG::SpeculativeJIT::forwardTypeCheck): 9257 (JSC::DFG::SpeculativeJIT::fillStorage): 9258 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): 9259 (JSC::DFG::SpeculativeJIT::compile): 9260 (JSC::DFG::SpeculativeJIT::compileDoublePutByVal): 9261 (JSC::DFG::SpeculativeJIT::compileValueToInt32): 9262 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): 9263 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): 9264 (JSC::DFG::SpeculativeJIT::compileInstanceOf): 9265 (JSC::DFG::SpeculativeJIT::compileAdd): 9266 (JSC::DFG::SpeculativeJIT::compileArithSub): 9267 (JSC::DFG::SpeculativeJIT::compileArithNegate): 9268 (JSC::DFG::SpeculativeJIT::compileArithMul): 9269 (JSC::DFG::SpeculativeJIT::compileArithMod): 9270 (JSC::DFG::SpeculativeJIT::compare): 9271 (JSC::DFG::SpeculativeJIT::compileStrictEq): 9272 (JSC::DFG::SpeculativeJIT::speculateInt32): 9273 (JSC::DFG::SpeculativeJIT::speculateNumber): 9274 (JSC::DFG::SpeculativeJIT::speculateRealNumber): 9275 (JSC::DFG::SpeculativeJIT::speculateBoolean): 9276 (JSC::DFG::SpeculativeJIT::speculateCell): 9277 (JSC::DFG::SpeculativeJIT::speculateObject): 9278 (JSC::DFG::SpeculativeJIT::speculateObjectOrOther): 9279 (JSC::DFG::SpeculativeJIT::speculateString): 9280 (JSC::DFG::SpeculativeJIT::speculateNotCell): 9281 (JSC::DFG::SpeculativeJIT::speculateOther): 9282 (JSC::DFG::SpeculativeJIT::speculate): 9283 * dfg/DFGSpeculativeJIT.h: 9284 (SpeculativeJIT): 9285 (JSC::DFG::SpeculativeJIT::valueOfNumberConstant): 
9286 (JSC::DFG::SpeculativeJIT::needsTypeCheck): 9287 (JSC::DFG::IntegerOperand::IntegerOperand): 9288 (JSC::DFG::IntegerOperand::edge): 9289 (IntegerOperand): 9290 (JSC::DFG::IntegerOperand::node): 9291 (JSC::DFG::IntegerOperand::gpr): 9292 (JSC::DFG::IntegerOperand::use): 9293 (JSC::DFG::JSValueOperand::JSValueOperand): 9294 (JSValueOperand): 9295 (JSC::DFG::JSValueOperand::edge): 9296 (JSC::DFG::JSValueOperand::node): 9297 (JSC::DFG::JSValueOperand::gpr): 9298 (JSC::DFG::JSValueOperand::fill): 9299 (JSC::DFG::JSValueOperand::use): 9300 (JSC::DFG::StorageOperand::StorageOperand): 9301 (JSC::DFG::StorageOperand::edge): 9302 (StorageOperand): 9303 (JSC::DFG::StorageOperand::node): 9304 (JSC::DFG::StorageOperand::gpr): 9305 (JSC::DFG::StorageOperand::use): 9306 (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand): 9307 (SpeculateIntegerOperand): 9308 (JSC::DFG::SpeculateIntegerOperand::edge): 9309 (JSC::DFG::SpeculateIntegerOperand::node): 9310 (JSC::DFG::SpeculateIntegerOperand::gpr): 9311 (JSC::DFG::SpeculateIntegerOperand::use): 9312 (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand): 9313 (SpeculateStrictInt32Operand): 9314 (JSC::DFG::SpeculateStrictInt32Operand::edge): 9315 (JSC::DFG::SpeculateStrictInt32Operand::node): 9316 (JSC::DFG::SpeculateStrictInt32Operand::gpr): 9317 (JSC::DFG::SpeculateStrictInt32Operand::use): 9318 (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand): 9319 (SpeculateDoubleOperand): 9320 (JSC::DFG::SpeculateDoubleOperand::edge): 9321 (JSC::DFG::SpeculateDoubleOperand::node): 9322 (JSC::DFG::SpeculateDoubleOperand::fpr): 9323 (JSC::DFG::SpeculateDoubleOperand::use): 9324 (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand): 9325 (SpeculateCellOperand): 9326 (JSC::DFG::SpeculateCellOperand::edge): 9327 (JSC::DFG::SpeculateCellOperand::node): 9328 (JSC::DFG::SpeculateCellOperand::gpr): 9329 (JSC::DFG::SpeculateCellOperand::use): 9330 (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand): 9331 
(JSC::DFG::SpeculateBooleanOperand::edge): 9332 (SpeculateBooleanOperand): 9333 (JSC::DFG::SpeculateBooleanOperand::node): 9334 (JSC::DFG::SpeculateBooleanOperand::gpr): 9335 (JSC::DFG::SpeculateBooleanOperand::use): 9336 (DFG): 9337 * dfg/DFGSpeculativeJIT32_64.cpp: 9338 (JSC::DFG::SpeculativeJIT::fillInteger): 9339 (JSC::DFG::SpeculativeJIT::fillJSValue): 9340 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): 9341 (JSC::DFG::SpeculativeJIT::fillSpeculateInt): 9342 (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict): 9343 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 9344 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 9345 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 9346 (JSC::DFG::SpeculativeJIT::compileObjectEquality): 9347 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): 9348 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): 9349 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): 9350 (JSC::DFG::SpeculativeJIT::compileLogicalNot): 9351 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): 9352 (JSC::DFG::SpeculativeJIT::emitBranch): 9353 (JSC::DFG::SpeculativeJIT::compile): 9354 * dfg/DFGSpeculativeJIT64.cpp: 9355 (JSC::DFG::SpeculativeJIT::fillInteger): 9356 (JSC::DFG::SpeculativeJIT::fillJSValue): 9357 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): 9358 (JSC::DFG::SpeculativeJIT::fillSpeculateInt): 9359 (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict): 9360 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 9361 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 9362 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 9363 (JSC::DFG::SpeculativeJIT::compileObjectEquality): 9364 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): 9365 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): 9366 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): 9367 (JSC::DFG::SpeculativeJIT::compileLogicalNot): 9368 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): 9369 
(JSC::DFG::SpeculativeJIT::emitBranch): 9370 (JSC::DFG::SpeculativeJIT::compile): 9371 * dfg/DFGStructureCheckHoistingPhase.cpp: 9372 (JSC::DFG::StructureCheckHoistingPhase::run): 9373 * dfg/DFGUseKind.cpp: Added. 9374 (WTF): 9375 (WTF::printInternal): 9376 * dfg/DFGUseKind.h: Added. 9377 (DFG): 9378 (JSC::DFG::typeFilterFor): 9379 (JSC::DFG::isNumerical): 9380 (WTF): 9381 * dfg/DFGValidate.cpp: 9382 (JSC::DFG::Validate::reportValidationContext): 9383 93842013-02-20 Mark Hahnenberg <mhahnenberg@apple.com> 9385 9386 Objective-C API: Need a way to use the Objective-C JavaScript API with WebKit 9387 https://bugs.webkit.org/show_bug.cgi?id=106059 9388 9389 Reviewed by Geoffrey Garen. 9390 9391 * API/JSBase.h: Renamed enable flag for API. 9392 * API/JSBlockAdaptor.h: Using new flag. 9393 * API/JSBlockAdaptor.mm: Ditto. 9394 * API/JSContext.h: Add convenience C API conversion function for JSGlobalContextRef. 9395 * API/JSContext.mm: 9396 (-[JSContext JSGlobalContextRef]): Implementation of C API convenience function. 9397 (-[JSContext initWithVirtualMachine:]): We don't use the m_apiData field any more. 9398 (-[JSContext initWithGlobalContextRef:]): init method for allocating new JSContexts given a JSGlobalContextRef. 9399 (-[JSContext dealloc]): No more m_apiData. 9400 (-[JSContext wrapperForObjCObject:]): Renamed wrapperForObject. 9401 (-[JSContext wrapperForJSObject:]): Fetches or allocates the JSValue for the specified JSValueRef in this JSContext. 9402 (+[JSContext contextWithGlobalContextRef:]): Helper function to grab the lightweight JSContext wrapper for a given 9403 JSGlobalContextRef from the global wrapper cache or allocate a new one if there isn't already one. 9404 * API/JSContextInternal.h: New flag, new method declaration for initWithGlobalContextRef. 9405 * API/JSExport.h: New flag. 9406 * API/JSValue.h: New flag and new C API convenience method. 9407 * API/JSValue.mm: 9408 (-[JSValue JSValueRef]): Implementation of the C API convenience method. 
        (objectToValueWithoutCopy):
        (+[JSValue valueWithValue:inContext:]): We now ask the JSContext for an Objective-C JSValue wrapper, which it can cache
        in its internal JSWrapperMap.
        * API/JSValueInternal.h:
        * API/JSVirtualMachine.h:
        * API/JSVirtualMachine.mm: Added global cache that maps JSContextGroupRef -> JSVirtualMachine lightweight wrappers.
        (wrapperCacheLock):
        (initWrapperCache):
        (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
        (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
        (-[JSVirtualMachine init]):
        (-[JSVirtualMachine initWithContextGroupRef:]):
        (-[JSVirtualMachine dealloc]):
        (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
        (-[JSVirtualMachine contextForGlobalContextRef:]):
        (-[JSVirtualMachine addContext:forGlobalContextRef:]):
        * API/JSVirtualMachineInternal.h:
        * API/JSWrapperMap.h:
        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): We use the JSObjectSetPrototype C API call because
        setting the __proto__ property causes all sorts of bad things to happen behind the scenes, which can cause crashes based on
        when it gets called.
        (-[JSWrapperMap initWithContext:]):
        (-[JSWrapperMap jsWrapperForObject:]):
        (-[JSWrapperMap objcWrapperForJSValueRef:]):
        * API/JavaScriptCore.h:
        * API/ObjCCallbackFunction.h:
        * API/ObjCCallbackFunction.mm:
        (ObjCCallbackFunction::ObjCCallbackFunction): We never actually should have retained the target in the case that we had a
        block as a callback. Blocks are initially allocated on the stack and are only moved to the heap if we call their copy method.
        Retaining the block on the stack was a bad idea because if that stack frame ever went away and we called the block later,
        we'd crash and burn.
        (ObjCCallbackFunction::setContext): We need a new setter so that when the weak reference to a JSContext inside an ObjCCallbackFunction
        disappears, we can allocate a new one in its place.
        (ObjCCallbackFunction):
        (objCCallbackFunctionCallAsFunction): Reset the callback's context if it's ever destroyed.
        (objCCallbackFunctionForInvocation): Again, don't set the __proto__ property because it uses black magic that can cause us to crash
        depending on when this is called.
        (objCCallbackFunctionForBlock): Here is where we copy the block to the heap when we're first creating the callback object for it.
        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.mm: We're going to get rid of the automatic block conversion, since that is causing leaks. I changed it
        here in this test just so that it wouldn't mask any other potential leaks. Also modified some of the tests since JSContexts are
        just lightweight wrappers now, so we're not guaranteed to get the same pointer back from the call to [JSValue context] as the one
        that the value was created in.
        (-[TestObject callback:]):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData): No more m_apiData.
        * runtime/JSGlobalData.h: Ditto.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject): Ditto.
        * runtime/JSGlobalObject.h:

2013-02-19  Filip Pizlo  <fpizlo@apple.com>

        DFG::SpeculativeJIT::compileInt32ToDouble() has an unnecessary case for constant operands
        https://bugs.webkit.org/show_bug.cgi?id=110309

        Reviewed by Sam Weinig.

        It used to be necessary, back when we didn't have constant folding. Now we have
        constant folding. So we don't need it.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):

2013-02-20  Filip Pizlo  <fpizlo@apple.com>

        DFG inlines Resolves that it doesn't know how to handle correctly
        https://bugs.webkit.org/show_bug.cgi?id=110405

        Reviewed by Geoffrey Garen.

        Don't try to be clever: if there's a failing resolve, we can't inline it, period.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::canInlineResolveOperations):
        (JSC::DFG::canInlineOpcode):

2013-02-20  Roger Fong  <roger_fong@apple.com>

        Get VS2010 Solution B&I ready.
        <rdar://problem/1322988>

        Rubber stamped by Timothy Horton.

        Add Production configuration.
        Add a JavaScriptCore submit solution with a DebugSuffix configuration.
        Modify JavaScriptCore.make as necessary.

        * JavaScriptCore.vcxproj/JavaScriptCore.make: Added.
        * JavaScriptCore.vcxproj/JavaScriptCore.sln: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.sln.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPreBuild.cmd:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorProduction.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedProduction.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreProduction.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorProduction.props: Added.
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props:
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
        * JavaScriptCore.vcxproj/jsc/jscCommon.props:
        * JavaScriptCore.vcxproj/jsc/jscProduction.props: Added.
        * JavaScriptCore.vcxproj/jsc/jscRelease.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpProduction.props: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props:
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
        * JavaScriptCore.vcxproj/testapi/testapiCommon.props:
        * JavaScriptCore.vcxproj/testapi/testapiProduction.props: Added.
        * JavaScriptCore.vcxproj/testapi/testapiRelease.props:

2013-02-19  Jer Noble  <jer.noble@apple.com>

        EME: Enable both ENCRYPTED_MEDIA and ENCRYPTED_MEDIA_V2 until clients transition to the new API.
        https://bugs.webkit.org/show_bug.cgi?id=110284

        Reviewed by Eric Carlson.

        Re-enable the ENCRYPTED_MEDIA flag.

        * Configurations/FeatureDefines.xcconfig:

2013-02-20  Dirk Schulze  <krit@webkit.org>

        Enable CANVAS_PATH flag
        https://bugs.webkit.org/show_bug.cgi?id=108508

        Reviewed by Simon Fraser.

        Enable CANVAS_PATH flag on trunk.

        Existing tests cover the feature.

        * Configurations/FeatureDefines.xcconfig:

2013-02-19  Mark Rowe  <mrowe@apple.com>

        Unreviewed, uninteresting change to test a theory about bad dependency handling.

        * API/JSStringRefCF.cpp:
        (JSStringCreateWithCFString): Remove an unnecessary else clause.

2013-02-19  Oliver Hunt  <oliver@apple.com>

        Silence some analyzer warnings
        https://bugs.webkit.org/show_bug.cgi?id=110281

        Reviewed by Mark Hahnenberg.

        The static analyzer believes that callerCodeBlock can be null,
        based on other code performing null tests. This should not
        ever be the case, but we'll add RELEASE_ASSERTs to make it
        obvious if we're ever wrong.

        * interpreter/Interpreter.cpp:
        (JSC::getCallerInfo):

2013-02-19  Oliver Hunt  <oliver@apple.com>

        Don't force everything to be blinded in debug builds
        https://bugs.webkit.org/show_bug.cgi?id=110279

        Reviewed by Mark Hahnenberg.

        Switch to an explicit flag for indicating that we want
        every constant to be blinded.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlind):

2013-02-19  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of Opcode.h

        Rubber stamped by Mark Hahnenberg.

        * bytecode/Opcode.h:

2013-02-19  Filip Pizlo  <fpizlo@apple.com>

        Moved PolymorphicAccessStructureList into its own file.

        Rubber stamped by Mark Hahnenberg.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Instruction.h:
        (JSC):
        * bytecode/PolymorphicAccessStructureList.h: Added.
        (JSC):
        (PolymorphicAccessStructureList):
        (PolymorphicStubInfo):
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::PolymorphicStubInfo):
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
        (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
        (JSC::PolymorphicAccessStructureList::visitWeak):
        * bytecode/StructureStubInfo.h:

2013-02-19  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of Instruction.h

        Rubber stamped by Mark Hahnenberg.

        * bytecode/Instruction.h:

2013-02-18  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling in r143348.
        http://trac.webkit.org/changeset/143348
        https://bugs.webkit.org/show_bug.cgi?id=110242

        The bug was that isEmptyValue() was returning true for the deleted value.
        Fixed this and simplified things further by delegating to m_sourceCode
        for both isNull() and isHashTableDeletedValue(), so they can't be out of
        sync.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::isHashTableDeletedValue):
        (JSC::SourceCodeKey::hash):
        (JSC::SourceCodeKey::length):
        (JSC::SourceCodeKey::isNull):
        (JSC::SourceCodeKey::operator==):
        (SourceCodeKey):

2013-02-15  Martin Robinson  <mrobinson@igalia.com>

        [GTK] Improve gyp build JavaScriptCore code generation
        https://bugs.webkit.org/show_bug.cgi?id=109969

        Reviewed by Dirk Pranke.

        Switch away from using DerivedSources.make when building JavaScriptCore generated
        sources. This brings a couple of advantages, such as building the sources in parallel,
        but requires us to list the generated sources more than once.

        * JavaScriptCore.gyp/JavaScriptCoreGTK.gyp: Add rules for generating JavaScriptCore sources.
        * JavaScriptCore.gyp/generate-derived-sources.sh: Added.
        * JavaScriptCore.gyp/redirect-stdout.sh: Added.

2013-02-19  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r143348.
        http://trac.webkit.org/changeset/143348
        https://bugs.webkit.org/show_bug.cgi?id=110242

        "Caused a deleted value sentinel crash on the layout tests"
        (Requested by ggaren on #webkit).

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::isHashTableDeletedValue):
        (JSC::SourceCodeKey::hash):
        (JSC::SourceCodeKey::length):
        (JSC::SourceCodeKey::isNull):
        (JSC::SourceCodeKey::operator==):
        (SourceCodeKey):

2013-02-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        HeapBlock::destroy should issue warning if result is unused
        https://bugs.webkit.org/show_bug.cgi?id=110233

        Reviewed by Oliver Hunt.

        To enforce the fact that we need to return blocks to the BlockAllocator after calling destroy,
        we should add WARN_UNUSED_RETURN to HeapBlock::destroy and any other destroy functions in its subclasses.

        * heap/HeapBlock.h:

2013-02-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        WeakSet::removeAllocator leaks WeakBlocks
        https://bugs.webkit.org/show_bug.cgi?id=110228

        Reviewed by Geoffrey Garen.

        We need to return the WeakBlock to the BlockAllocator after the call to WeakBlock::destroy.

        * heap/WeakSet.cpp:
        (JSC::WeakSet::removeAllocator):

2013-02-18  Geoffrey Garen  <ggaren@apple.com>

        Save space on keys in the CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=110179

        Reviewed by Oliver Hunt.

        Share the SourceProvider's string instead of making our own copy. This
        chops off 16MB - 32MB from the CodeCache's memory footprint when full.
        (It's 16MB when the strings are LChar, and 32MB when they're UChar.)

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h: Removed a defunct enum value.

        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::isHashTableDeletedValue):
        (SourceCodeKey):
        (JSC::SourceCodeKey::hash):
        (JSC::SourceCodeKey::length):
        (JSC::SourceCodeKey::isNull):
        (JSC::SourceCodeKey::string):
        (JSC::SourceCodeKey::operator==): Store a SourceCode instead of a String
        so we can share our string with our SourceProvider. Cache our hash so
        we don't have to re-decode our string just to re-hash the table.

2013-02-19  Zoltan Herczeg  <zherczeg@webkit.org>

        revertBranchPtrWithPatch is incorrect on ARM traditional
        https://bugs.webkit.org/show_bug.cgi?id=110201

        Reviewed by Oliver Hunt.

        Revert two instructions back to their original value.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::revertBranchPtrWithPatch):
        (ARMAssembler):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branchPtrWithPatch):
        (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):

2013-02-19  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r143241): It made 27 layout tests crash on 32 bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=110184

        Reviewed by Zoltan Herczeg.

        32-bit backend was making all sorts of crazy assumptions, which happened to mostly
        not break things prior to http://trac.webkit.org/changeset/143241. This brings the
        32-bit backend's type speculation fully into compliance with what the 64-bit
        backend does.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):

2013-02-18  Ilya Tikhonovsky  <loislo@chromium.org>

        Unreviewed build fix for Apple Windows. Second stage.
        Add missed export statement.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-02-18  Roger Fong  <roger_fong@apple.com>

        Unreviewed Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-02-18  Darin Adler  <darin@apple.com>

        Remove unneeded explicit function template arguments.
        https://bugs.webkit.org/show_bug.cgi?id=110043

        Reviewed by Ryosuke Niwa.

        * runtime/Identifier.cpp:
        (JSC::IdentifierASCIIStringTranslator::hash): Let the compiler deduce the type
        when calling computeHashAndMaskTop8Bits.
        (JSC::IdentifierLCharFromUCharTranslator::hash): Ditto.
        * runtime/Identifier.h:
        (JSC::IdentifierCharBufferTranslator::hash): Ditto.

2013-02-18  Geoffrey Garen  <ggaren@apple.com>

        Shrank the SourceProvider cache
        https://bugs.webkit.org/show_bug.cgi?id=110158

        Reviewed by Oliver Hunt.

        CodeCache is now our primary source cache, so a long-lived SourceProvider
        cache is a waste. I measured this as a 10MB Membuster win; with more
        precise instrumentation, Andreas estimated it as up to 30MB.

        I didn't eliminate the SourceProvider cache because it's still useful
        in speeding up uncached parsing of scripts with large nested functions
        (i.e., all scripts).

        * heap/Heap.cpp:
        (JSC::Heap::collect): Discard all source provider caches after GC. This
        is a convenient place to do so because it's reasonably soon after initial
        parsing without being immediate.

        * parser/Parser.cpp:
        (JSC::::Parser): Updated for interface change: The heap now owns the
        source provider cache, since most SourceProviders are not expected to
        have one by default, and the heap is responsible for throwing them away.

        (JSC::::parseInner): No need to update statistics on cache size, since
        we're going to throw it away no matter what.

        (JSC::::parseFunctionInfo): Reduced the minimum function size to 16. This
        is a 27% win on a new parsing micro-benchmark I've added. Now that the
        cache is temporary, we don't have to worry so much about its memory
        footprint.

        * parser/Parser.h:
        (Parser): Updated for interface changes.

        * parser/SourceProvider.cpp:
        (JSC::SourceProvider::SourceProvider):
        (JSC::SourceProvider::~SourceProvider):
        * parser/SourceProvider.h:
        (JSC):
        (SourceProvider): SourceProvider doesn't own its cache anymore because
        the cache is temporary.

        * parser/SourceProviderCache.cpp:
        (JSC::SourceProviderCache::clear):
        (JSC::SourceProviderCache::add):
        * parser/SourceProviderCache.h:
        (JSC::SourceProviderCache::SourceProviderCache):
        (SourceProviderCache):
        * parser/SourceProviderCacheItem.h:
        (SourceProviderCacheItem): No need to update statistics on cache size,
        since we're going to throw it away no matter what.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::addSourceProviderCache):
        (JSC):
        (JSC::JSGlobalData::clearSourceProviderCaches):
        * runtime/JSGlobalData.h:
        (JSC):
        (JSGlobalData): Moved the cache here so it's easier to throw away.

2013-02-18  Filip Pizlo  <fpizlo@apple.com>

        DFG backend Branch handling has duplicate code and dead code
        https://bugs.webkit.org/show_bug.cgi?id=110162

        Reviewed by Mark Hahnenberg.

        Streamline the code, and make the 64 backend's optimizations make more sense
        (i.e. not be dead code).

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):

2013-02-18  Brent Fulgham  <bfulgham@webkit.org>

        [Windows] Unreviewed VS2010 build correction after r143273.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing source
        file SourceProvider.cpp.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Add missing exports.
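The Structure::flattenDictionaryStructure entry that follows describes a max-offset computation done purely by assignment inside a loop, which leaves a stale value behind when the property list is empty. The example below is added here and is not WebKit's code: Structure, PropertyEntry and invalidOffset are constructed stand-ins for the real JavaScriptCore types, and the table layout is invented. It places the buggy form next to the corrected one and exercises the exact case the entry names, a table whose properties have all been deleted before flattening.

```cpp
// Added example (not WebKit code): stale max-offset after an empty loop.
// Structure, PropertyEntry and invalidOffset are hypothetical stand-ins.
#include <cstddef>
#include <cstdio>
#include <vector>

typedef int PropertyOffset;
static const PropertyOffset invalidOffset = -1; // "no properties" sentinel (constructed)

struct PropertyEntry {
    const char* name;
    PropertyOffset offset; // offsets increase monotonically in insertion order
};

struct Structure {
    std::vector<PropertyEntry> table;
    PropertyOffset m_offset;

    explicit Structure(PropertyOffset initialOffset) : m_offset(initialOffset) {}

    void add(const char* name) {
        PropertyEntry entry = { name, static_cast<PropertyOffset>(table.size()) };
        table.push_back(entry);
    }

    // Deleting every property is the case the entry describes: the property
    // list becomes empty before the structure is flattened.
    void removeAll() { table.clear(); }

    // Buggy form: m_offset is only ever written inside the loop, so an empty
    // table leaves whatever value was there from before.
    PropertyOffset flattenBuggy() {
        for (size_t i = 0; i < table.size(); ++i)
            m_offset = table[i].offset;
        return m_offset;
    }

    // Fixed form: reset m_offset before the loop so the empty case yields
    // invalidOffset; taking the max also removes the reliance on ordering.
    PropertyOffset flattenFixed() {
        m_offset = invalidOffset;
        for (size_t i = 0; i < table.size(); ++i) {
            if (table[i].offset > m_offset)
                m_offset = table[i].offset;
        }
        return m_offset;
    }
};

// Scenario from the entry: add properties, flatten once (m_offset becomes 2),
// delete them all, flatten again. The buggy variant still reports 2.
PropertyOffset maxOffsetAfterEmptying(bool fixed) {
    Structure s(invalidOffset);
    s.add("a"); s.add("b"); s.add("c");
    (void)(fixed ? s.flattenFixed() : s.flattenBuggy());
    s.removeAll();
    return fixed ? s.flattenFixed() : s.flattenBuggy();
}

// Sanity scenario: with a non-empty table both variants agree.
PropertyOffset maxOffsetWithProperties(bool fixed) {
    Structure s(invalidOffset);
    s.add("x"); s.add("y");
    return fixed ? s.flattenFixed() : s.flattenBuggy();
}

int main() {
    std::printf("emptied table: buggy=%d fixed=%d\n",
                maxOffsetAfterEmptying(false), maxOffsetAfterEmptying(true));
    std::printf("two properties: buggy=%d fixed=%d\n",
                maxOffsetWithProperties(false), maxOffsetWithProperties(true));
    return 0;
}
```

The stale value matters because the flattened structure's offset is what later property storage decisions are based on; a sentinel that is reset before the loop makes the "no properties" case explicit instead of inherited from whatever ran last.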

2013-02-18  Filip Pizlo  <fpizlo@apple.com>

        Structure::flattenDictionaryStructure should compute max offset in a manner that soundly handles the case where the property list becomes empty
        https://bugs.webkit.org/show_bug.cgi?id=110155
        <rdar://problem/13233773>

        Reviewed by Mark Rowe.

        This was a rookie mistake. It was doing:

        for (blah) {
            m_offset = foo // foo monotonically increases in the loop
        }

        as a way of computing max offset for all of the properties. Except what if the loop doesn't
        execute because there are no properties? Well, then, you're going to have a bogus m_offset.

        The solution is to initialize m_offset at the top of the loop.

        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):

2013-02-18  Balazs Kilvady  <kilvadyb@homejinni.com>

        MIPS DFG implementation.
        https://bugs.webkit.org/show_bug.cgi?id=101328

        Reviewed by Oliver Hunt.

        DFG implementation for MIPS.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::MIPSAssembler):
        (JSC::MIPSAssembler::sllv):
        (JSC::MIPSAssembler::movd):
        (MIPSAssembler):
        (JSC::MIPSAssembler::negd):
        (JSC::MIPSAssembler::labelForWatchpoint):
        (JSC::MIPSAssembler::label):
        (JSC::MIPSAssembler::vmov):
        (JSC::MIPSAssembler::linkDirectJump):
        (JSC::MIPSAssembler::maxJumpReplacementSize):
        (JSC::MIPSAssembler::revertJumpToMove):
        (JSC::MIPSAssembler::replaceWithJump):
        * assembler/MacroAssembler.h:
        (MacroAssembler):
        (JSC::MacroAssembler::poke):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::add32):
        (MacroAssemblerMIPS):
        (JSC::MacroAssemblerMIPS::and32):
        (JSC::MacroAssemblerMIPS::lshift32):
        (JSC::MacroAssemblerMIPS::mul32):
        (JSC::MacroAssemblerMIPS::or32):
        (JSC::MacroAssemblerMIPS::rshift32):
        (JSC::MacroAssemblerMIPS::urshift32):
        (JSC::MacroAssemblerMIPS::sub32):
        (JSC::MacroAssemblerMIPS::xor32):
        (JSC::MacroAssemblerMIPS::store32):
        (JSC::MacroAssemblerMIPS::jump):
        (JSC::MacroAssemblerMIPS::branchAdd32):
        (JSC::MacroAssemblerMIPS::branchMul32):
        (JSC::MacroAssemblerMIPS::branchSub32):
        (JSC::MacroAssemblerMIPS::branchNeg32):
        (JSC::MacroAssemblerMIPS::call):
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::moveDouble):
        (JSC::MacroAssemblerMIPS::swapDouble):
        (JSC::MacroAssemblerMIPS::subDouble):
        (JSC::MacroAssemblerMIPS::mulDouble):
        (JSC::MacroAssemblerMIPS::divDouble):
        (JSC::MacroAssemblerMIPS::negateDouble):
        (JSC::MacroAssemblerMIPS::branchEqual):
        (JSC::MacroAssemblerMIPS::branchNotEqual):
        (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
        (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
        (JSC::MacroAssemblerMIPS::truncateDoubleToInt32):
        (JSC::MacroAssemblerMIPS::truncateDoubleToUint32):
        (JSC::MacroAssemblerMIPS::branchDoubleNonZero):
        (JSC::MacroAssemblerMIPS::branchDoubleZeroOrNaN):
        (JSC::MacroAssemblerMIPS::invert):
        (JSC::MacroAssemblerMIPS::replaceWithJump):
        (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
        * dfg/DFGAssemblyHelpers.h:
        (AssemblyHelpers):
        (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
        (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
        (JSC::DFG::AssemblyHelpers::debugCall):
        * dfg/DFGCCallHelpers.h:
        (CCallHelpers):
        (JSC::DFG::CCallHelpers::setupArguments):
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        * dfg/DFGFPRInfo.h:
        (DFG):
        (FPRInfo):
        (JSC::DFG::FPRInfo::toRegister):
        (JSC::DFG::FPRInfo::toIndex):
        (JSC::DFG::FPRInfo::debugName):
        * dfg/DFGGPRInfo.h:
        (DFG):
        (GPRInfo):
        (JSC::DFG::GPRInfo::toRegister):
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * jit/JSInterfaceJIT.h:
        (JSInterfaceJIT):
        * runtime/JSGlobalData.h:
        (JSC::ScratchBuffer::allocationSize):
        (ScratchBuffer):

2013-02-18  Filip Pizlo  <fpizlo@apple.com>

        DFG::SpeculativeJIT::isKnownXYZ methods should use CFA rather than other things
        https://bugs.webkit.org/show_bug.cgi?id=110092

        Reviewed by Geoffrey Garen.

        These methods were previously using GenerationInfo and other things to try to
        gain information that the CFA could give away for free, if you asked kindly
        enough.

        Also fixed CallLinkStatus's dump() method since it was making an invalid
        assertion: we most certainly can have a status where the structure is non-null
        and the executable is null, like if we're dealing with an InternalFunction.

        Also removed calls to isKnownNotXYZ from fillSpeculateABC methods in 32_64. I
        don't know why that was there.
        But it was causing asserts if the value was
        empty - i.e. we had already exited unconditionally but we didn't know it. I
        could have fixed this by introducing another form of isKnownNotXYZ which was
        tolerant of empty values, but I didn't feel like fixing code that I knew to be
        unnecessary. (More deeply, isKnownNotCell, for example, really asks: "do you
        know that this value can never be a cell?" while some of the previous uses
        wanted to ask: "do you know that this is a value that is not a cell?". The
        former is "true" if the value is a contradiction [i.e. BOTTOM], while the
        latter is "false" for contradictions, since contradictions are not values.)

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::dump):
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::CallLinkStatus):
        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isKnownInteger):
        (JSC::DFG::SpeculativeJIT::isKnownCell):
        (JSC::DFG::SpeculativeJIT::isKnownNotInteger):
        (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
        (JSC::DFG::SpeculativeJIT::isKnownNotCell):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::dump):

2013-02-17  Filip Pizlo  <fpizlo@apple.com>

        Get rid of DFG::DoubleOperand and simplify ValueToInt32
        https://bugs.webkit.org/show_bug.cgi?id=110072

        Reviewed by Geoffrey Garen.

        ValueToInt32 had a side-effecting path, which was not OSR-friendly: an OSR after
        the side-effect would lead to the side-effect re-executing. I got rid of that path
        and replaced it with an optimization for the case where the input is speculated
        number-or-other.
        This makes idioms like null|0 and true|0 work as expected, and
        get optimized appropriately.

        Also got rid of DoubleOperand. Replaced all remaining uses of it with
        SpeculateDoubleOperand. Because the latter asserts that the Edge is a DoubleUse
        edge and the remaining uses of DoubleOperand are all for untyped uses, I worked
        around the assertion by setting the UseKind to DoubleUse by force. This is sound,
        since all existing assertions for DoubleUse are actually asserting that we're not
        converting a value to double unexpectedly. But all of these calls to
        SpeculateDoubleOperand are when the operand is already known to be represented as
        double, so there is no conversion.

        This is neutral on benchmarks, except stanford-crypto-ccm, which speeds up a
        little. Mostly, this is intended to delete a bunch of code. DoubleOperand was
        equivalent to the replace-edge-with-DoubleUse trick that I'm using now, except it
        involved a _lot_ more code.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (DFG):
        (FPRTemporary):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (DFG):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (DFG):

2013-02-18  Ádám Kallai  <kadam@inf.u-szeged.hu>

        [Qt] Mountain Lion buildfix after r143147.

        Reviewed by Csaba Osztrogonác.

        * runtime/DateConstructor.cpp:

2013-02-18  Zan Dobersek  <zdobersek@igalia.com>

        Stop placing std::isfinite and std::signbit inside the global scope
        https://bugs.webkit.org/show_bug.cgi?id=109817

        Reviewed by Darin Adler.

        Prefix calls to the isfinite and signbit methods with std:: as the two
        methods are no longer being imported into the global scope.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlindDouble):
        * offlineasm/cloop.rb:
        * runtime/BigInteger.h:
        (JSC::BigInteger::BigInteger):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DatePrototype.cpp:
        (JSC::fillStructuresUsingTimeArgs):
        (JSC::fillStructuresUsingDateArgs):
        (JSC::dateProtoFuncToISOString):
        (JSC::dateProtoFuncSetYear):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::JSValue):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncIsFinite):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):
        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncMax): Also include an opportunistic style fix.
        (JSC::mathProtoFuncMin): Ditto.
        * runtime/NumberPrototype.cpp:
        (JSC::toStringWithRadix):
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        (JSC::numberProtoFuncToString):
        * runtime/Uint16WithFraction.h:
        (JSC::Uint16WithFraction::Uint16WithFraction):

2013-02-18  Ádám Kallai  <kadam@inf.u-szeged.hu>

        [Qt] Mountain Lion buildfix after r143147.

        Reviewed by Csaba Osztrogonác.

        * runtime/DateInstance.cpp:

2013-02-18  Ilya Tikhonovsky  <loislo@chromium.org>

        Unreviewed speculative build fix for Apple Win bots.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-02-18  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of StructureStubInfo.h

        Rubber stamped by Mark Hahnenberg.

        * bytecode/StructureStubInfo.h:

2013-02-18  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of JSGlobalObject.h and JSGlobalObjectFunctions.h

        Rubber stamped by Mark Hahnenberg.

        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.h:

2013-02-18  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of Operations.h

        Rubber stamped by Mark Hahnenberg.

        * runtime/Operations.h:

2013-02-18  Filip Pizlo  <fpizlo@apple.com>

        Remove DFG::SpeculativeJIT::isKnownNumeric(), since it's not called from anywhere.

        Rubber stamped by Andy Estes.

        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):

2013-02-18  Filip Pizlo  <fpizlo@apple.com>

        Remove DFG::SpeculativeJIT::isStrictInt32(), since it's not called from anywhere.

        Rubber stamped by Andy Estes.

        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):

2013-02-18  Filip Pizlo  <fpizlo@apple.com>

        Remove dead code for ValueToNumber from the DFG.

        Rubber stamped by Andy Estes.

        We killed ValueToNumber at some point, but forgot to kill all of the backend support
        for it.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleMinMax):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:

2013-02-17  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed buildfix for JSVALUE32_64 builds after r143147.
        * jit/JIT.h:

2013-02-17 Filip Pizlo <fpizlo@apple.com>

        Move all Structure out-of-line inline methods to StructureInlines.h
        https://bugs.webkit.org/show_bug.cgi?id=110024

        Rubber stamped by Mark Hahnenberg and Sam Weinig.

        This was supposed to be easy.

        But, initially, there was a Structure inline method in CodeBlock.h, and moving that
        into StructureInlines.h meant that Operations.h included CodeBlock.h. This would
        cause WebCore build failures, because CodeBlock.h transitively included the JSC
        parser (via many, many paths), and the JSC parser defines tokens using enumeration
        elements that CSSGrammar.cpp (generated by bison) would #define. For example,
        bison would give CSSGrammar.cpp a #define FUNCTION 123, and would do so before
        including anything interesting. The JSC parser would have an enum that included
        FUNCTION as an element. Hence the JSC parser included into CSSGrammar.cpp would have
        a token element called FUNCTION declared in an enumeration, but FUNCTION was
        #define'd to 123, leading to a parser error.

        Wow.

        So I removed all transitive include paths from CodeBlock.h to the JSC Parser. I
        believe I was able to do so without out-of-lining anything interesting or performance
        critical. This is probably a purely good thing to have done: it will be nice to be
        able to make changes to the parser without having to compile the universe.

        Of course, doing this caused a bunch of other things to not compile, since a bunch of
        headers relied on things being implicitly included for them when they transitively
        included the parser. I fixed a lot of that.

        Finally, I ended up removing the method that depended on CodeBlock.h from
        StructureInlines.h, and putting it in Structure.cpp. That might seem like all of this
        was a waste of time, except that I suspect it was a worthwhile forcing function for
        cleaning up a bunch of cruft.

        * API/JSCallbackFunction.cpp:
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.h:
        (JSC):
        * bytecode/EvalCodeCache.h:
        * bytecode/SamplingTool.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::parameterCount):
        (JSC):
        * bytecode/UnlinkedCodeBlock.h:
        (UnlinkedFunctionExecutable):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/Label.h:
        (JSC):
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGByteCodeParser.h:
        * dfg/DFGFPRInfo.h:
        * dfg/DFGRegisterBank.h:
        * heap/HandleStack.cpp:
        * jit/JITWriteBarrier.h:
        * parser/Nodes.h:
        (JSC):
        * parser/Parser.h:
        * parser/ParserError.h: Added.
        (JSC):
        (JSC::ParserError::ParserError):
        (ParserError):
        (JSC::ParserError::toErrorObject):
        * parser/ParserModes.h:
        * parser/SourceProvider.cpp: Added.
        (JSC):
        (JSC::SourceProvider::SourceProvider):
        (JSC::SourceProvider::~SourceProvider):
        * parser/SourceProvider.h:
        (JSC):
        (SourceProvider):
        * runtime/ArrayPrototype.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/Executable.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        (JSC):
        * runtime/Operations.h:
        * runtime/Structure.cpp:
        (JSC::Structure::prototypeForLookup):
        (JSC):
        * runtime/Structure.h:
        (JSC):
        * runtime/StructureInlines.h: Added.
        (JSC):
        (JSC::Structure::create):
        (JSC::Structure::createStructure):
        (JSC::Structure::get):
        (JSC::Structure::masqueradesAsUndefined):
        (JSC::SlotVisitor::internalAppend):
        (JSC::Structure::transitivelyTransitionedFrom):
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::enumerationCache):
        (JSC::Structure::prototypeForLookup):
        (JSC::Structure::prototypeChain):
        (JSC::Structure::isValid):
        * runtime/StructureRareData.cpp:

2013-02-17 Roger Fong <roger_fong@apple.com>

        Unreviewed. Windows build fix.

        * runtime/CodeCache.h:
        (CodeCacheMap):

2013-02-16 Geoffrey Garen <ggaren@apple.com>

        Code cache should be explicit about what it caches
        https://bugs.webkit.org/show_bug.cgi?id=110039

        Reviewed by Oliver Hunt.

        This patch makes the code cache more explicit in two ways:

        (1) The cache caches top-level scripts. Any sub-functions executed as a
        part of a script are cached with it and evicted with it.

        This simplifies things by eliminating out-of-band sub-function tracking,
        and fixes pathological cases where functions for live scripts would be
        evicted in favor of functions for dead scripts, and/or high probability
        functions executed early in script lifetime would be evicted in favor of
        low probability functions executed late in script lifetime, due to LRU.

        Statistical data from general browsing and PLT confirms that caching
        functions independently of scripts is not profitable.

        (2) The cache tracks script size, not script count.

        This reduces the worst-case cache size by a factor of infinity.

        Script size is a reasonable first-order estimate of in-memory footprint
        for a cached script because there are no syntactic constructs that have
        super-linear memory footprint.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock): Moved this function out of the cache
        because it does not consult the cache, and is not managed by it.

        (JSC::UnlinkedFunctionExecutable::visitChildren): Visit our code blocks
        because they are strong references now, rather than weak, a la (1).

        (JSC::UnlinkedFunctionExecutable::codeBlockFor): Updated for interface changes.

        * bytecode/UnlinkedCodeBlock.h:
        (UnlinkedFunctionExecutable):
        (UnlinkedFunctionCodeBlock): Strong now, not weak, a la (1).

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::CodeCache):
        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::length):
        (SourceCodeKey):
        (CodeCacheMap):
        (JSC::CodeCacheMap::CodeCacheMap):
        (JSC::CodeCacheMap::find):
        (JSC::CodeCacheMap::set):
        (JSC::CodeCacheMap::clear):
        (CodeCache):
        (JSC::CodeCache::clear): Removed individual function tracking, due to (1).
        Added explicit character counting, for (2).

        You might think 16000000 characters is a lot. It is. But this patch
        didn't establish that limit -- it just took the existing limit and
        made it more visible. I intend to reduce the size of the cache in a
        future patch.

2013-02-16 Filip Pizlo <fpizlo@apple.com>

        Remove support for bytecode comments, since it doesn't build, and hasn't been used in a while.
        https://bugs.webkit.org/show_bug.cgi?id=110035

        Rubber stamped by Andreas Kling.

        There are other ways of achieving the same effect, like adding print statements to the bytecode generator.
        The fact that this feature doesn't build and nobody noticed implies that it's probably not a popular
        feature. As well, the amount of wiring that was required for it was quite big considering its relatively
        modest utility.
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/Comment.h: Removed.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitOpcode):
        (JSC):
        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator):
        (JSC::BytecodeGenerator::symbolTable):

2013-02-16 Brent Fulgham <bfulgham@webkit.org>

        [Windows] Unreviewed Visual Studio 2010 build fix after r143117

        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Reference new path to property sheets.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
        Build correction after new operator == added.

2013-02-16 Filip Pizlo <fpizlo@apple.com>

        Fix indentation of Structure.h

        Rubber stamped by Mark Hahnenberg.

        * runtime/Structure.h:

2013-02-16 Christophe Dumez <ch.dumez@sisa.samsung.com>

        Unreviewed build fix.

        Export symbol for new CString operator== operator to fix Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-02-15 Filip Pizlo <fpizlo@apple.com>

        Structure should be more methodical about the relationship between m_offset and m_propertyTable
        https://bugs.webkit.org/show_bug.cgi?id=109978

        Reviewed by Mark Hahnenberg.

        Allegedly, the previous relationship was that either m_propertyTable or m_offset
        would be set, and if m_propertyTable was not set you could rebuild it. In reality,
        we would sometimes "reset" both: some transitions wouldn't set m_offset, and other
        transitions would clear the previous structure's m_propertyTable. So, in a
        structure transition chain of A->B->C you could have:

        A transitions to B: B doesn't copy m_offset but does copy m_propertyTable, because
        that seemed like a good idea at the time (this was a common idiom in the code).
        B transitions to C: C steals B's m_propertyTable, leaving B with neither a
        m_propertyTable nor a m_offset.

        Then we would ask for the size of the property storage of B and get the answer
        "none". That's not good.

        Now, there is a new relationship, which, hopefully, should fix things: m_offset is
        always set and always refers to the maximum offset ever used by the property table.
        From this, you can infer both the inline and out-of-line property size, and
        capacity. This is accomplished by having PropertyTable::add() take a
        PropertyOffset reference, which must be Structure::m_offset. It will update this
        offset. As well, all transitions now copy m_offset. And we frequently assert
        (using RELEASE_ASSERT) that the m_offset matches what m_propertyTable would tell
        you. Hence if you ever modify the m_propertyTable, you'll also update the offset.
        If you ever copy the property table, you'll also copy the offset. Life should be
        good, I think.
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::add):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::removePropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::sealTransition):
        (JSC::Structure::freezeTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::checkConsistency):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::createPropertyMap):
        (JSC::PropertyTable::checkConsistency):
        * runtime/Structure.h:
        (JSC):
        (JSC::Structure::putWillGrowOutOfLineStorage):
        (JSC::Structure::outOfLineCapacity):
        (JSC::Structure::outOfLineSize):
        (JSC::Structure::isEmpty):
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        (Structure):
        (JSC::Structure::checkOffsetConsistency):

2013-02-15 Martin Robinson <mrobinson@igalia.com>

        [GTK] Spread the gyp build files throughout the tree
        https://bugs.webkit.org/show_bug.cgi?id=109960

        Reviewed by Dirk Pranke.

        * JavaScriptCore.gyp/JavaScriptCoreGTK.gyp: Renamed from Source/WebKit/gtk/gyp/JavaScriptCore.gyp.
        * JavaScriptCore.gyp/generate-derived-sources.sh: Renamed from Source/WebKit/gtk/gyp/generate-derived-sources.sh.

2013-02-15 Filip Pizlo <fpizlo@apple.com>

        DFG SpeculativeJIT64 should be more precise about when it's dealing with a cell (even though it probably doesn't matter)
        https://bugs.webkit.org/show_bug.cgi?id=109625

        Reviewed by Mark Hahnenberg.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compile):

2013-02-15 Geoffrey Garen <ggaren@apple.com>

        Merged the global function cache into the source code cache
        https://bugs.webkit.org/show_bug.cgi?id=108660

        Reviewed by Sam Weinig.

        Responding to review comments by Darin Adler.

        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey): Don't initialize m_name and m_flags
        in the hash table deleted value because they're meaningless.

2013-02-14 Filip Pizlo <fpizlo@apple.com>

        DFG AbstractState should filter operands to NewArray more precisely
        https://bugs.webkit.org/show_bug.cgi?id=109900

        Reviewed by Mark Hahnenberg.

        NewArray for primitive indexing types speculates that the inputs are the appropriate
        primitives. Now, the CFA filters the abstract state accordingly, as well.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):

2013-02-15 Andreas Kling <akling@apple.com>

        Yarr: Use OwnPtr to make pattern/disjunction/character-class ownership clearer.
        <http://webkit.org/b/109218>

        Reviewed by Benjamin Poulain.

        - Let classes that manage lifetime of other objects hold on to them with OwnPtr instead of raw pointers.
        - Placed some strategic Vector::shrinkToFit(), ::reserveInitialCapacity() and ::swap().

        668 kB progression on Membuster3.
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
        (JSC::Yarr::ByteCompiler::emitDisjunction):
        (ByteCompiler):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::BytecodePattern::BytecodePattern):
        (BytecodePattern):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
        (JSC::Yarr::YarrGenerator::opCompileBody):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::charClass):
        (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
        (JSC::Yarr::YarrPatternConstructor::reset):
        (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
        (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
        (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
        (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
        (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
        (JSC::Yarr::YarrPatternConstructor::optimizeBOL):
        (JSC::Yarr::YarrPatternConstructor::containsCapturingTerms):
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
        * yarr/YarrPattern.h:
        (JSC::Yarr::PatternDisjunction::addNewAlternative):
        (PatternDisjunction):
        (YarrPattern):
        (JSC::Yarr::YarrPattern::reset):
        (JSC::Yarr::YarrPattern::newlineCharacterClass):
        (JSC::Yarr::YarrPattern::digitsCharacterClass):
        (JSC::Yarr::YarrPattern::spacesCharacterClass):
        (JSC::Yarr::YarrPattern::wordcharCharacterClass):
        (JSC::Yarr::YarrPattern::nondigitsCharacterClass):
        (JSC::Yarr::YarrPattern::nonspacesCharacterClass):
        (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):

2013-02-14 Geoffrey Garen <ggaren@apple.com>

        Merged the global function cache into the source code cache
        https://bugs.webkit.org/show_bug.cgi?id=108660

        Reviewed by Sam Weinig.

        This has a few benefits:

        (*) Saves a few kB by removing a second cache data structure.

        (*) Reduces the worst case memory usage of the cache by 1.75X. (Heavy
        use of 'new Function' and other techniques could cause us to fill
        both root caches, and they didn't trade off against each other.)

        (*) Paves the way for future improvements based on a non-trivial
        cache key (for example, shrinkable pointer to the key string, and
        more precise cache size accounting).

        Also cleaned up the cache implementation and simplified it a bit.

        * heap/Handle.h:
        (HandleBase):
        * heap/Strong.h:
        (Strong): Build!

        * runtime/CodeCache.cpp:
        (JSC):
        (JSC::CodeCache::getCodeBlock):
        (JSC::CodeCache::generateFunctionCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        (JSC::CodeCache::usedFunctionCode): Updated for three interface changes:

        (*) SourceCodeKey is a class, not a pair.

        (*) Table values are abstract pointers, since they can be executables
        or code blocks. (In a future patch, I'd like to change this so we
        always store only code blocks. But that's too much for one patch.)

        (*) The cache function is named "set" because it always overwrites
        unconditionally.

        * runtime/CodeCache.h:
        (CacheMap):
        (JSC::CacheMap::find):
        (JSC::CacheMap::set):
        (JSC::CacheMap::clear): Added support for specifying hash traits, so we
        can use a SourceCodeKey.

        Removed side table and random number generator to save space and reduce
        complexity. Hash tables are already random, so we don't need another source
        of randomness.
        (SourceCodeKey):
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::isHashTableDeletedValue):
        (JSC::SourceCodeKey::hash):
        (JSC::SourceCodeKey::isNull):
        (JSC::SourceCodeKey::operator==):
        (JSC::SourceCodeKeyHash::hash):
        (JSC::SourceCodeKeyHash::equal):
        (SourceCodeKeyHash):
        (SourceCodeKeyHashTraits):
        (JSC::SourceCodeKeyHashTraits::isEmptyValue): A SourceCodeKey is just a
        fancy triplet: source code string; function name (or null, for non-functions);
        and flags. Flags and function name distinguish between functions and programs
        with identical code, so they can live in the same cache.

        I chose to use the source code string as the primary hashing reference
        because it's likely to be unique. We can use profiling to choose another
        technique in future, if collisions between functions and programs prove
        to be hot. I suspect they won't.

        (JSC::CodeCache::clear):
        (CodeCache): Removed the second cache.
        * heap/Handle.h:
        (HandleBase):
        * heap/Strong.h:
        (Strong):
        * runtime/CodeCache.cpp:
        (JSC):
        (JSC::CodeCache::getCodeBlock):
        (JSC::CodeCache::generateFunctionCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        (JSC::CodeCache::usedFunctionCode):
        * runtime/CodeCache.h:
        (JSC):
        (CacheMap):
        (JSC::CacheMap::find):
        (JSC::CacheMap::set):
        (JSC::CacheMap::clear):
        (SourceCodeKey):
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::isHashTableDeletedValue):
        (JSC::SourceCodeKey::hash):
        (JSC::SourceCodeKey::isNull):
        (JSC::SourceCodeKey::operator==):
        (JSC::SourceCodeKeyHash::hash):
        (JSC::SourceCodeKeyHash::equal):
        (SourceCodeKeyHash):
        (SourceCodeKeyHashTraits):
        (JSC::SourceCodeKeyHashTraits::isEmptyValue):
        (JSC::CodeCache::clear):
        (CodeCache):

2013-02-14 Tony Chang <tony@chromium.org>

        Unreviewed, set svn:eol-style native for .sln, .vcproj, and .vsprops files.
        https://bugs.webkit.org/show_bug.cgi?id=96934

        * JavaScriptCore.vcproj/JavaScriptCore.sln: Modified property svn:eol-style.
        * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Modified property svn:eol-style.
        * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: Added property svn:eol-style.
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebug.vsprops: Added property svn:eol-style.
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebugAll.vsprops: Added property svn:eol-style.
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebugCairoCFLite.vsprops: Added property svn:eol-style.
        * JavaScriptCore.vcproj/testRegExp/testRegExpProduction.vsprops: Added property svn:eol-style.
        * JavaScriptCore.vcproj/testRegExp/testRegExpRelease.vsprops: Added property svn:eol-style.
        * JavaScriptCore.vcproj/testRegExp/testRegExpReleaseCairoCFLite.vsprops: Added property svn:eol-style.
        * JavaScriptCore.vcproj/testRegExp/testRegExpReleasePGO.vsprops: Added property svn:eol-style.

2013-02-14 Tony Chang <tony@chromium.org>

        Unreviewed, set svn:eol-style CRLF for .sln files.

        * JavaScriptCore.vcproj/JavaScriptCore.sln: Modified property svn:eol-style.
        * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Modified property svn:eol-style.

2013-02-14 David Kilzer <ddkilzer@apple.com>

        [Mac] Clean up WARNING_CFLAGS
        <http://webkit.org/b/109747>
        <rdar://problem/13208373>

        Reviewed by Mark Rowe.

        * Configurations/Base.xcconfig: Use
        GCC_WARN_64_TO_32_BIT_CONVERSION to enable and disable
        -Wshorten-64-to-32 rather than WARNING_CFLAGS.

        * JavaScriptCore.vcproj/JavaScriptCore.sln: Modified property svn:eol-style.
        * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Modified property svn:eol-style.

2013-02-13 Anders Carlsson <andersca@apple.com>

        Better build fix.

        * API/tests/testapi.c:
        (assertEqualsAsNumber):
        (main):

2013-02-13 Roger Fong <roger_fong@apple.com>

        Unreviewed. Build fix.

        * API/tests/testapi.c:
        (assertEqualsAsNumber):
        (main):

2013-02-13 Oliver Hunt <oliver@apple.com>

        Yet another build fix

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

2013-02-13 Zan Dobersek <zdobersek@igalia.com>

        The 'global isinf/isnan' compiler quirk required when using clang with libstdc++
        https://bugs.webkit.org/show_bug.cgi?id=109325

        Reviewed by Anders Carlsson.

        Prefix calls to the isinf and isnan methods with std::, declaring we want to use the
        two methods as they're provided by the C++ standard library being used.
        * API/JSValueRef.cpp:
        (JSValueMakeNumber):
        * JSCTypedArrayStubs.h:
        (JSC):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoad):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::constantNaN):
        * offlineasm/cloop.rb:
        * runtime/DateConstructor.cpp:
        (JSC::dateUTC): Also include an opportunistic style fix.
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::calculateGregorianDateTime):
        (JSC::DateInstance::calculateGregorianDateTimeUTC):
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncGetMilliSeconds):
        (JSC::dateProtoFuncGetUTCMilliseconds):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toInteger):
        * runtime/JSDateMath.cpp:
        (JSC::getUTCOffset):
        (JSC::parseDateFromNullTerminatedCharacters):
        (JSC::parseDate):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncIsNaN):
        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncMax):
        (JSC::mathProtoFuncMin):
        (JSC::mathProtoFuncPow):
        * runtime/PropertyDescriptor.cpp:
        (JSC::sameValue):

2013-02-13 Filip Pizlo <fpizlo@apple.com>

        Change another use of (SpecCell & ~SpecString) to SpecObject.

        Reviewed by Mark Hahnenberg.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):

2013-02-13 Filip Pizlo <fpizlo@apple.com>

        ForwardInt32ToDouble is not in DFG::MinifiedNode's list of relevant node types
        https://bugs.webkit.org/show_bug.cgi?id=109726

        Reviewed by Mark Hahnenberg.

        If you add it to the list of relevant node types, you also need to make sure
        it's listed as either hasChild or one of the other kinds. Otherwise you get
        an assertion. This is causing test failures in run-javascriptcore-tests.
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::MinifiedNode::hasChild):

2013-02-13 Oliver Hunt <oliver@apple.com>

        Build fix.

        Rearranged the code somewhat to reduce the number of
        DFG related ifdefs.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

2013-02-13 Filip Pizlo <fpizlo@apple.com>

        ForwardInt32ToDouble is not in DFG::MinifiedNode's list of relevant node types
        https://bugs.webkit.org/show_bug.cgi?id=109726

        Reviewed by Gavin Barraclough.

        This is asymptomatic because ForwardInt32ToDouble is only used in SetLocals, in
        which case the value is already stored to the stack. Still, we should fix this.

        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):

2013-02-12 Filip Pizlo <fpizlo@apple.com>

        DFG LogicalNot/Branch peephole removal and inversion ignores the possibility of things exiting
        https://bugs.webkit.org/show_bug.cgi?id=109489

        Reviewed by Mark Hahnenberg.

        If things can exit between the LogicalNot and the Branch then don't peephole.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-02-13 Oliver Hunt <oliver@apple.com>

        Remove unnecessary indirection to non-local variable access operations
        https://bugs.webkit.org/show_bug.cgi?id=109724

        Reviewed by Filip Pizlo.

        Linked bytecode now stores a direct pointer to the resolve operation
        vectors, so the interpreter no longer needs a bunch of indirection
        to perform non-local lookup.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/Instruction.h:
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canInlineOpcode):
        * dfg/DFGGraph.h:
        (ResolveGlobalData):
        (ResolveOperationData):
        (PutToBaseOperationData):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_put_to_base):
        (JSC::JIT::emit_op_resolve):
        (JSC::JIT::emitSlow_op_resolve):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emitSlow_op_resolve_base):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emitSlow_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_put_to_base):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_put_to_base):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:

2013-02-13 Zoltan Herczeg <zherczeg@webkit.org>

        replaceWithJump should not decrease the offset by 1 on ARM traditional.
        https://bugs.webkit.org/show_bug.cgi?id=109689

        Reviewed by Oliver Hunt.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::replaceWithJump):

2013-02-12 Joseph Pecoraro <pecoraro@apple.com>

        [iOS] Enable PAGE_VISIBILITY_API
        https://bugs.webkit.org/show_bug.cgi?id=109399

        Reviewed by David Kilzer.
        * Configurations/FeatureDefines.xcconfig:

2013-02-12 Filip Pizlo <fpizlo@apple.com>

        Renamed SpecObjectMask to SpecObject.

        Rubber stamped by Mark Hahnenberg.

        "SpecObjectMask" is a weird name considering that a bunch of the other speculated
        types are also masks, but don't have "Mask" in the name.

        * bytecode/SpeculatedType.h:
        (JSC):
        (JSC::isObjectSpeculation):
        (JSC::isObjectOrOtherSpeculation):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):

2013-02-12 Filip Pizlo <fpizlo@apple.com>

        DFG CFA doesn't filter precisely enough for CompareStrictEq
        https://bugs.webkit.org/show_bug.cgi?id=109618

        Reviewed by Mark Hahnenberg.

        The backend speculates object for this case, but the CFA was filtering on
        (SpecCell & ~SpecString) | SpecOther.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):

2013-02-12 Martin Robinson <mrobinson@igalia.com>

        Fix the gyp build of JavaScriptCore.

        * JavaScriptCore.gypi: Added some missing DFG files to the source list.

2013-02-12 Sheriff Bot <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r142387.
        http://trac.webkit.org/changeset/142387
        https://bugs.webkit.org/show_bug.cgi?id=109601

        caused all layout and jscore tests on windows to fail
        (Requested by kling on #webkit).

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (UnlinkedCodeBlock):

2013-02-11 Filip Pizlo <fpizlo@apple.com>

        DFG CompareEq optimization should be retuned
        https://bugs.webkit.org/show_bug.cgi?id=109545

        Reviewed by Mark Hahnenberg.

        - Made the object-to-object equality case work again by hoisting the if statement
        for it. Previously, object-to-object equality would be compiled as
        object-to-object-or-other.

        - Added AbstractState guards for most of the type checks that the object equality
        code uses.

        Looks like a hint of a speed-up on all of the things.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):

2013-02-12 Gabor Rapcsanyi <rgabor@webkit.org>

        JSC asserting with long parameter list functions in debug mode on ARM traditional
        https://bugs.webkit.org/show_bug.cgi?id=109565

        Reviewed by Zoltan Herczeg.
11050 11051 Increase the value of sequenceGetByIdSlowCaseInstructionSpace to 80. 11052 11053 * jit/JIT.h: 11054 110552013-02-11 Oliver Hunt <oliver@apple.com> 11056 11057 Make JSC API more NULL tolerant 11058 https://bugs.webkit.org/show_bug.cgi?id=109515 11059 11060 Reviewed by Mark Hahnenberg. 11061 11062 We do so much marshalling for the C API these days anyway that a single null 11063 check isn't a performance issue. Yet the existing "null is unsafe" behaviour 11064 leads to crashes in embedding applications whenever there's an untested code 11065 path, so it seems having defined behaviour is superior. 11066 11067 * API/APICast.h: 11068 (toJS): 11069 (toJSForGC): 11070 * API/JSObjectRef.cpp: 11071 (JSObjectIsFunction): 11072 (JSObjectCallAsFunction): 11073 (JSObjectIsConstructor): 11074 (JSObjectCallAsConstructor): 11075 * API/tests/testapi.c: 11076 (main): 11077 110782013-02-11 Filip Pizlo <fpizlo@apple.com> 11079 11080 Unreviewed, adding a FIXME to remind ourselves of a bug. 11081 https://bugs.webkit.org/show_bug.cgi?id=109487 11082 11083 * dfg/DFGSpeculativeJIT.cpp: 11084 (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant): 11085 110862013-02-11 Filip Pizlo <fpizlo@apple.com> 11087 11088 Strange bug in DFG OSR in JSC 11089 https://bugs.webkit.org/show_bug.cgi?id=109491 11090 11091 Reviewed by Mark Hahnenberg. 11092 11093 Int32ToDouble was being injected after a side-effecting operation and before a SetLocal. Anytime we 11094 inject something just before a SetLocal we should be aware that the previous operation may have been 11095 a side-effect associated with the current code origin. Hence, we should use a forward exit. 11096 Int32ToDouble does not do forward exits by default. 11097 11098 This patch adds a forward-exiting form of Int32ToDouble, for use in SetLocal Int32ToDouble injections. 
11099 Changed the CSE and other things to treat these nodes identically, but for the exit strategy to be 11100 distinct (Int32ToDouble -> backward, ForwardInt32ToDouble -> forward). The use of the NodeType for 11101 signaling exit direction is not "great" but it's what we use in other places already (like 11102 ForwardCheckStructure). 11103 11104 * dfg/DFGAbstractState.cpp: 11105 (JSC::DFG::AbstractState::execute): 11106 * dfg/DFGCSEPhase.cpp: 11107 (JSC::DFG::CSEPhase::int32ToDoubleCSE): 11108 (CSEPhase): 11109 (JSC::DFG::CSEPhase::performNodeCSE): 11110 * dfg/DFGCommon.h: 11111 * dfg/DFGFixupPhase.cpp: 11112 (JSC::DFG::FixupPhase::fixupNode): 11113 (JSC::DFG::FixupPhase::fixDoubleEdge): 11114 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): 11115 * dfg/DFGNode.h: 11116 (JSC::DFG::Node::willHaveCodeGenOrOSR): 11117 * dfg/DFGNodeType.h: 11118 (DFG): 11119 * dfg/DFGPredictionPropagationPhase.cpp: 11120 (JSC::DFG::PredictionPropagationPhase::propagate): 11121 * dfg/DFGSpeculativeJIT.cpp: 11122 (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward): 11123 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): 11124 * dfg/DFGSpeculativeJIT.h: 11125 * dfg/DFGSpeculativeJIT32_64.cpp: 11126 (JSC::DFG::SpeculativeJIT::compile): 11127 * dfg/DFGSpeculativeJIT64.cpp: 11128 (JSC::DFG::SpeculativeJIT::compile): 11129 * dfg/DFGVariableEventStream.cpp: 11130 (JSC::DFG::VariableEventStream::reconstruct): 11131 111322013-02-11 Filip Pizlo <fpizlo@apple.com> 11133 11134 NonStringCell and Object are practically the same thing for the purpose of speculation 11135 https://bugs.webkit.org/show_bug.cgi?id=109492 11136 11137 Reviewed by Mark Hahnenberg. 11138 11139 Removed isNonStringCellSpeculation, and made all callers use isObjectSpeculation. 11140 11141 Changed isNonStringCellOrOtherSpeculation to be isObjectOrOtherSpeculation. 11142 11143 I believe this is correct because even weird object types like JSNotAnObject end up 11144 being "objects" from the standpoint of our typesystem. 
Anyway, the assumption that 11145 "is cell but not a string" equates to "object" is an assumption that is already made 11146 in other places in the system so there's little value in being paranoid about it. 11147 11148 * bytecode/SpeculatedType.h: 11149 (JSC::isObjectSpeculation): 11150 (JSC::isObjectOrOtherSpeculation): 11151 * dfg/DFGAbstractState.cpp: 11152 (JSC::DFG::AbstractState::execute): 11153 * dfg/DFGNode.h: 11154 (Node): 11155 (JSC::DFG::Node::shouldSpeculateObjectOrOther): 11156 * dfg/DFGSpeculativeJIT.cpp: 11157 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): 11158 (JSC::DFG::SpeculativeJIT::compare): 11159 (JSC::DFG::SpeculativeJIT::compileStrictEq): 11160 * dfg/DFGSpeculativeJIT.h: 11161 (SpeculativeJIT): 11162 * dfg/DFGSpeculativeJIT32_64.cpp: 11163 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): 11164 (JSC::DFG::SpeculativeJIT::compileLogicalNot): 11165 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): 11166 (JSC::DFG::SpeculativeJIT::emitBranch): 11167 (JSC::DFG::SpeculativeJIT::compile): 11168 * dfg/DFGSpeculativeJIT64.cpp: 11169 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): 11170 (JSC::DFG::SpeculativeJIT::compileLogicalNot): 11171 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): 11172 (JSC::DFG::SpeculativeJIT::emitBranch): 11173 (JSC::DFG::SpeculativeJIT::compile): 11174 111752013-02-10 Filip Pizlo <fpizlo@apple.com> 11176 11177 DFG CompareEq(a, null) and CompareStrictEq(a, const) are unsound with respect to constant folding 11178 https://bugs.webkit.org/show_bug.cgi?id=109387 11179 11180 Reviewed by Oliver Hunt and Mark Hahnenberg. 11181 11182 Lock in the decision to use a non-speculative constant comparison as early as possible 11183 and don't let the CFA change it by folding constants. This might be a performance 11184 penalty on some really weird code (FWIW, I haven't seen this on benchmarks), but on 11185 the other hand it completely side-steps the unsoundness that the bug speaks of. 
11186 11187 Rolling back in after adding 32-bit path. 11188 11189 * dfg/DFGAbstractState.cpp: 11190 (JSC::DFG::AbstractState::execute): 11191 * dfg/DFGByteCodeParser.cpp: 11192 (JSC::DFG::ByteCodeParser::isConstantForCompareStrictEq): 11193 (ByteCodeParser): 11194 (JSC::DFG::ByteCodeParser::parseBlock): 11195 * dfg/DFGCSEPhase.cpp: 11196 (JSC::DFG::CSEPhase::performNodeCSE): 11197 * dfg/DFGNodeType.h: 11198 (DFG): 11199 * dfg/DFGPredictionPropagationPhase.cpp: 11200 (JSC::DFG::PredictionPropagationPhase::propagate): 11201 * dfg/DFGSpeculativeJIT.cpp: 11202 (JSC::DFG::SpeculativeJIT::compileStrictEq): 11203 * dfg/DFGSpeculativeJIT32_64.cpp: 11204 (JSC::DFG::SpeculativeJIT::compile): 11205 * dfg/DFGSpeculativeJIT64.cpp: 11206 (JSC::DFG::SpeculativeJIT::compile): 11207 112082013-02-10 Filip Pizlo <fpizlo@apple.com> 11209 11210 DFG TypeOf implementation should have its backend code aligned to what the CFA does 11211 https://bugs.webkit.org/show_bug.cgi?id=109385 11212 11213 Reviewed by Sam Weinig. 11214 11215 The problem was that if we ended up trying to constant fold, but didn't succeed 11216 because of prediction mismatches, then we would also fail to do filtration. 11217 11218 Rearranged the control flow in the CFA to fix that. 11219 11220 As far as I know, this is asymptomatic - it's sort of OK for the CFA to prove less 11221 things, which is what the bug was. 11222 11223 * dfg/DFGAbstractState.cpp: 11224 (JSC::DFG::AbstractState::execute): 11225 112262013-02-11 Sheriff Bot <webkit.review.bot@gmail.com> 11227 11228 Unreviewed, rolling out r142491. 11229 http://trac.webkit.org/changeset/142491 11230 https://bugs.webkit.org/show_bug.cgi?id=109470 11231 11232 broke the 32 bit build (Requested by jessieberlin on #webkit). 
11233 11234 * dfg/DFGAbstractState.cpp: 11235 (JSC::DFG::AbstractState::execute): 11236 * dfg/DFGByteCodeParser.cpp: 11237 (JSC::DFG::ByteCodeParser::parseBlock): 11238 * dfg/DFGCSEPhase.cpp: 11239 (JSC::DFG::CSEPhase::performNodeCSE): 11240 * dfg/DFGNodeType.h: 11241 (DFG): 11242 * dfg/DFGPredictionPropagationPhase.cpp: 11243 (JSC::DFG::PredictionPropagationPhase::propagate): 11244 * dfg/DFGSpeculativeJIT.cpp: 11245 (JSC::DFG::SpeculativeJIT::compileStrictEq): 11246 * dfg/DFGSpeculativeJIT64.cpp: 11247 (JSC::DFG::SpeculativeJIT::compile): 11248 112492013-02-10 Filip Pizlo <fpizlo@apple.com> 11250 11251 DFG CompareEq(a, null) and CompareStrictEq(a, const) are unsound with respect to constant folding 11252 https://bugs.webkit.org/show_bug.cgi?id=109387 11253 11254 Reviewed by Oliver Hunt. 11255 11256 Lock in the decision to use a non-speculative constant comparison as early as possible 11257 and don't let the CFA change it by folding constants. This might be a performance 11258 penalty on some really weird code (FWIW, I haven't seen this on benchmarks), but on 11259 the other hand it completely side-steps the unsoundness that the bug speaks of. 11260 11261 * dfg/DFGAbstractState.cpp: 11262 (JSC::DFG::AbstractState::execute): 11263 * dfg/DFGByteCodeParser.cpp: 11264 (JSC::DFG::ByteCodeParser::isConstantForCompareStrictEq): 11265 (ByteCodeParser): 11266 (JSC::DFG::ByteCodeParser::parseBlock): 11267 * dfg/DFGCSEPhase.cpp: 11268 (JSC::DFG::CSEPhase::performNodeCSE): 11269 * dfg/DFGNodeType.h: 11270 (DFG): 11271 * dfg/DFGPredictionPropagationPhase.cpp: 11272 (JSC::DFG::PredictionPropagationPhase::propagate): 11273 * dfg/DFGSpeculativeJIT.cpp: 11274 (JSC::DFG::SpeculativeJIT::compileStrictEq): 11275 * dfg/DFGSpeculativeJIT64.cpp: 11276 (JSC::DFG::SpeculativeJIT::compile): 11277 112782013-02-11 Csaba Osztrogonác <ossy@webkit.org> 11279 11280 Unreviewed fix after r13954 for !ENABLE(JIT) builds. 
11281 11282 * llint/LowLevelInterpreter.cpp: 11283 112842013-02-11 Gabor Rapcsanyi <rgabor@webkit.org> 11285 11286 JSC build failing with verbose debug mode 11287 https://bugs.webkit.org/show_bug.cgi?id=109441 11288 11289 Reviewed by Darin Adler. 11290 11291 Fixing some verbose messages which caused build errors. 11292 11293 * dfg/DFGAbstractState.cpp: 11294 (JSC::DFG::AbstractState::mergeToSuccessors): 11295 * dfg/DFGCFAPhase.cpp: 11296 (JSC::DFG::CFAPhase::performBlockCFA): 11297 * dfg/DFGCSEPhase.cpp: 11298 (JSC::DFG::CSEPhase::setReplacement): 11299 (JSC::DFG::CSEPhase::eliminate): 11300 * dfg/DFGPredictionInjectionPhase.cpp: 11301 (JSC::DFG::PredictionInjectionPhase::run): 11302 113032013-02-10 Martin Robinson <mrobinson@igalia.com> 11304 11305 Fix the GTK+ gyp build 11306 11307 * JavaScriptCore.gypi: Update the source list to accurately 11308 reflect what's in the repository and remove the offsets extractor 11309 from the list of JavaScriptCore files. It's only used to build 11310 the extractor binary. 11311 113122013-02-09 Andreas Kling <akling@apple.com> 11313 11314 Shrink-wrap UnlinkedCodeBlock members. 11315 <http://webkit.org/b/109368> 11316 11317 Reviewed by Oliver Hunt. 11318 11319 Rearrange the members of UnlinkedCodeBlock to avoid unnecessary padding on 64-bit. 11320 Knocks ~600 KB off of the Membuster3 peak. 11321 11322 * bytecode/UnlinkedCodeBlock.cpp: 11323 (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): 11324 * bytecode/UnlinkedCodeBlock.h: 11325 (UnlinkedCodeBlock): 11326 113272013-02-08 Filip Pizlo <fpizlo@apple.com> 11328 11329 DFG should allow phases to break Phi's and then have one phase to rebuild them 11330 https://bugs.webkit.org/show_bug.cgi?id=108414 11331 11332 Reviewed by Mark Hahnenberg. 11333 11334 Introduces two new DFG forms: LoadStore and ThreadedCPS. These are described in 11335 detail in DFGCommon.h. 11336 11337 Consequently, DFG phases no longer have to worry about preserving data flow 11338 links between basic blocks. 
It is generally always safe to request that the 11339 graph be dethreaded (Graph::dethread), which brings it into LoadStore form, where 11340 the data flow is implicit. In this form, only liveness-at-head needs to be 11341 preserved. 11342 11343 All of the machinery for "threading" the graph to introduce data flow between 11344 blocks is now moved out of the bytecode parser and into the CPSRethreadingPhase. 11345 All phases that previously did this maintenance themselves now just rely on 11346 being able to dethread the graph. The one exception is the structure check 11347 hoising phase, which operates over a threaded graph and preserves it, for the 11348 sake of performance. 11349 11350 Also moved two other things into their own phases: unification (previously found 11351 in the parser) and prediction injection (previously found in various places). 11352 11353 * CMakeLists.txt: 11354 * GNUmakefile.list.am: 11355 * JavaScriptCore.xcodeproj/project.pbxproj: 11356 * Target.pri: 11357 * bytecode/Operands.h: 11358 (Operands): 11359 (JSC::Operands::sizeFor): 11360 (JSC::Operands::atFor): 11361 * dfg/DFGAbstractState.cpp: 11362 (JSC::DFG::AbstractState::execute): 11363 (JSC::DFG::AbstractState::mergeStateAtTail): 11364 * dfg/DFGAllocator.h: 11365 (JSC::DFG::::allocateSlow): 11366 * dfg/DFGArgumentsSimplificationPhase.cpp: 11367 (JSC::DFG::ArgumentsSimplificationPhase::run): 11368 * dfg/DFGBasicBlockInlines.h: 11369 (DFG): 11370 * dfg/DFGByteCodeParser.cpp: 11371 (JSC::DFG::ByteCodeParser::getLocal): 11372 (JSC::DFG::ByteCodeParser::getArgument): 11373 (JSC::DFG::ByteCodeParser::flushDirect): 11374 (JSC::DFG::ByteCodeParser::parseBlock): 11375 (DFG): 11376 (JSC::DFG::ByteCodeParser::parse): 11377 * dfg/DFGCFGSimplificationPhase.cpp: 11378 (JSC::DFG::CFGSimplificationPhase::run): 11379 (JSC::DFG::CFGSimplificationPhase::killUnreachable): 11380 (JSC::DFG::CFGSimplificationPhase::keepOperandAlive): 11381 (CFGSimplificationPhase): 11382 
(JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors): 11383 (JSC::DFG::CFGSimplificationPhase::mergeBlocks): 11384 * dfg/DFGCPSRethreadingPhase.cpp: Added. 11385 (DFG): 11386 (CPSRethreadingPhase): 11387 (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase): 11388 (JSC::DFG::CPSRethreadingPhase::run): 11389 (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes): 11390 (JSC::DFG::CPSRethreadingPhase::clearVariablesAtHeadAndTail): 11391 (JSC::DFG::CPSRethreadingPhase::addPhiSilently): 11392 (JSC::DFG::CPSRethreadingPhase::addPhi): 11393 (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor): 11394 (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocal): 11395 (JSC::DFG::CPSRethreadingPhase::canonicalizeSetLocal): 11396 (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor): 11397 (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocal): 11398 (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument): 11399 (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock): 11400 (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlocks): 11401 (JSC::DFG::CPSRethreadingPhase::propagatePhis): 11402 (JSC::DFG::CPSRethreadingPhase::PhiStackEntry::PhiStackEntry): 11403 (PhiStackEntry): 11404 (JSC::DFG::CPSRethreadingPhase::phiStackFor): 11405 (JSC::DFG::performCPSRethreading): 11406 * dfg/DFGCPSRethreadingPhase.h: Added. 
11407 (DFG): 11408 * dfg/DFGCSEPhase.cpp: 11409 (CSEPhase): 11410 (JSC::DFG::CSEPhase::performNodeCSE): 11411 * dfg/DFGCommon.cpp: 11412 (WTF): 11413 (WTF::printInternal): 11414 * dfg/DFGCommon.h: 11415 (JSC::DFG::logCompilationChanges): 11416 (DFG): 11417 (WTF): 11418 * dfg/DFGConstantFoldingPhase.cpp: 11419 (JSC::DFG::ConstantFoldingPhase::foldConstants): 11420 * dfg/DFGDriver.cpp: 11421 (JSC::DFG::compile): 11422 * dfg/DFGGraph.cpp: 11423 (JSC::DFG::Graph::Graph): 11424 (JSC::DFG::Graph::dump): 11425 (JSC::DFG::Graph::dethread): 11426 (JSC::DFG::Graph::collectGarbage): 11427 * dfg/DFGGraph.h: 11428 (JSC::DFG::Graph::performSubstitution): 11429 (Graph): 11430 (JSC::DFG::Graph::performSubstitutionForEdge): 11431 (JSC::DFG::Graph::convertToConstant): 11432 * dfg/DFGNode.h: 11433 (JSC::DFG::Node::convertToPhantomLocal): 11434 (Node): 11435 (JSC::DFG::Node::convertToGetLocal): 11436 (JSC::DFG::Node::hasVariableAccessData): 11437 * dfg/DFGNodeType.h: 11438 (DFG): 11439 * dfg/DFGPhase.cpp: 11440 (JSC::DFG::Phase::beginPhase): 11441 * dfg/DFGPhase.h: 11442 (JSC::DFG::runAndLog): 11443 * dfg/DFGPredictionInjectionPhase.cpp: Added. 11444 (DFG): 11445 (PredictionInjectionPhase): 11446 (JSC::DFG::PredictionInjectionPhase::PredictionInjectionPhase): 11447 (JSC::DFG::PredictionInjectionPhase::run): 11448 (JSC::DFG::performPredictionInjection): 11449 * dfg/DFGPredictionInjectionPhase.h: Added. 11450 (DFG): 11451 * dfg/DFGPredictionPropagationPhase.cpp: 11452 (JSC::DFG::PredictionPropagationPhase::run): 11453 (JSC::DFG::PredictionPropagationPhase::propagate): 11454 * dfg/DFGSpeculativeJIT32_64.cpp: 11455 (JSC::DFG::SpeculativeJIT::compile): 11456 * dfg/DFGSpeculativeJIT64.cpp: 11457 (JSC::DFG::SpeculativeJIT::compile): 11458 * dfg/DFGStructureCheckHoistingPhase.cpp: 11459 (JSC::DFG::StructureCheckHoistingPhase::run): 11460 * dfg/DFGUnificationPhase.cpp: Added. 
11461 (DFG): 11462 (UnificationPhase): 11463 (JSC::DFG::UnificationPhase::UnificationPhase): 11464 (JSC::DFG::UnificationPhase::run): 11465 (JSC::DFG::performUnification): 11466 * dfg/DFGUnificationPhase.h: Added. 11467 (DFG): 11468 * dfg/DFGValidate.cpp: 11469 (JSC::DFG::Validate::validate): 11470 (JSC::DFG::Validate::dumpGraphIfAppropriate): 11471 * dfg/DFGVirtualRegisterAllocationPhase.cpp: 11472 (JSC::DFG::VirtualRegisterAllocationPhase::run): 11473 * llint/LLIntSlowPaths.cpp: 11474 (JSC::LLInt::setUpCall): 11475 * runtime/JSCJSValue.cpp: 11476 (JSC::JSValue::dump): 11477 * runtime/JSString.h: 11478 (JSString): 11479 * runtime/Options.h: 11480 (JSC): 11481 114822013-02-08 Jer Noble <jer.noble@apple.com> 11483 11484 Bring WebKit up to speed with latest Encrypted Media spec. 11485 https://bugs.webkit.org/show_bug.cgi?id=97037 11486 11487 Reviewed by Eric Carlson. 11488 11489 Define the ENABLE_ENCRYPTED_MEDIA_V2 setting. 11490 11491 * Configurations/FeatureDefines.xcconfig: 11492 114932013-02-08 Gavin Barraclough <barraclough@apple.com> 11494 11495 Objective-C API for JavaScriptCore 11496 https://bugs.webkit.org/show_bug.cgi?id=105889 11497 11498 Reviewed by Joseph Pecoraro 11499 11500 Following up on review comments, mostly typos. 11501 11502 * API/JSBlockAdaptor.h: 11503 * API/JSBlockAdaptor.mm: 11504 (-[JSBlockAdaptor blockFromValue:inContext:withException:]): 11505 * API/JSContext.h: 11506 * API/JSExport.h: 11507 * API/JSValue.h: 11508 * API/JSValue.mm: 11509 * API/JSWrapperMap.mm: 11510 (selectorToPropertyName): 11511 (-[JSWrapperMap classInfoForClass:]): 11512 (-[JSWrapperMap wrapperForObject:]): 11513 115142013-02-08 Martin Robinson <mrobinson@igalia.com> 11515 11516 [GTK] Add an experimental gyp build 11517 https://bugs.webkit.org/show_bug.cgi?id=109003 11518 11519 Reviewed by Gustavo Noronha Silva. 11520 11521 * JavaScriptCore.gypi: Update the list of source files to include those 11522 necessary for the GTK+ build. 
11523 115242013-02-08 Andreas Kling <akling@apple.com> 11525 11526 JSC: Lower minimum PropertyTable size. 11527 <http://webkit.org/b/109247> 11528 11529 Reviewed by Darin Adler. 11530 11531 Lower the minimum table size for PropertyTable from 16 to 8. 11532 3.32 MB progression on Membuster3 (a ~13% reduction in memory used by PropertyTables.) 11533 11534 * runtime/PropertyMapHashTable.h: 11535 (PropertyTable): 11536 (JSC::PropertyTable::sizeForCapacity): 11537 115382013-02-07 Roger Fong <roger_fong@apple.com> 11539 11540 Unreviewed. More VS2010 WebKit solution touchups. 11541 Make JavaScriptCoreExports.def.in be treated as a custom build file so that changes to it cause the exports to be rebuilt. 11542 11543 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj: 11544 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters: 11545 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: 11546 115472013-02-07 Mark Hahnenberg <mhahnenberg@apple.com> 11548 11549 Objective-C API: testapi.mm should use ARC 11550 https://bugs.webkit.org/show_bug.cgi?id=107838 11551 11552 Reviewed by Mark Rowe. 11553 11554 Removing the changes to the Xcode project file and moving the equivalent flags into 11555 the ToolExecutable xcconfig file. 11556 11557 * Configurations/ToolExecutable.xcconfig: 11558 * JavaScriptCore.xcodeproj/project.pbxproj: 11559 115602013-02-07 Brent Fulgham <bfulgham@webkit.org> 11561 11562 [Windows] Unreviewed Visual Studio 2010 build fixes after r142179. 11563 11564 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Correct changed symbols 11565 * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Removed autogenerated file. 
11566 115672013-02-05 Filip Pizlo <fpizlo@apple.com> 11568 11569 DFG::ByteCodeParser should do surgical constant folding to reduce load on the optimization fixpoint 11570 https://bugs.webkit.org/show_bug.cgi?id=109000 11571 11572 Reviewed by Oliver Hunt. 11573 11574 Previously our source parser's ASTBuilder did some surgical constant folding, but it 11575 didn't cover some cases. It was particularly incapable of doing constant folding for 11576 cases where we do some minimal loop peeling in the bytecode generator - since it 11577 didn't "see" those constants prior to the peeling. Example: 11578 11579 for (var i = 0; i < 4; ++i) 11580 things; 11581 11582 This will get peeled just a bit by the bytecode generator, so that the "i < 4" is 11583 duplicated both at the top of the loop and the bottom. This means that we have a 11584 constant comparison: "0 < 4", which the bytecode generator emits without any further 11585 thought. 11586 11587 The DFG optimization fixpoint of course folds this and simplifies the CFG 11588 accordingly, but this incurs a compile-time cost. The purpose of this change is to 11589 do some surgical constant folding in the DFG's bytecode parser, so that such 11590 constructs reduce load on the CFG simplifier and the optimization fixpoint. The goal 11591 is not to cover all cases, since the DFG CFA and CFG simplifier have a powerful 11592 sparse conditional constant propagation that we can always fall back on. Instead the 11593 goal is to cover enough cases that for common small functions we don't have to 11594 perform such transformations, thereby reducing compile times. 11595 11596 This also refactors m_inlineStackEntry->m_inlineCallFrame to be a handy method call 11597 and also adds the notion of a TriState-based JSValue::pureToBoolean(). Both of these 11598 things are used by the folder. 
11599 11600 As well, care has been taken to make sure that the bytecode parser only does folding 11601 that is statically provable, and that doesn't arise out of speculation. This means 11602 we cannot fold on data flow that crosses inlining boundaries. On the other hand, the 11603 folding that the bytecode parser uses doesn't require phantoming anything. Such is 11604 the trade-off: for anything that we do need phantoming, we defer it to the 11605 optimization fixpoint. 11606 11607 Slight SunSpider speed-up. 11608 11609 * dfg/DFGByteCodeParser.cpp: 11610 (JSC::DFG::ByteCodeParser::get): 11611 (JSC::DFG::ByteCodeParser::getLocal): 11612 (JSC::DFG::ByteCodeParser::setLocal): 11613 (JSC::DFG::ByteCodeParser::flushDirect): 11614 (JSC::DFG::ByteCodeParser::flushArgumentsAndCapturedVariables): 11615 (JSC::DFG::ByteCodeParser::toInt32): 11616 (ByteCodeParser): 11617 (JSC::DFG::ByteCodeParser::inlineCallFrame): 11618 (JSC::DFG::ByteCodeParser::currentCodeOrigin): 11619 (JSC::DFG::ByteCodeParser::canFold): 11620 (JSC::DFG::ByteCodeParser::handleInlining): 11621 (JSC::DFG::ByteCodeParser::getScope): 11622 (JSC::DFG::ByteCodeParser::parseResolveOperations): 11623 (JSC::DFG::ByteCodeParser::parseBlock): 11624 (JSC::DFG::ByteCodeParser::parseCodeBlock): 11625 * dfg/DFGNode.h: 11626 (JSC::DFG::Node::isStronglyProvedConstantIn): 11627 (Node): 11628 * runtime/JSCJSValue.h: 11629 * runtime/JSCJSValueInlines.h: 11630 (JSC::JSValue::pureToBoolean): 11631 (JSC): 11632 116332013-02-07 Zoltan Herczeg <zherczeg@webkit.org> 11634 11635 Invalid code is generated for storing constants with baseindex addressing modes on ARM traditional. 11636 https://bugs.webkit.org/show_bug.cgi?id=109050 11637 11638 Reviewed by Oliver Hunt. 11639 11640 The S! scratch register is reused, but it should contain the constant value. 
11641 11642 * assembler/ARMAssembler.cpp: 11643 (JSC::ARMAssembler::baseIndexTransfer32): 11644 (JSC::ARMAssembler::baseIndexTransfer16): 11645 116462013-02-07 Andras Becsi <andras.becsi@digia.com> 11647 11648 [Qt] Use GNU ar's thin archive format for intermediate static libs 11649 https://bugs.webkit.org/show_bug.cgi?id=109052 11650 11651 Reviewed by Jocelyn Turcotte. 11652 11653 Adjust project files that used activeBuildConfig() 11654 to use targetSubDir(). 11655 11656 * JavaScriptCore.pri: 11657 * LLIntOffsetsExtractor.pro: 11658 * Target.pri: 11659 116602013-02-06 Roger Fong <roger_fong@apple.com> 11661 11662 Unreviewed. Touchups to VS2010 WebKit solution. 11663 Fix an export generator script, modify some property sheets, add resouce file. 11664 11665 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorDebug.props: 11666 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd: 11667 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props: 11668 * JavaScriptCore.vcxproj/resource.h: Added. 11669 116702013-02-06 Ilya Tikhonovsky <loislo@chromium.org> 11671 11672 Web Inspector: Native Memory Instrumentation: assign class name to the heap graph node automatically 11673 https://bugs.webkit.org/show_bug.cgi?id=107262 11674 11675 Reviewed by Yury Semikhatsky. 11676 11677 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: 11678 116792013-02-06 Mike West <mkwst@chromium.org> 11680 11681 Add an ENABLE_NOSNIFF feature flag. 11682 https://bugs.webkit.org/show_bug.cgi?id=109029 11683 11684 Reviewed by Jochen Eisinger. 11685 11686 This new flag will control the behavior of 'X-Content-Type-Options: nosniff' 11687 when processing script and other resource types. 
11688 11689 * Configurations/FeatureDefines.xcconfig: 11690 116912013-02-05 Mark Hahnenberg <mhahnenberg@apple.com> 11692 11693 put_to_base should emit a Phantom for "value" across the ForceOSRExit 11694 https://bugs.webkit.org/show_bug.cgi?id=108998 11695 11696 Reviewed by Oliver Hunt. 11697 11698 Otherwise, the OSR exit compiler could clobber it, which would lead to badness. 11699 11700 * bytecode/CodeBlock.cpp: 11701 (JSC::CodeBlock::tallyFrequentExitSites): Build fixes for when DFG debug logging is enabled. 11702 * dfg/DFGByteCodeParser.cpp: 11703 (JSC::DFG::ByteCodeParser::parseBlock): Added extra Phantoms for the "value" field where needed. 11704 * dfg/DFGSpeculativeJIT.cpp: 11705 (JSC::DFG::SpeculativeJIT::compile): Ditto. 11706 117072013-02-05 Michael Saboff <msaboff@apple.com> 11708 11709 Crash at JSC::call when loading www.gap.com with JSVALUE32_64 Enabled 11710 https://bugs.webkit.org/show_bug.cgi?id=108991 11711 11712 Reviewed by Oliver Hunt. 11713 11714 Changed the restoration from calleeGPR to nonArgGPR0 because the restoration of the return location 11715 may step on calleeGPR is it happen to be nonArgGPR2. 11716 11717 * dfg/DFGRepatch.cpp: 11718 (JSC::DFG::dfgLinkClosureCall): 11719 117202013-02-05 Roger Fong <roger_fong@apple.com> 11721 11722 Add a JavaScriptCore Export Generator project. 11723 https://bugs.webkit.org/show_bug.cgi?id=108971. 11724 11725 Reviewed by Brent Fulgham. 11726 11727 * JavaScriptCore.vcxproj/JavaScriptCore.sln: 11728 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 11729 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 11730 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: 11731 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator: Added. 11732 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj: Added. 11733 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters: Added. 
11734 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.user: Added. 11735 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorBuildCmd.cmd: Added. 11736 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props: Added. 11737 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorDebug.props: Added. 11738 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd: Added. 11739 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPreBuild.cmd: Added. 11740 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props: Added. 11741 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Added. 11742 117432013-02-04 Filip Pizlo <fpizlo@apple.com> 11744 11745 DFG should have a precise view of jump targets 11746 https://bugs.webkit.org/show_bug.cgi?id=108868 11747 11748 Reviewed by Oliver Hunt. 11749 11750 Previously, the DFG relied entirely on the CodeBlock's jump targets list for 11751 determining when to break basic blocks. This worked great, except sometimes it 11752 would be too conservative since the CodeBlock just says where the bytecode 11753 generator inserted labels. 11754 11755 This change keeps the old jump target list in CodeBlock since it is still 11756 valuable to the baseline JIT, but switches the DFG to use its own jump target 11757 calculator. This ought to reduce pressure on the DFG simplifier, which would 11758 previously do a lot of work to try to merge redundantly created basic blocks. 11759 It appears to be a 1% progression on SunSpider. 11760 11761 * CMakeLists.txt: 11762 * GNUmakefile.list.am: 11763 * JavaScriptCore.xcodeproj/project.pbxproj: 11764 * Target.pri: 11765 * bytecode/PreciseJumpTargets.cpp: Added. 
11766 (JSC): 11767 (JSC::addSimpleSwitchTargets): 11768 (JSC::computePreciseJumpTargets): 11769 * bytecode/PreciseJumpTargets.h: Added. 11770 (JSC): 11771 * dfg/DFGByteCodeParser.cpp: 11772 (JSC::DFG::ByteCodeParser::parseCodeBlock): 11773 117742013-02-01 Roger Fong <roger_fong@apple.com> 11775 11776 Make ConfigurationBuildDir include directories precede WebKitLibraries in JSC. 11777 https://bugs.webkit.org/show_bug.cgi?id=108693. 11778 11779 Rubberstamped by Timothy Horton. 11780 11781 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops: 11782 117832013-02-04 Mark Hahnenberg <mhahnenberg@apple.com> 11784 11785 Structure::m_outOfLineCapacity is unnecessary 11786 https://bugs.webkit.org/show_bug.cgi?id=108206 11787 11788 Reviewed by Darin Adler. 11789 11790 Simplifying the utility functions that we use since we don't need a 11791 bunch of fancy templates for this one specific call site. 11792 11793 * runtime/Structure.h: 11794 (JSC::Structure::outOfLineCapacity): 11795 117962013-02-05 Mark Hahnenberg <mhahnenberg@apple.com> 11797 11798 Objective-C API: testapi.mm should use ARC 11799 https://bugs.webkit.org/show_bug.cgi?id=107838 11800 11801 Reviewed by Oliver Hunt. 11802 11803 In ToT testapi.mm uses the Obj-C garbage collector, which hides a lot of our object lifetime bugs. 11804 We should enable ARC, since that is what most of our clients will be using. We use Xcode project 11805 settings to make sure we don't try to compile ARC on 32-bit. 11806 11807 * API/tests/testapi.mm: 11808 (+[TestObject testObject]): 11809 (testObjectiveCAPI): 11810 * JavaScriptCore.xcodeproj/project.pbxproj: 11811 118122013-02-05 Brent Fulgham <bfulgham@webkit.org> 11813 11814 [Windows] Unreviewed VS2010 Build Correction after r141651 11815 11816 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing 11817 StructureRareData.h and StructureRareData.cpp files. 11818 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto. 
11819 118202013-02-05 Michael Saboff <msaboff@apple.com> 11821 11822 r141788 won't build due to not having all changes needed by Node* change 11823 https://bugs.webkit.org/show_bug.cgi?id=108944 11824 11825 Reviewed by David Kilzer. 11826 11827 Fixed three instances of integerResult(..., m_compileIndex) to be integerResult(..., node). 11828 11829 * dfg/DFGSpeculativeJIT.cpp: 11830 (JSC::DFG::SpeculativeJIT::compileSoftModulo): 11831 (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARMv7s): 11832 118332013-02-04 Sheriff Bot <webkit.review.bot@gmail.com> 11834 11835 Unreviewed, rolling out r141809. 11836 http://trac.webkit.org/changeset/141809 11837 https://bugs.webkit.org/show_bug.cgi?id=108860 11838 11839 ARC isn't supported on 32-bit. (Requested by mhahnenberg on 11840 #webkit). 11841 11842 * API/tests/testapi.mm: 11843 (+[TestObject testObject]): 11844 (testObjectiveCAPI): 11845 * JavaScriptCore.xcodeproj/project.pbxproj: 11846 118472013-02-04 Mark Hahnenberg <mhahnenberg@apple.com> 11848 11849 Objective-C API: testapi.mm should use ARC 11850 https://bugs.webkit.org/show_bug.cgi?id=107838 11851 11852 Reviewed by Oliver Hunt. 11853 11854 In ToT testapi.mm uses the Obj-C garbage collector, which hides a lot of our object lifetime bugs. 11855 We should enable ARC, since that is what most of our clients will be using. 11856 11857 * API/tests/testapi.mm: 11858 (-[TestObject init]): 11859 (-[TestObject dealloc]): 11860 (+[TestObject testObject]): 11861 (testObjectiveCAPI): 11862 * JavaScriptCore.xcodeproj/project.pbxproj: 11863 118642013-02-04 Mark Hahnenberg <mhahnenberg@apple.com> 11865 11866 Objective-C API: ObjCCallbackFunction should retain the target of its NSInvocation 11867 https://bugs.webkit.org/show_bug.cgi?id=108843 11868 11869 Reviewed by Darin Adler. 11870 11871 Currently, ObjCCallbackFunction doesn't retain the target of its NSInvocation. It needs to do 11872 this to prevent crashes when trying to invoke a callback later on. 
11873 11874 * API/ObjCCallbackFunction.mm: 11875 (ObjCCallbackFunction::ObjCCallbackFunction): 11876 (ObjCCallbackFunction::~ObjCCallbackFunction): 11877 118782013-02-04 Martin Robinson <mrobinson@igalia.com> 11879 11880 Fix GTK+ 'make dist' in preparation for the 1.11.5 release. 11881 11882 * GNUmakefile.list.am: Update the source lists. 11883 118842013-02-04 Michael Saboff <msaboff@apple.com> 11885 11886 For ARMv7s use integer divide instruction for divide and modulo when possible 11887 https://bugs.webkit.org/show_bug.cgi?id=108840 11888 11889 Reviewed in person by Filip Pizlo. 11890 11891 Added ARMv7s integer divide path for ArithDiv and ArithMod where operands and results are integer. 11892 This is patterned after the similar code for X86. Also added modulo power of 2 optimization 11893 that uses logical and. Added sdiv and udiv to the ARMv7 disassembler. Put all the changes 11894 behind #if CPU(APPLE_ARMV7S). 11895 11896 * assembler/ARMv7Assembler.h: 11897 (ARMv7Assembler): 11898 (JSC::ARMv7Assembler::sdiv): 11899 (JSC::ARMv7Assembler::udiv): 11900 * dfg/DFGCommon.h: 11901 (JSC::DFG::isARMv7s): 11902 * dfg/DFGFixupPhase.cpp: 11903 (JSC::DFG::FixupPhase::fixupNode): 11904 * dfg/DFGSpeculativeJIT.cpp: 11905 (JSC::DFG::SpeculativeJIT::compileSoftModulo): 11906 (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARMv7s): 11907 * dfg/DFGSpeculativeJIT.h: 11908 (SpeculativeJIT): 11909 * dfg/DFGSpeculativeJIT32_64.cpp: 11910 (JSC::DFG::SpeculativeJIT::compile): 11911 119122013-02-04 David Kilzer <ddkilzer@apple.com> 11913 11914 Check PrivateHeaders/JSBasePrivate.h for inappropriate macros 11915 <http://webkit.org/b/108749> 11916 11917 Reviewed by Joseph Pecoraro. 11918 11919 * JavaScriptCore.xcodeproj/project.pbxproj: Add 11920 PrivateHeaders/JSBasePrivate.h to list of headers to check in 11921 "Check for Inappropriate Macros in External Headers" build phase 11922 script. 
11923 119242013-02-04 David Kilzer <ddkilzer@apple.com> 11925 11926 Remove duplicate entries from JavaScriptCore Xcode project 11927 11928 $ uniq Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj | diff -u - Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj | patch -p0 -R 11929 patching file Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 11930 11931 * JavaScriptCore.xcodeproj/project.pbxproj: Remove duplicates. 11932 119332013-02-04 David Kilzer <ddkilzer@apple.com> 11934 11935 Sort JavaScriptCore Xcode project file 11936 11937 * JavaScriptCore.xcodeproj/project.pbxproj: 11938 119392013-02-03 David Kilzer <ddkilzer@apple.com> 11940 11941 Upstream ENABLE_PDFKIT_PLUGIN settting 11942 <http://webkit.org/b/108792> 11943 11944 Reviewed by Tim Horton. 11945 11946 * Configurations/FeatureDefines.xcconfig: Disable PDFKIT_PLUGIN 11947 on iOS since PDFKit is a Mac-only framework. 11948 119492013-02-02 Andreas Kling <akling@apple.com> 11950 11951 Vector should consult allocator about ideal size when choosing capacity. 11952 <http://webkit.org/b/108410> 11953 <rdar://problem/13124002> 11954 11955 Reviewed by Benjamin Poulain. 11956 11957 Remove assertion about Vector capacity that won't hold anymore since capacity() 11958 may not be what you passed to reserveCapacity(). 11959 Also export WTF::fastMallocGoodSize() for Windows builds. 11960 11961 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: 11962 * bytecode/CodeBlock.cpp: 11963 (JSC::CodeBlock::CodeBlock): 11964 119652013-02-02 Patrick Gansterer <paroga@webkit.org> 11966 11967 [CMake] Adopt the WinCE port to new CMake 11968 https://bugs.webkit.org/show_bug.cgi?id=108754 11969 11970 Reviewed by Laszlo Gombos. 11971 11972 * os-win32/WinMain.cpp: Removed. 11973 * shell/PlatformWinCE.cmake: Removed. 
11974 119752013-02-02 Mark Rowe <mrowe@apple.com> 11976 11977 <http://webkit.org/b/108745> WTF shouldn't use a script build phase to detect the presence of headers when the compiler can do it for us 11978 11979 Reviewed by Sam Weinig. 11980 11981 * DerivedSources.make: Remove an obsolete Makefile rule. This should have been removed when the use 11982 of the generated file moved to WTF. 11983 119842013-02-02 David Kilzer <ddkilzer@apple.com> 11985 11986 Upstream iOS FeatureDefines 11987 <http://webkit.org/b/108753> 11988 11989 Reviewed by Anders Carlsson. 11990 11991 * Configurations/FeatureDefines.xcconfig: 11992 - ENABLE_DEVICE_ORIENTATION: Add iOS configurations. 11993 - ENABLE_PLUGIN_PROXY_FOR_VIDEO: Ditto. 11994 - FEATURE_DEFINES: Add ENABLE_PLUGIN_PROXY_FOR_VIDEO. Add 11995 PLATFORM_NAME variant to reduce future merge conflicts. 11996 119972013-02-01 Mark Hahnenberg <mhahnenberg@apple.com> 11998 11999 Structure::m_enumerationCache should be moved to StructureRareData 12000 https://bugs.webkit.org/show_bug.cgi?id=108723 12001 12002 Reviewed by Oliver Hunt. 12003 12004 m_enumerationCache is only used by objects whose properties are iterated over, so not every Structure needs this 12005 field and it can therefore be moved safely to StructureRareData to help with memory savings. 12006 12007 * runtime/JSPropertyNameIterator.h: 12008 (JSPropertyNameIterator): 12009 (JSC::Register::propertyNameIterator): 12010 (JSC::StructureRareData::enumerationCache): Add to JSPropertyNameIterator.h so that it can see the correct type. 12011 (JSC::StructureRareData::setEnumerationCache): Ditto. 12012 * runtime/Structure.cpp: 12013 (JSC::Structure::addPropertyWithoutTransition): Use the enumerationCache() getter rather than accessing the field. 12014 (JSC::Structure::removePropertyWithoutTransition): Ditto. 12015 (JSC::Structure::visitChildren): We no longer have to worry about marking the m_enumerationCache field. 
12016 * runtime/Structure.h: 12017 (JSC::Structure::setEnumerationCache): Move the old accessors back since we don't have to have any knowledge of 12018 the JSPropertyNameIterator type. 12019 (JSC::Structure::enumerationCache): Ditto. 12020 * runtime/StructureRareData.cpp: 12021 (JSC::StructureRareData::visitChildren): Mark the new m_enumerationCache field. 12022 * runtime/StructureRareData.h: Add new functions/fields. 12023 (StructureRareData): 12024 120252013-02-01 Roger Fong <roger_fong@apple.com> 12026 12027 Unreviewed. JavaScriptCore VS2010 project cleanup. 12028 12029 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 12030 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 12031 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: 12032 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: 12033 120342013-02-01 Sheriff Bot <webkit.review.bot@gmail.com> 12035 12036 Unreviewed, rolling out r141662. 12037 http://trac.webkit.org/changeset/141662 12038 https://bugs.webkit.org/show_bug.cgi?id=108738 12039 12040 it's an incorrect change since processPhiStack will 12041 dereference dangling BasicBlock pointers (Requested by pizlo 12042 on #webkit). 12043 12044 * dfg/DFGByteCodeParser.cpp: 12045 (JSC::DFG::ByteCodeParser::parse): 12046 120472013-02-01 Filip Pizlo <fpizlo@apple.com> 12048 12049 Eliminate dead blocks sooner in the DFG::ByteCodeParser to make clear that you don't need to hold onto them during Phi construction 12050 https://bugs.webkit.org/show_bug.cgi?id=108717 12051 12052 Reviewed by Mark Hahnenberg. 12053 12054 I think this makes the code clearer. It doesn't change behavior. 12055 12056 * dfg/DFGByteCodeParser.cpp: 12057 (JSC::DFG::ByteCodeParser::parse): 12058 120592013-02-01 Mark Hahnenberg <mhahnenberg@apple.com> 12060 12061 Structure should have a StructureRareData field to save space 12062 https://bugs.webkit.org/show_bug.cgi?id=108659 12063 12064 Reviewed by Oliver Hunt. 
12065 12066 Many of the fields in Structure are used in a subset of all total Structures; however, all Structures must 12067 pay the memory cost of those fields, regardless of whether they use them or not. Since we can have potentially 12068 many Structures on a single page (e.g. bing.com creates ~1500 Structures), it would be profitable to 12069 refactor Structure so that not every Structure has to pay the memory costs for these infrequently used fields. 12070 12071 To accomplish this, we can create a new StructureRareData class to house these seldom used fields which we 12072 can allocate on demand whenever a Structure requires it. This StructureRareData can itself be a JSCell, and 12073 can do all the marking of the fields for the Structure. The StructureRareData field will be part of a union 12074 with m_previous to minimize overhead. We'll add a new field to JSTypeInfo to indicate that the Structure has 12075 a StructureRareData field. During transitions, a Structure will clone its previous Structure's StructureRareData 12076 if it has one. There could be some potential for optimizing this process, but the initial implementation will 12077 be dumb since we'd be paying these overhead costs for each Structure anyways. 12078 12079 Initially we'll only put two fields in the StructureRareData to avoid a memory regression. Over time we'll 12080 continue to move fields from Structure to StructureRareData. Optimistically, this could potentially reduce our 12081 Structure memory footprint by up to around 75%. It could also clear the way for removing destructors from 12082 Structures (and into StructureRareData). 12083 12084 * CMakeLists.txt: 12085 * GNUmakefile.list.am: 12086 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: 12087 * JavaScriptCore.xcodeproj/project.pbxproj: 12088 * Target.pri: 12089 * dfg/DFGRepatch.cpp: Includes for linking purposes. 
12090 * jit/JITStubs.cpp: 12091 * jsc.cpp: 12092 * llint/LLIntSlowPaths.cpp: 12093 * runtime/JSCellInlines.h: Added ifdef guards. 12094 * runtime/JSGlobalData.cpp: New Structure for StructureRareData class. 12095 (JSC::JSGlobalData::JSGlobalData): 12096 * runtime/JSGlobalData.h: 12097 (JSGlobalData): 12098 * runtime/JSGlobalObject.h: 12099 * runtime/JSTypeInfo.h: New flag to indicate whether or not a Structure has a StructureRareData field. 12100 (JSC::TypeInfo::flags): 12101 (JSC::TypeInfo::structureHasRareData): 12102 * runtime/ObjectPrototype.cpp: 12103 * runtime/Structure.cpp: We use a combined WriteBarrier<JSCell> field m_previousOrRareData to avoid compiler issues. 12104 (JSC::Structure::dumpStatistics): 12105 (JSC::Structure::Structure): 12106 (JSC::Structure::materializePropertyMap): 12107 (JSC::Structure::addPropertyTransition): 12108 (JSC::Structure::nonPropertyTransition): 12109 (JSC::Structure::pin): 12110 (JSC::Structure::allocateRareData): Handles allocating a brand new StructureRareData field. 12111 (JSC::Structure::cloneRareDataFrom): Handles cloning a StructureRareData field from another. Used during Structure 12112 transitions. 12113 (JSC::Structure::visitChildren): We no longer have to worry about marking m_objectToStringValue. 12114 * runtime/Structure.h: 12115 (JSC::Structure::previousID): Checks the structureHasRareData flag to see where it should get the previous Structure. 12116 (JSC::Structure::objectToStringValue): Reads the value from the StructureRareData. If it doesn't exist, returns 0. 12117 (JSC::Structure::setObjectToStringValue): Ensures that we have a StructureRareData field, then forwards the function 12118 call to it. 12119 (JSC::Structure::materializePropertyMapIfNecessary): 12120 (JSC::Structure::setPreviousID): Checks for StructureRareData and forwards if necessary. 12121 (Structure): 12122 (JSC::Structure::clearPreviousID): Ditto. 12123 (JSC::Structure::create): 12124 * runtime/StructureRareData.cpp: Added. 
All of the basic functionality of a JSCell with the fields that we've moved 12125 from Structure and the functions required to access/modify those fields as Structure would have done. 12126 (JSC): 12127 (JSC::StructureRareData::createStructure): 12128 (JSC::StructureRareData::create): 12129 (JSC::StructureRareData::clone): 12130 (JSC::StructureRareData::StructureRareData): 12131 (JSC::StructureRareData::visitChildren): 12132 * runtime/StructureRareData.h: Added. 12133 (JSC): 12134 (StructureRareData): 12135 * runtime/StructureRareDataInlines.h: Added. 12136 (JSC): 12137 (JSC::StructureRareData::previousID): 12138 (JSC::StructureRareData::setPreviousID): 12139 (JSC::StructureRareData::clearPreviousID): 12140 (JSC::Structure::previous): Handles the ugly casting to get the value of the right type of m_previousOrRareData. 12141 (JSC::Structure::rareData): Ditto. 12142 (JSC::StructureRareData::objectToStringValue): 12143 (JSC::StructureRareData::setObjectToStringValue): 12144 12145 * CMakeLists.txt: 12146 * GNUmakefile.list.am: 12147 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: 12148 * JavaScriptCore.xcodeproj/project.pbxproj: 12149 * Target.pri: 12150 * dfg/DFGRepatch.cpp: 12151 * jit/JITStubs.cpp: 12152 * jsc.cpp: 12153 * llint/LLIntSlowPaths.cpp: 12154 * runtime/JSCellInlines.h: 12155 * runtime/JSGlobalData.cpp: 12156 (JSC::JSGlobalData::JSGlobalData): 12157 * runtime/JSGlobalData.h: 12158 (JSGlobalData): 12159 * runtime/JSGlobalObject.h: 12160 * runtime/JSTypeInfo.h: 12161 (JSC): 12162 (JSC::TypeInfo::flags): 12163 (JSC::TypeInfo::structureHasRareData): 12164 * runtime/ObjectPrototype.cpp: 12165 * runtime/Structure.cpp: 12166 (JSC::Structure::dumpStatistics): 12167 (JSC::Structure::Structure): 12168 (JSC::Structure::materializePropertyMap): 12169 (JSC::Structure::addPropertyTransition): 12170 (JSC::Structure::nonPropertyTransition): 12171 (JSC::Structure::pin): 12172 (JSC::Structure::allocateRareData): 12173 (JSC): 12174 
(JSC::Structure::cloneRareDataFrom): 12175 (JSC::Structure::visitChildren): 12176 * runtime/Structure.h: 12177 (JSC::Structure::previousID): 12178 (JSC::Structure::objectToStringValue): 12179 (JSC::Structure::setObjectToStringValue): 12180 (JSC::Structure::materializePropertyMapIfNecessary): 12181 (JSC::Structure::setPreviousID): 12182 (Structure): 12183 (JSC::Structure::clearPreviousID): 12184 (JSC::Structure::previous): 12185 (JSC::Structure::rareData): 12186 (JSC::Structure::create): 12187 * runtime/StructureRareData.cpp: Added. 12188 (JSC): 12189 (JSC::StructureRareData::createStructure): 12190 (JSC::StructureRareData::create): 12191 (JSC::StructureRareData::clone): 12192 (JSC::StructureRareData::StructureRareData): 12193 (JSC::StructureRareData::visitChildren): 12194 * runtime/StructureRareData.h: Added. 12195 (JSC): 12196 (StructureRareData): 12197 * runtime/StructureRareDataInlines.h: Added. 12198 (JSC): 12199 (JSC::StructureRareData::previousID): 12200 (JSC::StructureRareData::setPreviousID): 12201 (JSC::StructureRareData::clearPreviousID): 12202 (JSC::StructureRareData::objectToStringValue): 12203 (JSC::StructureRareData::setObjectToStringValue): 12204 122052013-02-01 Balazs Kilvady <kilvadyb@homejinni.com> 12206 12207 offlineasm BaseIndex handling is broken on ARM due to MIPS changes 12208 https://bugs.webkit.org/show_bug.cgi?id=108261 12209 12210 Reviewed by Filip Pizlo. 12211 12212 offlineasm BaseIndex handling fix on MIPS. 12213 12214 * offlineasm/mips.rb: 12215 * offlineasm/risc.rb: 12216 122172013-02-01 Geoffrey Garen <ggaren@apple.com> 12218 12219 Removed an unused function: JSGlobalObject::createFunctionExecutableFromGlobalCode 12220 https://bugs.webkit.org/show_bug.cgi?id=108657 12221 12222 Reviewed by Anders Carlsson. 
12223 12224 * runtime/JSGlobalObject.cpp: 12225 (JSC): 12226 * runtime/JSGlobalObject.h: 12227 (JSGlobalObject): 12228 122292013-02-01 Geoffrey Garen <ggaren@apple.com> 12230 12231 Added TriState to WTF and started using it in one place 12232 https://bugs.webkit.org/show_bug.cgi?id=108628 12233 12234 Reviewed by Beth Dakin. 12235 12236 * runtime/PrototypeMap.h: 12237 (JSC::PrototypeMap::isPrototype): Use TriState instead of boolean. In 12238 response to review feedback, this is an attempt to clarify that our 12239 'true' condition is actually just a 'maybe'. 12240 12241 * runtime/PrototypeMap.h: 12242 (PrototypeMap): 12243 (JSC::PrototypeMap::isPrototype): 12244 122452013-02-01 Alexis Menard <alexis@webkit.org> 12246 12247 Enable unprefixed CSS transitions by default. 12248 https://bugs.webkit.org/show_bug.cgi?id=108216 12249 12250 Reviewed by Dean Jackson. 12251 12252 Rename the flag CSS_TRANSFORMS_ANIMATIONS_TRANSITIONS_UNPREFIXED 12253 to CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED which will be used later to 12254 guard the unprefixing work for CSS Transforms and animations. 12255 12256 * Configurations/FeatureDefines.xcconfig: 12257 122582013-01-31 Filip Pizlo <fpizlo@apple.com> 12259 12260 DFG::CFGSimplificationPhase::keepOperandAlive() conflates liveness and availability 12261 https://bugs.webkit.org/show_bug.cgi?id=108580 12262 12263 Reviewed by Oliver Hunt. 12264 12265 This is a harmless bug in that it only results in us keeping a bit too many things 12266 for OSR. But it's worth fixing so that the code is consistent. 12267 12268 keepOperandAlive() is called when block A has a branch to blocks B and C, but the 12269 A->B edge is proven to never be taken and we want to optimize the code to have A 12270 unconditionally jump to C. In that case, for the purposes of OSR, we need to 12271 preserve the knowledge that the state that B expected to be live incoming from A 12272 ought still to be live up to the point of where the A->B,C branch used to be. 
The 12273 way we keep things alive is by using the variablesAtTail of A (i.e., we use the 12274 knowledge of in what manner A made state available to B and C). The way we choose 12275 which state should be kept alive ought to be chosen by the variablesAtHead of B 12276 (i.e. the things B says it needs from its predecessors, including A), except that 12277 keepOperandAlive() was previously just using variablesAtTail of A for this 12278 purpose. 12279 12280 The fix is to have keepOperandAlive() use both liveness and availability in its 12281 logic. It should use liveness (i.e. B->variablesAtHead) to decide what to keep 12282 alive, and it should use availability (i.e. A->variablesAtTail) to decide how to 12283 keep it alive. 12284 12285 This might be a microscopic win on some programs, but it's mainly intended to be 12286 a code clean-up so that I don't end up scratching my head in confusion the next 12287 time I look at this code. 12288 12289 * dfg/DFGCFGSimplificationPhase.cpp: 12290 (JSC::DFG::CFGSimplificationPhase::keepOperandAlive): 12291 (JSC::DFG::CFGSimplificationPhase::jettisonBlock): 12292 (JSC::DFG::CFGSimplificationPhase::mergeBlocks): 12293 122942013-01-31 Geoffrey Garen <ggaren@apple.com> 12295 12296 REGRESSION (r141192): Crash beneath cti_op_get_by_id_generic @ discussions.apple.com 12297 https://bugs.webkit.org/show_bug.cgi?id=108576 12298 12299 Reviewed by Filip Pizlo. 12300 12301 This was a long-standing bug. The DFG would destructively reuse a register 12302 in op_convert_this, but: 12303 12304 * The bug only presented during speculation failure for type Other 12305 12306 * The bug presented by removing the low bits of a pointer, which 12307 used to be harmless, since all objects were so aligned anyway. 12308 12309 * dfg/DFGSpeculativeJIT64.cpp: 12310 (JSC::DFG::SpeculativeJIT::compile): Don't reuse our this register as 12311 our scratch register. The whole point of our scratch register is to 12312 avoid destructively modifying our this register. 
I'm pretty sure this 12313 was a copy-paste error. 12314 123152013-01-31 Roger Fong <roger_fong@apple.com> 12316 12317 Unreviewed. Windows build fix. 12318 12319 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: 12320 123212013-01-31 Jessie Berlin <jberlin@apple.com> 12322 12323 Rolling out r141407 because it is causing crashes under 12324 WTF::TCMalloc_Central_FreeList::FetchFromSpans() in Release builds. 12325 12326 * bytecode/CodeBlock.cpp: 12327 (JSC::CodeBlock::CodeBlock): 12328 123292013-01-31 Mark Hahnenberg <mhahnenberg@apple.com> 12330 12331 Objective-C API: JSContext exception property causes reference cycle 12332 https://bugs.webkit.org/show_bug.cgi?id=107778 12333 12334 Reviewed by Darin Adler. 12335 12336 JSContext has a (retain) JSValue * exception property which, when non-null, creates a 12337 reference cycle (since the JSValue * holds a strong reference back to the JSContext *). 12338 12339 * API/JSContext.mm: Instead of JSValue *, we now use a plain JSValueRef, which eliminates the reference cycle. 12340 (-[JSContext initWithVirtualMachine:]): 12341 (-[JSContext setException:]): 12342 (-[JSContext exception]): 12343 123442013-01-31 Roger Fong <roger_fong@apple.com> 12345 12346 Unreviewed build fix. Win7 port. 12347 12348 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: 12349 123502013-01-31 Joseph Pecoraro <pecoraro@apple.com> 12351 12352 Disable ENABLE_FULLSCREEN_API on iOS 12353 https://bugs.webkit.org/show_bug.cgi?id=108250 12354 12355 Reviewed by Benjamin Poulain. 12356 12357 * Configurations/FeatureDefines.xcconfig: 12358 123592013-01-31 Mark Hahnenberg <mhahnenberg@apple.com> 12360 12361 Objective-C API: Fix insertion of values greater than the max index allowed by the spec 12362 https://bugs.webkit.org/show_bug.cgi?id=108264 12363 12364 Reviewed by Oliver Hunt. 12365 12366 Fixed a bug, added a test to the API tests, cleaned up some code. 
12367 12368 * API/JSValue.h: Changed some of the documentation on setValue:atIndex: to indicate that 12369 setting values at indices greater than UINT_MAX - 1 wont' affect the length of JS arrays. 12370 * API/JSValue.mm: 12371 (-[JSValue valueAtIndex:]): We weren't returning when we should have been. 12372 (-[JSValue setValue:atIndex:]): Added a comment about why we do the early check for being larger than UINT_MAX. 12373 (objectToValueWithoutCopy): Removed two redundant cases that were already checked previously. 12374 * API/tests/testapi.mm: 12375 123762013-01-30 Andreas Kling <akling@apple.com> 12377 12378 Vector should consult allocator about ideal size when choosing capacity. 12379 <http://webkit.org/b/108410> 12380 <rdar://problem/13124002> 12381 12382 Reviewed by Benjamin Poulain. 12383 12384 Remove assertion about Vector capacity that won't hold anymore since capacity() 12385 may not be what you passed to reserveCapacity(). 12386 12387 * bytecode/CodeBlock.cpp: 12388 (JSC::CodeBlock::CodeBlock): 12389 123902013-01-30 Filip Pizlo <fpizlo@apple.com> 12391 12392 DFG bytecode parser should have more assertions about the status of local accesses 12393 https://bugs.webkit.org/show_bug.cgi?id=108417 12394 12395 Reviewed by Mark Hahnenberg. 12396 12397 Assert some things that we already know to be true, just to reassure ourselves that they are true. 12398 This is meant as a prerequisite for https://bugs.webkit.org/show_bug.cgi?id=108414, which will 12399 make these rules even stricter. 12400 12401 * dfg/DFGByteCodeParser.cpp: 12402 (JSC::DFG::ByteCodeParser::getLocal): 12403 (JSC::DFG::ByteCodeParser::getArgument): 12404 124052013-01-30 Mark Hahnenberg <mhahnenberg@apple.com> 12406 12407 Objective-C API: JSContext's dealloc causes ASSERT due to ordering of releases 12408 https://bugs.webkit.org/show_bug.cgi?id=107978 12409 12410 Reviewed by Filip Pizlo. 
12411 12412 We need to add the Identifier table save/restore in JSContextGroupRelease so that we 12413 have the correct table if we end up destroying the JSGlobalData/Heap. 12414 12415 * API/JSContextRef.cpp: 12416 (JSContextGroupRelease): 12417 124182013-01-30 Mark Hahnenberg <mhahnenberg@apple.com> 12419 12420 Objective-C API: exceptionHandler needs to be released in JSContext dealloc 12421 https://bugs.webkit.org/show_bug.cgi?id=108378 12422 12423 Reviewed by Filip Pizlo. 12424 12425 JSContext has a (copy) exceptionHandler property that it doesn't release in dealloc. 12426 That sounds like the potential for a leak. It should be released. 12427 12428 * API/JSContext.mm: 12429 (-[JSContext dealloc]): 12430 124312013-01-30 Filip Pizlo <fpizlo@apple.com> 12432 12433 REGRESSION(140504): pure CSE no longer matches things, 10% regression on Kraken 12434 https://bugs.webkit.org/show_bug.cgi?id=108366 12435 12436 Reviewed by Geoffrey Garen and Mark Hahnenberg. 12437 12438 This was a longstanding bug that was revealed by http://trac.webkit.org/changeset/140504. 12439 Pure CSE requires that the Node::flags() that may affect the behavior of a node match, 12440 when comparing a possibly redundant node to its possible replacement. It was doing this 12441 by comparing Node::arithNodeFlags(), which as the name might appear to suggest, returns 12442 just those flag bits that correspond to actual node behavior and not auxiliary things. 12443 Unfortunately, Node::arithNodeFlags() wasn't actually masking off the irrelevant bits. 12444 This worked prior to r140504 because CSE itself didn't mutate the flags, so there was a 12445 very high probability that matching nodes would also have completely identical flag bits 12446 (even the ones that aren't relevant to arithmetic behavior, like NodeDoesNotExit). But 12447 r140504 moved one of CSE's side-tables (m_relevantToOSR) into a flag bit for quicker 12448 access. 
These bits would be mutated as the CSE ran over a basic block, in such a way that 12449 there was a very high probability that the possible replacement would already have the 12450 bit set, while the redundant node did not have the bit set. Since Node::arithNodeFlags() 12451 returned all of the bits, this would cause CSEPhase::pureCSE() to reject the match 12452 almost every time. 12453 12454 The solution is to make Node::arithNodeFlags() do as its name suggests: only return those 12455 flags that are relevant to arithmetic behavior. This patch introduces a new mask that 12456 represents those bits, and includes NodeBehaviorMask and NodeBackPropMask, which are both 12457 used for queries on Node::arithNodeFlags(), and both affect arithmetic code gen. None of 12458 the other flags are relevant to Node::arithNodeFlags() since they either correspond to 12459 information already conveyed by the opcode (like NodeResultMask, NodeMustGenerate, 12460 NodeHasVarArgs, NodeClobbersWorld, NodeMightClobber) or information that doesn't affect 12461 the result that the node will produce or any of the queries performed on the result of 12462 Node::arithNodeFlags (NodeDoesNotExit and of course NodeRelevantToOSR). 12463 12464 This is a 10% speed-up on Kraken, undoing the regression from r140504. 12465 12466 * dfg/DFGNode.h: 12467 (JSC::DFG::Node::arithNodeFlags): 12468 * dfg/DFGNodeFlags.h: 12469 (DFG): 12470 124712013-01-29 Mark Hahnenberg <mhahnenberg@apple.com> 12472 12473 Structure::m_outOfLineCapacity is unnecessary 12474 https://bugs.webkit.org/show_bug.cgi?id=108206 12475 12476 Reviewed by Geoffrey Garen. 12477 12478 We can calculate our out of line capacity by using the outOfLineSize and our knowledge about our resize policy. 12479 According to GDB, this knocks Structures down from 136 bytes to 128 bytes (I'm guessing the extra bytes are from 12480 better alignment of object fields), which puts Structures in a smaller size class. Woohoo! 
Looks neutral on our 12481 benchmarks. 12482 12483 * runtime/Structure.cpp: 12484 (JSC::Structure::Structure): 12485 (JSC): 12486 (JSC::Structure::suggestedNewOutOfLineStorageCapacity): 12487 (JSC::Structure::addPropertyTransition): 12488 (JSC::Structure::addPropertyWithoutTransition): 12489 * runtime/Structure.h: 12490 (Structure): 12491 (JSC::Structure::outOfLineCapacity): 12492 (JSC::Structure::totalStorageCapacity): 12493 124942013-01-29 Geoffrey Garen <ggaren@apple.com> 12495 12496 Be a little more conservative about emitting table-based switches 12497 https://bugs.webkit.org/show_bug.cgi?id=108292 12498 12499 Reviewed by Filip Pizlo. 12500 12501 Profiling shows we're using op_switch in cases where it's a regression. 12502 12503 * bytecompiler/NodesCodegen.cpp: 12504 (JSC): 12505 (JSC::length): 12506 (JSC::CaseBlockNode::tryTableSwitch): 12507 (JSC::CaseBlockNode::emitBytecodeForBlock): 12508 * parser/Nodes.h: 12509 (CaseBlockNode): 12510 125112013-01-29 Sheriff Bot <webkit.review.bot@gmail.com> 12512 12513 Unreviewed, rolling out r140983. 12514 http://trac.webkit.org/changeset/140983 12515 https://bugs.webkit.org/show_bug.cgi?id=108277 12516 12517 Unfortunately, this API has one last client (Requested by 12518 abarth on #webkit). 12519 12520 * Configurations/FeatureDefines.xcconfig: 12521 125222013-01-29 Mark Hahnenberg <mhahnenberg@apple.com> 12523 12524 Objective-C API: JSObjCClassInfo creates reference cycle with JSContext 12525 https://bugs.webkit.org/show_bug.cgi?id=107839 12526 12527 Reviewed by Geoffrey Garen. 12528 12529 Fixing several ASSERTs that were incorrect along with some of the reallocation of m_prototype and 12530 m_constructor that they were based on. 12531 12532 * API/JSWrapperMap.mm: 12533 (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): We now only allocate those 12534 fields that are null (i.e. have been collected or have never been allocated to begin with). 
12535 (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Renamed to better indicate that we're 12536 reallocating one or both of the prototype/constructor combo. 12537 (-[JSObjCClassInfo wrapperForObject:]): Call new reallocate function. 12538 (-[JSObjCClassInfo constructor]): Ditto. 12539 125402013-01-29 Geoffrey Garen <ggaren@apple.com> 12541 12542 Make precise size classes more precise 12543 https://bugs.webkit.org/show_bug.cgi?id=108270 12544 12545 Reviewed by Mark Hahnenberg. 12546 12547 Size inference makes this profitable. 12548 12549 I chose 8 byte increments because JSString is 24 bytes. Otherwise, 16 12550 byte increments might be better. 12551 12552 * heap/Heap.h: 12553 (Heap): Removed firstAllocatorWithoutDestructors because it's unused now. 12554 12555 * heap/MarkedBlock.h: 12556 (MarkedBlock): Updated constants. 12557 12558 * heap/MarkedSpace.h: 12559 (MarkedSpace): 12560 (JSC): Also reduced the maximum precise size class because my testing 12561 has shown that the smaller size classes are much more common. This 12562 offsets some of the size class explosion caused by reducing the precise 12563 increment. 12564 12565 * llint/LLIntData.cpp: 12566 (JSC::LLInt::Data::performAssertions): No need for this ASSERT anymore 12567 because we don't rely on firstAllocatorWithoutDestructors anymore, since 12568 we pick size classes dynamically now. 12569 125702013-01-29 Oliver Hunt <oliver@apple.com> 12571 12572 Add some hardening to methodTable() 12573 https://bugs.webkit.org/show_bug.cgi?id=108253 12574 12575 Reviewed by Mark Hahnenberg. 12576 12577 When accessing methodTable() we now always make sure that our 12578 structure _could_ be valid. Added a separate method to get a 12579 classes methodTable during destruction as it's not possible to 12580 validate the structure at that point. This separation might 12581 also make it possible to improve the performance of methodTable 12582 access more generally in future. 
12583 12584 * heap/MarkedBlock.cpp: 12585 (JSC::MarkedBlock::callDestructor): 12586 * runtime/JSCell.h: 12587 (JSCell): 12588 * runtime/JSCellInlines.h: 12589 (JSC::JSCell::methodTableForDestruction): 12590 (JSC): 12591 (JSC::JSCell::methodTable): 12592 125932013-01-29 Filip Pizlo <fpizlo@apple.com> 12594 12595 offlineasm BaseIndex handling is broken on ARM due to MIPS changes 12596 https://bugs.webkit.org/show_bug.cgi?id=108261 12597 12598 Reviewed by Oliver Hunt. 12599 12600 Backends shouldn't override each other's methods. That's not cool. 12601 12602 * offlineasm/mips.rb: 12603 126042013-01-29 Filip Pizlo <fpizlo@apple.com> 12605 12606 cloop.rb shouldn't use a method called 'dump' for code generation 12607 https://bugs.webkit.org/show_bug.cgi?id=108251 12608 12609 Reviewed by Mark Hahnenberg. 12610 12611 Revert http://trac.webkit.org/changeset/141178 and rename 'dump' to 'clDump'. 12612 12613 Also made trivial build fixes for !ENABLE(JIT). 12614 12615 * offlineasm/cloop.rb: 12616 * runtime/Executable.h: 12617 (ExecutableBase): 12618 (JSC::ExecutableBase::intrinsicFor): 12619 * runtime/JSGlobalData.h: 12620 126212013-01-29 Geoffrey Garen <ggaren@apple.com> 12622 12623 Removed GGC because it has been disabled for a long time 12624 https://bugs.webkit.org/show_bug.cgi?id=108245 12625 12626 Reviewed by Filip Pizlo. 12627 12628 * GNUmakefile.list.am: 12629 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 12630 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 12631 * JavaScriptCore.xcodeproj/project.pbxproj: 12632 * dfg/DFGRepatch.cpp: 12633 (JSC::DFG::emitPutReplaceStub): 12634 (JSC::DFG::emitPutTransitionStub): 12635 * dfg/DFGSpeculativeJIT.cpp: 12636 (JSC::DFG::SpeculativeJIT::writeBarrier): 12637 * dfg/DFGSpeculativeJIT.h: 12638 (SpeculativeJIT): 12639 * dfg/DFGSpeculativeJIT32_64.cpp: 12640 (JSC::DFG::SpeculativeJIT::compile): 12641 * dfg/DFGSpeculativeJIT64.cpp: 12642 (JSC::DFG::SpeculativeJIT::compile): 12643 * heap/CardSet.h: Removed. 
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        * heap/Heap.h:
        (Heap):
        (JSC::Heap::shouldCollect):
        (JSC::Heap::isWriteBarrierEnabled):
        (JSC):
        (JSC::Heap::writeBarrier):
        * heap/MarkedBlock.h:
        (MarkedBlock):
        (JSC):
        * heap/MarkedSpace.cpp:
        (JSC):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier):

2013-01-29  Filip Pizlo  <fpizlo@apple.com>

        Remove redundant AST dump methods from cloop.rb, since they are already defined in ast.rb
        https://bugs.webkit.org/show_bug.cgi?id=108247

        Reviewed by Oliver Hunt.

        Makes offlineasm dumping easier to read and less likely to cause assertion failures.
        Also fixes the strange situation where cloop.rb and ast.rb both defined dump methods,
        but cloop.rb was winning.

        * offlineasm/cloop.rb:

2013-01-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: JSObjCClassInfo creates reference cycle with JSContext
        https://bugs.webkit.org/show_bug.cgi?id=107839

        Reviewed by Oliver Hunt.

        JSContext has a JSWrapperMap, which has an NSMutableDictionary m_classMap, which has values that
        are JSObjCClassInfo objects, which have strong references to two JSValue *'s, m_prototype and
        m_constructor, which in turn have strong references to the JSContext, creating a reference cycle.
        We should make m_prototype and m_constructor Weak<JSObject>. This gets rid of the strong reference
        to the JSContext and also prevents clients from accidentally creating reference cycles by assigning
        to the prototype of the constructor. If Weak<JSObject> fields are ever garbage collected, we will
        reallocate them.

        * API/JSContext.mm:
        (-[JSContext wrapperMap]):
        * API/JSContextInternal.h:
        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]):
        (-[JSObjCClassInfo dealloc]):
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
        (-[JSObjCClassInfo allocateConstructorAndPrototype]):
        (-[JSObjCClassInfo wrapperForObject:]):
        (-[JSObjCClassInfo constructor]):

2013-01-29  Oliver Hunt  <oliver@apple.com>

        REGRESSION (r140594): RELEASE_ASSERT_NOT_REACHED in JSC::Interpreter::execute
        https://bugs.webkit.org/show_bug.cgi?id=108097

        Reviewed by Geoffrey Garen.

        LiteralParser was accepting a bogus 'var a.b = c' statement.

        * runtime/LiteralParser.cpp:
        (JSC::::tryJSONPParse):

2013-01-29  Oliver Hunt  <oliver@apple.com>

        Force debug builds to do bounds checks on contiguous property storage
        https://bugs.webkit.org/show_bug.cgi?id=108212

        Reviewed by Mark Hahnenberg.

        Add a ContiguousData type that we use to represent contiguous property
        storage. In release builds it is simply a pointer to the correct type,
        but in debug builds it also carries the data length and performs bounds
        checks. This means we don't have to add as many manual bounds assertions
        when performing operations over contiguous data.

        * dfg/DFGOperations.cpp:
        * runtime/ArrayStorage.h:
        (ArrayStorage):
        (JSC::ArrayStorage::vector):
        * runtime/Butterfly.h:
        (JSC::ContiguousData::ContiguousData):
        (ContiguousData):
        (JSC::ContiguousData::operator[]):
        (JSC::ContiguousData::data):
        (JSC::ContiguousData::length):
        (JSC):
        (JSC::Butterfly::contiguousInt32):
        (Butterfly):
        (JSC::Butterfly::contiguousDouble):
        (JSC::Butterfly::contiguous):
        * runtime/JSArray.cpp:
        (JSC::JSArray::sortNumericVector):
        (ContiguousTypeAccessor):
        (JSC::ContiguousTypeAccessor::getAsValue):
        (JSC::ContiguousTypeAccessor::setWithValue):
        (JSC::ContiguousTypeAccessor::replaceDataReference):
        (JSC):
        (JSC::JSArray::sortCompactedVector):
        (JSC::JSArray::sort):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSArray.h:
        (JSArray):
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::rageConvertDoubleToContiguous):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::rageEnsureContiguousSlow):
        (JSC::JSObject::ensureLengthSlow):
        * runtime/JSObject.h:
        (JSC::JSObject::ensureInt32):
        (JSC::JSObject::ensureDouble):
        (JSC::JSObject::ensureContiguous):
        (JSC::JSObject::rageEnsureContiguous):
        (JSObject):
        (JSC::JSObject::indexingData):
        (JSC::JSObject::currentIndexingData):

2013-01-29  Brent Fulgham  <bfulgham@webkit.org>

        [Windows, WinCairo] Unreviewed build fix after r141050

        * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Update symbols
        to match JavaScriptCore.vcproj version.

2013-01-29  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        [Qt] Implement GCActivityCallback
        https://bugs.webkit.org/show_bug.cgi?id=103998

        Reviewed by Simon Hausmann.

        Implements the activity-triggered garbage collector.

        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::scheduleTimer):
        (JSC::DefaultGCActivityCallback::cancelTimer):
        * runtime/GCActivityCallback.h:
        (GCActivityCallback):
        (DefaultGCActivityCallback):

2013-01-29  Mikhail Pozdnyakov  <mikhail.pozdnyakov@intel.com>

        Compilation warning in JSC
        https://bugs.webkit.org/show_bug.cgi?id=108178

        Reviewed by Kentaro Hara.

        Fixed 'comparison between signed and unsigned integer' warning in JSC::Structure constructor.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):

2013-01-29  Jocelyn Turcotte  <jocelyn.turcotte@digia.com>

        [Qt] Fix the JSC build on Mac

        Unreviewed, build fix.

        * heap/HeapTimer.h:
        Qt on Mac has USE(CF) true, and should use the CF HeapTimer in that case.

2013-01-29  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        [Qt] Implement IncrementalSweeper and HeapTimer
        https://bugs.webkit.org/show_bug.cgi?id=103996

        Reviewed by Simon Hausmann.

        Implements the incremental sweeping garbage collection for the Qt platform.

        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::HeapTimer):
        (JSC::HeapTimer::~HeapTimer):
        (JSC::HeapTimer::timerEvent):
        (JSC::HeapTimer::synchronize):
        (JSC::HeapTimer::invalidate):
        (JSC::HeapTimer::didStartVMShutdown):
        * heap/HeapTimer.h:
        (HeapTimer):
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::IncrementalSweeper):
        (JSC::IncrementalSweeper::scheduleTimer):
        * heap/IncrementalSweeper.h:
        (IncrementalSweeper):

2013-01-28  Filip Pizlo  <fpizlo@apple.com>

        DFG should not use a graph that is a vector, Nodes shouldn't move after allocation, and we should always refer to nodes by Node*
        https://bugs.webkit.org/show_bug.cgi?id=106868

        Reviewed by Oliver Hunt.

        This adds a pool allocator for Nodes, and uses that instead of a Vector. Changes all
        uses of Node& and NodeIndex to be simply Node*. Nodes no longer have an index except
        for debugging (Node::index(), which is not guaranteed to be O(1)).

        1% speed-up on SunSpider, presumably because this improves compile times.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/DataFormat.h:
        (JSC::dataFormatToString):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::booleanResult):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
        (JSC::DFG::AbstractState::dump):
        * dfg/DFGAbstractState.h:
        (DFG):
        (JSC::DFG::AbstractState::forNode):
        (AbstractState):
        (JSC::DFG::AbstractState::speculateInt32Unary):
        (JSC::DFG::AbstractState::speculateNumberUnary):
        (JSC::DFG::AbstractState::speculateBooleanUnary):
        (JSC::DFG::AbstractState::speculateInt32Binary):
        (JSC::DFG::AbstractState::speculateNumberBinary):
        (JSC::DFG::AbstractState::trySetConstant):
        * dfg/DFGAbstractValue.h:
        (AbstractValue):
        * dfg/DFGAdjacencyList.h:
        (JSC::DFG::AdjacencyList::AdjacencyList):
        (JSC::DFG::AdjacencyList::initialize):
        * dfg/DFGAllocator.h: Added.
        (DFG):
        (Allocator):
        (JSC::DFG::Allocator::Region::size):
        (JSC::DFG::Allocator::Region::headerSize):
        (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
        (JSC::DFG::Allocator::Region::data):
        (JSC::DFG::Allocator::Region::isInThisRegion):
        (JSC::DFG::Allocator::Region::regionFor):
        (Region):
        (JSC::DFG::::Allocator):
        (JSC::DFG::::~Allocator):
        (JSC::DFG::::allocate):
        (JSC::DFG::::free):
        (JSC::DFG::::freeAll):
        (JSC::DFG::::reset):
        (JSC::DFG::::indexOf):
        (JSC::DFG::::allocatorOf):
        (JSC::DFG::::bumpAllocate):
        (JSC::DFG::::freeListAllocate):
        (JSC::DFG::::allocateSlow):
        (JSC::DFG::::freeRegionsStartingAt):
        (JSC::DFG::::startBumpingIn):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
        (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUses):
        (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
        (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
        (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::originalArrayStructure):
        (JSC::DFG::ArrayMode::alreadyChecked):
        * dfg/DFGArrayMode.h:
        (ArrayMode):
        * dfg/DFGArrayifySlowPathGenerator.h:
        (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::node):
        (JSC::DFG::BasicBlock::isInPhis):
        (JSC::DFG::BasicBlock::isInBlock):
        (BasicBlock):
        * dfg/DFGBasicBlockInlines.h:
        (DFG):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::getDirect):
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::setDirect):
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::setPair):
        (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::flushDirect):
        (JSC::DFG::ByteCodeParser::getToInt32):
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::getJSConstant):
        (JSC::DFG::ByteCodeParser::getCallee):
        (JSC::DFG::ByteCodeParser::getThis):
        (JSC::DFG::ByteCodeParser::setThis):
        (JSC::DFG::ByteCodeParser::isJSConstant):
        (JSC::DFG::ByteCodeParser::isInt32Constant):
        (JSC::DFG::ByteCodeParser::valueOfJSConstant):
        (JSC::DFG::ByteCodeParser::valueOfInt32Constant):
        (JSC::DFG::ByteCodeParser::constantUndefined):
        (JSC::DFG::ByteCodeParser::constantNull):
        (JSC::DFG::ByteCodeParser::one):
        (JSC::DFG::ByteCodeParser::constantNaN):
        (JSC::DFG::ByteCodeParser::cellConstant):
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::insertPhiNode):
        (JSC::DFG::ByteCodeParser::addVarArgChild):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::getPrediction):
        (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord):
        (ConstantRecord):
        (JSC::DFG::ByteCodeParser::PhiStackEntry::PhiStackEntry):
        (PhiStackEntry):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::emitFunctionChecks):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::setIntrinsicResult):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::getScope):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
        (JSC::DFG::CFGSimplificationPhase::fixPhis):
        (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
        (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::OperandSubstitution):
        (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::dump):
        (OperandSubstitution):
        (JSC::DFG::CFGSimplificationPhase::skipGetLocal):
        (JSC::DFG::CFGSimplificationPhase::recordNewTarget):
        (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::canonicalize):
        (JSC::DFG::CSEPhase::endIndexForPureCSE):
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::constantCSE):
        (JSC::DFG::CSEPhase::weakConstantCSE):
        (JSC::DFG::CSEPhase::getCalleeLoadElimination):
        (JSC::DFG::CSEPhase::getArrayLengthElimination):
        (JSC::DFG::CSEPhase::globalVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
        (JSC::DFG::CSEPhase::globalVarStoreElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkFunctionElimination):
        (JSC::DFG::CSEPhase::checkExecutableElimination):
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
        (JSC::DFG::CSEPhase::getLocalLoadElimination):
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        (JSC::DFG::CSEPhase::performSubstitution):
        (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::eliminate):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):
        (CSEPhase):
        * dfg/DFGCommon.cpp: Added.
        (DFG):
        (JSC::DFG::NodePointerTraits::dump):
        * dfg/DFGCommon.h:
        (DFG):
        (JSC::DFG::NodePointerTraits::defaultValue):
        (NodePointerTraits):
        (JSC::DFG::verboseCompilationEnabled):
        (JSC::DFG::shouldDumpGraphAtEachPhase):
        (JSC::DFG::validationEnabled):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::Disassembler):
        (JSC::DFG::Disassembler::createDumpList):
        (JSC::DFG::Disassembler::dumpDisassembly):
        * dfg/DFGDisassembler.h:
        (JSC::DFG::Disassembler::setForNode):
        (Disassembler):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGEdge.cpp: Added.
        (DFG):
        (JSC::DFG::Edge::dump):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::Edge):
        (JSC::DFG::Edge::node):
        (JSC::DFG::Edge::operator*):
        (JSC::DFG::Edge::operator->):
        (Edge):
        (JSC::DFG::Edge::setNode):
        (JSC::DFG::Edge::useKind):
        (JSC::DFG::Edge::setUseKind):
        (JSC::DFG::Edge::isSet):
        (JSC::DFG::Edge::shift):
        (JSC::DFG::Edge::makeWord):
        (JSC::DFG::operator==):
        (JSC::DFG::operator!=):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupBlock):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::fixDoubleEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        (FixupPhase):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::GenerationInfo):
        (JSC::DFG::GenerationInfo::initConstant):
        (JSC::DFG::GenerationInfo::initInteger):
        (JSC::DFG::GenerationInfo::initJSValue):
        (JSC::DFG::GenerationInfo::initCell):
        (JSC::DFG::GenerationInfo::initBoolean):
        (JSC::DFG::GenerationInfo::initDouble):
        (JSC::DFG::GenerationInfo::initStorage):
        (GenerationInfo):
        (JSC::DFG::GenerationInfo::node):
        (JSC::DFG::GenerationInfo::noticeOSRBirth):
        (JSC::DFG::GenerationInfo::use):
        (JSC::DFG::GenerationInfo::appendFill):
        (JSC::DFG::GenerationInfo::appendSpill):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::~Graph):
        (DFG):
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::amountOfNodeWhiteSpace):
        (JSC::DFG::Graph::printNodeWhiteSpace):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        (JSC::DFG::Graph::refChildren):
        (JSC::DFG::Graph::derefChildren):
        (JSC::DFG::Graph::predictArgumentTypes):
        (JSC::DFG::Graph::collectGarbage):
        (JSC::DFG::Graph::determineReachability):
        (JSC::DFG::Graph::resetExitStates):
        * dfg/DFGGraph.h:
        (Graph):
        (JSC::DFG::Graph::ref):
        (JSC::DFG::Graph::deref):
        (JSC::DFG::Graph::changeChild):
        (JSC::DFG::Graph::compareAndSwap):
        (JSC::DFG::Graph::clearAndDerefChild):
        (JSC::DFG::Graph::clearAndDerefChild1):
        (JSC::DFG::Graph::clearAndDerefChild2):
        (JSC::DFG::Graph::clearAndDerefChild3):
        (JSC::DFG::Graph::convertToConstant):
        (JSC::DFG::Graph::getJSConstantSpeculation):
        (JSC::DFG::Graph::addSpeculationMode):
        (JSC::DFG::Graph::valueAddSpeculationMode):
        (JSC::DFG::Graph::arithAddSpeculationMode):
        (JSC::DFG::Graph::addShouldSpeculateInteger):
        (JSC::DFG::Graph::mulShouldSpeculateInteger):
        (JSC::DFG::Graph::negateShouldSpeculateInteger):
        (JSC::DFG::Graph::isConstant):
        (JSC::DFG::Graph::isJSConstant):
        (JSC::DFG::Graph::isInt32Constant):
        (JSC::DFG::Graph::isDoubleConstant):
        (JSC::DFG::Graph::isNumberConstant):
        (JSC::DFG::Graph::isBooleanConstant):
        (JSC::DFG::Graph::isCellConstant):
        (JSC::DFG::Graph::isFunctionConstant):
        (JSC::DFG::Graph::isInternalFunctionConstant):
        (JSC::DFG::Graph::valueOfJSConstant):
        (JSC::DFG::Graph::valueOfInt32Constant):
        (JSC::DFG::Graph::valueOfNumberConstant):
        (JSC::DFG::Graph::valueOfBooleanConstant):
        (JSC::DFG::Graph::valueOfFunctionConstant):
        (JSC::DFG::Graph::valueProfileFor):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        (JSC::DFG::Graph::numSuccessors):
        (JSC::DFG::Graph::successor):
        (JSC::DFG::Graph::successorForCondition):
        (JSC::DFG::Graph::isPredictedNumerical):
        (JSC::DFG::Graph::byValIsPure):
        (JSC::DFG::Graph::clobbersWorld):
        (JSC::DFG::Graph::varArgNumChildren):
        (JSC::DFG::Graph::numChildren):
        (JSC::DFG::Graph::varArgChild):
        (JSC::DFG::Graph::child):
        (JSC::DFG::Graph::voteNode):
        (JSC::DFG::Graph::voteChildren):
        (JSC::DFG::Graph::substitute):
        (JSC::DFG::Graph::substituteGetLocal):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
        (JSC::DFG::Graph::mulImmediateShouldSpeculateInteger):
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::Insertion::Insertion):
        (JSC::DFG::Insertion::element):
        (Insertion):
        (JSC::DFG::InsertionSet::insert):
        (InsertionSet):
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::setForNode):
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGLongLivedState.cpp: Added.
        (DFG):
        (JSC::DFG::LongLivedState::LongLivedState):
        (JSC::DFG::LongLivedState::~LongLivedState):
        (JSC::DFG::LongLivedState::shrinkToFit):
        * dfg/DFGLongLivedState.h: Added.
        (DFG):
        (LongLivedState):
        * dfg/DFGMinifiedID.h:
        (JSC::DFG::MinifiedID::MinifiedID):
        (JSC::DFG::MinifiedID::node):
        * dfg/DFGMinifiedNode.cpp:
        (JSC::DFG::MinifiedNode::fromNode):
        * dfg/DFGMinifiedNode.h:
        (MinifiedNode):
        * dfg/DFGNode.cpp: Added.
        (DFG):
        (JSC::DFG::Node::index):
        (WTF):
        (WTF::printInternal):
        * dfg/DFGNode.h:
        (DFG):
        (JSC::DFG::Node::Node):
        (Node):
        (JSC::DFG::Node::convertToGetByOffset):
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::ref):
        (JSC::DFG::Node::shouldSpeculateInteger):
        (JSC::DFG::Node::shouldSpeculateIntegerForArithmetic):
        (JSC::DFG::Node::shouldSpeculateIntegerExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic):
        (JSC::DFG::Node::shouldSpeculateNumber):
        (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateFinalObject):
        (JSC::DFG::Node::shouldSpeculateArray):
        (JSC::DFG::Node::dumpChildren):
        (WTF):
        * dfg/DFGNodeAllocator.h: Added.
        (DFG):
        (operator new ):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        (SpeculationFailureDebugInfo):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPhase.cpp:
        (DFG):
        (JSC::DFG::Phase::beginPhase):
        (JSC::DFG::Phase::endPhase):
        * dfg/DFGPhase.h:
        (Phase):
        (JSC::DFG::runAndLog):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::setPrediction):
        (JSC::DFG::PredictionPropagationPhase::mergePrediction):
        (JSC::DFG::PredictionPropagationPhase::isNotNegZero):
        (JSC::DFG::PredictionPropagationPhase::isNotZero):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
        (JSC::DFG::PredictionPropagationPhase::propagateForward):
        (JSC::DFG::PredictionPropagationPhase::propagateBackward):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::ScoreBoard):
        (JSC::DFG::ScoreBoard::use):
        (JSC::DFG::ScoreBoard::useIfHasResult):
        (ScoreBoard):
        * dfg/DFGSilentRegisterSavePlan.h:
        (JSC::DFG::SilentRegisterSavePlan::SilentRegisterSavePlan):
        (JSC::DFG::SilentRegisterSavePlan::node):
        (SilentRegisterSavePlan):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::SlowPathGenerator):
        (JSC::DFG::SlowPathGenerator::generate):
        (SlowPathGenerator):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
        (JSC::DFG::SpeculativeJIT::silentSpill):
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::arrayify):
        (JSC::DFG::SpeculativeJIT::fillStorage):
        (JSC::DFG::SpeculativeJIT::useChildren):
        (JSC::DFG::SpeculativeJIT::isStrictInt32):
        (JSC::DFG::SpeculativeJIT::isKnownInteger):
        (JSC::DFG::SpeculativeJIT::isKnownNumeric):
        (JSC::DFG::SpeculativeJIT::isKnownCell):
        (JSC::DFG::SpeculativeJIT::isKnownNotCell):
        (JSC::DFG::SpeculativeJIT::isKnownNotInteger):
        (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        (JSC::DFG::FPRTemporary::FPRTemporary):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::noticeOSRBirth):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
        (JSC::DFG::SpeculativeJIT::compileRegExpExec):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::canReuse):
        (JSC::DFG::SpeculativeJIT::isFilled):
        (JSC::DFG::SpeculativeJIT::isFilledDouble):
        (JSC::DFG::SpeculativeJIT::use):
        (JSC::DFG::SpeculativeJIT::isConstant):
        (JSC::DFG::SpeculativeJIT::isJSConstant):
        (JSC::DFG::SpeculativeJIT::isInt32Constant):
        (JSC::DFG::SpeculativeJIT::isDoubleConstant):
        (JSC::DFG::SpeculativeJIT::isNumberConstant):
        (JSC::DFG::SpeculativeJIT::isBooleanConstant):
        (JSC::DFG::SpeculativeJIT::isFunctionConstant):
        (JSC::DFG::SpeculativeJIT::valueOfInt32Constant):
        (JSC::DFG::SpeculativeJIT::valueOfNumberConstant):
        (JSC::DFG::SpeculativeJIT::valueOfNumberConstantAsInt32):
        (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant):
        (JSC::DFG::SpeculativeJIT::valueOfJSConstant):
        (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant):
        (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant):
        (JSC::DFG::SpeculativeJIT::isNullConstant):
        (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::integerResult):
        (JSC::DFG::SpeculativeJIT::noResult):
        (JSC::DFG::SpeculativeJIT::cellResult):
        (JSC::DFG::SpeculativeJIT::booleanResult):
        (JSC::DFG::SpeculativeJIT::jsValueResult):
        (JSC::DFG::SpeculativeJIT::storageResult):
        (JSC::DFG::SpeculativeJIT::doubleResult):
        (JSC::DFG::SpeculativeJIT::initConstantInfo):
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
        (JSC::DFG::SpeculativeJIT::isInteger):
        (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
        (JSC::DFG::SpeculativeJIT::setNodeForOperand):
        (JSC::DFG::IntegerOperand::IntegerOperand):
        (JSC::DFG::IntegerOperand::node):
        (JSC::DFG::IntegerOperand::gpr):
        (JSC::DFG::IntegerOperand::use):
        (IntegerOperand):
        (JSC::DFG::DoubleOperand::DoubleOperand):
        (JSC::DFG::DoubleOperand::node):
        (JSC::DFG::DoubleOperand::fpr):
        (JSC::DFG::DoubleOperand::use):
        (DoubleOperand):
        (JSC::DFG::JSValueOperand::JSValueOperand):
        (JSC::DFG::JSValueOperand::node):
        (JSC::DFG::JSValueOperand::gpr):
        (JSC::DFG::JSValueOperand::fill):
        (JSC::DFG::JSValueOperand::use):
        (JSValueOperand):
        (JSC::DFG::StorageOperand::StorageOperand):
        (JSC::DFG::StorageOperand::node):
        (JSC::DFG::StorageOperand::gpr):
        (JSC::DFG::StorageOperand::use):
        (StorageOperand):
        (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
        (JSC::DFG::SpeculateIntegerOperand::node):
        (JSC::DFG::SpeculateIntegerOperand::gpr):
        (JSC::DFG::SpeculateIntegerOperand::use):
        (SpeculateIntegerOperand):
        (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
        (JSC::DFG::SpeculateStrictInt32Operand::node):
        (JSC::DFG::SpeculateStrictInt32Operand::gpr):
        (JSC::DFG::SpeculateStrictInt32Operand::use):
        (SpeculateStrictInt32Operand):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (JSC::DFG::SpeculateDoubleOperand::node):
        (JSC::DFG::SpeculateDoubleOperand::fpr):
        (JSC::DFG::SpeculateDoubleOperand::use):
        (SpeculateDoubleOperand):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (JSC::DFG::SpeculateCellOperand::node):
        (JSC::DFG::SpeculateCellOperand::gpr):
        (JSC::DFG::SpeculateCellOperand::use):
        (SpeculateCellOperand):
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        (JSC::DFG::SpeculateBooleanOperand::node):
        (JSC::DFG::SpeculateBooleanOperand::gpr):
        (JSC::DFG::SpeculateBooleanOperand::use):
        (SpeculateBooleanOperand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillDouble):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
        (JSC::DFG::SpeculativeJIT::compileValueAdd):
        (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillDouble):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
        (JSC::DFG::SpeculativeJIT::compileValueAdd):
        (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureAbstractValue.h:
        (StructureAbstractValue):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * dfg/DFGValidate.cpp:
        (DFG):
        (Validate):
        (JSC::DFG::Validate::validate):
        (JSC::DFG::Validate::reportValidationContext):
        * dfg/DFGValidate.h:
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::ValueSource):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):
        * runtime/FunctionExecutableDump.cpp: Added.
        (JSC):
        (JSC::FunctionExecutableDump::dump):
        * runtime/FunctionExecutableDump.h: Added.
        (JSC):
        (FunctionExecutableDump):
        (JSC::FunctionExecutableDump::FunctionExecutableDump):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC):
        (DFG):
        (JSGlobalData):
        * runtime/Options.h:
        (JSC):

2013-01-28  Laszlo Gombos  <l.gombos@samsung.com>

        Collapse testing for a list of PLATFORM() into OS() and USE() tests
        https://bugs.webkit.org/show_bug.cgi?id=108018

        Reviewed by Eric Seidel.

        No functional change as "OS(DARWIN) && USE(CF)" equals the
        following platforms: MAC, WX, QT and CHROMIUM. CHROMIUM
        is not using JavaScriptCore.

        * runtime/DatePrototype.cpp:
        (JSC):

2013-01-28  Geoffrey Garen  <ggaren@apple.com>

        Static size inference for JavaScript objects
        https://bugs.webkit.org/show_bug.cgi?id=108093

        Reviewed by Phil Pizlo.

        * API/JSObjectRef.cpp:
        * JavaScriptCore.order:
        * JavaScriptCore.xcodeproj/project.pbxproj: Pay the tax man.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode): op_new_object and op_create_this now
        have an extra inferredInlineCapacity argument. This is the statically
        inferred inline capacity, just from analyzing source text. op_new_object
        also gets a pointer to an allocation profile.
        (For op_create_this, the profile is in the constructor function.)

        (JSC::CodeBlock::CodeBlock): Link op_new_object.

        (JSC::CodeBlock::stronglyVisitStrongReferences): Mark our profiles.

        * bytecode/CodeBlock.h:
        (CodeBlock): Removed some dead code. Added object allocation profiles.

        * bytecode/Instruction.h:
        (JSC): New union type, since an instruction operand may point to an
        object allocation profile now.

        * bytecode/ObjectAllocationProfile.h: Added.
        (JSC):
        (ObjectAllocationProfile):
        (JSC::ObjectAllocationProfile::offsetOfAllocator):
        (JSC::ObjectAllocationProfile::offsetOfStructure):
        (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
        (JSC::ObjectAllocationProfile::isNull):
        (JSC::ObjectAllocationProfile::initialize):
        (JSC::ObjectAllocationProfile::structure):
        (JSC::ObjectAllocationProfile::inlineCapacity):
        (JSC::ObjectAllocationProfile::clear):
        (JSC::ObjectAllocationProfile::visitAggregate):
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): New class
        for tracking a prediction about object allocation: structure, inline
        capacity, allocator to use.

        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName): Updated instruction sizes.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC):
        (JSC::UnlinkedCodeBlock::addObjectAllocationProfile):
        (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles):
        (UnlinkedCodeBlock): Unlinked support for allocation profiles.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate): Kill all remaining analyses at the
        end of codegen, since this is our last opportunity.

        (JSC::BytecodeGenerator::BytecodeGenerator): Added a static property
        analyzer to bytecode generation.
        It tracks initializing assignments and makes a guess about how many will happen.

        (JSC::BytecodeGenerator::newObjectAllocationProfile):
        (JSC):
        (JSC::BytecodeGenerator::emitProfiledOpcode):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveBase):
        (JSC::BytecodeGenerator::emitResolveBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithThis):
        (JSC::BytecodeGenerator::emitGetById):
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitDirectPutById):
        (JSC::BytecodeGenerator::emitPutGetterSetter):
        (JSC::BytecodeGenerator::emitGetArgumentByVal):
        (JSC::BytecodeGenerator::emitGetByVal): Added hooks to the static property
        analyzer, so it can observe allocations and stores.

        (JSC::BytecodeGenerator::emitCreateThis): Factored this into a helper
        function because it was a significant amount of logic, and I wanted to
        add to it.

        (JSC::BytecodeGenerator::emitNewObject):
        (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitConstruct): Added a hook to profiled opcodes
        to track their stores, in case a store kills a profiled allocation. Since
        profiled opcodes are basically the only interesting stores we do, this
        is a convenient place to notice any store that might kill an allocation.

        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator): As above.

        * bytecompiler/StaticPropertyAnalysis.h: Added.
        (JSC):
        (StaticPropertyAnalysis):
        (JSC::StaticPropertyAnalysis::create):
        (JSC::StaticPropertyAnalysis::addPropertyIndex):
        (JSC::StaticPropertyAnalysis::record):
        (JSC::StaticPropertyAnalysis::propertyIndexCount):
        (JSC::StaticPropertyAnalysis::StaticPropertyAnalysis): Simple helper
        class for tracking allocations and stores.

        * bytecompiler/StaticPropertyAnalyzer.h: Added.
        (StaticPropertyAnalyzer):
        (JSC::StaticPropertyAnalyzer::StaticPropertyAnalyzer):
        (JSC::StaticPropertyAnalyzer::createThis):
        (JSC::StaticPropertyAnalyzer::newObject):
        (JSC::StaticPropertyAnalyzer::putById):
        (JSC::StaticPropertyAnalyzer::mov):
        (JSC::StaticPropertyAnalyzer::kill): Helper class for observing allocations
        and stores and making an inline capacity guess. The heuristics here are
        intentionally minimal because we don't want this one class to try to
        re-create something like a DFG or a runtime analysis. If we discover that
        we need those kinds of analyses, we should just replace this class with
        something else.

        This class tracks multiple registers that alias the same object -- that
        happens a lot, when moving locals into temporary registers -- but it
        doesn't track control flow or multiple objects that alias the same register.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute): Updated for rename.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock): Updated for inline capacity and
        allocation profile.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasInlineCapacity):
        (Node):
        (JSC::DFG::Node::inlineCapacity):
        (JSC::DFG::Node::hasFunction): Give the graph a good way to represent
        inline capacity for an allocation.

        * dfg/DFGNodeType.h:
        (DFG): Updated for rename.

        * dfg/DFGOperations.cpp: Updated for interface change.

        * dfg/DFGOperations.h: We pass the inline capacity to the slow case as
        an argument. This is the simplest way, since it's stored as a bytecode operand.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate): Updated for rename.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID): Fixed a horrible off-by-one-half bug that only
        appears when doing an inline cached load for property number 64 on a 32-bit
        system. In JSVALUE32_64 land, "offsetRelativeToPatchedStorage" is the
        offset of the 64bit JSValue -- but we'll actually issue two loads, one for
        the payload at that offset, and one for the tag at that offset + 4. We need
        to ensure that both loads have a compact representation, or we'll corrupt
        the instruction stream.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Lots of refactoring to support
        passing an allocator to our allocation function, and/or passing a Structure
        as a register instead of an immediate.

        * heap/MarkedAllocator.h:
        (DFG):
        (MarkedAllocator):
        (JSC::MarkedAllocator::offsetOfFreeListHead): Added an accessor to simplify
        JIT code generation of allocation from an arbitrary allocator.

        * jit/JIT.h:
        (JSC):
        * jit/JITInlines.h:
        (JSC):
        (JSC::JIT::emitAllocateJSObject):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emitSlow_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emitSlow_op_create_this): Same refactoring as done for the DFG.

        * jit/JITStubs.cpp:
        (JSC::tryCacheGetByID): Fixed the same bug mentioned above.

        (JSC::DEFINE_STUB_FUNCTION): Updated for interface changes.

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions): Updated for interface changes.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm: Same refactoring as for the JITs.

        * profiler/ProfilerBytecode.cpp:
        * profiler/ProfilerBytecodes.cpp:
        * profiler/ProfilerCompilation.cpp:
        * profiler/ProfilerCompiledBytecode.cpp:
        * profiler/ProfilerDatabase.cpp:
        * profiler/ProfilerOSRExit.cpp:
        * profiler/ProfilerOrigin.cpp:
        * profiler/ProfilerProfiledBytecodes.cpp: Include ObjectConstructor.h
        because that's where createEmptyObject() lives now.

        * runtime/Executable.h:
        (JSC::JSFunction::JSFunction): Updated for rename.

        * runtime/JSCellInlines.h:
        (JSC::allocateCell): Updated to match the allocator selection code in
        the JIT, so it's clearer that both are correct.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::createAllocationProfile):
        (JSC::JSFunction::visitChildren):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        (JSC::JSFunction::getConstructData):
        * runtime/JSFunction.h:
        (JSC::JSFunction::offsetOfScopeChain):
        (JSC::JSFunction::offsetOfExecutable):
        (JSC::JSFunction::offsetOfAllocationProfile):
        (JSC::JSFunction::allocationProfile):
        (JSFunction):
        (JSC::JSFunction::tryGetAllocationProfile):
        (JSC::JSFunction::addAllocationProfileWatchpoint): Changed inheritorID
        data member to be an ObjectAllocationProfile, which includes a pointer
        to the desired allocator. This simplifies JIT code, since we don't have
        to compute the allocator on the fly. I verified by code inspection that
        JSFunction is still only 64 bytes.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::dateStructure): No direct pointer to the empty
        object structure anymore, because now clients need to specify how much
        inline capacity they want.

        * runtime/JSONObject.cpp:
        * runtime/JSObject.h:
        (JSC):
        (JSFinalObject):
        (JSC::JSFinalObject::defaultInlineCapacity):
        (JSC::JSFinalObject::maxInlineCapacity):
        (JSC::JSFinalObject::createStructure): A little refactoring to try to
        clarify where some of these constants derive from.

        (JSC::maxOffsetRelativeToPatchedStorage): Used for bug fix, above.

        * runtime/JSProxy.cpp:
        (JSC::JSProxy::setTarget): Ugly, but effective.

        * runtime/LiteralParser.cpp:
        * runtime/ObjectConstructor.cpp:
        (JSC::constructObject):
        (JSC::constructWithObjectConstructor):
        (JSC::callObjectConstructor):
        (JSC::objectConstructorCreate): Updated for interface changes.

        * runtime/ObjectConstructor.h:
        (JSC::constructEmptyObject): Clarified your options for how to allocate
        an empty object, to emphasize what things can actually vary.

        * runtime/PropertyOffset.h: These constants have moved because they're
        really higher level concepts to do with the layout of objects and the
        collector. PropertyOffset is just an abstract number line, independent
        of those things.

        * runtime/PrototypeMap.cpp:
        (JSC::PrototypeMap::emptyObjectStructureForPrototype):
        (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
        * runtime/PrototypeMap.h:
        (PrototypeMap): The map key is now a pair of prototype and inline capacity,
        since Structure encodes inline capacity.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::copyPropertyTableForPinning):
        * runtime/Structure.h:
        (Structure):
        (JSC::Structure::totalStorageSize):
        (JSC::Structure::transitionCount):
        (JSC::Structure::create): Fixed a nasty refactoring bug that only shows
        up after enabling variable-sized inline capacities: we were passing our
        type info where our inline capacity was expected. The compiler didn't
        notice because both have type int :(.

2013-01-28  Oliver Hunt  <oliver@apple.com>

        Add more assertions to the property storage use in arrays
        https://bugs.webkit.org/show_bug.cgi?id=107728

        Reviewed by Filip Pizlo.

        Add a bunch of assertions to array and object butterfly
        usage. This should make debugging somewhat easier.

        I also converted a couple of assertions to release asserts
        as they were so low cost it seemed a sensible thing to do.

        * runtime/JSArray.cpp:
        (JSC::JSArray::sortVector):
        (JSC::JSArray::compactForSorting):
        * runtime/JSObject.h:
        (JSC::JSObject::getHolyIndexQuickly):

2013-01-28  Adam Barth  <abarth@webkit.org>

        Remove webkitNotifications.createHTMLNotification
        https://bugs.webkit.org/show_bug.cgi?id=107598

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig:

2013-01-28  Michael Saboff  <msaboff@apple.com>

        Cleanup ARM version of debugName() in DFGFPRInfo.h
        https://bugs.webkit.org/show_bug.cgi?id=108090

        Reviewed by David Kilzer.

        Fixed debugName() so it will compile by adding static_cast<int> and missing commas.

        * dfg/DFGFPRInfo.h:
        (JSC::DFG::FPRInfo::debugName):

2013-01-27  Andreas Kling  <akling@apple.com>

        JSC: FunctionParameters are memory hungry.
        <http://webkit.org/b/108033>
        <rdar://problem/13094803>

        Reviewed by Sam Weinig.

        Instead of inheriting from Vector<Identifier>, make FunctionParameters a simple fixed-size array
        with a custom-allocating create() function. Removes one step of indirection and cuts memory usage
        roughly in half.

        2.73 MB progression on Membuster3.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::paramString):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * parser/Nodes.cpp:
        (JSC::FunctionParameters::create):
        (JSC::FunctionParameters::FunctionParameters):
        (JSC::FunctionParameters::~FunctionParameters):
        * parser/Nodes.h:
        (FunctionParameters):
        (JSC::FunctionParameters::size):
        (JSC::FunctionParameters::at):
        (JSC::FunctionParameters::identifiers):

2013-01-27  Andreas Kling  <akling@apple.com>

        JSC: SourceProviderCache is memory hungry.
        <http://webkit.org/b/108029>
        <rdar://problem/13094806>

        Reviewed by Sam Weinig.

        Use fixed-size arrays for SourceProviderCacheItem's lists of captured variables.
        Since the lists never change after the object is created, there's no need to keep them in Vectors
        and we can instead create the whole cache item in a single allocation.

        13.37 MB progression on Membuster3.

        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::Scope::copyCapturedVariablesToVector):
        (JSC::Scope::fillParametersForSourceProviderCache):
        (JSC::Scope::restoreFromSourceProviderCache):
        * parser/SourceProviderCacheItem.h:
        (SourceProviderCacheItemCreationParameters):
        (SourceProviderCacheItem):
        (JSC::SourceProviderCacheItem::approximateByteSize):
        (JSC::SourceProviderCacheItem::usedVariables):
        (JSC::SourceProviderCacheItem::writtenVariables):
        (JSC::SourceProviderCacheItem::~SourceProviderCacheItem):
        (JSC::SourceProviderCacheItem::create):
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):

2013-01-27  Zoltan Arvai  <zarvai@inf.u-szeged.hu>

        Fixing atomicIncrement implementation for Windows by dropping support before XP SP2.
        https://bugs.webkit.org/show_bug.cgi?id=106740

        Reviewed by Benjamin Poulain.

        * config.h:

2013-01-25  Filip Pizlo  <fpizlo@apple.com>

        DFG variable event stream shouldn't use NodeIndex
        https://bugs.webkit.org/show_bug.cgi?id=107996

        Reviewed by Oliver Hunt.

        Introduce the notion of a DFG::MinifiedID, which is just a unique ID of a DFG Node.
        Internally it currently uses a NodeIndex, but we could change this without having
        to recode all of the users of MinifiedID. This effectively decouples the OSR exit
        compiler's way of identifying nodes from the speculative JIT's way of identifying
        nodes, and should make it easier to make changes to the speculative JIT's internals
        in the future.

        Also changed variable event stream logging to exclude information about births and
        deaths of constants, since the OSR exit compiler never cares about which register
        holds a constant; if a value is constant then the OSR exit compiler can reify it.

        Also changed the variable event stream's value recovery computation to use a
        HashMap keyed by MinifiedID rather than a Vector indexed by NodeIndex.

        This appears to be performance-neutral. It's primarily meant as a small step
        towards https://bugs.webkit.org/show_bug.cgi?id=106868.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::GenerationInfo):
        (JSC::DFG::GenerationInfo::initConstant):
        (JSC::DFG::GenerationInfo::initInteger):
        (JSC::DFG::GenerationInfo::initJSValue):
        (JSC::DFG::GenerationInfo::initCell):
        (JSC::DFG::GenerationInfo::initBoolean):
        (JSC::DFG::GenerationInfo::initDouble):
        (JSC::DFG::GenerationInfo::initStorage):
        (JSC::DFG::GenerationInfo::noticeOSRBirth):
        (JSC::DFG::GenerationInfo::use):
        (JSC::DFG::GenerationInfo::appendFill):
        (JSC::DFG::GenerationInfo::appendSpill):
        (GenerationInfo):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGMinifiedGraph.h:
        (JSC::DFG::MinifiedGraph::at):
        (MinifiedGraph):
        * dfg/DFGMinifiedID.h: Added.
        (DFG):
        (MinifiedID):
        (JSC::DFG::MinifiedID::MinifiedID):
        (JSC::DFG::MinifiedID::operator!):
        (JSC::DFG::MinifiedID::nodeIndex):
        (JSC::DFG::MinifiedID::operator==):
        (JSC::DFG::MinifiedID::operator!=):
        (JSC::DFG::MinifiedID::operator<):
        (JSC::DFG::MinifiedID::operator>):
        (JSC::DFG::MinifiedID::operator<=):
        (JSC::DFG::MinifiedID::operator>=):
        (JSC::DFG::MinifiedID::hash):
        (JSC::DFG::MinifiedID::dump):
        (JSC::DFG::MinifiedID::isHashTableDeletedValue):
        (JSC::DFG::MinifiedID::invalidID):
        (JSC::DFG::MinifiedID::otherInvalidID):
        (JSC::DFG::MinifiedID::fromBits):
        (JSC::DFG::MinifiedIDHash::hash):
        (JSC::DFG::MinifiedIDHash::equal):
        (MinifiedIDHash):
        (WTF):
        * dfg/DFGMinifiedNode.cpp:
        (JSC::DFG::MinifiedNode::fromNode):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::MinifiedNode::id):
        (JSC::DFG::MinifiedNode::child1):
        (JSC::DFG::MinifiedNode::getID):
        (JSC::DFG::MinifiedNode::compareByNodeIndex):
        (MinifiedNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::setNodeIndexForOperand):
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::isSet):
        (JSC::DFG::ValueSource::kind):
        (JSC::DFG::ValueSource::id):
        (ValueSource):
        (JSC::DFG::ValueSource::idFromKind):
        (JSC::DFG::ValueSource::kindFromID):
        * dfg/DFGVariableEvent.cpp:
        (JSC::DFG::VariableEvent::dump):
        (JSC::DFG::VariableEvent::dumpFillInfo):
        (JSC::DFG::VariableEvent::dumpSpillInfo):
        * dfg/DFGVariableEvent.h:
        (JSC::DFG::VariableEvent::fillGPR):
        (JSC::DFG::VariableEvent::fillPair):
        (JSC::DFG::VariableEvent::fillFPR):
        (JSC::DFG::VariableEvent::spill):
        (JSC::DFG::VariableEvent::death):
        (JSC::DFG::VariableEvent::movHint):
        (JSC::DFG::VariableEvent::id):
        (VariableEvent):
        * dfg/DFGVariableEventStream.cpp:
        (DFG):
        (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
        (JSC::DFG::VariableEventStream::reconstruct):
        * dfg/DFGVariableEventStream.h:
        (VariableEventStream):

2013-01-25  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Rename LLInt projects folder and make appropriate changes to solutions.

        * JavaScriptCore.vcxproj/JavaScriptCore.sln:
        * JavaScriptCore.vcxproj/LLInt: Copied from JavaScriptCore.vcxproj/LLInt.vcproj.
        * JavaScriptCore.vcxproj/LLInt.vcproj: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.make: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj.user: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj.user: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj.user: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: Removed.

2013-01-24  Roger Fong  <roger_fong@apple.com>

        VS2010 JavascriptCore: Clean up property sheets, add a JSC solution, add testRegExp and testAPI projects.
        https://bugs.webkit.org/show_bug.cgi?id=106987

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreCF.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd:
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
        * JavaScriptCore.vcxproj/jsc/jscCommon.props:
        * JavaScriptCore.vcxproj/jsc/jscDebug.props:
        * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd:
        * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd:
        * JavaScriptCore.vcxproj/testRegExp: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.user: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpDebug.props: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props: Added.
        * JavaScriptCore.vcxproj/testapi: Added.
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Added.
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters: Added.
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.user: Added.
        * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Added.
        * JavaScriptCore.vcxproj/testapi/testapiDebug.props: Added.
        * JavaScriptCore.vcxproj/testapi/testapiPostBuild.cmd: Added.
        * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd: Added.
        * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd: Added.
        * JavaScriptCore.vcxproj/testapi/testapiRelease.props: Added.

2013-01-24  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-01-24  Filip Pizlo  <fpizlo@apple.com>

        DFG::JITCompiler::getSpeculation() methods are badly named and superfluous
        https://bugs.webkit.org/show_bug.cgi?id=107860

        Reviewed by Mark Hahnenberg.

        * dfg/DFGJITCompiler.h:
        (JITCompiler):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):

2013-01-24  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Rename JSValue.h/APIJSValue.h to JSCJSValue.h/JSValue.h
        https://bugs.webkit.org/show_bug.cgi?id=107327

        Reviewed by Filip Pizlo.

        We're renaming these two files, so we have to replace the names everywhere.

        * API/APICast.h:
        * API/APIJSValue.h: Removed.
        * API/JSBlockAdaptor.mm:
        * API/JSStringRefCF.cpp:
        * API/JSValue.h: Copied from Source/JavaScriptCore/API/APIJSValue.h.
14154 * API/JSValue.mm: 14155 * API/JSValueInternal.h: 14156 * API/JSValueRef.cpp: 14157 * API/JSWeakObjectMapRefPrivate.cpp: 14158 * API/JavaScriptCore.h: 14159 * CMakeLists.txt: 14160 * GNUmakefile.list.am: 14161 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: 14162 * JavaScriptCore.xcodeproj/project.pbxproj: 14163 * Target.pri: 14164 * bytecode/CallLinkStatus.h: 14165 * bytecode/CodeBlock.cpp: 14166 * bytecode/MethodOfGettingAValueProfile.h: 14167 * bytecode/ResolveGlobalStatus.cpp: 14168 * bytecode/ResolveGlobalStatus.h: 14169 * bytecode/SpeculatedType.h: 14170 * bytecode/ValueRecovery.h: 14171 * dfg/DFGByteCodeParser.cpp: 14172 * dfg/DFGJITCompiler.cpp: 14173 * dfg/DFGNode.h: 14174 * dfg/DFGSpeculativeJIT.cpp: 14175 * dfg/DFGSpeculativeJIT64.cpp: 14176 * heap/CopiedBlock.h: 14177 * heap/HandleStack.cpp: 14178 * heap/HandleTypes.h: 14179 * heap/WeakImpl.h: 14180 * interpreter/Interpreter.h: 14181 * interpreter/Register.h: 14182 * interpreter/VMInspector.h: 14183 * jit/HostCallReturnValue.cpp: 14184 * jit/HostCallReturnValue.h: 14185 * jit/JITCode.h: 14186 * jit/JITExceptions.cpp: 14187 * jit/JITExceptions.h: 14188 * jit/JSInterfaceJIT.h: 14189 * llint/LLIntCLoop.h: 14190 * llint/LLIntData.h: 14191 * llint/LLIntSlowPaths.cpp: 14192 * profiler/ProfilerBytecode.h: 14193 * profiler/ProfilerBytecodeSequence.h: 14194 * profiler/ProfilerBytecodes.h: 14195 * profiler/ProfilerCompilation.h: 14196 * profiler/ProfilerCompiledBytecode.h: 14197 * profiler/ProfilerDatabase.h: 14198 * profiler/ProfilerOSRExit.h: 14199 * profiler/ProfilerOSRExitSite.h: 14200 * profiler/ProfilerOrigin.h: 14201 * profiler/ProfilerOriginStack.h: 14202 * runtime/ArgList.cpp: 14203 * runtime/CachedTranscendentalFunction.h: 14204 * runtime/CallData.h: 14205 * runtime/Completion.h: 14206 * runtime/ConstructData.h: 14207 * runtime/DateConstructor.cpp: 14208 * runtime/DateInstance.cpp: 14209 * runtime/DatePrototype.cpp: 14210 * runtime/JSAPIValueWrapper.h: 14211 * runtime/JSCJSValue.cpp: 
Copied from Source/JavaScriptCore/runtime/JSValue.cpp. 14212 * runtime/JSCJSValue.h: Copied from Source/JavaScriptCore/runtime/JSValue.h. 14213 (JSValue): 14214 * runtime/JSCJSValueInlines.h: Copied from Source/JavaScriptCore/runtime/JSValueInlines.h. 14215 * runtime/JSGlobalData.h: 14216 * runtime/JSGlobalObject.cpp: 14217 * runtime/JSGlobalObjectFunctions.h: 14218 * runtime/JSStringJoiner.h: 14219 * runtime/JSValue.cpp: Removed. 14220 * runtime/JSValue.h: Removed. 14221 * runtime/JSValueInlines.h: Removed. 14222 * runtime/LiteralParser.h: 14223 * runtime/Operations.h: 14224 * runtime/PropertyDescriptor.h: 14225 * runtime/PropertySlot.h: 14226 * runtime/Protect.h: 14227 * runtime/RegExpPrototype.cpp: 14228 * runtime/Structure.h: 14229 142302013-01-23 Oliver Hunt <oliver@apple.com> 14231 14232 Harden JSC a bit with RELEASE_ASSERT 14233 https://bugs.webkit.org/show_bug.cgi?id=107766 14234 14235 Reviewed by Mark Hahnenberg. 14236 14237 Went through and replaced a pile of ASSERTs that were covering 14238 significantly important details (bounds checks, etc) where 14239 having the checks did not impact release performance in any 14240 measurable way. 
14241 14242 * API/JSContextRef.cpp: 14243 (JSContextCreateBacktrace): 14244 * assembler/MacroAssembler.h: 14245 (JSC::MacroAssembler::branchAdd32): 14246 (JSC::MacroAssembler::branchMul32): 14247 * bytecode/CodeBlock.cpp: 14248 (JSC::CodeBlock::dumpBytecode): 14249 (JSC::CodeBlock::handlerForBytecodeOffset): 14250 (JSC::CodeBlock::lineNumberForBytecodeOffset): 14251 (JSC::CodeBlock::bytecodeOffset): 14252 * bytecode/CodeBlock.h: 14253 (JSC::CodeBlock::bytecodeOffsetForCallAtIndex): 14254 (JSC::CodeBlock::bytecodeOffset): 14255 (JSC::CodeBlock::exceptionHandler): 14256 (JSC::CodeBlock::codeOrigin): 14257 (JSC::CodeBlock::immediateSwitchJumpTable): 14258 (JSC::CodeBlock::characterSwitchJumpTable): 14259 (JSC::CodeBlock::stringSwitchJumpTable): 14260 (JSC::CodeBlock::setIdentifiers): 14261 (JSC::baselineCodeBlockForInlineCallFrame): 14262 (JSC::ExecState::uncheckedR): 14263 * bytecode/CodeOrigin.cpp: 14264 (JSC::CodeOrigin::inlineStack): 14265 * bytecode/CodeOrigin.h: 14266 (JSC::CodeOrigin::CodeOrigin): 14267 * dfg/DFGCSEPhase.cpp: 14268 * dfg/DFGOSRExit.cpp: 14269 * dfg/DFGScratchRegisterAllocator.h: 14270 (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer): 14271 (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer): 14272 * dfg/DFGSpeculativeJIT.h: 14273 (JSC::DFG::SpeculativeJIT::allocate): 14274 (JSC::DFG::SpeculativeJIT::spill): 14275 (JSC::DFG::SpeculativeJIT::integerResult): 14276 * dfg/DFGSpeculativeJIT64.cpp: 14277 (JSC::DFG::SpeculativeJIT::fillInteger): 14278 (JSC::DFG::SpeculativeJIT::fillDouble): 14279 (JSC::DFG::SpeculativeJIT::fillJSValue): 14280 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull): 14281 (JSC::DFG::SpeculativeJIT::emitCall): 14282 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): 14283 (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict): 14284 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 14285 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 14286 
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 14287 (JSC::DFG::SpeculativeJIT::compile): 14288 * dfg/DFGValueSource.h: 14289 (JSC::DFG::dataFormatToValueSourceKind): 14290 (JSC::DFG::ValueSource::ValueSource): 14291 * dfg/DFGVirtualRegisterAllocationPhase.cpp: 14292 * heap/BlockAllocator.cpp: 14293 (JSC::BlockAllocator::BlockAllocator): 14294 (JSC::BlockAllocator::releaseFreeRegions): 14295 (JSC::BlockAllocator::blockFreeingThreadMain): 14296 * heap/Heap.cpp: 14297 (JSC::Heap::lastChanceToFinalize): 14298 (JSC::Heap::collect): 14299 * interpreter/Interpreter.cpp: 14300 (JSC::Interpreter::throwException): 14301 (JSC::Interpreter::execute): 14302 * jit/GCAwareJITStubRoutine.cpp: 14303 (JSC::GCAwareJITStubRoutine::observeZeroRefCount): 14304 * jit/JIT.cpp: 14305 (JSC::JIT::privateCompileMainPass): 14306 (JSC::JIT::privateCompileSlowCases): 14307 * jit/JITExceptions.cpp: 14308 (JSC::genericThrow): 14309 * jit/JITInlines.h: 14310 (JSC::JIT::emitLoad): 14311 * jit/JITOpcodes.cpp: 14312 (JSC::JIT::emit_op_end): 14313 (JSC::JIT::emit_resolve_operations): 14314 * jit/JITStubRoutine.cpp: 14315 (JSC::JITStubRoutine::observeZeroRefCount): 14316 * jit/JITStubs.cpp: 14317 (JSC::returnToThrowTrampoline): 14318 * runtime/Arguments.cpp: 14319 (JSC::Arguments::getOwnPropertySlot): 14320 (JSC::Arguments::getOwnPropertyDescriptor): 14321 (JSC::Arguments::deleteProperty): 14322 (JSC::Arguments::defineOwnProperty): 14323 (JSC::Arguments::didTearOffActivation): 14324 * runtime/ArrayPrototype.cpp: 14325 (JSC::shift): 14326 (JSC::unshift): 14327 (JSC::arrayProtoFuncLastIndexOf): 14328 * runtime/ButterflyInlines.h: 14329 (JSC::Butterfly::growPropertyStorage): 14330 * runtime/CodeCache.cpp: 14331 (JSC::CodeCache::getFunctionExecutableFromGlobalCode): 14332 * runtime/CodeCache.h: 14333 (JSC::CacheMap::add): 14334 * runtime/Completion.cpp: 14335 (JSC::checkSyntax): 14336 (JSC::evaluate): 14337 * runtime/Executable.cpp: 14338 (JSC::FunctionExecutable::FunctionExecutable): 14339 
(JSC::EvalExecutable::unlinkCalls): 14340 (JSC::ProgramExecutable::compileOptimized): 14341 (JSC::ProgramExecutable::unlinkCalls): 14342 (JSC::ProgramExecutable::initializeGlobalProperties): 14343 (JSC::FunctionExecutable::baselineCodeBlockFor): 14344 (JSC::FunctionExecutable::compileOptimizedForCall): 14345 (JSC::FunctionExecutable::compileOptimizedForConstruct): 14346 (JSC::FunctionExecutable::compileForCallInternal): 14347 (JSC::FunctionExecutable::compileForConstructInternal): 14348 (JSC::FunctionExecutable::unlinkCalls): 14349 (JSC::NativeExecutable::hashFor): 14350 * runtime/Executable.h: 14351 (JSC::EvalExecutable::compile): 14352 (JSC::ProgramExecutable::compile): 14353 (JSC::FunctionExecutable::compileForCall): 14354 (JSC::FunctionExecutable::compileForConstruct): 14355 * runtime/IndexingHeader.h: 14356 (JSC::IndexingHeader::setVectorLength): 14357 * runtime/JSArray.cpp: 14358 (JSC::JSArray::pop): 14359 (JSC::JSArray::shiftCountWithArrayStorage): 14360 (JSC::JSArray::shiftCountWithAnyIndexingType): 14361 (JSC::JSArray::unshiftCountWithArrayStorage): 14362 * runtime/JSGlobalObjectFunctions.cpp: 14363 (JSC::jsStrDecimalLiteral): 14364 * runtime/JSObject.cpp: 14365 (JSC::JSObject::copyButterfly): 14366 (JSC::JSObject::defineOwnIndexedProperty): 14367 (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): 14368 * runtime/JSString.cpp: 14369 (JSC::JSRopeString::getIndexSlowCase): 14370 * yarr/YarrInterpreter.cpp: 14371 (JSC::Yarr::Interpreter::popParenthesesDisjunctionContext): 14372 143732013-01-23 Filip Pizlo <fpizlo@apple.com> 14374 14375 Constant folding an access to an uncaptured variable that is captured later in the same basic block shouldn't lead to assertion failures 14376 https://bugs.webkit.org/show_bug.cgi?id=107750 14377 <rdar://problem/12387265> 14378 14379 Reviewed by Mark Hahnenberg. 
14380 14381 The point of this assertion was that if there is no variable capturing going on, then there should only be one GetLocal 14382 for the variable anywhere in the basic block. But if there is some capturing, then we'll have an unbounded number of 14383 GetLocals. The assertion was too imprecise for the latter case. I want to keep this assertion, so I introduced a 14384 checker that verifies this precisely: if there are any captured accesses to the variable anywhere at or after the 14385 GetLocal we are eliminating, then we allow redundant GetLocals. 14386 14387 * dfg/DFGConstantFoldingPhase.cpp: 14388 (JSC::DFG::ConstantFoldingPhase::foldConstants): 14389 (ConstantFoldingPhase): 14390 (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter): 14391 143922013-01-23 Oliver Hunt <oliver@apple.com> 14393 14394 Replace ASSERT_NOT_REACHED with RELEASE_ASSERT_NOT_REACHED in JSC 14395 https://bugs.webkit.org/show_bug.cgi?id=107736 14396 14397 Reviewed by Mark Hahnenberg. 14398 14399 Mechanical change with no performance impact. 
14400 14401 * API/JSBlockAdaptor.mm: 14402 (BlockArgumentTypeDelegate::typeVoid): 14403 * API/JSCallbackObjectFunctions.h: 14404 (JSC::::construct): 14405 (JSC::::call): 14406 * API/JSScriptRef.cpp: 14407 * API/ObjCCallbackFunction.mm: 14408 (ArgumentTypeDelegate::typeVoid): 14409 * assembler/ARMv7Assembler.h: 14410 (JSC::ARMv7Assembler::link): 14411 (JSC::ARMv7Assembler::replaceWithLoad): 14412 (JSC::ARMv7Assembler::replaceWithAddressComputation): 14413 * assembler/MacroAssembler.h: 14414 (JSC::MacroAssembler::invert): 14415 * assembler/MacroAssemblerARM.h: 14416 (JSC::MacroAssemblerARM::countLeadingZeros32): 14417 (JSC::MacroAssemblerARM::divDouble): 14418 * assembler/MacroAssemblerMIPS.h: 14419 (JSC::MacroAssemblerMIPS::absDouble): 14420 (JSC::MacroAssemblerMIPS::replaceWithJump): 14421 (JSC::MacroAssemblerMIPS::maxJumpReplacementSize): 14422 * assembler/MacroAssemblerSH4.h: 14423 (JSC::MacroAssemblerSH4::absDouble): 14424 (JSC::MacroAssemblerSH4::replaceWithJump): 14425 (JSC::MacroAssemblerSH4::maxJumpReplacementSize): 14426 * assembler/SH4Assembler.h: 14427 (JSC::SH4Assembler::shllImm8r): 14428 (JSC::SH4Assembler::shlrImm8r): 14429 (JSC::SH4Assembler::cmplRegReg): 14430 (JSC::SH4Assembler::branch): 14431 * assembler/X86Assembler.h: 14432 (JSC::X86Assembler::replaceWithLoad): 14433 (JSC::X86Assembler::replaceWithAddressComputation): 14434 * bytecode/CallLinkInfo.cpp: 14435 (JSC::CallLinkInfo::unlink): 14436 * bytecode/CodeBlock.cpp: 14437 (JSC::debugHookName): 14438 (JSC::CodeBlock::printGetByIdOp): 14439 (JSC::CodeBlock::printGetByIdCacheStatus): 14440 (JSC::CodeBlock::visitAggregate): 14441 (JSC::CodeBlock::finalizeUnconditionally): 14442 (JSC::CodeBlock::usesOpcode): 14443 * bytecode/DataFormat.h: 14444 (JSC::needDataFormatConversion): 14445 * bytecode/ExitKind.cpp: 14446 (JSC::exitKindToString): 14447 (JSC::exitKindIsCountable): 14448 * bytecode/MethodOfGettingAValueProfile.cpp: 14449 (JSC::MethodOfGettingAValueProfile::getSpecFailBucket): 14450 * 
bytecode/Opcode.h: 14451 (JSC::opcodeLength): 14452 * bytecode/PolymorphicPutByIdList.cpp: 14453 (JSC::PutByIdAccess::fromStructureStubInfo): 14454 (JSC::PutByIdAccess::visitWeak): 14455 * bytecode/StructureStubInfo.cpp: 14456 (JSC::StructureStubInfo::deref): 14457 * bytecompiler/BytecodeGenerator.cpp: 14458 (JSC::ResolveResult::checkValidity): 14459 (JSC::BytecodeGenerator::emitGetLocalVar): 14460 (JSC::BytecodeGenerator::beginSwitch): 14461 * bytecompiler/NodesCodegen.cpp: 14462 (JSC::BinaryOpNode::emitBytecode): 14463 (JSC::emitReadModifyAssignment): 14464 * dfg/DFGAbstractState.cpp: 14465 (JSC::DFG::AbstractState::execute): 14466 (JSC::DFG::AbstractState::mergeStateAtTail): 14467 (JSC::DFG::AbstractState::mergeToSuccessors): 14468 * dfg/DFGByteCodeParser.cpp: 14469 (JSC::DFG::ByteCodeParser::makeSafe): 14470 (JSC::DFG::ByteCodeParser::parseBlock): 14471 * dfg/DFGCFGSimplificationPhase.cpp: 14472 (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal): 14473 (JSC::DFG::CFGSimplificationPhase::fixTailOperand): 14474 * dfg/DFGCSEPhase.cpp: 14475 (JSC::DFG::CSEPhase::setLocalStoreElimination): 14476 * dfg/DFGCapabilities.cpp: 14477 (JSC::DFG::canHandleOpcodes): 14478 * dfg/DFGCommon.h: 14479 (JSC::DFG::useKindToString): 14480 * dfg/DFGDoubleFormatState.h: 14481 (JSC::DFG::mergeDoubleFormatStates): 14482 (JSC::DFG::doubleFormatStateToString): 14483 * dfg/DFGFixupPhase.cpp: 14484 (JSC::DFG::FixupPhase::blessArrayOperation): 14485 * dfg/DFGGraph.h: 14486 (JSC::DFG::Graph::clobbersWorld): 14487 * dfg/DFGNode.h: 14488 (JSC::DFG::Node::valueOfJSConstant): 14489 (JSC::DFG::Node::successor): 14490 * dfg/DFGNodeFlags.cpp: 14491 (JSC::DFG::nodeFlagsAsString): 14492 * dfg/DFGNodeType.h: 14493 (JSC::DFG::defaultFlags): 14494 * dfg/DFGRepatch.h: 14495 (JSC::DFG::dfgResetGetByID): 14496 (JSC::DFG::dfgResetPutByID): 14497 * dfg/DFGSlowPathGenerator.h: 14498 (JSC::DFG::SlowPathGenerator::call): 14499 * dfg/DFGSpeculativeJIT.cpp: 14500 
(JSC::DFG::SpeculativeJIT::silentSavePlanForGPR): 14501 (JSC::DFG::SpeculativeJIT::silentSpill): 14502 (JSC::DFG::SpeculativeJIT::silentFill): 14503 (JSC::DFG::SpeculativeJIT::checkArray): 14504 (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32): 14505 (JSC::DFG::SpeculativeJIT::compileValueToInt32): 14506 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): 14507 (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray): 14508 * dfg/DFGSpeculativeJIT.h: 14509 (JSC::DFG::SpeculativeJIT::bitOp): 14510 (JSC::DFG::SpeculativeJIT::shiftOp): 14511 (JSC::DFG::SpeculativeJIT::integerResult): 14512 * dfg/DFGSpeculativeJIT32_64.cpp: 14513 (JSC::DFG::SpeculativeJIT::fillInteger): 14514 (JSC::DFG::SpeculativeJIT::fillDouble): 14515 (JSC::DFG::SpeculativeJIT::fillJSValue): 14516 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): 14517 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 14518 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 14519 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 14520 (JSC::DFG::SpeculativeJIT::compile): 14521 * dfg/DFGSpeculativeJIT64.cpp: 14522 (JSC::DFG::SpeculativeJIT::fillInteger): 14523 (JSC::DFG::SpeculativeJIT::fillDouble): 14524 (JSC::DFG::SpeculativeJIT::fillJSValue): 14525 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): 14526 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 14527 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 14528 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 14529 (JSC::DFG::SpeculativeJIT::compile): 14530 * dfg/DFGStructureCheckHoistingPhase.cpp: 14531 (JSC::DFG::StructureCheckHoistingPhase::run): 14532 * dfg/DFGValueSource.h: 14533 (JSC::DFG::ValueSource::valueRecovery): 14534 * dfg/DFGVariableEvent.cpp: 14535 (JSC::DFG::VariableEvent::dump): 14536 * dfg/DFGVariableEventStream.cpp: 14537 (JSC::DFG::VariableEventStream::reconstruct): 14538 * heap/BlockAllocator.h: 14539 (JSC::BlockAllocator::regionSetFor): 14540 * heap/GCThread.cpp: 14541 (JSC::GCThread::gcThreadMain): 14542 * 
heap/MarkedBlock.cpp: 14543 (JSC::MarkedBlock::sweepHelper): 14544 * heap/MarkedBlock.h: 14545 (JSC::MarkedBlock::isLive): 14546 * interpreter/CallFrame.h: 14547 (JSC::ExecState::inlineCallFrame): 14548 * interpreter/Interpreter.cpp: 14549 (JSC::getCallerInfo): 14550 (JSC::getStackFrameCodeType): 14551 (JSC::Interpreter::execute): 14552 * jit/ExecutableAllocatorFixedVMPool.cpp: 14553 (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree): 14554 * jit/JIT.cpp: 14555 (JSC::JIT::privateCompileMainPass): 14556 (JSC::JIT::privateCompileSlowCases): 14557 (JSC::JIT::privateCompile): 14558 * jit/JITArithmetic.cpp: 14559 (JSC::JIT::emitSlow_op_mod): 14560 * jit/JITArithmetic32_64.cpp: 14561 (JSC::JIT::emitBinaryDoubleOp): 14562 (JSC::JIT::emitSlow_op_mod): 14563 * jit/JITPropertyAccess.cpp: 14564 (JSC::JIT::isDirectPutById): 14565 * jit/JITStubs.cpp: 14566 (JSC::getPolymorphicAccessStructureListSlot): 14567 (JSC::DEFINE_STUB_FUNCTION): 14568 * llint/LLIntSlowPaths.cpp: 14569 (JSC::LLInt::jitCompileAndSetHeuristics): 14570 * parser/Lexer.cpp: 14571 (JSC::::lex): 14572 * parser/Nodes.h: 14573 (JSC::ExpressionNode::emitBytecodeInConditionContext): 14574 * parser/Parser.h: 14575 (JSC::Parser::getTokenName): 14576 (JSC::Parser::updateErrorMessageSpecialCase): 14577 * parser/SyntaxChecker.h: 14578 (JSC::SyntaxChecker::operatorStackPop): 14579 * runtime/Arguments.cpp: 14580 (JSC::Arguments::tearOffForInlineCallFrame): 14581 * runtime/DatePrototype.cpp: 14582 (JSC::formatLocaleDate): 14583 * runtime/Executable.cpp: 14584 (JSC::samplingDescription): 14585 * runtime/Executable.h: 14586 (JSC::ScriptExecutable::unlinkCalls): 14587 * runtime/Identifier.cpp: 14588 (JSC): 14589 * runtime/InternalFunction.cpp: 14590 (JSC::InternalFunction::getCallData): 14591 * runtime/JSArray.cpp: 14592 (JSC::JSArray::push): 14593 (JSC::JSArray::sort): 14594 * runtime/JSCell.cpp: 14595 (JSC::JSCell::defaultValue): 14596 (JSC::JSCell::getOwnPropertyNames): 14597 (JSC::JSCell::getOwnNonIndexPropertyNames): 
14598 (JSC::JSCell::className): 14599 (JSC::JSCell::getPropertyNames): 14600 (JSC::JSCell::customHasInstance): 14601 (JSC::JSCell::putDirectVirtual): 14602 (JSC::JSCell::defineOwnProperty): 14603 (JSC::JSCell::getOwnPropertyDescriptor): 14604 * runtime/JSCell.h: 14605 (JSCell): 14606 * runtime/JSNameScope.cpp: 14607 (JSC::JSNameScope::put): 14608 * runtime/JSObject.cpp: 14609 (JSC::JSObject::getOwnPropertySlotByIndex): 14610 (JSC::JSObject::putByIndex): 14611 (JSC::JSObject::ensureArrayStorageSlow): 14612 (JSC::JSObject::deletePropertyByIndex): 14613 (JSC::JSObject::getOwnPropertyNames): 14614 (JSC::JSObject::putByIndexBeyondVectorLength): 14615 (JSC::JSObject::putDirectIndexBeyondVectorLength): 14616 (JSC::JSObject::getOwnPropertyDescriptor): 14617 * runtime/JSObject.h: 14618 (JSC::JSObject::canGetIndexQuickly): 14619 (JSC::JSObject::getIndexQuickly): 14620 (JSC::JSObject::tryGetIndexQuickly): 14621 (JSC::JSObject::canSetIndexQuickly): 14622 (JSC::JSObject::canSetIndexQuicklyForPutDirect): 14623 (JSC::JSObject::setIndexQuickly): 14624 (JSC::JSObject::initializeIndex): 14625 (JSC::JSObject::hasSparseMap): 14626 (JSC::JSObject::inSparseIndexingMode): 14627 * runtime/JSScope.cpp: 14628 (JSC::JSScope::isDynamicScope): 14629 * runtime/JSSymbolTableObject.cpp: 14630 (JSC::JSSymbolTableObject::putDirectVirtual): 14631 * runtime/JSSymbolTableObject.h: 14632 (JSSymbolTableObject): 14633 * runtime/LiteralParser.cpp: 14634 (JSC::::parse): 14635 * runtime/RegExp.cpp: 14636 (JSC::RegExp::compile): 14637 (JSC::RegExp::compileMatchOnly): 14638 * runtime/StructureTransitionTable.h: 14639 (JSC::newIndexingType): 14640 * tools/CodeProfile.cpp: 14641 (JSC::CodeProfile::sample): 14642 * yarr/YarrCanonicalizeUCS2.h: 14643 (JSC::Yarr::getCanonicalPair): 14644 (JSC::Yarr::areCanonicallyEquivalent): 14645 * yarr/YarrInterpreter.cpp: 14646 (JSC::Yarr::Interpreter::matchCharacterClass): 14647 (JSC::Yarr::Interpreter::matchBackReference): 14648 
(JSC::Yarr::Interpreter::backtrackParenthesesTerminalEnd): 14649 (JSC::Yarr::Interpreter::matchParentheses): 14650 (JSC::Yarr::Interpreter::backtrackParentheses): 14651 (JSC::Yarr::Interpreter::matchDisjunction): 14652 * yarr/YarrJIT.cpp: 14653 (JSC::Yarr::YarrGenerator::generateTerm): 14654 (JSC::Yarr::YarrGenerator::backtrackTerm): 14655 * yarr/YarrParser.h: 14656 (JSC::Yarr::Parser::CharacterClassParserDelegate::assertionWordBoundary): 14657 (JSC::Yarr::Parser::CharacterClassParserDelegate::atomBackReference): 14658 * yarr/YarrPattern.cpp: 14659 (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn): 14660 146612013-01-23 Tony Chang <tony@chromium.org> 14662 14663 Unreviewed, set svn:eol-style to CRLF on Windows .sln files. 14664 14665 * JavaScriptCore.vcproj/JavaScriptCore.sln: Modified property svn:eol-style. 14666 * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Modified property svn:eol-style. 14667 146682013-01-23 Oliver Hunt <oliver@apple.com> 14669 14670 Replace numerous manual CRASH's in JSC with RELEASE_ASSERT 14671 https://bugs.webkit.org/show_bug.cgi?id=107726 14672 14673 Reviewed by Filip Pizlo. 
14674 14675 Fairly manual change from if (foo) CRASH(); to RELEASE_ASSERT(!foo); 14676 14677 * assembler/MacroAssembler.h: 14678 (JSC::MacroAssembler::branchAdd32): 14679 (JSC::MacroAssembler::branchMul32): 14680 * bytecode/CodeBlockHash.cpp: 14681 (JSC::CodeBlockHash::CodeBlockHash): 14682 * heap/BlockAllocator.h: 14683 (JSC::Region::create): 14684 (JSC::Region::createCustomSize): 14685 * heap/GCAssertions.h: 14686 * heap/HandleSet.cpp: 14687 (JSC::HandleSet::visitStrongHandles): 14688 (JSC::HandleSet::writeBarrier): 14689 * heap/HandleSet.h: 14690 (JSC::HandleSet::allocate): 14691 * heap/Heap.cpp: 14692 (JSC::Heap::collect): 14693 * heap/SlotVisitor.cpp: 14694 (JSC::SlotVisitor::validate): 14695 * interpreter/Interpreter.cpp: 14696 (JSC::Interpreter::execute): 14697 * jit/ExecutableAllocator.cpp: 14698 (JSC::DemandExecutableAllocator::allocateNewSpace): 14699 (JSC::ExecutableAllocator::allocate): 14700 * jit/ExecutableAllocator.h: 14701 (JSC::roundUpAllocationSize): 14702 * jit/ExecutableAllocatorFixedVMPool.cpp: 14703 (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): 14704 (JSC::ExecutableAllocator::allocate): 14705 * runtime/ButterflyInlines.h: 14706 (JSC::Butterfly::createUninitialized): 14707 * runtime/Completion.cpp: 14708 (JSC::evaluate): 14709 * runtime/JSArray.h: 14710 (JSC::constructArray): 14711 * runtime/JSGlobalObject.cpp: 14712 (JSC::slowValidateCell): 14713 * runtime/JSObject.cpp: 14714 (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists): 14715 (JSC::JSObject::createArrayStorage): 14716 * tools/TieredMMapArray.h: 14717 (JSC::TieredMMapArray::append): 14718 * yarr/YarrInterpreter.cpp: 14719 (JSC::Yarr::Interpreter::allocDisjunctionContext): 14720 (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext): 14721 (JSC::Yarr::Interpreter::InputStream::readChecked): 14722 (JSC::Yarr::Interpreter::InputStream::uncheckInput): 14723 (JSC::Yarr::Interpreter::InputStream::atEnd): 14724 
(JSC::Yarr::Interpreter::interpret): 14725 147262013-01-22 Filip Pizlo <fpizlo@apple.com> 14727 14728 Convert CSE phase to not rely too much on NodeIndex 14729 https://bugs.webkit.org/show_bug.cgi?id=107616 14730 14731 Reviewed by Geoffrey Garen. 14732 14733 - Instead of looping over the graph (which assumes that you can simply loop over all 14734 nodes without considering blocks first) to reset node.replacement, do that in the 14735 loop that sets up relevantToOSR, just before running CSE on the block. 14736 14737 - Instead of having a relevantToOSR bitvector indexed by NodeIndex, made 14738 NodeRelevantToOSR be a NodeFlag. We had exactly one bit left in NodeFlags, so I did 14739 some reshuffling to fit it in. 14740 14741 * dfg/DFGCSEPhase.cpp: 14742 (JSC::DFG::CSEPhase::CSEPhase): 14743 (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren): 14744 (JSC::DFG::CSEPhase::performNodeCSE): 14745 (JSC::DFG::CSEPhase::performBlockCSE): 14746 (CSEPhase): 14747 * dfg/DFGNodeFlags.h: 14748 (DFG): 14749 * dfg/DFGNodeType.h: 14750 (DFG): 14751 147522013-01-21 Kentaro Hara <haraken@chromium.org> 14753 14754 Implement UIEvent constructor 14755 https://bugs.webkit.org/show_bug.cgi?id=107430 14756 14757 Reviewed by Adam Barth. 14758 14759 Editor's draft: https://dvcs.w3.org/hg/d4e/raw-file/tip/source_respec.htm 14760 14761 UIEvent constructor is implemented under a DOM4_EVENTS_CONSTRUCTOR flag, 14762 which is enabled on Safari and Chromium for now. 14763 14764 * Configurations/FeatureDefines.xcconfig: 14765 147662013-01-22 Roger Fong <roger_fong@apple.com> 14767 14768 Unreviewed VS2010 build fix following r140259. 14769 14770 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: 14771 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: 14772 147732013-01-22 Roger Fong <roger_fong@apple.com> 14774 14775 JavaScriptCore property sheets, project files and modified build scripts. 14776 https://bugs.webkit.org/show_bug.cgi?id=106987 14777 14778 Reviewed by Brent Fulgham. 
14779 14780 * JavaScriptCore.vcxproj: Added. 14781 * JavaScriptCore.vcxproj/JavaScriptCore.resources: Added. 14782 * JavaScriptCore.vcxproj/JavaScriptCore.resources/Info.plist: Added. 14783 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added. 14784 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Added. 14785 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.user: Added. 14786 * JavaScriptCore.vcxproj/JavaScriptCoreCF.props: Added. 14787 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Added. 14788 * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props: Added. 14789 * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Added. 14790 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: Added. 14791 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Added. 14792 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters: Added. 14793 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.user: Added. 14794 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedCommon.props: Added. 14795 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props: Added. 14796 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props: Added. 14797 * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Added. 14798 * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Added. 14799 * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: Added. 14800 * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props: Added. 14801 * JavaScriptCore.vcxproj/LLInt.vcproj: Added. 14802 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly: Added. 14803 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.make: Added. 14804 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj: Added. 14805 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj.user: Added. 14806 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Added. 14807 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets: Added. 
14808 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Added. 14809 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Added. 14810 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj.user: Added. 14811 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Added. 14812 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor: Added. 14813 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: Added. 14814 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj.user: Added. 14815 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: Added. 14816 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Added. 14817 * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: Added. 14818 * JavaScriptCore.vcxproj/build-generated-files.sh: Added. 14819 * JavaScriptCore.vcxproj/copy-files.cmd: Added. 14820 * JavaScriptCore.vcxproj/jsc: Added. 14821 * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Added. 14822 * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters: Added. 14823 * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.user: Added. 14824 * JavaScriptCore.vcxproj/jsc/jscCommon.props: Added. 14825 * JavaScriptCore.vcxproj/jsc/jscDebug.props: Added. 14826 * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd: Added. 14827 * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd: Added. 14828 * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd: Added. 14829 * JavaScriptCore.vcxproj/jsc/jscRelease.props: Added. 14830 * config.h: 14831 148322013-01-22 Joseph Pecoraro <pecoraro@apple.com> 14833 14834 [Mac] Enable Page Visibility (PAGE_VISIBILITY_API) 14835 https://bugs.webkit.org/show_bug.cgi?id=107230 14836 14837 Reviewed by David Kilzer. 
14838 14839 * Configurations/FeatureDefines.xcconfig: 14840 148412013-01-22 Tobias Netzel <tobias.netzel@googlemail.com> 14842 14843 Yarr JIT isn't big endian compatible 14844 https://bugs.webkit.org/show_bug.cgi?id=102897 14845 14846 Reviewed by Oliver Hunt. 14847 14848 This patch was tested in the current mozilla codebase only and has passed the regexp tests there. 14849 14850 * yarr/YarrJIT.cpp: 14851 (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce): 14852 148532013-01-22 David Kilzer <ddkilzer@apple.com> 14854 14855 Fix DateMath.cpp to compile with -Wshorten-64-to-32 14856 <http://webkit.org/b/107503> 14857 14858 Reviewed by Darin Adler. 14859 14860 * runtime/JSDateMath.cpp: 14861 (JSC::parseDateFromNullTerminatedCharacters): Remove unneeded 14862 static_cast<int>(). 14863 148642013-01-22 Tim Horton <timothy_horton@apple.com> 14865 14866 PDFPlugin: Build PDFPlugin everywhere, enable at runtime 14867 https://bugs.webkit.org/show_bug.cgi?id=107117 14868 14869 Reviewed by Alexey Proskuryakov. 14870 14871 Since PDFLayerController SPI is all forward-declared, the plugin should build 14872 on all Mac platforms, and can be enabled at runtime. 14873 14874 * Configurations/FeatureDefines.xcconfig: 14875 148762013-01-21 Justin Schuh <jschuh@chromium.org> 14877 14878 [CHROMIUM] Suppress c4267 build warnings for Win64 targets 14879 https://bugs.webkit.org/show_bug.cgi?id=107499 14880 14881 Reviewed by Abhishek Arya. 14882 14883 * JavaScriptCore.gyp/JavaScriptCore.gyp: 14884 148852013-01-21 Dirk Schulze <dschulze@adobe.com> 14886 14887 Add build flag for Canvas's Path object (disabled by default) 14888 https://bugs.webkit.org/show_bug.cgi?id=107473 14889 14890 Reviewed by Dean Jackson. 14891 14892 Add CANVAS_PATH build flag to build systems. 
14893 14894 * Configurations/FeatureDefines.xcconfig: 14895 148962013-01-20 Geoffrey Garen <ggaren@apple.com> 14897 14898 Weak GC maps should be easier to use 14899 https://bugs.webkit.org/show_bug.cgi?id=107312 14900 14901 Reviewed by Sam Weinig. 14902 14903 Follow-up fix. 14904 14905 * runtime/PrototypeMap.cpp: 14906 (JSC::PrototypeMap::emptyObjectStructureForPrototype): Restored this 14907 ASSERT, which was disabled because of a bug in WeakGCMap. 14908 14909 * runtime/WeakGCMap.h: 14910 (JSC::WeakGCMap::add): We can't pass our passed-in value to add() because 14911 a PassWeak() clears itself when passed to another function. So, we pass 14912 nullptr instead, and fix things up afterwards. 14913 149142013-01-20 Geoffrey Garen <ggaren@apple.com> 14915 14916 Unreviewed. 14917 14918 Temporarily disabling this ASSERT to get the bots green 14919 while I investigate a fix. 14920 14921 * runtime/PrototypeMap.cpp: 14922 (JSC::PrototypeMap::emptyObjectStructureForPrototype): 14923 149242013-01-20 Filip Pizlo <fpizlo@apple.com> 14925 14926 Inserting a node into the DFG graph should not require five lines of code 14927 https://bugs.webkit.org/show_bug.cgi?id=107381 14928 14929 Reviewed by Sam Weinig. 14930 14931 This adds fairly comprehensive support for inserting a node into a DFG graph in one 14932 method call. A common example of this is: 14933 14934 m_insertionSet.insertNode(indexInBlock, DontRefChildren, DontRefNode, SpecNone, ForceOSRExit, codeOrigin); 14935 14936 The arguments to insert() specify what reference counting you need to have happen 14937 (RefChildren => recursively refs all children, RefNode => non-recursively refs the node 14938 that was created), the prediction to set (SpecNone is a common default), followed by 14939 the arguments to the Node() constructor. InsertionSet::insertNode() and similar methods 14940 (Graph::addNode() and BasicBlock::appendNode()) all use a common variadic template 14941 function macro from DFGVariadicFunction.h. 
        Also, all of these methods will automatically
        non-recursively ref() the node being created if the flags say NodeMustGenerate.

        In all, this new mechanism retains the flexibility of the old approach (you get to
        manage ref counts yourself, albeit in less code) while ensuring that most code that adds
        nodes to the graph now needs less code to do it.

        In the future, we should revisit the reference counting methodology in the DFG: we could
        do like most compilers and get rid of it entirely, or we could make it automatic. This
        patch doesn't attempt to make any such major changes, and only seeks to simplify the
        technique we were already using (manual ref counting).

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Operands.h:
        (JSC::dumpOperands):
        * dfg/DFGAdjacencyList.h:
        (AdjacencyList):
        (JSC::DFG::AdjacencyList::kind):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGBasicBlock.h:
        (DFG):
        (BasicBlock):
        * dfg/DFGBasicBlockInlines.h: Added.
        (DFG):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
        (ConstantFoldingPhase):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::FixupPhase):
        (JSC::DFG::FixupPhase::fixupBlock):
        (JSC::DFG::FixupPhase::fixupNode):
        (FixupPhase):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::ref):
        (Graph):
        * dfg/DFGInsertionSet.h:
        (DFG):
        (JSC::DFG::Insertion::Insertion):
        (JSC::DFG::Insertion::element):
        (Insertion):
        (JSC::DFG::InsertionSet::InsertionSet):
        (JSC::DFG::InsertionSet::insert):
        (InsertionSet):
        (JSC::DFG::InsertionSet::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (Node):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * dfg/DFGVariadicFunction.h: Added.

2013-01-19  Geoffrey Garen  <ggaren@apple.com>

        Track inheritance structures in a side table, instead of using a private
        name in each prototype
        https://bugs.webkit.org/show_bug.cgi?id=107378

        Reviewed by Sam Weinig and Phil Pizlo.

        This is a step toward object size inference.

        Using a side table frees us to use a more complex key (a pair of
        prototype and expected inline capacity).

        It also avoids ruining inline caches for prototypes.
        (Adding a new private
        name for a new inline capacity would change the prototype's structure,
        possibly firing watchpoints, making inline caches go polymorphic, and
        generally causing us to have a bad time.)

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri: Buildage.

        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation): Updated to use new side table API.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::cacheInheritorID): Updated to use new side table API.

        (JSC::JSFunction::visitChildren): Fixed a long-standing bug where JSFunction
        forgot to visit one of its data members (m_cachedInheritorID). This
        wasn't a user-visible problem before because JSFunction would always
        visit its .prototype property, which visited its m_cachedInheritorID.
        But now, function.prototype only weakly owns function.m_cachedInheritorID.

        * runtime/JSGlobalData.h:
        (JSGlobalData): Added the map, taking care to make sure that its
        destructor would run after the heap destructor.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset): Updated to use new side table API.

        * runtime/JSObject.cpp:
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::setPrototype):
        * runtime/JSObject.h:
        (JSObject): Updated to use new side table API, and removed lots of code
        that used to manage the per-object private name.

        * runtime/JSProxy.cpp:
        (JSC::JSProxy::setTarget):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorCreate):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation): Updated to use new side table API.

        * runtime/PrototypeMap.cpp: Added.
        (JSC):
        (JSC::PrototypeMap::addPrototype):
        (JSC::PrototypeMap::emptyObjectStructureForPrototype):
        * runtime/PrototypeMap.h: Added.
        (PrototypeMap):
        (JSC::PrototypeMap::isPrototype):
        (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype): New side table.
        This is a simple weak map, mapping an object to the structure you should
        use when inheriting from that object. (In future, inline capacity will
        be a part of the mapping.)

        I used two maps to preserve existing behavior that allowed us to speculate
        about an object becoming a prototype, even if it wasn't one at the moment.
        However, I suspect that behavior can be removed without harm.

        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::contains):
        (WeakGCMap): I would rate myself a 6 / 10 in C++.

2013-01-18  Dan Bernstein  <mitz@apple.com>

        Removed duplicate references to two headers in the project files.

        Rubber-stamped by Mark Rowe.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-01-18  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix for building JSC with DFG_ENABLE_DEBUG_PROPAGATION_VERBOSE enabled in DFGCommon.h.
        Fixes the case where the argument node in fixupNode is freed due to the Vector storage being reallocated.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-01-18  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix for release builds when DFG_ENABLE_DEBUG_PROPAGATION_VERBOSE is set to 1 in DFGCommon.h.

        * dfg/DFGCFAPhase.cpp: Added #include "Operations.h"

2013-01-18  Michael Saboff  <msaboff@apple.com>

        Change set r140201 broke editing/selection/move-by-word-visually-multi-line.html
        https://bugs.webkit.org/show_bug.cgi?id=107340

        Reviewed by Filip Pizlo.
        Due to the change landed in r140201, more nodes might end up
        generating Int32ToDouble nodes. Therefore, changed the JSVALUE64
        constant path of compileInt32ToDouble() to use the more
        restrictive isInt32Constant() check on the input. This check was
        the same as the existing ASSERT() so the ASSERT was eliminated.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):

2013-01-18  Viatcheslav Ostapenko  <sl.ostapenko@samsung.com>

        Weak GC maps should be easier to use
        https://bugs.webkit.org/show_bug.cgi?id=107312

        Reviewed by Ryosuke Niwa.

        Build fix for linux platforms after r140194.

        * runtime/WeakGCMap.h:
        (WeakGCMap):

2013-01-18  Michael Saboff  <msaboff@apple.com>

        Harden ArithDiv of integers fix-up by inserting Int32ToDouble node directly
        https://bugs.webkit.org/show_bug.cgi?id=107321

        Reviewed by Filip Pizlo.

        Split out the Int32ToDouble node insertion from fixDoubleEdge() and used it directly when we're fixing up
        an ArithDiv node with integer inputs and output for platforms that don't have integer division.
        Since we are checking that our inputs should be ints, we can just insert the Int32ToDouble node
        without any further checks.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixDoubleEdge):
        (FixupPhase):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):

2013-01-18  Michael Saboff  <msaboff@apple.com>

        Fix up of ArithDiv nodes for non-x86 CPUs is broken
        https://bugs.webkit.org/show_bug.cgi?id=107309

        Reviewed by Filip Pizlo.

        Changed the logic so that we insert an Int32ToDouble node when the existing edge is not SpecDouble.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixDoubleEdge):

2013-01-18  Dan Bernstein  <mitz@apple.com>

        Tried to fix the build after r140194.

        * API/JSWrapperMap.mm:
        (-[JSWrapperMap wrapperForObject:]):

2013-01-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Update documentation for JSValue and JSContext
        https://bugs.webkit.org/show_bug.cgi?id=107313

        Reviewed by Geoffrey Garen.

        After changing the semantics of object lifetime we need to update the API documentation to reflect the new semantics.

        * API/APIJSValue.h:
        * API/JSContext.h:

2013-01-18  Balazs Kilvady  <kilvadyb@homejinni.com>

        r134080 causes heap problem on linux systems where PAGESIZE != 4096
        https://bugs.webkit.org/show_bug.cgi?id=102828

        Reviewed by Mark Hahnenberg.

        Make MarkStackSegment::blockSize the capacity of segments of a MarkStackArray.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * heap/MarkStack.cpp:
        (JSC):
        (JSC::MarkStackArray::MarkStackArray):
        (JSC::MarkStackArray::expand):
        (JSC::MarkStackArray::donateSomeCellsTo):
        (JSC::MarkStackArray::stealSomeCellsFrom):
        * heap/MarkStack.h:
        (JSC::MarkStackSegment::data):
        (CapacityFromSize):
        (MarkStackArray):
        * heap/MarkStackInlines.h:
        (JSC::MarkStackArray::setTopForFullSegment):
        (JSC::MarkStackArray::append):
        (JSC::MarkStackArray::isEmpty):
        (JSC::MarkStackArray::size):
        * runtime/Options.h:
        (JSC):

2013-01-18  Geoffrey Garen  <ggaren@apple.com>

        Weak GC maps should be easier to use
        https://bugs.webkit.org/show_bug.cgi?id=107312

        Reviewed by Sam Weinig.
        This patch changes WeakGCMap to not use a WeakImpl finalizer to remove
        items from the map, and to instead have the map automatically remove
        stale items itself upon insertion. This has a few advantages:

        (1) WeakGCMap is now compatible with all the specializations you would
        use for HashMap.

        (2) There's no need for clients to write special finalization munging
        functions.

        (3) Clients can specify custom value finalizers if they like.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Def!

        * API/JSWeakObjectMapRefPrivate.cpp: Setter no longer requires a global
        data, since we've reduced interdependency.

        * heap/Handle.h: No more need to forward declare, since we've reduced
        interdependency.

        * heap/Weak.h:
        (Weak): Use explicit so we can assign directly to a weak map iterator
        without ambiguity between Weak<T> and PassWeak<T>.

        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::add): See above.

        * runtime/Structure.h:
        (JSC):
        * runtime/StructureTransitionTable.h:
        (StructureTransitionTable): Bad code goes away, programmer happy.

        * runtime/WeakGCMap.h:
        (JSC):
        (WeakGCMap):
        (JSC::WeakGCMap::WeakGCMap):
        (JSC::WeakGCMap::set):
        (JSC::WeakGCMap::add):
        (JSC::WeakGCMap::find):
        (JSC::WeakGCMap::contains):
        (JSC::WeakGCMap::gcMap):
        (JSC::WeakGCMap::gcMapIfNeeded): Inherit from HashMap and override any
        function that might observe a Weak<T> that has died, just enough to
        make such items appear as if they are not in the table.

2013-01-18  Michael Saboff  <msaboff@apple.com>

        Refactor isPowerOf2() and add getLSBSet()
        https://bugs.webkit.org/show_bug.cgi?id=107306

        Reviewed by Filip Pizlo.
        Moved implementation of isPowerOf2() to new hasOneBitSet() in wtf/MathExtras.h.

        * runtime/PropertyMapHashTable.h:
        (JSC::isPowerOf2):

2013-01-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Clean up JSValue.mm
        https://bugs.webkit.org/show_bug.cgi?id=107163

        Reviewed by Darin Adler.

        m_context is no longer weak, so there is now a lot of dead code in JSValue.mm, and a wasted message send
        on every API call. In the head of just about every method in JSValue.mm we're doing:

            JSContext *context = [self context];
            if (!context)
                return nil;

        This is getting a retained copy of the context, which is no longer necessary now m_context is no longer weak.
        We can just delete all these lines from all functions doing this, and where they were referring to the local
        variable 'context', instead we can just access m_context directly.

        Since we're already going to be modifying most of JSValue.mm, we'll also do the following:

        1) context @property is no longer weak – the context property is declared as:

            @property(readonly, weak) JSContext *context;

        This is really only informative (since we're not presently synthesizing the ivar), but it is now misleading.
        We should change it to:

            @property(readonly, retain) JSContext *context;

        2) the JSContext ivar and accessor can be automatically generated. Since we're no longer doing anything
        special with m_context, we can just let the compiler handle the ivar for us. We'll delete:

            JSContext *m_context;

        and:

            - (JSContext *)context
            {
                return m_context;
            }

        and find&replace "m_context" to "_context" in JSValue.mm.
        * API/APIJSValue.h:
        * API/JSValue.mm:
        (-[JSValue toObject]):
        (-[JSValue toBool]):
        (-[JSValue toDouble]):
        (-[JSValue toNumber]):
        (-[JSValue toString]):
        (-[JSValue toDate]):
        (-[JSValue toArray]):
        (-[JSValue toDictionary]):
        (-[JSValue valueForProperty:]):
        (-[JSValue setValue:forProperty:]):
        (-[JSValue deleteProperty:]):
        (-[JSValue hasProperty:]):
        (-[JSValue defineProperty:descriptor:]):
        (-[JSValue valueAtIndex:]):
        (-[JSValue setValue:atIndex:]):
        (-[JSValue isUndefined]):
        (-[JSValue isNull]):
        (-[JSValue isBoolean]):
        (-[JSValue isNumber]):
        (-[JSValue isString]):
        (-[JSValue isObject]):
        (-[JSValue isEqualToObject:]):
        (-[JSValue isEqualWithTypeCoercionToObject:]):
        (-[JSValue isInstanceOf:]):
        (-[JSValue callWithArguments:]):
        (-[JSValue constructWithArguments:]):
        (-[JSValue invokeMethod:withArguments:]):
        (-[JSValue objectForKeyedSubscript:]):
        (-[JSValue setObject:forKeyedSubscript:]):
        (-[JSValue initWithValue:inContext:]):
        (-[JSValue dealloc]):
        (-[JSValue description]):

2013-01-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Clean up JSValue
        https://bugs.webkit.org/show_bug.cgi?id=107156

        Reviewed by Oliver Hunt.

        JSContext m_protectCounts, protect, unprotect are all now unnecessary overhead, and should all be removed.
        These exist to handle the context going away before the value does; the context needs to be able to unprotect
        values early. Since the value is now keeping the context alive there is no longer any danger of this happening;
        instead we should just protect/unprotect the value in JSValue's init/dealloc methods.
        * API/JSContext.mm:
        (-[JSContext dealloc]):
        * API/JSContextInternal.h:
        * API/JSValue.mm:
        (-[JSValue initWithValue:inContext:]):
        (-[JSValue dealloc]):

2013-01-17  Filip Pizlo  <fpizlo@apple.com>

        DFG Node::ref() and Node::deref() should not return bool, and should have postfixRef variants
        https://bugs.webkit.org/show_bug.cgi?id=107147

        Reviewed by Mark Hahnenberg.

        This small refactoring will enable a world where ref() returns Node*, which is useful for
        https://bugs.webkit.org/show_bug.cgi?id=106868. Also, while this refactoring does lead to
        slightly less terse code, it's also slightly more self-explanatory. I could never quite
        remember what the meaning of the bool return from ref() and deref() was.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::collectGarbage):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::ref):
        (JSC::DFG::Graph::deref):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::ref):
        (Node):
        (JSC::DFG::Node::postfixRef):
        (JSC::DFG::Node::deref):
        (JSC::DFG::Node::postfixDeref):

2013-01-17  Alexey Proskuryakov  <ap@apple.com>

        Added svn:ignore=*.pyc, so that ud_opcode.pyc and ud_optable.pyc don't show up
        in svn stat.

        * disassembler/udis86: Added property svn:ignore.

2013-01-16  Filip Pizlo  <fpizlo@apple.com>

        DFG 32_64 backend doesn't check for hasArrayStorage() in NewArrayWithSize
        https://bugs.webkit.org/show_bug.cgi?id=107081

        Reviewed by Michael Saboff.

        This bug led to the 32_64 backend emitting contiguous allocation code to allocate
        ArrayStorage arrays. This then led to all manner of heap corruption, since
        subsequent array accesses would be accessing the contiguous array "as if" it was
        an arraystorage array.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-01-16  Jonathan Liu  <net147@gmail.com>

        Add missing sys/mman.h include on Mac
        https://bugs.webkit.org/show_bug.cgi?id=98089

        Reviewed by Darin Adler.

        The madvise function and MADV_FREE constant require sys/mman.h.

        * jit/ExecutableAllocatorFixedVMPool.cpp:

2013-01-15  Michael Saboff  <msaboff@apple.com>

        DFG X86: division in the used-as-int case doesn't correctly check for -2^31/-1
        https://bugs.webkit.org/show_bug.cgi?id=106978

        Reviewed by Filip Pizlo.

        Changed the numerator equal to -2^31 check to just return if we expect an integer
        result, since the check is after we have determined that the denominator is -1.
        The int result of -2^31 / -1 is -2^31, so just return the numerator as the result.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):

2013-01-15  Levi Weintraub  <leviw@chromium.org>

        Unreviewed, rolling out r139792.
        http://trac.webkit.org/changeset/139792
        https://bugs.webkit.org/show_bug.cgi?id=106970

        Broke the windows build.

        * bytecode/GlobalResolveInfo.h: Removed property svn:mergeinfo.

2013-01-15  Pratik Solanki  <psolanki@apple.com>

        Use MADV_FREE_REUSABLE to return JIT memory to OS
        https://bugs.webkit.org/show_bug.cgi?id=106830
        <rdar://problem/11437701>

        Reviewed by Geoffrey Garen.

        Use MADV_FREE_REUSABLE to return JIT memory on OSes that have the underlying madvise bug
        fixed.

        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):

2013-01-15  Levi Weintraub  <leviw@chromium.org>

        Unreviewed, rolling out r139790.
        http://trac.webkit.org/changeset/139790
        https://bugs.webkit.org/show_bug.cgi?id=106948

        The patch is failing its own test.

        * bytecode/GlobalResolveInfo.h: Removed property svn:mergeinfo.

2013-01-15  Zan Dobersek  <zandobersek@gmail.com>

        [Autotools] Unify JavaScriptCore sources list, regardless of target OS
        https://bugs.webkit.org/show_bug.cgi?id=106007

        Reviewed by Gustavo Noronha Silva.

        Include the Source/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp target
        in the general sources list as it is guarded by the ENABLE_EXECUTABLE_ALLOCATOR_FIXED
        feature define. This define is only used on 64-bit architecture and indirectly depends
        on enabling either JIT or YARR JIT feature. Both of these defines are disabled on
        Windows OS when using 64-bit architecture so there's no need to add this target to
        sources only when the target OS is Windows.

        * GNUmakefile.list.am:

2013-01-11  Filip Pizlo  <fpizlo@apple.com>

        DFG should not forget that it had proved something to be a constant during a merge just because it's merging against the empty value
        https://bugs.webkit.org/show_bug.cgi?id=106727

        Reviewed by Oliver Hunt.

        The problem was this statement:

            if (m_value != other.m_value)
                m_value = JSValue();

        This is well-intentioned, in the sense that if we want our abstract value (i.e. this) to become the superset of the other
        abstract value, and the two abstract values have proven different constants, then our abstract value should rescind its
        claim that it has been proven to be constant. But this misses the special case that if the other abstract value is
        completely clear (meaning that it wishes to contribute zero information and so the superset operation shouldn't change
        this), it will have a clear m_value.
        So, the code prior to this patch would rescind the constant proof even though it
        didn't have to.

        This comes up rarely and I don't believe it will be a performance win, but it is good to have the CFA be consistently
        precise as often as possible.

        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::merge):

2013-01-11  Filip Pizlo  <fpizlo@apple.com>

        Python implementation reports "MemoryError" instead of doing things
        https://bugs.webkit.org/show_bug.cgi?id=106690

        Reviewed by Oliver Hunt.

        The bug was that the CFA was assuming that a variable is dead at the end of a basic block and hence doesn't need to
        be merged to the next block if the last mention of the variable was dead. This is almost correct, except that it
        doesn't work if the last mention is a GetLocal - the GetLocal itself may be dead, but that doesn't mean that the
        variable is dead - it may still be live. The appropriate thing to do is to look at the GetLocal's Phi. If the
        variable is used in the next block then the next block will have a reference to the last mention in our block unless
        that last mention is a GetLocal, in which case it will link to the Phi. Doing it this way captures everything that
        the CFA wants: if the last use is a live GetLocal then the CFA needs to consider the GetLocal itself for possible
        refinements to the proof of the value in the variable, but if the GetLocal is dead, then this must mean that the
        variable is not mentioned in the block but may still be "passed through" it, which is what the Phi will tell us.
        Note that it is not possible for the GetLocal to refer to anything other than a Phi, and it is also not possible
        for the last mention of a variable to be a dead GetLocal while there are other mentions that aren't dead - if
        there had been SetLocals or GetLocals prior to the dead one then the dead one wouldn't have been emitted by the
        parser.

        This also fixes a similar bug in the handling of captured variables. If a variable is captured, then it doesn't
        matter if the last mention is dead, or not. Either way, we already know that a captured variable will be live in
        the next block, so we must merge it no matter what.

        Finally, this change makes the output of Operands dumping a bit more verbose: it now prints the variable name next
        to each variable's dump. I've often found the lack of this information confusing particularly for operand dumps
        that involve a lot of variables.

        * bytecode/Operands.h:
        (JSC::dumpOperands):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::mergeStateAtTail):

2013-01-14  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Fix vcproj file. Missing file tag after http://trac.webkit.org/changeset/139541.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:

2013-01-13  Filip Pizlo  <fpizlo@apple.com>

        DFG phases that store per-node information should store it in Node itself rather than using a secondary vector
        https://bugs.webkit.org/show_bug.cgi?id=106753

        Reviewed by Geoffrey Garen.
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::AbstractState):
        (JSC::DFG::AbstractState::beginBasicBlock):
        (JSC::DFG::AbstractState::dump):
        * dfg/DFGAbstractState.h:
        (JSC::DFG::AbstractState::forNode):
        (AbstractState):
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::CSEPhase):
        (JSC::DFG::CSEPhase::performSubstitution):
        (JSC::DFG::CSEPhase::setReplacement):
        (CSEPhase):
        * dfg/DFGNode.h:
        (Node):

2013-01-12  Tim Horton  <timothy_horton@apple.com>

        Unreviewed build fix.

        * API/JSBlockAdaptor.mm:
        * API/JSContext.mm:
        * API/JSValue.mm:

2013-01-12  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed 64 bit buildfix after r139496.

        * dfg/DFGOperations.cpp:

2013-01-11  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, speculative build fix.

        * API/JSWrapperMap.mm:

2013-01-10  Filip Pizlo  <fpizlo@apple.com>

        JITThunks should not compile only because of luck
        https://bugs.webkit.org/show_bug.cgi?id=105696

        Rubber stamped by Sam Weinig and Geoffrey Garen.

        This patch was supposed to just move JITThunks into its own file. But then I
        realized that there is a horrible circular dependency chain between JSCell,
        JSGlobalData, CallFrame, and Weak, which only works because of magical include
        order in JITStubs.h, and the fact that JSGlobalData.h includes JITStubs.h
        before it includes JSCell or JSValue.

        I first tried to just get JITThunks.h to just magically do the same pointless
        includes that JITStubs.h had, but then I decided to actually fix the underlying
        problem, which was that JSCell needed CallFrame, CallFrame needed JSGlobalData,
        JSGlobalData needed JITThunks, JITThunks needed Weak, and Weak needed JSCell.
        Now, all of JSCell's outgoing dependencies are placed in JSCellInlines.h. This
        also gave me an opportunity to move JSValue inline methods from JSCell.h into
        JSValueInlines.h. But to make this really work, I needed to remove includes of
        *Inlines.h from other headers (CodeBlock.h for example included JSValueInlines.h,
        which defeats the whole entire purpose of having an Inlines.h file), and I needed
        to add includes of *Inlines.h into a bunch of .cpp files. I did this mostly by
        having .cpp files include Operations.h. In future, if you're adding a .cpp file
        to JSC, you'll almost certainly have to include Operations.h unless you enjoy
        link errors.

        * API/JSBase.cpp:
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObject.cpp:
        * API/JSClassRef.cpp:
        * API/JSContextRef.cpp:
        * API/JSObjectRef.cpp:
        * API/JSScriptRef.cpp:
        * API/JSWeakObjectMapRefPrivate.cpp:
        * JSCTypedArrayStubs.h:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ArrayAllocationProfile.cpp:
        * bytecode/CodeBlock.cpp:
        * bytecode/GetByIdStatus.cpp:
        * bytecode/LazyOperandValueProfile.cpp:
        * bytecode/ResolveGlobalStatus.cpp:
        * bytecode/SpeculatedType.cpp:
        * bytecode/UnlinkedCodeBlock.cpp:
        * bytecompiler/BytecodeGenerator.cpp:
        * debugger/Debugger.cpp:
        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerCallFrame.cpp:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        * dfg/DFGDriver.cpp:
        * dfg/DFGFixupPhase.cpp:
        * dfg/DFGGraph.cpp:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGOSREntry.cpp:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (DFG):
        (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
        (JSC::DFG::SpeculativeJIT::silentSpill):
        (JSC::DFG::SpeculativeJIT::silentFill):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        * dfg/DFGVariableEventStream.cpp:
        * heap/CopiedBlock.h:
        * heap/CopiedSpace.cpp:
        * heap/HandleSet.cpp:
        * heap/Heap.cpp:
        * heap/HeapStatistics.cpp:
        * heap/SlotVisitor.cpp:
        * heap/WeakBlock.cpp:
        * interpreter/CallFrame.cpp:
        * interpreter/CallFrame.h:
        * jit/ClosureCallStubRoutine.cpp:
        * jit/GCAwareJITStubRoutine.cpp:
        * jit/JIT.cpp:
        * jit/JITArithmetic.cpp:
        * jit/JITArithmetic32_64.cpp:
        * jit/JITCall.cpp:
        * jit/JITCall32_64.cpp:
        * jit/JITCode.h:
        * jit/JITExceptions.cpp:
        * jit/JITStubs.h:
        * jit/JITThunks.h:
        * jsc.cpp:
        * llint/LLIntExceptions.cpp:
        * profiler/LegacyProfiler.cpp:
        * profiler/ProfileGenerator.cpp:
        * profiler/ProfilerBytecode.cpp:
        * profiler/ProfilerBytecodeSequence.cpp:
        * profiler/ProfilerBytecodes.cpp:
        * profiler/ProfilerCompilation.cpp:
        * profiler/ProfilerCompiledBytecode.cpp:
        * profiler/ProfilerDatabase.cpp:
        * profiler/ProfilerOSRExit.cpp:
        * profiler/ProfilerOSRExitSite.cpp:
        * profiler/ProfilerOrigin.cpp:
        * profiler/ProfilerOriginStack.cpp:
        * profiler/ProfilerProfiledBytecodes.cpp:
        * runtime/ArgList.cpp:
        * runtime/Arguments.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/CallData.cpp:
        * runtime/CodeCache.cpp:
        * runtime/Completion.cpp:
        * runtime/ConstructData.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/DateInstance.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/Error.cpp:
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/ExceptionHelpers.cpp:
        * runtime/Executable.cpp:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/GetterSetter.cpp:
        * runtime/Identifier.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSBoundFunction.cpp:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        (JSC):
        * runtime/JSCellInlines.h: Added.
        (JSC):
        (JSC::JSCell::JSCell):
        (JSC::JSCell::finishCreation):
        (JSC::JSCell::structure):
        (JSC::JSCell::visitChildren):
        (JSC::allocateCell):
        (JSC::isZapped):
        (JSC::JSCell::isObject):
        (JSC::JSCell::isString):
        (JSC::JSCell::isGetterSetter):
        (JSC::JSCell::isProxy):
        (JSC::JSCell::isAPIValueWrapper):
        (JSC::JSCell::setStructure):
        (JSC::JSCell::methodTable):
        (JSC::JSCell::inherits):
        (JSC::JSCell::fastGetOwnPropertySlot):
        (JSC::JSCell::fastGetOwnProperty):
        (JSC::JSCell::toBoolean):
        * runtime/JSDateMath.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
        (JSC):
        * runtime/JSGlobalData.h:
        (JSC):
        (JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/JSLock.cpp:
        * runtime/JSNameScope.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.h:
        (JSC):
        * runtime/JSProxy.cpp:
        * runtime/JSScope.cpp:
        * runtime/JSSegmentedVariableObject.cpp:
        * runtime/JSString.h:
        (JSC):
        * runtime/JSStringJoiner.cpp:
        * runtime/JSSymbolTableObject.cpp:
        * runtime/JSValue.cpp:
        * runtime/JSValueInlines.h:
        (JSC::JSValue::toInt32):
        (JSC::JSValue::toUInt32):
        (JSC):
        (JSC::JSValue::isUInt32):
        (JSC::JSValue::asUInt32):
        (JSC::JSValue::asNumber):
        (JSC::jsNaN):
        (JSC::JSValue::JSValue):
        (JSC::JSValue::encode):
        (JSC::JSValue::decode):
        (JSC::JSValue::operator bool):
        (JSC::JSValue::operator==):
        (JSC::JSValue::operator!=):
        (JSC::JSValue::isEmpty):
        (JSC::JSValue::isUndefined):
        (JSC::JSValue::isNull):
        (JSC::JSValue::isUndefinedOrNull):
        (JSC::JSValue::isCell):
        (JSC::JSValue::isInt32):
        (JSC::JSValue::isDouble):
        (JSC::JSValue::isTrue):
        (JSC::JSValue::isFalse):
        (JSC::JSValue::tag):
        (JSC::JSValue::payload):
        (JSC::JSValue::asInt32):
        (JSC::JSValue::asDouble):
        (JSC::JSValue::asCell):
        (JSC::JSValue::isNumber):
        (JSC::JSValue::isBoolean):
        (JSC::JSValue::asBoolean):
        (JSC::reinterpretDoubleToInt64):
        (JSC::reinterpretInt64ToDouble):
        (JSC::JSValue::isString):
        (JSC::JSValue::isPrimitive):
        (JSC::JSValue::isGetterSetter):
        (JSC::JSValue::isObject):
        (JSC::JSValue::getString):
        (JSC::::getString):
        (JSC::JSValue::getObject):
        (JSC::JSValue::getUInt32):
        (JSC::JSValue::toPrimitive):
        (JSC::JSValue::getPrimitiveNumber):
        (JSC::JSValue::toNumber):
        (JSC::JSValue::toObject):
        (JSC::JSValue::isFunction):
        (JSC::JSValue::inherits):
        (JSC::JSValue::toThisObject):
        (JSC::JSValue::get):
        (JSC::JSValue::put):
        (JSC::JSValue::putByIndex):
        (JSC::JSValue::structureOrUndefined):
        (JSC::JSValue::equal):
        (JSC::JSValue::equalSlowCaseInline):
        (JSC::JSValue::strictEqualSlowCaseInline):
        (JSC::JSValue::strictEqual):
        * runtime/JSVariableObject.cpp:
        * runtime/JSWithScope.cpp:
        * runtime/JSWrapperObject.cpp:
        * runtime/LiteralParser.cpp:
        * runtime/Lookup.cpp:
        * runtime/NameConstructor.cpp:
        * runtime/NameInstance.cpp:
        * runtime/NamePrototype.cpp:
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NativeErrorPrototype.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberObject.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectPrototype.cpp:
        * runtime/Operations.h:
        (JSC):
        * runtime/PropertySlot.cpp:
        * runtime/RegExp.cpp:
        * runtime/RegExpCache.cpp:
        * runtime/RegExpCachedResult.cpp:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpPrototype.cpp:
        * runtime/SmallStrings.cpp:
        * runtime/SparseArrayValueMap.cpp:
        * runtime/StrictEvalActivation.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
        * runtime/StringRecursionChecker.cpp:
        * runtime/Structure.h:
        (JSC):
        * runtime/StructureChain.cpp:
        * runtime/TimeoutChecker.cpp:
        * testRegExp.cpp:

2013-01-11  Filip Pizlo  <fpizlo@apple.com>

        If you use Phantom to force something to be live across an OSR exit, you should put it after the OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=106724

        Reviewed by Oliver Hunt.

        In cases where we were getting it wrong, I think it was benign because we would either already have an
        OSR exit prior to there, or the operand would be a constant. But still, it's good to get this right.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2013-01-11  Filip Pizlo  <fpizlo@apple.com>

        Phantom(GetLocal) should be treated as relevant to OSR
        https://bugs.webkit.org/show_bug.cgi?id=106715

        Reviewed by Mark Hahnenberg.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performBlockCSE):

2013-01-11  Pratik Solanki  <psolanki@apple.com>

        Fix function name typo ProgramExecutable::initalizeGlobalProperties()
        https://bugs.webkit.org/show_bug.cgi?id=106701

        Reviewed by Geoffrey Garen.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/Executable.h:

2013-01-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        testapi is failing with a block-related error in the Objc API
        https://bugs.webkit.org/show_bug.cgi?id=106055

        Reviewed by Filip Pizlo.

        Same bug as in testapi.mm. We need to actually call the static block, rather than casting the block to a bool.

        * API/ObjCCallbackFunction.mm:
        (blockSignatureContainsClass):

2013-01-11  Filip Pizlo  <fpizlo@apple.com>

        Add a run-time option to print bytecode at DFG compile time
        https://bugs.webkit.org/show_bug.cgi?id=106704

        Reviewed by Mark Hahnenberg.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * runtime/Options.h:
        (JSC):

2013-01-11  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to enable verbose printing of each OSR exit at run-time (rather than compile-time) and it should print register state
        https://bugs.webkit.org/show_bug.cgi?id=106700

        Reviewed by Mark Hahnenberg.

        * dfg/DFGAssemblyHelpers.h:
        (DFG):
        (JSC::DFG::AssemblyHelpers::debugCall):
        * dfg/DFGCommon.h:
        * dfg/DFGOSRExit.h:
        (DFG):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * runtime/Options.h:
        (JSC):

2013-01-11  Geoffrey Garen  <ggaren@apple.com>

        Removed getDirectLocation and offsetForLocation and all their uses
        https://bugs.webkit.org/show_bug.cgi?id=106692

        Reviewed by Filip Pizlo.

        getDirectLocation() and its associated offsetForLocation() relied on
        detailed knowledge of the rules of PropertyOffset, JSObject, and
        Structure, which is a hard thing to reverse-engineer reliably. Luckily,
        it wasn't needed, and all clients either wanted a true value or a
        PropertyOffset. So, I refactored accordingly.

        * dfg/DFGOperations.cpp: Renamed putDirectOffset to putDirect, to clarify
        that we are not putting an offset.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnPropertySlot): Get a value instead of a value
        pointer, since we never wanted a pointer to begin with.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot): Use a PropertyOffset instead of a pointer,
        so we don't have to reverse-engineer the offset from the pointer.

        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::resetInheritorID):
        (JSC::JSObject::inheritorID):
        (JSC::JSObject::removeDirect):
        (JSC::JSObject::fillGetterPropertySlot):
        (JSC::JSObject::getOwnPropertyDescriptor): Renamed getDirectOffset and
        putDirectOffset, as explained above. We want to use the name "getDirectOffset"
        for when the thing you're getting is the offset.

        * runtime/JSObject.h:
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectOffset): Changed getDirectLocation to getDirectOffset,
        since clients really want PropertyOffsets and not locations.

        (JSObject::offsetForLocation): Removed this function because it was hard
        to get right.

        (JSC::JSObject::putDirect):
        (JSC::JSObject::putDirectUndefined):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/JSScope.cpp:
        (JSC::executeResolveOperations):
        (JSC::JSScope::resolvePut):
        * runtime/JSValue.cpp:
        (JSC::JSValue::putToPrimitive): Updated for renames.

        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot): Use a PropertyOffset instead of a pointer,
        so we don't have to reverse-engineer the offset from the pointer.

        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure): Updated for renames.

2013-01-11  Geoffrey Garen  <ggaren@apple.com>

        Removed an unused version of getDirectLocation
        https://bugs.webkit.org/show_bug.cgi?id=106691

        Reviewed by Gavin Barraclough.

        getDirectLocation is a weird operation. Removing the unused version is
        the easy part.

        * runtime/JSObject.h:
        (JSObject):

2013-01-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C objects that are passed to JavaScript leak (until the JSContext is destroyed)
        https://bugs.webkit.org/show_bug.cgi?id=106056

        Reviewed by Darin Adler.

        * API/APIJSValue.h:
        * API/JSValue.mm: Make the reference to the JSContext strong.
        (-[JSValue context]):
        (-[JSValue initWithValue:inContext:]):
        (-[JSValue dealloc]):
        * API/JSWrapperMap.mm: Make the reference back from wrappers to Obj-C objects weak instead of strong.
        Also add an explicit WeakGCMap in the JSWrapperMap rather than using Obj-C associated object API which
        was causing memory leaks.
        (wrapperClass):
        (-[JSObjCClassInfo wrapperForObject:]):
        (-[JSWrapperMap initWithContext:]):
        (-[JSWrapperMap dealloc]):
        (-[JSWrapperMap wrapperForObject:]):

2013-01-11  Geoffrey Garen  <ggaren@apple.com>

        Fixed some bogus PropertyOffset ASSERTs
        https://bugs.webkit.org/show_bug.cgi?id=106686

        Reviewed by Gavin Barraclough.

        The ASSERTs were passing a JSType instead of an inlineCapacity, due to
        an incomplete refactoring.

        The compiler didn't catch this because both types are int underneath.

        * runtime/JSObject.h:
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectLocation):
        (JSC::JSObject::offsetForLocation):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransitionToExistingStructure): Validate against
        our inline capacity, as we intended.

2013-01-11  Geoffrey Garen  <ggaren@apple.com>

        Rename propertyOffsetFor => offsetForPropertyNumber
        https://bugs.webkit.org/show_bug.cgi?id=106685

        Reviewed by Gavin Barraclough.

        Since the argument is just a typedef and not an object, I wanted to clarify the meaning.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::nextOffset): Updated for rename.

        * runtime/PropertyOffset.h:
        (JSC::offsetForPropertyNumber): Renamed. Also changed some PropertyOffset variables
        to plain ints, because they're not actually on the PropertyOffsets number line.

        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):
        * runtime/Structure.h:
        (JSC::Structure::lastValidOffset): Updated for rename.

2013-01-10  Zan Dobersek  <zandobersek@gmail.com>

        Remove the ENABLE_ANIMATION_API feature define occurrences
        https://bugs.webkit.org/show_bug.cgi?id=106544

        Reviewed by Simon Fraser.

        The Animation API code was removed in r137243. The ENABLE_ANIMATION_API
        feature define handling still lingers in various build systems and configurations
        but is of no use, so it should be removed.

        * Configurations/FeatureDefines.xcconfig:

2013-01-09  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Just move the JavaScriptCore exports file around in the vcproj to make things clearer.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:

2013-01-09  Filip Pizlo  <fpizlo@apple.com>

        Don't use a node reference after appending to the graph.
        https://bugs.webkit.org/show_bug.cgi?id=103305
        <rdar://problem/12753096>

        Reviewed by Mark Hahnenberg.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):

2013-01-09  Roger Fong  <roger_fong@apple.com>

        Rename export files to make them more easily findable.
        https://bugs.webkit.org/show_bug.cgi?id=98695.

        Reviewed by Timothy Horton.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def.

2013-01-09  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add mips.rb to offlineasm_nosources.

2013-01-08  Oliver Hunt  <oliver@apple.com>

        Support op_typeof in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=98898

        Reviewed by Filip Pizlo.

        Adds a TypeOf node to the DFG to support op_typeof.

        To avoid adding too much GC horror, this also makes the
        common strings portion of the SmallString cache strongly
        referenced.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        We try to determine the result early here, and substitute in a constant.
        Otherwise we leave the node intact, and set the result type to SpecString.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        Parse op_typeof
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        TypeOf nodes can be subjected to pure CSE
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        We can handle typeof.
        * dfg/DFGNodeType.h:
        (DFG):
        Define the node.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        Add operationTypeOf to support the non-trivial cases.
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        Actual codegen
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC):
        * runtime/Operations.h:
        (JSC):
        Some refactoring to allow us to get the type string for an
        object without needing a callframe.

2013-01-08  Filip Pizlo  <fpizlo@apple.com>

        DFG shouldn't treat the 'this' argument as being captured if a code block uses arguments
        https://bugs.webkit.org/show_bug.cgi?id=106398
        <rdar://problem/12439776>

        Reviewed by Mark Hahnenberg.

        This is a possible optimization for inlined calls, and fixes crashes for inlined constructors, in the case
        that the inlined code used arguments. The problem was that assuming that 'this' was captured implies the
        assumption that it was initialized by the caller, which is wrong for constructors and this.

        Also added a pretty essential DFG IR validation rule: we shouldn't have any live locals at the top of the
        root block. This helps to catch this bug: our assumption that 'this' was captured in an inlined constructor
        that used arguments led to liveness for the temporary that would have held 'this' in the caller being
        propagated all the way up to the entrypoint of the function.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::isCaptured):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        (JSC::DFG::Validate::reportValidationContext):
        (Validate):
        (JSC::DFG::Validate::dumpGraphIfAppropriate):

2013-01-08  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r138921): Crash in JSC::Arguments::create
        https://bugs.webkit.org/show_bug.cgi?id=106329
        <rdar://problem/12974196>

        Reviewed by Mark Hahnenberg.

        Arguments::finishCreation() that takes an InlineCallFrame* needs to understand that the callee can
        be unset, indicating that the callee needs to be loaded from the true call frame. This adds a
        method to InlineCallFrame to do just that.

        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::calleeForCallFrame):
        * bytecode/CodeOrigin.h:
        (InlineCallFrame):
        * runtime/Arguments.h:
        (JSC::Arguments::finishCreation):

2013-01-08  Filip Pizlo  <fpizlo@apple.com>

        DFG intrinsic handling should ensure that we backwards propagate the fact that all operands may escape
        https://bugs.webkit.org/show_bug.cgi?id=106365

        Reviewed by Mark Hahnenberg.

        Use the fact that Phantom means that things escaped, and just insert Phantoms for all
        of the operands.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):

2013-01-08  Filip Pizlo  <fpizlo@apple.com>

        If array allocation profiling causes a new_array to allocate double arrays, then the holes should end up being correctly initialized
        https://bugs.webkit.org/show_bug.cgi?id=106363

        Reviewed by Mark Hahnenberg.

        * runtime/JSArray.h:
        (JSC::JSArray::tryCreateUninitialized):

2013-01-07  Filip Pizlo  <fpizlo@apple.com>

        DFG should backwards-propagate NodeUsedAsValue for Phantom
        https://bugs.webkit.org/show_bug.cgi?id=106299

        Reviewed by Mark Hahnenberg.

        This is currently benign because Phantom is only inserted by the bytecode parser for
        things that already happen to be used in contexts that backwards propagate
        NodeUsedAsValue. But that doesn't change the fact that the semantics of Phantom are
        that the value can be arbitrarily used by the baseline JIT.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2013-01-07  Filip Pizlo  <fpizlo@apple.com>

        Rationalize closure call heuristics and profiling
        https://bugs.webkit.org/show_bug.cgi?id=106270

        Reviewed by Oliver Hunt.

        Did a number of things:

        - CallLinkInfo now remembers if it was ever a closure call, and CallLinkStatus uses
          this. Reduces the likelihood that we will inline a closure call as if it was a
          normal call.

        - Made InlineCallFrame print inferred function names, and refactored
          CodeBlock::inferredName() to better use FunctionExecutable's API.

        - Made bytecode dumping print frequent exit sites that led to recompilation.

        - Made bytecode dumping for op_call and op_construct print what the CallLinkStatus
          saw.

        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::CallLinkInfo):
        (CallLinkInfo):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::inferredName):
        (JSC::CodeBlock::dumpBytecodeCommentAndNewLine):
        (JSC::CodeBlock::printCallOp):
        * bytecode/CodeOrigin.cpp:
        (JSC::CodeOrigin::dump):
        (JSC::InlineCallFrame::inferredName):
        (JSC):
        (JSC::InlineCallFrame::dumpBriefFunctionInformation):
        (JSC::InlineCallFrame::dump):
        * bytecode/CodeOrigin.h:
        (InlineCallFrame):
        * bytecode/DFGExitProfile.cpp:
        (JSC::DFG::ExitProfile::exitSitesFor):
        (DFG):
        * bytecode/DFGExitProfile.h:
        (ExitProfile):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-01-07  Ryosuke Niwa  <rniwa@webkit.org>

        Sorted the xcodeproj file.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-01-07  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, it should be possible to build JSC on ARM.

        * API/JSBase.h:
        * jit/JITStubs.cpp:
        (JSC::performPlatformSpecificJITAssertions):
        (JSC):
        * jit/JITStubs.h:
        (JSC):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::JITThunks):
        * jit/JITThunks.h:
        (JITThunks):
        * offlineasm/armv7.rb:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):

2013-01-07  Balazs Kilvady  <kilvadyb@homejinni.com>

        MIPS LLInt implementation.
        https://bugs.webkit.org/show_bug.cgi?id=99706

        Reviewed by Filip Pizlo.

        LLInt implementation for MIPS.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::jump):
        * dfg/DFGOperations.cpp:
        (JSC):
        * jit/JITStubs.cpp:
        (JSC):
        * jit/JITStubs.h:
        (JITStackFrame):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * offlineasm/backends.rb:
        * offlineasm/instructions.rb:
        * offlineasm/mips.rb: Added.

2013-01-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        testapi is failing with a block-related error in the Objc API
        https://bugs.webkit.org/show_bug.cgi?id=106055

        Reviewed by Geoffrey Garen.

        Casting a block to a bool will always return true, which isn't the behavior that is intended here.
        Instead we need to call the block, but C semantics don't allow this, so we need to change
        testapi.m to be Objective-C++ and therefore testapi.mm.

        * API/tests/testapi.m: Removed.
        * API/tests/testapi.mm: Copied from Source/JavaScriptCore/API/tests/testapi.m.
        (blockSignatureContainsClass):
        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-01-06  Filip Pizlo  <fpizlo@apple.com>

        Simplify slow case profiling
        https://bugs.webkit.org/show_bug.cgi?id=106208

        Reviewed by Mark Rowe.

        Removing the minimum execution ratio portion of slow case profiling, which allows
        the removal of a field from CodeBlock. This appears to be performance neutral,
        implying that the complexity incurred by the previous heuristic was purely
        harmful: it made the code more complicated, and it made CodeBlock larger, without
        resulting in any measurable benefits.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::likelyToTakeSlowCase):
        (JSC::CodeBlock::couldTakeSlowCase):
        (JSC::CodeBlock::likelyToTakeSpecialFastCase):
        (JSC::CodeBlock::couldTakeSpecialFastCase):
        (JSC::CodeBlock::likelyToTakeDeepestSlowCase):
        (JSC::CodeBlock::likelyToTakeAnySlowCase):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * runtime/Options.h:

2013-01-05  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline closure calls
        https://bugs.webkit.org/show_bug.cgi?id=106067

        Reviewed by Gavin Barraclough.

        This adds initial support for inlining closure calls to the DFG. A call is considered
        to be a closure call when the JSFunction* varies, but always has the same executable.
        We already have closure call inline caching in both JITs, which works by checking that
        the callee has an expected structure (as a cheap way of detecting that it is in fact
        a JSFunction) and an expected executable. Closure call inlining uses profiling data
        aggregated by CallLinkStatus to decide when to specialize the call to the particular
        structure/executable, and inline the call rather than emitting a call sequence. When
        we choose to do a closure inline rather than an ordinary inline, a number of things
        change about how inlining is performed:

        - The inline is guarded by a CheckStructure/CheckExecutable rather than a
          CheckFunction.

        - Instead of propagating a constant value for the scope, we emit GetMyScope every time
          that the scope is needed, which loads the scope from a local variable. We do similar
          things for the callee.

        - The prologue of the inlined code includes SetMyScope and SetCallee nodes to eagerly
          plant the scope and callee into the "true call frame", i.e.
          the place on the stack
          where the call frame would have been if the call had been actually performed. This
          allows GetMyScope/GetCallee to work as they would if the code wasn't inlined. It
          also allows for trivial handling of scope and callee for call frame reconstruction
          upon stack introspection and during OSR.

        - A new node called GetScope is introduced, which just gets the scope of a function.
          This node has the expected CSE support. This allows for the
          SetMyScope(GetScope(@function)) sequence to set up the scope in the true call frame.

        - GetMyScope/GetCallee CSE can match against SetMyScope/SetCallee, which means that
          the GetMyScope/GetCallee nodes emitted during parsing are often removed during CSE,
          if we can prove that it is safe to do so.

        - Inlining heuristics are adjusted to grok the cost of inlining a closure. We are
          less likely to inline a closure call than we are to inline a normal call, since we
          end up emitting more code for closures due to CheckStructure, CheckExecutable,
          GetScope, SetMyScope, and SetCallee.

        Additionally, I've fixed the VariableEventStream to ensure that we don't attempt to
        plant Undefined into the true call frames. This was previously a harmless oversight,
        but it becomes quite bad if OSR is relying on the scope/callee already having been
        set and not subsequently clobbered by the OSR itself.

        This is a ~60% speed-up on programs that frequently make calls to closures. It's
        neutral on V8v7 and other major benchmark suites.

        The lack of a definite speed-up is likely due to the fact that closure inlining currently
        does not do any cardinality [1] optimizations. We don't observe when a closure was
        constructed within its caller, and so used the scope from its caller; and furthermore
        we have no facility to detect when the scope is single.
        All scoped variable accesses
        are assumed to be multiple instead. A subsequent step will be to ensure that closure
        call inlining will be single and loving it.

        [1] Single and loving it: Must-alias analysis for higher-order languages. Suresh
        Jagannathan, Peter Thiemann, Stephen Weeks, and Andrew Wright. In POPL '98.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::dump):
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::isClosureCall):
        (CallLinkStatus):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::globalObjectFor):
        (JSC):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::dump):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::emitFunctionChecks):
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::pureCSE):
        (CSEPhase):
        (JSC::DFG::CSEPhase::getCalleeLoadElimination):
        (JSC::DFG::CSEPhase::checkExecutableElimination):
        (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::mightInlineFunctionForClosureCall):
        * dfg/DFGCapabilities.h:
        (DFG):
        (JSC::DFG::mightInlineFunctionForClosureCall):
        (JSC::DFG::canInlineFunctionForClosureCall):
        (JSC::DFG::canInlineFunctionFor):
        * dfg/DFGNode.h:
        (Node):
        (JSC::DFG::Node::hasExecutable):
        (JSC::DFG::Node::executable):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * runtime/Options.h:
        (JSC):

2013-01-05  Filip Pizlo  <fpizlo@apple.com>

        Data flow paths that carry non-numbers, non-undefined, non-null values should not cause subtractions and arithmetic additions (i.e. ++) to speculate double
        https://bugs.webkit.org/show_bug.cgi?id=106190

        Reviewed by Sam Weinig.

        The problem is that the DFG logic for deciding when to speculate integer was
        confusing the special case of ValueAdd (where non-numeric values should cause us
        to not speculate integer, because we want to fall off into the generic case) with
        the more normal case of ArithAdd and ArithSub (where we want to speculate integer
        unless we have evidence that the operands are doubles, since the DFG doesn't have
        generic handling of non-numeric arithmetic). Prior to this change doing a - b where
        either a or b were possibly non-numeric would always force the subtraction to be
        done using doubles.

        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addSpeculationMode):
        (Graph):
        (JSC::DFG::Graph::valueAddSpeculationMode):
        (JSC::DFG::Graph::arithAddSpeculationMode):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):

2013-01-04  Filip Pizlo  <fpizlo@apple.com>

        DFG should trust array profiling over value profiling
        https://bugs.webkit.org/show_bug.cgi?id=106155

        Reviewed by Gavin Barraclough.

        The real problem is that prediction propagation is not flow-sensitive. We had code
        like:

        var a = (some load from memory); // returns either an array or false
        if (a)
            a[i] = v;

        Because 'a' could be 'false', we were emitting a fully generic unoptimized PutByVal.

        This patch changes ArrayMode to ignore the type of the base of an array access, if
        array profiling tells us that the array access can be optimized.

        In the future, we could probably make this work even better with some flow
        sensitivity in the prediction propagator, but I also tend to think that this is a
        more robust overall solution. If we ever did want to support array accesses on
        array-or-false then we should change the array profiler to be able to tell us that
        this is what is going on.

        3.7% speed-up on V8/earley.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):

2013-01-04  Filip Pizlo  <fpizlo@apple.com>

        Rationalize exit site profiling for calls
        https://bugs.webkit.org/show_bug.cgi?id=106150

        Reviewed by Sam Weinig.

        This adds two new exit kinds for calls: BadFunction and BadExecutable. The latter is not used
        yet, but is already integrated with profiling. CheckFunction uses a BadFunction speculation
        instead of BadCache, now. This allows CallLinkStatus to turn itself into a closure call status
        if we had a BadFunction exit site but the CallLinkInfo told us to use a non-closure call. This
        might happen if we had call unlinking that led to information loss along the way.

        No performance impact. This is meant as another step towards inlining closure calls.

        * bytecode/CallLinkStatus.cpp:
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::setIsProved):
        (JSC::CallLinkStatus::setHasBadFunctionExitSite):
        (CallLinkStatus):
        (JSC::CallLinkStatus::setHasBadCacheExitSite):
        (JSC::CallLinkStatus::setHasBadExecutableExitSite):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-01-03  Filip Pizlo  <fpizlo@apple.com>

        DFG should not elide CheckStructure if it's needed to perform a cell check
        https://bugs.webkit.org/show_bug.cgi?id=106074

        Reviewed by Ryosuke Niwa.

        The problem here was that the constant folding phase was misinterpreting the meaning of the sets
        in DFG::AbstractValue. AbstractValue describes a constraint on the values that a variable (i.e.
        a DFG Node, or a virtual register, i.e. local or argument) may have. It does so by containing
        four sets: the set of JSValues (either empty, the singleton set containing one JSValue, or the
        set of all JSValues); the set of "current known" structures, i.e. the set of structures that you
        already know that this value may have right now (also either empty, the singleton set, or the set
        of all structures); the set of "future possible" structures, i.e. the set of structures that this
        value could have in the future if none of the structure transition watchpoints for those
        structures had fired (also empty, singleton, or all); and the set of types, which is a
        SpeculatedType bitmask.
The correct way to interpret the sets is to think of the AbstractValue as 16616 the intersection of these three sets of values: 16617 16618 - The set of JSValues that have a type that belongs to the m_type set. 16619 - If m_value is not the empty value then: the set of all JSValues that are == m_value; 16620 else: the set of all JSValues. 16621 where '==' is as defined by JSValue::operator==. 16622 - Union of { the set of all cells that have a structure that belongs to m_currentKnownStructure } 16623 and { the set of all JSValues that are not cells }. 16624 16625 You can then further intersect this set with the following set, if you guard the code with 16626 watchpoints on all structures in the m_futurePossibleStructure: 16627 16628 - Union of { the set of all cells that have a structure that belongs to m_futurePossibleStructure } 16629 and { the set of all JSValues that are not cells }. 16630 16631 One way to think of this is that m_currentKnownStructure is filtered by m_futurePossibleStructure 16632 (i.e. is set to the intersection of m_currentKnownStructure and m_futurePossibleStructure), if the 16633 code for which you're doing this is always preceded by watchpoints on all structures in 16634 m_futurePossibleStructure, and is always before any side-effects that could change the structures 16635 of objects. 16636 16637 The incorrect optimization related to CheckStructure. CheckStructure checks that the value is a 16638 cell, and that it has a particular structure. It was incorrectly assuming that you could eliminate 16639 the CheckStructure, if m_currentKnownStructure contained the structure that CheckStructure was 16640 checking. But this is not the case, since m_currentKnownStructure does not prove that the value is 16641 a cell with a particular structure; it only proves that if the value was a cell then it would have 16642 a particular structure. 
Hence, to eliminate CheckStructure, it is also necessary to check that 16643 AbstractValue::m_type contains only cells (i.e. isCellSpeculation(m_type) == true). 16644 16645 It wasn't doing that, and this changes makes sure that it does do that. 16646 16647 * dfg/DFGConstantFoldingPhase.cpp: 16648 (JSC::DFG::ConstantFoldingPhase::foldConstants): 16649 166502013-01-04 Adam Klein <adamk@chromium.org> 16651 16652 Remove ENABLE_MUTATION_OBSERVERS #define 16653 https://bugs.webkit.org/show_bug.cgi?id=105459 16654 16655 Reviewed by Ryosuke Niwa. 16656 16657 * Configurations/FeatureDefines.xcconfig: 16658 166592013-01-03 Filip Pizlo <fpizlo@apple.com> 16660 16661 DFG::ByteCodeCache serves little or no purpose ever since we decided to keep bytecode around permanently 16662 https://bugs.webkit.org/show_bug.cgi?id=106058 16663 16664 Reviewed by Michael Saboff. 16665 16666 All baseline code blocks now always have bytecode, so the bytecode cache's ability to minimize the 16667 number of times that the DFG produces bytecode sequences for code blocks is superfluous. 16668 16669 * GNUmakefile.list.am: 16670 * JavaScriptCore.xcodeproj/project.pbxproj: 16671 * dfg/DFGByteCodeCache.h: Removed. 16672 * dfg/DFGByteCodeParser.cpp: 16673 (ByteCodeParser): 16674 (JSC::DFG::ByteCodeParser::handleInlining): 16675 * runtime/Executable.cpp: 16676 (JSC): 16677 * runtime/Executable.h: 16678 (FunctionExecutable): 16679 166802013-01-03 Filip Pizlo <fpizlo@apple.com> 16681 16682 Unreviewed, fix build for DFG JIT disabled. 
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpValueProfiling):
        (JSC::CodeBlock::dumpArrayProfiling):
        * runtime/Executable.cpp:
        (JSC):
        (JSC::ExecutableBase::intrinsic):

2013-01-03  Filip Pizlo  <fpizlo@apple.com>

        CallLinkStatus should be aware of closure calls, and the DFG bytecode parser should use that as its sole internal notion of how to optimize calls
        https://bugs.webkit.org/show_bug.cgi?id=106027

        Reviewed by Mark Hahnenberg.

        Previously, the DFG bytecode parser had its own internal notion of exactly what CallLinkStatus was
        meant to do, in the form of a CallType, expectedFunction, intrinsic, etc. This change makes CallLinkStatus
        smart enough to do all of that, and also gives it the ability to understand closure calls.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC):
        (JSC::CallLinkStatus::function):
        (JSC::CallLinkStatus::internalFunction):
        (JSC::CallLinkStatus::intrinsicFor):
        (JSC::CallLinkStatus::setIsProved):
        (JSC::CallLinkStatus::computeFromLLInt):
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::dump):
        * bytecode/CallLinkStatus.h:
        (JSC):
        (JSC::CallLinkStatus::CallLinkStatus):
        (CallLinkStatus):
        (JSC::CallLinkStatus::takesSlowPath):
        (JSC::CallLinkStatus::isSet):
        (JSC::CallLinkStatus::isClosureCall):
        (JSC::CallLinkStatus::callTarget):
        (JSC::CallLinkStatus::executable):
        (JSC::CallLinkStatus::structure):
        (JSC::CallLinkStatus::isProved):
        (JSC::CallLinkStatus::canOptimize):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueOfFunctionConstant):

2013-01-02  Simon Hausmann  <simon.hausmann@digia.com>

        [MinGW-w64] Centralize workaround for pow() implementation
        https://bugs.webkit.org/show_bug.cgi?id=105925

        Reviewed by Sam Weinig.

        As suggested by Sam, move the MinGW-w64 workaround into MathExtras.h
        away from the JSC usage.

        * runtime/MathObject.cpp:
        (JSC::mathPow):

2013-01-02  Gavin Barraclough  <barraclough@apple.com>

        Objective-C API for JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=105889

        Reviewed by Geoff Garen.

        Fixes for more issues raised by Darin.

        * API/JSBlockAdaptor.mm:
        (BlockArgument):
        (BlockArgumentStruct::BlockArgumentStruct):
        (BlockArgumentTypeDelegate::typeStruct):
        (BlockResult):
        (BlockResultStruct::BlockResultStruct):
        (buildBlockSignature):
        (-[JSBlockAdaptor initWithBlockSignatureFromProtocol:]):
        (-[JSBlockAdaptor blockFromValue:inContext:withException:]):
            - fix * position for Objective-C types
        * API/JSContext.h:
            - fix * position for Objective-C types
        * API/JSContext.mm:
        (-[JSContext initWithVirtualMachine:]):
        (-[JSContext virtualMachine]):
        (contextInternalContext):
            - fix * position for Objective-C types
        (-[JSContext dealloc]):
        (-[JSContext protect:]):
        (-[JSContext unprotect:]):
            - HashMap<JSValueRef, size_t> -> HashCountedSet<JSValueRef>
        * API/JSContextInternal.h:
        (WeakContextRef):
            - fix * position for Objective-C types
        * API/JSValue.mm:
        (valueToString):
            - fix * position for Objective-C types
        (isNSBoolean):
            - Added helper to check for booleans.
        (objectToValueWithoutCopy):
            - Added contextRef
            - fix * position for Objective-C types
            - Remove @YES, @NO literal usage, use isNSBoolean instead
        (objectToValue):
            - Added contextRef
        (+[JSValue valueWithValue:inContext:]):
        (-[JSValue initWithValue:inContext:]):
            - fix * position for Objective-C types
        (createStructHandlerMap):
        (handerForStructTag):
            - getStructTagHandler -> handerForStructTag
            - Split out createStructHandlerMap
            - strncmp -> memcmp
            - String(type).impl() -> StringImpl::create(type)
        (+[JSValue selectorForStructToValue:]):
        (+[JSValue selectorForValueToStruct:]):
            - getStructTagHandler -> handerForStructTag
        (typeToValueInvocationFor):
        (valueToTypeInvocationFor):
            - fix * position for Objective-C types
        * API/JSValueInternal.h:
            - fix * position for Objective-C types
        * API/JSVirtualMachineInternal.h:
            - fix * position for Objective-C types
        * API/JSWrapperMap.h:
            - fix * position for Objective-C types
        * API/JSWrapperMap.mm:
        (selectorToPropertyName):
        (createObjectWithCustomBrand):
        (createRenameMap):
        (putNonEnumerable):
        (copyMethodsToObject):
        (copyPrototypeProperties):
        (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]):
        (-[JSWrapperMap initWithContext:]):
        (-[JSWrapperMap wrapperForObject:]):
        (getJSExportProtocol):
            - fix * position for Objective-C types
        * API/ObjCCallbackFunction.h:
            - fix * position for Objective-C types
        * API/ObjCCallbackFunction.mm:
        (CallbackArgument):
        (CallbackArgumentStruct::CallbackArgumentStruct):
            - fix * position for Objective-C types
        (CallbackArgumentBlockCallback::createAdoptingJSBlockAdaptor):
            - Added to make adopt explicit
        (CallbackArgumentBlockCallback):
        (CallbackArgumentBlockCallback::CallbackArgumentBlockCallback):
        (ArgumentTypeDelegate::typeBlock):
            - Call createAdoptingJSBlockAdaptor
        (ArgumentTypeDelegate::typeStruct):
        (CallbackResult):
        (CallbackResultStruct::CallbackResultStruct):
        (ResultTypeDelegate::typeStruct):
        (ObjCCallbackFunction::ObjCCallbackFunction):
        (ObjCCallbackFunction::context):
        (objCCallbackFunctionForInvocation):
        (objCCallbackFunctionForMethod):
        (objCCallbackFunctionForBlock):
            - fix * position for Objective-C types
        * API/ObjcRuntimeExtras.h:
        (protocolImplementsProtocol):
        (forEachProtocolImplementingProtocol):
        (forEachMethodInProtocol):
        (forEachPropertyInProtocol):
            - fix * position for Objective-C types
        * API/tests/testapi.m:
        (-[TestObject testArgumentTypesWithInt:double:boolean:string:number:array:dictionary:]):
        (testObjectiveCAPI):
            - fix * position for Objective-C types

2013-01-02  Geoffrey Garen  <ggaren@apple.com>

        Some renaming in the CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=105966

        Reviewed by Gavin Barraclough.

        CodeBlockKey => SourceCodeKey because the key is not a CodeBlock.

        m_recentlyUsedFunctionCode => m_recentlyUsedFunctions to match other names.

        GlobalFunctionKey => FunctionKey because the key is not unique to globalness.

        m_cachedGlobalFunctions => m_globalFunctions because "cached" is redundant
        for data members in an object called "CodeCache".

        kMaxRootCodeBlockEntries => kMaxRootEntries because there are no non-CodeBlock
        entries in a CodeBlock cache.

        kMaxFunctionCodeBlocks => kMaxChildFunctionEntries to clarify that this
        number models a parent-child relationship.

        Also removed the initial "k" from enum constants. That's an interesting
        style for calling out constants, but it's not the WebKit style.

        Finally, a behavior change: Use MaxRootEntries for the limit on global
        functions, and not MaxChildFunctionEntries. Previously, there was an
        unused constant that seemed to have been intended for this purpose.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::makeSourceCodeKey):
        (JSC::CodeCache::getCodeBlock):
        (JSC::CodeCache::generateFunctionCodeBlock):
        (JSC::CodeCache::makeFunctionKey):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        (JSC::CodeCache::usedFunctionCode):
        * runtime/CodeCache.h:
        (JSC::CodeCache::clear):

2013-01-02  Filip Pizlo  <fpizlo@apple.com>

        DFG inlining machinery should be robust against the inline callee varying while the executable stays the same
        https://bugs.webkit.org/show_bug.cgi?id=105953

        Reviewed by Mark Hahnenberg.

        This institutes the policy that if InlineCallFrame::callee is null, then the callee and scope have already
        been stored into the true call frame (i.e. the place where the call frame of the inlined call would have
        been) and so any attempt to access the callee or scope should do a load instead of assuming that the value
        is constant. This wires the changes through the bytecode parser, the stack scanning logic, and the compiler
        optimization phases and backends.

        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::dump):
        * bytecode/CodeOrigin.h:
        (CodeOrigin):
        (InlineCallFrame):
        (JSC::InlineCallFrame::isClosureCall):
        (JSC::CodeOrigin::stackOffset):
        (JSC):
        * dfg/DFGAssemblyHelpers.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::get):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::getScope):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCSEPhase.cpp:
        (CSEPhase):
        (JSC::DFG::CSEPhase::genericPureCSE):
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::pureCSERequiringSameInlineCallFrame):
        (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::trueCallFrame):

2013-01-02  Gavin Barraclough  <barraclough@apple.com>

        Objective-C API for JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=105889

        Reviewed by Geoff Garen.

        Fixes for a number of issues raised by Darin.
        * API/APIJSValue.h:
            - Fix typos in comment
            - Add newline before NS_CLASS_AVAILABLE(10_9, NA)
            - cls -> expectedClass
            - key type for -setObject:forKeyedSubscript: is now NSObject <NSCopying> *
        * API/JSBase.h:
            - JS_OBJC_API_ENABLED no longer implies __OBJC__
        * API/JSBlockAdaptor.mm:
        (BlockArgumentStruct::BlockArgumentStruct):
        (BlockArgumentStruct):
            - mark virtual functions as virtual, override, and private
            - refactor out buffer allocation for struct types
        (BlockArgumentTypeDelegate::typeVoid):
        (BlockArgumentTypeDelegate::typeBlock):
        (BlockArgumentTypeDelegate::typeStruct):
            - return nil -> return 0
        (BlockResultStruct::BlockResultStruct):
        (BlockResultStruct):
            - mark virtual functions as virtual, override, and private
            - refactor out buffer allocation for struct types
        (buildBlockSignature):
            - %lu is not an appropriate format specifier for NSInteger
        (-[JSBlockAdaptor initWithBlockSignatureFromProtocol:]):
            - nil check [super init]
        (-[JSBlockAdaptor blockMatchesSignature:]):
        (-[JSBlockAdaptor blockFromValue:inContext:withException:]):
            - ctx -> contextRef
        * API/JSContext.h:
            - Fix typos in comment
            - Add newline before NS_CLASS_AVAILABLE(10_9, NA)
            - key type for -setObject:forKeyedSubscript: is now NSObject <NSCopying> *
        * API/JSContext.mm:
        (-[JSContext initWithVirtualMachine:]):
            - nil check [super init]
        (+[JSContext currentArguments]):
            - args -> argumentArray
        (-[JSContext setObject:forKeyedSubscript:]):
            - key type for -setObject:forKeyedSubscript: is now NSObject <NSCopying> *
        (-[JSContext dealloc]):
        (-[JSContext protect:]):
        (-[JSContext unprotect:]):
            - m_protected -> m_protectCounts
        * API/JSValue.mm:
        (-[JSValue toObjectOfClass:]):
            - cls -> expectedClass
        (-[JSValue toBool]):
        (-[JSValue deleteProperty:]):
        (-[JSValue hasProperty:]):
        (-[JSValue isUndefined]):
        (-[JSValue isNull]):
        (-[JSValue isBoolean]):
        (-[JSValue isNumber]):
        (-[JSValue isString]):
        (-[JSValue isObject]):
        (-[JSValue isEqualToObject:]):
        (-[JSValue isEqualWithTypeCoercionToObject:]):
        (-[JSValue isInstanceOf:]):
            - removed ? YES : NO
        (-[JSValue callWithArguments:]):
        (-[JSValue constructWithArguments:]):
        (-[JSValue invokeMethod:withArguments:]):
            - args -> argumentArray
        (+[JSValue valueWithPoint:inContext:]):
        (+[JSValue valueWithRange:inContext:]):
        (+[JSValue valueWithRect:inContext:]):
        (+[JSValue valueWithSize:inContext:]):
            - [NSNumber numberWithFloat:] -> @()
        (-[JSValue objectForKeyedSubscript:]):
        (-[JSValue setObject:forKeyedSubscript:]):
            - key type for -setObject:forKeyedSubscript: is now NSObject <NSCopying> *
        (JSContainerConvertor):
        (JSContainerConvertor::isWorkListEmpty):
        (JSContainerConvertor::convert):
        (ObjcContainerConvertor):
        (ObjcContainerConvertor::isWorkListEmpty):
            - remove WTF::
            - isWorkListEmpty is const
        (objectToValue):
            - use fast enumeration
        (-[JSValue initWithValue:inContext:]):
            - nil check [super init]
        (getStructTagHandler):
            - m_structHandlers -> structHandlers
        * API/JSVirtualMachine.h:
            - Add newline before NS_CLASS_AVAILABLE(10_9, NA)
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine init]):
            - nil check [super init]
        * API/JSWrapperMap.mm:
        (selectorToPropertyName):
        (copyPrototypeProperties):
            - remove WTF::
            - use static_cast
        (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]):
        (-[JSWrapperMap initWithContext:]):
            - nil check [super init]
        (-[JSWrapperMap wrapperForObject:]):
        (tryUnwrapObjcObject):
            - enable ASSERT
        (getJSExportProtocol):
        (getNSBlockClass):
            - remove if check on initializing static
        * API/JavaScriptCore.h:
            - JS_OBJC_API_ENABLED no longer implies __OBJC__
        * API/ObjCCallbackFunction.mm:
        (CallbackArgumentOfClass):
        (CallbackArgumentOfClass::~CallbackArgumentOfClass):
        (CallbackArgumentStruct::CallbackArgumentStruct):
        (CallbackArgumentStruct):
        (CallbackArgumentBlockCallback):
            - mark virtual functions as virtual, override, and private
            - refactor out buffer allocation for struct types
        (ArgumentTypeDelegate::typeVoid):
        (ArgumentTypeDelegate::typeOfClass):
        (ArgumentTypeDelegate::typeStruct):
            - return nil -> return 0
        (CallbackResultStruct::CallbackResultStruct):
        (CallbackResultStruct):
            - mark virtual functions as virtual, override, and private
            - refactor out buffer allocation for struct types
        (ResultTypeDelegate::typeStruct):
            - return nil -> return 0
        (ObjCCallbackFunction):
            - remove WTF::
        (objCCallbackFunctionFinalize):
            - use static_cast
        (objCCallbackFunctionCallAsFunction):
            - Fix typos in comment
        (createObjCCallbackFunctionClass):
        (objCCallbackFunctionClass):
            - Split out createObjCCallbackFunctionClass from objCCallbackFunctionClass
        (ObjCCallbackFunction::call):
            - ctx -> contextRef
        (blockSignatureContainsClass):
            - Remove tri-state enum.
        (skipNumber):
            - isdigit -> isASCIIDigit
        (objCCallbackFunctionForInvocation):
            - clean up & comment blockSignatureContainsClass() usage
        (tryUnwrapBlock):
            - use static_cast
        * API/ObjcRuntimeExtras.h:
        (forEachProtocolImplementingProtocol):
        (forEachMethodInClass):
        (forEachMethodInProtocol):
        (forEachPropertyInProtocol):
            - Remove WTF::
            - Remove if (count) checks
        (skipPair):
            - NSUInteger -> size_t
        (StringRange):
        (StringRange::operator const char*):
        (StringRange::get):
        (StructBuffer):
        (StructBuffer::StructBuffer):
        (StructBuffer::~StructBuffer):
        (StructBuffer::operator void*):
            - Added helper for creating an aligned buffer, used by struct conversion invocations.
        (parseObjCType):
            - *(position++) -> *position++
        * API/tests/testapi.c:
            - PLATFORM(MAC) -> JS_OBJC_API_ENABLED
        * API/tests/testapi.m:
        (blockSignatureContainsClass):
            - Remove tri-state enum.
        (testObjectiveCAPI):
            - Added more result type checks.

2013-01-02  Filip Pizlo  <fpizlo@apple.com>

        DFG should not use the InlineCallFrame's callee when it could have used the executable instead
        https://bugs.webkit.org/show_bug.cgi?id=105947

        Reviewed by Mark Hahnenberg.

        We shouldn't use the callee to get the executable when we have the executable already. Not only
        does this make the logic more clear, but it also allows for a world where the executable is known
        but the callee isn't.

        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::strictModeFor):

2013-01-02  Filip Pizlo  <fpizlo@apple.com>

        DFG inliner should not use the callee's bytecode variable for resolving references to the callee in inlined code
        https://bugs.webkit.org/show_bug.cgi?id=105938

        Reviewed by Mark Hahnenberg.
        This simplifies a bunch of code for referring to the callee. It also ought to simplify how we do
        closure call inlining: for inlined closure call frames we will simply require that the callee is
        already stashed on the stack in the Callee slot in the inline call frame header.

        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::getDirect):
        (JSC::DFG::ByteCodeParser::get):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parse):

2013-01-02  Ryosuke Niwa  <rniwa@webkit.org>

        Another Windows port build fix attempt. Try not exporting this symbol from JSC
        since it's also compiled in WebCore.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2013-01-02  Csaba Osztrogonác  <ossy@webkit.org>

        One more unreviewed buildfix after r138609.

        * jit/JITCall.cpp: Add a missing include.

2013-01-02  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed buildfix after r138609.

        * jit/JITCall32_64.cpp: Add a missing include.

2013-01-01  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT should have closure call caching
        https://bugs.webkit.org/show_bug.cgi?id=105900

        Reviewed by Gavin Barraclough.

        This is not a speed-up by itself, but is meant to allow the DFG inliner to
        accurately discern between closure calls and non-closure calls, so that it can
        do closure call inlining in the future.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::isClosureCall):
        (CallLinkStatus):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        * jit/JIT.cpp:
        (JSC::JIT::linkFor):
        (JSC::JIT::linkSlowCall):
        * jit/JIT.h:
        (JSC::JIT::compileClosureCall):
        * jit/JITCall.cpp:
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        * jit/ThunkGenerators.cpp:
        (JSC::linkClosureCallGenerator):
        * jit/ThunkGenerators.h:

2013-01-01  Dan Bernstein  <mitz@apple.com>

        <rdar://problem/12942239> Update copyright strings

        Reviewed by Sam Weinig.

        * Info.plist:

2012-12-31  Gavin Barraclough  <barraclough@apple.com>

        Objective-C API for JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=105889

        Reviewed by Filip Pizlo.

        For a detailed description of the API implemented here, see:
            JSContext.h
            APIJSValue.h
            JSVirtualMachine.h
            JSExport.h
        Still to do -
            (1) Should rename APIJSValue.h -> JSValue.h (but we'll have to rename JSValue.h first).
            (2) Numerous FIXMEs, all with separate bugs filed.

        * API/APIJSValue.h: Added.
            - this Objective-C class is used to reference a JavaScript object.
        * API/JSBase.h:
            - added JS_OBJC_API_ENABLED macro to control ObjC API support.
        * API/JSBlockAdaptor.h: Added.
            - this Objective-C class is used in creating a special NSBlock proxying a JavaScript function.
        * API/JSBlockAdaptor.mm: Added.
        (BlockArgument):
        (BlockArgument::~BlockArgument):
        (BlockArgumentBoolean):
        (BlockArgumentBoolean::get):
        (BlockArgumentNumeric):
        (BlockArgumentNumeric::get):
        (BlockArgumentId):
        (BlockArgumentId::get):
        (BlockArgumentStruct):
        (BlockArgumentStruct::BlockArgumentStruct):
        (BlockArgumentStruct::~BlockArgumentStruct):
        (BlockArgumentStruct::get):
            - decoded argument type information of a JSBlockAdaptor.
        (BlockArgumentTypeDelegate):
        (BlockArgumentTypeDelegate::typeInteger):
        (BlockArgumentTypeDelegate::typeDouble):
        (BlockArgumentTypeDelegate::typeBool):
        (BlockArgumentTypeDelegate::typeVoid):
        (BlockArgumentTypeDelegate::typeId):
        (BlockArgumentTypeDelegate::typeOfClass):
        (BlockArgumentTypeDelegate::typeBlock):
        (BlockArgumentTypeDelegate::typeStruct):
            - delegate for use in conjunction with parseObjCType.
        (BlockResult):
        (BlockResult::~BlockResult):
        (BlockResultVoid):
        (BlockResultVoid::set):
        (BlockResultInteger):
        (BlockResultInteger::set):
        (BlockResultDouble):
        (BlockResultDouble::set):
        (BlockResultBoolean):
        (BlockResultBoolean::set):
        (BlockResultStruct):
        (BlockResultStruct::BlockResultStruct):
        (BlockResultStruct::~BlockResultStruct):
        (BlockResultStruct::set):
            - decoded result type information of a JSBlockAdaptor.
        (buildBlockSignature):
            - partial step in constructing a signature with stack offset information from one without.
        (-[JSBlockAdaptor initWithBlockSignatureFromProtocol:]):
            - constructor.
        (-[JSBlockAdaptor blockMatchesSignature:]):
            - check whether signature strings match, where only one contains stack frame offsets.
        (-[JSBlockAdaptor blockFromValue:inContext:withException:]):
            - use the adaptor to create a special forwarding block.
        * API/JSCallbackObjectFunctions.h:
        (JSC::::inherits):
            - add missing braces to multiline for statement.
        * API/JSContext.h: Added.
            - this Objective-C class is used to reference a JavaScript context.
        * API/JSContext.mm: Added.
        (-[JSContext init]):
            - constructor.
        (-[JSContext initWithVirtualMachine:]):
            - construct in a given VM (JSGlobalData).
        (-[JSContext evaluateScript:]):
        (-[JSContext globalObject]):
            - evaluate a script, global object accessor.
        (+[JSContext currentContext]):
        (+[JSContext currentThis]):
        (+[JSContext currentArguments]):
            - These methods obtain context, this, arguments from within a callback.
        (-[JSContext virtualMachine]):
            - implementation for .virtualMachine property.
        (-[JSContext objectForKeyedSubscript:]):
        (-[JSContext setObject:forKeyedSubscript:]):
            - support for subscript property access.
        (contextInternalContext):
            - internal accessor to m_context.
        (-[JSContext dealloc]):
            - destructor.
        (-[JSContext notifyException:]):
        (-[JSContext valueFromNotifyException:]):
        (-[JSContext boolFromNotifyException:]):
            - internal method to record an exception was thrown.
        (-[JSContext beginCallbackWithData:thisValue:argumentCount:arguments:]):
        (-[JSContext endCallbackWithData:]):
            - internal methods to push/pop a callback record.
        (-[JSContext protect:]):
        (-[JSContext unprotect:]):
            - internal methods to add a value to a protect set (used to protect the internal property of JSValue).
        (-[JSContext wrapperForObject:]):
            - internal method to create a wrapper object.
        (WeakContextRef::WeakContextRef):
        (WeakContextRef::~WeakContextRef):
        (WeakContextRef::get):
        (WeakContextRef::set):
            - Helper class to implement a weak reference to a JSContext.
        * API/JSContextInternal.h: Added.
        (CallbackData):
        (WeakContextRef):
            - see API/JSContext.mm for description of internal methods.
        * API/JSExport.h: Added.
            - Provides JSExport protocol & JSExportAs macro.
        * API/JSValue.mm: Added.
        (+[JSValue valueWithObject:inContext:]):
        (+[JSValue valueWithBool:inContext:]):
        (+[JSValue valueWithDouble:inContext:]):
        (+[JSValue valueWithInt32:inContext:]):
        (+[JSValue valueWithUInt32:inContext:]):
        (+[JSValue valueWithNewObjectInContext:]):
        (+[JSValue valueWithNewArrayInContext:]):
        (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]):
        (+[JSValue valueWithNewErrorFromMessage:inContext:]):
        (+[JSValue valueWithNullInContext:]):
        (+[JSValue valueWithUndefinedInContext:]):
            - Constructors.
        (-[JSValue toObject]):
        (-[JSValue toObjectOfClass:]):
        (-[JSValue toBool]):
        (-[JSValue toDouble]):
        (-[JSValue toInt32]):
        (-[JSValue toUInt32]):
        (-[JSValue toNumber]):
        (-[JSValue toString]):
        (-[JSValue toDate]):
        (-[JSValue toArray]):
        (-[JSValue toDictionary]):
            - Conversion to Objective-C types.
        (-[JSValue valueForProperty:]):
        (-[JSValue setValue:forProperty:]):
        (-[JSValue deleteProperty:]):
        (-[JSValue hasProperty:]):
        (-[JSValue defineProperty:descriptor:]):
            - Property access by property name.
        (-[JSValue valueAtIndex:]):
        (-[JSValue setValue:atIndex:]):
            - Property access by index.
        (-[JSValue isUndefined]):
        (-[JSValue isNull]):
        (-[JSValue isBoolean]):
        (-[JSValue isNumber]):
        (-[JSValue isString]):
        (-[JSValue isObject]):
            - Test JavaScript type.
        (-[JSValue isEqualToObject:]):
        (-[JSValue isEqualWithTypeCoercionToObject:]):
        (-[JSValue isInstanceOf:]):
            - ===, ==, instanceof operators.
        (-[JSValue callWithArguments:]):
        (-[JSValue constructWithArguments:]):
        (-[JSValue invokeMethod:withArguments:]):
            - Call & construct.
        (-[JSValue context]):
            - implementation for .context property.
        (-[JSValue toPoint]):
        (-[JSValue toRange]):
        (-[JSValue toRect]):
        (-[JSValue toSize]):
        (+[JSValue valueWithPoint:inContext:]):
        (+[JSValue valueWithRange:inContext:]):
        (+[JSValue valueWithRect:inContext:]):
        (+[JSValue valueWithSize:inContext:]):
            - Support for NS struct types.
        (-[JSValue objectForKeyedSubscript:]):
        (-[JSValue objectAtIndexedSubscript:]):
        (-[JSValue setObject:forKeyedSubscript:]):
        (-[JSValue setObject:atIndexedSubscript:]):
            - support for subscript property access.
        (isDate):
        (isArray):
            - internal helper functions to check for instances of JS Date, Array types.
        (JSContainerConvertor):
        (Task):
        (JSContainerConvertor::JSContainerConvertor):
        (JSContainerConvertor::isWorkListEmpty):
        (JSContainerConvertor::convert):
        (JSContainerConvertor::add):
        (JSContainerConvertor::take):
            - helper class for tracking state while converting to Array/Dictionary objects.
        (valueToObjectWithoutCopy):
        (containerValueToObject):
        (valueToObject):
        (valueToNumber):
        (valueToString):
        (valueToDate):
        (valueToArray):
        (valueToDictionary):
            - function for converting JavaScript values to Objective-C objects.
        (ObjcContainerConvertor):
        (ObjcContainerConvertor::ObjcContainerConvertor):
        (ObjcContainerConvertor::isWorkListEmpty):
        (ObjcContainerConvertor::convert):
        (ObjcContainerConvertor::add):
        (ObjcContainerConvertor::take):
            - helper class for tracking state while converting to Array/Dictionary values.
        (objectToValueWithoutCopy):
        (objectToValue):
        (valueInternalValue):
            - function for converting Objective-C objects to JavaScript values.
        (+[JSValue valueWithValue:inContext:]):
        (-[JSValue initWithValue:inContext:]):
            - internal constructors.
        (StructTagHandler):
        (getStructTagHandler):
        (+[JSValue selectorForStructToValue:]):
        (+[JSValue selectorForValueToStruct:]):
            - methods for tracking struct types that support conversion to/from JSValue.
        (-[JSValue dealloc]):
            - destructor.
        (-[JSValue description]):
            - Objective-C to-NSString conversion.
        (typeToValueInvocationFor):
        (valueToTypeInvocationFor):
            - create invocation objects for conversion to/from JSValue.
        * API/JSValueInternal.h: Added.
            - see API/JSValue.mm for description of internal methods.
        * API/JSVirtualMachine.h: Added.
            - this Objective-C class is used to reference a JavaScript virtual machine (JSGlobalData).
        * API/JSVirtualMachine.mm: Added.
        (-[JSVirtualMachine init]):
        (-[JSVirtualMachine dealloc]):
            - constructor & destructor.
        (getGroupFromVirtualMachine):
            - internal accessor for m_group property.
        * API/JSVirtualMachineInternal.h: Added.
            - see API/JSVirtualMachine.mm for description of internal methods.
        * API/JSWrapperMap.h: Added.
        * API/JSWrapperMap.mm: Added.
        (wrapperClass):
            - singleton root for detection (& unwrapping) of wrapper objects.
        (selectorToPropertyName):
            - default selector to property name conversion.
        (createObjectWithCustomBrand):
            - creates a JSObject with a custom NativeBrand (class name).
        (createRenameMap):
            - parse @optional properties of a JSExport protocol.
        (putNonEnumerable):
            - property put with enumerable=false.
        (copyMethodsToObject):
            - iterate methods in a protocol; add functions to a JSObject.
        (parsePropertyAttributes):
            - examine protocol property metadata.
        (makeSetterName):
            - "foo" -> "setFoo"
        (copyPrototypeProperties):
            - create properties on a Protocol object reflecting the instance methods & properties of a protocol.
        (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]):
        (-[JSObjCClassInfo dealloc]):
        (-[JSObjCClassInfo wrapperForObject:]):
        (-[JSObjCClassInfo constructor]):
            - cache the Protocol/Constructor objects for an Objective-C type.
        (-[JSWrapperMap initWithContext:]):
        (-[JSWrapperMap dealloc]):
            - constructor & destructor.
        (-[JSWrapperMap classInfoForClass:]):
            - maps Class -> JSObjCClassInfo.
        (-[JSWrapperMap wrapperForObject:]):
            - create or retrieve a cached wrapper value for an object.
        (tryUnwrapObjcObject):
            - check whether a value is a wrapper object; unwrap if so.
        * API/JavaScriptCore.h:
            - Added includes for new API headers.
        * API/ObjCCallbackFunction.h: Added.
            - this class is used to wrap Objective-C instance methods, class methods & blocks as JSFunction objects.
        * API/ObjCCallbackFunction.mm: Added.
17492 (CallbackArgument): 17493 (CallbackArgument::~CallbackArgument): 17494 (CallbackArgumentBoolean): 17495 (CallbackArgumentBoolean::set): 17496 (CallbackArgumentInteger): 17497 (CallbackArgumentInteger::set): 17498 (CallbackArgumentDouble): 17499 (CallbackArgumentDouble::set): 17500 (CallbackArgumentJSValue): 17501 (CallbackArgumentJSValue::set): 17502 (CallbackArgumentId): 17503 (CallbackArgumentId::set): 17504 (CallbackArgumentOfClass): 17505 (CallbackArgumentOfClass::CallbackArgumentOfClass): 17506 (CallbackArgumentOfClass::~CallbackArgumentOfClass): 17507 (CallbackArgumentOfClass::set): 17508 (CallbackArgumentNSNumber): 17509 (CallbackArgumentNSNumber::set): 17510 (CallbackArgumentNSString): 17511 (CallbackArgumentNSString::set): 17512 (CallbackArgumentNSDate): 17513 (CallbackArgumentNSDate::set): 17514 (CallbackArgumentNSArray): 17515 (CallbackArgumentNSArray::set): 17516 (CallbackArgumentNSDictionary): 17517 (CallbackArgumentNSDictionary::set): 17518 (CallbackArgumentStruct): 17519 (CallbackArgumentStruct::CallbackArgumentStruct): 17520 (CallbackArgumentStruct::~CallbackArgumentStruct): 17521 (CallbackArgumentStruct::set): 17522 (CallbackArgumentBlockCallback): 17523 (CallbackArgumentBlockCallback::CallbackArgumentBlockCallback): 17524 (CallbackArgumentBlockCallback::~CallbackArgumentBlockCallback): 17525 (CallbackArgumentBlockCallback::set): 17526 - decoded arguent type information of a ObjCCallbackFunction. 17527 (ArgumentTypeDelegate): 17528 (ArgumentTypeDelegate::typeInteger): 17529 (ArgumentTypeDelegate::typeDouble): 17530 (ArgumentTypeDelegate::typeBool): 17531 (ArgumentTypeDelegate::typeVoid): 17532 (ArgumentTypeDelegate::typeId): 17533 (ArgumentTypeDelegate::typeOfClass): 17534 (ArgumentTypeDelegate::typeBlock): 17535 (ArgumentTypeDelegate::typeStruct): 17536 - delegate for use in conjunction with parseObjCType. 
17537 (CallbackResult): 17538 (CallbackResult::~CallbackResult): 17539 (CallbackResultVoid): 17540 (CallbackResultVoid::get): 17541 (CallbackResultId): 17542 (CallbackResultId::get): 17543 (CallbackResultNumeric): 17544 (CallbackResultNumeric::get): 17545 (CallbackResultBoolean): 17546 (CallbackResultBoolean::get): 17547 (CallbackResultStruct): 17548 (CallbackResultStruct::CallbackResultStruct): 17549 (CallbackResultStruct::~CallbackResultStruct): 17550 (CallbackResultStruct::get): 17551 - decoded result type information of a ObjCCallbackFunction. 17552 (ResultTypeDelegate): 17553 (ResultTypeDelegate::typeInteger): 17554 (ResultTypeDelegate::typeDouble): 17555 (ResultTypeDelegate::typeBool): 17556 (ResultTypeDelegate::typeVoid): 17557 (ResultTypeDelegate::typeId): 17558 (ResultTypeDelegate::typeOfClass): 17559 (ResultTypeDelegate::typeBlock): 17560 (ResultTypeDelegate::typeStruct): 17561 - delegate for use in conjunction with parseObjCType. 17562 (ObjCCallbackFunction): 17563 (ObjCCallbackFunction::ObjCCallbackFunction): 17564 (ObjCCallbackFunction::~ObjCCallbackFunction): 17565 - constructor & destructor. 17566 (ObjCCallbackFunction::context): 17567 - accessor. 17568 (ObjCCallbackFunction::wrappedBlock): 17569 - attemmpt to unwrap a block object. 17570 (objCCallbackFunctionFinalize): 17571 (objCCallbackFunctionCallAsFunction): 17572 (objCCallbackFunctionClass): 17573 - JSClassRef used to represent ObjCCallbackFunction objects. 17574 (ObjCCallbackFunction::call): 17575 (blockSignatureContainsClass): 17576 - helper function to determine if we're running on a recent Clang. 17577 (skipNumber): 17578 - helper used in parsing signature strings. 17579 (objCCallbackFunctionForInvocation): 17580 (objCCallbackFunctionForMethod): 17581 (objCCallbackFunctionForBlock): 17582 - functions to try to create ObjCCallbackFunction instances for methods/blocks. 17583 (tryUnwrapBlock): 17584 - attemmpt to unwrap a block object. 17585 * API/ObjcRuntimeExtras.h: Added. 
17586 (protocolImplementsProtocol): 17587 (forEachProtocolImplementingProtocol): 17588 (forEachMethodInClass): 17589 (forEachMethodInProtocol): 17590 (forEachPropertyInProtocol): 17591 - functions used in reflecting on Objective-C types. 17592 (skipPair): 17593 - parsing helper used by parseObjCType, scans for matching parentheses. 17594 (StringRange): 17595 (StringRange::StringRange): 17596 (StringRange::~StringRange): 17597 (StringRange::operator const char*): 17598 (StringRange::get): 17599 - Helper class - create a c string copy of a range of an existing string. 17600 (parseObjCType): 17601 - function to parse Objective-C type strings, makes callbacks to a deleagte. 17602 * API/tests/testapi.c: 17603 (main): 17604 - added call to testObjectiveCAPI (in testapi.m). 17605 * API/tests/testapi.m: Added. 17606 (+[ParentObject parentTest]): 17607 (+[TestObject testObject]): 17608 (+[TestObject classTest]): 17609 (-[TestObject getString]): 17610 (-[TestObject testArgumentTypesWithInt:double:boolean:string:number:array:dictionary:]): 17611 (-[TestObject callback:]): 17612 (-[TextXYZ test:]): 17613 - test object, used in various test vases. 17614 (checkResult): 17615 - helper function. 17616 (blockSignatureContainsClass): 17617 - helper function to determine if we're running on a recent Clang. 17618 (testObjectiveCAPI): 17619 - new test cases. 17620 * JavaScriptCore.xcodeproj/project.pbxproj: 17621 - added new files. 17622 * runtime/JSGlobalData.cpp: 17623 (JSC::JSGlobalData::JSGlobalData): 17624 * runtime/JSGlobalData.h: 17625 (JSGlobalData): 17626 - added m_apiData - provide convenient storage for use by the API. 17627 * runtime/JSGlobalObject.cpp: 17628 (JSC::JSGlobalObject::JSGlobalObject): 17629 * runtime/JSGlobalObject.h: 17630 (JSGlobalObject): 17631 - added m_apiData - provide convenient storage for use by the API. 17632 176332012-12-27 Csaba Osztrogonác <ossy@webkit.org> 17634 17635 One more unreviwed holiday MIPS and SH4 buildfixes after r138516. 
17636 17637 * jit/ThunkGenerators.cpp: 17638 176392012-12-27 Csaba Osztrogonác <ossy@webkit.org> 17640 17641 Unreviwed holiday ARM and SH4 buildfixes after r138516. 17642 17643 * jit/ThunkGenerators.cpp: 17644 (JSC::nativeForGenerator): 17645 176462012-12-26 Filip Pizlo <fpizlo@apple.com> 17647 17648 All JIT stubs should go through the getCTIStub API 17649 https://bugs.webkit.org/show_bug.cgi?id=105750 17650 17651 Reviewed by Sam Weinig. 17652 17653 Previously JITThunks had two sets of thunks: one static set stored in a struct, 17654 which was filled by JIT::privateCompileCTITrampolines, and another set stored in 17655 a HashMap. Moreover, the code to generate the code for the CTI trampoline struct 17656 had loads of copy-paste between JSVALUE32_64 and JSVALUE64, and was total 17657 unmodular with respect to calls versus constructors, among other things. 17658 17659 This changeset removes this struct and rationalizes the code that generates those 17660 thunks. All of thunks are now generated through the getCTIStub HashMap API. All 17661 thunks for the baseline JIT now use the JSInterfaceJIT and have their codegen 17662 located in ThunkGenerators.cpp. All thunks now share as much code as possible - 17663 it turns out that they are almost 100% identical between 32_64 and 64, so that 17664 works out great. A bunch of call vs. construct duplication was eliminated. And, 17665 most of the call link versus virtual call duplication was also eliminated. 17666 17667 This does not change behavior but it does make it easier to add more thunks in 17668 the future. 
17669 17670 * bytecode/CallLinkInfo.cpp: 17671 (JSC::CallLinkInfo::unlink): 17672 * jit/JIT.cpp: 17673 (JSC::JIT::linkFor): 17674 * jit/JIT.h: 17675 (JIT): 17676 * jit/JITCall.cpp: 17677 (JSC::JIT::compileCallEvalSlowCase): 17678 (JSC::JIT::compileOpCallSlowCase): 17679 * jit/JITCall32_64.cpp: 17680 (JSC::JIT::compileCallEvalSlowCase): 17681 (JSC::JIT::compileOpCallSlowCase): 17682 * jit/JITInlines.h: 17683 (JSC): 17684 * jit/JITOpcodes.cpp: 17685 (JSC): 17686 (JSC::JIT::privateCompileCTINativeCall): 17687 * jit/JITOpcodes32_64.cpp: 17688 (JSC): 17689 * jit/JITStubs.cpp: 17690 (JSC::tryCacheGetByID): 17691 * jit/JITThunks.cpp: 17692 (JSC::JITThunks::JITThunks): 17693 (JSC::JITThunks::ctiNativeCall): 17694 (JSC::JITThunks::ctiNativeConstruct): 17695 (JSC): 17696 (JSC::JITThunks::hostFunctionStub): 17697 * jit/JITThunks.h: 17698 (JSC): 17699 (JITThunks): 17700 * jit/JSInterfaceJIT.h: 17701 (JSInterfaceJIT): 17702 (JSC::JSInterfaceJIT::emitJumpIfNotJSCell): 17703 (JSC): 17704 (JSC::JSInterfaceJIT::emitFastArithIntToImmNoCheck): 17705 (JSC::JSInterfaceJIT::emitJumpIfNotType): 17706 (JSC::JSInterfaceJIT::emitGetFromCallFrameHeaderPtr): 17707 (JSC::JSInterfaceJIT::emitPutToCallFrameHeader): 17708 (JSC::JSInterfaceJIT::emitPutImmediateToCallFrameHeader): 17709 (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader): 17710 (JSC::JSInterfaceJIT::preserveReturnAddressAfterCall): 17711 (JSC::JSInterfaceJIT::restoreReturnAddressBeforeReturn): 17712 (JSC::JSInterfaceJIT::restoreArgumentReference): 17713 * jit/ThunkGenerators.cpp: 17714 (JSC::generateSlowCaseFor): 17715 (JSC): 17716 (JSC::linkForGenerator): 17717 (JSC::linkCallGenerator): 17718 (JSC::linkConstructGenerator): 17719 (JSC::virtualForGenerator): 17720 (JSC::virtualCallGenerator): 17721 (JSC::virtualConstructGenerator): 17722 (JSC::stringLengthTrampolineGenerator): 17723 (JSC::nativeForGenerator): 17724 (JSC::nativeCallGenerator): 17725 (JSC::nativeConstructGenerator): 17726 (JSC::charCodeAtThunkGenerator): 17727 
(JSC::charAtThunkGenerator): 17728 (JSC::fromCharCodeThunkGenerator): 17729 (JSC::sqrtThunkGenerator): 17730 (JSC::floorThunkGenerator): 17731 (JSC::ceilThunkGenerator): 17732 (JSC::roundThunkGenerator): 17733 (JSC::expThunkGenerator): 17734 (JSC::logThunkGenerator): 17735 (JSC::absThunkGenerator): 17736 (JSC::powThunkGenerator): 17737 * jit/ThunkGenerators.h: 17738 (JSC): 17739 * runtime/Executable.h: 17740 (NativeExecutable): 17741 (JSC::NativeExecutable::nativeFunctionFor): 17742 (JSC::NativeExecutable::offsetOfNativeFunctionFor): 17743 177442012-12-25 Gyuyoung Kim <gyuyoung.kim@samsung.com> 17745 17746 [CMAKE] Remove header files in JavaScriptCore/CMakeLists.txt 17747 https://bugs.webkit.org/show_bug.cgi?id=105753 17748 17749 Reviewed by Laszlo Gombos. 17750 17751 * CMakeLists.txt: Remove header files in source list. 17752 177532012-12-25 Filip Pizlo <fpizlo@apple.com> 17754 17755 JITThunks should be in its own file 17756 https://bugs.webkit.org/show_bug.cgi?id=105744 17757 17758 Rubber stamped by Sam Weinig. 17759 17760 Moved JITThunks into its own file and removed some static methods from it 17761 that were not related to what JITThunks currently does. Performed various 17762 pagan rituals to get it to build - apparently there is a circular dependency 17763 between JSCell, Weak, and JITThunks, which magically resolves itself if you 17764 make sure to first include Register.h. Making it so that fewer pagan rituals 17765 need to be performed if this code changes in the future is covered by 17766 https://bugs.webkit.org/show_bug.cgi?id=105696. 
17767 17768 * CMakeLists.txt: 17769 * GNUmakefile.list.am: 17770 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: 17771 * JavaScriptCore.xcodeproj/project.pbxproj: 17772 * Target.pri: 17773 * jit/JITStubs.cpp: 17774 (JSC::tryCachePutByID): 17775 (JSC::tryCacheGetByID): 17776 * jit/JITStubs.h: 17777 (JSC::JITStackFrame::returnAddressSlot): 17778 (JSC::returnAddressIsInCtiTrampoline): 17779 * jit/JITThunks.cpp: Added. 17780 (JSC::JITThunks::JITThunks): 17781 (JSC::JITThunks::~JITThunks): 17782 (JSC::JITThunks::ctiStub): 17783 (JSC::JITThunks::hostFunctionStub): 17784 (JSC::JITThunks::clearHostFunctionStubs): 17785 * jit/JITThunks.h: Added. 17786 (JSC::JITThunks::ctiStringLengthTrampoline): 17787 (JSC::JITThunks::ctiVirtualCallLink): 17788 (JSC::JITThunks::ctiVirtualConstructLink): 17789 (JSC::JITThunks::ctiVirtualCall): 17790 (JSC::JITThunks::ctiVirtualConstruct): 17791 (JSC::JITThunks::ctiNativeCall): 17792 (JSC::JITThunks::ctiNativeConstruct): 17793 * jit/ThunkGenerator.h: Added. 17794 * jit/ThunkGenerators.cpp: 17795 * jit/ThunkGenerators.h: 17796 * runtime/JSGlobalData.h: 17797 177982012-12-25 Ilya Tikhonovsky <loislo@chromium.org> 17799 17800 Unreviewed follow-up for r138455. 17801 17802 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 17803 178042012-12-24 Ilya Tikhonovsky <loislo@chromium.org> 17805 17806 Unreviewed compilation fix for r138452. 17807 17808 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 17809 178102012-12-24 Laszlo Gombos <l.gombos@samsung.com> 17811 17812 Remove wtf/Platform.h includes from {c|cpp} files 17813 https://bugs.webkit.org/show_bug.cgi?id=105678 17814 17815 Reviewed by Kentaro Hara. 17816 17817 Remove wtf/Platform.h from the include list as it is already 17818 included in config.h. 
17819 17820 * disassembler/udis86/udis86.c: 17821 * disassembler/udis86/udis86_decode.c: 17822 * disassembler/udis86/udis86_input.c: 17823 * disassembler/udis86/udis86_itab_holder.c: 17824 * disassembler/udis86/udis86_syn-att.c: 17825 * disassembler/udis86/udis86_syn-intel.c: 17826 * disassembler/udis86/udis86_syn.c: 17827 * heap/VTableSpectrum.cpp: 17828 178292012-12-21 Filip Pizlo <fpizlo@apple.com> 17830 17831 DFG Arrayify slow path should be out-of-line 17832 https://bugs.webkit.org/show_bug.cgi?id=105400 17833 17834 Reviewed by Gavin Barraclough. 17835 17836 The interesting bit of this change is allowing out-of-line slow path generators 17837 to emit speculation checks. This is accomplished by having a version of 17838 speculationCheck() that returns a jump placeholder instead of taking a jump (or 17839 jump list) as an argument. You can then fill in that jump placeholder at a 17840 later time, so long as you do it before OSR exit linking. Slow path generators 17841 run before linking, so that just naturally ends up working. 17842 17843 This isn't really a big win, but we know that out-of-lining slow paths is 17844 generally a good thing to do, so it's fair to assume that this is a move in the 17845 right direction. 17846 17847 * CMakeLists.txt: 17848 * GNUmakefile.list.am: 17849 * JavaScriptCore.xcodeproj/project.pbxproj: 17850 * Target.pri: 17851 * dfg/DFGArrayifySlowPathGenerator.h: Added. 17852 (DFG): 17853 (ArrayifySlowPathGenerator): 17854 (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator): 17855 (JSC::DFG::ArrayifySlowPathGenerator::generateInternal): 17856 * dfg/DFGOSRExitJumpPlaceholder.cpp: Added. 17857 (DFG): 17858 (JSC::DFG::OSRExitJumpPlaceholder::fill): 17859 * dfg/DFGOSRExitJumpPlaceholder.h: Added. 
17860 (DFG): 17861 (OSRExitJumpPlaceholder): 17862 (JSC::DFG::OSRExitJumpPlaceholder::OSRExitJumpPlaceholder): 17863 (JSC::DFG::OSRExitJumpPlaceholder::operator!): 17864 * dfg/DFGSpeculativeJIT.cpp: 17865 (JSC::DFG::SpeculativeJIT::speculationCheck): 17866 (DFG): 17867 (JSC::DFG::SpeculativeJIT::arrayify): 17868 * dfg/DFGSpeculativeJIT.h: 17869 (SpeculativeJIT): 17870 178712012-12-20 Oliver Hunt <oliver@apple.com> 17872 17873 Finally found the problem. Using the wrong JSContextGroup. 17874 17875 * API/tests/testapi.c: 17876 (main): 17877 178782012-12-20 Oliver Hunt <oliver@apple.com> 17879 17880 Try to convince bots to be happy with testapi. 17881 17882 * API/JSScriptRefPrivate.h: 17883 178842012-12-20 Michael Saboff <msaboff@apple.com> 17885 17886 JIT: Change uninitialized pointer value -1 to constant 17887 https://bugs.webkit.org/show_bug.cgi?id=105576 17888 17889 Rubber stamped by Gavin Barraclough. 17890 17891 Changed the use of -1 as a pointer value in the JITs to be the constant unusedPointer defined in the 17892 new file jit/UnusedPointer.h. Made it's value 0xd1e7beef, which is a bad pointer on most architectures 17893 because it is odd, and to distinguish it from other common values. 
17894 17895 * GNUmakefile.list.am: 17896 * JavaScriptCore.xcodeproj/project.pbxproj: 17897 * dfg/DFGRepatch.cpp: 17898 (JSC::DFG::dfgResetGetByID): 17899 (JSC::DFG::dfgResetPutByID): 17900 * dfg/DFGSpeculativeJIT32_64.cpp: 17901 (JSC::DFG::SpeculativeJIT::cachedGetById): 17902 (JSC::DFG::SpeculativeJIT::cachedPutById): 17903 * dfg/DFGSpeculativeJIT64.cpp: 17904 (JSC::DFG::SpeculativeJIT::cachedGetById): 17905 (JSC::DFG::SpeculativeJIT::cachedPutById): 17906 * jit/JIT.h: 17907 * jit/JITPropertyAccess.cpp: 17908 (JSC::JIT::resetPatchGetById): 17909 (JSC::JIT::resetPatchPutById): 17910 * jit/JITPropertyAccess32_64.cpp: 17911 (JSC::JIT::resetPatchGetById): 17912 (JSC::JIT::resetPatchPutById): 17913 * jit/JITWriteBarrier.h: 17914 (JSC::JITWriteBarrierBase::clearToUnusedPointer): 17915 (JSC::JITWriteBarrierBase::get): 17916 * jit/UnusedPointer.h: Added. 17917 179182012-12-20 Filip Pizlo <fpizlo@apple.com> 17919 17920 DFG shouldn't emit CheckStructure on array accesses if exit profiling tells it not to 17921 https://bugs.webkit.org/show_bug.cgi?id=105577 17922 17923 Reviewed by Mark Hahnenberg. 17924 17925 I don't know why this wasn't there from the beginning. 17926 17927 * dfg/DFGByteCodeParser.cpp: 17928 (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks): 17929 179302012-12-19 Filip Pizlo <fpizlo@apple.com> 17931 17932 DFG speculation checks that take JumpList should consolidate OSRExits 17933 https://bugs.webkit.org/show_bug.cgi?id=105401 17934 17935 Reviewed by Oliver Hunt. 17936 17937 Change OSRExitCompilationInfo to always contain a JumpList, and change JumpList 17938 to be more compact. This way, a speculationCheck that takes a JumpList only has 17939 to emit one OSRExit structure, and one OSRExit landing pad. 17940 17941 The downside is that we get less precise information about *where* we exited 17942 from. So, this also includes changes to the profiler to be more relaxed about 17943 what an ExitSite is. 
17944 17945 * assembler/AbstractMacroAssembler.h: 17946 (JumpList): 17947 * dfg/DFGJITCompiler.cpp: 17948 (JSC::DFG::JITCompiler::linkOSRExits): 17949 (JSC::DFG::JITCompiler::link): 17950 * dfg/DFGJITCompiler.h: 17951 (DFG): 17952 (JSC::DFG::JITCompiler::appendExitInfo): 17953 (JITCompiler): 17954 * dfg/DFGOSRExitCompilationInfo.h: 17955 (OSRExitCompilationInfo): 17956 * dfg/DFGSpeculativeJIT.cpp: 17957 (JSC::DFG::SpeculativeJIT::speculationCheck): 17958 (JSC::DFG::SpeculativeJIT::speculationWatchpoint): 17959 (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck): 17960 * profiler/ProfilerCompilation.cpp: 17961 (JSC::Profiler::Compilation::addOSRExitSite): 17962 * profiler/ProfilerCompilation.h: 17963 (Compilation): 17964 * profiler/ProfilerOSRExitSite.cpp: 17965 (JSC::Profiler::OSRExitSite::toJS): 17966 * profiler/ProfilerOSRExitSite.h: 17967 (JSC::Profiler::OSRExitSite::OSRExitSite): 17968 (JSC::Profiler::OSRExitSite::codeAddress): 17969 (OSRExitSite): 17970 179712012-12-19 Oliver Hunt <oliver@apple.com> 17972 17973 Fix some incorrect tests in testapi.c 17974 17975 Reviewed by Simon Fraser. 17976 17977 * API/tests/testapi.c: 17978 (main): 17979 179802012-12-19 Filip Pizlo <fpizlo@apple.com> 17981 17982 JSObject::ensure<IndexingType> should gracefully handle InterceptsGetOwn..., and should never be called when the 'this' is not an object 17983 https://bugs.webkit.org/show_bug.cgi?id=105468 17984 17985 Reviewed by Mark Hahnenberg, Oliver Hunt, and Gavin Barraclough. 17986 17987 Changed JSObject::ensure<IndexingType> methods to gracefully handle 17988 InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero. Most of them handle it by returning 17989 null as a result of indexingShouldBeSparse() returning true, while ensureArrayStorage handles it 17990 by entering dictionary indexing mode, which forces the object to behave correctly even if there 17991 is proxying or weird prototype stuff going on. 
17992 17993 Changed DFGOperations entrypoints to reject non-objects, so that JSObject doesn't have to deal 17994 with pretending to be JSString. In particular, this would go wrong in the ArrayStorage case 17995 since we'd try to resize a butterfly on a JSString, but JSString has something other than 17996 m_butterfly at that offset. 17997 17998 Finally, removed all InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero from JIT code 17999 since those are now redundant. 18000 18001 * dfg/DFGOperations.cpp: 18002 * dfg/DFGOperations.h: 18003 * dfg/DFGSpeculativeJIT.cpp: 18004 (JSC::DFG::SpeculativeJIT::arrayify): 18005 * dfg/DFGSpeculativeJIT.h: 18006 (JSC::DFG::SpeculativeJIT::callOperation): 18007 * runtime/JSObject.cpp: 18008 (JSC::JSObject::enterDictionaryIndexingMode): 18009 (JSC::JSObject::ensureInt32Slow): 18010 (JSC::JSObject::ensureDoubleSlow): 18011 (JSC::JSObject::ensureContiguousSlow): 18012 (JSC::JSObject::ensureArrayStorageSlow): 18013 (JSC): 18014 (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): 18015 * runtime/JSObject.h: 18016 (JSObject): 18017 180182012-12-19 Oliver Hunt <oliver@apple.com> 18019 18020 Tidy up JSScriptRef API 18021 https://bugs.webkit.org/show_bug.cgi?id=105470 18022 18023 Reviewed by Anders Carlsson. 18024 18025 People found the API's use of a context confusing, so we'll switch to a JSContextGroup based 18026 API, and drop a number of the unnecessary uses of contexts. 18027 18028 * API/JSScriptRef.cpp: 18029 (OpaqueJSScript::globalData): 18030 (parseScript): 18031 * API/JSScriptRefPrivate.h: 18032 * API/tests/testapi.c: 18033 (main): 18034 180352012-12-19 Alexis Menard <alexis@webkit.org> 18036 18037 Implement CSS parsing for CSS transitions unprefixed. 18038 https://bugs.webkit.org/show_bug.cgi?id=104804 18039 18040 Reviewed by Dean Jackson. 18041 18042 Add a new flag ENABLE_CSS_TRANSFORMS_ANIMATIONS_TRANSITIONS_UNPREFIXED 18043 to cover the work of unprefixing Transforms, Animations and 18044 Transitions. 
It will let the possibility of each ports to turn it off 18045 in their release branches until we're confident that these CSS 18046 properties are ready to be unprefixed. 18047 18048 * Configurations/FeatureDefines.xcconfig: 18049 180502012-12-18 Filip Pizlo <fpizlo@apple.com> 18051 18052 Proxies should set InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero 18053 https://bugs.webkit.org/show_bug.cgi?id=105379 18054 18055 Reviewed by Gavin Barraclough. 18056 18057 Forgetting to set this flag led to the DFG trying to ensure array storage on a proxy. I've 18058 now hardened the code with a release assertion as well as fixing the bug. A release assertion 18059 is appropriate here since this is slow-path code. 18060 18061 * runtime/JSObject.cpp: 18062 (JSC::JSObject::enterDictionaryIndexingMode): 18063 (JSC::JSObject::ensureInt32Slow): 18064 (JSC::JSObject::ensureDoubleSlow): 18065 (JSC::JSObject::ensureContiguousSlow): 18066 (JSC::JSObject::ensureArrayStorageSlowNoCheck): 18067 (JSC::JSObject::ensureArrayStorageSlow): 18068 (JSC): 18069 (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): 18070 * runtime/JSObject.h: 18071 (JSObject): 18072 * runtime/JSProxy.h: 18073 (JSProxy): 18074 180752012-12-18 Oliver Hunt <oliver@apple.com> 18076 18077 Add a JSScriptRef API to JSC so that we can allow API users to avoid the full cost of reparsing everytime the execute a script. 18078 https://bugs.webkit.org/show_bug.cgi?id=105340 18079 18080 Reviewed by Gavin Barraclough. 18081 18082 This patch adds a (currently private) API to allow users of the JSC API to create a JSScript object 18083 that references a reusable version of the script that they wish to evaluate. This can help us avoid 18084 numeorus copies that are otherwise induced by our existing API and gives us an opaque object that we 18085 can hang various caches off. 
Currently this is simply a simple SourceProvider, but in future we may 18086 be able to add more caching without requiring new/replacement APIs. 18087 18088 * API/JSScriptRef.cpp: Added. 18089 * API/JSScriptRefPrivate.h: Added. 18090 * API/tests/testapi.c: 18091 Add tests for new APIs. 18092 * JavaScriptCore.xcodeproj/project.pbxproj: 18093 180942012-12-18 Filip Pizlo <fpizlo@apple.com> 18095 18096 DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode incorrectly checks for non-array array storage when it should be checking for array array storage 18097 https://bugs.webkit.org/show_bug.cgi?id=105365 18098 18099 Reviewed by Mark Hahnenberg. 18100 18101 * dfg/DFGSpeculativeJIT.cpp: 18102 (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode): 18103 181042012-12-18 Filip Pizlo <fpizlo@apple.com> 18105 18106 SunSpider/date-format-tofte shouldn't compile each of the tiny worthless eval's only to OSR exit in the prologue every time 18107 https://bugs.webkit.org/show_bug.cgi?id=105335 18108 18109 Reviewed by Geoffrey Garen. 18110 18111 The first thing I did was restructure the logic of canInlineResolveOperations(), 18112 because I didn't understand it. This was relevant because the OSR exits are 18113 caused by a resolve that the DFG cannot handle. 18114 18115 I was then going to make it so that we didn't compile the resolve at all, but 18116 realized that this would not be the best fix: it didn't seem sensible to me to 18117 be optimizing these evals after only 60 invocations. Evals should have a higher 18118 threshold, since they often contain code for which the baseline JIT does a 18119 pretty good job already (if all you've got is a single heap access or a single 18120 hard-to-inline call, then the baseline JIT has got you covered), and typically 18121 if we see one eval code block we expect to see more (from the same eval site): 18122 so our typical low threshold could lead to a *lot* of compilation. 
As such, the 18123 main effect of this patch is to introduce an evalThresholdMultiplier, which is 18124 now set to 10. 18125 18126 This is a ~5% speed-up on data-format-tofte. No regressions anywhere as far as 18127 I can see. 18128 18129 * bytecode/CodeBlock.cpp: 18130 (JSC::CodeBlock::codeTypeThresholdMultiplier): 18131 (JSC): 18132 (JSC::CodeBlock::optimizationThresholdScalingFactor): 18133 (JSC::CodeBlock::exitCountThresholdForReoptimization): 18134 (JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop): 18135 * bytecode/CodeBlock.h: 18136 (CodeBlock): 18137 * dfg/DFGCapabilities.h: 18138 (JSC::DFG::canInlineResolveOperations): 18139 * dfg/DFGOSRExitCompiler.cpp: 18140 * runtime/Options.h: 18141 (JSC): 18142 181432012-12-18 Filip Pizlo <fpizlo@apple.com> 18144 18145 Convert indexingTypeToString to IndexingTypeDump 18146 https://bugs.webkit.org/show_bug.cgi?id=105351 18147 18148 Reviewed by Mark Hahnenberg. 18149 18150 This gets rid of another case of static char buffer[thingy]. 18151 18152 * dfg/DFGGraph.cpp: 18153 (JSC::DFG::Graph::dump): 18154 * runtime/IndexingType.cpp: 18155 (JSC::dumpIndexingType): 18156 * runtime/IndexingType.h: 18157 (JSC): 18158 * runtime/JSValue.cpp: 18159 (JSC::JSValue::dump): 18160 181612012-12-18 Beth Dakin <bdakin@apple.com> 18162 18163 https://bugs.webkit.org/show_bug.cgi?id=102579 18164 [mac] Enable scaled cursors 18165 18166 Reviewed by Dean Jackson. 18167 18168 * Configurations/FeatureDefines.xcconfig: 18169 181702012-12-18 Mark Hahnenberg <mhahnenberg@apple.com> 18171 18172 Restrictions on oversize CopiedBlock allocations should be relaxed 18173 https://bugs.webkit.org/show_bug.cgi?id=105339 18174 18175 Reviewed by Filip Pizlo. 18176 18177 Currently the DFG has a single branch in the inline allocation path for property/array storage where 18178 it checks to see if the number of bytes requested will fit in the current block. 
This does not match 18179 what the C++ allocation path does; it checks if the requested number of bytes is oversize, and then 18180 if it's not, it tries to fit it in the current block. The garbage collector assumes that ALL allocations 18181 that are greater than 16KB are in oversize blocks. Therefore, this mismatch can lead to crashes when 18182 the collector tries to perform some operation on a CopiedBlock. 18183 18184 To avoid adding an extra branch to the inline allocation path in the JIT, we should make it so that 18185 oversize blocks are allocated on the same alignment boundaries so that there is a single mask to find 18186 the block header of any CopiedBlock (rather than two, one for normal and one for oversize blocks), and 18187 we should figure out if a block is oversize by some other method than just whatever the JSObject says 18188 it is. One way we could record this info Region of the block, since we allocate a one-off Region for 18189 oversize blocks. 18190 18191 * heap/BlockAllocator.h: 18192 (JSC::Region::isCustomSize): 18193 (Region): 18194 (JSC::Region::createCustomSize): 18195 (JSC::Region::Region): 18196 (JSC::BlockAllocator::deallocateCustomSize): 18197 * heap/CopiedBlock.h: 18198 (CopiedBlock): 18199 (JSC::CopiedBlock::isOversize): 18200 (JSC): 18201 * heap/CopiedSpace.cpp: 18202 (JSC::CopiedSpace::tryAllocateOversize): 18203 (JSC::CopiedSpace::tryReallocate): 18204 (JSC::CopiedSpace::tryReallocateOversize): 18205 * heap/CopiedSpace.h: 18206 (CopiedSpace): 18207 * heap/CopiedSpaceInlines.h: 18208 (JSC::CopiedSpace::contains): 18209 (JSC::CopiedSpace::tryAllocate): 18210 (JSC): 18211 * heap/CopyVisitor.h: 18212 (CopyVisitor): 18213 * heap/CopyVisitorInlines.h: 18214 (JSC::CopyVisitor::checkIfShouldCopy): 18215 (JSC::CopyVisitor::didCopy): 18216 * heap/SlotVisitorInlines.h: 18217 (JSC::SlotVisitor::copyLater): 18218 * runtime/JSObject.cpp: 18219 (JSC::JSObject::copyButterfly): 18220 182212012-12-18 Joseph Pecoraro <pecoraro@apple.com> 18222 
        [Mac] Add Build Phase to Check Headers for Inappropriate Macros (Platform.h macros)
        https://bugs.webkit.org/show_bug.cgi?id=104279

        Reviewed by David Kilzer.

        Add a build phase to check the public JavaScriptCore headers for
        inappropriate macros.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-12-18 Michael Saboff <msaboff@apple.com>

        [Qt] Fix the ARMv7 build after r137976
        https://bugs.webkit.org/show_bug.cgi?id=105270

        Reviewed by Csaba Osztrogonác.

        Add default value for Jump parameter to fix build.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::Jump::Jump):

2012-12-17 Geoffrey Garen <ggaren@apple.com>

        Constant fold !{number} in the parser
        https://bugs.webkit.org/show_bug.cgi?id=105232

        Reviewed by Filip Pizlo.

        Typically, we wait for hot execution and constant fold in the DFG.
        However, !0 and !1 are common enough in minifiers that it can be good
        to get them out of the way early, for faster/smaller parsing and startup.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createLogicalNot): !{literal} is super simple, especially
        since there's no literal form of NaN or Inf.

2012-12-17 Filip Pizlo <fpizlo@apple.com>

        DFG is too aggressive eliding overflow checks for additions involving large constants
        https://bugs.webkit.org/show_bug.cgi?id=105239

        Reviewed by Gavin Barraclough.

        If we elide overflow checks on an addition (or subtraction) involving a larger-than-2^32 immediate,
        then make sure that the non-constant child of the addition knows that he's got to do an overflow
        check, by flowing the UsedAsNumber property at him.

        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addSpeculationMode):
        (Graph):
        (JSC::DFG::Graph::addShouldSpeculateInteger):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2012-12-17 Michael Saboff <msaboff@apple.com>

        DFG: Refactor DFGCorrectableJumpPoint to reduce size of OSRExit data
        https://bugs.webkit.org/show_bug.cgi?id=105237

        Reviewed by Filip Pizlo.

        Replaced DFGCorrectableJumpPoint with OSRExitCompilationInfo which is used and kept alive only while we are
        compiling in the DFG. Moved the patchable branch offset directly into OSRExit.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/AbstractMacroAssembler.h:
        * dfg/DFGCorrectableJumpPoint.cpp: Removed.
        * dfg/DFGCorrectableJumpPoint.h: Removed.
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::appendExitJump):
        (JITCompiler):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::setPatchableCodeOffset):
        (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump):
        (JSC::DFG::OSRExit::codeLocationForRepatch):
        (JSC::DFG::OSRExit::correctJump):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * dfg/DFGOSRExitCompilationInfo.h: Added.
        (OSRExitCompilationInfo):
        (JSC::DFG::OSRExitCompilationInfo::OSRExitCompilationInfo):
        (JSC::DFG::OSRExitCompilationInfo::failureJump):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::speculationWatchpoint):

2012-12-17 Filip Pizlo <fpizlo@apple.com>

        DFG is too aggressive with eliding overflow checks in loops
        https://bugs.webkit.org/show_bug.cgi?id=105226

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        If we see a variable's live range cross basic block boundaries, conservatively assume that it may
        be part of a data-flow back-edge, and as a result, we may have entirely integer operations that
        could lead to the creation of an integer that is out of range of 2^52 (the significand of a double
        float). This does not seem to regress any of the benchmarks we care about, and it fixes the bug.

        In future we may want to actually look at whether or not there was a data-flow back-edge instead
        of being super conservative about it. But we have no evidence, yet, that this would help us on
        real code.

        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2012-12-17 Mark Hahnenberg <mhahnenberg@apple.com>

        Butterfly::growArrayRight shouldn't be called on null Butterfly objects
        https://bugs.webkit.org/show_bug.cgi?id=105221

        Reviewed by Filip Pizlo.

        Currently we depend upon the fact that Butterfly::growArrayRight works with null Butterfly
        objects purely by coincidence. We should add a new static function that null checks the old
        Butterfly object and creates a new one if it's null, or calls growArrayRight if it isn't for
        use in the couple of places in JSObject that expect such behavior to work.

        * runtime/Butterfly.h:
        (Butterfly):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createOrGrowArrayRight):
        (JSC):
        * runtime/JSObject.cpp:
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):

2012-12-17 Filip Pizlo <fpizlo@apple.com>

        javascript integer overflow
        https://bugs.webkit.org/show_bug.cgi?id=104967

        Reviewed by Mark Hahnenberg.

        Fix PutScopedVar backward flow.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2012-12-16 Filip Pizlo <fpizlo@apple.com>

        Rationalize array profiling for out-of-bounds and hole cases
        https://bugs.webkit.org/show_bug.cgi?id=105139

        Reviewed by Geoffrey Garen.

        This makes ArrayProfile track whether or not we had out-of-bounds, which allows
        for more precise decision-making in the DFG.

        Also cleaned up ExitKinds for out-of-bounds and hole cases to make it easier to
        look at them in the profiler.

        Slight speed-up (5-8%) on SunSpider/crypto-md5.

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::computeUpdatedPrediction):
        (JSC::ArrayProfile::briefDescription):
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::ArrayProfile):
        (JSC::ArrayProfile::addressOfOutOfBounds):
        (JSC::ArrayProfile::expectedStructure):
        (JSC::ArrayProfile::structureIsPolymorphic):
        (JSC::ArrayProfile::outOfBounds):
        (JSC::ArrayProfile::polymorphicStructure):
        * bytecode/CodeBlock.cpp:
        (JSC::dumpChain):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        (JSC::exitKindIsCountable):
        * bytecode/ExitKind.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::emitArrayProfileOutOfBoundsSpecialCase):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2012-12-17 Balazs Kilvady <kilvadyb@homejinni.com>

        Implement add64 for MIPS assembler after r136601
        https://bugs.webkit.org/show_bug.cgi?id=104106

        Reviewed by Zoltan Herczeg.

        Added add64 function to MacroAssembler of MIPS.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::add32):
        (JSC::MacroAssemblerMIPS::add64):
        (MacroAssemblerMIPS):

2012-12-17 Jonathan Liu <net147@gmail.com>

        Fix Math.pow implementation with MinGW-w64
        https://bugs.webkit.org/show_bug.cgi?id=105087

        Reviewed by Simon Hausmann.

        The MinGW-w64 runtime has different behaviour for pow()
        compared to other C runtimes. This results in the following
        test262 tests failing with the latest MinGW-w64 runtime:
        - S15.8.2.13_A14
        - S15.8.2.13_A16
        - S15.8.2.13_A20
        - S15.8.2.13_A22

        Handle the special cases that are different with MinGW-w64.

        * runtime/MathObject.cpp:
        (JSC::mathPow):

2012-12-16 Filip Pizlo <fpizlo@apple.com>

        Bytecode dumping should show rare case profiles
        https://bugs.webkit.org/show_bug.cgi?id=105133

        Reviewed by Geoffrey Garen.

        Refactored the dumper to call dumpBytecodeCommandAndNewLine in just one place,
        rather than in all of the places. Changed the rare case profile getters to use
        tryBinarySearch rather than binarySearch, so that they can be used speculatively
        even if you don't know that the bytecode has rare case profiles. This actually
        increases our assertion level, since it means that in release builds we will get
        null and crash rather than getting some random adjacent profile. And then this
        adds some printing of the rare case profiles.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printUnaryOp):
        (JSC::CodeBlock::printBinaryOp):
        (JSC::CodeBlock::printConditionalJump):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::beginDumpProfiling):
        (JSC):
        (JSC::CodeBlock::dumpValueProfiling):
        (JSC::CodeBlock::dumpArrayProfiling):
        (JSC::CodeBlock::dumpRareCaseProfile):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
        (JSC::CodeBlock::specialFastCaseProfileForBytecodeOffset):

2012-12-13 Filip Pizlo <fpizlo@apple.com>

        Attempt to rationalize and simplify WTF::binarySearch
        https://bugs.webkit.org/show_bug.cgi?id=104890

        Reviewed by Maciej Stachowiak.

        Switch to using the new binarySearch() API. No change in behavior.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::bytecodeOffset):
        (JSC::CodeBlock::codeOriginForReturn):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::getStubInfo):
        (JSC::CodeBlock::getByValInfo):
        (JSC::CodeBlock::getCallLinkInfo):
        (JSC::CodeBlock::dfgOSREntryDataForBytecodeIndex):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
        (JSC::CodeBlock::specialFastCaseProfileForBytecodeOffset):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::blockIndexForBytecodeOffset):
        * dfg/DFGMinifiedGraph.h:
        (JSC::DFG::MinifiedGraph::at):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::indexForBytecodeIndex):

2012-12-13 Filip Pizlo <fpizlo@apple.com>

        Don't assert that flags <= 0x3ff in JSTypeInfo
        https://bugs.webkit.org/show_bug.cgi?id=104988

        Reviewed by Sam Weinig.

        This assertion doesn't accomplish anything other than crashes.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):

2012-12-13 Filip Pizlo <fpizlo@apple.com>

        Named lookups on HTML documents produce inconsistent results in JavaScriptCore bindings
        https://bugs.webkit.org/show_bug.cgi?id=104623

        Reviewed by Geoffrey Garen.

        Add the notion of objects that HasImpureGetOwnPropertySlot, and use that to inhibit prototype chain caching
        in some cases. This appears to be perf-neutral on benchmarks that we track.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDProtoList):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSTypeInfo.h:
        (JSC):
        (JSC::TypeInfo::hasImpureGetOwnPropertySlot):
        * runtime/Operations.h:
        (JSC::normalizePrototypeChainForChainAccess):

2012-12-13 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/137683.
        It broke gmail.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC):
        * runtime/Operations.h:
        (JSC):

2012-13-11 Oliver Hunt <oliver@apple.com>

        Support op_typeof in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=98898

        Reviewed by Filip Pizlo.

        Adds a TypeOf node to the DFG to support op_typeof.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        We try to determine the result early here, and substitute in a constant.
        Otherwise we leave the node intact, and set the result type to SpecString.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        Parse op_typeof
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        TypeOf nodes can be subjected to pure CSE
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        We can handle typeof.
        * dfg/DFGNodeType.h:
        (DFG):
        Define the node.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        Add operationTypeOf to support the non-trivial cases.
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        Actual codegen
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC):
        * runtime/Operations.h:
        (JSC):
        Some refactoring to allow us to get the type string for an
        object without needing a callframe.

2012-12-12 Filip Pizlo <fpizlo@apple.com>

        OSR exit compiler should emit code for resetting the execution counter that matches the logic of ExecutionCounter.cpp
        https://bugs.webkit.org/show_bug.cgi?id=104791

        Reviewed by Oliver Hunt.

        The OSR exit compiler wants to make it so that every OSR exit does the equivalent
        of:

            codeBlock->m_jitExecuteCounter.setNewThreshold(
                codeBlock->counterValueForOptimizeAfterLongWarmUp());

        This logically involves:

        - Resetting the counter to zero.
        - Setting m_activeThreshold to counterValueForOptimizeAfterLongWarmUp().
        - Figuring out the scaled threshold, subtracting the count so far (which is zero,
          so this part is a no-op), and clipping (ExecuteCounter::clippedThreshold()).
        - Setting m_counter to the negated clipped threshold.
        - Setting m_totalCount to the previous count so far (which is zero) plus the
          clipped threshold.

        Because of the reset, which sets the count-so-far to zero, this amounts to:

        - Setting m_activeThreshold to counterValueForOptimizeAfterLongWarmUp().
        - Figuring out the clipped scaled threshold.
        - Setting m_counter to the negated clipped scaled threshold.
        - Setting m_totalCount to the (positive) clipped scaled threshold.

        The code was previously not doing this, but now is. This is performance neutral.
        The only change in behavior over what the code was previously doing (setting the
        m_counter to the negated scaled threshold, without clipping, and then setting
        the m_totalCount to the clipped scaled threshold) is that this will respond more
        gracefully under memory pressure and will ensure that we get more value profile
        LUBing before triggering recompilation. More LUBing is almost always a good
        thing.

        * dfg/DFGOSRExitCompiler.cpp:
        (JSC::DFG::OSRExitCompiler::handleExitCounts):

2012-12-12 Ilya Tikhonovsky <loislo@chromium.org>

        Web Inspector: Native Memory Instrumentation: remove fake root MemoryObjectInfo.
        https://bugs.webkit.org/show_bug.cgi?id=104796

        Reviewed by Yury Semikhatsky.

        It was not a good idea to introduce a fake root MemoryObjectInfo.
        It causes a problem when we visit an object without its own MemoryObjectType.

        Example: RenderBox has a global pointer to a hash map.
        HashMap doesn't have its own object type because it is a generic container.
        It will inherit the object type from the fake root memory object info.
        The same could happen for another container in another class with another MemoryObjectType.

        This fact forces me to create a custom process method for root objects
        because they need to have their own MemoryObjectInfo with a customisable memory object type.

        Drive-by fix: InstrumentedPointer* was replaced with Wrapper* because it is actually used
        for instrumented and not instrumented object classes.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-12-11 Gabor Ballabas <gaborb@inf.u-szeged.hu>

        Implement add64 for ARM traditional assembler after r136601
        https://bugs.webkit.org/show_bug.cgi?id=104103

        Reviewed by Zoltan Herczeg.

        Implement add64 function for ARM traditional macroassembler.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::add64):
        (MacroAssemblerARM):

2012-12-11 Filip Pizlo <fpizlo@apple.com>

        Unreviewed. Fix build with DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::tallyFrequentExitSites):

2012-12-11 Filip Pizlo <fpizlo@apple.com>

        Profiler should show bytecode dumps as they would have been visible to the JITs, including the profiling data that the JITs would see
        https://bugs.webkit.org/show_bug.cgi?id=104647

        Reviewed by Oliver Hunt.

        Adds more profiling data to bytecode dumps, and adds the ability to do a secondary
        bytecode dump for each JIT compilation of a code block. This is relevant because both
        the bytecodes, and the profiling data, may change after some number of executions.

        Also fixes some random dumping code to use PrintStream& rather than
        static const char[thingy].

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/ArrayProfile.cpp:
        (JSC::dumpArrayModes):
        (JSC::ArrayProfile::briefDescription):
        * bytecode/ArrayProfile.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::dumpValueProfiling):
        (JSC::CodeBlock::dumpArrayProfiling):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::briefDescription):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::dump):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * profiler/ProfilerBytecodeSequence.cpp: Added.
        (JSC::Profiler::BytecodeSequence::BytecodeSequence):
        (JSC::Profiler::BytecodeSequence::~BytecodeSequence):
        (JSC::Profiler::BytecodeSequence::indexForBytecodeIndex):
        (JSC::Profiler::BytecodeSequence::forBytecodeIndex):
        (JSC::Profiler::BytecodeSequence::addSequenceProperties):
        * profiler/ProfilerBytecodeSequence.h: Added.
        (JSC::Profiler::BytecodeSequence::size):
        (JSC::Profiler::BytecodeSequence::at):
        * profiler/ProfilerBytecodes.cpp:
        (JSC::Profiler::Bytecodes::Bytecodes):
        (JSC::Profiler::Bytecodes::toJS):
        * profiler/ProfilerBytecodes.h:
        (JSC::Profiler::Bytecodes::instructionCount):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::addProfiledBytecodes):
        (JSC::Profiler::Compilation::toJS):
        * profiler/ProfilerCompilation.h:
        (JSC::Profiler::Compilation::profiledBytecodesSize):
        (JSC::Profiler::Compilation::profiledBytecodesAt):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::ensureBytecodesFor):
        * profiler/ProfilerDatabase.h:
        * profiler/ProfilerProfiledBytecodes.cpp: Added.
        (JSC::Profiler::ProfiledBytecodes::ProfiledBytecodes):
        (JSC::Profiler::ProfiledBytecodes::~ProfiledBytecodes):
        (JSC::Profiler::ProfiledBytecodes::toJS):
        * profiler/ProfilerProfiledBytecodes.h: Added.
        (JSC::Profiler::ProfiledBytecodes::bytecodes):
        * runtime/CommonIdentifiers.h:

2012-12-11 Oswald Buddenhagen <oswald.buddenhagen@digia.com>

        [Qt] delete dead include paths

        Reviewed by Simon Hausmann.

        followup to https://bugs.webkit.org/show_bug.cgi?id=93446

        * JavaScriptCore.pri:

2012-12-11 Julien BRIANCEAU <jbrianceau@nds.com>

        Implement add64 for SH4 assembler to fix build after r136601
        https://bugs.webkit.org/show_bug.cgi?id=104377

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::add64):
        (MacroAssemblerSH4):

2012-12-10 Yury Semikhatsky <yurys@chromium.org>

        Memory instrumentation: make sure each edge is reported only once
        https://bugs.webkit.org/show_bug.cgi?id=104630

        Reviewed by Pavel Feldman.

        Changed exported symbols for MemoryInstrumentation.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-12-10 Filip Pizlo <fpizlo@apple.com>

        Don't OSR exit just because a string is a rope
        https://bugs.webkit.org/show_bug.cgi?id=104621

        Reviewed by Michael Saboff.

        Slight SunSpider speed-up at around the 0.7% level. This patch does the obvious
        thing of calling a slow path to resolve ropes rather than OSR exiting if the
        string is a rope.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::getIndexedPropertyStorageMayTriggerGC):
        (ArrayMode):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):

2012-12-10 Gustavo Noronha Silva <gns@gnome.org>

        Unreviewed distcheck fix.

        * GNUmakefile.list.am:

2012-12-10 Filip Pizlo <fpizlo@apple.com>

        JSC profiling and debug dump code should use inferred names when possible
        https://bugs.webkit.org/show_bug.cgi?id=104519

        Reviewed by Oliver Hunt.

        This does as advertised: the profiler now knows the inferred name of all code blocks,
        and all uses of CodeBlock::dump() dump it along with the hash.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::inferredName):
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeBlock.h:
        * profiler/ProfilerBytecodes.cpp:
        (JSC::Profiler::Bytecodes::Bytecodes):
        (JSC::Profiler::Bytecodes::toJS):
        * profiler/ProfilerBytecodes.h:
        (JSC::Profiler::Bytecodes::inferredName):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::addBytecodes):
        (JSC::Profiler::Database::ensureBytecodesFor):
        * profiler/ProfilerDatabase.h:
        * runtime/CommonIdentifiers.h:

2012-12-09 Filip Pizlo <fpizlo@apple.com>

        Profiler should say things about OSR exits
        https://bugs.webkit.org/show_bug.cgi?id=104497

        Reviewed by Oliver Hunt.

        This adds support for profiling OSR exits. For each exit that is taken, the profiler
        records the machine code address that the exit occurred on, the exit kind, the origin
        stack, and the number of times that it happened.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/AbstractMacroAssembler.h:
        (Jump):
        (JSC::AbstractMacroAssembler::Jump::label):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::saveCompilation):
        (CodeBlock):
        (JSC::CodeBlock::compilation):
        (DFGData):
        * bytecode/DFGExitProfile.h:
        (DFG):
        * bytecode/ExitKind.cpp: Added.
        (JSC):
        (JSC::exitKindToString):
        (JSC::exitKindIsCountable):
        (WTF):
        (WTF::printInternal):
        * bytecode/ExitKind.h: Added.
        (JSC):
        (WTF):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JITCompiler):
        * dfg/DFGOSRExitCompiler.cpp:
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JIT):
        * jit/JumpReplacementWatchpoint.h:
        (JSC::JumpReplacementWatchpoint::sourceLabel):
        (JumpReplacementWatchpoint):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::addOSRExitSite):
        (Profiler):
        (JSC::Profiler::Compilation::addOSRExit):
        (JSC::Profiler::Compilation::toJS):
        * profiler/ProfilerCompilation.h:
        (Compilation):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::newCompilation):
        * profiler/ProfilerDatabase.h:
        (Database):
        * profiler/ProfilerOSRExit.cpp: Added.
        (Profiler):
        (JSC::Profiler::OSRExit::OSRExit):
        (JSC::Profiler::OSRExit::~OSRExit):
        (JSC::Profiler::OSRExit::toJS):
        * profiler/ProfilerOSRExit.h: Added.
        (Profiler):
        (OSRExit):
        (JSC::Profiler::OSRExit::id):
        (JSC::Profiler::OSRExit::origin):
        (JSC::Profiler::OSRExit::exitKind):
        (JSC::Profiler::OSRExit::isWatchpoint):
        (JSC::Profiler::OSRExit::counterAddress):
        (JSC::Profiler::OSRExit::count):
        * profiler/ProfilerOSRExitSite.cpp: Added.
        (Profiler):
        (JSC::Profiler::OSRExitSite::toJS):
        * profiler/ProfilerOSRExitSite.h: Added.
        (Profiler):
        (OSRExitSite):
        (JSC::Profiler::OSRExitSite::OSRExitSite):
        (JSC::Profiler::OSRExitSite::codeAddress):
        * runtime/CommonIdentifiers.h:

2012-12-10 Alexis Menard <alexis@webkit.org>

        [CSS3 Backgrounds and Borders] Remove CSS3_BACKGROUND feature flag.
        https://bugs.webkit.org/show_bug.cgi?id=104539

        Reviewed by Antonio Gomes.

        As discussed on webkit-dev it is not needed to keep this feature flag
        as support for <position> type is a small feature that is already
        implemented by three other UAs. It was useful while landing this
        feature as partial bits were landed one after one.

        * Configurations/FeatureDefines.xcconfig:

2012-12-09 Filip Pizlo <fpizlo@apple.com>

        DFG ArrayPush/Pop should not pass their second child as the index for blessArrayOperation()
        https://bugs.webkit.org/show_bug.cgi?id=104500

        Reviewed by Oliver Hunt.

        Slight across-the-board speed-up.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2012-12-08 Filip Pizlo <fpizlo@apple.com>

        JSC should scale the optimization threshold for a code block according to the cost of compiling it
        https://bugs.webkit.org/show_bug.cgi?id=104406

        Reviewed by Oliver Hunt.

        We've long known that we want to scale the execution count threshold needed for the DFG
        to kick in to scale according to some estimate of the cost of compiling that code block.
        This institutes a relationship like this:

            threshold = thresholdSetting * (a * sqrt(instructionCount + b) + abs(c * instructionCount) + d)

        Where a, b, c, d are coefficients derived from fitting the above expression to various
        data points, which I chose based on looking at one benchmark (3d-cube) and from my
        own intuitions.

        Making this work well also required changing the thresholdForOptimizeAfterLongWarmUp
        from 5000 to 1000.

        This is a >1% speed-up on SunSpider, a >3% speed-up on V8Spider, ~1% speed-up on V8v7,
        neutral on Octane, and neutral on Kraken.

        I also out-of-lined a bunch of methods related to these heuristics, because I couldn't
        stand having them defined in the header anymore. I also made improvements to debugging
        code because I needed it for tuning this change.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::sourceCodeForTools):
        (JSC::CodeBlock::sourceCodeOnOneLine):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::reoptimizationRetryCounter):
        (JSC::CodeBlock::countReoptimization):
        (JSC::CodeBlock::optimizationThresholdScalingFactor):
        (JSC::clipThreshold):
        (JSC::CodeBlock::counterValueForOptimizeAfterWarmUp):
        (JSC::CodeBlock::counterValueForOptimizeAfterLongWarmUp):
        (JSC::CodeBlock::counterValueForOptimizeSoon):
        (JSC::CodeBlock::checkIfOptimizationThresholdReached):
        (JSC::CodeBlock::optimizeNextInvocation):
        (JSC::CodeBlock::dontOptimizeAnytimeSoon):
        (JSC::CodeBlock::optimizeAfterWarmUp):
        (JSC::CodeBlock::optimizeAfterLongWarmUp):
        (JSC::CodeBlock::optimizeSoon):
        (JSC::CodeBlock::adjustedExitCountThreshold):
        (JSC::CodeBlock::exitCountThresholdForReoptimization):
        (JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop):
        (JSC::CodeBlock::shouldReoptimizeNow):
        (JSC::CodeBlock::shouldReoptimizeFromLoopNow):
        * bytecode/CodeBlock.h:
        * bytecode/ExecutionCounter.cpp:
        (JSC::ExecutionCounter::hasCrossedThreshold):
        * bytecode/ReduceWhitespace.cpp: Added.
        (JSC::reduceWhitespace):
        * bytecode/ReduceWhitespace.h: Added.
19049 * dfg/DFGCapabilities.cpp: 19050 (JSC::DFG::mightCompileEval): 19051 (JSC::DFG::mightCompileProgram): 19052 (JSC::DFG::mightCompileFunctionForCall): 19053 (JSC::DFG::mightCompileFunctionForConstruct): 19054 (JSC::DFG::mightInlineFunctionForCall): 19055 (JSC::DFG::mightInlineFunctionForConstruct): 19056 * dfg/DFGCapabilities.h: 19057 * dfg/DFGDisassembler.cpp: 19058 (JSC::DFG::Disassembler::dumpHeader): 19059 * dfg/DFGOSREntry.cpp: 19060 (JSC::DFG::prepareOSREntry): 19061 * jit/JITDisassembler.cpp: 19062 (JSC::JITDisassembler::dumpHeader): 19063 * jit/JITStubs.cpp: 19064 (JSC::DEFINE_STUB_FUNCTION): 19065 * llint/LLIntSlowPaths.cpp: 19066 (JSC::LLInt::entryOSR): 19067 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 19068 * profiler/ProfilerDatabase.cpp: 19069 (JSC::Profiler::Database::ensureBytecodesFor): 19070 * runtime/Options.h: 19071 190722012-12-07 Jonathan Liu <net147@gmail.com> 19073 19074 Add missing forward declaration for JSC::ArrayAllocationProfile 19075 https://bugs.webkit.org/show_bug.cgi?id=104425 19076 19077 Reviewed by Kentaro Hara. 19078 19079 The header for the JSC::ArrayConstructor class is missing a forward 19080 declaration for the JSC::ArrayAllocationProfile class which causes 19081 compilation to fail when compiling with MinGW-w64. 19082 19083 * runtime/ArrayConstructor.h: 19084 (JSC): 19085 190862012-12-07 Jonathan Liu <net147@gmail.com> 19087 19088 Add missing const qualifier to JSC::CodeBlock::getJITType() 19089 https://bugs.webkit.org/show_bug.cgi?id=104424 19090 19091 Reviewed by Laszlo Gombos. 19092 19093 JSC::CodeBlock::getJITType() has the const qualifier when JIT is 19094 enabled but is missing the const qualifier when JIT is disabled. 19095 19096 * bytecode/CodeBlock.h: 19097 (JSC::CodeBlock::getJITType): 19098 190992012-12-07 Oliver Hunt <oliver@apple.com> 19100 19101 Make function code cache proportional to main codeblock cache 19102 https://bugs.webkit.org/show_bug.cgi?id=104420 19103 19104 Reviewed by Geoffrey Garen. 
19105 19106 Makes the constants determining the recently used function cache proportional 19107 to the number of root codeblocks in the cache. Also renames the constants to 19108 make them more clear. 19109 19110 * runtime/CodeCache.h: 19111 191122012-12-06 Filip Pizlo <fpizlo@apple.com> 19113 19114 Strange results calculating a square root in a loop 19115 https://bugs.webkit.org/show_bug.cgi?id=104247 19116 <rdar://problem/12826880> 19117 19118 Reviewed by Oliver Hunt. 19119 19120 Fixed the CFG simplification phase to ignore dead GetLocals in the first of the blocks 19121 under the merge. This fixes the assertion, and is also cleaner: our general rule is 19122 to not "revive" things that we've already proved to be dead. 19123 19124 Also fixed some rotted debug code. 19125 19126 * dfg/DFGCFGSimplificationPhase.cpp: 19127 (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal): 19128 * dfg/DFGStructureCheckHoistingPhase.cpp: 19129 (JSC::DFG::StructureCheckHoistingPhase::run): 19130 191312012-12-07 Geoffrey Garen <ggaren@apple.com> 19132 19133 Crash in JSC::Bindings::RootObject::globalObject() sync'ing notes in Evernote 19134 https://bugs.webkit.org/show_bug.cgi?id=104321 19135 <rdar://problem/12770497> 19136 19137 Reviewed by Sam Weinig. 19138 19139 Work around a JSValueUnprotect(NULL) in Evernote. 19140 19141 * API/JSValueRef.cpp: 19142 (evernoteHackNeeded): 19143 (JSValueUnprotect): 19144 191452012-12-06 Filip Pizlo <fpizlo@apple.com> 19146 19147 Incorrect inequality for checking whether a statement is within bounds of a handler 19148 https://bugs.webkit.org/show_bug.cgi?id=104313 19149 <rdar://problem/12808934> 19150 19151 Reviewed by Geoffrey Garen. 19152 19153 The most relevant change is in handlerForBytecodeOffset(), which fixes the inequality 19154 used for checking whether a handler is pertinent to the current instruction. '<' is 19155 correct, but '<=' isn't, since the 'end' is not inclusive. 
19156 19157 Also found, and addressed, a benign goof in how the finally inliner works: sometimes 19158 we will have end > start. This falls out naturally from how the inliner works and how 19159 we pop scopes in the bytecompiler, but it's sufficiently surprising that, to avoid any 19160 future confusion, I added a comment and some code to prune those handlers out. Because 19161 of how the handler resolution works, these handlers would have been skipped anyway. 19162 19163 Also made various fixes to debugging code, which was necessary for tracking this down. 19164 19165 * bytecode/CodeBlock.cpp: 19166 (JSC::CodeBlock::dumpBytecode): 19167 (JSC::CodeBlock::handlerForBytecodeOffset): 19168 * bytecompiler/BytecodeGenerator.cpp: 19169 (JSC::BytecodeGenerator::generate): 19170 * bytecompiler/Label.h: 19171 (JSC::Label::bind): 19172 * interpreter/Interpreter.cpp: 19173 (JSC::Interpreter::throwException): 19174 * llint/LLIntExceptions.cpp: 19175 (JSC::LLInt::interpreterThrowInCaller): 19176 (JSC::LLInt::returnToThrow): 19177 (JSC::LLInt::callToThrow): 19178 * llint/LLIntSlowPaths.cpp: 19179 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 19180 (JSC::LLInt::handleHostCall): 19181 191822012-12-06 Rick Byers <rbyers@chromium.org> 19183 19184 CSS cursor property should support webkit-image-set 19185 https://bugs.webkit.org/show_bug.cgi?id=99493 19186 19187 Reviewed by Beth Dakin. 19188 19189 Add ENABLE_MOUSE_CURSOR_SCALE (disabled by default) 19190 19191 * Configurations/FeatureDefines.xcconfig: 19192 191932012-12-06 Laszlo Gombos <l.gombos@samsung.com> 19194 19195 [CMake] Consolidate list of files to build for JavaScriptCore 19196 https://bugs.webkit.org/show_bug.cgi?id=104287 19197 19198 Reviewed by Gyuyoung Kim. 19199 19200 Add MemoryStatistics.cpp and ExecutableAllocator.cpp to the common 19201 list of files and remove them from the port specific lists. 
19202 19203 * CMakeLists.txt: 19204 * PlatformBlackBerry.cmake: 19205 * PlatformEfl.cmake: 19206 * PlatformWinCE.cmake: 19207 192082012-12-06 Oliver Hunt <oliver@apple.com> 19209 19210 Tell heap that we've released all the compiled code. 19211 19212 Reviewed by Geoff Garen. 19213 19214 When we discard compiled code, inform the heap that we've 19215 released an entire object graph. This informs the heap that 19216 it might want to perform a GC soon. 19217 19218 * runtime/JSGlobalData.cpp: 19219 (JSC::JSGlobalData::discardAllCode): 19220 192212012-12-06 Laszlo Gombos <l.gombos@samsung.com> 19222 19223 [EFL] Remove ENABLE_GLIB_SUPPORT CMake variable 19224 https://bugs.webkit.org/show_bug.cgi?id=104278 19225 19226 Reviewed by Brent Fulgham. 19227 19228 The conditional is not required as it is always set for EFL. 19229 19230 * PlatformEfl.cmake: 19231 192322012-12-06 Oliver Hunt <oliver@apple.com> 19233 19234 Build fix, last patch rolled out logic that is now needed on ToT. 19235 19236 * parser/ASTBuilder.h: 19237 (ASTBuilder): 19238 (JSC::ASTBuilder::setFunctionStart): 19239 * parser/Nodes.h: 19240 (JSC::FunctionBodyNode::setFunctionStart): 19241 (JSC::FunctionBodyNode::functionStart): 19242 (FunctionBodyNode): 19243 * parser/Parser.cpp: 19244 (JSC::::parseFunctionInfo): 19245 * parser/SyntaxChecker.h: 19246 (JSC::SyntaxChecker::setFunctionStart): 19247 192482012-12-05 Oliver Hunt <oliver@apple.com> 19249 19250 Remove harmful string->function cache 19251 https://bugs.webkit.org/show_bug.cgi?id=104193 19252 19253 Reviewed by Alexey Proskuryakov. 19254 19255 Remove the string->function code cache that turned out to actually 19256 be quite harmful. 
19257 19258 * runtime/CodeCache.cpp: 19259 (JSC::CodeCache::getFunctionCodeBlock): 19260 * runtime/CodeCache.h: 19261 (JSC::CodeCache::clear): 19262 192632012-12-05 Halton Huo <halton.huo@intel.com> 19264 19265 [CMake] Unify coding style for CMake files 19266 https://bugs.webkit.org/show_bug.cgi?id=103605 19267 19268 Reviewed by Laszlo Gombos. 19269 19270 Update cmake files(.cmake, CMakeLists.txt) with following style rules: 19271 1. Indentation 19272 1.1 Use spaces, not tabs. 19273 1.2 Four spaces as indent. 19274 2. Spacing 19275 2.1 Place one space between control statements and their parentheses. 19276 For eg, if (), else (), elseif (), endif (), foreach (), 19277 endforeach (), while (), endwhile (), break (). 19278 2.2 Do not place spaces between function and macro statements and 19279 their parentheses. For eg, macro(), endmacro(), function(), 19280 endfunction(). 19281 2.3 Do not place spaces between a command or function or macro and its 19282 parentheses, or between a parenthesis and its content. For eg, 19283 message("testing") not message( "testing") or message ("testing" ) 19284 2.4 No space at line ending. 19285 3. Lowercase when call commands macros and functions. For eg, 19286 add_executable() not ADD_EXECUTABLE(), set() not SET(). 19287 19288 * CMakeLists.txt: 19289 * PlatformBlackBerry.cmake: 19290 * PlatformEfl.cmake: 19291 * PlatformWinCE.cmake: 19292 * shell/CMakeLists.txt: 19293 * shell/PlatformBlackBerry.cmake: 19294 * shell/PlatformEfl.cmake: 19295 * shell/PlatformWinCE.cmake: 19296 192972012-12-05 Oliver Hunt <oliver@apple.com> 19298 19299 Empty parse cache when receiving a low memory warning 19300 https://bugs.webkit.org/show_bug.cgi?id=104161 19301 19302 Reviewed by Filip Pizlo. 19303 19304 This adds a function to the globaldata to empty all code related data 19305 structures (code in the heap and the code cache). 19306 It also adds a function to allow the CodeCache to actually be cleared 19307 at all. 
19308 19309 * runtime/CodeCache.h: 19310 (CacheMap): 19311 (JSC::CacheMap::clear): 19312 (JSC::CodeCache::clear): 19313 (CodeCache): 19314 * runtime/JSGlobalData.cpp: 19315 (JSC::JSGlobalData::discardAllCode): 19316 (JSC): 19317 * runtime/JSGlobalData.h: 19318 (JSGlobalData): 19319 193202012-12-05 Filip Pizlo <fpizlo@apple.com> 19321 19322 JSC profiler should not count executions of op_call_put_result because doing so changes DFG codegen 19323 https://bugs.webkit.org/show_bug.cgi?id=104102 19324 19325 Reviewed by Oliver Hunt. 19326 19327 This removes op_call_put_result from profiling, since profiling it has an effect on 19328 codegen. This fix enables all of SunSpider, V8, and Kraken to be profiled with the 19329 new profiler. 19330 19331 To make this all fit together, the profiler now also reports in its output the exact 19332 bytecode opcode name for each instruction (in addition to the stringified dump of that 19333 bytecode), so that tools that grok the output can take note of op_call_put_result and 19334 work around the fact that it has no counts. 19335 19336 * dfg/DFGByteCodeParser.cpp: 19337 (JSC::DFG::ByteCodeParser::parseBlock): 19338 (JSC::DFG::ByteCodeParser::parseCodeBlock): 19339 * dfg/DFGDriver.cpp: 19340 (JSC::DFG::compile): 19341 * jit/JIT.cpp: 19342 (JSC::JIT::privateCompileMainPass): 19343 * profiler/ProfilerBytecode.cpp: 19344 (JSC::Profiler::Bytecode::toJS): 19345 * profiler/ProfilerBytecode.h: 19346 (JSC::Profiler::Bytecode::Bytecode): 19347 (JSC::Profiler::Bytecode::opcodeID): 19348 (Bytecode): 19349 * profiler/ProfilerDatabase.cpp: 19350 (JSC::Profiler::Database::ensureBytecodesFor): 19351 * runtime/CommonIdentifiers.h: 19352 193532012-12-04 Filip Pizlo <fpizlo@apple.com> 19354 19355 display-profiler-output should be able to show source code 19356 https://bugs.webkit.org/show_bug.cgi?id=104073 19357 19358 Reviewed by Oliver Hunt. 19359 19360 Modify the profiler database to store source code. 
For functions, we store the 19361 function including the function signature. 19362 19363 * bytecode/CodeBlock.h: 19364 (JSC::CodeBlock::unlinkedCodeBlock): 19365 (CodeBlock): 19366 * profiler/ProfilerBytecodes.cpp: 19367 (JSC::Profiler::Bytecodes::Bytecodes): 19368 (JSC::Profiler::Bytecodes::toJS): 19369 * profiler/ProfilerBytecodes.h: 19370 (Bytecodes): 19371 (JSC::Profiler::Bytecodes::sourceCode): 19372 * profiler/ProfilerDatabase.cpp: 19373 (JSC::Profiler::Database::addBytecodes): 19374 (JSC::Profiler::Database::ensureBytecodesFor): 19375 * profiler/ProfilerDatabase.h: 19376 (Database): 19377 * runtime/CommonIdentifiers.h: 19378 * runtime/Executable.h: 19379 (FunctionExecutable): 19380 (JSC::FunctionExecutable::unlinkedExecutable): 19381 193822012-12-02 Filip Pizlo <fpizlo@apple.com> 19383 19384 JSC should be able to report profiling data associated with the IR dumps and disassembly 19385 https://bugs.webkit.org/show_bug.cgi?id=102999 19386 19387 Reviewed by Gavin Barraclough. 19388 19389 Added a new profiler to JSC. It's simply called "Profiler" in anticipation of it 19390 ultimately replacing the previous profiling infrastructure. This profiler counts the 19391 number of times that a bytecode executes in various engines, and will record both the 19392 counts and all disassembly and bytecode dumps, into a database that can be at any 19393 time turned into either a JS object using any global object or global data of your 19394 choice, or can be turned into a JSON string, or saved to a file. 19395 19396 Currently the only use of this is the new '-p <file>' flag to the jsc command-line. 19397 19398 The profiler is always compiled in and normally incurs no execution time cost, but is 19399 only activated when you create a Profiler::Database and install it in 19400 JSGlobalData::m_perBytecodeProfiler. 
From that point on, all code blocks will be 19401 compiled along with disassembly and bytecode dumps stored into the Profiler::Database, 19402 and all code blocks will have execution counts, which are also stored in the database. 19403 The database will continue to keep information about code blocks alive even after they 19404 are otherwise GC'd. 19405 19406 This currently still has some glitches, like the fact that it only counts executions 19407 in the JITs. Doing execution counting in the LLInt might require a bit of a rethink 19408 about how the counting is expressed - currently it is implicit in bytecode, so there 19409 is no easy way to "turn it on" in the LLInt. Also, right now there is no information 19410 recorded about OSR exits or out-of-line stubs. But, even so, it's quite cool, and 19411 gives you a peek into what JSC is doing that would otherwise not be possible. 19412 19413 * CMakeLists.txt: 19414 * GNUmakefile.list.am: 19415 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 19416 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: 19417 * JavaScriptCore.xcodeproj/project.pbxproj: 19418 * Target.pri: 19419 * bytecode/CodeBlock.cpp: 19420 (JSC::CodeBlock::~CodeBlock): 19421 * bytecode/CodeBlock.h: 19422 (CodeBlock): 19423 (JSC::CodeBlock::baselineVersion): 19424 * bytecode/CodeOrigin.cpp: 19425 (JSC::InlineCallFrame::baselineCodeBlock): 19426 (JSC): 19427 * bytecode/CodeOrigin.h: 19428 (InlineCallFrame): 19429 * dfg/DFGAbstractState.cpp: 19430 (JSC::DFG::AbstractState::execute): 19431 * dfg/DFGByteCodeParser.cpp: 19432 (JSC::DFG::ByteCodeParser::parseBlock): 19433 * dfg/DFGDisassembler.cpp: 19434 (JSC::DFG::Disassembler::dump): 19435 (DFG): 19436 (JSC::DFG::Disassembler::reportToProfiler): 19437 (JSC::DFG::Disassembler::dumpHeader): 19438 (JSC::DFG::Disassembler::append): 19439 (JSC::DFG::Disassembler::createDumpList): 19440 * dfg/DFGDisassembler.h: 19441 (Disassembler): 19442 (JSC::DFG::Disassembler::DumpedOp::DumpedOp): 19443 
(DumpedOp): 19444 * dfg/DFGGraph.cpp: 19445 (JSC::DFG::Graph::Graph): 19446 (JSC::DFG::Graph::dumpCodeOrigin): 19447 (JSC::DFG::Graph::dump): 19448 * dfg/DFGGraph.h: 19449 (Graph): 19450 * dfg/DFGJITCompiler.cpp: 19451 (JSC::DFG::JITCompiler::JITCompiler): 19452 (JSC::DFG::JITCompiler::compile): 19453 (JSC::DFG::JITCompiler::compileFunction): 19454 * dfg/DFGNode.h: 19455 (Node): 19456 (JSC::DFG::Node::hasExecutionCounter): 19457 (JSC::DFG::Node::executionCounter): 19458 * dfg/DFGNodeType.h: 19459 (DFG): 19460 * dfg/DFGPredictionPropagationPhase.cpp: 19461 (JSC::DFG::PredictionPropagationPhase::propagate): 19462 * dfg/DFGSpeculativeJIT32_64.cpp: 19463 (JSC::DFG::SpeculativeJIT::compile): 19464 * dfg/DFGSpeculativeJIT64.cpp: 19465 (JSC::DFG::SpeculativeJIT::compile): 19466 * jit/JIT.cpp: 19467 (JSC::JIT::JIT): 19468 (JSC::JIT::privateCompileMainPass): 19469 (JSC::JIT::privateCompile): 19470 * jit/JIT.h: 19471 (JIT): 19472 * jit/JITDisassembler.cpp: 19473 (JSC::JITDisassembler::dump): 19474 (JSC::JITDisassembler::reportToProfiler): 19475 (JSC): 19476 (JSC::JITDisassembler::dumpHeader): 19477 (JSC::JITDisassembler::firstSlowLabel): 19478 (JSC::JITDisassembler::dumpVectorForInstructions): 19479 (JSC::JITDisassembler::dumpForInstructions): 19480 (JSC::JITDisassembler::reportInstructions): 19481 * jit/JITDisassembler.h: 19482 (JITDisassembler): 19483 (DumpedOp): 19484 * jsc.cpp: 19485 (CommandLine::CommandLine): 19486 (CommandLine): 19487 (printUsageStatement): 19488 (CommandLine::parseArguments): 19489 (jscmain): 19490 * profiler/ProfilerBytecode.cpp: Added. 19491 (Profiler): 19492 (JSC::Profiler::Bytecode::toJS): 19493 * profiler/ProfilerBytecode.h: Added. 19494 (Profiler): 19495 (Bytecode): 19496 (JSC::Profiler::Bytecode::Bytecode): 19497 (JSC::Profiler::Bytecode::bytecodeIndex): 19498 (JSC::Profiler::Bytecode::description): 19499 (JSC::Profiler::getBytecodeIndexForBytecode): 19500 * profiler/ProfilerBytecodes.cpp: Added. 
19501 (Profiler): 19502 (JSC::Profiler::Bytecodes::Bytecodes): 19503 (JSC::Profiler::Bytecodes::~Bytecodes): 19504 (JSC::Profiler::Bytecodes::indexForBytecodeIndex): 19505 (JSC::Profiler::Bytecodes::forBytecodeIndex): 19506 (JSC::Profiler::Bytecodes::dump): 19507 (JSC::Profiler::Bytecodes::toJS): 19508 * profiler/ProfilerBytecodes.h: Added. 19509 (Profiler): 19510 (Bytecodes): 19511 (JSC::Profiler::Bytecodes::append): 19512 (JSC::Profiler::Bytecodes::id): 19513 (JSC::Profiler::Bytecodes::hash): 19514 (JSC::Profiler::Bytecodes::size): 19515 (JSC::Profiler::Bytecodes::at): 19516 * profiler/ProfilerCompilation.cpp: Added. 19517 (Profiler): 19518 (JSC::Profiler::Compilation::Compilation): 19519 (JSC::Profiler::Compilation::~Compilation): 19520 (JSC::Profiler::Compilation::addDescription): 19521 (JSC::Profiler::Compilation::executionCounterFor): 19522 (JSC::Profiler::Compilation::toJS): 19523 * profiler/ProfilerCompilation.h: Added. 19524 (Profiler): 19525 (Compilation): 19526 (JSC::Profiler::Compilation::bytecodes): 19527 (JSC::Profiler::Compilation::kind): 19528 * profiler/ProfilerCompilationKind.cpp: Added. 19529 (WTF): 19530 (WTF::printInternal): 19531 * profiler/ProfilerCompilationKind.h: Added. 19532 (Profiler): 19533 (WTF): 19534 * profiler/ProfilerCompiledBytecode.cpp: Added. 19535 (Profiler): 19536 (JSC::Profiler::CompiledBytecode::CompiledBytecode): 19537 (JSC::Profiler::CompiledBytecode::~CompiledBytecode): 19538 (JSC::Profiler::CompiledBytecode::toJS): 19539 * profiler/ProfilerCompiledBytecode.h: Added. 19540 (Profiler): 19541 (CompiledBytecode): 19542 (JSC::Profiler::CompiledBytecode::originStack): 19543 (JSC::Profiler::CompiledBytecode::description): 19544 * profiler/ProfilerDatabase.cpp: Added. 
19545 (Profiler): 19546 (JSC::Profiler::Database::Database): 19547 (JSC::Profiler::Database::~Database): 19548 (JSC::Profiler::Database::addBytecodes): 19549 (JSC::Profiler::Database::ensureBytecodesFor): 19550 (JSC::Profiler::Database::notifyDestruction): 19551 (JSC::Profiler::Database::newCompilation): 19552 (JSC::Profiler::Database::toJS): 19553 (JSC::Profiler::Database::toJSON): 19554 (JSC::Profiler::Database::save): 19555 * profiler/ProfilerDatabase.h: Added. 19556 (Profiler): 19557 (Database): 19558 * profiler/ProfilerExecutionCounter.h: Added. 19559 (Profiler): 19560 (ExecutionCounter): 19561 (JSC::Profiler::ExecutionCounter::ExecutionCounter): 19562 (JSC::Profiler::ExecutionCounter::address): 19563 (JSC::Profiler::ExecutionCounter::count): 19564 * profiler/ProfilerOrigin.cpp: Added. 19565 (Profiler): 19566 (JSC::Profiler::Origin::Origin): 19567 (JSC::Profiler::Origin::dump): 19568 (JSC::Profiler::Origin::toJS): 19569 * profiler/ProfilerOrigin.h: Added. 19570 (JSC): 19571 (Profiler): 19572 (Origin): 19573 (JSC::Profiler::Origin::Origin): 19574 (JSC::Profiler::Origin::operator!): 19575 (JSC::Profiler::Origin::bytecodes): 19576 (JSC::Profiler::Origin::bytecodeIndex): 19577 (JSC::Profiler::Origin::operator!=): 19578 (JSC::Profiler::Origin::operator==): 19579 (JSC::Profiler::Origin::hash): 19580 (JSC::Profiler::Origin::isHashTableDeletedValue): 19581 (JSC::Profiler::OriginHash::hash): 19582 (JSC::Profiler::OriginHash::equal): 19583 (OriginHash): 19584 (WTF): 19585 * profiler/ProfilerOriginStack.cpp: Added. 19586 (Profiler): 19587 (JSC::Profiler::OriginStack::OriginStack): 19588 (JSC::Profiler::OriginStack::~OriginStack): 19589 (JSC::Profiler::OriginStack::append): 19590 (JSC::Profiler::OriginStack::operator==): 19591 (JSC::Profiler::OriginStack::hash): 19592 (JSC::Profiler::OriginStack::dump): 19593 (JSC::Profiler::OriginStack::toJS): 19594 * profiler/ProfilerOriginStack.h: Added. 
19595 (JSC): 19596 (Profiler): 19597 (OriginStack): 19598 (JSC::Profiler::OriginStack::OriginStack): 19599 (JSC::Profiler::OriginStack::operator!): 19600 (JSC::Profiler::OriginStack::size): 19601 (JSC::Profiler::OriginStack::fromBottom): 19602 (JSC::Profiler::OriginStack::fromTop): 19603 (JSC::Profiler::OriginStack::isHashTableDeletedValue): 19604 (JSC::Profiler::OriginStackHash::hash): 19605 (JSC::Profiler::OriginStackHash::equal): 19606 (OriginStackHash): 19607 (WTF): 19608 * runtime/CommonIdentifiers.h: 19609 * runtime/ExecutionHarness.h: 19610 (JSC::prepareForExecution): 19611 (JSC::prepareFunctionForExecution): 19612 * runtime/JSGlobalData.cpp: 19613 (JSC::JSGlobalData::JSGlobalData): 19614 (JSC::JSGlobalData::~JSGlobalData): 19615 * runtime/JSGlobalData.h: 19616 (JSGlobalData): 19617 * runtime/Options.h: 19618 (JSC): 19619 196202012-12-04 Filip Pizlo <fpizlo@apple.com> 19621 19622 Rename Profiler to LegacyProfiler 19623 https://bugs.webkit.org/show_bug.cgi?id=104031 19624 19625 Rubber stamped by Mark Hahnenberg 19626 19627 Make room in the namespace for https://bugs.webkit.org/show_bug.cgi?id=102999. 19628 19629 * API/JSProfilerPrivate.cpp: 19630 (JSStartProfiling): 19631 (JSEndProfiling): 19632 * CMakeLists.txt: 19633 * GNUmakefile.list.am: 19634 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 19635 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: 19636 * JavaScriptCore.xcodeproj/project.pbxproj: 19637 * Target.pri: 19638 * interpreter/Interpreter.cpp: 19639 (JSC::Interpreter::throwException): 19640 (JSC::Interpreter::execute): 19641 (JSC::Interpreter::executeCall): 19642 (JSC::Interpreter::executeConstruct): 19643 * jit/JIT.h: 19644 * jit/JITCode.h: 19645 * jit/JITStubs.cpp: 19646 (JSC::DEFINE_STUB_FUNCTION): 19647 * jit/JITStubs.h: 19648 (JSC): 19649 * llint/LLIntSlowPaths.cpp: 19650 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 19651 * profiler/LegacyProfiler.cpp: Added. 
19652 (JSC): 19653 (JSC::LegacyProfiler::profiler): 19654 (JSC::LegacyProfiler::startProfiling): 19655 (JSC::LegacyProfiler::stopProfiling): 19656 (JSC::dispatchFunctionToProfiles): 19657 (JSC::LegacyProfiler::willExecute): 19658 (JSC::LegacyProfiler::didExecute): 19659 (JSC::LegacyProfiler::exceptionUnwind): 19660 (JSC::LegacyProfiler::createCallIdentifier): 19661 (JSC::createCallIdentifierFromFunctionImp): 19662 * profiler/LegacyProfiler.h: Added. 19663 (JSC): 19664 (LegacyProfiler): 19665 (JSC::LegacyProfiler::currentProfiles): 19666 * profiler/ProfileGenerator.cpp: 19667 (JSC::ProfileGenerator::addParentForConsoleStart): 19668 * profiler/ProfileNode.cpp: 19669 * profiler/Profiler.cpp: Removed. 19670 * profiler/Profiler.h: Removed. 19671 * runtime/JSGlobalData.h: 19672 (JSC): 19673 (JSC::JSGlobalData::enabledProfiler): 19674 (JSGlobalData): 19675 * runtime/JSGlobalObject.cpp: 19676 (JSC::JSGlobalObject::~JSGlobalObject): 19677 196782012-12-03 Filip Pizlo <fpizlo@apple.com> 19679 19680 DFG should inline code blocks that use scoped variable access 19681 https://bugs.webkit.org/show_bug.cgi?id=103974 19682 19683 Reviewed by Oliver Hunt. 19684 19685 This mostly just turns on something we could have done all along, but also adds a few key 19686 necessities to make this right: 19687 19688 1) Constant folding of SkipScope, since if we inline with a known JSFunction* then the 19689 scope is constant. 19690 19691 2) Interference analysis for GetLocal<->PutScopedVar and SetLocal<->GetScopedVar. 19692 19693 This is not meant to be a speed-up on major benchmarks since we don't yet inline most 19694 closure calls for entirely unrelated reasons. But on toy programs it can be >2x faster. 
19695 19696 * dfg/DFGAbstractState.cpp: 19697 (JSC::DFG::AbstractState::execute): 19698 * dfg/DFGByteCodeParser.cpp: 19699 (JSC::DFG::ByteCodeParser::getScope): 19700 (JSC::DFG::ByteCodeParser::parseResolveOperations): 19701 * dfg/DFGCSEPhase.cpp: 19702 (JSC::DFG::CSEPhase::scopedVarLoadElimination): 19703 (JSC::DFG::CSEPhase::scopedVarStoreElimination): 19704 (JSC::DFG::CSEPhase::getLocalLoadElimination): 19705 (JSC::DFG::CSEPhase::setLocalStoreElimination): 19706 * dfg/DFGCapabilities.h: 19707 (JSC::DFG::canInlineResolveOperations): 19708 197092012-12-03 Filip Pizlo <fpizlo@apple.com> 19710 19711 Replace JSValue::description() with JSValue::dump(PrintStream&) 19712 https://bugs.webkit.org/show_bug.cgi?id=103866 19713 19714 Reviewed by Darin Adler. 19715 19716 JSValue now has a dump() method. Anywhere that you would have wanted to use 19717 description(), you can either do toCString(value).data(), or if the callee 19718 is a print()/dataLog() method then you just pass the value directly. 
19719 19720 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 19721 * bytecode/CodeBlock.cpp: 19722 (JSC::valueToSourceString): 19723 (JSC::CodeBlock::finalizeUnconditionally): 19724 * bytecode/ValueProfile.h: 19725 (JSC::ValueProfileBase::dump): 19726 * bytecode/ValueRecovery.h: 19727 (JSC::ValueRecovery::dump): 19728 * dfg/DFGAbstractValue.h: 19729 (JSC::DFG::AbstractValue::dump): 19730 * dfg/DFGGraph.cpp: 19731 (JSC::DFG::Graph::dump): 19732 * interpreter/Interpreter.cpp: 19733 (JSC::Interpreter::dumpRegisters): 19734 * jsc.cpp: 19735 (functionDescribe): 19736 * llint/LLIntSlowPaths.cpp: 19737 (JSC::LLInt::llint_trace_value): 19738 * runtime/JSValue.cpp: 19739 (JSC::JSValue::dump): 19740 * runtime/JSValue.h: 19741 197422012-12-04 Filip Pizlo <fpizlo@apple.com> 19743 19744 jsc command line tool's support for typed arrays should be robust against array buffer allocation errors 19745 https://bugs.webkit.org/show_bug.cgi?id=104020 19746 <rdar://problem/12802478> 19747 19748 Reviewed by Mark Hahnenberg. 19749 19750 Check for null buffers, since that's what typed array allocators are supposed to do. WebCore does it, 19751 and that is indeed the contract of ArrayBuffer and TypedArrayBase. 19752 19753 * JSCTypedArrayStubs.h: 19754 (JSC): 19755 197562012-12-03 Peter Rybin <prybin@chromium.org> 19757 19758 Web Inspector: make ASSERTION FAILED: foundPropertiesCount == object->size() more useful 19759 https://bugs.webkit.org/show_bug.cgi?id=103254 19760 19761 Reviewed by Pavel Feldman. 19762 19763 Missing symbol WTFReportFatalError is added to the linker list. 19764 19765 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 19766 197672012-12-03 Alexis Menard <alexis@webkit.org> 19768 19769 [Mac] Enable CSS3 background-position offset by default. 19770 https://bugs.webkit.org/show_bug.cgi?id=103905 19771 19772 Reviewed by Simon Fraser. 19773 19774 Turn the flag on by default. 
19775 19776 * Configurations/FeatureDefines.xcconfig: 19777 197782012-12-02 Filip Pizlo <fpizlo@apple.com> 19779 19780 DFG should trigger rage conversion from double to contiguous if it sees a GetByVal on Double being used in an integer context 19781 https://bugs.webkit.org/show_bug.cgi?id=103858 19782 19783 Reviewed by Gavin Barraclough. 19784 19785 A rage conversion from double to contiguous is one where you try to convert each 19786 double to an int32. 19787 19788 This is probably not the last we'll hear of rage conversion from double to contiguous. 19789 It may be better to do this right during parsing, which will result in fewer cases of 19790 Arrayification. But even so, this looks like a straight win already - 1% speed-up on 19791 Kraken, no major regression anywhere else. 19792 19793 * dfg/DFGAbstractState.cpp: 19794 (JSC::DFG::AbstractState::execute): 19795 * dfg/DFGArrayMode.cpp: 19796 (JSC::DFG::ArrayMode::refine): 19797 (JSC::DFG::arrayConversionToString): 19798 (JSC::DFG::ArrayMode::dump): 19799 (WTF): 19800 (WTF::printInternal): 19801 * dfg/DFGArrayMode.h: 19802 (JSC::DFG::ArrayMode::withConversion): 19803 (ArrayMode): 19804 (JSC::DFG::ArrayMode::doesConversion): 19805 (WTF): 19806 * dfg/DFGFixupPhase.cpp: 19807 (JSC::DFG::FixupPhase::fixupBlock): 19808 (JSC::DFG::FixupPhase::fixupNode): 19809 (JSC::DFG::FixupPhase::checkArray): 19810 (FixupPhase): 19811 * dfg/DFGGraph.cpp: 19812 (JSC::DFG::Graph::dump): 19813 * dfg/DFGNodeFlags.h: 19814 (DFG): 19815 * dfg/DFGOperations.cpp: 19816 * dfg/DFGOperations.h: 19817 * dfg/DFGPredictionPropagationPhase.cpp: 19818 (JSC::DFG::PredictionPropagationPhase::propagate): 19819 * dfg/DFGSpeculativeJIT.cpp: 19820 (JSC::DFG::SpeculativeJIT::arrayify): 19821 * dfg/DFGStructureCheckHoistingPhase.cpp: 19822 (JSC::DFG::StructureCheckHoistingPhase::run): 19823 * runtime/JSObject.cpp: 19824 (JSC): 19825 (JSC::JSObject::genericConvertDoubleToContiguous): 19826 (JSC::JSObject::convertDoubleToContiguous): 19827 
        (JSC::JSObject::rageConvertDoubleToContiguous):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::rageEnsureContiguousSlow):
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::rageEnsureContiguous):

2012-12-02  Filip Pizlo  <fpizlo@apple.com>

        DFG CSE should not keep alive things that aren't relevant to OSR
        https://bugs.webkit.org/show_bug.cgi?id=103849

        Reviewed by Oliver Hunt.

        Most Phantom nodes are inserted by CSE, and by default have the same children as the
        node that CSE had eliminated. This change makes CSE inspect all Phantom nodes (both
        those it creates and those that were created by other phases) to see if they have
        children that are redundant - i.e. children that are not interesting to OSR, which
        is the only reason why Phantoms exist in the first place. Being relevant to OSR is
        defined as one of: (1) you're a Phi, (2) you're a SetLocal, (3) somewhere between
        your definition and the Phantom there was a SetLocal that referred to you.

        This is a slight speed-up in a few places.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::CSEPhase):
        (JSC::DFG::CSEPhase::run):
        (JSC::DFG::CSEPhase::performSubstitution):
        (CSEPhase):
        (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::eliminate):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):

2012-12-02  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to build and run with DFG_ENABLE(PROPAGATION_VERBOSE)
        https://bugs.webkit.org/show_bug.cgi?id=103848

        Reviewed by Sam Weinig.

        Fix random dataLog() and print() statements.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):

2012-12-01  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock should be able to dump bytecode to something other than WTF::dataFile()
        https://bugs.webkit.org/show_bug.cgi?id=103832

        Reviewed by Oliver Hunt.

        Add a PrintStream& argument to all of the CodeBlock bytecode dumping methods.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecodeCommentAndNewLine):
        (JSC::CodeBlock::printUnaryOp):
        (JSC::CodeBlock::printBinaryOp):
        (JSC::CodeBlock::printConditionalJump):
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::dumpStructure):
        (JSC::dumpChain):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::printStructure):
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dumpForInstructions):

2012-11-30  Pierre Rossi  <pierre.rossi@gmail.com>

        [Qt] Unreviewed speculative Mac build fix after r136232

        Update the include path so that LLIntAssembly.h is picked up.
        The bot didn't break until later when a clean build was triggered.

        * JavaScriptCore.pri:

2012-11-30  Oliver Hunt  <oliver@apple.com>

        Optimise more cases of op_typeof
        https://bugs.webkit.org/show_bug.cgi?id=103783

        Reviewed by Mark Hahnenberg.

        Increase our coverage of typeof based typechecks by
        making sure that the code generators always use
        consistent operand ordering when feeding typeof operations
        into equality operations.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitBytecode):
        (JSC::EqualNode::emitBytecode):
        (JSC::StrictEqualNode::emitBytecode):

2012-11-30  Filip Pizlo  <fpizlo@apple.com>

        Rationalize and clean up DFG handling of scoped accesses
        https://bugs.webkit.org/show_bug.cgi?id=103715

        Reviewed by Oliver Hunt.

        Previously, we had a GetScope node that specified the depth to which you wanted
        to travel to get a JSScope, and the backend implementation of the node would
        perform all of the necessary footwork, including potentially skipping the top
        scope if necessary, and doing however many loads were needed. But there were
        strange things. First, if you had accesses at different scope depths, then the
        loads to get to the common depth could not be CSE'd - CSE would match only
        GetScopes that had identical depth. Second, GetScope would be emitted even if
        we already had the scope, for example in put_to_base. And finally, even though
        the ResolveOperations could tell us whether or not we had to skip the top scope,
        the backend would recompute this information itself, often pessimistically.

        This eliminates GetScope and replaces it with the following:

        GetMyScope: just get the JSScope from the call frame header. This will forever
        mean getting the JSScope associated with the machine call frame; it will not
        mean getting the scope of an inlined function. Or at least that's the intent.

        SkipTopScope: check if there is an activation, and if so, skip a scope. This
        takes a scope as a child and returns a scope.

        SkipScope: skip one scope level.

        The bytecode parser now emits the right combination of the above, and
        potentially emits multiple SkipScopes, based on the ResolveOperations.

        This change also includes some fixups to debug logging. We now always print
        the ExecutableBase* in addition to the CodeBlock* in the CodeBlock's dump,
        and we are now more verbose when dumping CodeOrigins and InlineCallFrames.

        This is performance-neutral. It's just meant to be a clean-up.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeOrigin.cpp:
        (JSC::CodeOrigin::inlineStack):
        (JSC::CodeOrigin::dump):
        (JSC):
        (JSC::InlineCallFrame::dump):
        * bytecode/CodeOrigin.h:
        (CodeOrigin):
        (InlineCallFrame):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::getScope):
        (DFG):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):
        (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dump):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGNode.h:
        (Node):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dump):

2012-11-30  Oliver Hunt  <oliver@apple.com>

        Add direct string->function code cache
        https://bugs.webkit.org/show_bug.cgi?id=103764

        Reviewed by Michael Saboff.

        A fairly logically simple patch. We now track the start of the
        unique portion of a function's body, and use that as our key for
        unlinked function code. This allows us to cache identical code
        in different contexts, leading to a small but consistent improvement
        on the benchmarks we track.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::functionStartOffset):
        (UnlinkedFunctionExecutable):
        * parser/ASTBuilder.h:
        (ASTBuilder):
        (JSC::ASTBuilder::setFunctionStart):
        * parser/Nodes.cpp:
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::setFunctionStart):
        (JSC::FunctionBodyNode::functionStart):
        (FunctionBodyNode):
        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::Parser::findCachedFunctionInfo):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::setFunctionStart):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::generateFunctionCodeBlock):
        (JSC::CodeCache::getFunctionCodeBlock):
        (JSC::CodeCache::usedFunctionCode):
        * runtime/CodeCache.h:

2012-11-30  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        Crash in conversion of empty OpaqueJSString to Identifier
        https://bugs.webkit.org/show_bug.cgi?id=101867

        Reviewed by Michael Saboff.

        The constructor call used for both null and empty OpaqueJSStrings results
        in an assertion violation and crash. This patch instead uses the Identifier
        constructors which are specifically for null and empty Identifier.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::identifier):

2012-11-30  Tor Arne Vestbø  <tor.arne.vestbo@digia.com>

        [Qt] Place the LLIntOffsetsExtractor binaries in debug/release subdirs on Mac

        Otherwise we'll end up using the same LLIntAssembly.h for both build
        configs of JavaScriptCore -- one of them which will be for the wrong
        config.

        Reviewed by Simon Hausmann.

        * LLIntOffsetsExtractor.pro:

2012-11-30  Julien BRIANCEAU  <jbrianceau@nds.com>

        [sh4] Fix compilation warnings in JavaScriptCore JIT for sh4 arch
        https://bugs.webkit.org/show_bug.cgi?id=103378

        Reviewed by Filip Pizlo.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchTest32):
        (JSC::MacroAssemblerSH4::branchAdd32):
        (JSC::MacroAssemblerSH4::branchMul32):
        (JSC::MacroAssemblerSH4::branchSub32):
        (JSC::MacroAssemblerSH4::branchOr32):

2012-11-29  Rafael Weinstein  <rafaelw@chromium.org>

        [HTMLTemplateElement] Add feature flag
        https://bugs.webkit.org/show_bug.cgi?id=103694

        Reviewed by Adam Barth.

        This flag will guard the implementation of the HTMLTemplateElement.
        http://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/templates/index.html

        * Configurations/FeatureDefines.xcconfig:

2012-11-29  Filip Pizlo  <fpizlo@apple.com>

        It should be easy to find code blocks in debug dumps
        https://bugs.webkit.org/show_bug.cgi?id=103623

        Reviewed by Geoffrey Garen.

        This gives CodeBlock a relatively strong, but also relatively compact, hash. We compute
        it lazily so that it only impacts run-time when debug support is enabled. We stringify
        it smartly so that it's short and easy to type. We base it on the source code so that
        the optimization level is irrelevant. And, we use SHA1 since it's already in our code
        base. Now, when a piece of code wants to print some debugging to say that it's operating
        on some code block, it can use this CodeBlockHash instead of memory addresses.

        This also takes CodeBlock debugging into the new world of print() and dataLog(). In
        particular, CodeBlock::dump() corresponds to the thing you want printed if you do:

        dataLog("I heart ", *myCodeBlock);

        Probably, you want to just print some identifying information at this point rather than
        the full bytecode dump. So, the existing CodeBlock::dump() has been renamed to
        CodeBlock::dumpBytecode(), and CodeBlock::dump() now prints the CodeBlockHash plus just
        a few little tidbits.

        Here's an example of CodeBlock::dump() output:

        EkILzr:[0x103883a00, BaselineFunctionCall]

        EkILzr is the CodeBlockHash. 0x103883a00 is the CodeBlock's address in memory. The other
        part is self-explanatory.

        Finally, this new notion of CodeBlockHash is available for other purposes like bisecting
        breakage. As such CodeBlockHash has all of the comparison operator overloads. When
        bisecting in DFGDriver.cpp, you can now say things like:

        if (codeBlock->hash() < CodeBlockHash("CAAAAA"))
            return false;

        And yes, CAAAAA is near the median hash, and the largest one is smaller than E99999. Such
        is life when you use base 62 to encode a 32-bit number.
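
The six-character base-62 encoding that the entry above describes, as an added C++ example that is not WebKit's own CodeBlockHash code: it encodes a 32-bit hash into six digits, decodes a string back, and performs the bisection comparison from the entry on the numeric value. The digit alphabet (A-Z, then a-z, then 0-9) is an assumption; it is the ordering under which the entry's two observations hold (CAAAAA sits just below the median 32-bit value, and every 32-bit hash sorts below E99999). The function names are hypothetical, and the SHA1 step that produces the 32-bit input is left out.

```cpp
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <string>

// Added example, not WebKit code. The alphabet is an assumption chosen so that
// "CAAAAA" (2 * 62^5) lies near 2^31 and every 32-bit value sorts below "E99999".
static const char kHashDigits[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
static const uint64_t kRadix = 62;

// Encode a 32-bit hash as exactly six base-62 digits, most significant first.
// 62^6 > 2^32, so six digits always suffice and the leading digit is at most 'E' (4).
std::string toSixCharHash(uint32_t hash) {
    std::string out(6, kHashDigits[0]);
    for (int i = 5; i >= 0; --i) {
        out[i] = kHashDigits[hash % kRadix];
        hash /= kRadix;
    }
    return out;
}

// Numeric value of six base-62 digits. The result is 64-bit because a
// well-formed string such as "E99999" denotes a value above 2^32 - 1; it is a
// valid comparison bound even though no real hash encodes to it.
uint64_t sixCharHashValue(const std::string& text) {
    if (text.size() != 6)
        throw std::invalid_argument("six-character hash expected");
    uint64_t value = 0;
    for (char c : text) {
        const char* p = c ? std::strchr(kHashDigits, c) : nullptr;
        if (!p)
            throw std::invalid_argument("character outside the base-62 alphabet");
        value = value * kRadix + static_cast<uint64_t>(p - kHashDigits);
    }
    return value;
}

// Parse a string that must denote a real 32-bit hash.
uint32_t fromSixCharHash(const std::string& text) {
    uint64_t value = sixCharHashValue(text);
    if (value > UINT32_MAX)
        throw std::out_of_range("value does not fit in 32 bits");
    return static_cast<uint32_t>(value);
}

// The bisection predicate from the entry, `codeBlock->hash() < CodeBlockHash("CAAAAA")`,
// evaluated on the numeric value rather than on the strings. A plain string
// comparison would be wrong under this alphabet: ASCII '9' (57) sorts before
// 'q' (113), but as a digit '9' is 61 and 'q' is 42.
bool hashIsBelow(uint32_t hash, const std::string& bound) {
    return hash < sixCharHashValue(bound);
}
```

The comparison pitfall is the part worth remembering when you script a bisection around these hashes: under this alphabet the largest encodable hash is "EqpPMD" (the encoding of 0xFFFFFFFF), which is numerically below "E99999" but lexicographically above it, so always compare decoded values, as the entry's operator overloads do.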
20146 20147 * CMakeLists.txt: 20148 * GNUmakefile.list.am: 20149 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: 20150 * JavaScriptCore.xcodeproj/project.pbxproj: 20151 * Target.pri: 20152 * bytecode/CallLinkInfo.h: 20153 (CallLinkInfo): 20154 (JSC::CallLinkInfo::specializationKind): 20155 * bytecode/CodeBlock.cpp: 20156 (JSC::CodeBlock::hash): 20157 (JSC): 20158 (JSC::CodeBlock::dumpAssumingJITType): 20159 (JSC::CodeBlock::dump): 20160 (JSC::CodeBlock::dumpBytecode): 20161 (JSC::CodeBlock::CodeBlock): 20162 (JSC::CodeBlock::finalizeUnconditionally): 20163 (JSC::CodeBlock::resetStubInternal): 20164 (JSC::CodeBlock::reoptimize): 20165 (JSC::ProgramCodeBlock::jettison): 20166 (JSC::EvalCodeBlock::jettison): 20167 (JSC::FunctionCodeBlock::jettison): 20168 (JSC::CodeBlock::shouldOptimizeNow): 20169 (JSC::CodeBlock::tallyFrequentExitSites): 20170 (JSC::CodeBlock::dumpValueProfiles): 20171 * bytecode/CodeBlock.h: 20172 (JSC::CodeBlock::specializationKind): 20173 (CodeBlock): 20174 (JSC::CodeBlock::getJITType): 20175 * bytecode/CodeBlockHash.cpp: Added. 20176 (JSC): 20177 (JSC::CodeBlockHash::CodeBlockHash): 20178 (JSC::CodeBlockHash::dump): 20179 * bytecode/CodeBlockHash.h: Added. 20180 (JSC): 20181 (CodeBlockHash): 20182 (JSC::CodeBlockHash::CodeBlockHash): 20183 (JSC::CodeBlockHash::hash): 20184 (JSC::CodeBlockHash::operator==): 20185 (JSC::CodeBlockHash::operator!=): 20186 (JSC::CodeBlockHash::operator<): 20187 (JSC::CodeBlockHash::operator>): 20188 (JSC::CodeBlockHash::operator<=): 20189 (JSC::CodeBlockHash::operator>=): 20190 * bytecode/CodeBlockWithJITType.h: Added. 20191 (JSC): 20192 (CodeBlockWithJITType): 20193 (JSC::CodeBlockWithJITType::CodeBlockWithJITType): 20194 (JSC::CodeBlockWithJITType::dump): 20195 * bytecode/CodeOrigin.cpp: Added. 
20196 (JSC): 20197 (JSC::CodeOrigin::inlineDepthForCallFrame): 20198 (JSC::CodeOrigin::inlineDepth): 20199 (JSC::CodeOrigin::inlineStack): 20200 (JSC::InlineCallFrame::hash): 20201 * bytecode/CodeOrigin.h: 20202 (InlineCallFrame): 20203 (JSC::InlineCallFrame::specializationKind): 20204 (JSC): 20205 * bytecode/CodeType.cpp: Added. 20206 (WTF): 20207 (WTF::printInternal): 20208 * bytecode/CodeType.h: 20209 (WTF): 20210 * bytecode/ExecutionCounter.cpp: 20211 (JSC::ExecutionCounter::dump): 20212 * bytecode/ExecutionCounter.h: 20213 (ExecutionCounter): 20214 * dfg/DFGByteCodeParser.cpp: 20215 (JSC::DFG::ByteCodeParser::parseCodeBlock): 20216 * dfg/DFGDisassembler.cpp: 20217 (JSC::DFG::Disassembler::dump): 20218 * dfg/DFGGraph.cpp: 20219 (JSC::DFG::Graph::dumpCodeOrigin): 20220 * dfg/DFGOSRExitCompiler.cpp: 20221 * dfg/DFGOperations.cpp: 20222 * dfg/DFGRepatch.cpp: 20223 (JSC::DFG::generateProtoChainAccessStub): 20224 (JSC::DFG::tryCacheGetByID): 20225 (JSC::DFG::tryBuildGetByIDList): 20226 (JSC::DFG::emitPutReplaceStub): 20227 (JSC::DFG::emitPutTransitionStub): 20228 (JSC::DFG::dfgLinkClosureCall): 20229 * interpreter/Interpreter.cpp: 20230 (JSC::Interpreter::dumpCallFrame): 20231 * jit/JITCode.cpp: Added. 
20232 (WTF): 20233 (WTF::printInternal): 20234 * jit/JITCode.h: 20235 (JSC::JITCode::jitType): 20236 (WTF): 20237 * jit/JITDisassembler.cpp: 20238 (JSC::JITDisassembler::dump): 20239 (JSC::JITDisassembler::dumpForInstructions): 20240 * jit/JITPropertyAccess.cpp: 20241 (JSC::JIT::privateCompilePutByIdTransition): 20242 (JSC::JIT::privateCompilePatchGetArrayLength): 20243 (JSC::JIT::privateCompileGetByIdProto): 20244 (JSC::JIT::privateCompileGetByIdSelfList): 20245 (JSC::JIT::privateCompileGetByIdProtoList): 20246 (JSC::JIT::privateCompileGetByIdChainList): 20247 (JSC::JIT::privateCompileGetByIdChain): 20248 (JSC::JIT::privateCompileGetByVal): 20249 (JSC::JIT::privateCompilePutByVal): 20250 * jit/JITPropertyAccess32_64.cpp: 20251 (JSC::JIT::privateCompilePutByIdTransition): 20252 (JSC::JIT::privateCompilePatchGetArrayLength): 20253 (JSC::JIT::privateCompileGetByIdProto): 20254 (JSC::JIT::privateCompileGetByIdSelfList): 20255 (JSC::JIT::privateCompileGetByIdProtoList): 20256 (JSC::JIT::privateCompileGetByIdChainList): 20257 (JSC::JIT::privateCompileGetByIdChain): 20258 * jit/JITStubs.cpp: 20259 (JSC::DEFINE_STUB_FUNCTION): 20260 * runtime/CodeSpecializationKind.cpp: Added. 20261 (WTF): 20262 (WTF::printInternal): 20263 * runtime/CodeSpecializationKind.h: 20264 (JSC::specializationFromIsCall): 20265 (JSC): 20266 (JSC::specializationFromIsConstruct): 20267 (WTF): 20268 * runtime/Executable.cpp: 20269 (JSC::ExecutableBase::hashFor): 20270 (JSC): 20271 (JSC::NativeExecutable::hashFor): 20272 (JSC::ScriptExecutable::hashFor): 20273 * runtime/Executable.h: 20274 (ExecutableBase): 20275 (NativeExecutable): 20276 (ScriptExecutable): 20277 (JSC::ScriptExecutable::source): 20278 202792012-11-29 Michael Saboff <msaboff@apple.com> 20280 20281 Speculative Windows build fix after r136086. 20282 20283 Unreviewed build fix. 
20284 20285 Suspect that ?setDumpsGeneratedCode@BytecodeGenerator@JSC@@SAX_N@Z needs to be removed from Windows 20286 export list since the symbol was removed in r136086. 20287 20288 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 20289 202902012-11-28 Filip Pizlo <fpizlo@apple.com> 20291 20292 SpeculatedType dumping should not use the static char buffer[thingy] idiom 20293 https://bugs.webkit.org/show_bug.cgi?id=103584 20294 20295 Reviewed by Michael Saboff. 20296 20297 Changed SpeculatedType to be "dumpable" by saying things like: 20298 20299 dataLog("thingy = ", SpeculationDump(thingy)) 20300 20301 Removed the old stringification functions, and changed all code that referred to them 20302 to use the new dataLog()/print() style. 20303 20304 * CMakeLists.txt: 20305 * GNUmakefile.list.am: 20306 * JavaScriptCore.xcodeproj/project.pbxproj: 20307 * Target.pri: 20308 * bytecode/SpeculatedType.cpp: 20309 (JSC::dumpSpeculation): 20310 (JSC::speculationToAbbreviatedString): 20311 (JSC::dumpSpeculationAbbreviated): 20312 * bytecode/SpeculatedType.h: 20313 * bytecode/ValueProfile.h: 20314 (JSC::ValueProfileBase::dump): 20315 * bytecode/VirtualRegister.h: 20316 (WTF::printInternal): 20317 * dfg/DFGAbstractValue.h: 20318 (JSC::DFG::AbstractValue::dump): 20319 * dfg/DFGByteCodeParser.cpp: 20320 (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation): 20321 (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit): 20322 * dfg/DFGGraph.cpp: 20323 (JSC::DFG::Graph::dump): 20324 (JSC::DFG::Graph::predictArgumentTypes): 20325 * dfg/DFGGraph.h: 20326 (Graph): 20327 * dfg/DFGStructureAbstractValue.h: 20328 * dfg/DFGVariableAccessDataDump.cpp: Added. 20329 (JSC::DFG::VariableAccessDataDump::VariableAccessDataDump): 20330 (JSC::DFG::VariableAccessDataDump::dump): 20331 * dfg/DFGVariableAccessDataDump.h: Added. 
20332 (VariableAccessDataDump): 20333 203342012-11-28 Michael Saboff <msaboff@apple.com> 20335 20336 Change Bytecompiler s_dumpsGeneratedCode to an Options value 20337 https://bugs.webkit.org/show_bug.cgi?id=103588 20338 20339 Reviewed by Filip Pizlo. 20340 20341 Moved the control of dumping bytecodes to Options::dumpGeneratedBytecodes. 20342 20343 * bytecode/CodeBlock.cpp: 20344 (JSC::CodeBlock::CodeBlock): 20345 * bytecompiler/BytecodeGenerator.cpp: 20346 * bytecompiler/BytecodeGenerator.h: 20347 * jsc.cpp: 20348 (runWithScripts): 20349 * runtime/Options.h: 20350 203512012-11-28 Mark Hahnenberg <mhahnenberg@apple.com> 20352 20353 Copying phase should use work lists 20354 https://bugs.webkit.org/show_bug.cgi?id=101390 20355 20356 Reviewed by Filip Pizlo. 20357 20358 * JavaScriptCore.xcodeproj/project.pbxproj: 20359 * heap/BlockAllocator.cpp: 20360 (JSC::BlockAllocator::BlockAllocator): 20361 * heap/BlockAllocator.h: New RegionSet for CopyWorkListSegments. 20362 (BlockAllocator): 20363 (JSC::CopyWorkListSegment): 20364 * heap/CopiedBlock.h: Added a per-block CopyWorkList to keep track of the JSCells that need to be revisited during the copying 20365 phase to copy their backing stores. 20366 (CopiedBlock): 20367 (JSC::CopiedBlock::CopiedBlock): 20368 (JSC::CopiedBlock::didSurviveGC): 20369 (JSC::CopiedBlock::didEvacuateBytes): There is now a one-to-one relationship between GCThreads and the CopiedBlocks they're 20370 responsible for evacuating, we no longer need any of that fancy compare and swap stuff. 20371 (JSC::CopiedBlock::pin): 20372 (JSC::CopiedBlock::hasWorkList): 20373 (JSC::CopiedBlock::workList): 20374 * heap/CopiedBlockInlines.h: Added. 20375 (JSC::CopiedBlock::reportLiveBytes): Since we now have to grab a SpinLock to perform operations on the CopyWorkList during marking, 20376 we don't need to do any of that fancy compare and swap stuff we were doing for tracking live bytes. 
20377 * heap/CopiedSpace.h: 20378 (CopiedSpace): 20379 * heap/CopiedSpaceInlines.h: 20380 (JSC::CopiedSpace::pin): 20381 * heap/CopyVisitor.cpp: 20382 (JSC::CopyVisitor::copyFromShared): We now iterate over a range of CopiedBlocks rather than MarkedBlocks and revisit the cells in those 20383 blocks' CopyWorkLists. 20384 * heap/CopyVisitor.h: 20385 (CopyVisitor): 20386 * heap/CopyVisitorInlines.h: 20387 (JSC::CopyVisitor::visitCell): The function responsible for calling the correct copyBackingStore() function for each JSCell from 20388 a CopiedBlock's CopyWorkList. 20389 (JSC::CopyVisitor::didCopy): We no longer need to check if the block is empty here because we know exactly when we're done 20390 evacuating a CopiedBlock, which is when we've gone through all of the CopiedBlock's CopyWorkList. 20391 * heap/CopyWorkList.h: Added. 20392 (CopyWorkListSegment): Individual chunk of a CopyWorkList that is allocated from the BlockAllocator. 20393 (JSC::CopyWorkListSegment::create): 20394 (JSC::CopyWorkListSegment::size): 20395 (JSC::CopyWorkListSegment::isFull): 20396 (JSC::CopyWorkListSegment::get): 20397 (JSC::CopyWorkListSegment::append): 20398 (JSC::CopyWorkListSegment::CopyWorkListSegment): 20399 (JSC::CopyWorkListSegment::data): 20400 (JSC::CopyWorkListSegment::endOfBlock): 20401 (CopyWorkListIterator): Responsible for giving CopyVisitors a contiguous notion of access across the separate CopyWorkListSegments 20402 that make up each CopyWorkList. 20403 (JSC::CopyWorkListIterator::get): 20404 (JSC::CopyWorkListIterator::operator*): 20405 (JSC::CopyWorkListIterator::operator->): 20406 (JSC::CopyWorkListIterator::operator++): 20407 (JSC::CopyWorkListIterator::operator==): 20408 (JSC::CopyWorkListIterator::operator!=): 20409 (JSC::CopyWorkListIterator::CopyWorkListIterator): 20410 (CopyWorkList): Data structure that keeps track of the JSCells that need copying in a particular CopiedBlock. 
20411 (JSC::CopyWorkList::CopyWorkList): 20412 (JSC::CopyWorkList::~CopyWorkList): 20413 (JSC::CopyWorkList::append): 20414 (JSC::CopyWorkList::begin): 20415 (JSC::CopyWorkList::end): 20416 * heap/GCThreadSharedData.cpp: 20417 (JSC::GCThreadSharedData::GCThreadSharedData): We no longer use the m_blockSnapshot from the Heap during the copying phase. 20418 (JSC::GCThreadSharedData::didStartCopying): We now copy the set of all blocks in the CopiedSpace to a separate vector for 20419 iterating over during the copying phase since the set stored in the CopiedSpace will change as blocks are evacuated and 20420 recycled throughout the copying phase. 20421 * heap/GCThreadSharedData.h: 20422 (GCThreadSharedData): 20423 * heap/Heap.h: 20424 (Heap): 20425 * heap/SlotVisitor.h: We now need to know the object who is being marked that has a backing store so that we can store it 20426 in a CopyWorkList to revisit later during the copying phase. 20427 * heap/SlotVisitorInlines.h: 20428 (JSC::SlotVisitor::copyLater): 20429 * runtime/JSObject.cpp: 20430 (JSC::JSObject::visitButterfly): 20431 204322012-11-28 Filip Pizlo <fpizlo@apple.com> 20433 20434 Disassembly methods should be able to disassemble to any PrintStream& rather than always using WTF::dataFile() 20435 https://bugs.webkit.org/show_bug.cgi?id=103492 20436 20437 Reviewed by Mark Hahnenberg. 20438 20439 Switched disassembly code to use PrintStream&, and to use print() rather than printf(). 
20440 20441 * dfg/DFGDisassembler.cpp: 20442 (JSC::DFG::Disassembler::dump): 20443 (DFG): 20444 (JSC::DFG::Disassembler::dumpDisassembly): 20445 * dfg/DFGDisassembler.h: 20446 (Disassembler): 20447 * dfg/DFGGraph.cpp: 20448 (JSC::DFG::printWhiteSpace): 20449 (JSC::DFG::Graph::dumpCodeOrigin): 20450 (JSC::DFG::Graph::printNodeWhiteSpace): 20451 (JSC::DFG::Graph::dump): 20452 (DFG): 20453 (JSC::DFG::Graph::dumpBlockHeader): 20454 * dfg/DFGGraph.h: 20455 (Graph): 20456 * jit/JITDisassembler.cpp: 20457 (JSC::JITDisassembler::dump): 20458 (JSC::JITDisassembler::dumpForInstructions): 20459 (JSC::JITDisassembler::dumpDisassembly): 20460 * jit/JITDisassembler.h: 20461 (JITDisassembler): 20462 204632012-11-28 Filip Pizlo <fpizlo@apple.com> 20464 20465 It should be possible to say dataLog("count = ", count, "\n") instead of dataLogF("count = %d\n", count) 20466 https://bugs.webkit.org/show_bug.cgi?id=103009 20467 20468 Reviewed by Michael Saboff. 20469 20470 Instead of converting all of JSC to use the new dataLog()/print() methods, I just changed 20471 one place: dumping of abstract values. This is mainly just to ensure that the code I 20472 added to WTF is actually doing things. 20473 20474 * bytecode/CodeBlock.cpp: 20475 (JSC::CodeBlock::dump): 20476 * dfg/DFGAbstractValue.h: 20477 (JSC::DFG::AbstractValue::dump): 20478 (WTF): 20479 (WTF::printInternal): 20480 * dfg/DFGStructureAbstractValue.h: 20481 (JSC::DFG::StructureAbstractValue::dump): 20482 (WTF): 20483 (WTF::printInternal): 20484 204852012-11-28 Oliver Hunt <oliver@apple.com> 20486 20487 Make source cache include more information about the function extent. 20488 https://bugs.webkit.org/show_bug.cgi?id=103552 20489 20490 Reviewed by Gavin Barraclough. 20491 20492 Add a bit more information to the source cache. 
20493 20494 * parser/Parser.cpp: 20495 (JSC::::parseFunctionInfo): 20496 Store the function start offset 20497 * parser/SourceProviderCacheItem.h: 20498 (JSC::SourceProviderCacheItem::SourceProviderCacheItem): 20499 (SourceProviderCacheItem): 20500 Add additional field for the start of the real function string, and re-arrange 20501 fields to avoid growing the struct. 20502 205032012-11-27 Filip Pizlo <fpizlo@apple.com> 20504 20505 Convert some remaining uses of FILE* to PrintStream&. 20506 20507 Rubber stamped by Mark Hahnenberg. 20508 20509 * bytecode/ValueProfile.h: 20510 (JSC::ValueProfileBase::dump): 20511 * bytecode/ValueRecovery.h: 20512 (JSC::ValueRecovery::dump): 20513 * dfg/DFGByteCodeParser.cpp: 20514 (JSC::DFG::ByteCodeParser::parseCodeBlock): 20515 * dfg/DFGNode.h: 20516 (JSC::DFG::Node::dumpChildren): 20517 205182012-11-27 Filip Pizlo <fpizlo@apple.com> 20519 20520 Fix indentation in JSValue.h 20521 20522 Rubber stamped by Mark Hahnenberg. 20523 20524 * runtime/JSValue.h: 20525 205262012-11-26 Filip Pizlo <fpizlo@apple.com> 20527 20528 DFG SetLocal should use forwardSpeculationCheck instead of its own half-baked version of same 20529 https://bugs.webkit.org/show_bug.cgi?id=103353 20530 20531 Reviewed by Oliver Hunt and Gavin Barraclough. 20532 20533 Made it possible to use forward speculations for most of the operand classes. Changed the conditional 20534 direction parameter from being 'bool isForward' to an enum (SpeculationDirection). Changed SetLocal 20535 to use forward speculations and got rid of its half-baked version of same. 20536 20537 Also added the ability to force the DFG's disassembler to dump all nodes, even ones that are dead. 
20538 20539 * dfg/DFGByteCodeParser.cpp: 20540 (JSC::DFG::ByteCodeParser::parseBlock): 20541 * dfg/DFGDisassembler.cpp: 20542 (JSC::DFG::Disassembler::dump): 20543 * dfg/DFGDriver.cpp: 20544 (JSC::DFG::compile): 20545 * dfg/DFGSpeculativeJIT.cpp: 20546 (JSC::DFG::SpeculativeJIT::speculationCheck): 20547 (DFG): 20548 (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward): 20549 (JSC::DFG::SpeculativeJIT::speculationWatchpoint): 20550 (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution): 20551 (JSC::DFG::SpeculativeJIT::fillStorage): 20552 * dfg/DFGSpeculativeJIT.h: 20553 (SpeculativeJIT): 20554 (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand): 20555 (JSC::DFG::SpeculateIntegerOperand::gpr): 20556 (SpeculateIntegerOperand): 20557 (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand): 20558 (JSC::DFG::SpeculateDoubleOperand::fpr): 20559 (SpeculateDoubleOperand): 20560 (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand): 20561 (JSC::DFG::SpeculateCellOperand::gpr): 20562 (SpeculateCellOperand): 20563 (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand): 20564 (JSC::DFG::SpeculateBooleanOperand::gpr): 20565 (SpeculateBooleanOperand): 20566 * dfg/DFGSpeculativeJIT32_64.cpp: 20567 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): 20568 (JSC::DFG::SpeculativeJIT::fillSpeculateInt): 20569 (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict): 20570 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 20571 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 20572 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 20573 (JSC::DFG::SpeculativeJIT::compile): 20574 * dfg/DFGSpeculativeJIT64.cpp: 20575 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): 20576 (JSC::DFG::SpeculativeJIT::fillSpeculateInt): 20577 (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict): 20578 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 20579 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 20580 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 20581 
(JSC::DFG::SpeculativeJIT::compile): 20582 * runtime/Options.h: 20583 (JSC): 20584 205852012-11-26 Daniel Bates <dbates@webkit.org> 20586 20587 Substitute "allSeparators8Bit" for "allSeperators8Bit" in JSC::jsSpliceSubstringsWithSeparators() 20588 <https://bugs.webkit.org/show_bug.cgi?id=103303> 20589 20590 Reviewed by Simon Fraser. 20591 20592 Fix misspelled word, "Seperators" [sic], in a local variable name in JSC::jsSpliceSubstringsWithSeparators(). 20593 20594 * runtime/StringPrototype.cpp: 20595 (JSC::jsSpliceSubstringsWithSeparators): 20596 205972012-11-26 Daniel Bates <dbates@webkit.org> 20598 20599 JavaScript fails to handle String.replace() with large replacement string 20600 https://bugs.webkit.org/show_bug.cgi?id=102956 20601 <rdar://problem/12738012> 20602 20603 Reviewed by Oliver Hunt. 20604 20605 Fix an issue where we didn't check for overflow when computing the length 20606 of the result of String.replace() with a large replacement string. 20607 20608 * runtime/StringPrototype.cpp: 20609 (JSC::jsSpliceSubstringsWithSeparators): 20610 206112012-11-26 Zeno Albisser <zeno@webkit.org> 20612 20613 [Qt] Fix the LLInt build on Mac 20614 https://bugs.webkit.org/show_bug.cgi?id=97587 20615 20616 Reviewed by Simon Hausmann. 20617 20618 * DerivedSources.pri: 20619 * JavaScriptCore.pro: 20620 206212012-11-26 Oliver Hunt <oliver@apple.com> 20622 20623 32-bit build fix. Move the method decalration outside of the X86_64 only section. 20624 20625 * assembler/MacroAssembler.h: 20626 (MacroAssembler): 20627 (JSC::MacroAssembler::shouldConsiderBlinding): 20628 206292012-11-26 Oliver Hunt <oliver@apple.com> 20630 20631 Don't blind all the things. 20632 https://bugs.webkit.org/show_bug.cgi?id=102572 20633 20634 Reviewed by Gavin Barraclough. 20635 20636 No longer blind all the constants in the instruction stream. We use a 20637 simple non-deterministic filter to avoid blinding everything. 
Also modified 20638 the basic integer blinding logic to avoid blinding small negative values. 20639 20640 * assembler/MacroAssembler.h: 20641 (MacroAssembler): 20642 (JSC::MacroAssembler::shouldConsiderBlinding): 20643 (JSC::MacroAssembler::shouldBlind): 20644 206452012-11-26 Mark Hahnenberg <mhahnenberg@apple.com> 20646 20647 JSObject::copyButterfly doesn't handle undecided indexing types correctly 20648 https://bugs.webkit.org/show_bug.cgi?id=102573 20649 20650 Reviewed by Filip Pizlo. 20651 20652 We don't do any copying into the newly allocated vector and we don't zero-initialize CopiedBlocks 20653 during the copying phase, so we end up with uninitialized memory in arrays which have undecided indexing 20654 types. We should just do the actual memcpy from the old block to the new one. 20655 20656 * runtime/JSObject.cpp: 20657 (JSC::JSObject::copyButterfly): Just do the same thing that we do for other contiguous indexing types. 20658 206592012-11-26 Julien BRIANCEAU <jbrianceau@nds.com> 20660 20661 [sh4] JavaScriptCore JIT build is broken since r135330 20662 Add missing implementation for sh4 arch. 20663 https://bugs.webkit.org/show_bug.cgi?id=103145 20664 20665 Reviewed by Oliver Hunt. 
20666 20667 * assembler/MacroAssemblerSH4.h: 20668 (JSC::MacroAssemblerSH4::canJumpReplacePatchableBranchPtrWithPatch): 20669 (MacroAssemblerSH4): 20670 (JSC::MacroAssemblerSH4::startOfBranchPtrWithPatchOnRegister): 20671 (JSC::MacroAssemblerSH4::revertJumpReplacementToBranchPtrWithPatch): 20672 (JSC::MacroAssemblerSH4::startOfPatchableBranchPtrWithPatchOnAddress): 20673 (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranchPtrWithPatch): 20674 * assembler/SH4Assembler.h: 20675 (JSC::SH4Assembler::revertJump): 20676 (SH4Assembler): 20677 (JSC::SH4Assembler::printInstr): 20678 206792012-11-26 Yuqiang Xian <yuqiang.xian@intel.com> 20680 20681 Use load64 instead of loadPtr to load a JSValue on JSVALUE64 platforms 20682 https://bugs.webkit.org/show_bug.cgi?id=100909 20683 20684 Reviewed by Brent Fulgham. 20685 20686 This is a (trivial) fix after r132701. 20687 20688 * dfg/DFGOSRExitCompiler64.cpp: 20689 (JSC::DFG::OSRExitCompiler::compileExit): 20690 206912012-11-26 Gabor Ballabas <gaborb@inf.u-szeged.hu> 20692 20693 [Qt][ARM] REGRESSION(r130826): It made 33 JSC test and 466 layout tests crash 20694 https://bugs.webkit.org/show_bug.cgi?id=98857 20695 20696 Reviewed by Zoltan Herczeg. 20697 20698 Implement a new version of patchableBranch32 to fix crashing JSC 20699 tests. 20700 20701 * assembler/MacroAssembler.h: 20702 (MacroAssembler): 20703 * assembler/MacroAssemblerARM.h: 20704 (JSC::MacroAssemblerARM::patchableBranch32): 20705 (MacroAssemblerARM): 20706 207072012-11-21 Filip Pizlo <fpizlo@apple.com> 20708 20709 Any function that can log things should be able to easily log them to a memory buffer as well 20710 https://bugs.webkit.org/show_bug.cgi?id=103000 20711 20712 Reviewed by Sam Weinig. 20713 20714 Change all users of WTF::dataFile() to expect a PrintStream& rather than a FILE*. 
20715 20716 * bytecode/Operands.h: 20717 (JSC::OperandValueTraits::dump): 20718 (JSC::dumpOperands): 20719 (JSC): 20720 * dfg/DFGAbstractState.cpp: 20721 (JSC::DFG::AbstractState::dump): 20722 * dfg/DFGAbstractState.h: 20723 (AbstractState): 20724 * dfg/DFGAbstractValue.h: 20725 (JSC::DFG::AbstractValue::dump): 20726 * dfg/DFGCommon.h: 20727 (JSC::DFG::NodeIndexTraits::dump): 20728 * dfg/DFGStructureAbstractValue.h: 20729 (JSC::DFG::StructureAbstractValue::dump): 20730 * dfg/DFGVariableEvent.cpp: 20731 (JSC::DFG::VariableEvent::dump): 20732 (JSC::DFG::VariableEvent::dumpFillInfo): 20733 (JSC::DFG::VariableEvent::dumpSpillInfo): 20734 * dfg/DFGVariableEvent.h: 20735 (VariableEvent): 20736 * disassembler/Disassembler.h: 20737 (JSC): 20738 (JSC::tryToDisassemble): 20739 * disassembler/UDis86Disassembler.cpp: 20740 (JSC::tryToDisassemble): 20741 207422012-11-23 Alexis Menard <alexis@webkit.org> 20743 20744 [CSS3 Backgrounds and Borders] Implement new CSS3 background-position parsing. 20745 https://bugs.webkit.org/show_bug.cgi?id=102104 20746 20747 Reviewed by Julien Chaffraix. 20748 20749 Protect the new feature behind a feature flag. 20750 20751 * Configurations/FeatureDefines.xcconfig: 20752 207532012-11-23 Gabor Ballabas <gaborb@inf.u-szeged.hu> 20754 20755 Fix the ARM traditional build after r135330 20756 https://bugs.webkit.org/show_bug.cgi?id=102871 20757 20758 Reviewed by Zoltan Herczeg. 20759 20760 Added missing functionality to traditional ARM architecture. 

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::revertJump):
        (ARMAssembler):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
        (MacroAssemblerARM):
        (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):

2012-11-16  Yury Semikhatsky  <yurys@chromium.org>

        Memory instrumentation: extract MemoryObjectInfo declaration into a separate file
        https://bugs.webkit.org/show_bug.cgi?id=102510

        Reviewed by Pavel Feldman.

        Added new symbols for the methods that have moved into .../wtf/MemoryInstrumentation.cpp

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-11-23  Julien BRIANCEAU  <jbrianceau@nds.com>

        [sh4] JavaScriptCore JIT build is broken since r130839
        Add missing implementation for sh4 arch.
        https://bugs.webkit.org/show_bug.cgi?id=101479

        Reviewed by Filip Pizlo.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load8Signed):
        (MacroAssemblerSH4):
        (JSC::MacroAssemblerSH4::load16Signed):
        (JSC::MacroAssemblerSH4::store8):
        (JSC::MacroAssemblerSH4::store16):
        (JSC::MacroAssemblerSH4::moveDoubleToInts):
        (JSC::MacroAssemblerSH4::moveIntsToDouble):
        (JSC::MacroAssemblerSH4::loadFloat):
        (JSC::MacroAssemblerSH4::loadDouble):
        (JSC::MacroAssemblerSH4::storeFloat):
        (JSC::MacroAssemblerSH4::storeDouble):
        (JSC::MacroAssemblerSH4::addDouble):
        (JSC::MacroAssemblerSH4::convertFloatToDouble):
        (JSC::MacroAssemblerSH4::convertDoubleToFloat):
        (JSC::MacroAssemblerSH4::urshift32):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::sublRegReg):
        (JSC::SH4Assembler::subvlRegReg):
        (JSC::SH4Assembler::floatfpulfrn):
        (JSC::SH4Assembler::fldsfpul):
        (JSC::SH4Assembler::fstsfpul):
        (JSC::SH4Assembler::dcnvsd):
        (SH4Assembler):
        (JSC::SH4Assembler::movbRegMem):
        (JSC::SH4Assembler::sizeOfConstantPool):
        (JSC::SH4Assembler::linkJump):
        (JSC::SH4Assembler::printInstr):
        (JSC::SH4Assembler::printBlockInstr):

2012-11-22  Balazs Kilvady  <kilvadyb@homejinni.com>

        Fix the MIPS build after r135330
        https://bugs.webkit.org/show_bug.cgi?id=102872

        Reviewed by Gavin Barraclough.

        Revert/replace functions added to MIPS port.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::revertJumpToMove):
        (MIPSAssembler):
        (JSC::MIPSAssembler::replaceWithJump):
        * assembler/MacroAssemblerMIPS.h:
        (MacroAssemblerMIPS):
        (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):

2012-11-21  Filip Pizlo  <fpizlo@apple.com>

        Rename dataLog() and dataLogV() to dataLogF() and dataLogFV()
        https://bugs.webkit.org/show_bug.cgi?id=103001

        Rubber stamped by Dan Bernstein.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        (JSC::LinkBuffer::dumpLinkStatistics):
        (JSC::LinkBuffer::dumpCode):
        * assembler/LinkBuffer.h:
        (JSC):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::vprintfStdoutInstr):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecodeCommentAndNewLine):
        (JSC::CodeBlock::printUnaryOp):
        (JSC::CodeBlock::printBinaryOp):
        (JSC::CodeBlock::printConditionalJump):
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::dumpStructure):
        (JSC::dumpChain):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::printStructure):
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::dumpStatistics):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::resetStubInternal):
        (JSC::CodeBlock::reoptimize):
        (JSC::ProgramCodeBlock::jettison):
        (JSC::EvalCodeBlock::jettison):
        (JSC::FunctionCodeBlock::jettison):
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::tallyFrequentExitSites):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/Opcode.cpp:
        (JSC::OpcodeStats::~OpcodeStats):
        * bytecode/SamplingTool.cpp:
        (JSC::SamplingFlags::stop):
        (JSC::SamplingRegion::dumpInternal):
        (JSC::SamplingTool::dump):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::endBasicBlock):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::dump):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        (JSC::DFG::CFAPhase::performForwardCFA):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
        (JSC::DFG::CFGSimplificationPhase::fixPhis):
        (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors):
        (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::endIndexForPureCSE):
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::eliminate):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::debugFail):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dump):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixDoubleEdge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::printWhiteSpace):
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::beginPhase):
        * dfg/DFGPhase.h:
        (JSC::DFG::runAndLog):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::propagateForward):
        (JSC::DFG::PredictionPropagationPhase::propagateBackward):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGRegisterBank.h:
        (JSC::DFG::RegisterBank::dump):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::use):
        (JSC::DFG::ScoreBoard::dump):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::generate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecutionWithConditionalDirection):
        (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
        (JSC::DFG::SpeculativeJIT::dump):
        (JSC::DFG::SpeculativeJIT::checkConsistency):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * dfg/DFGValidate.cpp:
        (Validate):
        (JSC::DFG::Validate::reportValidationContext):
        (JSC::DFG::Validate::dumpData):
        (JSC::DFG::Validate::dumpGraphIfAppropriate):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::logEvent):
        (JSC::DFG::VariableEventStream::reconstruct):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):
        * heap/Heap.cpp:
        * heap/HeapStatistics.cpp:
        (JSC::HeapStatistics::logStatistics):
        (JSC::HeapStatistics::showObjectStatistics):
        * heap/MarkStack.h:
        * heap/MarkedBlock.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::validate):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::dumpCaller):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dump):
        (JSC::JITDisassembler::dumpForInstructions):
        * jit/JITStubRoutine.h:
        (JSC):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JumpReplacementWatchpoint.cpp:
        (JSC::JumpReplacementWatchpoint::fireInternal):
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::interpreterThrowInCaller):
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::entryOSR):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        * profiler/Profile.cpp:
        (JSC::Profile::debugPrintData):
        (JSC::Profile::debugPrintDataSampleStyle):
        * profiler/ProfileNode.cpp:
        (JSC::ProfileNode::debugPrintData):
        (JSC::ProfileNode::debugPrintDataSampleStyle):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::dumpRegExpTrace):
        * runtime/RegExp.cpp:
        (JSC::RegExp::matchCompareWithInterpreter):
        * runtime/SamplingCounter.cpp:
        (JSC::AbstractSamplingCounter::dump):
        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):
        * tools/CodeProfile.cpp:
        (JSC::CodeProfile::report):
        * tools/ProfileTreeNode.h:
        (JSC::ProfileTreeNode::dumpInternal):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::dumpDisjunction):

2012-11-21  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to say disassemble(stuff) instead of having to say if (!tryToDisassemble(stuff)) dataLog("I failed")
        https://bugs.webkit.org/show_bug.cgi?id=103010

        Reviewed by Anders Carlsson.

        You can still say tryToDisassemble(), which will tell you if it failed; you can then
        decide what to do instead. But it's better to say disassemble(), which will just print
        the instruction ranges if tryToDisassemble() failed. This is particularly appropriate
        since that's what all previous users of tryToDisassemble() would have done in some
        form or another.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpDisassembly):
        * disassembler/Disassembler.cpp: Added.
        (JSC):
        (JSC::disassemble):
        * disassembler/Disassembler.h:
        (JSC):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dumpDisassembly):

2012-11-21  Filip Pizlo  <fpizlo@apple.com>

        dumpOperands() claims that it needs a non-const Operands& when that is completely false
        https://bugs.webkit.org/show_bug.cgi?id=103005

        Reviewed by Eric Carlson.

        * bytecode/Operands.h:
        (JSC::dumpOperands):
        (JSC):

2012-11-20  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT's disassembly should be just as pretty as the DFG's
        https://bugs.webkit.org/show_bug.cgi?id=102873

        Reviewed by Sam Weinig.

        Integrated the CodeBlock's bytecode dumper with the JIT's disassembler. Also fixed
        some type goof-ups (instructions are not in a Vector<Instruction> so using a Vector
        iterator makes no sense) and streamlined some things (you don't actually need a
        full-fledged ExecState* to dump bytecode).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printUnaryOp):
        (JSC::CodeBlock::printBinaryOp):
        (JSC::CodeBlock::printConditionalJump):
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::dump):
        (JSC):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpCallFrame):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JIT):
        * jit/JITDisassembler.cpp: Added.
        (JSC):
        (JSC::JITDisassembler::JITDisassembler):
        (JSC::JITDisassembler::~JITDisassembler):
        (JSC::JITDisassembler::dump):
        (JSC::JITDisassembler::dumpForInstructions):
        (JSC::JITDisassembler::dumpDisassembly):
        * jit/JITDisassembler.h: Added.
        (JSC):
        (JITDisassembler):
        (JSC::JITDisassembler::setStartOfCode):
        (JSC::JITDisassembler::setForBytecodeMainPath):
        (JSC::JITDisassembler::setForBytecodeSlowPath):
        (JSC::JITDisassembler::setEndOfSlowPath):
        (JSC::JITDisassembler::setEndOfCode):

2012-11-21  Daniel Bates  <dbates@webkit.org>

        JavaScript fails to concatenate large strings
        <https://bugs.webkit.org/show_bug.cgi?id=102963>

        Reviewed by Michael Saboff.

        Fixes an issue where we inadvertently didn't check the length of
        a JavaScript string for overflow.
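
        The bug class behind the entry above, as an added example that is not
        JavaScriptCore's own code: before a concatenation allocates its result it has
        to compute the combined length in a type wide enough that the comparison against
        the limit cannot itself wrap, because a 32-bit sum of two large lengths comes out
        small and the copy that follows writes past the buffer. The function names, the
        32-bit length type and the limit constant are assumptions chosen for illustration.

```cpp
// Added example, not JavaScriptCore's own code: the length check a string
// concatenation must perform before it allocates. Names, the 32-bit length
// type and the limit constant are assumptions for illustration.
#include <cassert>
#include <cstdint>
#include <limits>
#include <string>
#include <vector>

// Assumed maximum string length; any fixed bound works for the pattern.
constexpr uint32_t kMaxStringLength = std::numeric_limits<int32_t>::max();

// Returns the combined length, or -1 if the concatenation must be refused.
// Accumulating in 64 bits means the comparison itself cannot wrap, which is
// what the unchecked version below gets wrong.
int64_t checkedConcatLength(const std::vector<uint32_t>& lengths)
{
    uint64_t total = 0;
    for (uint32_t length : lengths) {
        total += length;
        if (total > kMaxStringLength)
            return -1; // caller takes the out-of-memory / RangeError path
    }
    return static_cast<int64_t>(total);
}

// The buggy shape, kept for contrast: a 32-bit accumulator wraps, so two
// 2 GiB strings "concatenate" to length 0 and a later copy overflows.
uint32_t uncheckedConcatLength(const std::vector<uint32_t>& lengths)
{
    uint32_t total = 0;
    for (uint32_t length : lengths)
        total += length;
    return total;
}

// Concatenation that only allocates once the check has passed.
bool concatenate(const std::vector<std::string>& parts, std::string& out)
{
    std::vector<uint32_t> lengths;
    for (const std::string& part : parts)
        lengths.push_back(static_cast<uint32_t>(part.size()));
    int64_t total = checkedConcatLength(lengths);
    if (total < 0)
        return false;
    out.clear();
    out.reserve(static_cast<size_t>(total));
    for (const std::string& part : parts)
        out += part;
    return true;
}

// Convenience wrapper: the result, or "" when the concatenation is refused.
std::string concatenateOrEmpty(const std::vector<std::string>& parts)
{
    std::string out;
    return concatenate(parts, out) ? out : std::string();
}

int main()
{
    assert(concatenateOrEmpty({"foo", "bar"}) == "foobar");
    // Constructed overflow input: two lengths whose 32-bit sum wraps to 0.
    assert(uncheckedConcatLength({0x80000000u, 0x80000000u}) == 0u);
    assert(checkedConcatLength({0x80000000u, 0x80000000u}) == -1);
    return 0;
}
```

        The same shape applies to any length arithmetic that feeds an allocation:
        widen or check first, allocate second, and make the refusal an explicit error
        path rather than a silently truncated size.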

        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsStringFromArguments):

2012-11-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to cache closure calls (part 2/2)
        https://bugs.webkit.org/show_bug.cgi?id=102662

        Reviewed by Gavin Barraclough.

        Added caching of calls where the JSFunction* varies, but the Structure* and ExecutableBase*
        stay the same. This is accomplished by replacing the branch that compares against a constant
        JSFunction* with a jump to a closure call stub. The closure call stub contains a fast path,
        and jumps slow directly to the virtual call thunk.

        Looks like a 1% win on V8v7.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        * bytecode/CallLinkInfo.h:
        (CallLinkInfo):
        (JSC::CallLinkInfo::isLinked):
        (JSC::getCallLinkInfoBytecodeIndex):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC):
        (JSC::CodeBlock::findClosureCallForReturnPC):
        (JSC::CodeBlock::bytecodeOffset):
        (JSC::CodeBlock::codeOriginForReturn):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::getCallLinkInfo):
        (CodeBlock):
        (JSC::CodeBlock::isIncomingCallAlreadyLinked):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addJSCall):
        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
        (JSCallRecord):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::linkSlowFor):
        (DFG):
        (JSC::DFG::dfgLinkFor):
        (JSC::DFG::dfgLinkSlowFor):
        (JSC::DFG::dfgLinkClosureCall):
        * dfg/DFGRepatch.h:
        (DFG):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGThunks.cpp:
        (DFG):
        (JSC::DFG::linkClosureCallThunkGenerator):
        * dfg/DFGThunks.h:
        (DFG):
        * heap/Heap.h:
        (Heap):
        (JSC::Heap::jitStubRoutines):
        * heap/JITStubRoutineSet.h:
        (JSC::JITStubRoutineSet::size):
        (JSC::JITStubRoutineSet::at):
        (JITStubRoutineSet):
        * jit/ClosureCallStubRoutine.cpp: Added.
        (JSC):
        (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
        (JSC::ClosureCallStubRoutine::~ClosureCallStubRoutine):
        (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
        * jit/ClosureCallStubRoutine.h: Added.
        (JSC):
        (ClosureCallStubRoutine):
        (JSC::ClosureCallStubRoutine::structure):
        (JSC::ClosureCallStubRoutine::executable):
        (JSC::ClosureCallStubRoutine::codeOrigin):
        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
        * jit/GCAwareJITStubRoutine.h:
        (GCAwareJITStubRoutine):
        (JSC::GCAwareJITStubRoutine::isClosureCall):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2012-11-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to cache closure calls (part 1/2)
        https://bugs.webkit.org/show_bug.cgi?id=102662

        Reviewed by Gavin Barraclough.

        Add ability to revert a jump replacement back to
        branchPtrWithPatch(Condition, RegisterID, TrustedImmPtr). This is meant to be
        a mandatory piece of functionality for all assemblers. I also renamed some of
        the functions for reverting jump replacements back to
        patchableBranchPtrWithPatch(Condition, Address, TrustedImmPtr), so as to avoid
        confusion.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::BadReg):
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::revertJumpTo_movT3):
        * assembler/LinkBuffer.h:
        (JSC):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
        (MacroAssemblerARMv7):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
        (MacroAssemblerX86):
        (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
        (MacroAssemblerX86_64):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
        * assembler/RepatchBuffer.h:
        (JSC::RepatchBuffer::startOfBranchPtrWithPatchOnRegister):
        (RepatchBuffer):
        (JSC::RepatchBuffer::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::RepatchBuffer::revertJumpReplacementToBranchPtrWithPatch):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::revertJumpTo_cmpl_ir_force32):
        (X86Assembler):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::replaceWithJump):
        (JSC::DFG::dfgResetGetByID):
        (JSC::DFG::dfgResetPutByID):

2012-11-20  Yong Li  <yoli@rim.com>

        [ARMv7] Neither linkCall() nor linkPointer() should flush code.
        https://bugs.webkit.org/show_bug.cgi?id=99213

        Reviewed by George Staikos.

        LinkBuffer doesn't need to flush code during linking. It will
        eventually flush the whole executable. Fixing this gives a >5%
        sunspider boost (on QNX).

        Also make replaceWithLoad() and replaceWithAddressComputation() flush
        only when necessary.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::linkCall):
        (JSC::ARMv7Assembler::linkPointer):
        (JSC::ARMv7Assembler::relinkCall):
        (JSC::ARMv7Assembler::repatchInt32):
        (JSC::ARMv7Assembler::repatchPointer):
        (JSC::ARMv7Assembler::replaceWithLoad): Flush only after it did write.
        (JSC::ARMv7Assembler::replaceWithAddressComputation): Flush only after it did write.
        (JSC::ARMv7Assembler::setInt32):
        (JSC::ARMv7Assembler::setPointer):

2012-11-19  Filip Pizlo  <fpizlo@apple.com>

        Remove support for ARMv7 errata from the jump code
        https://bugs.webkit.org/show_bug.cgi?id=102759

        Reviewed by Oliver Hunt.

        The jump replacement code was wrong to begin with since it wasn't doing
        a cache flush on the inserted padding. And, to my knowledge, we don't need
        this anymore, so this patch removes all errata code from the ARMv7 port.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::computeJumpType):
        (JSC::ARMv7Assembler::replaceWithJump):
        (JSC::ARMv7Assembler::maxJumpReplacementSize):
        (JSC::ARMv7Assembler::canBeJumpT3):
        (JSC::ARMv7Assembler::canBeJumpT4):

2012-11-19  Patrick Gansterer  <paroga@webkit.org>

        [CMake] Create JavaScriptCore ForwardingHeaders
        https://bugs.webkit.org/show_bug.cgi?id=92665

        Reviewed by Brent Fulgham.

        When using CMake to build the Windows port, we need
        to generate the forwarding headers with it too.

        * CMakeLists.txt:

2012-11-19  Kihong Kwon  <kihong.kwon@samsung.com>

        Add PROXIMITY_EVENTS feature
        https://bugs.webkit.org/show_bug.cgi?id=102658

        Reviewed by Kentaro Hara.

        Add PROXIMITY_EVENTS feature to xcode project for JavaScriptCore.

        * Configurations/FeatureDefines.xcconfig:

2012-11-18  Dan Bernstein  <mitz@apple.com>

        Try to fix the DFG build after r135099.

        * dfg/DFGCommon.h:
        (JSC::DFG::shouldShowDisassembly):

2012-11-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, build fix for !ENABLE(DFG_JIT).

        * dfg/DFGCommon.h:
        (JSC::DFG::shouldShowDisassembly):
        (DFG):

2012-11-18  Filip Pizlo  <fpizlo@apple.com>

        JSC should have more logging in structure-related code
        https://bugs.webkit.org/show_bug.cgi?id=102630

        Reviewed by Simon Fraser.

        - JSValue::description() now tells you if something is a structure, and if so,
          what kind of structure it is.

        - Jettisoning logic now tells you why things are being jettisoned.

        - It's now possible to turn off GC-triggered jettisoning entirely.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::reoptimize):
        (JSC::ProgramCodeBlock::jettison):
        (JSC::EvalCodeBlock::jettison):
        (JSC::FunctionCodeBlock::jettison):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):
        * runtime/Options.h:
        (JSC):

2012-11-18  Filip Pizlo  <fpizlo@apple.com>

        DFG constant folding phase should say 'changed = true' whenever it changes the graph
        https://bugs.webkit.org/show_bug.cgi?id=102550

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2012-11-17  Elliott Sprehn  <esprehn@chromium.org>

        Expose JSObject removeDirect and PrivateName to WebCore
        https://bugs.webkit.org/show_bug.cgi?id=102546

        Reviewed by Geoffrey Garen.

        Export removeDirect for use in WebCore so JSDependentRetained works.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-11-16  Filip Pizlo  <fpizlo@apple.com>

        Given a PutById or GetById with a proven structure, the DFG should be able to emit a PutByOffset or GetByOffset instead
        https://bugs.webkit.org/show_bug.cgi?id=102327

        Reviewed by Mark Hahnenberg.

        If the profiler tells us that a GetById or PutById may be polymorphic but our
        control flow analysis proves that it isn't, we should trust the control flow
        analysis over the profiler. This arises in cases where GetById or PutById were
        inlined: the inlined function may have been called from other places that led
        to polymorphism, but in the current inlined context, there is no polymorphism.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        (JSC):
        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::GetByIdStatus):
        (GetByIdStatus):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        (JSC):
        * bytecode/PutByIdStatus.h:
        (JSC):
        (JSC::PutByIdStatus::PutByIdStatus):
        (PutByIdStatus):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::bestProvenStructure):
        (AbstractValue):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        (ConstantFoldingPhase):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetByOffset):
        (Node):
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::hasStorageResult):
        * runtime/JSGlobalObject.h:
        (JSC::Structure::prototypeChain):
        (JSC):
        (JSC::Structure::isValid):
        * runtime/Operations.h:
        (JSC::isPrototypeChainNormalized):
        (JSC):
        * runtime/Structure.h:
        (Structure):
        (JSC::Structure::transitionDidInvolveSpecificValue):

2012-11-16  Tony Chang  <tony@chromium.org>

        Remove ENABLE_CSS_HIERARCHIES since it's no longer in use
        https://bugs.webkit.org/show_bug.cgi?id=102554

        Reviewed by Andreas Kling.

        As mentioned in https://bugs.webkit.org/show_bug.cgi?id=79939#c41,
        we're going to revisit this feature once additional vendor support is
        achieved.

        * Configurations/FeatureDefines.xcconfig:

2012-11-16  Patrick Gansterer  <paroga@webkit.org>

        Build fix for WinCE after r133688.

        Use numeric_limits<uint32_t>::max() instead of UINT32_MAX.

        * runtime/CodeCache.h:
        (JSC::CacheMap::CacheMap):

2012-11-15  Filip Pizlo  <fpizlo@apple.com>

        ClassInfo.h should have correct indentation.

        Rubber stamped by Mark Hahnenberg.

        ClassInfo.h had some true creativity in its use of whitespace. Some things within
        the namespace were indented four spaces and others were not. One #define had its
        contents indented four spaces, while another didn't. I applied the following rule:

        - Non-macro things in the namespace should not be indented (that's our current
          accepted practice).

        - Macros should never be indented but if they are multi-line then their subsequent
          bodies should be indented four spaces. I believe that is consistent with what we
          do elsewhere.

        * runtime/ClassInfo.h:
        (JSC):
        (MethodTable):
        (ClassInfo):
        (JSC::ClassInfo::propHashTable):
        (JSC::ClassInfo::isSubClassOf):
        (JSC::ClassInfo::hasStaticProperties):

2012-11-15  Filip Pizlo  <fpizlo@apple.com>

        DFG should copy propagate trivially no-op ConvertThis
        https://bugs.webkit.org/show_bug.cgi?id=102445

        Reviewed by Oliver Hunt.

        Copy propagation is always a good thing, since it reveals must-alias relationships
        to the CFA and CSE. This accomplishes copy propagation for ConvertThis by first
        converting it to an Identity node (which is done by the constant folder since it
        has access to CFA results) and then performing substitution of references to
        Identity with references to Identity's child in the CSE.

        I'm not aiming for a big speed-up here; I just think that this will be useful for
        the work on https://bugs.webkit.org/show_bug.cgi?id=102327.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-11-15  Filip Pizlo  <fpizlo@apple.com>

        CallData.h should have correct indentation.

        Rubber stamped by Mark Hahnenberg.

        * runtime/CallData.h:
        (JSC):

2012-11-15  Filip Pizlo  <fpizlo@apple.com>

        Remove methodCallDummy since it is not used anymore.

        Rubber stamped by Mark Hahnenberg.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):

2012-11-14  Filip Pizlo  <fpizlo@apple.com>

        Structure should be able to easily tell if the prototype chain might intercept a store
        https://bugs.webkit.org/show_bug.cgi?id=102326

        Reviewed by Geoffrey Garen.

        This improves our ability to reason about the correctness of the more optimized
        prototype chain walk in JSObject::put(), while also making it straightforward to
        check if the prototype chain will do strange things to a property store by just
        looking at the structure.

        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        * runtime/Structure.cpp:
        (JSC::Structure::prototypeChainMayInterceptStoreTo):
        (JSC):
        * runtime/Structure.h:
        (Structure):

2012-11-15  Thiago Marcos P. Santos  <thiago.santos@intel.com>

        [CMake] Do not regenerate LLIntAssembly.h on every incremental build
        https://bugs.webkit.org/show_bug.cgi?id=102248

        Reviewed by Kenneth Rohde Christiansen.

        Update LLIntAssembly.h's mtime after running asm.rb to make the build
        system dependency tracking consistent.

        * CMakeLists.txt:

2012-11-15  Thiago Marcos P. Santos  <thiago.santos@intel.com>

        Fix compiler warnings about signed/unsigned comparison on i386
        https://bugs.webkit.org/show_bug.cgi?id=102249

        Reviewed by Kenneth Rohde Christiansen.

        Add casting to unsigned to shut up gcc warnings. Build was broken on
        JSVALUE32_64 ports compiling with -Werror.

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):

2012-11-14  Brent Fulgham  <bfulgham@webkit.org>

        [Windows, WinCairo] Unreviewed build fix.
21629 21630 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 21631 Missed one of the exports that was part of the WebKit2.def. 21632 216332012-11-14 Brent Fulgham <bfulgham@webkit.org> 21634 21635 [Windows, WinCairo] Correct build failure. 21636 https://bugs.webkit.org/show_bug.cgi?id=102302 21637 21638 WebCore symbols were mistakenly added to the JavaScriptCore 21639 library definition file. 21640 21641 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Remove 21642 WebCore symbols that were incorrectly added to the export file. 21643 216442012-11-14 Mark Lam <mark.lam@apple.com> 21645 21646 Change JSEventListener::m_jsFunction to be a weak ref. 21647 https://bugs.webkit.org/show_bug.cgi?id=101989. 21648 21649 Reviewed by Geoffrey Garen. 21650 21651 Added infrastructure for scanning weak ref slots. 21652 21653 * heap/SlotVisitor.cpp: Added #include "SlotVisitorInlines.h". 21654 * heap/SlotVisitor.h: 21655 (SlotVisitor): Added SlotVisitor::appendUnbarrieredWeak(). 21656 * heap/SlotVisitorInlines.h: Added #include "Weak.h". 21657 (JSC::SlotVisitor::appendUnbarrieredWeak): Added. 21658 * heap/Weak.h: 21659 (JSC::operator==): Added operator==() for Weak. 21660 * runtime/JSCell.h: Removed #include "SlotVisitorInlines.h". 21661 * runtime/JSObject.h: Added #include "SlotVisitorInlines.h". 21662 216632012-11-14 Filip Pizlo <fpizlo@apple.com> 21664 21665 Read-only properties created with putDirect() should tell the structure that there are read-only properties 21666 https://bugs.webkit.org/show_bug.cgi?id=102292 21667 21668 Reviewed by Gavin Barraclough. 21669 21670 This mostly affects things like function.length. 21671 21672 * runtime/JSObject.h: 21673 (JSC::JSObject::putDirectInternal): 21674 216752012-11-13 Filip Pizlo <fpizlo@apple.com> 21676 21677 Don't access Node& after adding nodes to the graph. 21678 https://bugs.webkit.org/show_bug.cgi?id=102005 21679 21680 Reviewed by Oliver Hunt. 
21681 21682 * dfg/DFGFixupPhase.cpp: 21683 (JSC::DFG::FixupPhase::fixupNode): 21684 216852012-11-14 Valery Ignatyev <valery.ignatyev@ispras.ru> 21686 21687 Replace (typeof(x) != <"object", "undefined", ...>) with 21688 !(typeof(x) == <"object",..>). Later is_object, is_<...> bytecode operation 21689 will be used. 21690 21691 https://bugs.webkit.org/show_bug.cgi?id=98893 21692 21693 Reviewed by Filip Pizlo. 21694 21695 This eliminates expensive typeof implementation and 21696 allows to use DFG optimizations, which doesn't support 'typeof'. 21697 21698 * bytecompiler/NodesCodegen.cpp: 21699 (JSC::BinaryOpNode::emitBytecode): 21700 217012012-11-14 Peter Gal <galpeter@inf.u-szeged.hu> 21702 21703 [Qt][ARM]REGRESSION(r133985): It broke the build 21704 https://bugs.webkit.org/show_bug.cgi?id=101740 21705 21706 Reviewed by Csaba Osztrogonác. 21707 21708 Changed the emitGenericContiguousPutByVal to accept the additional IndexingType argument. 21709 This information was passed as a template parameter. 21710 21711 * jit/JIT.h: 21712 (JSC::JIT::emitInt32PutByVal): 21713 (JSC::JIT::emitDoublePutByVal): 21714 (JSC::JIT::emitContiguousPutByVal): 21715 (JIT): 21716 * jit/JITPropertyAccess.cpp: 21717 (JSC::JIT::emitGenericContiguousPutByVal): 21718 * jit/JITPropertyAccess32_64.cpp: 21719 (JSC::JIT::emitGenericContiguousPutByVal): 21720 217212012-11-14 Peter Gal <galpeter@inf.u-szeged.hu> 21722 21723 Fix the MIPS build after r134332 21724 https://bugs.webkit.org/show_bug.cgi?id=102227 21725 21726 Reviewed by Csaba Osztrogonác. 21727 21728 Added missing methods for the MacroAssemblerMIPS, based on the MacroAssemblerARMv7. 
21729 21730 * assembler/MacroAssemblerMIPS.h: 21731 (JSC::MacroAssemblerMIPS::canJumpReplacePatchableBranchPtrWithPatch): 21732 (MacroAssemblerMIPS): 21733 (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatch): 21734 (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch): 21735 217362012-11-14 Peter Gal <galpeter@inf.u-szeged.hu> 21737 21738 Fix the [-Wreturn-type] warning in JavaScriptCore/assembler/MacroAssemblerARM.h 21739 https://bugs.webkit.org/show_bug.cgi?id=102206 21740 21741 Reviewed by Csaba Osztrogonác. 21742 21743 Add a return value for the function to suppress the warning. 21744 21745 * assembler/MacroAssemblerARM.h: 21746 (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatch): 21747 217482012-11-14 Sheriff Bot <webkit.review.bot@gmail.com> 21749 21750 Unreviewed, rolling out r134599. 21751 http://trac.webkit.org/changeset/134599 21752 https://bugs.webkit.org/show_bug.cgi?id=102225 21753 21754 It broke the 32 bit EFL build (Requested by Ossy on #webkit). 21755 21756 * jit/JITPropertyAccess.cpp: 21757 * jit/JITPropertyAccess32_64.cpp: 21758 (JSC): 21759 (JSC::JIT::emitGenericContiguousPutByVal): 21760 217612012-11-14 Balazs Kilvady <kilvadyb@homejinni.com> 21762 21763 [Qt][ARM]REGRESSION(r133985): It broke the build 21764 https://bugs.webkit.org/show_bug.cgi?id=101740 21765 21766 Reviewed by Csaba Osztrogonác. 21767 21768 Template function body moved to fix VALUE_PROFILER disabled case. 21769 21770 * jit/JITPropertyAccess.cpp: 21771 (JSC): 21772 (JSC::JIT::emitGenericContiguousPutByVal): 21773 * jit/JITPropertyAccess32_64.cpp: 21774 217752012-11-13 Filip Pizlo <fpizlo@apple.com> 21776 21777 DFG CreateThis should be able to statically account for the structure of the object it creates, if profiling indicates that this structure is always the same 21778 https://bugs.webkit.org/show_bug.cgi?id=102017 21779 21780 Reviewed by Geoffrey Garen. 21781 21782 This adds a watchpoint in JSFunction on the cached inheritor ID. 
It also changes 21783 NewObject to take a structure as an operand (previously it implicitly used the owning 21784 global object's empty object structure). Any GetCallee where the callee is predictable 21785 is turned into a CheckFunction + WeakJSConstant, and any CreateThis on a WeakJSConstant 21786 where the inheritor ID watchpoint is still valid is turned into an InheritorIDWatchpoint 21787 followed by a NewObject. NewObject already accounts for the structure it uses for object 21788 creation in the CFA. 21789 21790 * dfg/DFGAbstractState.cpp: 21791 (JSC::DFG::AbstractState::execute): 21792 * dfg/DFGByteCodeParser.cpp: 21793 (JSC::DFG::ByteCodeParser::parseBlock): 21794 * dfg/DFGCSEPhase.cpp: 21795 (JSC::DFG::CSEPhase::checkFunctionElimination): 21796 * dfg/DFGGraph.cpp: 21797 (JSC::DFG::Graph::dump): 21798 * dfg/DFGNode.h: 21799 (JSC::DFG::Node::hasFunction): 21800 (JSC::DFG::Node::function): 21801 (JSC::DFG::Node::hasStructure): 21802 * dfg/DFGNodeType.h: 21803 (DFG): 21804 * dfg/DFGOperations.cpp: 21805 * dfg/DFGOperations.h: 21806 * dfg/DFGPredictionPropagationPhase.cpp: 21807 (JSC::DFG::PredictionPropagationPhase::propagate): 21808 * dfg/DFGSpeculativeJIT.h: 21809 (JSC::DFG::SpeculativeJIT::callOperation): 21810 * dfg/DFGSpeculativeJIT32_64.cpp: 21811 (JSC::DFG::SpeculativeJIT::compile): 21812 * dfg/DFGSpeculativeJIT64.cpp: 21813 (JSC::DFG::SpeculativeJIT::compile): 21814 * runtime/Executable.h: 21815 (JSC::JSFunction::JSFunction): 21816 * runtime/JSBoundFunction.cpp: 21817 (JSC): 21818 * runtime/JSFunction.cpp: 21819 (JSC::JSFunction::JSFunction): 21820 (JSC::JSFunction::put): 21821 (JSC::JSFunction::defineOwnProperty): 21822 * runtime/JSFunction.h: 21823 (JSC::JSFunction::tryGetKnownInheritorID): 21824 (JSFunction): 21825 (JSC::JSFunction::addInheritorIDWatchpoint): 21826 218272012-11-13 Filip Pizlo <fpizlo@apple.com> 21828 21829 JSFunction and its descendants should be destructible 21830 https://bugs.webkit.org/show_bug.cgi?id=102062 21831 21832 Reviewed 
by Mark Hahnenberg. 21833 21834 This will make it easy to place an InlineWatchpointSet inside JSFunction. In the 21835 future, we could make JSFunction non-destructible again by making a version of 21836 WatchpointSet that is entirely GC'd, but this seems like overkill for now. 21837 21838 This is performance-neutral. 21839 21840 * runtime/JSBoundFunction.cpp: 21841 (JSC::JSBoundFunction::destroy): 21842 (JSC): 21843 * runtime/JSBoundFunction.h: 21844 (JSBoundFunction): 21845 * runtime/JSFunction.cpp: 21846 (JSC): 21847 (JSC::JSFunction::destroy): 21848 * runtime/JSFunction.h: 21849 (JSFunction): 21850 218512012-11-13 Cosmin Truta <ctruta@rim.com> 21852 21853 Uninitialized fields in class JSLock 21854 https://bugs.webkit.org/show_bug.cgi?id=101695 21855 21856 Reviewed by Mark Hahnenberg. 21857 21858 Initialize JSLock::m_ownerThread and JSLock::m_lockDropDepth. 21859 21860 * runtime/JSLock.cpp: 21861 (JSC::JSLock::JSLock): 21862 218632012-11-13 Peter Gal <galpeter@inf.u-szeged.hu> 21864 21865 Fix the ARM traditional build after r134332 21866 https://bugs.webkit.org/show_bug.cgi?id=102044 21867 21868 Reviewed by Zoltan Herczeg. 21869 21870 Added missing methods for the MacroAssemblerARM, based on the MacroAssemblerARMv7. 21871 21872 * assembler/MacroAssemblerARM.h: 21873 (JSC::MacroAssemblerARM::canJumpReplacePatchableBranchPtrWithPatch): 21874 (MacroAssemblerARM): 21875 (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatch): 21876 (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch): 21877 218782012-11-12 Filip Pizlo <fpizlo@apple.com> 21879 21880 op_get_callee should have value profiling 21881 https://bugs.webkit.org/show_bug.cgi?id=102047 21882 21883 Reviewed by Sam Weinig. 21884 21885 This will allow us to detect if the callee is always the same, which is probably 21886 the common case for a lot of constructors. 
21887 21888 * bytecode/CodeBlock.cpp: 21889 (JSC::CodeBlock::CodeBlock): 21890 * bytecode/Opcode.h: 21891 (JSC): 21892 (JSC::padOpcodeName): 21893 * bytecompiler/BytecodeGenerator.cpp: 21894 (JSC::BytecodeGenerator::BytecodeGenerator): 21895 * jit/JITOpcodes.cpp: 21896 (JSC::JIT::emit_op_get_callee): 21897 * jit/JITOpcodes32_64.cpp: 21898 (JSC::JIT::emit_op_get_callee): 21899 * llint/LowLevelInterpreter32_64.asm: 21900 * llint/LowLevelInterpreter64.asm: 21901 219022012-11-12 Filip Pizlo <fpizlo@apple.com> 21903 21904 The act of getting the callee during 'this' construction should be explicit in bytecode 21905 https://bugs.webkit.org/show_bug.cgi?id=102016 21906 21907 Reviewed by Michael Saboff. 21908 21909 This is mostly a rollout of http://trac.webkit.org/changeset/116673, but also includes 21910 changes to have create_this use the result of get_callee. 21911 21912 No performance or behavioral impact. This is just meant to allow us to profile 21913 get_callee in the future. 21914 21915 * bytecode/CodeBlock.cpp: 21916 (JSC::CodeBlock::dump): 21917 * bytecode/Opcode.h: 21918 (JSC): 21919 (JSC::padOpcodeName): 21920 * bytecompiler/BytecodeGenerator.cpp: 21921 (JSC::BytecodeGenerator::BytecodeGenerator): 21922 * dfg/DFGByteCodeParser.cpp: 21923 (JSC::DFG::ByteCodeParser::parseBlock): 21924 * dfg/DFGCapabilities.h: 21925 (JSC::DFG::canCompileOpcode): 21926 * jit/JIT.cpp: 21927 (JSC::JIT::privateCompileMainPass): 21928 * jit/JIT.h: 21929 (JIT): 21930 * jit/JITOpcodes.cpp: 21931 (JSC::JIT::emit_op_get_callee): 21932 (JSC): 21933 (JSC::JIT::emit_op_create_this): 21934 * jit/JITOpcodes32_64.cpp: 21935 (JSC::JIT::emit_op_get_callee): 21936 (JSC): 21937 (JSC::JIT::emit_op_create_this): 21938 * llint/LLIntSlowPaths.cpp: 21939 (JSC::LLInt::LLINT_SLOW_PATH_DECL): 21940 * llint/LowLevelInterpreter32_64.asm: 21941 * llint/LowLevelInterpreter64.asm: 21942 219432012-11-12 Filip Pizlo <fpizlo@apple.com> 21944 21945 Unreviewed, fix ARMv7 build. 
21946 21947 * assembler/MacroAssemblerARMv7.h: 21948 (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatch): 21949 (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch): 21950 219512012-11-12 Filip Pizlo <fpizlo@apple.com> 21952 21953 Patching of jumps to stubs should use jump replacement rather than branch destination overwrite 21954 https://bugs.webkit.org/show_bug.cgi?id=101909 21955 21956 Reviewed by Geoffrey Garen. 21957 21958 This saves a few instructions in inline cases, on those architectures where it is 21959 easy to figure out where to put the jump replacement. Sub-1% speed-up across the 21960 board. 21961 21962 * assembler/MacroAssemblerARMv7.h: 21963 (MacroAssemblerARMv7): 21964 (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranchPtrWithPatch): 21965 (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatch): 21966 (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch): 21967 * assembler/MacroAssemblerX86.h: 21968 (JSC::MacroAssemblerX86::canJumpReplacePatchableBranchPtrWithPatch): 21969 (MacroAssemblerX86): 21970 (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatch): 21971 (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch): 21972 * assembler/MacroAssemblerX86_64.h: 21973 (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranchPtrWithPatch): 21974 (MacroAssemblerX86_64): 21975 (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatch): 21976 (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch): 21977 * assembler/RepatchBuffer.h: 21978 (JSC::RepatchBuffer::startOfPatchableBranchPtrWithPatch): 21979 (RepatchBuffer): 21980 (JSC::RepatchBuffer::replaceWithJump): 21981 (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranchPtrWithPatch): 21982 * assembler/X86Assembler.h: 21983 (X86Assembler): 21984 (JSC::X86Assembler::revertJumpTo_movq_i64r): 21985 (JSC::X86Assembler::revertJumpTo_cmpl_im_force32): 21986 
(X86InstructionFormatter): 21987 * bytecode/StructureStubInfo.h: 21988 * dfg/DFGRepatch.cpp: 21989 (JSC::DFG::replaceWithJump): 21990 (DFG): 21991 (JSC::DFG::tryCacheGetByID): 21992 (JSC::DFG::tryBuildGetByIDList): 21993 (JSC::DFG::tryBuildGetByIDProtoList): 21994 (JSC::DFG::tryCachePutByID): 21995 (JSC::DFG::dfgResetGetByID): 21996 (JSC::DFG::dfgResetPutByID): 21997 219982012-11-11 Filip Pizlo <fpizlo@apple.com> 21999 22000 DFG ArithMul overflow check elimination is too aggressive 22001 https://bugs.webkit.org/show_bug.cgi?id=101871 22002 22003 Reviewed by Oliver Hunt. 22004 22005 The code was ignoring the fact that ((a * b) | 0) == (((a | 0) * (b | 0)) | 0) 22006 only holds if a * b < 2^53. So, I changed it to only enable the optimization 22007 when a < 2^22 and b is an int32 (and vice versa), using a super trivial peephole 22008 analysis to prove the inequality. I considered writing an epic forward flow 22009 formulation that tracks the ranges of integer values but then I thought better 22010 of it. 22011 22012 This also rewires the ArithMul integer speculation logic. Previously, we would 22013 assume that an ArithMul was only UsedAsNumber if it escaped, and separately we 22014 would decide whether to speculate integer based on a proof of the <2^22 22015 inequality. Now, we treat the double rounding behavior of ArithMul as if the 22016 result was UsedAsNumber even if it did not escape. Then we try to prove that 22017 double rounding cannot happen by attemping to prove that a < 2^22. This then 22018 feeds back into the decision of whether or not to speculate integer (if we fail 22019 to prove a < 2^22 then we're UsedAsNumber, and if we're also MayOverflow then 22020 that forces double speculation). 22021 22022 No performance impact. It just fixes a bug. 
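The 2^53 argument in the entry above, worked through as an added example (not code from the ChangeLog or from JavaScriptCore): it contrasts the double product that `(a * b) | 0` actually computes with an exact wrapping int32 multiply, and encodes the entry's bound as a predicate. The helper names are mine, and reading "a < 2^22" as a bound on magnitude is my assumption.

```javascript
// Added example, not code from the WebKit ChangeLog or from JavaScriptCore itself.
// Shows why ((a * b) | 0) equals a true int32 multiply only while |a * b| < 2^53,
// and why bounding one operand below 2^22 (the other being any int32) guarantees it.

// What JavaScript evaluates for (a * b) | 0: an IEEE double product (rounded to
// 53 significant bits), then ToInt32.
function doubleMulThenToInt32(a, b) {
  return (a * b) | 0;
}

// The exact wrapping int32 product, computed in BigInt so no floating-point
// rounding can creep in. This is the value a 32-bit integer multiply yields
// (mod 2^32) before any overflow check decides whether to bail out.
function int32MulExact(a, b) {
  return Number(BigInt.asIntN(32, BigInt(a) * BigInt(b)));
}

function isInt32(x) {
  return (x | 0) === x;
}

// The ChangeLog's peephole condition as I read it: both operands are int32 and at
// least one is provably below 2^22 in magnitude (assumption: "a < 2^22" bounds the
// magnitude). Then |a * b| < 2^22 * 2^31 = 2^53, the double product is exact, and
// the two functions above must agree.
function mulIsExactInDouble(a, b) {
  const TWO_22 = 2 ** 22;
  return isInt32(a) && isInt32(b) && (Math.abs(a) < TWO_22 || Math.abs(b) < TWO_22);
}

// Does (a * b) | 0 match the exact wrapping int32 product for this operand pair?
function doubleAndInt32Agree(a, b) {
  return doubleMulThenToInt32(a, b) === int32MulExact(a, b);
}

// Constructed sample operands.
// (2^30 + 1)^2 = 2^60 + 2^31 + 1 needs 61 significant bits; the double rounds it
// down to 2^60 + 2^31, so ToInt32 sees 2^31 instead of 2^31 + 1 and the results differ.
const UNSAFE_A = 2 ** 30 + 1;
const UNSAFE_B = 2 ** 30 + 1;
// (2^22 - 1) * (2^31 - 1) < 2^53 is exactly representable, so no mismatch is possible.
const SAFE_A = 2 ** 22 - 1;
const SAFE_B = 2 ** 31 - 1;

if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  for (const [a, b] of [[UNSAFE_A, UNSAFE_B], [SAFE_A, SAFE_B]]) {
    console.log(a, '*', b,
      'provably exact:', mulIsExactInDouble(a, b),
      'double and int32 agree:', doubleAndInt32Agree(a, b));
  }
}
```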
22023 22024 * dfg/DFGGraph.h: 22025 (JSC::DFG::Graph::mulShouldSpeculateInteger): 22026 * dfg/DFGPredictionPropagationPhase.cpp: 22027 (PredictionPropagationPhase): 22028 (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant): 22029 (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive): 22030 (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo): 22031 (JSC::DFG::PredictionPropagationPhase::propagate): 22032 220332012-11-11 Filip Pizlo <fpizlo@apple.com> 22034 22035 DFG should not emit function checks if we've already proved that the operand is that exact function 22036 https://bugs.webkit.org/show_bug.cgi?id=101885 22037 22038 Reviewed by Oliver Hunt. 22039 22040 * dfg/DFGAbstractState.cpp: 22041 (JSC::DFG::AbstractState::execute): 22042 * dfg/DFGAbstractValue.h: 22043 (JSC::DFG::AbstractValue::filterByValue): 22044 (AbstractValue): 22045 * dfg/DFGConstantFoldingPhase.cpp: 22046 (JSC::DFG::ConstantFoldingPhase::foldConstants): 22047 220482012-11-12 Kentaro Hara <haraken@chromium.org> 22049 22050 [V8][JSC] ScriptProfileNode::callUID needs not to be [Custom] 22051 https://bugs.webkit.org/show_bug.cgi?id=101892 22052 22053 Reviewed by Adam Barth. 22054 22055 Added callUID(), which enables us to kill custom bindings for ScriptProfileNode::callUID. 22056 22057 * profiler/ProfileNode.h: 22058 (JSC::ProfileNode::callUID): 22059 220602012-11-12 Carlos Garcia Campos <cgarcia@igalia.com> 22061 22062 Unreviewed. Fix make distcheck. 22063 22064 * GNUmakefile.list.am: Add missing header. 22065 220662012-11-11 Michael Pruett <michael@68k.org> 22067 22068 Fix assertion failure in JSObject::tryGetIndexQuickly() 22069 https://bugs.webkit.org/show_bug.cgi?id=101869 22070 22071 Reviewed by Filip Pizlo. 22072 22073 Currently JSObject::tryGetIndexQuickly() triggers an assertion 22074 failure when the object has an undecided indexing type. This 22075 case should be treated the same as a blank indexing type. 
22076 22077 * runtime/JSObject.h: 22078 (JSC::JSObject::tryGetIndexQuickly): 22079 220802012-11-11 Filip Pizlo <fpizlo@apple.com> 22081 22082 DFG register allocation should be greedy rather than round-robin 22083 https://bugs.webkit.org/show_bug.cgi?id=101870 22084 22085 Reviewed by Geoffrey Garen. 22086 22087 This simplifies the code, reduces some code duplication, and shows some slight 22088 performance improvements in a few places, likely due to the fact that lower-numered 22089 registers also typically have smaller encodings. 22090 22091 * dfg/DFGRegisterBank.h: 22092 (JSC::DFG::RegisterBank::RegisterBank): 22093 (JSC::DFG::RegisterBank::tryAllocate): 22094 (JSC::DFG::RegisterBank::allocate): 22095 (JSC::DFG::RegisterBank::allocateInternal): 22096 (RegisterBank): 22097 220982012-11-11 Kenichi Ishibashi <bashi@chromium.org> 22099 22100 WTFString::utf8() should have a mode of conversion to use replacement character 22101 https://bugs.webkit.org/show_bug.cgi?id=101678 22102 22103 Reviewed by Alexey Proskuryakov. 22104 22105 Follow the change on String::utf8() 22106 22107 * runtime/JSGlobalObjectFunctions.cpp: 22108 (JSC::encode): Pass String::StrictConversion instead of true to String::utf8(). 22109 221102012-11-10 Filip Pizlo <fpizlo@apple.com> 22111 22112 DFG should optimize out the NaN check on loads from double arrays if the array prototype chain is having a great time 22113 https://bugs.webkit.org/show_bug.cgi?id=101718 22114 22115 Reviewed by Geoffrey Garen. 22116 22117 If we're reading from a JSArray in double mode, where the array's structure is 22118 primordial (all aspects of the structure are unchanged except for indexing type), 22119 and the result of the load is used in arithmetic that is known to not distinguish 22120 between NaN and undefined, then we should not emit a NaN check. Looks like a 5% 22121 win on navier-stokes. 22122 22123 Also fixed an OpInfo initialization goof for String ops that was revealed by this 22124 change. 
22125 22126 * dfg/DFGAbstractState.cpp: 22127 (JSC::DFG::AbstractState::execute): 22128 * dfg/DFGArrayMode.cpp: 22129 (JSC::DFG::arraySpeculationToString): 22130 * dfg/DFGArrayMode.h: 22131 (JSC::DFG::ArrayMode::isSaneChain): 22132 (ArrayMode): 22133 (JSC::DFG::ArrayMode::isInBounds): 22134 * dfg/DFGByteCodeParser.cpp: 22135 (JSC::DFG::ByteCodeParser::handleIntrinsic): 22136 * dfg/DFGFixupPhase.cpp: 22137 (JSC::DFG::FixupPhase::fixupNode): 22138 * dfg/DFGNodeFlags.cpp: 22139 (JSC::DFG::nodeFlagsAsString): 22140 * dfg/DFGNodeFlags.h: 22141 (DFG): 22142 * dfg/DFGPredictionPropagationPhase.cpp: 22143 (JSC::DFG::PredictionPropagationPhase::propagate): 22144 * dfg/DFGSpeculativeJIT32_64.cpp: 22145 (JSC::DFG::SpeculativeJIT::compile): 22146 * dfg/DFGSpeculativeJIT64.cpp: 22147 (JSC::DFG::SpeculativeJIT::compile): 22148 * runtime/JSGlobalObject.cpp: 22149 (JSC::JSGlobalObject::arrayPrototypeChainIsSane): 22150 (JSC): 22151 * runtime/JSGlobalObject.h: 22152 (JSGlobalObject): 22153 221542012-11-10 Filip Pizlo <fpizlo@apple.com> 22155 22156 DFG constant folding and CFG simplification should be smart enough to know that if a logical op's operand is proven to have a non-masquerading structure then it always evaluates to true 22157 https://bugs.webkit.org/show_bug.cgi?id=101511 22158 22159 Reviewed by Geoffrey Garen. 22160 22161 This is the second attempt at this patch, which fixes the !"" case. 22162 22163 To make life easier, this moves BranchDirection into BasicBlock so that after 22164 running the CFA, we always know, for each block, what direction the CFA 22165 proved. CFG simplification now both uses and preserves cfaBranchDirection in 22166 its transformations. 22167 22168 Also made both LogicalNot and Branch check whether the operand is a known cell 22169 with a known structure, and if so, made them do the appropriate folding. 22170 22171 5% speed-up on V8/raytrace because it makes raytrace's own null checks 22172 evaporate (i.e. 
idioms like 'if (!x) throw "unhappiness"') thanks to the fact 22173 that we were already doing structure check hoisting. 22174 22175 * JavaScriptCore.xcodeproj/project.pbxproj: 22176 * dfg/DFGAbstractState.cpp: 22177 (JSC::DFG::AbstractState::endBasicBlock): 22178 (JSC::DFG::AbstractState::execute): 22179 (JSC::DFG::AbstractState::mergeToSuccessors): 22180 * dfg/DFGAbstractState.h: 22181 (AbstractState): 22182 * dfg/DFGBasicBlock.h: 22183 (JSC::DFG::BasicBlock::BasicBlock): 22184 (BasicBlock): 22185 * dfg/DFGBranchDirection.h: Added. 22186 (DFG): 22187 (JSC::DFG::branchDirectionToString): 22188 (JSC::DFG::isKnownDirection): 22189 (JSC::DFG::branchCondition): 22190 * dfg/DFGCFGSimplificationPhase.cpp: 22191 (JSC::DFG::CFGSimplificationPhase::run): 22192 (JSC::DFG::CFGSimplificationPhase::mergeBlocks): 22193 221942012-11-10 Sheriff Bot <webkit.review.bot@gmail.com> 22195 22196 Unreviewed, rolling out r133971. 22197 http://trac.webkit.org/changeset/133971 22198 https://bugs.webkit.org/show_bug.cgi?id=101839 22199 22200 Causes WebProcess to hang at 100% on www.apple.com (Requested 22201 by kling on #webkit). 22202 22203 * JavaScriptCore.xcodeproj/project.pbxproj: 22204 * dfg/DFGAbstractState.cpp: 22205 (JSC::DFG::AbstractState::endBasicBlock): 22206 (JSC::DFG::AbstractState::execute): 22207 (JSC::DFG::AbstractState::mergeToSuccessors): 22208 * dfg/DFGAbstractState.h: 22209 (JSC::DFG::AbstractState::branchDirectionToString): 22210 (AbstractState): 22211 * dfg/DFGBasicBlock.h: 22212 (JSC::DFG::BasicBlock::BasicBlock): 22213 (BasicBlock): 22214 * dfg/DFGBranchDirection.h: Removed. 
22215 * dfg/DFGCFGSimplificationPhase.cpp: 22216 (JSC::DFG::CFGSimplificationPhase::run): 22217 (JSC::DFG::CFGSimplificationPhase::mergeBlocks): 22218 222192012-11-09 Filip Pizlo <fpizlo@apple.com> 22220 22221 If the DFG ArrayMode says that an access is on an OriginalArray, then the checks should always enforce this 22222 https://bugs.webkit.org/show_bug.cgi?id=101720 22223 22224 Reviewed by Mark Hahnenberg. 22225 22226 Previously, "original" arrays was just a hint that we could find the structure 22227 of the array if we needed to even if the array profile didn't have it due to 22228 polymorphism. Now, "original" arrays are a property that is actually checked: 22229 if an array access has ArrayMode::arrayClass() == Array::OriginalArray, then we 22230 can be sure that the code performing the access is dealing with not just a 22231 JSArray, but a JSArray that has no named properties, no indexed accessors, and 22232 the ArrayPrototype as its prototype. This will be useful for optimizations that 22233 are being done as part of https://bugs.webkit.org/show_bug.cgi?id=101720. 
22234 22235 * dfg/DFGAbstractState.cpp: 22236 (JSC::DFG::AbstractState::execute): 22237 * dfg/DFGArrayMode.cpp: 22238 (JSC::DFG::ArrayMode::originalArrayStructure): 22239 (DFG): 22240 (JSC::DFG::ArrayMode::alreadyChecked): 22241 * dfg/DFGArrayMode.h: 22242 (JSC): 22243 (DFG): 22244 (JSC::DFG::ArrayMode::withProfile): 22245 (ArrayMode): 22246 (JSC::DFG::ArrayMode::benefitsFromOriginalArray): 22247 * dfg/DFGConstantFoldingPhase.cpp: 22248 (JSC::DFG::ConstantFoldingPhase::foldConstants): 22249 * dfg/DFGFixupPhase.cpp: 22250 (JSC::DFG::FixupPhase::checkArray): 22251 * dfg/DFGSpeculativeJIT.cpp: 22252 (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode): 22253 (JSC::DFG::SpeculativeJIT::checkArray): 22254 (JSC::DFG::SpeculativeJIT::compileGetByValOnString): 22255 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): 22256 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): 22257 (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray): 22258 (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): 22259 (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): 22260 222612012-11-09 Filip Pizlo <fpizlo@apple.com> 22262 22263 Fix indentation of BooleanPrototype.h 22264 22265 Rubber stamped by Mark Hahnenberg. 22266 22267 * runtime/BooleanPrototype.h: 22268 222692012-11-09 Filip Pizlo <fpizlo@apple.com> 22270 22271 Fix indentation of BooleanObject.h 22272 22273 Rubber stamped by Mark Hahnenberg. 22274 22275 * runtime/BooleanObject.h: 22276 222772012-11-09 Filip Pizlo <fpizlo@apple.com> 22278 22279 Fix indentation of BooleanConstructor.h 22280 22281 Rubber stamped by Mark Hahnenberg. 22282 22283 * runtime/BooleanConstructor.h: 22284 222852012-11-09 Filip Pizlo <fpizlo@apple.com> 22286 22287 Fix indentation of BatchedTransitionOptimizer.h 22288 22289 Rubber stamped by Mark Hahnenberg. 
22290 22291 * runtime/BatchedTransitionOptimizer.h: 22292 222932012-11-09 Oliver Hunt <oliver@apple.com> 22294 22295 So Thingy probably isn't the best name for a class, so 22296 renamed to CacheMap. 22297 22298 RS=Geoff 22299 22300 * runtime/CodeCache.h: 22301 (JSC::CacheMap::CacheMap): 22302 223032012-11-09 Filip Pizlo <fpizlo@apple.com> 22304 22305 ArrayPrototype should start out with a blank indexing type 22306 https://bugs.webkit.org/show_bug.cgi?id=101719 22307 22308 Reviewed by Mark Hahnenberg. 22309 22310 This allows us to track if the array prototype ever ends up with indexed 22311 properties. 22312 22313 * runtime/ArrayPrototype.cpp: 22314 (JSC::ArrayPrototype::create): 22315 (JSC::ArrayPrototype::ArrayPrototype): 22316 * runtime/ArrayPrototype.h: 22317 (ArrayPrototype): 22318 (JSC::ArrayPrototype::createStructure): 22319 223202012-11-08 Mark Hahnenberg <mhahnenberg@apple.com> 22321 22322 MarkStackArray should use the BlockAllocator instead of the MarkStackSegmentAllocator 22323 https://bugs.webkit.org/show_bug.cgi?id=101642 22324 22325 Reviewed by Filip Pizlo. 22326 22327 MarkStackSegmentAllocator is like a miniature version of the BlockAllocator. Now that the BlockAllocator has support 22328 for a variety of block sizes, we should get rid of the MarkStackSegmentAllocator in favor of the BlockAllocator. 22329 22330 * heap/BlockAllocator.h: Add new specializations of regionSetFor for the new MarkStackSegments. 22331 (JSC): 22332 (JSC::MarkStackSegment): 22333 * heap/GCThreadSharedData.cpp: 22334 (JSC::GCThreadSharedData::GCThreadSharedData): 22335 (JSC::GCThreadSharedData::reset): 22336 * heap/GCThreadSharedData.h: 22337 (GCThreadSharedData): 22338 * heap/MarkStack.cpp: 22339 (JSC::MarkStackArray::MarkStackArray): We now have a doubly linked list of MarkStackSegments, so we need to refactor 22340 all the places that used the old custom tail/previous logic. 
22341 (JSC::MarkStackArray::~MarkStackArray): 22342 (JSC::MarkStackArray::expand): 22343 (JSC::MarkStackArray::refill): 22344 (JSC::MarkStackArray::donateSomeCellsTo): Refactor to use the new linked list. 22345 (JSC::MarkStackArray::stealSomeCellsFrom): Ditto. 22346 * heap/MarkStack.h: 22347 (JSC): 22348 (MarkStackSegment): 22349 (JSC::MarkStackSegment::MarkStackSegment): 22350 (JSC::MarkStackSegment::sizeFromCapacity): 22351 (MarkStackArray): 22352 * heap/MarkStackInlines.h: 22353 (JSC::MarkStackSegment::create): 22354 (JSC): 22355 (JSC::MarkStackArray::postIncTop): 22356 (JSC::MarkStackArray::preDecTop): 22357 (JSC::MarkStackArray::setTopForFullSegment): 22358 (JSC::MarkStackArray::setTopForEmptySegment): 22359 (JSC::MarkStackArray::top): 22360 (JSC::MarkStackArray::validatePrevious): 22361 (JSC::MarkStackArray::append): 22362 (JSC::MarkStackArray::removeLast): 22363 (JSC::MarkStackArray::isEmpty): 22364 (JSC::MarkStackArray::size): 22365 * heap/SlotVisitor.cpp: 22366 (JSC::SlotVisitor::SlotVisitor): 22367 223682012-11-09 Gabor Ballabas <gaborb@inf.u-szeged.hu> 22369 22370 [Qt] r133953 broke the ARM_TRADITIONAL build 22371 https://bugs.webkit.org/show_bug.cgi?id=101706 22372 22373 Reviewed by Csaba Osztrogonác. 22374 22375 Fix for both hardfp and softfp. 22376 22377 * dfg/DFGCCallHelpers.h: 22378 (CCallHelpers): 22379 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState): 22380 223812012-11-09 Sheriff Bot <webkit.review.bot@gmail.com> 22382 22383 Unreviewed, rolling out r134051. 22384 http://trac.webkit.org/changeset/134051 22385 https://bugs.webkit.org/show_bug.cgi?id=101757 22386 22387 It didn't fix the build (Requested by Ossy on #webkit). 22388 22389 * dfg/DFGCCallHelpers.h: 22390 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState): 22391 223922012-11-09 Gabor Ballabas <gaborb@inf.u-szeged.hu> 22393 22394 [Qt] r133953 broke the ARM_TRADITIONAL build 22395 https://bugs.webkit.org/show_bug.cgi?id=101706 22396 22397 Reviewed by Csaba Osztrogonác. 
22398 22399 Fix the ARM_TRADITIONAL build after r133953 22400 22401 * dfg/DFGCCallHelpers.h: 22402 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState): 22403 (CCallHelpers): 22404 224052012-11-09 Csaba Osztrogonác <ossy@webkit.org> 22406 22407 [Qt] Fix the LLINT build from ARMv7 platform 22408 https://bugs.webkit.org/show_bug.cgi?id=101712 22409 22410 Reviewed by Simon Hausmann. 22411 22412 Enable generating of LLIntAssembly.h on ARM platforms. 22413 22414 * DerivedSources.pri: 22415 * JavaScriptCore.pro: 22416 224172012-11-08 Filip Pizlo <fpizlo@apple.com> 22418 22419 ArrayPrototype.h should have correct indentation 22420 22421 Rubber stamped by Sam Weinig. 22422 22423 * runtime/ArrayPrototype.h: 22424 224252012-11-08 Mark Lam <mark.lam@apple.com> 22426 22427 Renamed ...InlineMethods.h files to ...Inlines.h. 22428 https://bugs.webkit.org/show_bug.cgi?id=101145. 22429 22430 Reviewed by Geoffrey Garen. 22431 22432 This is only a refactoring effort to rename the files. There are no 22433 functionality changes. 22434 22435 * API/JSObjectRef.cpp: 22436 * GNUmakefile.list.am: 22437 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: 22438 * JavaScriptCore.xcodeproj/project.pbxproj: 22439 * bytecode/CodeBlock.cpp: 22440 * dfg/DFGOperations.cpp: 22441 * heap/ConservativeRoots.cpp: 22442 * heap/CopiedBlock.h: 22443 * heap/CopiedSpace.cpp: 22444 * heap/CopiedSpaceInlineMethods.h: Removed. 22445 * heap/CopiedSpaceInlines.h: Copied from Source/JavaScriptCore/heap/CopiedSpaceInlineMethods.h. 22446 * heap/CopyVisitor.cpp: 22447 * heap/CopyVisitorInlineMethods.h: Removed. 22448 * heap/CopyVisitorInlines.h: Copied from Source/JavaScriptCore/heap/CopyVisitorInlineMethods.h. 22449 * heap/GCThread.cpp: 22450 * heap/GCThreadSharedData.cpp: 22451 * heap/HandleStack.cpp: 22452 * heap/Heap.cpp: 22453 * heap/HeapRootVisitor.h: 22454 * heap/MarkStack.cpp: 22455 * heap/MarkStackInlineMethods.h: Removed. 
22456 * heap/MarkStackInlines.h: Copied from Source/JavaScriptCore/heap/MarkStackInlineMethods.h. 22457 * heap/SlotVisitor.cpp: 22458 * heap/SlotVisitor.h: 22459 * heap/SlotVisitorInlineMethods.h: Removed. 22460 * heap/SlotVisitorInlines.h: Copied from Source/JavaScriptCore/heap/SlotVisitorInlineMethods.h. 22461 * jit/HostCallReturnValue.cpp: 22462 * jit/JIT.cpp: 22463 * jit/JITArithmetic.cpp: 22464 * jit/JITArithmetic32_64.cpp: 22465 * jit/JITCall.cpp: 22466 * jit/JITCall32_64.cpp: 22467 * jit/JITInlineMethods.h: Removed. 22468 * jit/JITInlines.h: Copied from Source/JavaScriptCore/jit/JITInlineMethods.h. 22469 * jit/JITOpcodes.cpp: 22470 * jit/JITOpcodes32_64.cpp: 22471 * jit/JITPropertyAccess.cpp: 22472 * jit/JITPropertyAccess32_64.cpp: 22473 * jsc.cpp: 22474 * runtime/ArrayConstructor.cpp: 22475 * runtime/ArrayPrototype.cpp: 22476 * runtime/ButterflyInlineMethods.h: Removed. 22477 * runtime/ButterflyInlines.h: Copied from Source/JavaScriptCore/runtime/ButterflyInlineMethods.h. 22478 * runtime/IndexingHeaderInlineMethods.h: Removed. 22479 * runtime/IndexingHeaderInlines.h: Copied from Source/JavaScriptCore/runtime/IndexingHeaderInlineMethods.h. 22480 * runtime/JSActivation.h: 22481 * runtime/JSArray.cpp: 22482 * runtime/JSArray.h: 22483 * runtime/JSCell.h: 22484 * runtime/JSObject.cpp: 22485 * runtime/JSValueInlineMethods.h: Removed. 22486 * runtime/JSValueInlines.h: Copied from Source/JavaScriptCore/runtime/JSValueInlineMethods.h. 22487 * runtime/LiteralParser.cpp: 22488 * runtime/ObjectConstructor.cpp: 22489 * runtime/Operations.h: 22490 * runtime/RegExpMatchesArray.cpp: 22491 * runtime/RegExpObject.cpp: 22492 * runtime/StringPrototype.cpp: 22493 224942012-11-08 Filip Pizlo <fpizlo@apple.com> 22495 22496 ArrayConstructor.h should have correct indentation 22497 22498 Rubber stamped by Sam Weinig. 

        * runtime/ArrayConstructor.h:

2012-11-08  Filip Pizlo  <fpizlo@apple.com>

        DFG should know that int == null is always false
        https://bugs.webkit.org/show_bug.cgi?id=101665

        Reviewed by Oliver Hunt.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):

2012-11-08  Filip Pizlo  <fpizlo@apple.com>

        Arguments.h should have correct indentation

        Rubber stamped by Sam Weinig.

        * runtime/Arguments.h:

2012-11-08  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to JIT compile get_by_vals and put_by_vals even if the DFG is disabled.

        Reviewed by Oliver Hunt.

        * jit/JITInlineMethods.h:
        (JSC::JIT::chooseArrayMode):

2012-11-08  Filip Pizlo  <fpizlo@apple.com>

        op_call should have LLInt call link info even if the DFG is disabled
        https://bugs.webkit.org/show_bug.cgi?id=101672

        Reviewed by Oliver Hunt.

        Get rid of the evil uses of fall-through.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

2012-11-08  Oliver Hunt  <oliver@apple.com>

        Improve effectiveness of function-level caching
        https://bugs.webkit.org/show_bug.cgi?id=101667

        Reviewed by Filip Pizlo.

        Added a random-eviction based cache for unlinked functions, and switched
        UnlinkedFunctionExecutable's code references to Weak<>, thereby letting
        us remove the explicit UnlinkedFunctionExecutable::clearCode() calls that
        were being triggered by GC.

        Refactored the random eviction part of the CodeCache into a separate data
        structure so that I didn't have to duplicate the code again, and then used
        that for the new function cache.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::clearCodeForRecompilation):
        (UnlinkedFunctionExecutable):
        * debugger/Debugger.cpp:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getCodeBlock):
        (JSC::CodeCache::generateFunctionCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        (JSC::CodeCache::usedFunctionCode):
        (JSC):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilationIfNotCompiling):
        (JSC::FunctionExecutable::clearCode):
        * runtime/Executable.h:
        (FunctionExecutable):

2012-11-07  Filip Pizlo  <fpizlo@apple.com>

        DFG constant folding and CFG simplification should be smart enough to know that if a logical op's operand is proven to have a non-masquerading structure then it always evaluates to true
        https://bugs.webkit.org/show_bug.cgi?id=101511

        Reviewed by Oliver Hunt.

        To make life easier, this moves BranchDirection into BasicBlock so that after
        running the CFA, we always know, for each block, what direction the CFA
        proved. CFG simplification now both uses and preserves cfaBranchDirection in
        its transformations.

        Also made both LogicalNot and Branch check whether the operand is a known cell
        with a known structure, and if so, made them do the appropriate folding.

        5% speed-up on V8/raytrace because it makes raytrace's own null checks
        evaporate (i.e. idioms like 'if (!x) throw "unhappiness"') thanks to the fact
        that we were already doing structure check hoisting.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::endBasicBlock):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        * dfg/DFGAbstractState.h:
        (AbstractState):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::BasicBlock):
        (BasicBlock):
        * dfg/DFGBranchDirection.h: Added.
        (DFG):
        (JSC::DFG::branchDirectionToString):
        (JSC::DFG::isKnownDirection):
        (JSC::DFG::branchCondition):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):

2012-11-08  Christophe Dumez  <christophe.dumez@intel.com>

        [JSC] HTML extensions to String.prototype should escape " as &quot; in argument values
        https://bugs.webkit.org/show_bug.cgi?id=90667

        Reviewed by Benjamin Poulain.

        Escape quotation mark as &quot; in argument values to:
        - String.prototype.anchor(name)
        - String.prototype.fontcolor(color)
        - String.prototype.fontsize(size)
        - String.prototype.link(href)

        This behavior matches Chromium/V8 and Firefox/Spidermonkey
        implementations and is required by:
        http://mathias.html5.org/specs/javascript/#escapeattributevalue

        This also fixes a potential security risk (XSS vector).

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncFontcolor):
        (JSC::stringProtoFuncFontsize):
        (JSC::stringProtoFuncAnchor):
        (JSC::stringProtoFuncLink):

2012-11-08  Anders Carlsson  <andersca@apple.com>

        HeapStatistics::s_pauseTimeStarts and s_pauseTimeEnds should be Vectors
        https://bugs.webkit.org/show_bug.cgi?id=101651

        Reviewed by Andreas Kling.

        HeapStatistics uses Deques when Vectors would work just as well.

        * heap/HeapStatistics.cpp:
        * heap/HeapStatistics.h:
        (HeapStatistics):

2012-11-07  Filip Pizlo  <fpizlo@apple.com>

        DFG should not assume that something is a double just because it might be undefined
        https://bugs.webkit.org/show_bug.cgi?id=101438

        Reviewed by Oliver Hunt.

        This changes all non-bitop arithmetic to (a) statically expect that variables are
        defined prior to use in arithmetic and (b) not fall off into double paths just
        because a value may not be a number. This is accomplished with two new notions of
        speculation:

        shouldSpeculateIntegerExpectingDefined: Should we speculate that the value is an
        integer if we ignore undefined (i.e. SpecOther) predictions?

        shouldSpeculateIntegerForArithmetic: Should we speculate that the value is an
        integer if we ignore non-numeric predictions?

        This is a ~2x speed-up on programs that seem to our prediction propagator to have
        paths in which otherwise numeric variables are undefined.

        * bytecode/SpeculatedType.h:
        (JSC::isInt32SpeculationForArithmetic):
        (JSC):
        (JSC::isInt32SpeculationExpectingDefined):
        (JSC::isDoubleSpeculationForArithmetic):
        (JSC::isNumberSpeculationExpectingDefined):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateInteger):
        (JSC::DFG::Graph::mulShouldSpeculateInteger):
        (JSC::DFG::Graph::negateShouldSpeculateInteger):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
        (JSC::DFG::Graph::mulImmediateShouldSpeculateInteger):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateIntegerForArithmetic):
        (Node):
        (JSC::DFG::Node::shouldSpeculateIntegerExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic):
        (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_div):

2012-11-06  Filip Pizlo  <fpizlo@apple.com>

        JSC should infer when indexed storage contains only integers or doubles
        https://bugs.webkit.org/show_bug.cgi?id=98606

        Reviewed by Oliver Hunt.

        This adds two new indexing types: int32 and double. It also adds array allocation profiling,
        which allows array allocations to converge to allocating arrays using those types to which
        those arrays would have been converted.

        20% speed-up on navier-stokes. 40% speed-up on various Kraken DSP tests. Some slow-downs too,
        but a performance win overall on all benchmarks we track.

        * API/JSObjectRef.cpp:
        (JSObjectMakeArray):
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/AbstractMacroAssembler.h:
        (JumpList):
        (JSC::AbstractMacroAssembler::JumpList::JumpList):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchDouble):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::jnp):
        (X86Assembler):
        (JSC::X86Assembler::X86InstructionFormatter::emitRex):
        * bytecode/ArrayAllocationProfile.cpp: Added.
        (JSC):
        (JSC::ArrayAllocationProfile::updateIndexingType):
        * bytecode/ArrayAllocationProfile.h: Added.
        (JSC):
        (ArrayAllocationProfile):
        (JSC::ArrayAllocationProfile::ArrayAllocationProfile):
        (JSC::ArrayAllocationProfile::selectIndexingType):
        (JSC::ArrayAllocationProfile::updateLastAllocation):
        (JSC::ArrayAllocationProfile::selectIndexingTypeFor):
        (JSC::ArrayAllocationProfile::updateLastAllocationFor):
        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::updatedObservedArrayModes):
        (JSC):
        * bytecode/ArrayProfile.h:
        (JSC):
        (JSC::arrayModesInclude):
        (JSC::shouldUseSlowPutArrayStorage):
        (JSC::shouldUseFastArrayStorage):
        (JSC::shouldUseContiguous):
        (JSC::shouldUseDouble):
        (JSC::shouldUseInt32):
        (ArrayProfile):
        * bytecode/ByValInfo.h:
        (JSC::isOptimizableIndexingType):
        (JSC::jitArrayModeForIndexingType):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
        (JSC):
        (JSC::CodeBlock::updateAllValueProfilePredictions):
        (JSC::CodeBlock::updateAllArrayPredictions):
        (JSC::CodeBlock::updateAllPredictions):
        (JSC::CodeBlock::shouldOptimizeNow):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::numberOfArrayAllocationProfiles):
        (JSC::CodeBlock::addArrayAllocationProfile):
        (JSC::CodeBlock::updateAllValueProfilePredictions):
        (JSC::CodeBlock::updateAllArrayPredictions):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::exitKindToString):
        * bytecode/Instruction.h:
        (JSC):
        (JSC::Instruction::Instruction):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/SpeculatedType.h:
        (JSC):
        (JSC::isRealNumberSpeculation):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC):
        (JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
        (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles):
        (UnlinkedCodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newArrayAllocationProfile):
        (JSC):
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        (JSC::DFG::ArrayMode::refine):
        (DFG):
        (JSC::DFG::ArrayMode::alreadyChecked):
        (JSC::DFG::arrayTypeToString):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::withType):
        (ArrayMode):
        (JSC::DFG::ArrayMode::withTypeAndConversion):
        (JSC::DFG::ArrayMode::usesButterfly):
        (JSC::DFG::ArrayMode::isSpecific):
        (JSC::DFG::ArrayMode::supportsLength):
        (JSC::DFG::ArrayMode::arrayModesThatPassFiltering):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getArrayMode):
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        (CCallHelpers):
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        (JSC::DFG::CallArrayAllocatorSlowPathGenerator::generateInternal):
        (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::generateInternal):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::byValIsPure):
        * dfg/DFGNode.h:
        (NewArrayBufferData):
        (JSC::DFG::Node::hasIndexingType):
        (Node):
        (JSC::DFG::Node::indexingType):
        (JSC::DFG::Node::setIndexingType):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        (DFG):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::arrayify):
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (SpeculativeJIT):
        (SpeculateIntegerOperand):
        (JSC::DFG::SpeculateIntegerOperand::use):
        (SpeculateDoubleOperand):
        (JSC::DFG::SpeculateDoubleOperand::use):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.h:
        (JSC::JIT::emitInt32GetByVal):
        (JIT):
        (JSC::JIT::emitInt32PutByVal):
        (JSC::JIT::emitDoublePutByVal):
        (JSC::JIT::emitContiguousPutByVal):
        * jit/JITExceptions.cpp:
        (JSC::genericThrow):
        * jit/JITInlineMethods.h:
        (JSC::arrayProfileSaw):
        (JSC::JIT::chooseArrayMode):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array):
        (JSC::JIT::emit_op_new_array_with_size):
        (JSC::JIT::emit_op_new_array_buffer):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitDoubleGetByVal):
        (JSC):
        (JSC::JIT::emitContiguousGetByVal):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitContiguousGetByVal):
        (JSC::JIT::emitDoubleGetByVal):
        (JSC):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitSlow_op_put_by_val):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        (JSC):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/x86.rb:
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayConstructor.h:
        (JSC):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        * runtime/Butterfly.h:
        (JSC::Butterfly::contiguousInt32):
        (JSC::Butterfly::contiguousDouble):
        (JSC::Butterfly::fromContiguous):
        * runtime/ButterflyInlineMethods.h:
        (JSC::Butterfly::createUninitializedDuringCollection):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncBind):
        * runtime/IndexingHeaderInlineMethods.h:
        (JSC::IndexingHeader::indexingPayloadSizeInBytes):
        * runtime/IndexingType.cpp:
        (JSC::leastUpperBoundOfIndexingTypes):
        (JSC):
        (JSC::leastUpperBoundOfIndexingTypeAndType):
        (JSC::leastUpperBoundOfIndexingTypeAndValue):
        (JSC::indexingTypeToString):
        * runtime/IndexingType.h:
        (JSC):
        (JSC::hasUndecided):
        (JSC::hasInt32):
        (JSC::hasDouble):
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::compareNumbersForQSortWithInt32):
        (JSC):
        (JSC::compareNumbersForQSortWithDouble):
        (JSC::JSArray::sortNumericVector):
        (JSC::JSArray::sortNumeric):
        (JSC::JSArray::sortCompactedVector):
        (JSC::JSArray::sort):
        (JSC::JSArray::sortVector):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        (JSC::JSArray::compactForSorting):
        * runtime/JSArray.h:
        (JSArray):
        (JSC::createContiguousArrayButterfly):
        (JSC::JSArray::create):
        (JSC::JSArray::tryCreateUninitialized):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC):
        (JSC::JSGlobalObject::haveABadTime):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::originalArrayStructureForIndexingType):
        (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
        (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
        (JSC::JSGlobalObject::isOriginalArrayStructure):
        (JSC::constructEmptyArray):
        (JSC::constructArray):
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::enterDictionaryIndexingMode):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::convertUndecidedForValue):
        (JSC::JSObject::convertInt32ForValue):
        (JSC::JSObject::setIndexQuicklyToUndecided):
        (JSC::JSObject::convertInt32ToDoubleOrContiguousWhilePerformingSetIndex):
        (JSC::JSObject::convertDoubleToContiguousWhilePerformingSetIndex):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        (JSC::JSObject::getNewVectorLength):
        (JSC::JSObject::countElements):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/JSObject.h:
        (JSC::JSObject::getArrayLength):
        (JSC::JSObject::getVectorLength):
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly):
        (JSC::JSObject::canSetIndexQuickly):
        (JSC::JSObject::canSetIndexQuicklyForPutDirect):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::hasSparseMap):
        (JSC::JSObject::inSparseIndexingMode):
        (JSObject):
        (JSC::JSObject::ensureInt32):
        (JSC::JSObject::ensureDouble):
        (JSC::JSObject::ensureLength):
        (JSC::JSObject::indexingData):
        (JSC::JSObject::currentIndexingData):
        (JSC::JSObject::getHolyIndexQuickly):
        (JSC::JSObject::relevantLength):
        (JSC::JSObject::currentRelevantLength):
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):
        * runtime/LiteralParser.cpp:
        (JSC::::parse):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSplit):
        * runtime/Structure.cpp:
        (JSC::Structure::nonPropertyTransition):
        * runtime/StructureTransitionTable.h:
        (JSC::newIndexingType):

2012-11-08  Balazs Kilvady  <kilvadyb@homejinni.com>

        ASSERT problem on MIPS
        https://bugs.webkit.org/show_bug.cgi?id=100589

        Reviewed by Oliver Hunt.

        ASSERT fix for MIPS arch.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_resolve_operations):

2012-11-08  Michael Saboff  <msaboff@apple.com>

        OpaqueJSClassContextData() should use StringImpl::isolatedCopy() to make string copies
        https://bugs.webkit.org/show_bug.cgi?id=101507

        Reviewed by Andreas Kling.

        Changed to use isolatedCopy() for key Strings.

        * API/JSClassRef.cpp:
        (OpaqueJSClassContextData::OpaqueJSClassContextData):

2012-11-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        WeakBlocks should be HeapBlocks
        https://bugs.webkit.org/show_bug.cgi?id=101411

        Reviewed by Oliver Hunt.

        Currently WeakBlocks use fastMalloc memory. They are very similar to the other HeapBlocks, however,
        so we should change them to be allocated with the BlockAllocator.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::BlockAllocator):
        * heap/BlockAllocator.h: Added a new RegionSet for WeakBlocks.
        (JSC):
        (BlockAllocator):
        (JSC::WeakBlock):
        * heap/Heap.h: Friended WeakSet to allow access to the BlockAllocator.
        (Heap):
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::create): Refactored to use HeapBlocks rather than fastMalloc.
        (JSC::WeakBlock::WeakBlock):
        * heap/WeakBlock.h: Changed the WeakBlock size to 4 KB so that it divides evenly into the Region size.
        (JSC):
        (WeakBlock):
        * heap/WeakSet.cpp:
        (JSC::WeakSet::~WeakSet):
        (JSC::WeakSet::addAllocator):

2012-11-07  Filip Pizlo  <fpizlo@apple.com>

        Indentation of ArgList.h is wrong
        https://bugs.webkit.org/show_bug.cgi?id=101441

        Reviewed by Andreas Kling.

        Just unindented by 4 spaces.

        * runtime/ArgList.h:

2012-11-07  Gabor Ballabas  <gaborb@inf.u-szeged.hu>

        [Qt][ARM] REGRESSION(r133688): It made all JSC and layout tests crash on ARM traditional platform
        https://bugs.webkit.org/show_bug.cgi?id=101465

        Reviewed by Oliver Hunt.

        Fix failing javascriptcore tests on ARM after r133688.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

2012-11-06  Oliver Hunt  <oliver@apple.com>

        Reduce parser overhead in JSC
        https://bugs.webkit.org/show_bug.cgi?id=101127

        Reviewed by Filip Pizlo.

        An exciting journey into the world of architecture in which our hero
        adds yet another layer to JSC code generation.

        This patch adds a marginally more compact form of bytecode that is
        free from any data specific to a given execution context, and that
        does store any data structures necessary for execution. To actually
        execute this UnlinkedBytecode we still need to instantiate a real
        CodeBlock, but this is a much faster linear time operation than any
        of the earlier parsing or code generation passes.

        As the unlinked code is context free we can then simply use a cache
        from source to unlinked code mapping to completely avoid all of the
        old parser overhead. The cache is currently very simple and memory
        heavy, using the complete source text as a key (rather than SourceCode
        or equivalent), and a random eviction policy.

        This seems to produce a substantial win when loading identical content
        in different contexts.

        * API/tests/testapi.c:
        (main):
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        Moved a number of fields, and a bunch of logic to UnlinkedCodeBlock.h/cpp
        * bytecode/Opcode.h:
        Added a global const init no op instruction needed to get correct
        behaviour without any associated semantics.
        * bytecode/UnlinkedCodeBlock.cpp: Added.
        * bytecode/UnlinkedCodeBlock.h: Added.
        A fairly shallow, GC allocated version of the old CodeBlock
        classes with a 32bit instruction size, and just metadata
        size tracking.
        * bytecompiler/BytecodeGenerator.cpp:
        * bytecompiler/BytecodeGenerator.h:
        Replace direct access to m_symbolTable with access through
        symbolTable(). ProgramCode no longer has a symbol table at
        all so some previously unconditional (and pointless) uses
        of symbolTable get null checks.
        A few other changes to deal with type changes due to us generating
        unlinked code (eg. pointer free, so profile indices rather than
        pointers).
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCapabilities.h:
        Support global_init_nop
        * interpreter/Interpreter.cpp:
        Now get the ProgramExecutable to initialise new global properties
        before starting execution.
        * jit/JIT.cpp:
        * jit/JITDriver.h:
        * jit/JITStubs.cpp:
        * llint/LLIntData.cpp:
        * llint/LLIntSlowPaths.cpp:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        Adding init_global_const_nop everywhere else
        * parser/Parser.h:
        * parser/ParserModes.h: Added.
        * parser/ParserTokens.h:
        Parser no longer needs a global object or callframe to function
        * runtime/CodeCache.cpp: Added.
        * runtime/CodeCache.h: Added.
        A simple, random eviction, Source->UnlinkedCode cache
        * runtime/Executable.cpp:
        * runtime/Executable.h:
        Executables now reference their unlinked counterparts, and
        request code specifically for the target global object.
        * runtime/JSGlobalData.cpp:
        * runtime/JSGlobalData.h:
        GlobalData now owns a CodeCache and a set of new structures
        for the unlinked code types.
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        Utility functions used by executables to perform compilation

        * runtime/JSType.h:
        Add new JSTypes for unlinked code

2012-11-06  Michael Saboff  <msaboff@apple.com>

        JSStringCreateWithCFString() Should create an 8 bit String if possible
        https://bugs.webkit.org/show_bug.cgi?id=101104

        Reviewed by Darin Adler.

        Try converting the CFString to an 8 bit string using CFStringGetBytes(...,
        kCFStringEncodingISOLatin1, ...) and return the 8 bit string if successful.
        If not, proceed with 16 bit conversion.

        * API/JSStringRefCF.cpp:
        (JSStringCreateWithCFString):

2012-11-06  Oliver Hunt  <oliver@apple.com>

        Reduce direct m_symbolTable usage in CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=101391

        Reviewed by Sam Weinig.

        Simple refactoring.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::dumpStatistics):
        (JSC::CodeBlock::nameForRegister):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::isCaptured):

2012-11-06  Michael Saboff  <msaboff@apple.com>

        Lexer::scanRegExp, create 8 bit pattern and flag Identifiers from 16 bit source when possible
        https://bugs.webkit.org/show_bug.cgi?id=101013

        Reviewed by Darin Adler.

        Changed scanRegExp so that it will create 8 bit identifiers from 8 bit sources and from 16 bit sources
        when all the characters are 8 bit. Using two templated helpers, the "is all 8 bit" check is only performed
        on 16 bit sources. The first helper is orCharacter() that will accumulate the or value of all characters
        only for 16 bit sources. Replaced the helper Lexer::makeIdentifierSameType() with Lexer::makeRightSizedIdentifier().

        * parser/Lexer.cpp:
        (JSC::orCharacter<LChar>): Explicit template that serves as a placeholder.
        (JSC::orCharacter<UChar>): Explicit template that actually or-accumulates characters.
        (JSC::Lexer::scanRegExp):
        * parser/Lexer.h:
        (Lexer):
        (JSC::Lexer::makeRightSizedIdentifier<LChar>): New template that always creates an 8 bit Identifier.
        (JSC::Lexer::makeRightSizedIdentifier<UChar>): New template that creates an 8 bit Identifier for 8 bit
        data in a 16 bit source.

2012-11-06  Filip Pizlo  <fpizlo@apple.com>

        Indentation of JSCell.h is wrong
        https://bugs.webkit.org/show_bug.cgi?id=101379

        Rubber stamped by Alexey Proskuryakov.

        Just removed four spaces on a bunch of lines.

        * runtime/JSCell.h:

2012-11-05  Filip Pizlo  <fpizlo@apple.com>

        Indentation of JSObject.h is wrong
        https://bugs.webkit.org/show_bug.cgi?id=101313

        Rubber stamped by Alexey Proskuryakov.

        Just unindented code, since namespace bodies shouldn't be indented.

        * runtime/JSObject.h:

2012-11-05  Filip Pizlo  <fpizlo@apple.com>

        Indentation of JSArray.h is wrong
        https://bugs.webkit.org/show_bug.cgi?id=101314

        Rubber stamped by Alexey Proskuryakov.

        Just removing the indentation inside the namespace body.

        * runtime/JSArray.h:

2012-11-05  Filip Pizlo  <fpizlo@apple.com>

        DFG should not fall down to patchable GetById just because a prototype had things added to it
        https://bugs.webkit.org/show_bug.cgi?id=101299

        Reviewed by Geoffrey Garen.

        This looks like a slight win on V8v7 and SunSpider.

        * bytecode/DFGExitProfile.h:
        (JSC::DFG::exitKindToString):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-11-05  Filip Pizlo  <fpizlo@apple.com>

        Get rid of method_check
        https://bugs.webkit.org/show_bug.cgi?id=101147

        Reviewed by Geoffrey Garen.

        op_method_check no longer buys us anything, since get_by_id proto caching
        gives just as much profiling information and the DFG inlines monomorphic
        proto accesses anyway.

        This also has the potential for a speed-up since it makes parsing of
        profiling data easier. No longer do we have to deal with the confusion of
        the get_by_id portion of a method_check appearing monomorphic even though
        we're really dealing with a bimorphic access (method_check specializes for
        one case and get_by_id for another).

        This looks like a 1% speed-up on both SunSpider and V8v7.
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::shrinkToFit):
        (JSC::CodeBlock::unlinkCalls):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::getCallLinkInfo):
        (JSC::CodeBlock::callLinkInfo):
        (CodeBlock):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/MethodCallLinkInfo.cpp: Removed.
        * bytecode/MethodCallLinkInfo.h: Removed.
        * bytecode/MethodCallLinkStatus.cpp: Removed.
        * bytecode/MethodCallLinkStatus.h: Removed.
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC):
        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallDotNode::emitBytecode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::PropertyStubCompilationInfo::slowCaseInfo):
        (PropertyStubCompilationInfo):
        (JSC):
        (JIT):
        * jit/JITPropertyAccess.cpp:
        (JSC):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::compileGetByIdSlowCase):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC):
        (JSC::JIT::compileGetByIdSlowCase):
        * jit/JITStubs.cpp:
        (JSC):
        * jit/JITStubs.h:
        * llint/LowLevelInterpreter.asm:

2012-11-05  Yuqiang Xian  <yuqiang.xian@intel.com>

        Refactor LLInt64 to distinguish the pointer operations from the 64-bit integer operations
        https://bugs.webkit.org/show_bug.cgi?id=100321

        Reviewed by Filip Pizlo.

        We have refactored the MacroAssembler and JIT compilers to distinguish
        the pointer operations from the 64-bit integer operations (see bug #99154).
        Now we want to do similar work for LLInt, and the goal is the same as
        the one mentioned in 99154.

        This is the second part of the modification: in the low level interpreter,
        changing the operations on 64-bit integers to use the "<foo>q" instructions.
        This also removes some unused/meaningless "<foo>p" instructions.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/armv7.rb:
        * offlineasm/cloop.rb:
        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:

2012-11-05  Filip Pizlo  <fpizlo@apple.com>

        Prototype chain caching should check that the path from the base object to the slot base involves prototype hops only
        https://bugs.webkit.org/show_bug.cgi?id=101276

        Reviewed by Gavin Barraclough.

        Changed normalizePrototypeChain() to report an invalid prototype chain if any object is a proxy.
        This catches cases where our prototype chain checks would have been insufficient to guard against
        newly introduced properties, despecialized properties, or deleted properties in the chain of
        objects involved in the access.
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDProtoList):
        (JSC::DFG::tryCachePutByID):
        (JSC::DFG::tryBuildPutByIdList):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::tryCachePutByID):
        (JSC::JITThunks::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Operations.h:
        (JSC):
        (JSC::normalizePrototypeChain):

2012-11-05  Dima Gorbik  <dgorbik@apple.com>

        Back out controversial changes from Bug 98665.
        https://bugs.webkit.org/show_bug.cgi?id=101244

        Reviewed by David Kilzer.

        Backing out changes from Bug 98665 until further discussions take place on rules for including Platform.h in Assertions.h.

        * API/tests/minidom.c:
        * API/tests/testapi.c:

2012-11-04  Filip Pizlo  <fpizlo@apple.com>

        Reduce the verbosity of referring to QNaN in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=101174

        Reviewed by Geoffrey Garen.

        Introduces a #define QNaN in JSValue.h, and replaces all previous uses of
        std::numeric_limits<double>::quiet_NaN() with QNaN.
        * API/JSValueRef.cpp:
        (JSValueMakeNumber):
        (JSValueToNumber):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        * runtime/CachedTranscendentalFunction.h:
        (JSC::CachedTranscendentalFunction::initialize):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DateInstanceCache.h:
        (JSC::DateInstanceData::DateInstanceData):
        (JSC::DateInstanceCache::reset):
        * runtime/ExceptionHelpers.cpp:
        (JSC::InterruptedExecutionError::defaultValue):
        (JSC::TerminatedExecutionError::defaultValue):
        * runtime/JSCell.h:
        (JSC::JSValue::getPrimitiveNumber):
        * runtime/JSDateMath.cpp:
        (JSC::parseDateFromNullTerminatedCharacters):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::resetDateCache):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::parseInt):
        (JSC::jsStrDecimalLiteral):
        (JSC::toDouble):
        (JSC::jsToNumber):
        (JSC::parseFloat):
        * runtime/JSValue.cpp:
        (JSC::JSValue::toNumberSlowCase):
        * runtime/JSValue.h:
        (JSC):
        * runtime/JSValueInlineMethods.h:
        (JSC::jsNaN):
        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncMax):
        (JSC::mathProtoFuncMin):

2012-11-03  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT should use structure watchpoints whenever possible
        https://bugs.webkit.org/show_bug.cgi?id=101146

        Reviewed by Sam Weinig.

        No speed-up yet except on toy programs. I think that it will start to show
        speed-ups with https://bugs.webkit.org/show_bug.cgi?id=101147, which this is
        a step towards.
        * jit/JIT.h:
        (JIT):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        (JSC::JIT::addStructureTransitionCheck):
        (JSC):
        (JSC::JIT::testPrototype):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):

2012-11-04  Csaba Osztrogonác  <ossy@webkit.org>

        [Qt] udis86_itab.c is always regenerated
        https://bugs.webkit.org/show_bug.cgi?id=100756

        Reviewed by Simon Hausmann.

        * DerivedSources.pri: Generate sources to the generated directory.
        * disassembler/udis86/differences.txt:
        * disassembler/udis86/itab.py: Add --outputDir option.
        (UdItabGenerator.__init__):
        (genItabH):
        (genItabC):
        (main):

2012-11-02  Filip Pizlo  <fpizlo@apple.com>

        LLInt 32-bit put_by_val ArrayStorage case should use the right register (t3, not t2) for the index in the publicLength updating path
        https://bugs.webkit.org/show_bug.cgi?id=101118

        Reviewed by Gavin Barraclough.

        * llint/LowLevelInterpreter32_64.asm:

2012-11-02  Filip Pizlo  <fpizlo@apple.com>

        DFG::Node::converToStructureTransitionWatchpoint should take kindly to ArrayifyToStructure
        https://bugs.webkit.org/show_bug.cgi?id=101117

        Reviewed by Gavin Barraclough.
        We have logic to convert ArrayifyToStructure to StructureTransitionWatchpoint, which is awesome, except
        that previously convertToStructureTransitionWatchpoint was (a) asserting that it never saw an
        ArrayifyToStructure and (b) would incorrectly create a ForwardStructureTransitionWatchpoint if it did.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToStructureTransitionWatchpoint):

2012-11-02  Filip Pizlo  <fpizlo@apple.com>

        DFG::SpeculativeJIT::typedArrayDescriptor should use the Float64Array descriptor for Float64Arrays
        https://bugs.webkit.org/show_bug.cgi?id=101114

        Reviewed by Gavin Barraclough.

        As in https://bugs.webkit.org/show_bug.cgi?id=101112, this was only wrong when Float64Array descriptors
        hadn't been initialized yet. That happens rarely, but when it does happen, we would crash.

        This would also become much more wrong if we ever put type size info (num bytes, etc) in the descriptor
        and used that directly. So it's good to fix it.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::typedArrayDescriptor):

2012-11-02  Filip Pizlo  <fpizlo@apple.com>

        JIT::privateCompileGetByVal should use the uint8ClampedArrayDescriptor for compiling accesses to Uint8ClampedArrays
        https://bugs.webkit.org/show_bug.cgi?id=101112

        Reviewed by Gavin Barraclough.

        The only reason why the code was wrong to use uint8ArrayDescriptor instead is that if we're just using
        Uint8ClampedArrays then the descriptor for Uint8Array may not have been initialized.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByVal):

2012-11-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        MarkedBlocks should use something other than the mark bits to indicate liveness for newly allocated objects
        https://bugs.webkit.org/show_bug.cgi?id=100877

        Reviewed by Filip Pizlo.
        Currently when we canonicalize cell liveness data in MarkedBlocks, we set the mark bit for every cell in the
        block except for those in the free list. This allows objects that were allocated since the
        previous collection to be considered live until they have a chance to be properly marked by the collector.

        If we want to use the mark bits to signify other types of information, e.g. using sticky mark bits for generational
        collection, we will have to keep track of newly allocated objects in a different fashion when we canonicalize cell liveness.

        One method would be to allocate a separate set of bits while canonicalizing liveness data. These bits would
        track the newly allocated objects in the block separately from those objects that had already been marked. We would
        then check these bits, along with the mark bits, when determining liveness.

        * heap/Heap.h:
        (Heap):
        (JSC::Heap::isLive): We now check for the presence of the newlyAllocated Bitmap.
        (JSC):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::specializedSweep): We clear the newlyAllocated Bitmap if we're creating a free list. This
        will happen if we canonicalize liveness data for some other reason than collection (e.g. forEachCell) and
        then start allocating again.
        (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
        (SetNewlyAllocatedFunctor):
        (JSC::SetNewlyAllocatedFunctor::operator()): We set the newlyAllocated bits for all the objects
        that aren't already marked. We undo the bits for the objects in the free list later in canonicalizeCellLivenessData.
        (JSC::MarkedBlock::canonicalizeCellLivenessData): We should never have a FreeListed block with a newlyAllocated Bitmap.
        We allocate the new Bitmap, set the bits for all the objects that aren't already marked, and then unset all of the
        bits for the items currently in the FreeList.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::clearMarks): We clear the newlyAllocated bitmap if it exists because at this point we don't need it
        any more.
        (JSC::MarkedBlock::isEmpty): If we have some objects that are newlyAllocated, we are not empty.
        (JSC::MarkedBlock::isNewlyAllocated):
        (JSC):
        (JSC::MarkedBlock::setNewlyAllocated):
        (JSC::MarkedBlock::clearNewlyAllocated):
        (JSC::MarkedBlock::isLive): We now check the newlyAllocated Bitmap, if it exists, when determining liveness of a cell in
        a block that is Marked.
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::visit): We need to make sure we don't finalize objects that are in the newlyAllocated Bitmap.
        (JSC::WeakBlock::reap): Ditto.

2012-11-02  Filip Pizlo  <fpizlo@apple.com>

        JIT::privateCompileGetByVal should use MacroAssemblerCodePtr::createFromExecutableAddress like JIT::privateCompilePutByVal
        https://bugs.webkit.org/show_bug.cgi?id=101109

        Reviewed by Gavin Barraclough.

        This fixes crashes on ARMv7 resulting from the return address already being tagged with the THUMB2 bit.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByVal):

2012-11-02  Simon Fraser  <simon.fraser@apple.com>

        Enable SUBPIXEL_LAYOUT on Mac
        https://bugs.webkit.org/show_bug.cgi?id=101076

        Reviewed by Dave Hyatt.

        Define ENABLE_SUBPIXEL_LAYOUT and include it in FEATURE_DEFINES.

        * Configurations/FeatureDefines.xcconfig:

2012-11-02  Michael Saboff  <msaboff@apple.com>

        RegExp.prototype.toString Should Produce an 8 bit JSString if possible.
        https://bugs.webkit.org/show_bug.cgi?id=101003

        Reviewed by Geoffrey Garen.

        Took the logic of regExpObjectSource() and created two templated helpers that use the
        source character type when appending to the StringBuilder.
        * runtime/RegExpObject.cpp:
        (JSC::appendLineTerminatorEscape): Checks the line terminator type to come up with the escaped version.
        (JSC::regExpObjectSourceInternal): Templated version of original.
        (JSC::regExpObjectSource): Wrapper function.

2012-11-02  Adam Barth  <abarth@webkit.org>

        ENABLE(UNDO_MANAGER) is disabled everywhere and is not under active development
        https://bugs.webkit.org/show_bug.cgi?id=100711

        Reviewed by Eric Seidel.

        * Configurations/FeatureDefines.xcconfig:

2012-11-02  Simon Hausmann  <simon.hausmann@digia.com>

        [Qt] Fix build on Windows when Qt is configured with -release
        https://bugs.webkit.org/show_bug.cgi?id=101041

        Reviewed by Jocelyn Turcotte.

        When Qt is configured with -debug or -release, the release/debug build of for example
        QtCore is not available by default. For LLIntExtractor we always need to build debug
        _and_ release versions, but we do not actually need any Qt libraries nor qtmain(d).lib.
        Therefore we can disable all these features but need to keep $$QT.core.includes in the
        INCLUDEPATH for some defines from qglobal.h.

        * LLIntOffsetsExtractor.pro:

2012-11-01  Mark Lam  <mark.lam@apple.com>

        A llint workaround for a toolchain issue.
        https://bugs.webkit.org/show_bug.cgi?id=101012.

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter.asm:
        - use a local label to work around the toolchain issue with undeclared
          global labels.

2012-11-01  Oliver Hunt  <oliver@apple.com>

        Remove GlobalObject constant register that is typically unused
        https://bugs.webkit.org/show_bug.cgi?id=101005

        Reviewed by Geoffrey Garen.

        The GlobalObject constant register is frequently allocated even when it
        is not used; it is also getting in the way of some other optimisations.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseResolveOperations):

2012-10-31  Filip Pizlo  <fpizlo@apple.com>

        DFG optimized string access code should be enabled
        https://bugs.webkit.org/show_bug.cgi?id=100825

        Reviewed by Oliver Hunt.

        - Removes prediction checks from the parser.

        - Fixes the handling of array mode refinement for strings. I.e. we don't do
          any refinement - we already know it's going to be a string. We could
          revisit this in the future, but for now the DFG lacks the ability to
          handle any array modes other than Array::String for string intrinsics, so
          this is as good as it gets.

        - Removes uses of isBlahSpeculation for checking if a mode is already
          checked. isBlahSpeculation implicitly checks if the SpeculatedType is not
          BOTTOM ("empty"), which breaks for checking if a mode is already checked
          since a mode may already be "checked" in the sense that we've proven that
          the code is unreachable.

        ~1% speed-up on V8v7, mostly from a speed-up on crypto, which uses string
        intrinsics in one of the hot functions.
        * bytecode/SpeculatedType.h:
        (JSC::speculationChecked):
        (JSC):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::alreadyChecked):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):

2012-10-31  Filip Pizlo  <fpizlo@apple.com>

        Sparse array size threshold should be increased to 100000
        https://bugs.webkit.org/show_bug.cgi?id=100827

        Reviewed by Oliver Hunt.

        This enables the use of contiguous arrays in programs that previously
        couldn't use them. And I so far can't see any examples of this being
        a downside. To the extent that there is a downside, it ought to be
        addressed by GC: https://bugs.webkit.org/show_bug.cgi?id=100828

        * runtime/ArrayConventions.h:
        (JSC):

2012-10-31  Mark Lam  <mark.lam@apple.com>

        C++ llint 64-bit backend needs to zero extend results of int32 operations.
        https://bugs.webkit.org/show_bug.cgi?id=100899.

        Reviewed by Filip Pizlo.

        llint asm instructions ending in "i" for a 64-bit machine expect the
        high 32 bits of registers to be zeroed out when a 32-bit instruction
        writes into a register. Fixed the C++ llint to honor this.

        Fixed the index register used in BaseIndex addressing to be of size
        intptr_t as expected.

        Updated CLoopRegister to handle different endianness configurations.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoopRegister::clearHighWord):
        - new method to clear the high 32 bits of a 64-bit register.
          It's a no-op for the 32-bit build.
        (CLoopRegister):
        - CLoopRegister now takes care of packing and byte endianness order.
        (JSC::CLoop::execute): - Added an assert.
        * offlineasm/cloop.rb:
        - Add calls to clearHighWord() wherever needed.

2012-10-31  Mark Lam  <mark.lam@apple.com>

        A JSC printf (support for %J+s and %b).
        https://bugs.webkit.org/show_bug.cgi?id=100566.

        Reviewed by Michael Saboff.

        Added VMInspector::printf(), fprintf(), sprintf(), and snprintf().
        - %b prints ints as boolean TRUE (non-zero) or FALSE (zero).
        - %Js prints a WTF::String* like a %s prints a char*.
          Also works for 16bit WTF::Strings (prints wchar_t* using %S).
        - '+' is a modifier meaning 'use verbose mode', and %J+s is an example
          of its use.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/VMInspector.cpp:
        (FormatPrinter):
        (JSC::FormatPrinter::~FormatPrinter):
        (JSC::FormatPrinter::print):
        (JSC::FormatPrinter::printArg):
        (JSC::FormatPrinter::printWTFString):
        (JSC::FileFormatPrinter::FileFormatPrinter):
        (JSC::FileFormatPrinter::printArg):
        (JSC::StringFormatPrinter::StringFormatPrinter):
        (JSC::StringFormatPrinter::printArg):
        (JSC::StringNFormatPrinter::StringNFormatPrinter):
        (JSC::StringNFormatPrinter::printArg):
        (JSC::VMInspector::fprintf):
        (JSC::VMInspector::printf):
        (JSC::VMInspector::sprintf):
        (JSC::VMInspector::snprintf):
        * interpreter/VMInspector.h:
        (VMInspector):

2012-10-31  Mark Lam  <mark.lam@apple.com>

        64-bit llint PC offset can be negative: using an unsigned shift is a bug.
        https://bugs.webkit.org/show_bug.cgi?id=100896.

        Reviewed by Filip Pizlo.

        Fixed the PC offset divisions in the 64-bit llint asm to use rshift instead of urshift.
        * llint/LowLevelInterpreter64.asm:

2012-10-30  Yuqiang Xian  <yuqiang.xian@intel.com>

        glsl-function-atan.html WebGL conformance test fails after https://bugs.webkit.org/show_bug.cgi?id=99154
        https://bugs.webkit.org/show_bug.cgi?id=100789

        Reviewed by Filip Pizlo.

        We accidentally missed a bitwise double to int64 conversion.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::silentFill):

2012-10-30  Joseph Pecoraro  <pecoraro@apple.com>

        [Mac] Sync up FeatureDefine Configuration Files
        https://bugs.webkit.org/show_bug.cgi?id=100171

        Reviewed by David Kilzer.

        Follow up to better coordinate with iOS feature defines. Make:

        - ENABLE_FILTERS always on
        - ENABLE_INPUT_* iphonesimulator values point to the iphoneos values

        * Configurations/FeatureDefines.xcconfig:

2012-10-30  Joseph Pecoraro  <pecoraro@apple.com>

        [Mac] Sync up FeatureDefine Configuration Files
        https://bugs.webkit.org/show_bug.cgi?id=100171

        Reviewed by David Kilzer.

        Ensure identical FeatureDefine files across all projects. Changes:

        - ENABLE_CSS_BOX_DECORATION_BREAK should be in all
        - ENABLE_PDFKIT_PLUGIN should be in all
        - ENABLE_RESOLUTION_MEDIA_QUERY should be in all
        - ENABLE_ENCRYPTED_MEDIA should be in all
        - ENABLE_HIDDEN_PAGE_DOM_TIMER_THROTTLING with corrected value
        - Some alphabetical ordering cleanup

        * Configurations/FeatureDefines.xcconfig:

2012-10-30  Mark Hahnenberg  <mhahnenberg@apple.com>

        Arrays can change IndexingType in the middle of sorting
        https://bugs.webkit.org/show_bug.cgi?id=100773

        Reviewed by Filip Pizlo.

        Instead of giving up, we just fetch the appropriate vector based on the current
        IndexingType of the array.
        * runtime/JSArray.cpp:
        (JSC::JSArray::sortVector):
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::currentIndexingData):
        (JSC::JSObject::currentRelevantLength):

2012-10-29  Anders Carlsson  <andersca@apple.com>

        Build WebKit as C++11 on Mac
        https://bugs.webkit.org/show_bug.cgi?id=100720

        Reviewed by Daniel Bates.

        * Configurations/Base.xcconfig:
        Add CLANG_CXX_LANGUAGE_STANDARD=gnu++0x.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::pushFinallyContext):
        (JSC::BytecodeGenerator::beginSwitch):
        * llint/LLIntOffsetsExtractor.cpp:
        * runtime/Identifier.cpp:
        (JSC::Identifier::add8):
        * runtime/Identifier.h:
        (JSC::Identifier::add):
        * runtime/JSONObject.cpp:
        (JSC::appendStringToStringBuilder):
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingStringSearch):
        Add static_casts to prevent implicit type conversions in non-constant initializer lists.

2012-10-28  Mark Rowe  <mrowe@apple.com>

        Simplify Xcode configuration settings that used to vary between OS versions.

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/JavaScriptCore.xcconfig:

2012-10-28  Mark Rowe  <mrowe@apple.com>

        Remove references to unsupported OS and Xcode versions.

        Reviewed by Anders Carlsson.

        * Configurations/Base.xcconfig:
        * Configurations/CompilerVersion.xcconfig: Removed.
        * Configurations/DebugRelease.xcconfig:
        * Configurations/Version.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-10-29  Michael Saboff  <msaboff@apple.com>

        Non-special escape character sequences cause JSC::Lexer::parseString to create 16 bit strings
        https://bugs.webkit.org/show_bug.cgi?id=100576

        Reviewed by Darin Adler.

        Changed singleEscape() processing to be based on a lookup of a static table. The table
        covers ASCII characters SPACE through DEL. If a character can be a single character escape,
        then the table provides the non-zero result of that escape. Updated the result of
        singleEscape to be an LChar to make the table as small as possible.
        Added a new test fast/js/normal-character-escapes-in-string-literals.html to validate
        the behavior.

        * parser/Lexer.cpp:
        (JSC::singleEscape):
        (JSC::Lexer::parseString):
        (JSC::Lexer::parseStringSlowCase):

2012-10-29  Enrica Casucci  <enrica@apple.com>

        Add ENABLE_USERSELECT_ALL feature flag.
        https://bugs.webkit.org/show_bug.cgi?id=100559

        Reviewed by Eric Seidel.

        * Configurations/FeatureDefines.xcconfig:

2012-10-28  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to emit effectful structure checks
        https://bugs.webkit.org/show_bug.cgi?id=99260

        Reviewed by Oliver Hunt.

        This change allows us to find out if an array access that has gone polymorphic
        is operating over known structures - i.e. the primordial array structures of the
        global object that the code block containing the array access belongs to. We
        term this state "OriginalArray" for short.
        The fact that the access has gone
        polymorphic means that the array profile will not be able to report the set of
        structures it had seen - but if it can tell us that all of the structures were
        primordial then it just so happens that we can deduce what the structure set
        would have been by just querying the code block's global object. This allows us
        to emit an ArrayifyToStructure instead of an Arrayify if we find that we need to
        do conversions. The fast path of an ArrayifyToStructure is exactly like the fast
        path of a CheckStructure and is mostly subject to the same optimizations. It
        also burns one fewer register.

        Essentially the notion of OriginalArray is a super cheap way of getting the
        array profile to tell us a structure set instead of a singleton structure.
        Currently, the array profile can only tell us the structure seen at an array
        access if there was exactly one structure. If there were multiple structures, it
        won't tell us anything other than the array modes and other auxiliary profiling
        data (whether there were stores to holes, for example). With OriginalArray, we
        cheaply get a structure set if all of the structures were primordial for the
        code block's global object, since in that case the array mode set (ArrayModes)
        can directly tell us the structure set. In the future, we might consider adding
        complete structure sets to the array profiles, but I suspect that we would hit
        diminishing returns if we did so - it would only help if we have array accesses
        that are both polymorphic and are cross-global-object accesses (rare) or if the
        arrays had named properties or other structure transitions that are unrelated to
        indexing type (also rare).

        This also does away with Arrayify (and the new ArrayifyToStructure) returning
        the butterfly pointer. This turns out to be faster and easier to CSE.
        And, this also changes constant folding to be able to eliminate CheckStructure,
        ForwardCheckStructure, and ArrayifyToStructure in addition to being able to
        transform them into structure transition watchpoints. This is great for
        ArrayifyToStructure because then CSE and CFA know that there is no side effect.
        Converting CheckStructure and ForwardCheckStructure to also behave this way is
        just a matter of elegance.

        This has no performance impact right now. It's intended to alleviate some of the
        regressions seen in the early implementation of
        https://bugs.webkit.org/show_bug.cgi?id=98606.

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::computeUpdatedPrediction):
        * bytecode/ArrayProfile.h:
        (JSC):
        (JSC::ArrayProfile::ArrayProfile):
        (ArrayProfile):
        (JSC::ArrayProfile::usesOriginalArrayStructures):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        (JSC::DFG::ArrayMode::alreadyChecked):
        (JSC::DFG::arrayClassToString):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::withProfile):
        (JSC::DFG::ArrayMode::isJSArray):
        (ArrayMode):
        (JSC::DFG::ArrayMode::isJSArrayWithOriginalStructure):
        (JSC::DFG::ArrayMode::supportsLength):
        (JSC::DFG::ArrayMode::arrayModesWithIndexingShape):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getArrayMode):
        (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::getScopeRegistersLoadElimination):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasStructure):
        (JSC::DFG::Node::hasArrayMode):
        (JSC::DFG::Node::arrayMode):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        (JSC::DFG::SpeculativeJIT::arrayify):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::isOriginalArrayStructure):
        * runtime/Structure.cpp:
        (JSC::Structure::nonPropertyTransition):

2012-10-28  Filip Pizlo  <fpizlo@apple.com>

        There should not be blind spots in array length array profiling
        https://bugs.webkit.org/show_bug.cgi?id=100620

        Reviewed by Oliver Hunt.

        I don't think this has any performance impact. But it's good to not have random
        programs occasionally emit a GetById for array length accesses.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::privateCompilePatchGetArrayLength):

2012-10-28  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, make always-true enum-to-int comparisons use casts.

        * dfg/DFGFPRInfo.h:
        (JSC::DFG::FPRInfo::debugName):
        * dfg/DFGGPRInfo.h:
        (JSC::DFG::JSValueSource::tagGPR):
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):

2012-10-27  Filip Pizlo  <fpizlo@apple.com>

        OSR exit compilation should defend against argument recoveries from code blocks that are no longer on the inline stack
        https://bugs.webkit.org/show_bug.cgi?id=100601

        Reviewed by Oliver Hunt.

        This happened to me while I was fixing bugs for https://bugs.webkit.org/show_bug.cgi?id=100599.
        I'm not sure how to reproduce this.

        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::baselineCodeBlockFor):
        (AssemblyHelpers):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):

2012-10-27  Filip Pizlo  <fpizlo@apple.com>

        DFG::Array::Mode needs to be cleaned up
        https://bugs.webkit.org/show_bug.cgi?id=100599

        Reviewed by Oliver Hunt.

        Turn the previous massive Array::Mode enum into a class that contains four
        fields: the type, whether it's a JSArray, the level of speculation, and the
        kind of conversion to perform.

        No performance or behavioral change.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        (JSC::DFG::ArrayMode::refine):
        (JSC::DFG::ArrayMode::alreadyChecked):
        (JSC::DFG::arrayTypeToString):
        (JSC::DFG::arrayClassToString):
        (DFG):
        (JSC::DFG::arraySpeculationToString):
        (JSC::DFG::arrayConversionToString):
        (JSC::DFG::ArrayMode::toString):
        * dfg/DFGArrayMode.h:
        (DFG):
        (ArrayMode):
        (JSC::DFG::ArrayMode::ArrayMode):
        (JSC::DFG::ArrayMode::type):
        (JSC::DFG::ArrayMode::arrayClass):
        (JSC::DFG::ArrayMode::speculation):
        (JSC::DFG::ArrayMode::conversion):
        (JSC::DFG::ArrayMode::asWord):
        (JSC::DFG::ArrayMode::fromWord):
        (JSC::DFG::ArrayMode::withSpeculation):
        (JSC::DFG::ArrayMode::usesButterfly):
        (JSC::DFG::ArrayMode::isJSArray):
        (JSC::DFG::ArrayMode::isInBounds):
        (JSC::DFG::ArrayMode::mayStoreToHole):
        (JSC::DFG::ArrayMode::isOutOfBounds):
        (JSC::DFG::ArrayMode::isSlowPut):
        (JSC::DFG::ArrayMode::canCSEStorage):
        (JSC::DFG::ArrayMode::lengthNeedsStorage):
        (JSC::DFG::ArrayMode::modeForPut):
        (JSC::DFG::ArrayMode::isSpecific):
        (JSC::DFG::ArrayMode::supportsLength):
        (JSC::DFG::ArrayMode::benefitsFromStructureCheck):
        (JSC::DFG::ArrayMode::doesConversion):
        (JSC::DFG::ArrayMode::arrayModesThatPassFiltering):
        (JSC::DFG::ArrayMode::operator==):
        (JSC::DFG::ArrayMode::operator!=):
        (JSC::DFG::ArrayMode::arrayModesWithIndexingShape):
        (JSC::DFG::canCSEStorage):
        (JSC::DFG::lengthNeedsStorage):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getArrayMode):
        (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getArrayLengthElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::byValIsPure):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::arrayMode):
        (JSC::DFG::Node::setArrayMode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::typedArrayDescriptor):
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::arrayify):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::putByValWillNeedExtraRegister):
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-10-27  Dan Bernstein  <mitz@apple.com>

        REAL_PLATFORM_NAME build setting is no longer needed
        https://bugs.webkit.org/show_bug.cgi?id=100587

        Reviewed by Mark Rowe.

        Removed the definition of REAL_PLATFORM_NAME and replaced references to it with references
        to PLATFORM_NAME.

        * Configurations/Base.xcconfig:
        * Configurations/CompilerVersion.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/FeatureDefines.xcconfig:
        * Configurations/JSC.xcconfig:
        * Configurations/JavaScriptCore.xcconfig:
        * Configurations/ToolExecutable.xcconfig:

2012-10-25  Filip Pizlo  <fpizlo@apple.com>

        Forward OSR calculation is wrong in the presence of multiple SetLocals, or a mix of SetLocals and Phantoms
        https://bugs.webkit.org/show_bug.cgi?id=100461

        Reviewed by Oliver Hunt and Gavin Barraclough.

        This does a couple of things. First, it removes the part of the change in r131822 that made the forward
        OSR exit calculator capable of handling multiple SetLocals. That change was wrong, because it would
        blindly assume that all SetLocals had the same ValueRecovery, and would ignore the possibility that if
        there is no value recovery then a ForwardCheckStructure on the first SetLocal would not know how to
        recover the state associated with the second SetLocal. Then, it introduces the invariant that any bytecode
        op that decomposes into multiple SetLocals must first emit dead SetLocals as hints and then emit a second
        set of SetLocals to actually do the setting of the locals. This means that if a ForwardCheckStructure (or
        any other hoisted forward speculation) is inserted, it will always be inserted on the second set of
        SetLocals (since hoisting only touches the live ones), at which point OSR will already know about the
        mov hints implied by the first set of (dead) SetLocals.
        This gives us the behavior we wanted, namely, that
        a ForwardCheckStructure applied to a variant set by a resolve_with_base-like operation can correctly do a
        forward exit while also ensuring that prior to exiting we set the appropriate locals.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):

2012-10-26  Simon Hausmann  <simon.hausmann@digia.com>

        [Qt] Fix the LLInt build on Windows
        https://bugs.webkit.org/show_bug.cgi?id=97648

        Reviewed by Tor Arne Vestbø.

        The main change for the port on Windows is changing the way offsets are extracted
        and the LLIntAssembly.h is generated to accommodate release and debug configurations.

        Firstly the LLIntOffsetsExtractor binary is now built as-is (no DESTDIR set) and
        placed into debug\LLIntOffsetsExtractor.exe and release\LLIntOffsetsExtractor.exe
        on Windows debug_and_release builds. On other platforms it remains in the regular
        out directory.

        Secondly the LLIntAssembly.h files must be different for different build types,
        so the LLIntAssembly.h generator in DerivedSources.pri now operates on the extractor
        binary files as input. Using a simple exists() check we verify the presence of either
        a regular, a debug\LLIntOffsetsExtractor and a release\LLIntOffsetsExtractor binary
        and process all of them. The resulting assembly files consequently end up in
        generated\debug\LLIntAssembly.h and generated\release\LLIntAssembly.h.

        In Target.pri we have to also make sure that those directories are in the include
        path according to the release or debug configuration.

        Lastly a small tweak - swapping WTF.pri and JSC.pri inclusions - in the
        LLIntOffsetsExtractor build was needed to make sure that we include
        JavaScriptCore/config.h instead of WTF/config.h, required to fix the
        build issues originally pasted in bug #97648.

        * DerivedSources.pri:
        * JavaScriptCore.pro:
        * LLIntOffsetsExtractor.pro:
        * Target.pri:

2012-10-26  Gabor Ballabas  <gaborb@inf.u-szeged.hu>

        [Qt] Enable JSC's disassembler on x86, x86_64 Linux
        https://bugs.webkit.org/show_bug.cgi?id=100386

        Reviewed by Simon Hausmann.

        It works fine on Linux x86, x86_64; it just needs to be enabled in the
        QtWebKit build system.

        * DerivedSources.pri:
        * JavaScriptCore.pri:
        * Target.pri:

2012-10-26  Thiago Marcos P. Santos  <thiago.santos@intel.com>

        Add feature flags for CSS Device Adaptation
        https://bugs.webkit.org/show_bug.cgi?id=95960

        Reviewed by Kenneth Rohde Christiansen.

        * Configurations/FeatureDefines.xcconfig:

2012-10-26  Simon Hausmann  <simon.hausmann@digia.com>

        [WIN] Make LLInt offsets extractor work on Windows
        https://bugs.webkit.org/show_bug.cgi?id=100369

        Reviewed by Kenneth Rohde Christiansen.

        Open the input file explicitly in binary mode to prevent ruby/Windows from thinking that
        it's a text mode file that needs even new line conversions. The binary mode parameter is
        ignored on other platforms.

        * offlineasm/offsets.rb:

2012-10-25  Michael Saboff  <msaboff@apple.com>

        SymbolTableIndexHashTraits::needsDestruction should be set to true
        https://bugs.webkit.org/show_bug.cgi?id=100437

        Reviewed by Mark Hahnenberg.

        For correctness, set SymbolTableIndexHashTraits::needsDestruction to true since SymbolTableEntry's do
        need to have their destructor called due to the possibility of rare data.

        * runtime/SymbolTable.h:
        (SymbolTableIndexHashTraits):

2012-10-25  Filip Pizlo  <fpizlo@apple.com>

        DFG Arrayify elimination should replace it with GetButterfly rather than Phantom
        https://bugs.webkit.org/show_bug.cgi?id=100441

        Reviewed by Oliver Hunt and Gavin Barraclough.

        Made array profiler's to-string helper behave correctly.

        Made Arrayify elimination do the right thing (convert to GetButterfly).

        Made CFA's interference analysis track clobbered array modes correctly, mostly by
        simplifying the machinery.

        * bytecode/ArrayProfile.cpp:
        (JSC::arrayModesToString):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::clobberArrayModes):
        (AbstractValue):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2012-10-25  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r131793-r131826): Crash going to wikifonia.org
        https://bugs.webkit.org/show_bug.cgi?id=100281

        Reviewed by Oliver Hunt.

        Restore something that got lost in the resolve refactoring: the ability to give up on life if
        we see a resolve of 'arguments'.

        * runtime/JSScope.cpp:
        (JSC::JSScope::resolveContainingScopeInternal):

2012-10-25  Dominik Röttsches  <dominik.rottsches@intel.com>

        Conditionalize XHR timeout support
        https://bugs.webkit.org/show_bug.cgi?id=100356

        Reviewed by Adam Barth.

        Adding XHR_TIMEOUT feature to conditionalize this on ports without network backend support.

        * Configurations/FeatureDefines.xcconfig:

2012-10-25  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r131836): failures in list styles tests on EFL, GTK
        https://bugs.webkit.org/show_bug.cgi?id=99824

        Reviewed by Oliver Hunt.

        Saved start of string since it is modified by call convertUTF8ToUTF16().

        * API/JSStringRef.cpp:
        (JSStringCreateWithUTF8CString):

2012-10-24  Filip Pizlo  <fpizlo@apple.com>

        DFG NewArrayBuffer node should keep its data in a structure on the side to free up one of the opInfos
        https://bugs.webkit.org/show_bug.cgi?id=100328

        Reviewed by Oliver Hunt.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGNode.h:
        (NewArrayBufferData):
        (DFG):
        (JSC::DFG::Node::newArrayBufferData):
        (Node):
        (JSC::DFG::Node::startConstant):
        (JSC::DFG::Node::numConstants):

2012-10-25  Mark Lam  <mark.lam@apple.com>

        Update the C++ llint to work with the latest op_resolve... changes.
        https://bugs.webkit.org/show_bug.cgi?id=100345.

        Reviewed by Oliver Hunt.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        - emit opcode name as label when not using COMPUTED_GOTOs. The new op_resolve
          opcodes have jumps to these labels.
        - declare all opcode labels as UNUSED_LABEL()s to keep the compiler happy
          for opcodes that are not referenced by anyone.
        * offlineasm/asm.rb:
        - strip llint_ prefix from opcode names used as labels.

2012-10-24  Yuqiang Xian  <yuqiang.xian@intel.com>

        Refactor LLInt64 to distinguish the pointer operations from the 64-bit integer operations
        https://bugs.webkit.org/show_bug.cgi?id=100321

        Reviewed by Filip Pizlo.

        We have refactored the MacroAssembler and JIT compilers to distinguish
        the pointer operations from the 64-bit integer operations (see bug #99154).
        Now we want to do the similar work for LLInt, and the goal is the same as
        the one mentioned in 99154.

        This is the first part of the modification: in the offline assembler,
        adding the support of the "<foo>q" instructions which will be used for
        64-bit integer operations.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * offlineasm/cloop.rb:
        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:

2012-10-24  Filip Pizlo  <fpizlo@apple.com>

        DFG compileBlahBlahByVal methods for Contiguous and ArrayStorage have only one caller and should be removed
        https://bugs.webkit.org/show_bug.cgi?id=100311

        Reviewed by Mark Hahnenberg.

        Just trying to simplify things before I make them more complicated again.

        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (DFG):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (DFG):
        (JSC::DFG::SpeculativeJIT::compile):

2012-10-23  Andreas Kling  <kling@webkit.org>

        CodeBlock: Give m_putToBaseOperations an inline capacity.
        <http://webkit.org/b/100190>
        <rdar://problem/12562466>

        Reviewed by Oliver Hunt.

        Since the CodeBlock constructor always inserts a single PutToBaseOperation, but there's no
        guarantee that more will follow, give the m_putToBaseOperations vector an inline capacity of 1.
        There are 4009 of these Vectors on Membuster3, and only 126 of them have more than a single entry.

        This change yields a 1.90MB reduction in memory usage.

        * bytecode/CodeBlock.h:
        (CodeBlock):

2012-10-23  Christophe Dumez  <christophe.dumez@intel.com>

        Regression(r132143): Assertion hit in JSC::Interpreter::StackPolicy::StackPolicy(JSC::Interpreter&, const WTF::StackBounds&)
        https://bugs.webkit.org/show_bug.cgi?id=100109

        Reviewed by Oliver Hunt.

        Fix possible integer overflow in StackPolicy constructor by
        using size_t type instead of int for stack sizes. The value
        returned by StackBounds::size() is of type size_t but was
        assigned to an int, which may overflow.

        * interpreter/Interpreter.cpp:
        (JSC):
        (JSC::Interpreter::StackPolicy::StackPolicy):

2012-10-23  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing header file.

2012-10-23  Mark Lam  <mark.lam@apple.com>

        Make topCallFrame reliable.
        https://bugs.webkit.org/show_bug.cgi?id=98928.

        Reviewed by Geoffrey Garen.

        - VM entry points and the GC now use topCallFrame.
        - The callerFrame value in CallFrames are now always the previous
          frame on the stack, except for the first frame which has a
          callerFrame of 0 (not counting the HostCallFrameFlag).
          Hence, we can now traverse every frame on the stack all the way
          back to the first frame.
        - GlobalExec's will no longer be used as the callerFrame values in
          call frames.
        - Added fences and traps for debugging the JSStack in debug builds.

        * bytecode/SamplingTool.h:
        (SamplingTool):
        (JSC::SamplingTool::CallRecord::CallRecord):
        * dfg/DFGOperations.cpp:
        - Fixed 2 DFG helper functions to flush topCallFrame as expected.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
        * interpreter/CallFrame.h:
        (JSC::ExecState::callerFrameNoFlags):
        (ExecState):
        (JSC::ExecState::argIndexForRegister):
        (JSC::ExecState::getArgumentUnsafe):
        * interpreter/CallFrameClosure.h:
        (CallFrameClosure):
        * interpreter/Interpreter.cpp:
        (JSC):
        (JSC::eval):
        (JSC::Interpreter::Interpreter):
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::endRepeatCall):
        * interpreter/Interpreter.h:
        (JSC):
        (Interpreter):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::JSStack):
        (JSC::JSStack::gatherConservativeRoots):
        (JSC::JSStack::disableErrorStackReserve):
        * interpreter/JSStack.h:
        (JSC):
        (JSStack):
        (JSC::JSStack::installFence):
        (JSC::JSStack::validateFence):
        (JSC::JSStack::installTrapsAfterFrame):
        * interpreter/JSStackInlines.h: Added.
        (JSC):
        (JSC::JSStack::getTopOfFrame):
        (JSC::JSStack::getTopOfStack):
        (JSC::JSStack::getStartOfFrame):
        (JSC::JSStack::pushFrame):
        (JSC::JSStack::popFrame):
        (JSC::JSStack::generateFenceValue):
        (JSC::JSStack::installFence):
        (JSC::JSStack::validateFence):
        (JSC::JSStack::installTrapsAfterFrame):
        * jit/JITStubs.cpp:
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        - Set frame->codeBlock to 0 for both the above because they are called
          with partially initialized frames (cb uninitialized), but may
          trigger a GC.
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):

2012-10-22  Filip Pizlo  <fpizlo@apple.com>

        DFG::Array::Undecided should be called DFG::Array::SelectUsingPredictions
        https://bugs.webkit.org/show_bug.cgi?id=100052

        Reviewed by Oliver Hunt.

        No functional change, just renaming. It's a clearer name that more accurately
        reflects the meaning, and it eliminates the namespace confusion that will happen
        with the Undecided indexing type in https://bugs.webkit.org/show_bug.cgi?id=98606

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::fromObserved):
        (JSC::DFG::refineArrayMode):
        (JSC::DFG::modeAlreadyChecked):
        (JSC::DFG::modeToString):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::canCSEStorage):
        (JSC::DFG::modeIsSpecific):
        (JSC::DFG::modeSupportsLength):
        (JSC::DFG::benefitsFromStructureCheck):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::arrayify):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-10-22  Mark Lam  <mark.lam@apple.com>

        Change stack recursion checks to be based on stack availability.
        https://bugs.webkit.org/show_bug.cgi?id=99872.

        Reviewed by Filip Pizlo and Geoffrey Garen.

        - Remove m_reentryDepth, ThreadStackType which are now obsolete.
        - Replaced the reentryDepth checks with a StackBounds check.
        - Added the Interpreter::StackPolicy class to compute a reasonable
          stack capacity requirement given the native stack that the
          interpreter is executing on at that time.
        - Reserved an amount of JSStack space for the use of error handling
          and enable its use (using Interpreter::ErrorHandlingMode) when
          we're about to throw or report an exception.
        - Interpreter::StackPolicy also allows more native stack space
          to be used when in ErrorHandlingMode. This is needed in the case
          of native stack overflows.
        - Fixed the parser so that it throws a StackOverflowError instead of
          a SyntaxError when it encounters a stack overflow.

        * API/JSContextRef.cpp:
        (JSContextGroupCreate):
        (JSGlobalContextCreateInGroup):
        * JavaScriptCore.order:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::ErrorHandlingMode::ErrorHandlingMode):
        (JSC):
        (JSC::Interpreter::ErrorHandlingMode::~ErrorHandlingMode):
        (JSC::Interpreter::StackPolicy::StackPolicy):
        (JSC::Interpreter::Interpreter):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * interpreter/Interpreter.h:
        (JSC):
        (Interpreter):
        (ErrorHandlingMode):
        (StackPolicy):
        (JSC::Interpreter::StackPolicy::requiredCapacity):
        * interpreter/JSStack.cpp:
        (JSC):
        (JSC::JSStack::JSStack):
        (JSC::JSStack::growSlowCase):
        (JSC::JSStack::enableErrorStackReserve):
        (JSC::JSStack::disableErrorStackReserve):
        * interpreter/JSStack.h:
        (JSStack):
        (JSC::JSStack::reservationEnd):
        (JSC):
        * jsc.cpp:
        (jscmain):
        * parser/Parser.cpp:
        (JSC::::Parser):
        * parser/Parser.h:
        (Parser):
        (JSC::::parse):
        * runtime/ExceptionHelpers.cpp:
        (JSC::throwStackOverflowError):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::createContextGroup):
        (JSC::JSGlobalData::create):
        (JSC::JSGlobalData::createLeaked):
        (JSC::JSGlobalData::sharedInstance):
        * runtime/JSGlobalData.h:
        (JSC):
        (JSGlobalData):
        * runtime/StringRecursionChecker.h:
        (JSC::StringRecursionChecker::performCheck):
        * testRegExp.cpp:
        (realMain):

2012-10-20  Martin Robinson  <mrobinson@igalia.com>

        Fix 'make dist' for the GTK+ port

        * GNUmakefile.list.am: Add missing files to the source list.

2012-10-21  Raphael Kubo da Costa  <raphael.kubo.da.costa@intel.com>

        [CMake][JSC] Depend on risc.rb to decide when to run the LLInt scripts.
        https://bugs.webkit.org/show_bug.cgi?id=99917

        Reviewed by Geoffrey Garen.

        Depend on the newly-added risc.rb to make sure we always run the
        LLInt scripts when one of them changes.

        * CMakeLists.txt:

2012-10-20  Filip Pizlo  <fpizlo@apple.com>

        LLInt backends of non-ARM RISC platforms should be able to share code with the existing ARMv7 backend
        https://bugs.webkit.org/show_bug.cgi?id=99745

        Reviewed by Geoffrey Garen.

        This moves all of the things in armv7.rb that I thought are generally useful out
        into risc.rb. It also separates some phases (branch ops is separated into one
        phase that does sensible things, and another that does things that are painfully
        ARM-specific), and removes ARM assumptions from others by using a callback to
        drive exactly what lowering must happen. The goal here is to minimize the future
        maintenance burden of LLInt by ensuring that the various platforms share as much
        lowering code as possible.

        * offlineasm/armv7.rb:
        * offlineasm/risc.rb: Added.

2012-10-19  Filip Pizlo  <fpizlo@apple.com>

        DFG should have some facility for recognizing redundant CheckArrays and Arrayifies
        https://bugs.webkit.org/show_bug.cgi?id=99287

        Reviewed by Mark Hahnenberg.

        Adds reasoning about indexing type sets (i.e. ArrayModes) to AbstractValue, which
        then enables us to fold away CheckArray's and Arrayify's that are redundant.

        * bytecode/ArrayProfile.cpp:
        (JSC::arrayModesToString):
        (JSC):
        * bytecode/ArrayProfile.h:
        (JSC):
        (JSC::mergeArrayModes):
        (JSC::arrayModesAlreadyChecked):
        * bytecode/StructureSet.h:
        (JSC::StructureSet::arrayModesFromStructures):
        (StructureSet):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::AbstractValue):
        (JSC::DFG::AbstractValue::clear):
        (JSC::DFG::AbstractValue::isClear):
        (JSC::DFG::AbstractValue::makeTop):
        (JSC::DFG::AbstractValue::clobberStructures):
        (AbstractValue):
        (JSC::DFG::AbstractValue::setMostSpecific):
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::operator==):
        (JSC::DFG::AbstractValue::merge):
        (JSC::DFG::AbstractValue::filter):
        (JSC::DFG::AbstractValue::filterArrayModes):
        (JSC::DFG::AbstractValue::validate):
        (JSC::DFG::AbstractValue::checkConsistency):
        (JSC::DFG::AbstractValue::dump):
        (JSC::DFG::AbstractValue::clobberArrayModes):
        (JSC::DFG::AbstractValue::clobberArrayModesSlow):
        (JSC::DFG::AbstractValue::setFuturePossibleStructure):
        (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::modeAlreadyChecked):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::arrayModesFor):
        (DFG):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::arrayify):

2012-10-19  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT should not inline array allocations, to make them easier to instrument
        https://bugs.webkit.org/show_bug.cgi?id=99905

        Reviewed by Mark Hahnenberg.

        This will make it easier to instrument array allocations for the purposes of profiling.
        It also allows us to kill off a bunch of code. And, this doesn't appear to hurt
        performance at all. That's expected because these days any hot allocation will end up
        in the DFG JIT, which does inline these allocations.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JIT):
        * jit/JITInlineMethods.h:
        (JSC):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array):

2012-10-19  Oliver Hunt  <oliver@apple.com>

        Fix some of the regression caused by the non-local variable reworking
        https://bugs.webkit.org/show_bug.cgi?id=99896

        Reviewed by Filip Pizlo.

        The non-local variable reworking led to some of the optimisations performed by
        the bytecode generator being dropped. This in turn put more pressure on the DFG
        optimisations. This exposed a shortcoming in our double speculation propagation.
        Now we try to distinguish between places where we should SpecDoubleReal vs generic
        SpecDouble.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
        (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPredictions):
        (JSC::DFG::PredictionPropagationPhase::propagate):

2012-10-19  Michael Saboff  <msaboff@apple.com>

        Lexer should create 8 bit Identifiers for RegularExpressions and ASCII identifiers
        https://bugs.webkit.org/show_bug.cgi?id=99855

        Reviewed by Filip Pizlo.

        Added makeIdentifier helpers that will always make an 8 bit Identifier or make an
        Identifier that is the same size as the template parameter.
        Used the first in the fast
        path when looking for a JS identifier and the second when scanning regular expressions.

        * parser/Lexer.cpp:
        (JSC::::scanRegExp):
        * parser/Lexer.h:
        (Lexer):
        (JSC::::makeIdentifierSameType):
        (JSC::::makeLCharIdentifier):
        (JSC::::lexExpectIdentifier):

2012-10-19  Mark Lam  <mark.lam@apple.com>

        Added WTF::StackStats mechanism.
        https://bugs.webkit.org/show_bug.cgi?id=99805.

        Reviewed by Geoffrey Garen.

        Added StackStats checkpoints and probes.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitNode):
        (JSC::BytecodeGenerator::emitNodeInConditionContext):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::append):
        (JSC::visitChildren):
        (JSC::SlotVisitor::donateKnownParallel):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::drainFromShared):
        (JSC::SlotVisitor::mergeOpaqueRoots):
        (JSC::SlotVisitor::internalAppend):
        (JSC::SlotVisitor::harvestWeakReferences):
        (JSC::SlotVisitor::finalizeUnconditionalFinalizers):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * parser/Parser.h:
        (JSC::Parser::canRecurse):
        * runtime/StringRecursionChecker.h:
        (StringRecursionChecker):

2012-10-19  Oliver Hunt  <oliver@apple.com>

        REGRESSION(r131822): It made 500+ tests crash on 32 bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=99814

        Reviewed by Filip Pizlo.

        Call the correct macro in 32bit.

        * llint/LowLevelInterpreter.asm:

2012-10-19  Dongwoo Joshua Im  <dw.im@samsung.com>

        Rename ENABLE_CSS3_TEXT_DECORATION to ENABLE_CSS3_TEXT
        https://bugs.webkit.org/show_bug.cgi?id=99804

        Reviewed by Julien Chaffraix.

        CSS3 text related properties will be implemented under this flag,
        including text decoration, text-align-last, and text-justify.

        * Configurations/FeatureDefines.xcconfig:

2012-10-18  Anders Carlsson  <andersca@apple.com>

        Clean up RegExpKey
        https://bugs.webkit.org/show_bug.cgi?id=99798

        Reviewed by Darin Adler.

        RegExpHash doesn't need to be a class template specialization when the class template is specialized
        for JSC::RegExpKey only. Make it a nested class of RegExp instead. Also, make operator== a friend function
        so Hash::equal can see it.

        * runtime/RegExpKey.h:
        (JSC::RegExpKey::RegExpKey):
        (JSC::RegExpKey::operator==):
        (RegExpKey):
        (JSC::RegExpKey::Hash::hash):
        (JSC::RegExpKey::Hash::equal):
        (Hash):

2012-10-19  Mark Lam  <mark.lam@apple.com>

        Bot greening: Follow up to r131877 to fix the Windows build.
        https://bugs.webkit.org/show_bug.cgi?id=99739.

        Not reviewed.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-10-19  Mark Lam  <mark.lam@apple.com>

        Bot greening: Attempt to fix broken Windows build after r131836.
        https://bugs.webkit.org/show_bug.cgi?id=99739.

        Not reviewed.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-10-19  Yuqiang Xian  <yuqiang.xian@intel.com>

        Unreviewed fix after r131868.

        On JSVALUE64 platforms, JSValue constants can be Imm64 instead of ImmPtr for JIT compilers.

        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):

2012-10-18  Filip Pizlo  <fpizlo@apple.com>

        Baseline array profiling should be less accurate, and DFG OSR exit should update array profiles on CheckArray and CheckStructure failure
        https://bugs.webkit.org/show_bug.cgi?id=99261

        Reviewed by Oliver Hunt.

        This makes array profiling stochastic, like value profiling. The point is to avoid
        noticing one-off indexing types that we'll never see again, but instead to:

        Notice the big ones: We want the DFG to compile based on the things that happen with
        high probability. So, this change makes array profiling do like value profiling and
        only notice a random subsampling of indexing types that flowed through an array
        access. Prior to this patch array profiles noticed all indexing types and weighted
        them identically.

        Bias the recent: Often an array access will see awkward indexing types during the
        first handful of executions because of artifacts of program startup. So, we want to
        bias towards the indexing types that we saw most recently. With this change, array
        profiling does like value profiling and usually tells us a random sampling that
        is biased to what happened recently.

        Have a backup plan: The above two things don't work by themselves because our
        randomness is not that random (nor do we care enough to make it more random), and
        because some procedures will have a <1/10 probability event that we must handle
        without bailing because it dominates a hot loop. So, like value profiling, this
        patch makes array profiling use OSR exits to tell us why we are bailing out, so
        that we don't make the same mistake again in the future.

        This change also makes the way that the 32-bit OSR exit compiler snatches scratch
        registers more uniform. We don't need a scratch buffer when we can push and pop.

        * bytecode/DFGExitProfile.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::arrayify):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitArrayProfilingSite):
        * llint/LowLevelInterpreter.asm:

2012-10-18  Yuqiang Xian  <yuqiang.xian@intel.com>

        [Qt] REGRESSION(r131858): It broke the ARM build
        https://bugs.webkit.org/show_bug.cgi?id=99809

        Reviewed by Csaba Osztrogonác.

        * dfg/DFGCCallHelpers.h:
        (CCallHelpers):
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):

2012-10-18  Yuqiang Xian  <yuqiang.xian@intel.com>

        Refactor MacroAssembler interfaces to differentiate the pointer operands from the 64-bit integer operands
        https://bugs.webkit.org/show_bug.cgi?id=99154

        Reviewed by Gavin Barraclough.

        In the current JavaScriptCore implementation for the JSVALUE64 platform (i.e.,
        the X64 platform), we assume that the JSValue size is the same as the
        pointer size, and thus EncodedJSValue is simply type defined as a
        "void*". In the JIT compiler, we also take this assumption and invoke
        the same macro assembler interfaces for both JSValue and pointer
        operands. We need to differentiate the operations on pointers from the
        operations on JSValues, and let them invoke different macro
        assembler interfaces. For example, we now use the interface of
        "loadPtr" to load either a pointer or a JSValue, and we need to switch
        to using "loadPtr" to load a pointer and some new "load64" interface
        to load a JSValue.
        This would help us support other JSVALUE64
        platforms where pointer size is not necessarily 64-bits, for example
        x32 (bug #99153).

        The major modification I made is to introduce the "*64" interfaces in
        the MacroAssembler for those operations on JSValues, keep the "*Ptr"
        interfaces for those operations on real pointers, and go through all
        the JIT compiler code to correct the usage.

        This is the second part of the work, i.e., to correct the usage of the
        new MacroAssembler interfaces in the JIT compilers, which also means
        that now EncodedJSValue is defined as a 64-bit integer, and the "*64"
        interfaces are used for it.

        * assembler/MacroAssembler.h: JSValue immediates should be in Imm64 instead of ImmPtr.
        (MacroAssembler):
        (JSC::MacroAssembler::shouldBlind):
        * dfg/DFGAssemblyHelpers.cpp: Correct the JIT compilers' usage of the new interfaces.
        (JSC::DFG::AssemblyHelpers::jitAssertIsInt32):
        (JSC::DFG::AssemblyHelpers::jitAssertIsJSInt32):
        (JSC::DFG::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::DFG::AssemblyHelpers::jitAssertIsJSDouble):
        (JSC::DFG::AssemblyHelpers::jitAssertIsCell):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::emitPutToCallFrameHeader):
        (JSC::DFG::AssemblyHelpers::branchIfNotCell):
        (JSC::DFG::AssemblyHelpers::debugCall):
        (JSC::DFG::AssemblyHelpers::boxDouble):
        (JSC::DFG::AssemblyHelpers::unboxDouble):
        (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        (CCallHelpers):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::emitPutReplaceStub):
        (JSC::DFG::emitPutTransitionStub):
        * dfg/DFGScratchRegisterAllocator.h:
        (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
        (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
        * dfg/DFGSilentRegisterSavePlan.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::silentSpill):
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::SpeculativeJIT::spill):
        (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::branch64):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillDouble):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::convertToDouble):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
        (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compileContiguousGetByVal):
        (JSC::DFG::SpeculativeJIT::compileArrayStorageGetByVal):
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compileArrayStoragePutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::throwExceptionFromCallSlowPathGenerator):
        (JSC::DFG::slowPathFor):
        (JSC::DFG::virtualForThunkGenerator):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JIT):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_negate):
        (JSC::JIT::emitSlow_op_negate):
        (JSC::JIT::emit_op_rshift):
        (JSC::JIT::emitSlow_op_urshift):
        (JSC::JIT::emit_compareAndJumpSlow):
        (JSC::JIT::emit_op_bitand):
        (JSC::JIT::compileBinaryArithOpSlowCase):
        (JSC::JIT::emit_op_div):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCall):
        * jit/JITInlineMethods.h: Have some
        clean-up work as well.
        (JSC):
        (JSC::JIT::emitPutCellToCallFrameHeader):
        (JSC::JIT::emitPutIntToCallFrameHeader):
        (JSC::JIT::emitPutToCallFrameHeader):
        (JSC::JIT::emitGetFromCallFrameHeader32):
        (JSC::JIT::emitGetFromCallFrameHeader64):
        (JSC::JIT::emitAllocateJSArray):
        (JSC::JIT::emitValueProfilingSite):
        (JSC::JIT::emitGetJITStubArg):
        (JSC::JIT::emitGetVirtualRegister):
        (JSC::JIT::emitPutVirtualRegister):
        (JSC::JIT::emitInitRegister):
        (JSC::JIT::emitJumpIfJSCell):
        (JSC::JIT::emitJumpIfBothJSCells):
        (JSC::JIT::emitJumpIfNotJSCell):
        (JSC::JIT::emitLoadInt32ToDouble):
        (JSC::JIT::emitJumpIfImmediateInteger):
        (JSC::JIT::emitJumpIfNotImmediateInteger):
        (JSC::JIT::emitJumpIfNotImmediateIntegers):
        (JSC::JIT::emitFastArithReTagImmediate):
        (JSC::JIT::emitFastArithIntToImmNoCheck):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_mov):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_boolean):
        (JSC::JIT::emit_op_is_number):
        (JSC::JIT::emit_op_tear_off_activation):
        (JSC::JIT::emit_op_not):
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_jtrue):
        (JSC::JIT::emit_op_bitxor):
        (JSC::JIT::emit_op_bitor):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_throw_static_error):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_create_activation):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emit_op_init_lazy_reg):
        (JSC::JIT::emitSlow_op_convert_this):
        (JSC::JIT::emitSlow_op_not):
        (JSC::JIT::emit_op_get_argument_by_val):
        (JSC::JIT::emit_op_put_to_base):
        (JSC::JIT::emit_resolve_operations):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitContiguousGetByVal):
        (JSC::JIT::emitArrayStorageGetByVal):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::compileGetDirectOffset):
        (JSC::JIT::emit_op_get_by_pname):
        (JSC::JIT::emitContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::compilePutDirectOffset):
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::emit_op_init_global_const_check):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jit/JITStubCall.h:
        (JITStubCall):
        (JSC::JITStubCall::JITStubCall):
        (JSC::JITStubCall::addArgument):
        (JSC::JITStubCall::call):
        (JSC::JITStubCall::callWithValueProfiling):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitJumpIfImmediateNumber):
        (JSC::JSInterfaceJIT::emitJumpIfNotImmediateNumber):
        (JSC::JSInterfaceJIT::emitLoadJSCell):
        (JSC::JSInterfaceJIT::emitLoadInt32):
        (JSC::JSInterfaceJIT::emitLoadDouble):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnDouble):
        (JSC::SpecializedThunkJIT::tagReturnAsInt32):
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):
        * runtime/JSValue.h: Define JSVALUE64 EncodedJSValue as int64_t, which is also unified with JSVALUE32_64.
        (JSC):
        * runtime/JSValueInlineMethods.h: New implementation of some JSValue methods to make them more conformant
        with the new rule that "JSValue is a 64-bit integer rather than a pointer" for JSVALUE64 platforms.
        (JSC):
        (JSC::JSValue::JSValue):
        (JSC::JSValue::operator bool):
        (JSC::JSValue::operator==):
        (JSC::JSValue::operator!=):
        (JSC::reinterpretDoubleToInt64):
        (JSC::reinterpretInt64ToDouble):
        (JSC::JSValue::asDouble):

2012-10-18  Michael Saboff  <msaboff@apple.com>

        convertUTF8ToUTF16() Should Check for ASCII Input
        https://bugs.webkit.org/show_bug.cgi?id=99739

        Reviewed by Geoffrey Garen.

        Using the updated convertUTF8ToUTF16(), we can determine if it makes more sense to
        create a string using the 8 bit source. Added a new OpaqueJSString::create(LChar*, unsigned).
        Had to add a cast in JSStringCreateWithCFString to differentiate which create() to call.

        * API/JSStringRef.cpp:
        (JSStringCreateWithUTF8CString):
        * API/JSStringRefCF.cpp:
        (JSStringCreateWithCFString):
        * API/OpaqueJSString.h:
        (OpaqueJSString::create):
        (OpaqueJSString):
        (OpaqueJSString::OpaqueJSString):

2012-10-18  Oliver Hunt  <oliver@apple.com>

        Unbreak jsc tests. Last minute "clever"-ness is clearly just not
        a good plan.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2012-10-18  Oliver Hunt  <oliver@apple.com>

        Bytecode should not have responsibility for determining how to perform non-local resolves
        https://bugs.webkit.org/show_bug.cgi?id=99349

        Reviewed by Gavin Barraclough.

        This patch removes lexical analysis from the bytecode generation. This allows
        us to delay lookup of non-local variables until the lookup is actually necessary,
        and simplifies a lot of the resolve logic in BytecodeGenerator.

        Once a lookup is performed we cache the lookup information in a set of out-of-line
        buffers in CodeBlock.
        This allows subsequent lookups to avoid unnecessary hashing,
        etc., and allows the respective JITs to recreate optimal lookup code.

        This is currently still a performance regression in LLInt, but most of the remaining
        regression is caused by a lot of indirection that I'll remove in future work, as well
        as some work necessary to allow LLInt to perform inline instruction repatching.
        We will also want to improve the behaviour of the baseline JIT for some of the lookup
        operations, however this patch was getting quite large already so I'm landing it now
        that we've reached the bar of "performance-neutral".

        Basic browsing seems to work.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::visitStructures):
        (JSC):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addResolve):
        (JSC::CodeBlock::addPutToBase):
        (CodeBlock):
        (JSC::CodeBlock::resolveOperations):
        (JSC::CodeBlock::putToBaseOperation):
        (JSC::CodeBlock::numberOfResolveOperations):
        (JSC::CodeBlock::numberOfPutToBaseOperations):
        (JSC::CodeBlock::addPropertyAccessInstruction):
        (JSC::CodeBlock::globalObjectConstant):
        (JSC::CodeBlock::setGlobalObjectConstant):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/ResolveGlobalStatus.cpp:
        (JSC::computeForStructure):
        (JSC::ResolveGlobalStatus::computeFor):
        * bytecode/ResolveGlobalStatus.h:
        (JSC):
        (ResolveGlobalStatus):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::ResolveResult::checkValidity):
        (JSC):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::resolve):
        (JSC::BytecodeGenerator::resolveConstDecl):
        (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveBase):
        (JSC::BytecodeGenerator::emitResolveBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithThis):
        (JSC::BytecodeGenerator::emitGetLocalVar):
        (JSC::BytecodeGenerator::emitInitGlobalConst):
        (JSC::BytecodeGenerator::emitPutToBase):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ResolveResult::registerResolve):
        (JSC::ResolveResult::dynamicResolve):
        (ResolveResult):
        (JSC::ResolveResult::ResolveResult):
        (JSC):
        (NonlocalResolveInfo):
        (JSC::NonlocalResolveInfo::NonlocalResolveInfo):
        (JSC::NonlocalResolveInfo::~NonlocalResolveInfo):
        (JSC::NonlocalResolveInfo::resolved):
        (JSC::NonlocalResolveInfo::put):
        (BytecodeGenerator):
        (JSC::BytecodeGenerator::getResolveOperations):
        (JSC::BytecodeGenerator::getResolveWithThisOperations):
        (JSC::BytecodeGenerator::getResolveBaseOperations):
        (JSC::BytecodeGenerator::getResolveBaseForPutOperations):
        (JSC::BytecodeGenerator::getResolveWithBaseForPutOperations):
        (JSC::BytecodeGenerator::getPutToBaseOperation):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::isPure):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::ForInNode::emitBytecode):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        (DFG):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canInlineResolveOperations):
        (DFG):
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canInlineOpcode):
        * dfg/DFGGraph.h:
        (ResolveGlobalData):
        (ResolveOperationData):
        (DFG):
        (PutToBaseOperationData):
        (Graph):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::resolveOperationsDataIndex):
        (Node):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::resolveOperations):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::putToBaseOperation):
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JIT):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_put_to_base):
        (JSC):
        (JSC::JIT::emit_resolve_operations):
        (JSC::JIT::emitSlow_link_resolve_operations):
        (JSC::JIT::emit_op_resolve):
        (JSC::JIT::emitSlow_op_resolve):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emitSlow_op_resolve_base):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emitSlow_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_put_to_base):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_put_to_base):
        (JSC):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::emit_op_init_global_const_check):
        (JSC::JIT::emitSlow_op_init_global_const_check):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::emit_op_init_global_const_check):
        (JSC::JIT::emitSlow_op_init_global_const_check):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC):
        * jit/JITStubs.h:
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSScope.cpp:
        (JSC::LookupResult::base):
        (JSC::LookupResult::value):
        (JSC::LookupResult::setBase):
        (JSC::LookupResult::setValue):
        (LookupResult):
        (JSC):
        (JSC::setPutPropertyAccessOffset):
        (JSC::executeResolveOperations):
        (JSC::JSScope::resolveContainingScopeInternal):
        (JSC::JSScope::resolveContainingScope):
        (JSC::JSScope::resolve):
        (JSC::JSScope::resolveBase):
        (JSC::JSScope::resolveWithBase):
        (JSC::JSScope::resolveWithThis):
        (JSC::JSScope::resolvePut):
        (JSC::JSScope::resolveGlobal):
        * runtime/JSScope.h:
        (JSScope):
        * runtime/JSVariableObject.cpp:
        (JSC):
        * runtime/JSVariableObject.h:
        (JSVariableObject):
        * runtime/Structure.h:
        (JSC::Structure::propertyAccessesAreCacheable):
        (Structure):

2012-10-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        Live oversize copied blocks should count toward overall heap fragmentation
        https://bugs.webkit.org/show_bug.cgi?id=99548

        Reviewed by Filip Pizlo.

        The CopiedSpace uses overall heap fragmentation to determine whether or not it should do any copying.
        Currently it doesn't include live oversize CopiedBlocks in the calculation, but it should. We should
        treat them as 100% utilized, since running a copying phase won't be able to free/compact any of their
        memory. We can also free any dead oversize CopiedBlocks while we're iterating over them, rather than
        iterating over them again at the end of the copying phase.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::doneFillingBlock):
        (JSC::CopiedSpace::startedCopying):
        (JSC::CopiedSpace::doneCopying): Also removed a branch when iterating over from-space at the end of
        copying. Since we eagerly recycle blocks as soon as they're fully evacuated, we should see no
        unpinned blocks in from-space at the end of copying.
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::recycleBorrowedBlock):
        * heap/CopyVisitorInlineMethods.h:
        (JSC::CopyVisitor::checkIfShouldCopy):

2012-10-18  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Build fix after r131701 and r131777.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-10-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        Race condition between GCThread and main thread during copying phase
        https://bugs.webkit.org/show_bug.cgi?id=99641

        Reviewed by Filip Pizlo.

        When a GCThread returns from copyFromShared(), it then calls doneCopying(), which returns
        its borrowed CopiedBlock to the CopiedSpace.
        This final block allows the CopiedSpace to
        continue and finish the cleanup of the copying phase. However, the GCThread can loop back
        around, see that m_currentPhase is still "Copy", and try to go through the copying phase again.
        This can cause all sorts of issues. To fix this, we should add a cyclic barrier to GCThread::waitForNextPhase().

        * heap/GCThread.cpp:
        (JSC::GCThread::waitForNextPhase): All GCThreads will wait when they finish one iteration until the main thread
        notifies them to move down to the second while loop, where they wait for the next GCPhase to start. They also
        decrement the m_numberOfActiveGCThreads counter as they begin to wait for the next phase and increment it as
        they enter the next phase. This allows the main thread to wait in endCurrentPhase() until all the threads have
        finished the current phase and are waiting on the next phase to begin. Without the counter, there would be
        no way to ensure that every thread was available for each GCPhase.
        (JSC::GCThread::gcThreadMain): We now use the m_phaseLock to synchronize with the main thread when we're being created.
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::GCThreadSharedData): As we create each GCThread, we increment the m_numberOfActiveGCThreads
        counter. When we are done creating the threads, we wait until they're all waiting for the next GCPhase. This prevents
        us from leaving some GCThreads behind during the first GCPhase, which could hurt us on our very short-running
        benchmarks (e.g. SunSpider).
        (JSC::GCThreadSharedData::~GCThreadSharedData):
        (JSC::GCThreadSharedData::startNextPhase): We atomically swap the two flags, m_gcThreadsShouldWait and m_currentPhase,
        so that if the threads finish very quickly, they will wait until the main thread is ready to end the current phase.
        (JSC::GCThreadSharedData::endCurrentPhase): Here atomically we swap the two flags again to allow the threads to
        advance to waiting on the next GCPhase. We wait until all of the GCThreads have settled into the second wait loop
        before allowing the main thread to continue. This prevents us from leaving one of the GCThreads stuck in the first
        wait loop if we were to call startNextPhase() before it had time to wake up and move on to the second wait loop.
        (JSC):
        (JSC::GCThreadSharedData::didStartMarking): We now use startNextPhase() to properly swap the flags.
        (JSC::GCThreadSharedData::didFinishMarking): Ditto for endCurrentPhase().
        (JSC::GCThreadSharedData::didStartCopying): Ditto.
        (JSC::GCThreadSharedData::didFinishCopying): Ditto.
        * heap/GCThreadSharedData.h:
        (GCThreadSharedData):
        * heap/Heap.cpp:
        (JSC::Heap::copyBackingStores): No reason to use the extra reference.

2012-10-18  Pablo Flouret  <pablof@motorola.com>

        Implement css3-conditional's @supports rule
        https://bugs.webkit.org/show_bug.cgi?id=86146

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:
        Add an ENABLE_CSS3_CONDITIONAL_RULES flag.

2012-10-18  Michael Saboff  <msaboff@apple.com>

        Make conversion between JSStringRef and WKStringRef work without character size conversions
        https://bugs.webkit.org/show_bug.cgi?id=99727

        Reviewed by Anders Carlsson.

        Export the string() method for use in WebKit.

        * API/OpaqueJSString.h:
        (OpaqueJSString::string):

2012-10-18  Raphael Kubo da Costa  <raphael.kubo.da.costa@intel.com>

        [CMake] Avoid unnecessarily running the LLInt generation commands.
        https://bugs.webkit.org/show_bug.cgi?id=99708

        Reviewed by Rob Buis.

        As described in the comments in the change itself, in some cases
        the Ruby generation scripts used when LLInt is on would each be
        run twice in every build even if nothing had changed.

        Fix that by not setting the OBJECT_DEPENDS property of some source
        files to depend on the generated headers; instead, they are now
        just part of the final binaries/libraries which use them.

        * CMakeLists.txt:

2012-10-17  Zoltan Horvath  <zoltan@webkit.org>

        Remove the JSHeap memory measurement of the PageLoad performance tests since it creates bogus JSGlobalDatas
        https://bugs.webkit.org/show_bug.cgi?id=99609

        Reviewed by Ryosuke Niwa.

        Remove the implementation since it creates bogus JSGlobalDatas in the layout tests.

        * heap/HeapStatistics.cpp:
        (JSC):
        * heap/HeapStatistics.h:
        (HeapStatistics):

2012-10-17  Sam Weinig  <sam@webkit.org>

        Attempt to fix the build.

        * bytecode/GlobalResolveInfo.h: Copied from bytecode/GlobalResolveInfo.h.

2012-10-17  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r130826 or r130828): Twitter top bar is dysfunctional
        https://bugs.webkit.org/show_bug.cgi?id=99577
        <rdar://problem/12518883>

        Reviewed by Mark Hahnenberg.

        It turns out that it's a good idea to maintain the invariants of your object model, such as that
        elements past publicLength should have the hole value.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-10-17  Anders Carlsson  <andersca@apple.com>

        Clean up Vector.h
        https://bugs.webkit.org/show_bug.cgi?id=99622

        Reviewed by Benjamin Poulain.
25706 25707 Fix fallout from removing std::max and std::min using declarations. 25708 25709 * runtime/StringPrototype.cpp: 25710 (JSC::jsSpliceSubstrings): 25711 (JSC::jsSpliceSubstringsWithSeparators): 25712 (JSC::stringProtoFuncIndexOf): 25713 * yarr/YarrPattern.cpp: 25714 (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets): 25715 257162012-10-17 Oliver Hunt <oliver@apple.com> 25717 25718 Committing new files is so overrated. 25719 25720 * bytecode/ResolveOperation.h: Added. 25721 (JSC): 25722 (JSC::ResolveOperation::getAndReturnScopedVar): 25723 (JSC::ResolveOperation::checkForDynamicEntriesBeforeGlobalScope): 25724 (ResolveOperation): 25725 (JSC::ResolveOperation::getAndReturnGlobalVar): 25726 (JSC::ResolveOperation::getAndReturnGlobalProperty): 25727 (JSC::ResolveOperation::resolveFail): 25728 (JSC::ResolveOperation::skipTopScopeNode): 25729 (JSC::ResolveOperation::skipScopes): 25730 (JSC::ResolveOperation::returnGlobalObjectAsBase): 25731 (JSC::ResolveOperation::setBaseToGlobal): 25732 (JSC::ResolveOperation::setBaseToUndefined): 25733 (JSC::ResolveOperation::setBaseToScope): 25734 (JSC::ResolveOperation::returnScopeAsBase): 25735 (JSC::PutToBaseOperation::PutToBaseOperation): 25736 257372012-10-17 Michael Saboff <msaboff@apple.com> 25738 25739 StringPrototype::jsSpliceSubstringsWithSeparators() doesn't optimally handle 8 bit strings 25740 https://bugs.webkit.org/show_bug.cgi?id=99230 25741 25742 Reviewed by Geoffrey Garen. 25743 25744 Added code to select characters8() or characters16() on the not all 8 bit path for both the 25745 processing of the source and the separators. 25746 25747 * runtime/StringPrototype.cpp: 25748 (JSC::jsSpliceSubstringsWithSeparators): 25749 257502012-10-17 Filip Pizlo <fpizlo@apple.com> 25751 25752 Array and object allocations via 'new Object' or 'new Array' should be inlined in bytecode to allow allocation site profiling 25753 https://bugs.webkit.org/show_bug.cgi?id=99557 25754 25755 Reviewed by Geoffrey Garen. 

        Removed an inaccurate and misleading comment as per Geoff's review. (I forgot
        to make this change as part of http://trac.webkit.org/changeset/131644).

        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallResolveNode::emitBytecode):

2012-10-17  Oliver Hunt  <oliver@apple.com>

        Bytecode should not have responsibility for determining how to perform non-local resolves
        https://bugs.webkit.org/show_bug.cgi?id=99349

        Reviewed by Gavin Barraclough.

        This patch removes lexical analysis from the bytecode generation. This allows
        us to delay lookup of non-local variables until the lookup is actually necessary,
        and simplifies a lot of the resolve logic in BytecodeGenerator.

        Once a lookup is performed we cache the lookup information in a set of out-of-line
        buffers in CodeBlock. This allows subsequent lookups to avoid unnecessary hashing,
        etc, and allows the respective JITs to recreate optimal lookup code.

        This is currently still a performance regression in LLInt, but most of the remaining
        regression is caused by a lot of indirection that I'll remove in future work, as well
        as some work necessary to allow LLInt to perform in-line instruction repatching.
        We will also want to improve the behaviour of the baseline JIT for some of the lookup
        operations, however this patch was getting quite large already so I'm landing it now
        that we've reached the bar of "performance-neutral".

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::visitStructures):
        (JSC):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addResolve):
        (JSC::CodeBlock::addPutToBase):
        (CodeBlock):
        (JSC::CodeBlock::resolveOperations):
        (JSC::CodeBlock::putToBaseOperation):
        (JSC::CodeBlock::numberOfResolveOperations):
        (JSC::CodeBlock::numberOfPutToBaseOperations):
        (JSC::CodeBlock::addPropertyAccessInstruction):
        (JSC::CodeBlock::globalObjectConstant):
        (JSC::CodeBlock::setGlobalObjectConstant):
        * bytecode/GlobalResolveInfo.h: Removed.
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/ResolveGlobalStatus.cpp:
        (JSC::computeForStructure):
        (JSC::ResolveGlobalStatus::computeFor):
        * bytecode/ResolveGlobalStatus.h:
        (JSC):
        (ResolveGlobalStatus):
        * bytecode/ResolveOperation.h: Added.
        The new types and logic we use to perform the cached lookups.
        (JSC):
        (ResolveOperation):
        (JSC::ResolveOperation::getAndReturnScopedVar):
        (JSC::ResolveOperation::checkForDynamicEntriesBeforeGlobalScope):
        (JSC::ResolveOperation::getAndReturnGlobalVar):
        (JSC::ResolveOperation::getAndReturnGlobalProperty):
        (JSC::ResolveOperation::resolveFail):
        (JSC::ResolveOperation::skipTopScopeNode):
        (JSC::ResolveOperation::skipScopes):
        (JSC::ResolveOperation::returnGlobalObjectAsBase):
        (JSC::ResolveOperation::setBaseToGlobal):
        (JSC::ResolveOperation::setBaseToUndefined):
        (JSC::ResolveOperation::setBaseToScope):
        (JSC::ResolveOperation::returnScopeAsBase):
        (JSC::PutToBaseOperation::PutToBaseOperation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::ResolveResult::checkValidity):
        (JSC):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::resolve):
        (JSC::BytecodeGenerator::resolveConstDecl):
        (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveBase):
        (JSC::BytecodeGenerator::emitResolveBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithThis):
        (JSC::BytecodeGenerator::emitGetLocalVar):
        (JSC::BytecodeGenerator::emitInitGlobalConst):
        (JSC::BytecodeGenerator::emitPutToBase):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ResolveResult::registerResolve):
        (JSC::ResolveResult::dynamicResolve):
        (ResolveResult):
        (JSC::ResolveResult::ResolveResult):
        (JSC):
        (NonlocalResolveInfo):
        (JSC::NonlocalResolveInfo::NonlocalResolveInfo):
        (JSC::NonlocalResolveInfo::~NonlocalResolveInfo):
        (JSC::NonlocalResolveInfo::resolved):
        (JSC::NonlocalResolveInfo::put):
        (BytecodeGenerator):
        (JSC::BytecodeGenerator::getResolveOperations):
        (JSC::BytecodeGenerator::getResolveWithThisOperations):
        (JSC::BytecodeGenerator::getResolveBaseOperations):
        (JSC::BytecodeGenerator::getResolveBaseForPutOperations):
        (JSC::BytecodeGenerator::getResolveWithBaseForPutOperations):
        (JSC::BytecodeGenerator::getPutToBaseOperation):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::isPure):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::ForInNode::emitBytecode):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        (DFG):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileResolveOperations):
        (DFG):
        (JSC::DFG::canCompilePutToBaseOperation):
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canInlineOpcode):
        * dfg/DFGGraph.h:
        (ResolveGlobalData):
        (ResolveOperationData):
        (DFG):
        (PutToBaseOperationData):
        (Graph):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::resolveOperationsDataIndex):
        (Node):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::resolveOperations):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::putToBaseOperation):
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JIT):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_put_to_base):
        (JSC):
        (JSC::JIT::emit_resolve_operations):
        (JSC::JIT::emitSlow_link_resolve_operations):
        (JSC::JIT::emit_op_resolve):
        (JSC::JIT::emitSlow_op_resolve):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emitSlow_op_resolve_base):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emitSlow_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_put_to_base):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_put_to_base):
        (JSC):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::emit_op_init_global_const_check):
        (JSC::JIT::emitSlow_op_init_global_const_check):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::emit_op_init_global_const_check):
        (JSC::JIT::emitSlow_op_init_global_const_check):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC):
        * jit/JITStubs.h:
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSScope.cpp:
        (JSC::LookupResult::base):
        (JSC::LookupResult::value):
        (JSC::LookupResult::setBase):
        (JSC::LookupResult::setValue):
        (LookupResult):
        (JSC):
        (JSC::setPutPropertyAccessOffset):
        (JSC::executeResolveOperations):
        (JSC::JSScope::resolveContainingScopeInternal):
        (JSC::JSScope::resolveContainingScope):
        (JSC::JSScope::resolve):
        (JSC::JSScope::resolveBase):
        (JSC::JSScope::resolveWithBase):
        (JSC::JSScope::resolveWithThis):
        (JSC::JSScope::resolvePut):
        (JSC::JSScope::resolveGlobal):
        * runtime/JSScope.h:
        (JSScope):
        * runtime/JSVariableObject.cpp:
        (JSC):
        * runtime/JSVariableObject.h:
        (JSVariableObject):
        * runtime/Structure.h:
        (JSC::Structure::propertyAccessesAreCacheable):
        (Structure):

2012-10-17  Filip Pizlo  <fpizlo@apple.com>

        Array and object allocations via 'new Object' or 'new Array' should be inlined in bytecode to allow allocation site profiling
        https://bugs.webkit.org/show_bug.cgi?id=99557

        Reviewed by Geoffrey Garen.

        This uses the old jneq_ptr trick to allow for the bytecode to "see" that the
        operation in question is what we almost certainly know it to be.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/SpecialPointer.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallEval):
        (JSC::BytecodeGenerator::expectedFunctionForIdentifier):
        (JSC):
        (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::NewExprNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::FunctionCallDotNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        (JIT):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array_with_size):
        (JSC):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC):
        * jit/JITStubs.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (LLInt):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter.asm:
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        (JSC):
        * runtime/ArrayConstructor.h:
        (JSC):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC):

2012-10-17  Filip Pizlo  <fpizlo@apple.com>

        JIT op_get_by_pname should call cti_get_by_val_generic and not cti_get_by_val
        https://bugs.webkit.org/show_bug.cgi?id=99631
        <rdar://problem/12483221>

        Reviewed by Mark Hahnenberg.

        cti_get_by_val assumes that the return address has patching metadata associated with it, which won't
        be true for op_get_by_pname. cti_get_by_val_generic makes no such assumptions.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_get_by_pname):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_get_by_pname):

2012-10-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        Block freeing thread should sleep indefinitely when there's no work to do
        https://bugs.webkit.org/show_bug.cgi?id=98084

        Reviewed by Geoffrey Garen.

        r130212 didn't fully fix the problem.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::blockFreeingThreadMain): We would just continue to the next iteration if
        we found that we had zero blocks to copy. We should move the indefinite wait up to where that
        check is done so that we properly detect the "no more blocks to copy, wait for more" condition.

2012-10-16  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed, rolling out r131516 and r131550.
        http://trac.webkit.org/changeset/131516
        http://trac.webkit.org/changeset/131550
        https://bugs.webkit.org/show_bug.cgi?id=99349

        It caused a zillion different problems on different platforms.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC):
        (JSC::isGlobalResolve):
        (JSC::instructionOffsetForNth):
        (JSC::printGlobalResolveInfo):
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::visitStructures):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::hasGlobalResolveInfoAtBytecodeOffset):
        (JSC::CodeBlock::globalResolveInfoForBytecodeOffset):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::addGlobalResolveInstruction):
        (JSC::CodeBlock::addGlobalResolveInfo):
        (JSC::CodeBlock::globalResolveInfo):
        (JSC::CodeBlock::numberOfGlobalResolveInfos):
        (JSC::CodeBlock::globalResolveInfoCount):
        * bytecode/GlobalResolveInfo.h: Copied from Source/JavaScriptCore/bytecode/ResolveGlobalStatus.cpp.
        (JSC):
        (JSC::GlobalResolveInfo::GlobalResolveInfo):
        (GlobalResolveInfo):
        (JSC::getGlobalResolveInfoBytecodeOffset):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/ResolveGlobalStatus.cpp:
        (JSC):
        (JSC::computeForStructure):
        (JSC::computeForLLInt):
        (JSC::ResolveGlobalStatus::computeFor):
        * bytecode/ResolveGlobalStatus.h:
        (JSC):
        (ResolveGlobalStatus):
        * bytecode/ResolveOperation.h: Removed.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::ResolveResult::checkValidity):
        (JSC::ResolveResult::registerPointer):
        (JSC):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::resolve):
        (JSC::BytecodeGenerator::resolveConstDecl):
        (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveBase):
        (JSC::BytecodeGenerator::emitResolveBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithBase):
        (JSC::BytecodeGenerator::emitResolveWithThis):
        (JSC::BytecodeGenerator::emitGetStaticVar):
        (JSC::BytecodeGenerator::emitInitGlobalConst):
        (JSC::BytecodeGenerator::emitPutStaticVar):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ResolveResult::registerResolve):
        (JSC::ResolveResult::dynamicResolve):
        (JSC::ResolveResult::lexicalResolve):
        (JSC::ResolveResult::indexedGlobalResolve):
        (JSC::ResolveResult::dynamicIndexedGlobalResolve):
        (JSC::ResolveResult::globalResolve):
        (JSC::ResolveResult::dynamicGlobalResolve):
        (JSC::ResolveResult::type):
        (JSC::ResolveResult::index):
        (JSC::ResolveResult::depth):
        (JSC::ResolveResult::globalObject):
        (ResolveResult):
        (JSC::ResolveResult::isStatic):
        (JSC::ResolveResult::isIndexed):
        (JSC::ResolveResult::isScoped):
        (JSC::ResolveResult::isGlobal):
        (JSC::ResolveResult::ResolveResult):
        (BytecodeGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::isPure):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::ForInNode::emitBytecode):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canInlineOpcode):
        * dfg/DFGGraph.h:
        (ResolveGlobalData):
        (DFG):
        (Graph):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        (JSC):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JIT):
        (JSC::JIT::emit_op_get_global_var_watchable):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_resolve):
        (JSC):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emit_op_resolve_global):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emit_op_resolve_global_dynamic):
        (JSC::JIT::emitSlow_op_resolve_global_dynamic):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_resolve):
        (JSC):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emit_op_resolve_global):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_get_global_var):
        (JSC::JIT::emit_op_put_global_var):
        (JSC::JIT::emit_op_put_global_var_check):
        (JSC::JIT::emitSlow_op_put_global_var_check):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_get_global_var):
        (JSC::JIT::emit_op_put_global_var):
        (JSC::JIT::emit_op_put_global_var_check):
        (JSC::JIT::emitSlow_op_put_global_var_check):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC):
        * jit/JITStubs.h:
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSScope.cpp:
        (JSC::JSScope::resolve):
        (JSC::JSScope::resolveSkip):
        (JSC::JSScope::resolveGlobal):
        (JSC::JSScope::resolveGlobalDynamic):
        (JSC::JSScope::resolveBase):
        (JSC::JSScope::resolveWithBase):
        (JSC::JSScope::resolveWithThis):
        * runtime/JSScope.h:
        (JSScope):
        * runtime/JSVariableObject.cpp:
        * runtime/JSVariableObject.h:
        * runtime/Structure.h:

2012-10-16  Dongwoo Joshua Im  <dw.im@samsung.com>

        [GTK] Fix build break - ResolveOperations.h is not in WebKit.
        https://bugs.webkit.org/show_bug.cgi?id=99538

        Unreviewed build fix.

        There are some files including ResolveOperations.h, which does not exist at all.

        * GNUmakefile.list.am: s/ResolveOperations.h/ResolveOperation.h/
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: s/ResolveOperations.h/ResolveOperation.h/

2012-10-16  Jian Li  <jianli@chromium.org>

        Rename feature define ENABLE_WIDGET_REGION to ENABLE_DRAGGBALE_REGION
        https://bugs.webkit.org/show_bug.cgi?id=98975

        Reviewed by Adam Barth.

        Renaming is needed to better match with the draggable region code.

        * Configurations/FeatureDefines.xcconfig:

2012-10-15  Oliver Hunt  <oliver@apple.com>

        Bytecode should not have responsibility for determining how to perform non-local resolves
        https://bugs.webkit.org/show_bug.cgi?id=99349

        Reviewed by Gavin Barraclough.

        This patch removes lexical analysis from the bytecode generation. This allows
        us to delay lookup of non-local variables until the lookup is actually necessary,
        and simplifies a lot of the resolve logic in BytecodeGenerator.

        Once a lookup is performed we cache the lookup information in a set of out-of-line
        buffers in CodeBlock. This allows subsequent lookups to avoid unnecessary hashing,
        etc, and allows the respective JITs to recreate optimal lookup code.

        This is currently still a performance regression in LLInt, but most of the remaining
        regression is caused by a lot of indirection that I'll remove in future work, as well
        as some work necessary to allow LLInt to perform in-line instruction repatching.
        We will also want to improve the behaviour of the baseline JIT for some of the lookup
        operations, however this patch was getting quite large already so I'm landing it now
        that we've reached the bar of "performance-neutral".

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::visitStructures):
        (JSC):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addResolve):
        (JSC::CodeBlock::addPutToBase):
        (CodeBlock):
        (JSC::CodeBlock::resolveOperations):
        (JSC::CodeBlock::putToBaseOperation):
        (JSC::CodeBlock::numberOfResolveOperations):
        (JSC::CodeBlock::numberOfPutToBaseOperations):
        (JSC::CodeBlock::addPropertyAccessInstruction):
        (JSC::CodeBlock::globalObjectConstant):
        (JSC::CodeBlock::setGlobalObjectConstant):
        * bytecode/GlobalResolveInfo.h: Removed.
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/ResolveGlobalStatus.cpp:
        (JSC::computeForStructure):
        (JSC::ResolveGlobalStatus::computeFor):
        * bytecode/ResolveGlobalStatus.h:
        (JSC):
        (ResolveGlobalStatus):
        * bytecode/ResolveOperation.h: Added.
        The new types and logic we use to perform the cached lookups.
        (JSC):
        (ResolveOperation):
        (JSC::ResolveOperation::getAndReturnScopedVar):
        (JSC::ResolveOperation::checkForDynamicEntriesBeforeGlobalScope):
        (JSC::ResolveOperation::getAndReturnGlobalVar):
        (JSC::ResolveOperation::getAndReturnGlobalProperty):
        (JSC::ResolveOperation::resolveFail):
        (JSC::ResolveOperation::skipTopScopeNode):
        (JSC::ResolveOperation::skipScopes):
        (JSC::ResolveOperation::returnGlobalObjectAsBase):
        (JSC::ResolveOperation::setBaseToGlobal):
        (JSC::ResolveOperation::setBaseToUndefined):
        (JSC::ResolveOperation::setBaseToScope):
        (JSC::ResolveOperation::returnScopeAsBase):
        (JSC::PutToBaseOperation::PutToBaseOperation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::ResolveResult::checkValidity):
        (JSC):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::resolve):
        (JSC::BytecodeGenerator::resolveConstDecl):
        (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveBase):
        (JSC::BytecodeGenerator::emitResolveBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithThis):
        (JSC::BytecodeGenerator::emitGetLocalVar):
        (JSC::BytecodeGenerator::emitInitGlobalConst):
        (JSC::BytecodeGenerator::emitPutToBase):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ResolveResult::registerResolve):
        (JSC::ResolveResult::dynamicResolve):
        (ResolveResult):
        (JSC::ResolveResult::ResolveResult):
        (JSC):
        (NonlocalResolveInfo):
        (JSC::NonlocalResolveInfo::NonlocalResolveInfo):
        (JSC::NonlocalResolveInfo::~NonlocalResolveInfo):
        (JSC::NonlocalResolveInfo::resolved):
        (JSC::NonlocalResolveInfo::put):
        (BytecodeGenerator):
        (JSC::BytecodeGenerator::getResolveOperations):
        (JSC::BytecodeGenerator::getResolveWithThisOperations):
        (JSC::BytecodeGenerator::getResolveBaseOperations):
        (JSC::BytecodeGenerator::getResolveBaseForPutOperations):
        (JSC::BytecodeGenerator::getResolveWithBaseForPutOperations):
        (JSC::BytecodeGenerator::getPutToBaseOperation):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::isPure):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::ForInNode::emitBytecode):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        (DFG):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileResolveOperations):
        (DFG):
        (JSC::DFG::canCompilePutToBaseOperation):
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canInlineOpcode):
        * dfg/DFGGraph.h:
        (ResolveGlobalData):
        (ResolveOperationData):
        (DFG):
        (PutToBaseOperationData):
        (Graph):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::resolveOperationsDataIndex):
        (Node):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::resolveOperations):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::putToBaseOperation):
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JIT):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_put_to_base):
        (JSC):
        (JSC::JIT::emit_resolve_operations):
        (JSC::JIT::emitSlow_link_resolve_operations):
        (JSC::JIT::emit_op_resolve):
        (JSC::JIT::emitSlow_op_resolve):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emitSlow_op_resolve_base):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emitSlow_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_put_to_base):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_put_to_base):
        (JSC):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::emit_op_init_global_const_check):
        (JSC::JIT::emitSlow_op_init_global_const_check):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::emit_op_init_global_const_check):
        (JSC::JIT::emitSlow_op_init_global_const_check):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC):
        * jit/JITStubs.h:
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSScope.cpp:
        (JSC::LookupResult::base):
        (JSC::LookupResult::value):
        (JSC::LookupResult::setBase):
        (JSC::LookupResult::setValue):
        (LookupResult):
        (JSC):
        (JSC::setPutPropertyAccessOffset):
        (JSC::executeResolveOperations):
        (JSC::JSScope::resolveContainingScopeInternal):
        (JSC::JSScope::resolveContainingScope):
        (JSC::JSScope::resolve):
        (JSC::JSScope::resolveBase):
        (JSC::JSScope::resolveWithBase):
        (JSC::JSScope::resolveWithThis):
        (JSC::JSScope::resolvePut):
        (JSC::JSScope::resolveGlobal):
        * runtime/JSScope.h:
        (JSScope):
        * runtime/JSVariableObject.cpp:
        (JSC):
        * runtime/JSVariableObject.h:
        (JSVariableObject):
        * runtime/Structure.h:
        (JSC::Structure::propertyAccessesAreCacheable):
        (Structure):

2012-10-16  Filip Pizlo  <fpizlo@apple.com>

        Accidental switch fall-through in DFG::FixupPhase
        https://bugs.webkit.org/show_bug.cgi?id=96956
        <rdar://problem/12313242>

        Reviewed by Mark Hahnenberg.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2012-10-16  Filip Pizlo  <fpizlo@apple.com>

        GetScopedVar CSE matches dead GetScopedVar's leading to IR corruption
        https://bugs.webkit.org/show_bug.cgi?id=99470
        <rdar://problem/12363698>

        Reviewed by Mark Hahnenberg.

        All it takes is to follow the "if (!shouldGenerate) continue" idiom and everything will be OK.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::globalVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):

2012-10-16  Dima Gorbik  <dgorbik@apple.com>

        Remove Platform.h include from the header files.
        https://bugs.webkit.org/show_bug.cgi?id=98665

        Reviewed by Eric Seidel.

        We don't want other clients that include WebKit headers to know about Platform.h.

        * API/tests/minidom.c:
        * API/tests/testapi.c:

2012-10-16  Balazs Kilvady  <kilvadyb@homejinni.com>

        Add missing MIPS functions to assembler.
        https://bugs.webkit.org/show_bug.cgi?id=98856

        Reviewed by Oliver Hunt.

        Implement missing functions in MacroAssemblerMIPS and MIPSAssembler.
26612 26613 * assembler/MIPSAssembler.h: 26614 (JSC::MIPSAssembler::lb): 26615 (MIPSAssembler): 26616 (JSC::MIPSAssembler::lh): 26617 (JSC::MIPSAssembler::cvtds): 26618 (JSC::MIPSAssembler::cvtsd): 26619 (JSC::MIPSAssembler::vmov): 26620 * assembler/MacroAssemblerMIPS.h: 26621 (MacroAssemblerMIPS): 26622 (JSC::MacroAssemblerMIPS::load8Signed): 26623 (JSC::MacroAssemblerMIPS::load16Signed): 26624 (JSC::MacroAssemblerMIPS::moveDoubleToInts): 26625 (JSC::MacroAssemblerMIPS::moveIntsToDouble): 26626 (JSC::MacroAssemblerMIPS::loadFloat): 26627 (JSC::MacroAssemblerMIPS::loadDouble): 26628 (JSC::MacroAssemblerMIPS::storeFloat): 26629 (JSC::MacroAssemblerMIPS::storeDouble): 26630 (JSC::MacroAssemblerMIPS::addDouble): 26631 (JSC::MacroAssemblerMIPS::convertFloatToDouble): 26632 (JSC::MacroAssemblerMIPS::convertDoubleToFloat): 26633 266342012-10-16 Balazs Kilvady <kilvadyb@homejinni.com> 26635 26636 MIPS assembler coding-style fix. 26637 https://bugs.webkit.org/show_bug.cgi?id=99359 26638 26639 Reviewed by Oliver Hunt. 26640 26641 Coding style fix of existing MIPS assembler header files. 
26642 26643 * assembler/MIPSAssembler.h: 26644 (JSC::MIPSAssembler::addiu): 26645 (JSC::MIPSAssembler::addu): 26646 (JSC::MIPSAssembler::subu): 26647 (JSC::MIPSAssembler::mul): 26648 (JSC::MIPSAssembler::andInsn): 26649 (JSC::MIPSAssembler::andi): 26650 (JSC::MIPSAssembler::nor): 26651 (JSC::MIPSAssembler::orInsn): 26652 (JSC::MIPSAssembler::ori): 26653 (JSC::MIPSAssembler::xorInsn): 26654 (JSC::MIPSAssembler::xori): 26655 (JSC::MIPSAssembler::slt): 26656 (JSC::MIPSAssembler::sltu): 26657 (JSC::MIPSAssembler::sltiu): 26658 (JSC::MIPSAssembler::sll): 26659 (JSC::MIPSAssembler::sllv): 26660 (JSC::MIPSAssembler::sra): 26661 (JSC::MIPSAssembler::srav): 26662 (JSC::MIPSAssembler::srl): 26663 (JSC::MIPSAssembler::srlv): 26664 (JSC::MIPSAssembler::lbu): 26665 (JSC::MIPSAssembler::lw): 26666 (JSC::MIPSAssembler::lwl): 26667 (JSC::MIPSAssembler::lwr): 26668 (JSC::MIPSAssembler::lhu): 26669 (JSC::MIPSAssembler::sb): 26670 (JSC::MIPSAssembler::sh): 26671 (JSC::MIPSAssembler::sw): 26672 (JSC::MIPSAssembler::addd): 26673 (JSC::MIPSAssembler::subd): 26674 (JSC::MIPSAssembler::muld): 26675 (JSC::MIPSAssembler::divd): 26676 (JSC::MIPSAssembler::lwc1): 26677 (JSC::MIPSAssembler::ldc1): 26678 (JSC::MIPSAssembler::swc1): 26679 (JSC::MIPSAssembler::sdc1): 26680 (MIPSAssembler): 26681 (JSC::MIPSAssembler::relocateJumps): 26682 (JSC::MIPSAssembler::linkWithOffset): 26683 * assembler/MacroAssemblerMIPS.h: 26684 (JSC::MacroAssemblerMIPS::add32): 26685 (JSC::MacroAssemblerMIPS::and32): 26686 (JSC::MacroAssemblerMIPS::sub32): 26687 (MacroAssemblerMIPS): 26688 (JSC::MacroAssemblerMIPS::load8): 26689 (JSC::MacroAssemblerMIPS::load32): 26690 (JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords): 26691 (JSC::MacroAssemblerMIPS::load16): 26692 (JSC::MacroAssemblerMIPS::store8): 26693 (JSC::MacroAssemblerMIPS::store16): 26694 (JSC::MacroAssemblerMIPS::store32): 26695 (JSC::MacroAssemblerMIPS::nearCall): 26696 (JSC::MacroAssemblerMIPS::test8): 26697 (JSC::MacroAssemblerMIPS::test32): 26698 
266992012-10-16 Yuqiang Xian <yuqiang.xian@intel.com> 26700 26701 Refactor MacroAssembler interfaces to differentiate the pointer operands from the 64-bit integer operands 26702 https://bugs.webkit.org/show_bug.cgi?id=99154 26703 26704 Reviewed by Gavin Barraclough. 26705 26706 In current JavaScriptCore implementation for JSVALUE64 platform (i.e., 26707 the X64 platform), we assume that the JSValue size is same to the 26708 pointer size, and thus EncodedJSValue is simply type defined as a 26709 "void*". In the JIT compiler, we also take this assumption and invoke 26710 the same macro assembler interfaces for both JSValue and pointer 26711 operands. We need to differentiate the operations on pointers from the 26712 operations on JSValues, and let them invoking different macro 26713 assembler interfaces. For example, we now use the interface of 26714 "loadPtr" to load either a pointer or a JSValue, and we need to switch 26715 to using "loadPtr" to load a pointer and some new "load64" interface 26716 to load a JSValue. This would help us supporting other JSVALUE64 26717 platforms where pointer size is not necessarily 64-bits, for example 26718 x32 (bug #99153). 26719 26720 The major modification I made is to introduce the "*64" interfaces in 26721 the MacroAssembler for those operations on JSValues, keep the "*Ptr" 26722 interfaces for those operations on real pointers, and go through all 26723 the JIT compiler code to correct the usage. 26724 26725 This is the first part of the work, i.e, to add the *64 interfaces to 26726 the MacroAssembler. 26727 26728 * assembler/AbstractMacroAssembler.h: Add the Imm64 interfaces. 26729 (AbstractMacroAssembler): 26730 (JSC::AbstractMacroAssembler::TrustedImm64::TrustedImm64): 26731 (TrustedImm64): 26732 (JSC::AbstractMacroAssembler::Imm64::Imm64): 26733 (Imm64): 26734 (JSC::AbstractMacroAssembler::Imm64::asTrustedImm64): 26735 * assembler/MacroAssembler.h: map <foo>Ptr methods to <foo>64 for X86_64. 
26736 (MacroAssembler): 26737 (JSC::MacroAssembler::peek64): 26738 (JSC::MacroAssembler::poke): 26739 (JSC::MacroAssembler::poke64): 26740 (JSC::MacroAssembler::addPtr): 26741 (JSC::MacroAssembler::andPtr): 26742 (JSC::MacroAssembler::negPtr): 26743 (JSC::MacroAssembler::orPtr): 26744 (JSC::MacroAssembler::rotateRightPtr): 26745 (JSC::MacroAssembler::subPtr): 26746 (JSC::MacroAssembler::xorPtr): 26747 (JSC::MacroAssembler::loadPtr): 26748 (JSC::MacroAssembler::loadPtrWithAddressOffsetPatch): 26749 (JSC::MacroAssembler::loadPtrWithCompactAddressOffsetPatch): 26750 (JSC::MacroAssembler::storePtr): 26751 (JSC::MacroAssembler::storePtrWithAddressOffsetPatch): 26752 (JSC::MacroAssembler::movePtrToDouble): 26753 (JSC::MacroAssembler::moveDoubleToPtr): 26754 (JSC::MacroAssembler::comparePtr): 26755 (JSC::MacroAssembler::testPtr): 26756 (JSC::MacroAssembler::branchPtr): 26757 (JSC::MacroAssembler::branchTestPtr): 26758 (JSC::MacroAssembler::branchAddPtr): 26759 (JSC::MacroAssembler::branchSubPtr): 26760 (JSC::MacroAssembler::shouldBlindDouble): 26761 (JSC::MacroAssembler::shouldBlind): 26762 (JSC::MacroAssembler::RotatedImm64::RotatedImm64): 26763 (RotatedImm64): 26764 (JSC::MacroAssembler::rotationBlindConstant): 26765 (JSC::MacroAssembler::loadRotationBlindedConstant): 26766 (JSC::MacroAssembler::move): 26767 (JSC::MacroAssembler::and64): 26768 (JSC::MacroAssembler::store64): 26769 * assembler/MacroAssemblerX86Common.h: 26770 (JSC::MacroAssemblerX86Common::shouldBlindForSpecificArch): 26771 (MacroAssemblerX86Common): 26772 (JSC::MacroAssemblerX86Common::move): 26773 * assembler/MacroAssemblerX86_64.h: Add the <foo>64 methods for X86_64. 
26774 (JSC::MacroAssemblerX86_64::branchAdd32): 26775 (JSC::MacroAssemblerX86_64::add64): 26776 (MacroAssemblerX86_64): 26777 (JSC::MacroAssemblerX86_64::and64): 26778 (JSC::MacroAssemblerX86_64::neg64): 26779 (JSC::MacroAssemblerX86_64::or64): 26780 (JSC::MacroAssemblerX86_64::rotateRight64): 26781 (JSC::MacroAssemblerX86_64::sub64): 26782 (JSC::MacroAssemblerX86_64::xor64): 26783 (JSC::MacroAssemblerX86_64::load64): 26784 (JSC::MacroAssemblerX86_64::load64WithAddressOffsetPatch): 26785 (JSC::MacroAssemblerX86_64::load64WithCompactAddressOffsetPatch): 26786 (JSC::MacroAssemblerX86_64::store64): 26787 (JSC::MacroAssemblerX86_64::store64WithAddressOffsetPatch): 26788 (JSC::MacroAssemblerX86_64::move64ToDouble): 26789 (JSC::MacroAssemblerX86_64::moveDoubleTo64): 26790 (JSC::MacroAssemblerX86_64::compare64): 26791 (JSC::MacroAssemblerX86_64::branch64): 26792 (JSC::MacroAssemblerX86_64::branchTest64): 26793 (JSC::MacroAssemblerX86_64::test64): 26794 (JSC::MacroAssemblerX86_64::branchAdd64): 26795 (JSC::MacroAssemblerX86_64::branchSub64): 26796 (JSC::MacroAssemblerX86_64::branchPtrWithPatch): 26797 (JSC::MacroAssemblerX86_64::storePtrWithPatch): 26798 267992012-10-15 Mark Hahnenberg <mhahnenberg@apple.com> 26800 26801 Make CopiedSpace and MarkedSpace regions independent 26802 https://bugs.webkit.org/show_bug.cgi?id=99222 26803 26804 Reviewed by Filip Pizlo. 26805 26806 Right now CopiedSpace and MarkedSpace have the same block size and share the same regions, 26807 but there's no reason that they can't have different block sizes while still sharing the 26808 same underlying regions. We should factor the two "used" lists of regions apart so that 26809 MarkedBlocks and CopiedBlocks can be different sizes. Regions will still be a uniform size 26810 so that when they become empty they may be shared between the CopiedSpace and the MarkedSpace, 26811 since benchmarks indicate that sharing is a boon for performance. 
26812 26813 * heap/BlockAllocator.cpp: 26814 (JSC::BlockAllocator::BlockAllocator): 26815 * heap/BlockAllocator.h: 26816 (JSC): 26817 (Region): 26818 (JSC::Region::create): We now have a fixed size for Regions so that empty regions can continue to 26819 be shared between the MarkedSpace and CopiedSpace. Once they are used for a specific type of block, 26820 however, they can only be used for that type of block until they become empty again. 26821 (JSC::Region::createCustomSize): 26822 (JSC::Region::Region): 26823 (JSC::Region::~Region): 26824 (JSC::Region::reset): 26825 (BlockAllocator): 26826 (JSC::BlockAllocator::RegionSet::RegionSet): 26827 (RegionSet): 26828 (JSC::BlockAllocator::tryAllocateFromRegion): We change this function so that it correctly 26829 moves blocks between empty, partial, and full lists. 26830 (JSC::BlockAllocator::allocate): 26831 (JSC::BlockAllocator::allocateCustomSize): 26832 (JSC::BlockAllocator::deallocate): Ditto. 26833 (JSC::CopiedBlock): 26834 (JSC::MarkedBlock): 26835 (JSC::BlockAllocator::regionSetFor): We use this so that we can use the same allocate/deallocate 26836 functions with different RegionSets. We specialize the function for each type of block that we 26837 want to allocate. 26838 * heap/CopiedBlock.h: 26839 (CopiedBlock): 26840 * heap/CopiedSpace.h: 26841 (CopiedSpace): 26842 * heap/HeapBlock.h: 26843 (HeapBlock): 26844 * heap/MarkedBlock.cpp: 26845 (JSC::MarkedBlock::MarkedBlock): For oversize MarkedBlocks, if the block size gets too big we can 26846 underflow the endAtom, which will cause us to segfault when we try to sweep a block. If we're a 26847 custom size MarkedBlock we need to calculate endAtom so it doesn't underflow. 26848 268492012-10-14 Filip Pizlo <fpizlo@apple.com> 26850 26851 JIT::JIT fails to initialize all of its fields 26852 https://bugs.webkit.org/show_bug.cgi?id=99283 26853 26854 Reviewed by Andreas Kling. 
26855 26856 There were two groups of such fields, all of which are eventually initialized 26857 prior to use inside of privateCompile(). But it's safer to make sure that they 26858 are initialized in the constructor as well, since we may use the JIT to do a 26859 stub compile without calling into privateCompile(). 26860 26861 Unsigned index fields for dynamic repatching meta-data: this change 26862 initializes them to UINT_MAX, so we should crash if we try to use those 26863 indices without initializing them. 26864 26865 Boolean flags for value profiling: this change initializes them to false, so 26866 we at worst turn off value profiling. 26867 26868 * jit/JIT.cpp: 26869 (JSC::JIT::JIT): 26870 268712012-10-15 Mark Hahnenberg <mhahnenberg@apple.com> 26872 26873 We should avoid weakCompareAndSwap when parallel GC is disabled 26874 https://bugs.webkit.org/show_bug.cgi?id=99331 26875 26876 Reviewed by Filip Pizlo. 26877 26878 CopiedBlock::reportLiveBytes and didEvacuateBytes uses weakCompareAndSwap, which some platforms 26879 don't support. For platforms that don't have parallel GC enabled, we should just use a normal store. 26880 26881 * heap/CopiedBlock.h: 26882 (JSC::CopiedBlock::reportLiveBytes): 26883 (JSC::CopiedBlock::didEvacuateBytes): 26884 268852012-10-15 Carlos Garcia Campos <cgarcia@igalia.com> 26886 26887 Unreviewed. Fix make distcheck. 26888 26889 * GNUmakefile.list.am: Add missing header file. 26890 268912012-10-14 Filip Pizlo <fpizlo@apple.com> 26892 26893 DFG should handle polymorphic array modes by eagerly transforming arrays into the most general applicable form 26894 https://bugs.webkit.org/show_bug.cgi?id=99269 26895 26896 Reviewed by Geoffrey Garen. 26897 26898 This kills off a bunch of code for "polymorphic" array modes in the DFG. It should 26899 also be a performance win for code that uses a lot of array storage arrays. 
26900 26901 * dfg/DFGAbstractState.cpp: 26902 (JSC::DFG::AbstractState::execute): 26903 * dfg/DFGArrayMode.cpp: 26904 (JSC::DFG::fromObserved): 26905 (JSC::DFG::modeAlreadyChecked): 26906 (JSC::DFG::modeToString): 26907 * dfg/DFGArrayMode.h: 26908 (DFG): 26909 (JSC::DFG::modeUsesButterfly): 26910 (JSC::DFG::modeIsJSArray): 26911 (JSC::DFG::mayStoreToTail): 26912 (JSC::DFG::mayStoreToHole): 26913 (JSC::DFG::canCSEStorage): 26914 (JSC::DFG::modeSupportsLength): 26915 (JSC::DFG::benefitsFromStructureCheck): 26916 * dfg/DFGFixupPhase.cpp: 26917 (JSC::DFG::FixupPhase::checkArray): 26918 (JSC::DFG::FixupPhase::blessArrayOperation): 26919 * dfg/DFGGraph.h: 26920 (JSC::DFG::Graph::byValIsPure): 26921 * dfg/DFGSpeculativeJIT.cpp: 26922 (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode): 26923 (JSC::DFG::SpeculativeJIT::checkArray): 26924 (JSC::DFG::SpeculativeJIT::arrayify): 26925 (DFG): 26926 (JSC::DFG::SpeculativeJIT::compileGetArrayLength): 26927 * dfg/DFGSpeculativeJIT.h: 26928 (JSC::DFG::SpeculativeJIT::putByValWillNeedExtraRegister): 26929 (SpeculativeJIT): 26930 * dfg/DFGSpeculativeJIT32_64.cpp: 26931 (JSC::DFG::SpeculativeJIT::compile): 26932 * dfg/DFGSpeculativeJIT64.cpp: 26933 (JSC::DFG::SpeculativeJIT::compile): 26934 269352012-10-14 Filip Pizlo <fpizlo@apple.com> 26936 26937 REGRESSION(126886): Fat binary builds don't know how to handle architecture variants to which the LLInt is agnostic 26938 https://bugs.webkit.org/show_bug.cgi?id=99270 26939 26940 Reviewed by Geoffrey Garen. 26941 26942 The fix is to hash cons the offsets based on configuration index, not the offsets 26943 themselves. 26944 26945 * offlineasm/offsets.rb: 26946 269472012-10-13 Filip Pizlo <fpizlo@apple.com> 26948 26949 IndexingType should not have a bit for each type 26950 https://bugs.webkit.org/show_bug.cgi?id=98997 26951 26952 Reviewed by Oliver Hunt. 26953 26954 Somewhat incidentally, the introduction of butterflies led to each indexing 26955 type being represented by a unique bit. 
This is superficially nice since it 26956 allows you to test if a structure corresponds to a particular indexing type 26957 by saying !!(structure->indexingType() & TheType). But the downside is that 26958 given the 8 bits we have for the m_indexingType field, that leaves only a 26959 small number of possible indexing types if we have one per bit. 26960 26961 This changeset changes the indexing type to be: 26962 26963 Bit #1: Tells you if you're an array. 26964 26965 Bits #2 - #5: 16 possible indexing types, including the blank type for 26966 objects that don't have indexed properties. 26967 26968 Bits #6-8: Auxiliary bits that we could use for other things. Currently we 26969 just use one of those bits, for MayHaveIndexedAccessors. 26970 26971 This is performance-neutral, and is primarily intended to give us more 26972 breathing room for introducing new inferred array modes. 26973 26974 * assembler/AbstractMacroAssembler.h: 26975 (JSC::AbstractMacroAssembler::JumpList::jumps): 26976 * assembler/MacroAssembler.h: 26977 (MacroAssembler): 26978 (JSC::MacroAssembler::patchableBranch32): 26979 * assembler/MacroAssemblerARMv7.h: 26980 (JSC::MacroAssemblerARMv7::patchableBranch32): 26981 (MacroAssemblerARMv7): 26982 * dfg/DFGArrayMode.cpp: 26983 (JSC::DFG::modeAlreadyChecked): 26984 * dfg/DFGRepatch.cpp: 26985 (JSC::DFG::tryCacheGetByID): 26986 * dfg/DFGSpeculativeJIT.cpp: 26987 (JSC::DFG::SpeculativeJIT::speculationCheck): 26988 (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck): 26989 (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode): 26990 (DFG): 26991 (JSC::DFG::SpeculativeJIT::checkArray): 26992 (JSC::DFG::SpeculativeJIT::arrayify): 26993 * dfg/DFGSpeculativeJIT.h: 26994 (SpeculativeJIT): 26995 * dfg/DFGSpeculativeJIT32_64.cpp: 26996 (JSC::DFG::SpeculativeJIT::compile): 26997 * dfg/DFGSpeculativeJIT64.cpp: 26998 (JSC::DFG::SpeculativeJIT::compile): 26999 * jit/JITInlineMethods.h: 27000 (JSC::JIT::emitAllocateJSArray): 27001 (JSC::JIT::chooseArrayMode): 27002 
* jit/JITPropertyAccess.cpp: 27003 (JSC::JIT::emit_op_get_by_val): 27004 (JSC::JIT::emitContiguousGetByVal): 27005 (JSC::JIT::emitArrayStorageGetByVal): 27006 (JSC::JIT::emit_op_put_by_val): 27007 (JSC::JIT::emitContiguousPutByVal): 27008 (JSC::JIT::emitArrayStoragePutByVal): 27009 (JSC::JIT::privateCompilePatchGetArrayLength): 27010 * jit/JITPropertyAccess32_64.cpp: 27011 (JSC::JIT::emit_op_get_by_val): 27012 (JSC::JIT::emitContiguousGetByVal): 27013 (JSC::JIT::emitArrayStorageGetByVal): 27014 (JSC::JIT::emit_op_put_by_val): 27015 (JSC::JIT::emitContiguousPutByVal): 27016 (JSC::JIT::emitArrayStoragePutByVal): 27017 (JSC::JIT::privateCompilePatchGetArrayLength): 27018 * llint/LowLevelInterpreter.asm: 27019 * llint/LowLevelInterpreter32_64.asm: 27020 * llint/LowLevelInterpreter64.asm: 27021 * runtime/IndexingType.h: 27022 (JSC): 27023 (JSC::hasIndexedProperties): 27024 (JSC::hasContiguous): 27025 (JSC::hasFastArrayStorage): 27026 (JSC::hasArrayStorage): 27027 (JSC::shouldUseSlowPut): 27028 * runtime/JSGlobalObject.cpp: 27029 (JSC): 27030 * runtime/StructureTransitionTable.h: 27031 (JSC::newIndexingType): 27032 270332012-10-14 Filip Pizlo <fpizlo@apple.com> 27034 27035 DFG structure check hoisting should attempt to ignore side effects and make transformations that are sound even in their presence 27036 https://bugs.webkit.org/show_bug.cgi?id=99262 27037 27038 Reviewed by Oliver Hunt. 27039 27040 This hugely simplifies the structure check hoisting phase. It will no longer be necessary 27041 to modify it when the effectfulness of operations changes. This also enables the hoister 27042 to hoist effectful things in the future. 27043 27044 The downside is that the hoister may end up adding strictly more checks than were present 27045 in the original code, if the code truly has a lot of side-effects. I don't see evidence 27046 of this happening. 
This patch does have some speed-ups and some slow-downs, but is 27047 neutral in the average, and the slow-downs do not appear to have more structure checks 27048 than ToT. 27049 27050 * dfg/DFGStructureCheckHoistingPhase.cpp: 27051 (JSC::DFG::StructureCheckHoistingPhase::run): 27052 (JSC::DFG::StructureCheckHoistingPhase::noticeStructureCheck): 27053 (StructureCheckHoistingPhase): 27054 (CheckData): 27055 (JSC::DFG::StructureCheckHoistingPhase::CheckData::CheckData): 27056 270572012-10-14 Filip Pizlo <fpizlo@apple.com> 27058 27059 Fix the build of universal binary with ARMv7s of JavaScriptCore 27060 27061 * llint/LLIntOfflineAsmConfig.h: 27062 * llint/LowLevelInterpreter.asm: 27063 270642012-10-13 Filip Pizlo <fpizlo@apple.com> 27065 27066 Array length array profiling is broken in the baseline JIT 27067 https://bugs.webkit.org/show_bug.cgi?id=99258 27068 27069 Reviewed by Oliver Hunt. 27070 27071 The code generator for array length stubs calls into 27072 emitArrayProfilingSiteForBytecodeIndex(), which emits profiling only if 27073 canBeOptimized() returns true. But m_canBeOptimized is only initialized during 27074 full method compiles, so in a stub compile it may (or may not) be false, meaning 27075 that we may, or may not, get meaningful profiling info. 27076 27077 This appeared to not affect too many programs since the LLInt has good array 27078 length array profiling. 27079 27080 * jit/JIT.h: 27081 (JSC::JIT::compilePatchGetArrayLength): 27082 270832012-10-14 Patrick Gansterer <paroga@webkit.org> 27084 27085 Build fix for WinCE after r131089. 27086 27087 WinCE does not support getenv(). 27088 27089 * runtime/Options.cpp: 27090 (JSC::overrideOptionWithHeuristic): 27091 270922012-10-12 Kangil Han <kangil.han@samsung.com> 27093 27094 Fix build error on DFGSpeculativeJIT32_64.cpp 27095 https://bugs.webkit.org/show_bug.cgi?id=99234 27096 27097 Reviewed by Anders Carlsson. 27098 27099 Seems BUG 98608 causes build error on 32bit machine so fix it. 
27100 27101 * dfg/DFGSpeculativeJIT32_64.cpp: 27102 (JSC::DFG::SpeculativeJIT::compile): 27103 271042012-10-12 Filip Pizlo <fpizlo@apple.com> 27105 27106 Contiguous array allocation should always be inlined 27107 https://bugs.webkit.org/show_bug.cgi?id=98608 27108 27109 Reviewed by Oliver Hunt and Mark Hahnenberg. 27110 27111 This inlines contiguous array allocation in the most obvious way possible. 27112 27113 * JavaScriptCore.xcodeproj/project.pbxproj: 27114 * assembler/MacroAssembler.h: 27115 (JSC::MacroAssembler::branchSubPtr): 27116 (MacroAssembler): 27117 * assembler/MacroAssemblerX86_64.h: 27118 (JSC::MacroAssemblerX86_64::branchSubPtr): 27119 (MacroAssemblerX86_64): 27120 * dfg/DFGAbstractState.cpp: 27121 (JSC::DFG::AbstractState::execute): 27122 * dfg/DFGCCallHelpers.h: 27123 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState): 27124 (CCallHelpers): 27125 * dfg/DFGCallArrayAllocatorSlowPathGenerator.h: Added. 27126 (DFG): 27127 (CallArrayAllocatorSlowPathGenerator): 27128 (JSC::DFG::CallArrayAllocatorSlowPathGenerator::CallArrayAllocatorSlowPathGenerator): 27129 (JSC::DFG::CallArrayAllocatorSlowPathGenerator::generateInternal): 27130 (CallArrayAllocatorWithVariableSizeSlowPathGenerator): 27131 (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator): 27132 (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::generateInternal): 27133 * dfg/DFGSpeculativeJIT.cpp: 27134 (JSC::DFG::SpeculativeJIT::emitAllocateJSArray): 27135 (DFG): 27136 (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage): 27137 (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage): 27138 * dfg/DFGSpeculativeJIT.h: 27139 (JSC::DFG::SpeculativeJIT::callOperation): 27140 (SpeculativeJIT): 27141 (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): 27142 (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject): 27143 (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject): 27144 * dfg/DFGSpeculativeJIT32_64.cpp: 
27145 (JSC::DFG::SpeculativeJIT::compile): 27146 * dfg/DFGSpeculativeJIT64.cpp: 27147 (JSC::DFG::SpeculativeJIT::compile): 27148 271492012-10-12 Mark Hahnenberg <mhahnenberg@apple.com> 27150 27151 Race condition during CopyingPhase can lead to deadlock 27152 https://bugs.webkit.org/show_bug.cgi?id=99226 27153 27154 Reviewed by Filip Pizlo. 27155 27156 The main thread calls startCopying() for each of the GCThreads at the beginning of the copy phase. 27157 It then proceeds to start copying. If copying completes before one of the GCThreads wakes up, the 27158 main thread will set m_currentPhase back to NoPhase, the GCThread will wake up, see that there's 27159 nothing to do, and then it will go back to sleep without ever calling CopyVisitor::doneCopying() 27160 to return its borrowed block to the CopiedSpace. CopiedSpace::doneCopying() will then sleep forever 27161 waiting on the block. 27162 27163 The fix for this is to make sure we call CopiedSpace::doneCopying() on the main thread before we 27164 call GCThreadSharedData::didFinishCopying(), which sets the m_currentPhase flag to NoPhase. This 27165 way we will wait until all threads have woken up and given back their borrowed blocks before 27166 clearing the flag. 27167 27168 * heap/Heap.cpp: 27169 (JSC::Heap::copyBackingStores): 27170 271712012-10-12 Anders Carlsson <andersca@apple.com> 27172 27173 Move macros from Parser.h to Parser.cpp 27174 https://bugs.webkit.org/show_bug.cgi?id=99217 27175 27176 Reviewed by Andreas Kling. 27177 27178 There are a bunch of macros in Parser.h that are only used in Parser.cpp. Move them to Parser.cpp 27179 so they won't pollute the global namespace. 27180 * parser/Parser.cpp: 27181 * parser/Parser.h: 27182 (JSC): 27183 271842012-10-12 Mark Hahnenberg <mhahnenberg@apple.com> 27185 27186 Another build fix after r131213 27187 27188 Added some symbol magic to placate the linker on some platforms. 
27189 27190 * JavaScriptCore.order: 27191 271922012-10-12 Mark Hahnenberg <mhahnenberg@apple.com> 27193 27194 Build fix after r131213 27195 27196 Removed an unused variable that was making compilers unhappy. 27197 27198 * heap/GCThread.cpp: 27199 (JSC::GCThread::GCThread): 27200 * heap/GCThread.h: 27201 (GCThread): 27202 * heap/GCThreadSharedData.cpp: 27203 (JSC::GCThreadSharedData::GCThreadSharedData): 27204 272052012-10-09 Mark Hahnenberg <mhahnenberg@apple.com> 27206 27207 Copying collection shouldn't require O(live bytes) memory overhead 27208 https://bugs.webkit.org/show_bug.cgi?id=98792 27209 27210 Reviewed by Filip Pizlo. 27211 27212 Currently our copying collection occurs simultaneously with the marking phase. We'd like 27213 to be able to reuse CopiedBlocks as soon as they become fully evacuated, but this is not 27214 currently possible because we don't know the liveness statistics of each old CopiedBlock 27215 until marking/copying has already finished. Instead, we have to allocate additional memory 27216 from the OS to use as our working set of CopiedBlocks while copying. We then return the 27217 fully evacuated old CopiedBlocks back to the block allocator, thus giving our copying phase 27218 an O(live bytes) overhead. 27219 27220 To fix this, we should instead split the copying phase apart from the marking phase. This 27221 way we have full liveness data for each CopiedBlock during the copying phase so that we 27222 can reuse them the instant they become fully evacuated. With the additional liveness data 27223 that each CopiedBlock accumulates, we can add some additional heuristics to the collector. 27224 For example, we can calculate our global Heap fragmentation and only choose to do a copying 27225 phase if that fragmentation exceeds some limit. As another example, we can skip copying 27226 blocks that are already above a particular fragmentation limit, which allows older objects 27227 to coalesce into blocks that are rarely copied. 
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopiedBlock.h:
        (CopiedBlock):
        (JSC::CopiedBlock::CopiedBlock): Added support for tracking live bytes in a CopiedBlock in a thread-safe fashion.
        (JSC::CopiedBlock::reportLiveBytes): Adds a number of live bytes to the block in a thread-safe fashion using compare and swap.
        (JSC):
        (JSC::CopiedBlock::didSurviveGC): Called when a block survives a single GC without being evacuated. This could be called for a couple reasons: (a) the block was pinned or (b) we decided not to do any copying. A block can become pinned for a few reasons: (1) a pointer into the block was found during the conservative scan. (2) the block was deemed full enough to not warrant any copying. (3) The block is oversize and was found to be live.
        (JSC::CopiedBlock::didEvacuateBytes): Called when some number of bytes are copied from this block. If the number of live bytes ever hits zero, the block will return itself to the BlockAllocator to be recycled.
        (JSC::CopiedBlock::canBeRecycled): Indicates that a block has no live bytes and can be immediately recycled. This is used for blocks that are found to have zero live bytes at the beginning of the copying phase.
        (JSC::CopiedBlock::shouldEvacuate): This function returns true if the current fragmentation of the block is above our fragmentation threshold, and false otherwise.
        (JSC::CopiedBlock::isPinned): Added an accessor for the pinned flag.
        (JSC::CopiedBlock::liveBytes):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::CopiedSpace):
        (JSC::CopiedSpace::doneFillingBlock): Changed so that we can exchange our filled block for a fresh block. This avoids the situation where a thread returns its borrowed block, it's the last borrowed block, so CopiedSpace thinks that copying has completed, and it starts doing all of the copying phase cleanup. In actuality, the thread wanted another block after returning the current block. So we allow the thread to atomically exchange its block for another block.
        (JSC::CopiedSpace::startedCopying): Added the calculation of global Heap fragmentation to determine if the copying phase should commence. We include the MarkedSpace in our fragmentation calculation by assuming that the MarkedSpace is 0% fragmented since we can reuse any currently free memory in it (i.e. we ignore any internal fragmentation in the MarkedSpace). While we're calculating the fragmentation of CopiedSpace, we also return any free blocks we find along the way (meaning liveBytes() == 0).
        (JSC):
        (JSC::CopiedSpace::doneCopying): We still have to iterate over all the blocks, regardless of whether the copying phase took place or not, so that we can reset all of the live bytes counters and un-pin any pinned blocks.
        * heap/CopiedSpace.h:
        (CopiedSpace):
        (JSC::CopiedSpace::shouldDoCopyPhase):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::recycleEvacuatedBlock): This function is distinct from recycling a borrowed block because a borrowed block hasn't been added to the CopiedSpace yet, but an evacuated block is still currently in CopiedSpace, so we have to make sure we properly remove all traces of the block from CopiedSpace before returning it to BlockAllocator.
        (JSC::CopiedSpace::recycleBorrowedBlock): Renamed to indicate the distinction mentioned above.
        * heap/CopyVisitor.cpp: Added.
        (JSC):
        (JSC::CopyVisitor::CopyVisitor):
        (JSC::CopyVisitor::copyFromShared): Main function for any thread participating in the copying phase. Grabs chunks of MarkedBlocks from the shared list and copies the backing store of anybody who needs it until there are no more chunks to copy.
        * heap/CopyVisitor.h: Added.
        (JSC):
        (CopyVisitor):
        * heap/CopyVisitorInlineMethods.h: Added.
        (JSC):
        (GCCopyPhaseFunctor):
        (JSC::GCCopyPhaseFunctor::GCCopyPhaseFunctor):
        (JSC::GCCopyPhaseFunctor::operator()):
        (JSC::CopyVisitor::checkIfShouldCopy): We don't have to check shouldEvacuate() because all of those checks are done during the marking phase.
        (JSC::CopyVisitor::allocateNewSpace):
        (JSC::CopyVisitor::allocateNewSpaceSlow):
        (JSC::CopyVisitor::startCopying): Initialization function for a thread that is about to start copying.
        (JSC::CopyVisitor::doneCopying):
        (JSC::CopyVisitor::didCopy): This callback is called by an object that has just successfully copied its backing store. It indicates to the CopiedBlock that somebody has just finished evacuating some number of bytes from it, and, if the CopiedBlock now has no more live bytes, can be recycled immediately.
        * heap/GCThread.cpp: Added.
        (JSC):
        (JSC::GCThread::GCThread): This is a new class that encapsulates a single thread responsible for participating in a specific set of GC phases. Currently, that set of phases includes Mark, Copy, and Exit. Each thread monitors a shared variable in its associated GCThreadSharedData. The main thread updates this m_currentPhase variable as collection progresses through the various phases. Parallel marking still works exactly like it has. In other words, the "run loop" for each of the GC threads sits above any individual phase, thus keeping the separate phases of the collector orthogonal.
        (JSC::GCThread::threadID):
        (JSC::GCThread::initializeThreadID):
        (JSC::GCThread::slotVisitor):
        (JSC::GCThread::copyVisitor):
        (JSC::GCThread::waitForNextPhase):
        (JSC::GCThread::gcThreadMain):
        (JSC::GCThread::gcThreadStartFunc):
        * heap/GCThread.h: Added.
        (JSC):
        (GCThread):
        * heap/GCThreadSharedData.cpp: The GCThreadSharedData now has a list of GCThread objects rather than raw ThreadIdentifiers.
        (JSC::GCThreadSharedData::resetChildren):
        (JSC::GCThreadSharedData::childVisitCount):
        (JSC::GCThreadSharedData::GCThreadSharedData):
        (JSC::GCThreadSharedData::~GCThreadSharedData):
        (JSC::GCThreadSharedData::reset):
        (JSC::GCThreadSharedData::didStartMarking): Callback to let the GCThreadSharedData know that marking has started; updates the m_currentPhase variable and notifies the GCThreads accordingly.
        (JSC::GCThreadSharedData::didFinishMarking): Ditto for finishing marking.
        (JSC::GCThreadSharedData::didStartCopying): Ditto for starting the copying phase.
        (JSC::GCThreadSharedData::didFinishCopying): Ditto for finishing copying.
        * heap/GCThreadSharedData.h:
        (JSC):
        (GCThreadSharedData):
        (JSC::GCThreadSharedData::getNextBlocksToCopy): Atomically gets the next chunk of work for a copying thread.
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::markRoots):
        (JSC):
        (JSC::Heap::copyBackingStores): Responsible for setting up the copying phase, notifying the copying threads, and doing any copying work if necessary.
        (JSC::Heap::collect):
        * heap/Heap.h:
        (Heap):
        (JSC):
        (JSC::CopyFunctor::CopyFunctor):
        (CopyFunctor):
        (JSC::CopyFunctor::operator()):
        * heap/IncrementalSweeper.cpp: Changed the incremental sweeper to have a reference to the list of MarkedBlocks that need sweeping, since this now resides in the Heap so that it can be easily shared by the GCThreads.
        (JSC::IncrementalSweeper::IncrementalSweeper):
        (JSC::IncrementalSweeper::startSweeping):
        * heap/IncrementalSweeper.h:
        (JSC):
        (IncrementalSweeper):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::setup):
        (JSC::SlotVisitor::drainFromShared): We no longer do any copying-related work here.
        (JSC):
        * heap/SlotVisitor.h:
        (SlotVisitor):
        * heap/SlotVisitorInlineMethods.h:
        (JSC):
        (JSC::SlotVisitor::copyLater): Notifies the CopiedBlock that there are some live bytes that may need to be copied.
        * runtime/Butterfly.h:
        (JSC):
        (Butterfly):
        * runtime/ButterflyInlineMethods.h:
        (JSC::Butterfly::createUninitializedDuringCollection): Uses the new CopyVisitor.
        * runtime/ClassInfo.h:
        (MethodTable): Added new "virtual" function copyBackingStore to method table.
        (JSC):
        * runtime/JSCell.cpp:
        (JSC::JSCell::copyBackingStore): Default implementation that does nothing.
        (JSC):
        * runtime/JSCell.h:
        (JSC):
        (JSCell):
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly): Does the actual copying of the butterfly.
        (JSC):
        (JSC::JSObject::visitButterfly): Calls copyLater for the butterfly.
        (JSC::JSObject::copyBackingStore):
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSCell::methodTable):
        (JSC::JSCell::inherits):
        * runtime/Options.h: Added two new constants, minHeapUtilization and minCopiedBlockUtilization, to govern the amount of fragmentation we allow before doing copying.
        (JSC):

2012-10-12  Filip Pizlo  <fpizlo@apple.com>

        DFG array allocation calls should not return an encoded JSValue
        https://bugs.webkit.org/show_bug.cgi?id=99196

        Reviewed by Mark Hahnenberg.

        The array allocation operations now return a pointer instead. This makes it easier to share code between 32-bit and 64-bit.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-10-01  Jer Noble  <jer.noble@apple.com>

        Enable ENCRYPTED_MEDIA support on Mac.
        https://bugs.webkit.org/show_bug.cgi?id=98044

        Reviewed by Anders Carlsson.

        Enable the ENCRYPTED_MEDIA flag.

        * Configurations/FeatureDefines.xcconfig:

2012-10-12  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed. It should be possible to build JSC on ARMv7.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::patchableBranchPtr):

2012-10-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        BlockAllocator should use regions as its VM allocation abstraction
        https://bugs.webkit.org/show_bug.cgi?id=99107

        Reviewed by Geoffrey Garen.

        Currently the BlockAllocator allocates a single block at a time directly from the OS. Our block allocations are on the large-ish side (64 KB) to amortize across many allocations the expense of mapping new virtual memory from the OS. These large blocks are then shared between the MarkedSpace and the CopiedSpace. This design makes it difficult to vary the size of the blocks in different parts of the Heap while still allowing us to amortize the VM allocation costs.

        We should redesign the BlockAllocator so that it has a layer of indirection between blocks that are used by the allocator/collector and our primary unit of VM allocation from the OS. In particular, the BlockAllocator should allocate Regions of virtual memory from the OS, which are then subdivided into one or more Blocks to be used in our custom allocators. This design has the following nice properties:

        1) We can remove the knowledge of PageAllocationAligned from HeapBlocks. Each HeapBlock will now only know what Region it belongs to. The Region maintains all the metadata for how to allocate and deallocate virtual memory from the OS.

        2) We can easily allocate in larger chunks than we need to satisfy a particular request for a Block. We can then continue to amortize our VM allocation costs while allowing for smaller block sizes, which should increase locality in the mutator when allocating, lazy sweeping, etc.

        3) By encapsulating the logic of where our memory comes from inside of the Region class, we can more easily transition over to allocating VM from a specific range of pre-reserved address space. This will be a necessary step along the way to 32-bit pointers.

        This particular patch will not change the size of MarkedBlocks or CopiedBlocks, nor will it change how much VM we allocate per failed Block request. It only sets up the data structures that we need to make these changes in future patches.

        Most of the changes in this patch relate to the addition of the Region class to be used by the BlockAllocator and the threading of changes made to BlockAllocator's interface through to the call sites.

        * heap/BlockAllocator.cpp: The BlockAllocator now has three lists that track the three disjoint sets of Regions that it cares about: empty regions, partially full regions, and completely full regions. Empty regions have no blocks currently in use and can be freed immediately if the freeing thread determines they should be. Partial regions have some blocks used, but aren't completely in use yet. These regions are preferred for recycling before empty regions to mitigate fragmentation within regions. Completely full regions are no longer able to be used for allocations. Regions move between these three lists as they are created and their constituent blocks are allocated and deallocated.
        (JSC::BlockAllocator::BlockAllocator):
        (JSC::BlockAllocator::~BlockAllocator):
        (JSC::BlockAllocator::releaseFreeRegions):
        (JSC::BlockAllocator::waitForRelativeTimeWhileHoldingLock):
        (JSC::BlockAllocator::waitForRelativeTime):
        (JSC::BlockAllocator::blockFreeingThreadMain):
        * heap/BlockAllocator.h:
        (JSC):
        (DeadBlock):
        (JSC::DeadBlock::DeadBlock):
        (Region):
        (JSC::Region::blockSize):
        (JSC::Region::isFull):
        (JSC::Region::isEmpty):
        (JSC::Region::create): This function is responsible for doing the actual VM allocation. This should be the only function in the entire JSC object runtime that calls out to the OS for virtual memory allocation.
        (JSC::Region::Region):
        (JSC::Region::~Region):
        (JSC::Region::allocate):
        (JSC::Region::deallocate):
        (BlockAllocator):
        (JSC::BlockAllocator::tryAllocateFromRegion): Helper function that encapsulates checking a particular list of regions for a free block.
        (JSC::BlockAllocator::allocate):
        (JSC::BlockAllocator::allocateCustomSize): This function is responsible for allocating one-off custom size regions for use in oversize allocations in both the MarkedSpace and the CopiedSpace. These regions are not tracked by the BlockAllocator. The only pointer to them is in the HeapBlock that is returned. These regions contain exactly one block.
        (JSC::BlockAllocator::deallocate):
        (JSC::BlockAllocator::deallocateCustomSize): This function is responsible for deallocating one-off custom size regions. The regions are deallocated back to the OS eagerly.
        * heap/CopiedBlock.h: Re-worked CopiedBlocks to use Regions instead of PageAllocationAligned.
        (CopiedBlock):
        (JSC::CopiedBlock::createNoZeroFill):
        (JSC::CopiedBlock::create):
        (JSC::CopiedBlock::CopiedBlock):
        (JSC::CopiedBlock::payloadEnd):
        (JSC::CopiedBlock::capacity):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::~CopiedSpace):
        (JSC::CopiedSpace::tryAllocateOversize):
        (JSC::CopiedSpace::tryReallocateOversize):
        (JSC::CopiedSpace::doneCopying):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::allocateBlockForCopyingPhase):
        (JSC::CopiedSpace::allocateBlock):
        * heap/HeapBlock.h:
        (JSC::HeapBlock::destroy):
        (JSC::HeapBlock::HeapBlock):
        (JSC::HeapBlock::region):
        (HeapBlock):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateBlock):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::create):
        (JSC::MarkedBlock::MarkedBlock):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::capacity):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::freeBlock):

2012-10-11  Filip Pizlo  <fpizlo@apple.com>

        UInt32ToNumber and OSR exit should be aware of copy propagation and correctly recover both versions of a variable that was subject to a UInt32ToNumber cast
        https://bugs.webkit.org/show_bug.cgi?id=99100
        <rdar://problem/12480955>

        Reviewed by Michael Saboff and Mark Hahnenberg.

        Fixed by forcing UInt32ToNumber to use a different register. This "undoes" the copy propagation that we would have been doing, since it has no performance effect in this case and has the benefit of making the OSR exit compiler a lot simpler.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):

2012-10-11  Geoffrey Garen  <ggaren@apple.com>

        Removed some more static assumptions about inline object capacity
        https://bugs.webkit.org/show_bug.cgi?id=98603

        Reviewed by Filip Pizlo.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject): Use JSObject::allocationSize() for a little more flexibility. We still pass it a constant inline capacity because the JIT doesn't have a strategy for selecting a size class based on non-constant capacity yet. "INLINE_STORAGE_CAPACITY" is a marker for code that makes static assumptions about object size.

        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm: Ditto for the rest of our many execution engines.

        * runtime/JSObject.h:
        (JSC::JSObject::allocationSize):
        (JSC::JSFinalObject::finishCreation):
        (JSC::JSFinalObject::create): New helper function for computing object size dynamically, since we plan to have objects of different sizes.

        (JSC::JSFinalObject::JSFinalObject): Note that our m_inlineStorage used to auto-generate an implicit C++ constructor with default null initialization. This memory is not observed in its uninitialized state, and our LLInt and JIT allocators do not initialize it, so I did not add any explicit code to do so, now that the implicit code is gone.

        (JSC::JSObject::offsetOfInlineStorage): Changed the math here to match inlineStorageUnsafe(), since we can rely on an explicit data member anymore.

2012-10-11  Geoffrey Garen  <ggaren@apple.com>

        Enable RUNTIME_HEURISTICS all the time, for easier testing
        https://bugs.webkit.org/show_bug.cgi?id=99090

        Reviewed by Filip Pizlo.

        I find myself using this a lot, and there doesn't seem to be an obvious reason to compile it out, since it only runs once at startup.

        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/Options.h: Removed the #ifdef.

2012-10-11  Geoffrey Garen  <ggaren@apple.com>

        Removed ASSERT_CLASS_FITS_IN_CELL
        https://bugs.webkit.org/show_bug.cgi?id=97634

        Reviewed by Mark Hahnenberg.

        Our collector now supports arbitrarily sized objects, so the ASSERT is not needed.

        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObject.cpp:
        * heap/MarkedSpace.h:
        * jsc.cpp:
        * runtime/Arguments.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/Error.cpp:
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSBoundFunction.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalThis.cpp:
        * runtime/JSNameScope.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.cpp:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSScope.cpp:
        * runtime/JSWithScope.cpp:
        * runtime/JSWrapperObject.cpp:
        * runtime/MathObject.cpp:
        * runtime/NameConstructor.cpp:
        * runtime/NamePrototype.cpp:
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NativeErrorPrototype.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberObject.cpp:
        * runtime/NumberPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectPrototype.cpp:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpPrototype.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
        * runtime/StringPrototype.cpp:
        * testRegExp.cpp: Removed the ASSERT.

2012-10-11  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline code blocks that use new_array_buffer
        https://bugs.webkit.org/show_bug.cgi?id=98996

        Reviewed by Geoffrey Garen.

        This adds plumbing to drop in constant buffers from the inlinees to the inliner. It's smart about not duplicating buffers needlessly but doesn't try to completely hash-cons them, either.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfConstantBuffers):
        (JSC::CodeBlock::addConstantBuffer):
        (JSC::CodeBlock::constantBufferAsVector):
        (JSC::CodeBlock::constantBuffer):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (ConstantBufferKey):
        (JSC::DFG::ConstantBufferKey::ConstantBufferKey):
        (JSC::DFG::ConstantBufferKey::operator==):
        (JSC::DFG::ConstantBufferKey::hash):
        (JSC::DFG::ConstantBufferKey::isHashTableDeletedValue):
        (JSC::DFG::ConstantBufferKey::codeBlock):
        (JSC::DFG::ConstantBufferKey::index):
        (DFG):
        (JSC::DFG::ConstantBufferKeyHash::hash):
        (JSC::DFG::ConstantBufferKeyHash::equal):
        (ConstantBufferKeyHash):
        (WTF):
        (ByteCodeParser):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canInlineOpcode):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-10-10  Zoltan Horvath  <zoltan@webkit.org>

        Pageload tests should measure memory usage
        https://bugs.webkit.org/show_bug.cgi?id=93958

        Reviewed by Ryosuke Niwa.

        Add JS Heap and Heap memory measurement to PageLoad tests.

        * heap/HeapStatistics.cpp:
        (JSC::HeapStatistics::usedJSHeap): Add new private function to expose the used JS Heap size.
        (JSC):
        * heap/HeapStatistics.h:
        (HeapStatistics): Add new private function to expose the used JS Heap size.

2012-10-10  Balazs Kilvady  <kilvadyb@homejinni.com>

        RegisterFile to JSStack rename fix for a struct member.

        Compilation problem in debug build on MIPS
        https://bugs.webkit.org/show_bug.cgi?id=98808

        Reviewed by Alexey Proskuryakov.

        In ASSERT conditions, the structure field name "registerFile" was replaced with the type name "JSStack"; it should be "stack".

        * jit/JITStubs.cpp:
        (JSC::JITThunks::JITThunks): Structure member name fix.

2012-10-10  Michael Saboff  <msaboff@apple.com>

        After r130344, OpaqueJSString::string() shouldn't directly return the wrapped String
        https://bugs.webkit.org/show_bug.cgi?id=98801

        Reviewed by Geoffrey Garen.

        Return a copy of the wrapped String so that the wrapped string cannot be turned into an Identifier.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::string):
        * API/OpaqueJSString.h:
        (OpaqueJSString):

2012-10-10  Peter Gal  <galpeter@inf.u-szeged.hu>

        Add moveDoubleToInts and moveIntsToDouble to MacroAssemblerARM
        https://bugs.webkit.org/show_bug.cgi?id=98855

        Reviewed by Filip Pizlo.

        Implement the missing moveDoubleToInts and moveIntsToDouble methods in the MacroAssemblerARM after r130839.
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::moveDoubleToInts):
        (MacroAssemblerARM):
        (JSC::MacroAssemblerARM::moveIntsToDouble):

2012-10-09  Filip Pizlo  <fpizlo@apple.com>

        Typed arrays should not be 20x slower in the baseline JIT than in the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=98605

        Reviewed by Oliver Hunt and Gavin Barraclough.

        This adds typed array get_by_val/put_by_val patching to the baseline JIT. It's a big (~40%) win on benchmarks that have trouble staying in the DFG JIT. Even if we fix those benchmarks, this functionality gives us the insurance that we typically desire with all speculative optimizations: even if we bail to baseline, we're still reasonably performant.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/MacroAssembler.cpp: Added.
        (JSC):
        * assembler/MacroAssembler.h:
        (MacroAssembler):
        (JSC::MacroAssembler::patchableBranchPtr):
        * assembler/MacroAssemblerARMv7.h:
        (MacroAssemblerARMv7):
        (JSC::MacroAssemblerARMv7::moveDoubleToInts):
        (JSC::MacroAssemblerARMv7::moveIntsToDouble):
        (JSC::MacroAssemblerARMv7::patchableBranchPtr):
        * assembler/MacroAssemblerX86.h:
        (MacroAssemblerX86):
        (JSC::MacroAssemblerX86::moveDoubleToInts):
        (JSC::MacroAssemblerX86::moveIntsToDouble):
        * bytecode/ByValInfo.h:
        (JSC::hasOptimizableIndexingForClassInfo):
        (JSC):
        (JSC::hasOptimizableIndexing):
        (JSC::jitArrayModeForClassInfo):
        (JSC::jitArrayModeForStructure):
        (JSC::ByValInfo::ByValInfo):
        (ByValInfo):
        * dfg/DFGAssemblyHelpers.cpp:
        (DFG):
        * dfg/DFGAssemblyHelpers.h:
        (AssemblyHelpers):
        (JSC::DFG::AssemblyHelpers::boxDouble):
        (JSC::DFG::AssemblyHelpers::unboxDouble):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * jit/JIT.h:
        (JIT):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSCell.h:
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        (JSC::JSGlobalData::typedArrayDescriptor):
        * runtime/TypedArrayDescriptor.h: Added.
        (JSC):
        (JSC::TypedArrayDescriptor::TypedArrayDescriptor):
        (TypedArrayDescriptor):

2012-10-09  Michael Saboff  <msaboff@apple.com>

        Add tests to testapi for null OpaqueJSStrings
        https://bugs.webkit.org/show_bug.cgi?id=98805

        Reviewed by Geoffrey Garen.

        Added tests that check that OpaqueJSString, which is wrapped via JSStringRef, properly returns null strings and that a null string in a JSStringRef will return a NULL JSChar* and 0 length via the JSStringGetCharactersPtr() and JSStringGetLength() APIs respectively. Added a check that JSValueMakeFromJSONString() properly handles a null string as well.

        * API/tests/testapi.c:
        (main):

2012-10-09  Jian Li  <jianli@chromium.org>

        Update the CSS property used to support draggable regions.
        https://bugs.webkit.org/show_bug.cgi?id=97156

        Reviewed by Adam Barth.

        The CSS property to support draggable regions, guarded under WIDGET_REGION, is now disabled for Mac WebKit, in order not to cause confusion with the DASHBOARD_SUPPORT feature.

        * Configurations/FeatureDefines.xcconfig: Disable WIDGET_REGION feature.

2012-10-09  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, adding forgotten files.

        * bytecode/ByValInfo.h: Added.
        (JSC):
        (JSC::isOptimizableIndexingType):
        (JSC::jitArrayModeForIndexingType):
        (JSC::ByValInfo::ByValInfo):
        (ByValInfo):
        (JSC::getByValInfoBytecodeIndex):
        * runtime/IndexingType.cpp: Added.
        (JSC):
        (JSC::indexingTypeToString):

2012-10-08  Filip Pizlo  <fpizlo@apple.com>

        JSC should infer when indexed storage is contiguous, and optimize for it
        https://bugs.webkit.org/show_bug.cgi?id=97288

        Reviewed by Mark Hahnenberg.
27890 27891 This introduces a new kind of indexed property storage called Contiguous, 27892 which has the following properties: 27893 27894 - No header bits beyond IndexedHeader. This results in a 16 byte reduction 27895 in memory usage per array versus an ArrayStorage array. It also means 27896 that the total memory usage for an empty array is now just 3 * 8 on both 27897 32-bit and 64-bit. Of that, only 8 bytes are array-specific; the rest is 27898 our standard object header overhead. 27899 27900 - No need for hole checks on store. This results in a ~4% speed-up on 27901 Kraken and a ~1% speed-up on V8v7. 27902 27903 - publicLength <= vectorLength. This means that doing new Array(blah) 27904 immediately allocates room for blah elements. 27905 27906 - No sparse map or index bias. 27907 27908 If you ever do things to an array that would require publicLength > 27909 vectorLength, a sparse map, or index bias, then we switch to ArrayStorage 27910 mode. This seems to never happen in any benchmark we track, and is unlikely 27911 to happen very frequently on any website. 27912 27913 * CMakeLists.txt: 27914 * GNUmakefile.list.am: 27915 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: 27916 * JavaScriptCore.xcodeproj/project.pbxproj: 27917 * Target.pri: 27918 * assembler/AbstractMacroAssembler.h: 27919 (JSC::AbstractMacroAssembler::JumpList::append): 27920 * assembler/MacroAssembler.h: 27921 (MacroAssembler): 27922 (JSC::MacroAssembler::patchableBranchTest32): 27923 * bytecode/ByValInfo.h: Added. 
27924 (JSC): 27925 (JSC::isOptimizableIndexingType): 27926 (JSC::jitArrayModeForIndexingType): 27927 (JSC::ByValInfo::ByValInfo): 27928 (ByValInfo): 27929 (JSC::getByValInfoBytecodeIndex): 27930 * bytecode/CodeBlock.h: 27931 (CodeBlock): 27932 (JSC::CodeBlock::getByValInfo): 27933 (JSC::CodeBlock::setNumberOfByValInfos): 27934 (JSC::CodeBlock::numberOfByValInfos): 27935 (JSC::CodeBlock::byValInfo): 27936 * bytecode/SamplingTool.h: 27937 * dfg/DFGAbstractState.cpp: 27938 (JSC::DFG::AbstractState::execute): 27939 * dfg/DFGArrayMode.cpp: 27940 (JSC::DFG::fromObserved): 27941 (JSC::DFG::modeAlreadyChecked): 27942 (JSC::DFG::modeToString): 27943 * dfg/DFGArrayMode.h: 27944 (DFG): 27945 (JSC::DFG::modeUsesButterfly): 27946 (JSC::DFG::modeIsJSArray): 27947 (JSC::DFG::isInBoundsAccess): 27948 (JSC::DFG::mayStoreToTail): 27949 (JSC::DFG::mayStoreToHole): 27950 (JSC::DFG::modeIsPolymorphic): 27951 (JSC::DFG::polymorphicIncludesContiguous): 27952 (JSC::DFG::polymorphicIncludesArrayStorage): 27953 (JSC::DFG::canCSEStorage): 27954 (JSC::DFG::modeSupportsLength): 27955 (JSC::DFG::benefitsFromStructureCheck): 27956 (JSC::DFG::isEffectful): 27957 * dfg/DFGByteCodeParser.cpp: 27958 (JSC::DFG::ByteCodeParser::handleIntrinsic): 27959 * dfg/DFGCSEPhase.cpp: 27960 (JSC::DFG::CSEPhase::getArrayLengthElimination): 27961 (JSC::DFG::CSEPhase::getByValLoadElimination): 27962 (JSC::DFG::CSEPhase::performNodeCSE): 27963 * dfg/DFGFixupPhase.cpp: 27964 (JSC::DFG::FixupPhase::fixupNode): 27965 (JSC::DFG::FixupPhase::checkArray): 27966 (JSC::DFG::FixupPhase::blessArrayOperation): 27967 * dfg/DFGGraph.h: 27968 (JSC::DFG::Graph::byValIsPure): 27969 * dfg/DFGOperations.cpp: 27970 * dfg/DFGOperations.h: 27971 * dfg/DFGRepatch.cpp: 27972 (JSC::DFG::tryCacheGetByID): 27973 * dfg/DFGSpeculativeJIT.cpp: 27974 (JSC::DFG::SpeculativeJIT::checkArray): 27975 (JSC::DFG::SpeculativeJIT::arrayify): 27976 (JSC::DFG::SpeculativeJIT::compileGetArrayLength): 27977 
(JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal): 27978 (DFG): 27979 * dfg/DFGSpeculativeJIT.h: 27980 (DFG): 27981 (JSC::DFG::SpeculativeJIT::callOperation): 27982 (SpeculativeJIT): 27983 (JSC::DFG::SpeculativeJIT::putByValWillNeedExtraRegister): 27984 (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal): 27985 * dfg/DFGSpeculativeJIT32_64.cpp: 27986 (JSC::DFG::SpeculativeJIT::compileContiguousGetByVal): 27987 (DFG): 27988 (JSC::DFG::SpeculativeJIT::compileArrayStorageGetByVal): 27989 (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal): 27990 (JSC::DFG::SpeculativeJIT::compileArrayStoragePutByVal): 27991 (JSC::DFG::SpeculativeJIT::compile): 27992 * dfg/DFGSpeculativeJIT64.cpp: 27993 (JSC::DFG::SpeculativeJIT::compileContiguousGetByVal): 27994 (DFG): 27995 (JSC::DFG::SpeculativeJIT::compileArrayStorageGetByVal): 27996 (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal): 27997 (JSC::DFG::SpeculativeJIT::compileArrayStoragePutByVal): 27998 (JSC::DFG::SpeculativeJIT::compile): 27999 * interpreter/Interpreter.cpp: 28000 (SamplingScope): 28001 (JSC::SamplingScope::SamplingScope): 28002 (JSC::SamplingScope::~SamplingScope): 28003 (JSC): 28004 (JSC::Interpreter::execute): 28005 * jit/JIT.cpp: 28006 (JSC::JIT::privateCompileSlowCases): 28007 (JSC::JIT::privateCompile): 28008 * jit/JIT.h: 28009 (JSC::ByValCompilationInfo::ByValCompilationInfo): 28010 (ByValCompilationInfo): 28011 (JSC): 28012 (JIT): 28013 (JSC::JIT::compileGetByVal): 28014 (JSC::JIT::compilePutByVal): 28015 * jit/JITInlineMethods.h: 28016 (JSC::JIT::emitAllocateJSArray): 28017 (JSC::JIT::emitArrayProfileStoreToHoleSpecialCase): 28018 (JSC): 28019 (JSC::arrayProfileSaw): 28020 (JSC::JIT::chooseArrayMode): 28021 * jit/JITOpcodes.cpp: 28022 (JSC::JIT::emitSlow_op_get_argument_by_val): 28023 (JSC::JIT::emit_op_new_array): 28024 (JSC::JIT::emitSlow_op_new_array): 28025 * jit/JITOpcodes32_64.cpp: 28026 (JSC::JIT::emitSlow_op_get_argument_by_val): 28027 * jit/JITPropertyAccess.cpp: 28028 
(JSC::JIT::emit_op_get_by_val): 28029 (JSC): 28030 (JSC::JIT::emitContiguousGetByVal): 28031 (JSC::JIT::emitArrayStorageGetByVal): 28032 (JSC::JIT::emitSlow_op_get_by_val): 28033 (JSC::JIT::emit_op_put_by_val): 28034 (JSC::JIT::emitContiguousPutByVal): 28035 (JSC::JIT::emitArrayStoragePutByVal): 28036 (JSC::JIT::emitSlow_op_put_by_val): 28037 (JSC::JIT::privateCompilePatchGetArrayLength): 28038 (JSC::JIT::privateCompileGetByVal): 28039 (JSC::JIT::privateCompilePutByVal): 28040 * jit/JITPropertyAccess32_64.cpp: 28041 (JSC::JIT::emit_op_get_by_val): 28042 (JSC): 28043 (JSC::JIT::emitContiguousGetByVal): 28044 (JSC::JIT::emitArrayStorageGetByVal): 28045 (JSC::JIT::emitSlow_op_get_by_val): 28046 (JSC::JIT::emit_op_put_by_val): 28047 (JSC::JIT::emitContiguousPutByVal): 28048 (JSC::JIT::emitArrayStoragePutByVal): 28049 (JSC::JIT::emitSlow_op_put_by_val): 28050 * jit/JITStubs.cpp: 28051 (JSC::getByVal): 28052 (JSC): 28053 (JSC::DEFINE_STUB_FUNCTION): 28054 (JSC::putByVal): 28055 * jit/JITStubs.h: 28056 * llint/LowLevelInterpreter.asm: 28057 * llint/LowLevelInterpreter32_64.asm: 28058 * llint/LowLevelInterpreter64.asm: 28059 * runtime/ArrayConventions.h: 28060 (JSC::isDenseEnoughForVector): 28061 * runtime/ArrayPrototype.cpp: 28062 (JSC): 28063 (JSC::shift): 28064 (JSC::unshift): 28065 (JSC::arrayProtoFuncPush): 28066 (JSC::arrayProtoFuncShift): 28067 (JSC::arrayProtoFuncSplice): 28068 (JSC::arrayProtoFuncUnShift): 28069 * runtime/Butterfly.h: 28070 (Butterfly): 28071 (JSC::Butterfly::fromPointer): 28072 (JSC::Butterfly::pointer): 28073 (JSC::Butterfly::publicLength): 28074 (JSC::Butterfly::vectorLength): 28075 (JSC::Butterfly::setPublicLength): 28076 (JSC::Butterfly::setVectorLength): 28077 (JSC::Butterfly::contiguous): 28078 (JSC::Butterfly::fromContiguous): 28079 * runtime/ButterflyInlineMethods.h: 28080 (JSC::Butterfly::unshift): 28081 (JSC::Butterfly::shift): 28082 * runtime/IndexingHeaderInlineMethods.h: 28083 (JSC::IndexingHeader::indexingPayloadSizeInBytes): 28084 
        * runtime/IndexingType.cpp: Added.
        (JSC):
        (JSC::indexingTypeToString):
        * runtime/IndexingType.h:
        (JSC):
        (JSC::hasContiguous):
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLengthWithArrayStorage):
        (JSC::JSArray::setLength):
        (JSC):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::sortNumericVector):
        (JSC::JSArray::sortNumeric):
        (JSC::JSArray::sortCompactedVector):
        (JSC::JSArray::sort):
        (JSC::JSArray::sortVector):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        (JSC::JSArray::compactForSorting):
        * runtime/JSArray.h:
        (JSC::JSArray::shiftCountForShift):
        (JSC::JSArray::shiftCountForSplice):
        (JSArray):
        (JSC::JSArray::shiftCount):
        (JSC::JSArray::unshiftCountForShift):
        (JSC::JSArray::unshiftCountForSplice):
        (JSC::JSArray::unshiftCount):
        (JSC::JSArray::isLengthWritable):
        (JSC::createContiguousArrayButterfly):
        (JSC):
        (JSC::JSArray::create):
        (JSC::JSArray::tryCreateUninitialized):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC):
        (JSC::JSGlobalObject::haveABadTime):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::arrayStructureWithArrayStorage):
        (JSC::JSGlobalObject::addressOfArrayStructureWithArrayStorage):
        (JSC::constructEmptyArray):
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::enterDictionaryIndexingMode):
        (JSC::JSObject::createInitialContiguous):
        (JSC):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::ensureIndexedStorageSlow):
        (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthContiguousWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        (JSC::JSObject::getNewVectorLength):
        (JSC::JSObject::countElementsInContiguous):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureContiguousLengthSlow):
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/JSObject.h:
        (JSC::JSObject::getArrayLength):
        (JSC::JSObject::getVectorLength):
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly):
        (JSC::JSObject::canSetIndexQuickly):
        (JSC::JSObject::canSetIndexQuicklyForPutDirect):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::hasSparseMap):
        (JSC::JSObject::inSparseIndexingMode):
        (JSObject):
        (JSC::JSObject::ensureContiguous):
        (JSC::JSObject::ensureIndexedStorage):
        (JSC::JSObject::ensureContiguousLength):
        (JSC::JSObject::indexingData):
        (JSC::JSObject::relevantLength):
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):
        * runtime/Options.cpp:
        (JSC::Options::initialize):
        * runtime/Structure.cpp:
        (JSC::Structure::needsSlowPutIndexing):
        (JSC):
        (JSC::Structure::suggestedArrayStorageTransition):
        * runtime/Structure.h:
        (Structure):
        * runtime/StructureTransitionTable.h:
        (JSC::newIndexingType):

2012-10-09  Michael Saboff  <msaboff@apple.com>

        After r130344, OpaqueJSString::identifier() adds wrapped String to identifier table
        https://bugs.webkit.org/show_bug.cgi?id=98693
        REGRESSION (r130344): Install failed in Install Environment
        <rdar://problem/12450118>

        Reviewed by Mark Rowe.

        Use Identifier(LChar*, length) or Identifier(UChar*, length) constructors so that we don't
        add the String instance in the OpaqueJSString to any identifier tables.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::identifier):

2012-10-08  Mark Lam  <mark.lam@apple.com>

        Renamed RegisterFile to JSStack, and removed prototype of the
        previously deleted Interpreter::privateExecute().
        https://bugs.webkit.org/show_bug.cgi?id=98717.

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.order:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/BytecodeConventions.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::nameForRegister):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::alreadyInJSStack):
        (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt32):
        (JSC::ValueRecovery::alreadyInJSStackAsUnboxedCell):
        (JSC::ValueRecovery::alreadyInJSStackAsUnboxedBoolean):
        (JSC::ValueRecovery::alreadyInJSStackAsUnboxedDouble):
        (JSC::ValueRecovery::displacedInJSStack):
        (JSC::ValueRecovery::isAlreadyInJSStack):
        (JSC::ValueRecovery::virtualRegister):
        (JSC::ValueRecovery::dump):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::resolveCallee):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::registerFor):
        * dfg/DFGAbstractState.h:
        (AbstractState):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
        (JSC::DFG::AssemblyHelpers::emitPutToCallFrameHeader):
        (JSC::DFG::AssemblyHelpers::emitPutImmediateToCallFrameHeader):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getDirect):
        (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGGenerationInfo.h:
        (GenerationInfo):
        (JSC::DFG::GenerationInfo::needsSpill):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::beginCall):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryBuildGetByIDList):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::spill):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::throwExceptionFromCallSlowPathGenerator):
        (JSC::DFG::slowPathFor):
        (JSC::DFG::virtualForThunkGenerator):
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGValueSource.h:
        (JSC::DFG::dataFormatToValueSourceKind):
        (JSC::DFG::valueSourceKindToDataFormat):
        (JSC::DFG::isInJSStack):
        (JSC::DFG::ValueSource::forSpeculation):
        (JSC::DFG::ValueSource::isInJSStack):
        (JSC::DFG::ValueSource::valueRecovery):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * heap/Heap.cpp:
        (JSC::Heap::stack):
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        (JSC):
        (Heap):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::stack):
        * interpreter/CallFrame.h:
        (JSC::ExecState::calleeAsValue):
        (JSC::ExecState::callee):
        (JSC::ExecState::codeBlock):
        (JSC::ExecState::scope):
        (JSC::ExecState::callerFrame):
        (JSC::ExecState::returnPC):
        (JSC::ExecState::hasReturnPC):
        (JSC::ExecState::clearReturnPC):
        (JSC::ExecState::bytecodeOffsetForNonDFGCode):
        (JSC::ExecState::setBytecodeOffsetForNonDFGCode):
        (JSC::ExecState::inlineCallFrame):
        (JSC::ExecState::codeOriginIndexForDFG):
        (JSC::ExecState::currentVPC):
        (JSC::ExecState::setCurrentVPC):
        (JSC::ExecState::setCallerFrame):
        (JSC::ExecState::setScope):
        (JSC::ExecState::init):
        (JSC::ExecState::argumentCountIncludingThis):
        (JSC::ExecState::offsetFor):
        (JSC::ExecState::setArgumentCountIncludingThis):
        (JSC::ExecState::setCallee):
        (JSC::ExecState::setCodeBlock):
        (JSC::ExecState::setReturnPC):
        (JSC::ExecState::setInlineCallFrame):
        (ExecState):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::slideRegisterWindowForCall):
        (JSC::eval):
        (JSC::loadVarargs):
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::endRepeatCall):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::stack):
        (Interpreter):
        (JSC::Interpreter::execute):
        (JSC):
        * interpreter/JSStack.cpp: Copied from Source/JavaScriptCore/interpreter/RegisterFile.cpp.
        (JSC::stackStatisticsMutex):
        (JSC::JSStack::~JSStack):
        (JSC::JSStack::growSlowCase):
        (JSC::JSStack::gatherConservativeRoots):
        (JSC::JSStack::releaseExcessCapacity):
        (JSC::JSStack::initializeThreading):
        (JSC::JSStack::committedByteCount):
        (JSC::JSStack::addToCommittedByteCount):
        * interpreter/JSStack.h: Copied from Source/JavaScriptCore/interpreter/RegisterFile.h.
        (JSStack):
        (JSC::JSStack::JSStack):
        (JSC::JSStack::shrink):
        (JSC::JSStack::grow):
        * interpreter/RegisterFile.cpp: Removed.
        * interpreter/RegisterFile.h: Removed.
        * interpreter/VMInspector.cpp:
        (JSC::VMInspector::dumpFrame):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC):
        (JIT):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::compileLoadVarargs):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCall):
        * jit/JITCode.h:
        (JSC):
        (JSC::JITCode::execute):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitPutToCallFrameHeader):
        (JSC::JIT::emitPutCellToCallFrameHeader):
        (JSC::JIT::emitPutIntToCallFrameHeader):
        (JSC::JIT::emitPutImmediateToCallFrameHeader):
        (JSC::JIT::emitGetFromCallFrameHeaderPtr):
        (JSC::JIT::emitGetFromCallFrameHeader32):
        (JSC::JIT::updateTopCallFrame):
        (JSC::JIT::unmap):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emit_op_get_arguments_length):
        (JSC::JIT::emit_op_get_argument_by_val):
        (JSC::JIT::emit_op_resolve_global_dynamic):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emit_op_get_arguments_length):
        (JSC::JIT::emit_op_get_argument_by_val):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_put_scoped_var):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_put_scoped_var):
        * jit/JITStubs.cpp:
        (JSC::ctiTrampoline):
        (JSC::JITThunks::JITThunks):
        (JSC):
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        (JSC):
        (JITStackFrame):
        * jit/JSInterfaceJIT.h:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
        (JSC::SpecializedThunkJIT::returnJSValue):
        (JSC::SpecializedThunkJIT::returnDouble):
        (JSC::SpecializedThunkJIT::returnInt32):
        (JSC::SpecializedThunkJIT::returnJSCell):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::genericCall):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter.asm:
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOffForInlineCallFrame):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::globalExec):
        * runtime/JSGlobalObject.h:
        (JSC):
        (JSGlobalObject):
        * runtime/JSLock.cpp:
        (JSC):
        * runtime/JSVariableObject.h:
        (JSVariableObject):
        * runtime/MemoryStatistics.cpp:
        (JSC::globalMemoryStatistics):

2012-10-08  Kiran Muppala  <cmuppala@apple.com>

        Throttle DOM timers on hidden pages.
        https://bugs.webkit.org/show_bug.cgi?id=98474

        Reviewed by Maciej Stachowiak.

        Add HIDDEN_PAGE_DOM_TIMER_THROTTLING feature define.

        * Configurations/FeatureDefines.xcconfig:

2012-10-08  Michael Saboff  <msaboff@apple.com>

        After r130344, OpaqueJSString() creates an empty string which should be a null string
        https://bugs.webkit.org/show_bug.cgi?id=98417

        Reviewed by Sam Weinig.

        Changed create() of a null string to return 0. This is the same behavior as before r130344.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::create):

2012-10-07  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>

        Rename first/second to key/value in HashMap iterators
        https://bugs.webkit.org/show_bug.cgi?id=82784

        Reviewed by Eric Seidel.

        * API/JSCallbackObject.h:
        (JSC::JSCallbackObjectData::JSPrivatePropertyMap::getPrivateProperty):
        (JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
        (JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnNonIndexPropertyNames):
        * API/JSClassRef.cpp:
        (OpaqueJSClass::~OpaqueJSClass):
        (OpaqueJSClassContextData::OpaqueJSClassContextData):
        (OpaqueJSClass::contextData):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::EvalCodeCache::visitAggregate):
        (JSC::CodeBlock::nameForRegister):
        * bytecode/JumpTable.h:
        (JSC::StringJumpTable::offsetForValue):
        (JSC::StringJumpTable::ctiForValue):
        * bytecode/LazyOperandValueProfile.cpp:
        (JSC::LazyOperandValueProfileParser::getIfPresent):
        * bytecode/SamplingTool.cpp:
        (JSC::SamplingTool::dump):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addVar):
        (JSC::BytecodeGenerator::addGlobalVar):
        (JSC::BytecodeGenerator::addConstant):
        (JSC::BytecodeGenerator::addConstantValue):
        (JSC::BytecodeGenerator::emitLoad):
        (JSC::BytecodeGenerator::addStringConstant):
        (JSC::BytecodeGenerator::emitLazyNewFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        * debugger/Debugger.cpp:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
        (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
        (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
        (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
        * dfg/DFGAssemblyHelpers.cpp:
        (JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
        * dfg/DFGByteCodeCache.h:
        (JSC::DFG::ByteCodeCache::~ByteCodeCache):
        (JSC::DFG::ByteCodeCache::get):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::cellConstant):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        (JSC::DFG::StructureCheckHoistingPhase::noticeStructureCheck):
        (JSC::DFG::StructureCheckHoistingPhase::noticeClobber):
        * heap/Heap.cpp:
        (JSC::Heap::markProtectedObjects):
        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell):
        * heap/JITStubRoutineSet.cpp:
        (JSC::JITStubRoutineSet::markSlow):
        (JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::internalAppend):
        * heap/Weak.h:
        (JSC::weakRemove):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::ctiStub):
        * parser/Parser.cpp:
        (JSC::::parseStrictObjectLiteral):
        * profiler/Profile.cpp:
        (JSC::functionNameCountPairComparator):
        (JSC::Profile::debugPrintDataSampleStyle):
        * runtime/Identifier.cpp:
        (JSC::Identifier::add):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnNonIndexPropertyNames):
        (JSC::JSActivation::symbolTablePutWithAttributes):
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLength):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::invalidateCode):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayValueMap::putDirect):
        (JSC::SparseArrayValueMap::visitChildren):
        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::clear):
        (JSC::WeakGCMap::set):
        * tools/ProfileTreeNode.h:
        (JSC::ProfileTreeNode::sampleChild):
        (JSC::ProfileTreeNode::childCount):
        (JSC::ProfileTreeNode::dumpInternal):
        (JSC::ProfileTreeNode::compareEntries):

2012-10-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSC should have a way to gather and log Heap memory use and pause times
        https://bugs.webkit.org/show_bug.cgi?id=98431

        Reviewed by Geoffrey Garen.

        In order to improve our infrastructure for benchmark-driven development, we should
        have a centralized method of gathering and logging various statistics about the state
        of the JS heap. This would allow us to create and to use other tools to analyze the
        output of the VM after running various workloads.

        The first two statistics that might be interesting are memory use by JSC and GC pause
        times. We can control whether this recording happens through the use of the Options
        class, allowing us to either use environment variables or command line flags.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::collect): If we finish a collection and are still over our set GC heap size,
        we end the program immediately and report an error. Also added recording of pause times.
        * heap/Heap.h:
        (Heap):
        (JSC::Heap::shouldCollect): When we set a specific GC heap size through Options, we
        ignore all other heuristics on when we should collect and instead only ask if we're
        greater than the amount specified in the Option value. This allows us to view time/memory
        tradeoffs more clearly.
        * heap/HeapStatistics.cpp: Added.
        (JSC):
        (JSC::HeapStatistics::initialize):
        (JSC::HeapStatistics::recordGCPauseTime):
        (JSC::HeapStatistics::logStatistics):
        (JSC::HeapStatistics::exitWithFailure):
        (JSC::HeapStatistics::reportSuccess):
        (JSC::HeapStatistics::parseMemoryAmount):
        (StorageStatistics):
        (JSC::StorageStatistics::StorageStatistics):
        (JSC::StorageStatistics::operator()):
        (JSC::StorageStatistics::objectWithOutOfLineStorageCount):
        (JSC::StorageStatistics::objectCount):
        (JSC::StorageStatistics::storageSize):
        (JSC::StorageStatistics::storageCapacity):
        (JSC::HeapStatistics::showObjectStatistics): Moved the old showHeapStatistics (renamed to showObjectStatistics)
        to try to start collecting our various memory statistics gathering/reporting mechanisms scattered throughout the
        codebase into one place.
        * heap/HeapStatistics.h: Added.
        (JSC):
        (HeapStatistics):
        * jsc.cpp:
        (main):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce): We need to initialize our data structures for recording
        statistics if necessary.
        * runtime/Options.cpp: Add new Options for the various types of statistics we'll be gathering.
        (JSC::parse):
        (JSC):
        (JSC::Options::initialize): Initialize the various new options using environment variables.
        (JSC::Options::dumpOption):
        * runtime/Options.h:
        (JSC):

2012-10-04  Rik Cabanier  <cabanier@adobe.com>

        Turn Compositing on by default in WebKit build
        https://bugs.webkit.org/show_bug.cgi?id=98315

        Reviewed by Simon Fraser.

        Enable -webkit-blend-mode on trunk.

        * Configurations/FeatureDefines.xcconfig:

2012-10-04  Michael Saboff  <msaboff@apple.com>

        Crash in Safari at com.apple.JavaScriptCore: WTF::StringImpl::is8Bit const + 12
        https://bugs.webkit.org/show_bug.cgi?id=98433

        Reviewed by Jessie Berlin.

        The problem is due to a String with a null StringImpl (i.e. a null string).
        Added a length check before the is8Bit() check since length() checks for a null StringImpl. Changed the
        characters16() call to characters() since it can handle a null StringImpl as well.

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString):

2012-10-04  Benjamin Poulain  <bpoulain@apple.com>

        Use copyLCharsFromUCharSource() for IdentifierLCharFromUCharTranslator translation
        https://bugs.webkit.org/show_bug.cgi?id=98335

        Reviewed by Michael Saboff.

        Michael Saboff added an optimized version of UChar->LChar conversion in r125846.
        Use this function in JSC::Identifier.

        * runtime/Identifier.cpp:
        (JSC::IdentifierLCharFromUCharTranslator::translate):

2012-10-04  Michael Saboff  <msaboff@apple.com>

        After r130344, OpaqueJSString() creates an empty string which should be a null string
        https://bugs.webkit.org/show_bug.cgi?id=98417

        Reviewed by Alexey Proskuryakov.

        Removed the setting of enclosed string to an empty string from default constructor.
        Before changeset r130344, the semantic was the default constructor produced a null
        string.

        * API/OpaqueJSString.h:
        (OpaqueJSString::OpaqueJSString):

2012-10-04  Csaba Osztrogonác  <ossy@webkit.org>

        [Qt] Add missing LLInt dependencies to the build system
        https://bugs.webkit.org/show_bug.cgi?id=98394

        Reviewed by Geoffrey Garen.

        * DerivedSources.pri:
        * LLIntOffsetsExtractor.pro:

2012-10-03  Geoffrey Garen  <ggaren@apple.com>

        Next step toward fixing Windows: add new symbol.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-10-03  Geoffrey Garen  <ggaren@apple.com>

        First step toward fixing Windows: remove old symbol.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-10-03  Geoffrey Garen  <ggaren@apple.com>

        Removed the assumption that "final" objects have a fixed number of inline slots
        https://bugs.webkit.org/show_bug.cgi?id=98332

        Reviewed by Filip Pizlo.

        This is a step toward object size inference.

        I replaced the inline storage capacity constant with a data member per
        structure, set the maximum supported value for the constant to 100,
        then fixed what broke. (Note that even though this patch increases the
        theoretical maximum inline capacity, it doesn't change any actual inline
        capacity.)

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compileGetDirectOffset): These functions just get a rename:
        the constant they need is the first out of line offset along the offset
        number line, which is not necessarily the same thing (and is, in this
        patch, never the same thing) as the inline capacity of any given object.

        (JSC::JIT::emit_op_get_by_pname):
        * jit/JITPropertyAccess32_64.cpp: This function changes functionality,
        since it needs to convert from the abstract offset number line to an
        actual offset in memory, and it can't assume that inline and out-of-line
        offsets are contiguous on the number line.

        (JSC::JIT::compileGetDirectOffset): Updated for rename.

        (JSC::JIT::emit_op_get_by_pname): Same as emit_op_get_by_pname above.

        * llint/LowLevelInterpreter.asm: Updated to mirror changes in PropertyOffset.h,
        since we duplicate values from there.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm: Just like the JIT, most things are just
        renames, and get_by_pname changes to do more math. I also standardized
        offset calculations to use a hard-coded "-2", to match the JIT. This
        isn't really better, but it makes global search and replace easier,
        should we choose to refactor this code not to hard-code constants.

        I also renamed loadPropertyAtVariableOffsetKnownNotFinal to
        loadPropertyAtVariableOffsetKnownNotInline in order to sever the assumption
        that inline capacity is tied to object type, and I changed the 64bit LLInt
        to use this -- not using this previously seems to have been an oversight.

        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildren):
        (JSC::JSFinalObject::visitChildren):
        * runtime/JSObject.h:
        (JSC::JSObject::offsetForLocation):
        (JSNonFinalObject):
        (JSC::JSFinalObject::createStructure):
        (JSFinalObject):
        (JSC::JSFinalObject::finishCreation): Updated for above changes.

        * runtime/JSPropertyNameIterator.h:
        (JSPropertyNameIterator):
        (JSC::JSPropertyNameIterator::finishCreation): Store the inline capacity
        of our object, since it's not a constant.

        (JSC::JSPropertyNameIterator::getOffset): Removed. This function was
        wrong. Luckily, it was also unused, since the C++ interpreter is gone.

        * runtime/PropertyMapHashTable.h:
        (PropertyTable): Use a helper function instead of hard-coding assumptions
        about object types.

        (JSC::PropertyTable::nextOffset):
        * runtime/PropertyOffset.h:
        (JSC):
        (JSC::checkOffset):
        (JSC::validateOffset):
        (JSC::isInlineOffset):
        (JSC::numberOfSlotsForLastOffset):
        (JSC::propertyOffsetFor): Refactored these functions to take inline capacity
        as an argument, since it's not fixed at compile time anymore.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::putSpecificValue):
        * runtime/Structure.h:
        (Structure):
        (JSC::Structure::outOfLineCapacity):
        (JSC::Structure::hasInlineStorage):
        (JSC::Structure::inlineCapacity):
        (JSC::Structure::inlineSize):
        (JSC::Structure::firstValidOffset):
        (JSC::Structure::lastValidOffset):
        (JSC::Structure::create): Removed some hard-coded assumptions about inline
        capacity and object type, and replaced with more liberal use of helper functions.

2012-10-03  Michael Saboff  <msaboff@apple.com>

        OpaqueJSString doesn't optimally handle 8 bit strings
        https://bugs.webkit.org/show_bug.cgi?id=98300

        Reviewed by Geoffrey Garen.

        Change OpaqueJSString to store and manage a String instead of a UChar buffer.
        The member string is a copy of any string used during creation.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::create):
        (OpaqueJSString::identifier):
        * API/OpaqueJSString.h:
        (OpaqueJSString::characters):
        (OpaqueJSString::length):
        (OpaqueJSString::string):
        (OpaqueJSString::OpaqueJSString):
        (OpaqueJSString):

2012-10-03  Filip Pizlo  <fpizlo@apple.com>

        Array.splice should be fast when it is used to remove elements other than the very first
        https://bugs.webkit.org/show_bug.cgi?id=98236

        Reviewed by Michael Saboff.

        Applied the same technique that was used to optimize the unshift case of splice in
        http://trac.webkit.org/changeset/129676. This is a >20x speed-up on programs that
        use splice for element removal.

        * runtime/ArrayPrototype.cpp:
        (JSC::shift):
        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCount):
        * runtime/JSArray.h:
        (JSArray):

2012-09-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        Delayed structure sweep can leak structures without bound
        https://bugs.webkit.org/show_bug.cgi?id=96546

        Reviewed by Geoffrey Garen.

        This patch gets rid of the separate Structure allocator in the MarkedSpace and adds two new destructor-only
        allocators. We now have separate allocators for our three types of objects: those objects with no destructors,
        those objects with destructors and with immortal structures, and those objects with destructors that don't have
        immortal structures. All of the objects of the third type (destructors without immortal structures) now
        inherit from a new class named JSDestructibleObject (which in turn is a subclass of JSNonFinalObject), which stores
        the ClassInfo for these classes at a fixed offset for safe retrieval during sweeping/destruction.

        * API/JSCallbackConstructor.cpp: Use JSDestructibleObject for JSCallbackConstructor.
28887 (JSC): 28888 (JSC::JSCallbackConstructor::JSCallbackConstructor): 28889 * API/JSCallbackConstructor.h: 28890 (JSCallbackConstructor): 28891 * API/JSCallbackObject.cpp: Inherit from JSDestructibleObject for normal JSCallbackObjects and use a finalizer for 28892 JSCallbackObject<JSGlobalObject>, since JSGlobalObject also uses a finalizer. 28893 (JSC): 28894 (JSC::::create): We need to move the create function for JSCallbackObject<JSGlobalObject> out of line so we can add 28895 the finalizer for it. We don't want to add the finalizer is something like finishCreation in case somebody decides 28896 to subclass this. We use this same technique for many other subclasses of JSGlobalObject. 28897 (JSC::::createStructure): 28898 * API/JSCallbackObject.h: 28899 (JSCallbackObject): 28900 (JSC): 28901 * API/JSClassRef.cpp: Change all the JSCallbackObject<JSNonFinalObject> to use JSDestructibleObject instead. 28902 (OpaqueJSClass::prototype): 28903 * API/JSObjectRef.cpp: Ditto. 28904 (JSObjectMake): 28905 (JSObjectGetPrivate): 28906 (JSObjectSetPrivate): 28907 (JSObjectGetPrivateProperty): 28908 (JSObjectSetPrivateProperty): 28909 (JSObjectDeletePrivateProperty): 28910 * API/JSValueRef.cpp: Ditto. 28911 (JSValueIsObjectOfClass): 28912 * API/JSWeakObjectMapRefPrivate.cpp: Ditto. 28913 * JSCTypedArrayStubs.h: 28914 (JSC): 28915 * JavaScriptCore.xcodeproj/project.pbxproj: 28916 * dfg/DFGSpeculativeJIT.h: Use the proper allocator type when doing inline allocation in the DFG. 28917 (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject): 28918 (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject): 28919 * heap/Heap.cpp: 28920 (JSC): 28921 * heap/Heap.h: Add accessors for the various types of allocators now. Also remove the isSafeToSweepStructures function 28922 since it's always safe to sweep Structures now. 
28923 (JSC::Heap::allocatorForObjectWithNormalDestructor): 28924 (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor): 28925 (Heap): 28926 (JSC::Heap::allocateWithNormalDestructor): 28927 (JSC): 28928 (JSC::Heap::allocateWithImmortalStructureDestructor): 28929 * heap/IncrementalSweeper.cpp: Remove all the logic to detect when it's safe to sweep Structures from the 28930 IncrementalSweeper since it's always safe to sweep Structures now. 28931 (JSC::IncrementalSweeper::IncrementalSweeper): 28932 (JSC::IncrementalSweeper::sweepNextBlock): 28933 (JSC::IncrementalSweeper::startSweeping): 28934 (JSC::IncrementalSweeper::willFinishSweeping): 28935 (JSC): 28936 * heap/IncrementalSweeper.h: 28937 (IncrementalSweeper): 28938 * heap/MarkedAllocator.cpp: Remove the logic that was preventing us from sweeping Structures if it wasn't safe. Add 28939 tracking of the specific destructor type of allocator. 28940 (JSC::MarkedAllocator::tryAllocateHelper): 28941 (JSC::MarkedAllocator::allocateBlock): 28942 * heap/MarkedAllocator.h: 28943 (JSC::MarkedAllocator::destructorType): 28944 (MarkedAllocator): 28945 (JSC::MarkedAllocator::MarkedAllocator): 28946 (JSC::MarkedAllocator::init): 28947 * heap/MarkedBlock.cpp: Add all the destructor type stuff to MarkedBlocks so that we do the right thing when sweeping. 28948 We also use the stored destructor type to determine the right thing to do in all JSCell::classInfo() calls. 28949 (JSC::MarkedBlock::create): 28950 (JSC::MarkedBlock::MarkedBlock): 28951 (JSC): 28952 (JSC::MarkedBlock::specializedSweep): 28953 (JSC::MarkedBlock::sweep): 28954 (JSC::MarkedBlock::sweepHelper): 28955 * heap/MarkedBlock.h: 28956 (JSC): 28957 (JSC::MarkedBlock::allocator): 28958 (JSC::MarkedBlock::destructorType): 28959 * heap/MarkedSpace.cpp: Add the new destructor allocators to MarkedSpace. 
28960 (JSC::MarkedSpace::MarkedSpace): 28961 (JSC::MarkedSpace::resetAllocators): 28962 (JSC::MarkedSpace::canonicalizeCellLivenessData): 28963 (JSC::MarkedSpace::isPagedOut): 28964 (JSC::MarkedSpace::freeBlock): 28965 * heap/MarkedSpace.h: 28966 (MarkedSpace): 28967 (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor): 28968 (JSC::MarkedSpace::normalDestructorAllocatorFor): 28969 (JSC::MarkedSpace::allocateWithImmortalStructureDestructor): 28970 (JSC::MarkedSpace::allocateWithNormalDestructor): 28971 (JSC::MarkedSpace::forEachBlock): 28972 * heap/SlotVisitor.cpp: Add include because the symbol was needed in an inlined function. 28973 * jit/JIT.h: Make sure we use the correct allocator when doing inline allocations in the baseline JIT. 28974 * jit/JITInlineMethods.h: 28975 (JSC::JIT::emitAllocateBasicJSObject): 28976 (JSC::JIT::emitAllocateJSFinalObject): 28977 (JSC::JIT::emitAllocateJSArray): 28978 * jsc.cpp: 28979 (GlobalObject::create): Add finalizer here since JSGlobalObject needs to use a finalizer instead of inheriting from 28980 JSDestructibleObject. 28981 * runtime/Arguments.cpp: Inherit from JSDestructibleObject. 28982 (JSC): 28983 * runtime/Arguments.h: 28984 (Arguments): 28985 (JSC::Arguments::Arguments): 28986 * runtime/ErrorPrototype.cpp: Added an assert to make sure we have a trivial destructor. 28987 (JSC): 28988 * runtime/Executable.h: Indicate that all of the Executable* classes have immortal Structures. 28989 (JSC): 28990 * runtime/InternalFunction.cpp: Inherit from JSDestructibleObject. 28991 (JSC): 28992 (JSC::InternalFunction::InternalFunction): 28993 * runtime/InternalFunction.h: 28994 (InternalFunction): 28995 * runtime/JSCell.h: Added two static bools, needsDestruction and hasImmortalStructure, that classes can override 28996 to indicate at compile time which part of the heap they should be allocated in. 28997 (JSC::allocateCell): Use the appropriate allocator depending on the destructor type. 
28998 * runtime/JSDestructibleObject.h: Added. New class that stores the ClassInfo of any subclass so that it can be 28999 accessed safely when the object is being destroyed. 29000 (JSC): 29001 (JSDestructibleObject): 29002 (JSC::JSDestructibleObject::classInfo): 29003 (JSC::JSDestructibleObject::JSDestructibleObject): 29004 (JSC::JSCell::classInfo): Checks the current MarkedBlock to see where it should get the ClassInfo from so that it's always safe. 29005 * runtime/JSGlobalObject.cpp: JSGlobalObject now uses a finalizer instead of a destructor so that it can avoid forcing all 29006 of its relatives in the inheritance hierarchy (e.g. JSScope) to use destructors as well. 29007 (JSC::JSGlobalObject::reset): 29008 * runtime/JSGlobalObject.h: 29009 (JSGlobalObject): 29010 (JSC::JSGlobalObject::createRareDataIfNeeded): Since we always create a finalizer now, we don't have to worry about adding one 29011 for the m_rareData field when it's created. 29012 (JSC::JSGlobalObject::create): 29013 (JSC): 29014 * runtime/JSGlobalThis.h: Inherit from JSDestructibleObject. 29015 (JSGlobalThis): 29016 (JSC::JSGlobalThis::JSGlobalThis): 29017 * runtime/JSPropertyNameIterator.h: Has an immortal Structure. 29018 (JSC): 29019 * runtime/JSScope.cpp: 29020 (JSC): 29021 * runtime/JSString.h: Has an immortal Structure. 29022 (JSC): 29023 * runtime/JSWrapperObject.h: Inherit from JSDestructibleObject. 29024 (JSWrapperObject): 29025 (JSC::JSWrapperObject::JSWrapperObject): 29026 * runtime/MathObject.cpp: Cleaning up some of the inheritance stuff. 29027 (JSC): 29028 * runtime/NameInstance.h: Inherit from JSDestructibleObject. 29029 (NameInstance): 29030 * runtime/RegExp.h: Has immortal Structure. 29031 (JSC): 29032 * runtime/RegExpObject.cpp: Inheritance cleanup. 29033 (JSC): 29034 * runtime/SparseArrayValueMap.h: Has immortal Structure. 29035 (JSC): 29036 * runtime/Structure.h: Has immortal Structure. 29037 (JSC): 29038 * runtime/StructureChain.h: Ditto. 
29039 (JSC): 29040 * runtime/SymbolTable.h: Ditto. 29041 (SharedSymbolTable): 29042 (JSC): 29043 29044== Rolled over to ChangeLog-2012-10-02 == 29045