git.saurik.com Git - apple/javascriptcore.git/blame - ChangeLog
JavaScriptCore-7600.1.4.9.tar.gz
2014-08-03 Babak Shafiei <bshafiei@apple.com>

        Merge patch for <rdar://problem/17887398>.

    2014-07-30 Filip Pizlo <fpizlo@apple.com>

            NewFunctionExpression and NewFunctionNoCheck should setHaveStructures(true)
            https://bugs.webkit.org/show_bug.cgi?id=135430

            Reviewed by Mark Hahnenberg.

            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * tests/stress/new-function-expression-has-structures.js: Added.
            (foo.f):
            (foo.f.prototype.f):
            (foo):

2014-08-03 Babak Shafiei <bshafiei@apple.com>

        Merge r171949.

    2014-08-01 Csaba Osztrogonác <ossy@webkit.org>

            URTBF after r171946 to fix non-Apple builds.

            * bytecode/InlineCallFrameSet.cpp:

2014-08-03 Babak Shafiei <bshafiei@apple.com>

        Merge r171946.

    2014-08-01 Mark Hahnenberg <mhahnenberg@apple.com>

            CodeBlock fails to visit the Executables of its InlineCallFrames
            https://bugs.webkit.org/show_bug.cgi?id=135471

            Reviewed by Geoffrey Garen.

            CodeBlock needs to visit its InlineCallFrames' owner Executables. If it doesn't, they
            can be prematurely collected and cause crashes.

            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::stronglyVisitStrongReferences):
            * bytecode/CodeOrigin.h:
            (JSC::InlineCallFrame::visitAggregate):
            * bytecode/InlineCallFrameSet.cpp:
            (JSC::InlineCallFrameSet::visitAggregate):
            * bytecode/InlineCallFrameSet.h:

2014-07-29 Matthew Hanson <matthew_hanson@apple.com>

        Merge r171689. <rdar://problem/17844890>

    2014-07-28 Filip Pizlo <fpizlo@apple.com>

            Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch
            https://bugs.webkit.org/show_bug.cgi?id=135350
            <rdar://problem/17509889>

            Reviewed by Mark Hahnenberg and Oliver Hunt.

            If we have an exiting node that uses a conversion node, then that exiting node
            needs to have a Phantom after it for the original node. But we can't do that
            for Branch because of https://bugs.webkit.org/show_bug.cgi?id=126778.

            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
            * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added.
            (foo):
            (test):
            * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added.
            (foo):
            (test):

2014-07-29 Matthew Hanson <matthew_hanson@apple.com>

        Merge r171688. <rdar://problem/17364180>

    2014-07-28 Joseph Pecoraro <pecoraro@apple.com>

            JSContext Inspector: crash when using step-into
            https://bugs.webkit.org/show_bug.cgi?id=135345

            Reviewed by Timothy Hatcher.

            * inspector/agents/InspectorDebuggerAgent.cpp:
            (Inspector::InspectorDebuggerAgent::stepInto):
            Null check m_listener since it may not be set.

2014-07-25 Lucas Forschler <lforschler@apple.com>

        Merge r171578

    2014-07-24 Brent Fulgham <bfulgham@apple.com>

            [Win] Correct build order in JavaScriptCore.submit.sln
            https://bugs.webkit.org/show_bug.cgi?id=135282
            <rdar://problem/17805592>

            Unreviewed build fix.

            * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Correct build order
            such that LLIntDesiredOffset is built prior to the rest of JSC.

2014-07-24 Lucas Forschler <lforschler@apple.com>

        Merge r171564

    2014-07-24 Mark Lam <mark.lam@apple.com>

            JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
            <https://webkit.org/b/135258>

            Reviewed by Mark Hahnenberg.

            Where needed, we cache the prototype object pointer in a stack local var.
            This allows it to be scanned by the GC, and hence be kept alive until
            we use it. The constructor object will in turn be kept alive by the
            prototype object.

            Also added some comments to warn against future code additions that could
            regress this issue.

            * API/JSWrapperMap.mm:
            (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
            (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
            (-[JSObjCClassInfo wrapperForObject:]):
            (-[JSObjCClassInfo constructor]):

2014-07-24 Lucas Forschler <lforschler@apple.com>

        Merge r171558

    2014-07-24 Joseph Pecoraro <pecoraro@apple.com>

            JSLock release should only modify the AtomicStringTable if it modified in acquire
            https://bugs.webkit.org/show_bug.cgi?id=135143

            Reviewed by Darin Adler.

            * runtime/JSLock.cpp:
            (JSC::JSLock::JSLock):
            Initialize the member variable to nullptr.

            (JSC::JSLock::willDestroyVM):
            Update style to use nullptr instead of 0.

            (JSC::JSLock::willReleaseLock):
            We should only reset the thread data's atomic string table if
            didAcquireLock changed it. m_entryAtomicStringTable will have
            been set by didAcquireLock if it changed, or nullptr if it didn't.
            This way we are sure we are balanced, regardless of m_vm changes.

2014-07-24 Lucas Forschler <lforschler@apple.com>

        Merge r171543

    2014-07-24 Mark Hahnenberg <mhahnenberg@apple.com>

            Creating a JSGlobalObject with a custom JSClassRef results in a JSProxy with the wrong prototype
            https://bugs.webkit.org/show_bug.cgi?id=135250

            Reviewed by Geoffrey Garen.

            JSGlobalObject::resetPrototype (which is called from JSGlobalContextCreateInGroup) doesn't change its
            JSProxy's prototype as well. This results in a JSProxy where no properties in the original prototype
            chain (as created from the JSClassRef hierarchy) are accessible. Changing resetPrototype to also change
            the JSProxy's prototype fixes the issue.

            * API/JSValueRef.cpp:
            (JSValueIsObjectOfClass): Also fixed a bug where a JSProxy for a JSGlobalObject with a custom JSClassRef
            would claim it wasn't of the specified class, even if the target was of the specified class.
            * API/tests/CustomGlobalObjectClassTest.c: Added.
            (jsDoSomething):
            (customGlobalObjectClassTest):
            * API/tests/CustomGlobalObjectClassTest.h: Added.
            * API/tests/testapi.c:
            (assertTrue):
            (main):
            * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
            * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * runtime/JSGlobalObject.cpp:
            (JSC::JSGlobalObject::resetPrototype):

2014-07-24 Lucas Forschler <lforschler@apple.com>

        Merge r171395

    2014-07-22 Brent Fulgham <bfulgham@apple.com>

            Build fix for non-clang compile.

            * jsc.cpp:
            (WTF::RuntimeArray::put): Remove incorrect return statement
            I added.

2014-07-24 Lucas Forschler <lforschler@apple.com>

        Merge r171393

    2014-07-22 Brent Fulgham <bfulgham@apple.com>

            Build fix for non-clang compile.

            * jsc.cpp:
            (WTF::RuntimeArray::deleteProperty): Need (fake) return
            value when NO_RETURN_DUE_TO_CRASH is not defined.

2014-07-24 Lucas Forschler <lforschler@apple.com>

        Merge r171390

    2014-07-22 Mark Lam <mark.lam@apple.com>

            Array.concat() should work on runtime arrays too.
            <https://webkit.org/b/135179>

            Reviewed by Geoffrey Garen.

            * jsc.cpp:
            (WTF::RuntimeArray::create):
            (WTF::RuntimeArray::~RuntimeArray):
            (WTF::RuntimeArray::destroy):
            (WTF::RuntimeArray::getOwnPropertySlot):
            (WTF::RuntimeArray::getOwnPropertySlotByIndex):
            (WTF::RuntimeArray::put):
            (WTF::RuntimeArray::deleteProperty):
            (WTF::RuntimeArray::getLength):
            (WTF::RuntimeArray::createPrototype):
            (WTF::RuntimeArray::createStructure):
            (WTF::RuntimeArray::finishCreation):
            (WTF::RuntimeArray::RuntimeArray):
            (WTF::RuntimeArray::lengthGetter):
            (GlobalObject::finishCreation):
            (functionCreateRuntimeArray):
            - Added support to create a runtime array for testing purposes.
            * runtime/ArrayPrototype.cpp:
            (JSC::getLength):
            - Added fast case for when the array object is a JSArray.
            (JSC::arrayProtoFuncJoin):
            - Added a needed but missing exception check.
            (JSC::arrayProtoFuncConcat):
            - Use getLength() to compute the array length instead of assuming that
              the array is a JSArray instance.
            * tests/stress/regexp-matches-array.js: Added.
            (testArrayConcat):
            * tests/stress/runtime-array.js: Added.
            (testArrayConcat):

2014-07-24 Lucas Forschler <lforschler@apple.com>

        Merge r171328

    2014-07-21 Mark Lam <mark.lam@apple.com>

            Refactor ArrayPrototype to use getLength() and putLength() utility functions.
            https://bugs.webkit.org/show_bug.cgi?id=135139.

            Reviewed by Oliver Hunt.

            - Specialize putProperty() to putLength() because it is only used for setting
              the length property.
            - Added a getLength() utility function to get the value of the length property.
            - Use these getLength() and putLength() functions instead of the existing code
              to get and put the length property. Less code to read, easier to understand.

            * runtime/ArrayPrototype.cpp:
            (JSC::getLength):
            (JSC::putLength):
            (JSC::arrayProtoFuncToString):
            (JSC::arrayProtoFuncToLocaleString):
            (JSC::arrayProtoFuncJoin):
            (JSC::arrayProtoFuncPop):
            (JSC::arrayProtoFuncPush):
            (JSC::arrayProtoFuncReverse):
            (JSC::arrayProtoFuncShift):
            (JSC::arrayProtoFuncSlice):
            (JSC::arrayProtoFuncSort):
            (JSC::arrayProtoFuncSplice):
            (JSC::arrayProtoFuncUnShift):
            (JSC::arrayProtoFuncReduce):
            (JSC::arrayProtoFuncReduceRight):
            (JSC::arrayProtoFuncIndexOf):
            (JSC::arrayProtoFuncLastIndexOf):
            (JSC::putProperty): Deleted.

2014-07-23 Matthew Hanson <matthew_hanson@apple.com>

        Merge r171474 (rollout r171367 from trunk)

2014-07-23 Lucas Forschler <lforschler@apple.com>

        Merge r171367

    2014-07-22 Joseph Pecoraro <pecoraro@apple.com>

            JSLock release should only modify the AtomicStringTable if it modified in acquire
            https://bugs.webkit.org/show_bug.cgi?id=135143

            Reviewed by Pratik Solanki.

            * runtime/JSLock.cpp:
            (JSC::JSLock::willDestroyVM):
            (JSC::JSLock::willReleaseLock):
            Only set the AtomicStringTable when there was a VM, to balance JSLock::didAcquireLock.

2014-07-23 Lucas Forschler <lforschler@apple.com>

        Merge r171355

    2014-07-21 Sam Weinig <sam@webkit.org>

            [Cocoa] WKScriptMessageHandlers don't seem to function properly after navigating
            https://bugs.webkit.org/show_bug.cgi?id=135148

            Reviewed by Geoffrey Garen.

            * runtime/CommonIdentifiers.h:
            Add a common identifier for the string "webkit".

2014-07-23 Lucas Forschler <lforschler@apple.com>

        Merge r171354

    2014-07-22 Filip Pizlo <fpizlo@apple.com>

            ASSERTION FAILED: info.spillFormat() & DataFormatJS in JSC::DFG::SpeculativeJIT::fillSpeculateCell
            https://bugs.webkit.org/show_bug.cgi?id=135155
            <rdar://problem/17763909>

            Reviewed by Oliver Hunt.

            The DFG fillSpeculate code paths all need to be mindful of the fact that they may be stumbling upon a
            contradiction, and that this is OK. In this case, we were speculating cell on an int.

            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
            * tests/stress/regress-135155.js: Added.
            (run.t.length):
            (run):

2014-07-22 Dana Burkart <dburkart@apple.com>

        Merge r171228.

    2014-07-18 Filip Pizlo <fpizlo@apple.com>

            Fix cloop build.

            * jsc.cpp:
            (jscmain):

2014-07-22 Dana Burkart <dburkart@apple.com>

        Merge r171213.

    2014-07-15 Filip Pizlo <fpizlo@apple.com>

            Need ability to fuzz exception throwing
            https://bugs.webkit.org/show_bug.cgi?id=134945
            <rdar://problem/17722027>

            Reviewed by Sam Weinig.

            Adds the ability to instrument exception checks, and to force some random
            exception check to artificially throw an exception. Also adds new tests that
            are suitable for testing this. Note that this is closely tied to the Tools
            directory changes that are also part of this changeset.

            This also fixes an activation tear-off bug that arises if we ever throw an
            exception from operationOptimize, or if due to some other bug it's only due
            to the operationOptimize exception check that we realize that there is an
            exception to be thrown.

            * dfg/DFGJITCompiler.h:
            (JSC::DFG::JITCompiler::fastExceptionCheck):
            * ftl/FTLIntrinsicRepository.h:
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::callCheck):
            * interpreter/Interpreter.cpp:
            (JSC::unwindCallFrame):
            * jit/AssemblyHelpers.cpp:
            (JSC::AssemblyHelpers::callExceptionFuzz):
            (JSC::AssemblyHelpers::emitExceptionCheck):
            * jit/AssemblyHelpers.h:
            (JSC::AssemblyHelpers::emitExceptionCheck): Deleted.
            * jit/JIT.cpp:
            (JSC::JIT::privateCompileMainPass):
            * jit/JITOpcodes.cpp:
            (JSC::JIT::emit_op_enter):
            * jit/JITOperations.cpp:
            (JSC::numberOfExceptionFuzzChecks):
            * jit/JITOperations.h:
            * jsc.cpp:
            (jscmain):
            * runtime/Options.h:
            * runtime/TestRunnerUtils.h:
            * tests/exceptionFuzz.yaml: Added.
            * tests/exceptionFuzz: Added.
            * tests/exceptionFuzz/3d-cube.js: Added.
            * tests/exceptionFuzz/date-format-xparb.js: Added.
            * tests/exceptionFuzz/earley-boyer.js: Added.

2014-07-22 Dana Burkart <dburkart@apple.com>

        Merge r171204.

    2014-07-17 Joseph Pecoraro <pecoraro@apple.com>

            Follow-up fix to r171195 to prevent ASSERT in fast/profiler/profile-with-no-title.html

            Rubber-stamped by Alexey Proskuryakov.

            Null / empty titles should be fine. Tests pass in release builds
            which allowed empty titles, and it looks like the LegacyProfiler
            stopProfiling handles empty titles as expected already.

            * profiler/LegacyProfiler.cpp:
            (JSC::LegacyProfiler::startProfiling):

2014-07-22 Dana Burkart <dburkart@apple.com>

        Merge r171190.

    2014-07-16 Filip Pizlo <fpizlo@apple.com>

            DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw
            https://bugs.webkit.org/show_bug.cgi?id=134988
            <rdar://problem/17706349>

            Reviewed by Oliver Hunt.

            Luckily, we also don't need this optimization to be super powerful: the only place
            where it really matters is for getting rid of the redundancy between op_enter and
            op_init_lazy_reg, and in that case, there is a small set of possible nodes between the
            two things. This change updates the store eliminator to know about only that small,
            obviously safe, set of nodes over which we can store-eliminate.

            This shouldn't have any performance impact in the DFG because this optimization kicks
            in relatively rarely already. And once we tier up into the FTL, we get a much better
            store elimination over LLVM IR, so this really shouldn't matter at all.

            The tricky part of this patch is that there is a close relative of this optimization,
            for uncaptured variables that got flushed. This happens for arguments to inlined calls.
            I make this work by splitting it into two different store eliminators.

            Note that in the process of crafting the tests, I realized that we were incorrectly
            DCEing NewArrayWithSize. That's not cool, since that can throw an exception for
            negative array sizes. If we ever did want to DCE this node, we'd need to lower the node
            to a check node followed by the actual allocation.

            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::uncapturedSetLocalStoreElimination):
            (JSC::DFG::CSEPhase::capturedSetLocalStoreElimination):
            (JSC::DFG::CSEPhase::setLocalStoreElimination):
            (JSC::DFG::CSEPhase::performNodeCSE):
            (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
            * dfg/DFGNodeType.h:
            * tests/stress/capture-escape-and-throw.js: Added.
            (foo.f):
            (foo):
            * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
            (foo):
            (bar):

2014-07-17 Dean Jackson <dino@apple.com>

        <rdar://problem/17675068> Disable some features on this branch.

        Reviewed originally by Simon Fraser.

        Disable:
        - CSS_EXCLUSIONS
        - CSS_GRID_LAYOUT
        - INPUT_TYPE_COLOR
        - INPUT_TYPE_COLOR_POPUP
        - CANVAS_PATH
        - CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED
        - INDIE_UI
        - SHARED_WORKERS
        - NAVIGATOR_HWCONCURRENCY
        - GAMEPAD
        - PICTURE_SIZES
        - CSS3_CONDITIONAL_RULES
        - WILL_REVEAL_EDGE_EVENTS

        * Configurations/FeatureDefines.xcconfig:

2014-07-15 Benjamin Poulain <benjamin@webkit.org>

        Reduce the overhead of updating the AssemblerBuffer
        https://bugs.webkit.org/show_bug.cgi?id=134659

        Reviewed by Gavin Barraclough.

        In r164548, the linker was changed to allow the LinkBuffer to survive its MacroAssembler.
        That feature is useful for JSC to get offsets inside a linked buffer in order to jump directly
        there.

        On ARM, we use branch compaction and we need to keep the "compaction offset" somewhere to be able
        to get the real address of a label. That is done by reusing the memory of AssemblerData.

        To share the memory between LinkBuffer and the Assembler, r164548 moved the AssemblerData into
        a ref-counted object. Unfortunately, the extra complexity related to the new AssemblerData was enough
        to make clang give up a bunch of optimizations.

        This patch solves (some of) the problems by making AssemblerBuffer and AssemblerData super low overhead structures.
        In particular, the grow() function becomes 8 Thumb instructions, which is easily inlined everywhere it is used.

        Instead of sharing ownership between the Assembler and LinkBuffer, LinkBuffer now takes full ownership of
        the AssemblerData. I feel this is also safer since LinkBuffer is reusing the AssemblerData in a very
        specific way that would make it unusable for the Assembler.

        -- Technical details --

        From LinkBuffer, we don't want to ever access the Assembler after releasing its buffer (or writing anything
        into it really). This was obviously already the case, but that was hard to prove from LinkBuffer::copyCompactAndLinkCode().
        To make this easier to work with, I changed all the assembler specific functions to be static. This way we know
        exactly what code accesses the Assembler instance. The code that does access the instance is then moved
        to the beginning, before we modify anything.

        The function recordLinkOffsets() that was on the MacroAssembler and copied in Assembler was moved directly
        to LinkBuffer. This makes the modification of AssemblerData completely explicit, and that code is specific
        to LinkBuffer anyway (see LinkBuffer::executableOffsetFor()).

        -- Perf impact --

        This does not put us exactly at before r164548 due to the missing inline buffer. Still, it is very close.
        On ARMv7, this reduces the time spent in Assembler by half. On the CSS JIT, this reduces the compilation
        time by ~20%.

        I could not measure any difference on x86_64.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::jumpSizeDelta):
        (JSC::ARM64Assembler::canCompact):
        (JSC::ARM64Assembler::computeJumpType):
        (JSC::ARM64Assembler::link):
        (JSC::ARM64Assembler::recordLinkOffsets): Deleted.
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::ifThenElseConditionBit):
        (JSC::ARMv7Assembler::ifThenElse):
        (JSC::ARMv7Assembler::jumpSizeDelta):
        (JSC::ARMv7Assembler::canCompact):
        (JSC::ARMv7Assembler::computeJumpType):
        (JSC::ARMv7Assembler::link):
        (JSC::ARMv7Assembler::linkJumpT1):
        (JSC::ARMv7Assembler::linkJumpT3):
        (JSC::ARMv7Assembler::linkConditionalJumpT4):
        (JSC::ARMv7Assembler::linkConditionalBX):
        (JSC::ARMv7Assembler::recordLinkOffsets): Deleted.
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerData::AssemblerData):
        (JSC::AssemblerData::operator=):
        (JSC::AssemblerData::~AssemblerData):
        (JSC::AssemblerData::buffer):
        (JSC::AssemblerData::capacity):
        (JSC::AssemblerData::grow):
        (JSC::AssemblerBuffer::AssemblerBuffer):
        (JSC::AssemblerBuffer::isAvailable):
        (JSC::AssemblerBuffer::data):
        (JSC::AssemblerBuffer::releaseAssemblerData):
        (JSC::AssemblerBuffer::putIntegral):
        (JSC::AssemblerBuffer::putIntegralUnchecked):
        (JSC::AssemblerBuffer::append):
        (JSC::AssemblerBuffer::grow):
        (JSC::AssemblerBuffer::~AssemblerBuffer): Deleted.
        (JSC::AssemblerBuffer::storage): Deleted.
        * assembler/LinkBuffer.cpp:
        (JSC::recordLinkOffsets):
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::executableOffsetFor):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::canCompact):
        (JSC::MacroAssemblerARM64::computeJumpType):
        (JSC::MacroAssemblerARM64::jumpSizeDelta):
        (JSC::MacroAssemblerARM64::link):
        (JSC::MacroAssemblerARM64::recordLinkOffsets): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::canCompact):
        (JSC::MacroAssemblerARMv7::computeJumpType):
        (JSC::MacroAssemblerARMv7::jumpSizeDelta):
        (JSC::MacroAssemblerARMv7::link):
        (JSC::MacroAssemblerARMv7::recordLinkOffsets): Deleted.

2014-07-15 Mark Hahnenberg <mhahnenberg@apple.com>

        Stores to PropertyTable use the Structure as the owner
        https://bugs.webkit.org/show_bug.cgi?id=134595

        Reviewed by Darin Adler.

        Since PropertyTable is the object that does the marking of these references, it should be the owner.

        Also removed some unused parameters to other methods that historically used the Structure as the owner.

        * runtime/JSPropertyNameIterator.h:
        (JSC::StructureRareData::setEnumerationCache):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::copy):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::clone):
        (JSC::PropertyTable::PropertyTable):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::takePropertyTableOrCloneIfPinned):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::putSpecificValue):
        * runtime/Structure.h:
        (JSC::Structure::setObjectToStringValue):
        (JSC::Structure::setPreviousID):
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        * runtime/StructureRareData.h:
        * runtime/StructureRareDataInlines.h:
        (JSC::StructureRareData::setPreviousID):
        (JSC::StructureRareData::setObjectToStringValue):

2014-07-15 Mark Hahnenberg <mhahnenberg@apple.com>

        ScriptExecutable::forEachCodeBlock can dereference null CodeBlocks
        https://bugs.webkit.org/show_bug.cgi?id=134928

        Reviewed by Andreas Kling.

        * bytecode/CodeBlock.h:
        (JSC::ScriptExecutable::forEachCodeBlock): Check for null CodeBlocks before calling forEachRelatedCodeBlock.

2014-07-15 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>

        Buildfix if LLINT_SLOW_PATH_TRACING is enabled
        https://bugs.webkit.org/show_bug.cgi?id=133790

        Reviewed by Mark Lam.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2014-07-14 Filip Pizlo <fpizlo@apple.com>

        Allow for Int52Rep to see things other than Int32, and make this testable
        https://bugs.webkit.org/show_bug.cgi?id=134873
        <rdar://problem/17641915>

        Reviewed by Geoffrey Garen and Mark Hahnenberg.

        A major premise of our type inference is that prediction propagation can say whatever it
        wants and we'll still have valid IR after Fixup. This previously didn't work with Int52s.
        We required some kind of agreement between prediction propagation and fixup over which
        data flow paths were Int52 and which weren't.

        It turns out that we basically had such an agreement, with the exception of code that was
        unreachable due to ForceOSRExit. Then, fixup and prediction propagation would disagree. It
        might be nice to fix that bug - but it's only in the case of Int52 that such a thing would
        be a bug! Normally, we allow sloppiness in prediction propagation.

        This patch allows us to be sloppy with Int52 prediction propagation by giving Int52Rep the
        ability to see inputs other than Int32. This fixes the particular ForceOSRExit bug (see
        int52-force-osr-exit-path.js for the reduced test case). To make sure that the newly
        empowered Int52Rep is actually correct - in case we end up using it on paths other than
        ForceOSRExit - this patch introduces an internal intrinsic called fiatInt52() that forces
        us to attempt Int52 conversion on the input. This patch adds a bunch of tests that stress
        this intrinsic. This means that we're now stressing Int52Rep more so than ever before!

        Note that it would still be a bug for prediction propagation to ever cause us to create an
        Int52Rep node for a non-Int32 input. But, this will now be a performance bug, rather than
        a crash bug.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::fixTypeForRepresentation):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isMachineIntConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isMachineIntConstant):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::convertMachineInt):
        (JSC::DFG::SpeculativeJIT::speculateMachineInt):
        (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isNumerical):
        (JSC::DFG::isDouble):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
        (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
        (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
        (JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52):
        (JSC::FTL::LowerDFGToLLVM::doubleToStrictInt52):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateMachineInt):
        (JSC::FTL::LowerDFGToLLVM::speculateDoubleRepMachineInt):
        * jit/JITOperations.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionIdentity):
        * runtime/Intrinsic.h:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::tryConvertToInt52):
        (JSC::isInt52):
        (JSC::JSValue::isMachineInt):
        * tests/stress/dead-fiat-double-to-int52-then-exit-not-int52.js: Added.
        (foo):
        * tests/stress/dead-fiat-double-to-int52.js: Added.
        (foo):
        * tests/stress/dead-fiat-int32-to-int52.js: Added.
        (foo):
        * tests/stress/dead-fiat-value-to-int52-double-path.js: Added.
        (foo):
        (bar):
        * tests/stress/dead-fiat-value-to-int52-then-exit-not-double.js: Added.
        (foo):
        (bar):
        * tests/stress/dead-fiat-value-to-int52-then-exit-not-int52.js: Added.
        (foo):
        (bar):
        * tests/stress/dead-fiat-value-to-int52.js: Added.
        (foo):
        (bar):
        * tests/stress/fiat-double-to-int52-then-exit-not-int52.js: Added.
        (foo):
        * tests/stress/fiat-double-to-int52-then-fail-to-fold.js: Added.
        (foo):
        * tests/stress/fiat-double-to-int52-then-fold.js: Added.
        (foo):
        * tests/stress/fiat-double-to-int52.js: Added.
        (foo):
        * tests/stress/fiat-int32-to-int52.js: Added.
        (foo):
        * tests/stress/fiat-value-to-int52-double-path.js: Added.
        (foo):
        (bar):
        * tests/stress/fiat-value-to-int52-then-exit-not-double.js: Added.
        (foo):
        (bar):
        * tests/stress/fiat-value-to-int52-then-exit-not-int52.js: Added.
        (foo):
        (bar):
        * tests/stress/fiat-value-to-int52-then-fail-to-fold.js: Added.
        (foo):
        * tests/stress/fiat-value-to-int52-then-fold.js: Added.
        (foo):
        * tests/stress/fiat-value-to-int52.js: Added.
        (foo):
        (bar):
        * tests/stress/int52-force-osr-exit-path.js: Added.
        (foo):

2014-07-14 Mark Hahnenberg <mhahnenberg@apple.com>

        Flattening dictionaries with oversize backing stores can cause crashes
        https://bugs.webkit.org/show_bug.cgi?id=134906

        Reviewed by Filip Pizlo.

        The collector expects any pointers into CopiedSpace passed to copyLater are within 32 KB
        of the CopiedBlock header. This was always the case except for when flattening a dictionary
        caused the size of the Butterfly to decrease. This was equivalent to moving the base of the
        Butterfly to higher addresses. If the object was reduced sufficiently in size, the base
        would no longer be within the first 32 KB of the CopiedBlock and the next collection would
        choke on the Butterfly pointer.

        This patch fixes this issue by detecting this situation during flattening and memmove-ing
        the Butterfly down to where the old base was.

        * runtime/JSObject.cpp:
        (JSC::JSObject::shiftButterflyAfterFlattening):
        * runtime/JSObject.h:
        (JSC::JSObject::butterflyPreCapacity):
        (JSC::JSObject::butterflyTotalSize):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):
        * tests/stress/flatten-oversize-dictionary-object.js: Added.
        (foo):

2014-07-14 Benjamin Poulain <benjamin@webkit.org>

        Remove some dead code from FTLJITFinalizer
        https://bugs.webkit.org/show_bug.cgi?id=134874

        Reviewed by Geoffrey Garen.

        Not sure what that code was for...but it does not do anything :)

        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        The pointer of the label is computed but never used.

        * ftl/FTLJITFinalizer.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        The label is never set to anything.

2014-07-14 Bear Travis <betravis@adobe.com>

        [Feature Queries] Enable Feature Queries on Mac
        https://bugs.webkit.org/show_bug.cgi?id=134404

        Reviewed by Antti Koivisto.

        Enable Feature Queries on Mac and resume running the
        feature tests.

        * Configurations/FeatureDefines.xcconfig: Turn on
        ENABLE_CSS3_CONDITIONAL_RULES.

2014-07-11 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: Debugger Pause button does not work
        https://bugs.webkit.org/show_bug.cgi?id=134785

        Reviewed by Timothy Hatcher.

        * CMakeLists.txt:
        * DerivedSources.make:
        Minification strips the sourceURL command. Add it back with minification.

2014-07-11 peavo@outlook.com <peavo@outlook.com>

        [Win] Enable DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=123615

        Reviewed by Mark Lam.

        When the return type of a JIT generated function call is larger than 64-bit (e.g. SlowPathReturnType),
        the normal call() implementation cannot be used on 64-bit Windows, because the 64-bit Windows ABI is different in this case.
        Also, when generating calls with double arguments, we need to make sure the arguments are put in the correct registers,
        since the register allocation differs on 64-bit Windows.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType): Added method to handle function calls where the return value type size is larger than 64-bit.
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState): Move arguments to correct registers when there are floating point arguments.
        (JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Added method.
        * jit/JIT.h:
        (JSC::JIT::appendCallWithSlowPathReturnType): Added method.
        * jit/JITInlines.h:
        (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType): Added method.
        (JSC::JIT::callOperation): Call new method.

2014-07-09 Benjamin Poulain <benjamin@webkit.org>

        Use 16bits instructions for push/pop on ARMv7 when possible
        https://bugs.webkit.org/show_bug.cgi?id=134753

        Reviewed by Geoffrey Garen.

        The patch r170839 mixed the code for push/pop pair and single push/pop.
        That part was reverted in r170909.

        This patch puts the code back but specialized for single push/pop.
901
902 * assembler/ARMv7Assembler.h:
903 (JSC::ARMv7Assembler::pop):
904 (JSC::ARMv7Assembler::push):
905 * assembler/MacroAssemblerARMv7.h:
906 (JSC::MacroAssemblerARMv7::pop):
907 (JSC::MacroAssemblerARMv7::push):
908
9092014-07-09 Brent Fulgham <bfulgham@apple.com>
910
911 [Win] Remove uses of 'bash' in build system
912 https://bugs.webkit.org/show_bug.cgi?id=134782
913 <rdar://problem/17615533>
914
915 Reviewed by Dean Jackson.
916
917 Remove uses of 'bash' by replacing Windows-specific bash scripts
918 with Perl equivalents.
919
920 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
921 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
922 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters:
923 * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
924 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
925 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
926 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh.
927 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Removed.
928 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
929 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
930 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh.
931 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
932 * JavaScriptCore.vcxproj/build-generated-files.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/build-generated-files.sh.
933 * JavaScriptCore.vcxproj/build-generated-files.sh: Removed.
934 * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
935 * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
936 * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
937
9382014-07-09 Brent Fulgham <bfulgham@apple.com>
939
940 [Win] Remove use of 'grep' in build steps
941 https://bugs.webkit.org/show_bug.cgi?id=134770
942 <rdar://problem/17608783>
943
944 Reviewed by Tim Horton.
945
946 Replace uses of the grep command in Windows builds with the equivalent
947 Perl program.
948
949 * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
950 * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
951 * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
952 * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
953
9542014-07-08 Benjamin Poulain <benjamin@webkit.org>
955
956 Restore the assertion changed with 170839
957
958 * assembler/ARMv7Assembler.h:
959 (JSC::ARMv7Assembler::pop):
960 (JSC::ARMv7Assembler::push):
961 Revert the Assembler part of 170839. The assertions do not match both encodings.
962
963 I'll add specific versions of push and pop instead.
964
9652014-07-08 Jon Honeycutt <jhoneycutt@apple.com>
966
967 RemoteInspector::shared() should not call WTF::initializeMainThread()
968 <https://bugs.webkit.org/show_bug.cgi?id=134747>
969 <rdar://problem/17161482>
970
971 Reviewed by Joseph Pecoraro.
972
973 * inspector/remote/RemoteInspector.mm:
974 (Inspector::RemoteInspector::shared):
975 Don't call WTF::initializeMainThread(). WTF threading is initialized by
976 JSC::initializeThreading().
977
9782014-07-08 Andreas Kling <akling@apple.com>
979
980 VM::lastCachedString should be a Strong, not a Weak.
981 <https://webkit.org/b/134746>
982
983 Using Weak<JSString> for this regressed some of our bindings perf tests
984 due to Weak having to allocate a new WeakImpl every time the last cached
985 string changed. Making it a Strong instead should make that problem go away.
986
987 Reviewed by Geoffrey Garen.
988
989 * runtime/JSString.cpp:
990 (JSC::jsStringWithCacheSlowCase):
991 * runtime/VM.h:
992
9932014-07-07 Benjamin Poulain <bpoulain@apple.com>
994
995 Fix the build after r170876
996
997 * assembler/LinkBuffer.cpp:
998 (JSC::LinkBuffer::linkCode):
999
10002014-07-07 Benjamin Poulain <benjamin@webkit.org>
1001
1002 LinkBuffer should not keep a reference to the MacroAssembler
1003 https://bugs.webkit.org/show_bug.cgi?id=134668
1004
1005 Reviewed by Geoffrey Garen.
1006
1007 In FTL, the LinkBuffer can outlive the MacroAssembler that was used for code generation.
1008 When that happens, the pointer m_assembler points to released memory. That was not causing
1009 issues because the attribute is not used after linking, but that was not particularly
1010 future proof.
1011
1012 This patch refactors LinkBuffer to avoid any lifetime risk. The MacroAssembler is now passed
1013 as a reference; it is used for linking but no reference is ever stored with the LinkBuffer.
1014
1015 While fixing the call sites to use a reference, I also discovered LinkBuffer.h was included
1016 everywhere. I refactored some #include to avoid that.
1017
1018 * assembler/LinkBuffer.cpp:
1019 (JSC::LinkBuffer::copyCompactAndLinkCode):
1020 (JSC::LinkBuffer::linkCode):
1021 * assembler/LinkBuffer.h:
1022 (JSC::LinkBuffer::LinkBuffer):
1023 * bytecode/Watchpoint.cpp:
1024 * dfg/DFGDisassembler.cpp:
1025 * dfg/DFGDisassembler.h:
1026 * dfg/DFGJITCompiler.cpp:
1027 (JSC::DFG::JITCompiler::link):
1028 (JSC::DFG::JITCompiler::linkFunction):
1029 * dfg/DFGOSRExitCompiler.cpp:
1030 * dfg/DFGPlan.cpp:
1031 * dfg/DFGThunks.cpp:
1032 (JSC::DFG::osrExitGenerationThunkGenerator):
1033 (JSC::DFG::osrEntryThunkGenerator):
1034 * ftl/FTLCompile.cpp:
1035 (JSC::FTL::generateICFastPath):
1036 (JSC::FTL::fixFunctionBasedOnStackMaps):
1037 * ftl/FTLJSCall.cpp:
1038 * ftl/FTLJSCall.h:
1039 * ftl/FTLLink.cpp:
1040 (JSC::FTL::link):
1041 * ftl/FTLLowerDFGToLLVM.cpp:
1042 * ftl/FTLOSRExitCompiler.cpp:
1043 (JSC::FTL::compileStub):
1044 * ftl/FTLThunks.cpp:
1045 (JSC::FTL::osrExitGenerationThunkGenerator):
1046 (JSC::FTL::slowPathCallThunkGenerator):
1047 * jit/ArityCheckFailReturnThunks.cpp:
1048 (JSC::ArityCheckFailReturnThunks::returnPCsFor):
1049 * jit/JIT.cpp:
1050 (JSC::JIT::privateCompile):
1051 * jit/JITCall.cpp:
1052 (JSC::JIT::privateCompileClosureCall):
1053 * jit/JITCall32_64.cpp:
1054 (JSC::JIT::privateCompileClosureCall):
1055 * jit/JITDisassembler.cpp:
1056 * jit/JITDisassembler.h:
1057 * jit/JITOpcodes.cpp:
1058 * jit/JITPropertyAccess.cpp:
1059 (JSC::JIT::stringGetByValStubGenerator):
1060 (JSC::JIT::privateCompileGetByVal):
1061 (JSC::JIT::privateCompilePutByVal):
1062 * jit/JITPropertyAccess32_64.cpp:
1063 (JSC::JIT::stringGetByValStubGenerator):
1064 * jit/RegisterPreservationWrapperGenerator.cpp:
1065 (JSC::generateRegisterPreservationWrapper):
1066 (JSC::registerRestorationThunkGenerator):
1067 * jit/Repatch.cpp:
1068 (JSC::generateByIdStub):
1069 (JSC::tryCacheGetByID):
1070 (JSC::emitPutReplaceStub):
1071 (JSC::emitPutTransitionStub):
1072 (JSC::tryRepatchIn):
1073 (JSC::linkClosureCall):
1074 * jit/SpecializedThunkJIT.h:
1075 (JSC::SpecializedThunkJIT::finalize):
1076 * jit/ThunkGenerators.cpp:
1077 (JSC::throwExceptionFromCallSlowPathGenerator):
1078 (JSC::linkForThunkGenerator):
1079 (JSC::linkClosureCallForThunkGenerator):
1080 (JSC::virtualForThunkGenerator):
1081 (JSC::nativeForGenerator):
1082 (JSC::arityFixup):
1083 * llint/LLIntThunks.cpp:
1084 (JSC::LLInt::generateThunkWithJumpTo):
1085 * yarr/YarrJIT.cpp:
1086 (JSC::Yarr::YarrGenerator::compile):
1087
10882014-07-07 Andreas Kling <akling@apple.com>
1089
1090 Fast path for jsStringWithCache() when asked for the same string repeatedly.
1091 <https://webkit.org/b/134635>
1092
1093 Reviewed by Darin Adler.
1094
1095 Follow-up to r170818 addressing a review comment by Geoff Garen.
1096
1097 * runtime/JSString.cpp:
1098 (JSC::jsStringWithCacheSlowCase):
1099
11002014-07-07 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
1101
1102 Add missing ENABLE(FTL_JIT) guards
1103 https://bugs.webkit.org/show_bug.cgi?id=134680
1104
1105 Reviewed by Darin Adler.
1106
1107 * ftl/FTLDWARFDebugLineInfo.cpp:
1108 * ftl/FTLDWARFDebugLineInfo.h:
1109 * ftl/FTLGeneratedFunction.h:
1110
11112014-07-07 Zan Dobersek <zdobersek@igalia.com>
1112
1113 Enable ARMv7 disassembler for the GTK port
1114 https://bugs.webkit.org/show_bug.cgi?id=134676
1115
1116 Reviewed by Benjamin Poulain.
1117
1118 * CMakeLists.txt: Add ARMv7DOpcode.cpp file to the build.
1119 * disassembler/ARMv7/ARMv7DOpcode.cpp: Include the string.h header for strlen().
1120
11212014-07-06 Benjamin Poulain <benjamin@webkit.org>
1122
1123 [ARMv7] Use 16 bits instructions for push/pop when possible
1124 https://bugs.webkit.org/show_bug.cgi?id=134656
1125
1126 Reviewed by Andreas Kling.
1127
1128 * assembler/ARMv7Assembler.h:
1129 (JSC::ARMv7Assembler::pop):
1130 (JSC::ARMv7Assembler::push):
1131 (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Imm9):
1132 Add the 16 bits version of push and pop.
1133
1134 * assembler/MacroAssemblerARMv7.h:
1135 (JSC::MacroAssemblerARMv7::pop):
1136 (JSC::MacroAssemblerARMv7::push):
1137 Use the new push/pop instead of a regular load/store.
1138
1139 * disassembler/ARMv7/ARMv7DOpcode.cpp:
1140 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterList):
1141 * disassembler/ARMv7/ARMv7DOpcode.h:
1142 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::registerMask):
1143 Fix the disassembler for push/pop:
1144 -The register mask was on 7 bits for some reason.
1145 -The code printing the registers was comparing a register ID with a register
1146 mask.
1147
11482014-07-06 Yoav Weiss <yoav@yoav.ws>
1149
1150 Turn on img@sizes compile flag
1151 https://bugs.webkit.org/show_bug.cgi?id=134634
1152
1153 Reviewed by Benjamin Poulain.
1154
1155 * Configurations/FeatureDefines.xcconfig: Moved compile flag to alphabetical order.
1156
11572014-07-06 Daewoong Jang <daewoong.jang@navercorp.com>
1158
1159 Flags value of SourceCodeKey should be unique for each case.
1160 https://bugs.webkit.org/show_bug.cgi?id=134435
1161
1162 Reviewed by Darin Adler.
1163
1164 Different combinations of CodeType and JSParserStrictness could generate the same m_flags value because
1165 the value of CodeType and the value of JSParserStrictness share a bit inside the m_flags member variable.
1166 Shift the value of CodeType one bit farther to the left so those values don't overlap.
1167
1168 * runtime/CodeCache.h:
1169 (JSC::SourceCodeKey::SourceCodeKey):
1170
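The key collision described above, as an added illustration constructed here rather than taken from the WebKit change. It models m_flags with three code types and a three-valued strictness field (so strictness needs two bits), and assumes the old shift was one bit and the fixed shift is two; the enum names are placeholders, not JSC's.

```cpp
#include <initializer_list>
#include <set>

// Constructed model of SourceCodeKey::m_flags packing, not JSC's real enums or
// layout. It assumes the code type has three values and the strictness field
// also has three, so strictness needs two bits (bits 0 and 1).
enum CodeType { GlobalCode = 0, EvalCode = 1, FunctionCode = 2 };
enum Strictness { NormalMode = 0, StrictMode = 1, BuiltinMode = 2 };

// Before the fix (assumed one-bit shift): CodeType lands on bits 1-2, so bit 1
// is shared with the strictness field and two different inputs can collide.
unsigned packFlagsBefore(CodeType codeType, Strictness strictness)
{
    return (static_cast<unsigned>(codeType) << 1) | static_cast<unsigned>(strictness);
}

// After the fix: CodeType is shifted one bit farther, onto bits 2-3, clear of
// both strictness bits.
unsigned packFlagsAfter(CodeType codeType, Strictness strictness)
{
    return (static_cast<unsigned>(codeType) << 2) | static_cast<unsigned>(strictness);
}

// Counts how many distinct flag values a packing produces over all nine
// (CodeType, Strictness) combinations. Anything below nine means two different
// compilation modes share one cache key, so a cache lookup can hand back code
// that was compiled under the wrong mode.
unsigned distinctKeys(unsigned (*pack)(CodeType, Strictness))
{
    std::set<unsigned> seen;
    for (CodeType codeType : { GlobalCode, EvalCode, FunctionCode }) {
        for (Strictness strictness : { NormalMode, StrictMode, BuiltinMode })
            seen.insert(pack(codeType, strictness));
    }
    return static_cast<unsigned>(seen.size());
}
```
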
11712014-07-04 Andreas Kling <akling@apple.com>
1172
1173 Fast path for jsStringWithCache() when asked for the same string repeatedly.
1174 <https://webkit.org/b/134635>
1175
1176 Also moved the whole thing from WebCore to JavaScriptCore since it
1177 makes more sense here, and inlined the lightweight checks, leaving only
1178 the hashmap stuff out of line.
1179
1180 Reviewed by Darin Adler.
1181
1182 * runtime/JSString.cpp:
1183 (JSC::jsStringWithCacheSlowCase):
1184 * runtime/JSString.h:
1185 (JSC::jsStringWithCache):
1186 * runtime/VM.h:
1187
11882014-07-03 Daniel Bates <dabates@apple.com>
1189
1190 Add WTF::move()
1191 https://bugs.webkit.org/show_bug.cgi?id=134500
1192
1193 Rubber-stamped by Anders Carlsson.
1194
1195 Substitute WTF::move() for std::move().
1196
1197 * bytecode/CodeBlock.h:
1198 * bytecode/UnlinkedCodeBlock.cpp:
1199 * bytecompiler/BytecodeGenerator.cpp:
1200 * dfg/DFGGraph.cpp:
1201 * dfg/DFGJITCompiler.cpp:
1202 * dfg/DFGStackLayoutPhase.cpp:
1203 * dfg/DFGWorklist.cpp:
1204 * heap/DelayedReleaseScope.h:
1205 * heap/HeapInlines.h:
1206 [...]
1207
12082014-07-03 Filip Pizlo <fpizlo@apple.com>
1209
1210 SSA DCE should process blocks in forward order
1211 https://bugs.webkit.org/show_bug.cgi?id=134611
1212
1213 Reviewed by Andreas Kling.
1214
1215 * dfg/DFGDCEPhase.cpp:
1216 (JSC::DFG::DCEPhase::run):
1217 * ftl/FTLLowerDFGToLLVM.cpp:
1218 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
1219 * tests/stress/dead-value-with-mov-hint-in-another-block.js: Added.
1220 (foo):
1221
12222014-07-03 Filip Pizlo <fpizlo@apple.com>
1223
1224 JSActivation::symbolTablePut() should invalidate variable watchpoints
1225 https://bugs.webkit.org/show_bug.cgi?id=134602
1226
1227 Reviewed by Oliver Hunt.
1228
1229 Usually stores to captured variables cause us to invalidate the variable watchpoint because CodeBlock does so
1230 during linking - we essentially assume that if it's at all possible for an inner function to store to a
1231 variable we declare then this variable cannot be a constant. But this misses the dynamic store case, i.e.
1232 JSActivation::symbolTablePut(). Part of the problem here is that JSActivation duplicates
1233 JSSymbolTableObject's symbolTablePut() logic, which did have the invalidation. This patch keeps that code
1234 duplicated, but fixes JSActivation::symbolTablePut() to do the right thing.
1235
1236 * runtime/JSActivation.cpp:
1237 (JSC::JSActivation::symbolTablePut):
1238 * runtime/JSSymbolTableObject.h:
1239 (JSC::symbolTablePut):
1240 * tests/stress/constant-closure-var-with-dynamic-invalidation.js: Added.
1241 (.):
1242
12432014-07-01 Mark Lam <mark.lam@apple.com>
1244
1245 Debugger's breakpoint list should not be a Vector.
1246 <https://webkit.org/b/134514>
1247
1248 Reviewed by Geoffrey Garen.
1249
1250 The debugger currently stores breakpoint data as entries in a Vector (see
1251 BreakpointsInLine). It also keeps a fast map look up of breakpoint IDs to
1252 the breakpoint data (see m_breakpointIDToBreakpoint). Because a Vector can
1253 compact or reallocate its backing store, this can cause all sorts of havoc.
1254 The m_breakpointIDToBreakpoint map assumes that the breakpoint data doesn't
1255 move in memory.
1256
1257 The fix is to replace the BreakpointsInLine Vector with a BreakpointsList
1258 doubly linked list.
1259
1260 * debugger/Breakpoint.h:
1261 (JSC::Breakpoint::Breakpoint):
1262 (JSC::BreakpointsList::~BreakpointsList):
1263 * debugger/Debugger.cpp:
1264 (JSC::Debugger::setBreakpoint):
1265 (JSC::Debugger::removeBreakpoint):
1266 (JSC::Debugger::hasBreakpoint):
1267 * debugger/Debugger.h:
1268
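The pointer-stability problem behind this change, as an added example constructed here (not the WebKit debugger's own code): a per-line container of breakpoint records plus an ID-to-record pointer map, instantiated once over std::vector and once over std::list. The Breakpoint fields and the count of 64 are assumptions for the illustration.

```cpp
#include <list>
#include <unordered_map>
#include <vector>

// Constructed model of the debugger's breakpoint bookkeeping, not JSC's real
// types: records live in a per-line container, and a separate map from
// breakpoint ID to record pointer provides fast lookup.
struct Breakpoint {
    unsigned id;
    unsigned line;
    unsigned column;
};

// Returns true if every pointer cached in the ID map still points at the live
// record after `count` breakpoints were added to the same line.
template <typename Container>
bool idMapStaysValid(unsigned count)
{
    Container breakpointsInLine;
    std::unordered_map<unsigned, Breakpoint*> idToBreakpoint;

    for (unsigned id = 1; id <= count; ++id) {
        breakpointsInLine.push_back(Breakpoint { id, 42, 0 });
        // Cache the address of the record just stored, the way the
        // m_breakpointIDToBreakpoint map does.
        idToBreakpoint[id] = &breakpointsInLine.back();
    }

    // Check each cached pointer against the record's current address. The
    // comparison only reads pointer values; nothing is dereferenced. For
    // std::vector, push_back past capacity reallocates and moves the elements,
    // so earlier cached pointers refer to freed storage and the check fails.
    // std::list nodes never move, so every pointer still matches.
    for (Breakpoint& breakpoint : breakpointsInLine) {
        if (idToBreakpoint[breakpoint.id] != &breakpoint)
            return false;
    }
    return true;
}

bool vectorBackedMapStaysValid() { return idMapStaysValid<std::vector<Breakpoint>>(64); }
bool listBackedMapStaysValid() { return idMapStaysValid<std::list<Breakpoint>>(64); }
```
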
12692014-06-30 Michael Saboff <msaboff@apple.com>
1270
1271 Add option to run-jsc-stress-tests to filter out tests that use large heaps
1272 https://bugs.webkit.org/show_bug.cgi?id=134458
1273
1274 Reviewed by Filip Pizlo.
1275
1276 Added test to skip js1_5/Regress/regress-159334.js when testing on a memory limited device.
1277
1278 * tests/mozilla/mozilla-tests.yaml:
1279
12802014-06-30 Daniel Bates <dabates@apple.com>
1281
1282 Avoid copying closed variables vector; actually use move semantics
1283
1284 Rubber-stamped by Oliver Hunt.
1285
1286 Currently we always copy the closed variables vector passed by Parser::closedVariables()
1287 to ProgramNode::setClosedVariables() because these member functions return and take a const
1288 rvalue reference, respectively. Instead, these member functions should take and return a non-
1289 constant rvalue reference so that we actually move the closed variables vector from the Parser
1290 object to the Node object.
1291
1292 * parser/Nodes.cpp:
1293 (JSC::ProgramNode::setClosedVariables): Remove const qualifier for argument.
1294 * parser/Nodes.h:
1295 (JSC::ScopeNode::setClosedVariables): Ditto.
1296 * parser/Parser.h:
1297 (JSC::Parser::closedVariables): Remove const qualifier on return type.
1298 (JSC::parse): Remove extraneous call to std::move(). Calling std::move() is unnecessary here
1299 because Parser::closedVariables() returns an rvalue reference.
1300
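Why a const rvalue reference copies rather than moves, as an added example constructed here (not JSC's Parser or Node code): an instrumented value type counts copies and moves, and the before/after accessor and setter signatures from the entry are reproduced on placeholder Parser and Node structs.

```cpp
#include <cstddef>
#include <utility>
#include <vector>

// Constructed illustration, not JSC's real Parser or Node code: a small
// instrumented value type that records whether it was copied or moved.
struct ClosedVariables {
    std::vector<int> names; // stand-in for the closed-variable set
    int copies = 0;         // copy constructions/assignments into this object
    int moves = 0;          // move constructions/assignments into this object

    ClosedVariables() = default;
    ClosedVariables(const ClosedVariables& other)
        : names(other.names), copies(other.copies + 1), moves(other.moves) { }
    ClosedVariables(ClosedVariables&& other) noexcept
        : names(std::move(other.names)), copies(other.copies), moves(other.moves + 1) { }
    ClosedVariables& operator=(const ClosedVariables& other)
    {
        names = other.names;
        copies = other.copies + 1;
        moves = other.moves;
        return *this;
    }
    ClosedVariables& operator=(ClosedVariables&& other) noexcept
    {
        names = std::move(other.names);
        copies = other.copies;
        moves = other.moves + 1;
        return *this;
    }
};

// Before the fix: the accessor returns, and the setter takes, a const rvalue
// reference. std::move on a const object yields const&&, which cannot bind to
// the move assignment operator, so overload resolution silently picks the
// copying one.
struct ParserBefore {
    ClosedVariables m_closedVariables;
    const ClosedVariables&& closedVariables() { return std::move(m_closedVariables); }
};
struct NodeBefore {
    ClosedVariables m_closedVariables;
    void setClosedVariables(const ClosedVariables&& vars) { m_closedVariables = std::move(vars); }
};

// After the fix: non-const rvalue references on both sides, so the vector is
// actually moved from the parser into the node.
struct ParserAfter {
    ClosedVariables m_closedVariables;
    ClosedVariables&& closedVariables() { return std::move(m_closedVariables); }
};
struct NodeAfter {
    ClosedVariables m_closedVariables;
    void setClosedVariables(ClosedVariables&& vars) { m_closedVariables = std::move(vars); }
};

struct TransferResult {
    int copies;             // copies observed on the node's member
    int moves;              // moves observed on the node's member
    std::size_t sourceSize; // elements still held by the parser afterwards
};

TransferResult transferBeforeFix()
{
    ParserBefore parser;
    parser.m_closedVariables.names = { 1, 2, 3 }; // constructed sample data
    NodeBefore node;
    node.setClosedVariables(parser.closedVariables()); // copies, source keeps its data
    return { node.m_closedVariables.copies, node.m_closedVariables.moves,
             parser.m_closedVariables.names.size() };
}

TransferResult transferAfterFix()
{
    ParserAfter parser;
    parser.m_closedVariables.names = { 1, 2, 3 }; // constructed sample data
    NodeAfter node;
    node.setClosedVariables(parser.closedVariables()); // moves
    return { node.m_closedVariables.copies, node.m_closedVariables.moves,
             parser.m_closedVariables.names.size() };
}
```
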
13012014-06-30 Joseph Pecoraro <pecoraro@apple.com>
1302
1303 JSContext Inspection: Provide a way to use a non-Main RunLoop for Inspector JavaScript Evaluations
1304 https://bugs.webkit.org/show_bug.cgi?id=134371
1305
1306 Reviewed by Timothy Hatcher.
1307
1308 * API/JSContextPrivate.h:
1309 * API/JSContext.mm:
1310 (-[JSContext _debuggerRunLoop]):
1311 (-[JSContext _setDebuggerRunLoop:]):
1312 Private API for setting the CFRunLoop for a debugger to evaluate in.
1313
1314 * API/JSContextRefInternal.h: Added.
1315 * API/JSContextRef.cpp:
1316 (JSGlobalContextGetDebuggerRunLoop):
1317 (JSGlobalContextSetDebuggerRunLoop):
1318 Internal API for setting a CFRunLoop on a JSContextRef.
1319 Set this on the debuggable.
1320
1321 * inspector/remote/RemoteInspectorDebuggable.h:
1322 * inspector/remote/RemoteInspectorDebuggableConnection.h:
1323 (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
1324 (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
1325 (Inspector::RemoteInspectorBlock::operator=):
1326 (Inspector::RemoteInspectorBlock::operator()):
1327 Moved into the header.
1328
1329 * runtime/JSGlobalObject.h:
1330 (JSC::JSGlobalObject::inspectorDebuggable):
1331 Let's store the RunLoop on the debuggable instead of this core
1332 platform-agnostic class, so expose the debuggable.
1333
1334 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1335 (Inspector::RemoteInspectorHandleRunSourceGlobal):
1336 (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
1337 (Inspector::RemoteInspectorInitializeGlobalQueue):
1338 Rename the global functions for clarity.
1339
1340 (Inspector::RemoteInspectorHandleRunSourceWithInfo):
1341 Handler for private run loops.
1342
1343 (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
1344 (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
1345 (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
1346 (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
1347 (Inspector::RemoteInspectorDebuggableConnection::teardownRunLoop):
1348 (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
1349 Set up, tear down and use private run loop sources if the debuggable needs them.
1350
13512014-06-30 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
1352
1353 Add missing ENABLE(DFG_JIT) guards
1354 https://bugs.webkit.org/show_bug.cgi?id=134444
1355
1356 Reviewed by Darin Adler.
1357
1358 * dfg/DFGFunctionWhitelist.cpp:
1359 * dfg/DFGFunctionWhitelist.h:
1360
13612014-06-29 Yoav Weiss <yoav@yoav.ws>
1362
1363 Add support for HTMLImageElement's sizes attribute
1364 https://bugs.webkit.org/show_bug.cgi?id=133620
1365
1366 Reviewed by Dean Jackson.
1367
1368 Added an ENABLE_PICTURE_SIZES compile flag.
1369
1370 * Configurations/FeatureDefines.xcconfig:
1371
13722014-06-27 Filip Pizlo <fpizlo@apple.com>
1373
1374 Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep
1375 https://bugs.webkit.org/show_bug.cgi?id=134412
1376
1377 Reviewed by Mark Hahnenberg.
1378
1379 * dfg/DFGCSEPhase.cpp:
1380 (JSC::DFG::CSEPhase::setReplacement):
1381 * dfg/DFGStrengthReductionPhase.cpp:
1382 (JSC::DFG::StrengthReductionPhase::handleNode):
1383 * dfg/DFGValidate.cpp:
1384 (JSC::DFG::Validate::validate):
1385 * tests/stress/uint32-to-number-fold-constant-with-do-overflow.js: Added.
1386 (foo):
1387 (bar):
1388 (baz):
1389
13902014-06-27 Peyton Randolph <prandolph@apple.com>
1391
1392 Add feature flag for link long-press gesture.
1393 https://bugs.webkit.org/show_bug.cgi?id=134262
1394
1395 Reviewed by Enrica Casucci.
1396
1397 * Configurations/FeatureDefines.xcconfig:
1398 Add ENABLE_LINK_LONG_PRESS.
1399
14002014-06-27 László Langó <llango.u-szeged@partner.samsung.com>
1401
1402 [JavaScriptCore] FTL buildfix for EFL platform.
1403 https://bugs.webkit.org/show_bug.cgi?id=133546
1404
1405 Reviewed by Darin Adler.
1406
1407 * ftl/FTLAbstractHeap.cpp:
1408 (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
1409 * ftl/FTLLocation.cpp:
1410 (JSC::FTL::Location::forStackmaps):
1411 * ftl/FTLLowerDFGToLLVM.cpp:
1412 (JSC::FTL::LowerDFGToLLVM::opposite):
1413 * ftl/FTLOSRExitCompiler.cpp:
1414 (JSC::FTL::compileStub):
1415 * ftl/FTLStackMaps.cpp:
1416 (JSC::FTL::StackMaps::Constant::dump):
1417 * llvm/InitializeLLVMPOSIX.cpp:
1418 (JSC::initializeLLVMPOSIX):
1419
14202014-06-26 Benjamin Poulain <benjamin@webkit.org>
1421
1422 iOS 8 beta 2 ES6 'Set' clear() broken
1423 https://bugs.webkit.org/show_bug.cgi?id=134346
1424
1425 Reviewed by Oliver Hunt.
1426
1427 The object map was not cleared :(.
1428
1429 Kudos to Ashley Gullen for tracking this and making a regression test.
1430 Credit to Oliver for finding the missing code.
1431
1432 * runtime/MapData.h:
1433 (JSC::MapData::clear):
1434
14352014-06-25 Brent Fulgham <bfulgham@apple.com>
1436
1437 [Win] Expose Cache Information to WinLauncher
1438 https://bugs.webkit.org/show_bug.cgi?id=134318
1439
1440 Reviewed by Dean Jackson.
1441
1442 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing
1443 MemoryStatistics files to the Windows build.
1444 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1445
14462014-06-26 David Kilzer <ddkilzer@apple.com>
1447
1448 DFG::FunctionWhitelist::parseFunctionNamesInFile does not close file
1449 <http://webkit.org/b/134343>
1450 <rdar://problem/17459487>
1451
1452 Reviewed by Michael Saboff.
1453
1454 * dfg/DFGFunctionWhitelist.cpp:
1455 (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
1456 Close the file handle, and log an error on failure.
1457
14582014-06-25 Dana Burkart <dburkart@apple.com>
1459
1460 Add support for 5-tuple versioning.
1461
1462 Reviewed by David Farler.
1463
1464 * Configurations/Version.xcconfig:
1465
14662014-06-25 Geoffrey Garen <ggaren@apple.com>
1467
1468 Build fix.
1469
1470 Unreviewed.
1471
1472 * runtime/JSDateMath.cpp:
1473 (JSC::parseDateFromNullTerminatedCharacters):
1474 * runtime/VM.cpp:
1475 (JSC::VM::resetDateCache): Use std::numeric_limits instead of QNaN
1476 constant since that constant doesn't exist anymore.
1477
14782014-06-25 Geoffrey Garen <ggaren@apple.com>
1479
1480 Unreviewed, rolling out r166876.
1481
1482 Caused some ECMA test262 failures
1483
1484 Reverted changeset:
1485
1486 "Date object needs to check for ES5 15.9.1.14 TimeClip limit."
1487 https://bugs.webkit.org/show_bug.cgi?id=131248
1488 http://trac.webkit.org/changeset/166876
1489
14902014-06-25 Brent Fulgham <bfulgham@apple.com>
1491
1492 [Win] Unreviewed gardening.
1493
1494 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Update to
1495 put various files in proper IDE categories.
1496
14972014-06-25 peavo@outlook.com <peavo@outlook.com>
1498
1499 [Win64] ASM LLINT is not enabled.
1500 https://bugs.webkit.org/show_bug.cgi?id=130638
1501
1502 This patch adds a new LLINT assembler backend for Win64, and implements it.
1503 It makes adjustments to follow the Win64 ABI spec where it's found to be needed.
1504 Also, LLINT and JIT are enabled for Win64.
1505
1506 Reviewed by Mark Lam.
1507
1508 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm.
1509 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
1510 * JavaScriptCore/JavaScriptCore.vcxproj/jsc/jscCommon.props: Increased stack size to avoid stack overflow in tests.
1511 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Generate assembler source file for Win64.
1512 * assembler/MacroAssemblerX86_64.h:
1513 (JSC::MacroAssemblerX86_64::call): Follow Win64 ABI spec.
1514 * jit/JITStubsMSVC64.asm: Added.
1515 * jit/Repatch.cpp:
1516 (JSC::emitPutTransitionStub): Compile fix.
1517 * jit/ThunkGenerators.cpp:
1518 (JSC::nativeForGenerator): Follow Win64 ABI spec.
1519 * llint/LLIntData.cpp:
1520 (JSC::LLInt::Data::performAssertions): Ditto.
1521 * llint/LLIntOfflineAsmConfig.h: Enable new llint backend for Win64.
1522 * llint/LowLevelInterpreter.asm: Implement new Win64 backend, and follow Win64 ABI spec.
1523 * llint/LowLevelInterpreter64.asm: Ditto.
1524 * offlineasm/asm.rb: Compile fix.
1525 * offlineasm/backends.rb: Add new llint backend for Win64.
1526 * offlineasm/settings.rb: Compile fix.
1527 * offlineasm/x86.rb: Implement new llint Win64 backend.
1528
15292014-06-25 Laszlo Gombos <l.gombos@samsung.com>
1530
1531 Remove build guard for progress element
1532 https://bugs.webkit.org/show_bug.cgi?id=134292
1533
1534 Reviewed by Benjamin Poulain.
1535
1536 * Configurations/FeatureDefines.xcconfig:
1537
15382014-06-24 Michael Saboff <msaboff@apple.com>
1539
1540 Add support routines to provide descriptive JavaScript backtraces
1541 https://bugs.webkit.org/show_bug.cgi?id=134278
1542
1543 Reviewed by Mark Lam.
1544
1545 * interpreter/CallFrame.cpp:
1546 (JSC::CallFrame::dump):
1547 (JSC::CallFrame::describeFrame):
1548 * interpreter/CallFrame.h:
1549 * runtime/JSCJSValue.cpp:
1550 (JSC::JSValue::dumpForBacktrace):
1551 * runtime/JSCJSValue.h:
1552
15532014-06-24 Brady Eidson <beidson@apple.com>
1554
1555 Enable GAMEPAD in the Mac build, but disabled at runtime.
1556 https://bugs.webkit.org/show_bug.cgi?id=134255
1557
1558 Reviewed by Dean Jackson.
1559
1560 * Configurations/FeatureDefines.xcconfig:
1561
1562 * runtime/JSObject.h: Export JSObject::removeDirect() to allow disabling
1563 functions at runtime.
1564
15652014-06-24 Mark Hahnenberg <mhahnenberg@apple.com>
1566
1567 REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty
1568 https://bugs.webkit.org/show_bug.cgi?id=134046
1569
1570 Reviewed by Filip Pizlo.
1571
1572 * runtime/GetterSetter.h:
1573 (JSC::asGetterSetter):
1574 * runtime/JSObject.cpp:
1575 (JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as
1576 a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter,
1577 and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties.
1578
15792014-06-24 Brent Fulgham <bfulgham@apple.com>
1580
1581 [Win] MSVC mishandles enums in bitfields
1582 https://bugs.webkit.org/show_bug.cgi?id=134237
1583
1584 Reviewed by Michael Saboff.
1585
1586 Replace uses of enum types in bit fields with unsigned to
1587 avoid losing a bit to hold the sign value. This can result
1588 in Windows interpreting the value of the field improperly.
1589
1590 * bytecode/StructureStubInfo.h:
1591 * parser/Nodes.h:
1592
15932014-06-23 Andreas Kling <akling@apple.com>
1594
1595 Inline the UnlinkedInstructionStream::Reader logic.
1596 <https://webkit.org/b/134203>
1597
1598 This class is only used by CodeBlock to unpack the unlinked instructions,
1599 and we were spending 0.5% of total time on PLT calling Reader::next().
1600 Move the logic to the header file and mark it ALWAYS_INLINE.
1601
1602 Reviewed by Geoffrey Garen.
1603
1604 * bytecode/UnlinkedInstructionStream.cpp:
1605 * bytecode/UnlinkedInstructionStream.h:
1606 (JSC::UnlinkedInstructionStream::Reader::Reader):
1607 (JSC::UnlinkedInstructionStream::Reader::read8):
1608 (JSC::UnlinkedInstructionStream::Reader::read32):
1609 (JSC::UnlinkedInstructionStream::Reader::next):
1610
16112014-06-20 Sam Weinig <sam@webkit.org>
1612
1613 Remove static tables for bindings that use eager reification
1614 https://bugs.webkit.org/show_bug.cgi?id=134126
1615
1616 Reviewed by Oliver Hunt.
1617
1618 * runtime/JSObject.cpp:
1619 (JSC::JSObject::putDirectCustomAccessor):
1620 * runtime/Structure.h:
1621 (JSC::Structure::setHasCustomGetterSetterProperties):
1622 Change setHasCustomGetterSetterProperties to behave like setHasGetterSetterProperties, and set
1623 the m_hasReadOnlyOrGetterSetterPropertiesExcludingProto bit if the property is not __proto__.
1624 Without this, JSObject::put() won't think there are any setters on the prototype chain of an
1625 object that has no static lookup table and uses eagerly reified custom getter/setter properties.
1626
16272014-06-21 Brady Eidson <beidson@apple.com>
1628
1629 Gamepad API - Deprecate the existing implementation
1630 https://bugs.webkit.org/show_bug.cgi?id=134108
1631
1632 Reviewed by Timothy Hatcher.
1633
1634 -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
1635 -Move some implementation files into a "deprecated" subdirectory.
1636
1637 * Configurations/FeatureDefines.xcconfig:
1638
16392014-06-21 Commit Queue <commit-queue@webkit.org>
1640
1641 Unreviewed, rolling out r170244.
1642 https://bugs.webkit.org/show_bug.cgi?id=134157
1643
1644 GTK/EFL bindings generator works differently, making this
1645 patch not work there. Will fix entire patch after a rollout.
1646 (Requested by bradee-oh on #webkit).
1647
1648 Reverted changeset:
1649
1650 "Gamepad API - Deprecate the existing implementation"
1651 https://bugs.webkit.org/show_bug.cgi?id=134108
1652 http://trac.webkit.org/changeset/170244
1653
2014-06-21  Brady Eidson  <beidson@apple.com>

        Gamepad API - Deprecate the existing implementation
        https://bugs.webkit.org/show_bug.cgi?id=134108

        Reviewed by Timothy Hatcher.

        -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
        -Add the "Deprecated" suffix to some implementation files

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Removing PAGE_VISIBILITY_API compile guard.
        https://bugs.webkit.org/show_bug.cgi?id=133844

        Reviewed by Gavin Barraclough.

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        ARM traditional buildfix after r169942.
        https://bugs.webkit.org/show_bug.cgi?id=134100

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::abortWithReason): Added.

2014-06-20  Andreas Kling  <akling@apple.com>

        [Cocoa] Release freed up blocks from the JS heap after simulated memory pressure.
        <https://webkit.org/b/134112>

        Reviewed by Mark Hahnenberg.

        * heap/BlockAllocator.h:

2014-06-19  Alex Christensen  <achristensen@webkit.org>

        Unreviewed fix after r170130.

        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj:
        Corrected directory so it can find common.props when opening Visual Studio.

2014-06-19  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards
        https://bugs.webkit.org/show_bug.cgi?id=130389

        Reviewed by Mark Lam.

        Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP)
        into !ENABLE(JIT) since they are mutually exclusive.

        * CMakeLists.txt:
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
        * assembler/MaxFrameExtentForSlowPathCall.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CodeBlock.cpp:
        (JSC::dumpStructure):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::frameRegisterCount):
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * heap/Heap.cpp:
        (JSC::Heap::gatherJSStackRoots):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::isOpcode):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcodeID):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::JSStack):
        (JSC::JSStack::committedByteCount):
        * interpreter/JSStack.h:
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::ensureCapacityFor):
        (JSC::JSStack::topOfFrameFor):
        (JSC::JSStack::setStackLimit):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        * jit/JIT.h:
        (JSC::JIT::compileCTINativeCall):
        * jit/JITExceptions.h:
        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        * llint/LLIntCLoop.cpp:
        * llint/LLIntCLoop.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntData.h:
        (JSC::LLInt::Data::performAssertions): Deleted.
        * llint/LLIntEntrypoint.cpp:
        * llint/LLIntEntrypoint.h:
        * llint/LLIntExceptions.cpp:
        * llint/LLIntExceptions.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * llint/LLIntOpcode.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LLIntThunks.cpp:
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter.h:
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPaths.h:
        * runtime/ErrorHandlingScope.cpp:
        (JSC::ErrorHandlingScope::ErrorHandlingScope):
        (JSC::ErrorHandlingScope::~ErrorHandlingScope):
        * runtime/Executable.cpp:
        (JSC::setupLLInt):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::sanitizeStackForVM):
        * runtime/VM.h:
        (JSC::VM::canUseJIT): Deleted.

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Add FTL to Windows build.
        https://bugs.webkit.org/show_bug.cgi?id=134015

        Reviewed by Filip Pizlo.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        Added ftl source files.
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        Added ftl and llvm directories to include path.
        * JavaScriptCore.vcxproj/libllvmForJSC: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
        MSVC doesn't like to divide by zero while compiling. Use std::nan instead.
        * llvm/InitializeLLVMWin.cpp: Added.
        (JSC::initializeLLVMImpl):
        Implemented dynamic loading and linking for Windows.

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Unreviewed build fix after r170107.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        Use non-template sub for armv7s.

2014-06-18  David Kilzer  <ddkilzer@apple.com>

        -[JSContext setName:] leaks NSString
        <http://webkit.org/b/134038>

        Reviewed by Joseph Pecoraro.

        Fixes the following static analyzer warning:

            JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object
                JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr;
                                                                        ^

        * API/JSContext.mm:
        (-[JSContext setName:]): Autorelease the copy of |name|.

2014-06-18  Mark Lam  <mark.lam@apple.com>

        DFGGraph::m_doubleConstantMap will not map 0 values correctly.
        <https://webkit.org/b/133994>

        Reviewed by Geoffrey Garen.

        DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
        because it means two unfortunate things:
        - It will probably break for zero.
        - It will think that -0 is the same as +0 under some circumstances, since
          -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

        The fix is to use std::unordered_map which does not require special empty
        and deleted values, and to use the raw bits instead of the double value as
        the key.

        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Remove duplicate code using sdiv.
        https://bugs.webkit.org/show_bug.cgi?id=133764

        Reviewed by Daniel Bates.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::sdiv):
        Make sdiv a template to match arm64.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        Remove duplicate code that was identical except for sdiv not being a template.

2014-06-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r170082.
        https://bugs.webkit.org/show_bug.cgi?id=134006

        Breaks build. (Requested by mlam on #webkit).

        Reverted changeset:

        "DFGGraph::m_doubleConstantMap will not map 0 values
        correctly."
        https://bugs.webkit.org/show_bug.cgi?id=133994
        http://trac.webkit.org/changeset/170082

2014-06-17  Mark Lam  <mark.lam@apple.com>

        DFGGraph::m_doubleConstantMap will not map 0 values correctly.
        <https://webkit.org/b/133994>

        Reviewed by Geoffrey Garen.

        DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
        because it means two unfortunate things:
        - It will probably break for zero.
        - It will think that -0 is the same as +0 under some circumstances, since
          -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

        The fix is to use std::unordered_map which does not require special empty
        and deleted values, and to use the raw bits instead of the double value as
        the key.

        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):

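To see why the raw bits make a better key than the double itself (the point of the two m_doubleConstantMap entries above), here is an added stand-alone C++ sketch; it is not JSC's DFGGraph code, and the class and function names are invented for the example. A value-keyed std::unordered_map folds -0.0 into +0.0, while a bit-keyed one keeps them apart, checked with the 1/x probe from the entry; as an extension beyond the entry it also shows that a NaN constant can only ever be found again by its bits.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>
#include <limits>
#include <unordered_map>
#include <vector>

// Reinterpret a double as its IEEE-754 bit pattern; memcpy avoids aliasing UB.
static uint64_t bitsOf(double d)
{
    uint64_t bits;
    static_assert(sizeof(bits) == sizeof(d), "double must be 64 bits");
    std::memcpy(&bits, &d, sizeof(bits));
    return bits;
}

// Naive constant table keyed by the double value itself. std::hash<double>
// must agree with operator==, and -0.0 == +0.0 under IEEE-754, so both zeros
// share one slot and the second one silently aliases the first constant.
class ValueKeyedConstants {
public:
    size_t indexFor(double value)
    {
        auto it = m_map.find(value);
        if (it != m_map.end())
            return it->second;
        m_constants.push_back(value);
        size_t index = m_constants.size() - 1;
        m_map.emplace(value, index);
        return index;
    }
    double constantAt(size_t index) const { return m_constants[index]; }
    size_t size() const { return m_constants.size(); }

private:
    std::unordered_map<double, size_t> m_map;
    std::vector<double> m_constants;
};

// Constant table keyed by the raw 64-bit encoding, the approach the entry
// describes: -0.0 (0x8000000000000000) and +0.0 (0) are different keys, and
// std::unordered_map needs no sentinel "empty" or "deleted" key value.
class BitKeyedConstants {
public:
    size_t indexFor(double value)
    {
        uint64_t key = bitsOf(value);
        auto it = m_map.find(key);
        if (it != m_map.end())
            return it->second;
        m_constants.push_back(value);
        size_t index = m_constants.size() - 1;
        m_map.emplace(key, index);
        return index;
    }
    double constantAt(size_t index) const { return m_constants[index]; }
    size_t size() const { return m_constants.size(); }

private:
    std::unordered_map<uint64_t, size_t> m_map;
    std::vector<double> m_constants;
};

// The 1/x probe from the entry: 1/+0 is +inf and 1/-0 is -inf, so dividing by
// the constant handed back for -0.0 reveals whether the sign survived.
template<typename Table>
static bool preservesSignedZero()
{
    Table table;
    size_t plusZero = table.indexFor(0.0);
    size_t minusZero = table.indexFor(-0.0);
    double back = table.constantAt(minusZero);
    return plusZero != minusZero && std::signbit(back) && 1.0 / back < 0;
}

// Extension: NaN never compares equal to itself, so a value-keyed table can
// never find a NaN constant again and keeps inserting fresh copies, while a
// bit-keyed table dedupes an identical NaN encoding like any other value.
template<typename Table>
static bool dedupesIdenticalNaN()
{
    Table table;
    double nan = std::numeric_limits<double>::quiet_NaN();
    size_t first = table.indexFor(nan);
    size_t second = table.indexFor(nan);
    return first == second && table.size() == 1;
}

static bool valueKeyedPreservesSignedZero() { return preservesSignedZero<ValueKeyedConstants>(); }
static bool bitKeyedPreservesSignedZero() { return preservesSignedZero<BitKeyedConstants>(); }
static bool valueKeyedDedupesNaN() { return dedupesIdenticalNaN<ValueKeyedConstants>(); }
static bool bitKeyedDedupesNaN() { return dedupesIdenticalNaN<BitKeyedConstants>(); }
```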
2014-06-17  Oliver Hunt  <oliver@apple.com>

        Fix error messages for incorrect hex literals
        https://bugs.webkit.org/show_bug.cgi?id=133998

        Reviewed by Mark Lam.

        Ensure that the error messages for bogus hex literals actually
        make sense.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::lex):
        * parser/ParserTokens.h:

2014-06-17  Matthew Mirman  <mmirman@apple.com>

        Fixes bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses.
        https://bugs.webkit.org/show_bug.cgi?id=133814

        Reviewed by Filip Pizlo.

        Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell
        script from using "*.o" as a file when no other files in the directory exist.

        * build-symbol-table-index.sh: Added license.
        * copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line.

2014-06-16  Sam Weinig  <sam@webkit.org>

        Move forward declaration of bindings static functions into their implementation files
        https://bugs.webkit.org/show_bug.cgi?id=133943

        Reviewed by Geoffrey Garen.

        * runtime/CommonIdentifiers.h:
        Add a few identifiers that are needed by the DOM.

2014-06-16  Mark Lam  <mark.lam@apple.com>

        Parser statementDepth accounting needs to account for when a function body excludes its braces.
        <https://webkit.org/b/133832>

        Reviewed by Oliver Hunt.

        In some cases (e.g. when a Function object is instantiated from a string), the
        function body source may not include its braces. The parser needs to account
        for this when calculating its statementDepth.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        * bytecode/UnlinkedCodeBlock.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatement):
        - Also fixed the error message for declaring nested functions in strict mode
          to be more accurate.
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        (JSC::parse):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):

2014-06-16  Juergen Ributzka  <juergen@apple.com>

        Change the order of the alias analysis passes to align with the opt pipeline of LLVM
        https://bugs.webkit.org/show_bug.cgi?id=133753

        Reviewed by Geoffrey Garen.

        The order in which the alias analysis passes are added also affects the
        order in which they are utilized. Change the order to align with the
        one used by LLVM itself. The last alias analysis pass added will be
        evaluated first. With this change we first perform a basic alias
        analysis and then use the type-based alias analysis (if required).

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):

2014-06-16  Juergen Ributzka  <juergen@apple.com>

        Fix the arguments passed to the LLVM dylib
        https://bugs.webkit.org/show_bug.cgi?id=133757

        Reviewed by Geoffrey Garen.

        The LLVM command line argument parser assumes that the first argument
        is the program name. We need to add a fake program name, otherwise the
        first argument will be parsed as program name and ignored.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-06-16  Michael Saboff  <msaboff@apple.com>

        Convert ASSERT in inlineFunctionForCapabilityLevel to early return
        https://bugs.webkit.org/show_bug.cgi?id=133903

        Reviewed by Mark Hahnenberg.

        Hardened code by converting ASSERT to return CannotCompile.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::inlineFunctionForCapabilityLevel):

2014-06-13  Sam Weinig  <sam@webkit.org>

        Store DOM constants directly in the JS object rather than jumping through a custom accessor
        https://bugs.webkit.org/show_bug.cgi?id=133898

        Reviewed by Oliver Hunt.

        * runtime/Lookup.h:
        (JSC::HashTableValue::attributes):
        Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use
        and it will make adding more flags possible.

        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        Change assertion to use BuiltinOrFunctionOrConstant.

        (JSC::HashTableValue::constantInteger):
        Added.

        (JSC::getStaticPropertySlot):
        (JSC::getStaticValueSlot):
        Use PropertySlot::setValue() for constants during static lookup.

        (JSC::reifyStaticProperties):
        Put the constant directly on the object when eagerly reifying.

        * runtime/PropertySlot.h:
        Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper.

2014-06-14  Michael Saboff  <msaboff@apple.com>

        operationCreateArguments could cause a GC during OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=133905

        Reviewed by Filip Pizlo.

        Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments
        for use by OSR exit stubs.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2014-06-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit
        https://bugs.webkit.org/show_bug.cgi?id=133880

        Reviewed by Filip Pizlo.

        We could have exited due to a value received from an inlined block that's no longer on
        the stack, so we should just barrier all InlineCallFrames.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::adjustAndJumpToTarget):

2014-06-13  Alex Christensen  <achristensen@webkit.org>

        Make css jit compile for armv7.
        https://bugs.webkit.org/show_bug.cgi?id=133596

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssembler.h:
        Use branchPtr on ARM_THUMB2.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::addPtrNoFlags):
        (JSC::MacroAssemblerARMv7::or32):
        (JSC::MacroAssemblerARMv7::test32):
        (JSC::MacroAssemblerARMv7::branch):
        (JSC::MacroAssemblerARMv7::branchPtr):
        Added macros necessary for css jit.

2014-06-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix ARMv7.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):

2014-06-12  Filip Pizlo  <fpizlo@apple.com>

        Even better diagnostics from DFG traps
        https://bugs.webkit.org/show_bug.cgi?id=133836

        Reviewed by Oliver Hunt.

        We now stuff the DFG::NodeType into a register before bailing. Also made the
        DFGBailed abort reason a bit more specific. As planned, the new abort reasons use
        different numbers than any previous abort reasons.

        * assembler/AbortReason.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::abortWithReason):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::abortWithReason):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::abortWithReason):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::bail):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT.h:

2014-06-12  Simon Fraser  <simon.fraser@apple.com>

        Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner
        https://bugs.webkit.org/show_bug.cgi?id=133840

        Reviewed by Filip Pizlo.

        Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline()
        when running DFG tests.

        * API/JSCTestRunnerUtils.cpp:
        (JSC::numberOfDFGCompiles):
        (JSC::setNeverInline):

2014-06-12  Brent Fulgham  <bfulgham@apple.com>

        [Win] Avoid fork bomb during build
        https://bugs.webkit.org/show_bug.cgi?id=133837
        <rdar://problem/17296034>

        Reviewed by Tim Horton.

        * JavaScriptCore.vcxproj/build-generated-files.sh: Use a
        reasonable default value when the 'num-cpus' script is not available.

2014-06-12  Mark Lam  <mark.lam@apple.com>

        Remove some dead / unused code.
        <https://webkit.org/b/133828>

        Reviewed by Filip Pizlo.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::create):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * parser/Parser.h:
        (JSC::DepthManager::DepthManager): Deleted.
        (JSC::DepthManager::~DepthManager): Deleted.
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):

2014-06-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Move structureHasRareData out of TypeInfo
        https://bugs.webkit.org/show_bug.cgi?id=133800

        Reviewed by Andreas Kling.

        StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger,
        but we have a few spare bits in Structure so it would be nice to remove this hack.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::newImpurePropertyFiresWatchpoints):
        (JSC::TypeInfo::structureHasRareData): Deleted.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::allocateRareData):
        (JSC::Structure::cloneRareDataFrom):
        * runtime/Structure.h:
        (JSC::Structure::previousID):
        (JSC::Structure::objectToStringValue):
        (JSC::Structure::setObjectToStringValue):
        (JSC::Structure::setPreviousID):
        (JSC::Structure::clearPreviousID):
        (JSC::Structure::previous):
        (JSC::Structure::rareData):
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::enumerationCache):

2014-06-12  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        Allow enum guards to be generated from the replay json files
        https://bugs.webkit.org/show_bug.cgi?id=133399

        Reviewed by Csaba Osztrogonác.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.__init__):
        (InputsModel.parse_type_with_framework_name):
        (Generator.generate_header):
        (Generator.generate_implementation):
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added.
        (Test::HandleWheelEvent::HandleWheelEvent):
        (Test::HandleWheelEvent::~HandleWheelEvent):
        (JSC::InputTraits<Test::HandleWheelEvent>::type):
        (JSC::InputTraits<Test::HandleWheelEvent>::encode):
        (JSC::InputTraits<Test::HandleWheelEvent>::decode):
        (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::encodeValue):
        (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::decodeValue):
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added.
        (JSC::InputTraits<Test::HandleWheelEvent>::queue):
        (Test::HandleWheelEvent::platformEvent):
        * replay/scripts/tests/generate-enum-with-guard.json: Added.

2014-06-12  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix GTK+ build after r169823.

        Include StructureInlines.h in a few more files to fix linking
        issues due to JSC::Structure::get undefined symbol.

        * runtime/ArrayIteratorConstructor.cpp:
        * runtime/ArrayIteratorPrototype.cpp:
        * runtime/JSConsole.cpp:
        * runtime/JSMapIterator.cpp:
        * runtime/JSSet.cpp:
        * runtime/JSSetIterator.cpp:
        * runtime/JSWeakMap.cpp:
        * runtime/MapIteratorPrototype.cpp:
        * runtime/MapPrototype.cpp:
        * runtime/SetIteratorPrototype.cpp:
        * runtime/SetPrototype.cpp:
        * runtime/WeakMapPrototype.cpp:

2014-06-12  Csaba Osztrogonác  <ossy@webkit.org>

        [EFL] One more URTBF after r169823 to make ARM64 build happy too.

        * runtime/JSMap.cpp:

2014-06-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        Inline caching should try to flatten uncacheable dictionaries
        https://bugs.webkit.org/show_bug.cgi?id=133683

        Reviewed by Geoffrey Garen.

        There exists a body of JS code that deletes properties off of objects (especially function/constructor objects),
        which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects.
        If properties are deleted out of the object during its initialization, we can enable caching for that object by
        attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we
        performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary
        state then we can just give up on caching that object.

        In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added
        the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. I changed
        the other inline caching functions to return this enum rather than the opaque booleans that we were previously
        returning.

        * jit/Repatch.cpp:
        (JSC::actionForCell):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::buildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::buildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::repatchIn):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::flattenDictionaryStructure):
        * runtime/Structure.h:
        (JSC::Structure::hasBeenFlattenedBefore):

2014-06-11  Csaba Osztrogonác  <ossy@webkit.org>

        [EFL] URTBF after r169823.

        * bindings/ScriptValue.cpp: Missing include added.

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot.

        Rubber-stamped by Andreas Kling.

        * runtime/JSObject.h:
        (JSC::JSObject::fastGetOwnPropertySlot):

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Turning on DUMP_PROPERTYMAP_STATS causes a build failure
        https://bugs.webkit.org/show_bug.cgi?id=133673

        Reviewed by Andreas Kling.

        Rewrote the property map statistics code because the old code wasn't building,
        and it was also mixing numbers for lookups and insertions/removals.

        New logging code records the number of calls to PropertyTable::find (finds) and
        PropertyTable::get/PropertyTable::findWithString separately so that we can quantify
        the amount of probing during updates and lookups.

        * jsc.cpp:
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        (JSC::PropertyTable::findWithString):
        (JSC::PropertyTable::add):
        (JSC::PropertyTable::remove):
        (JSC::PropertyTable::reinsert):
        (JSC::PropertyTable::rehash):
        * runtime/Structure.cpp:
        (JSC::PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger):
        (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):

2014-06-11  Andreas Kling  <akling@apple.com>

        Always inline JSValue::get() and Structure::get().
        <https://webkit.org/b/133755>

        Reviewed by Ryosuke Niwa.

        These functions get really hot, so ask the compiler to be more
        aggressive about inlining them.

        ~28% speed-up on Ryosuke's microbenchmark for accessing nextSibling
        through GetByVal.

        * runtime/JSArrayIterator.cpp:
        * runtime/JSCJSValue.cpp:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::get):
        * runtime/JSPromiseDeferred.cpp:
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Structure::get should instantiate DeferGC only when materializing property map
        https://bugs.webkit.org/show_bug.cgi?id=133727

        Rubber-stamped by Andreas Kling.

        Make materializePropertyMapIfNecessary always inline.

        This is ~12% improvement on the microbenchmark attached in the bug.

        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Structure::get should instantiate DeferGC only when materializing property map
        https://bugs.webkit.org/show_bug.cgi?id=133727

        Reviewed by Geoffrey Garen.

        DeferGC instances in Structure::get were added in http://trac.webkit.org/r157539 in order to avoid
        collecting the property table newly created by materializePropertyMapIfNecessary since GC can happen
        when GCSafeConcurrentJITLocker goes out of scope.

        However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck
        in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap
        and running a release assertion inside Heap::incrementDeferralDepth() is expensive.

        Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap,
        and immediately storing a pointer to the newly created property table on the stack before DeferGC
        goes out of scope so that the property table will be marked.

        This shows 13-16% improvement on the microbenchmark attached in the bug.

        * runtime/JSCJSValue.cpp:
        * runtime/JSObject.h:
        (JSC::JSObject::fastGetOwnPropertySlot):
        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2014-06-11  Andreas Kling  <akling@apple.com>

        Some JSValue::get() micro-optimizations.
        <https://webkit.org/b/133739>

        Tighten some of the property lookup code to improve performance of the
        eagerly reified prototype attributes:

        - Instead of converting the property name to an integer at every step
          in the prototype chain, move that to a separate pass at the end
          since it should be a rare case.

        - Cache the StructureIDTable in a local instead of fetching it from
          the Heap on every step.

        - Make fillCustomGetterPropertySlot inline. It was out-of-lined based
          on the assumption that clients would mostly be cacheable GetByIds,
          and it gets pretty hot (~1%) in GetByVal.

        - Pass the Structure directly to fillCustomGetterPropertySlot instead
          of refetching it from the StructureIDTable.

        Reviewed by Geoff Garen.

        * runtime/JSObject.cpp:
        (JSC::JSObject::fillCustomGetterPropertySlot): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::fillCustomGetterPropertySlot):
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::fastGetOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::getOwnPropertySlotSlow): Deleted.

2014-06-10  Sam Weinig  <sam@webkit.org>

        Don't create a HashTable for JSObjects that use eager reification
        https://bugs.webkit.org/show_bug.cgi?id=133705

        Reviewed by Geoffrey Garen.

        * runtime/Lookup.h:
        (JSC::reifyStaticProperties):
        Add a version of reifyStaticProperties that takes an array of HashTableValues
        rather than a HashTable.

2014-06-10  Filip Pizlo  <fpizlo@apple.com>

        Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52
        https://bugs.webkit.org/show_bug.cgi?id=133698

        Reviewed by Geoffrey Garen and Mark Hahnenberg.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate): Use the new utility to figure out if a variable could ever represent an Int52.
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::couldRepresentInt52): Add a new utility to detect early on if a variable could possibly be Int52.
        (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
        (JSC::DFG::VariableAccessData::flushFormat):
        * dfg/DFGVariableAccessData.h:
        * tests/stress/int52-inlined-call-argument.js: Added.
        (foo):
        (bar):

2014-06-10  Mark Lam  <mark.lam@apple.com>

        Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
        <https://webkit.org/b/133356>

        Reviewed by Mark Hahnenberg.

        The root cause of this issue is that a nonPropertyTransition can transition
        a pinned dictionary structure to an unpinned dictionary structure. The new
        structure will get a copy of the property table from the original structure.
        However, when a GC occurs, the property table in the new structure will be
        cleared because it is unpinned. This leads to complications in subsequent
        derivative structures when flattening occurs, which eventually leads to the
        assertion failure in this bug.

        The fix is to ensure that the new dictionary structure generated by the
        nonPropertyTransition will have a copy of its predecessor's property table
        and is pinned.

        * runtime/Structure.cpp:
        (JSC::Structure::nonPropertyTransition):

2014-06-10  Michael Saboff  <msaboff@apple.com>

        In a certain app state, Array.prototype.filter() returns incorrect results
        https://bugs.webkit.org/show_bug.cgi?id=133577

        Reviewed by Oliver Hunt.

        Fixed the LLInt processing of op_put_by_val_direct to have the same hole check as op_put_by_val.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        Global HashTables contain references to atomic StringImpls
        https://bugs.webkit.org/show_bug.cgi?id=133661

        Reviewed by Geoffrey Garen.

        This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables
        cache their set of keys as StringImpls that are associated with a particular VM. This is obviously
        incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to
        change the "keys" field of the static HashTables to be char** instead of StringImpl**.

        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        (JSC::HashTable::deleteTable):
        * runtime/Lookup.h:
        (JSC::HashTable::ConstIterator::key):
        (JSC::HashTable::entry):

2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        Build fix after r169703

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-06-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Eagerly reify DOM prototype attributes
        https://bugs.webkit.org/show_bug.cgi?id=133558

        Reviewed by Oliver Hunt.

        This allows us to get rid of a lot of the additional overhead of pushing DOM attributes up into the prototype.
        By eagerly reifying the custom getters and setters into the actual JSObject we avoid having to override
        getOwnPropertySlot for all of the DOM prototypes, which is a lot of the overhead of doing property lookups on
        DOM wrappers.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        * runtime/CustomGetterSetter.cpp: Added.
        (JSC::callCustomSetter):
        * runtime/CustomGetterSetter.h: Added.
        (JSC::CustomGetterSetter::create):
        (JSC::CustomGetterSetter::getter):
        (JSC::CustomGetterSetter::setter):
        (JSC::CustomGetterSetter::createStructure):
        (JSC::CustomGetterSetter::CustomGetterSetter):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isCustomGetterSetter):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isCustomGetterSetter):
        (JSC::JSCell::canUseFastGetOwnProperty):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::isHostOrBuiltinFunction): Deleted.
        (JSC::JSFunction::isBuiltinFunction): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h: Inlined some random functions that appeared hot during profiling.
        (JSC::JSFunction::isBuiltinFunction):
        (JSC::JSFunction::isHostOrBuiltinFunction):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::fillGetterPropertySlot):
        (JSC::JSObject::fillCustomGetterPropertySlot):
        (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::hasCustomGetterSetterProperties):
        (JSC::JSObject::convertToDictionary):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling.
        (JSC::JSObject::putOwnDataProperty):
        (JSC::JSObject::putDirect):
        (JSC::JSObject::putDirectWithoutTransition):
2583 (JSC::JSObject::convertToDictionary):
2584 (JSC::JSObject::inlineGetOwnPropertySlot):
2585 (JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling.
2586 (JSC::JSObject::putOwnDataProperty):
2587 (JSC::JSObject::putDirect):
2588 (JSC::JSObject::putDirectWithoutTransition):
2589 * runtime/JSType.h:
2590 * runtime/Lookup.h:
2591 (JSC::reifyStaticProperties):
2592 * runtime/PropertyDescriptor.h:
2593 (JSC::PropertyDescriptor::PropertyDescriptor):
2594 * runtime/Structure.cpp:
2595 (JSC::Structure::Structure):
2596 (JSC::nextOutOfLineStorageCapacity): Deleted.
2597 (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
2598 (JSC::Structure::get): Deleted.
2599 * runtime/Structure.h:
2600 (JSC::Structure::hasCustomGetterSetterProperties):
2601 (JSC::Structure::setHasCustomGetterSetterProperties):
2602 * runtime/StructureInlines.h:
2603 (JSC::Structure::get): Inlined due to hotness.
2604 (JSC::nextOutOfLineStorageCapacity): Inlined due to hotness.
2605 (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Inlined due to hotness.
2606 * runtime/VM.cpp:
2607 (JSC::VM::VM):
2608 * runtime/VM.h:
2609 * runtime/WriteBarrier.h:
2610 (JSC::WriteBarrierBase<Unknown>::isCustomGetterSetter):
2611
2014-06-07 Mark Lam <mark.lam@apple.com>

        Structure should initialize its previousID in its constructor.
        <https://webkit.org/b/133606>

        Reviewed by Mark Hahnenberg.

        Currently, the Structure constructor that takes a previous structure will
        initialize its previousID to point to the previous structure's previousID.
        This is incorrect. However, the caller of the Structure::create() factory
        method (which instantiated the Structure) will later call setPreviousID()
        to set the previousID to the correct previous structure. This makes the
        code confusing to read and more error-prone in that the structure relies
        on client code to fix its invalid previousID.

        This patch fixes this by making the Structure constructor initialize
        previousID correctly.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::nonPropertyTransition):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::create):

2014-06-06 Andreas Kling <akling@apple.com>

        Indexed getters should return values directly on the PropertySlot.
        <https://webkit.org/b/133586>

        Remove PropertySlot's custom index mode.

        Reviewed by Darin Adler.

        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setCustomIndex): Deleted.

2014-06-04 Timothy Horton <timothy_horton@apple.com>

        iOS Debug build fix

        Rubber-stamped by Filip Pizlo.

        * Configurations/LLVMForJSC.xcconfig:
        Dead-code strip the llvmForJSC library unconditionally, to work around <rdar://problem/16920916>.

2014-06-04 Oliver Hunt <oliver@apple.com>

        ArrayIterator should not be exposed in Safari 8
        https://bugs.webkit.org/show_bug.cgi?id=133494

        Reviewed by Michael Saboff.

        Separate out types that require constructor objects, and don't
        include the iterator types in that list.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:

2014-06-04 Filip Pizlo <fpizlo@apple.com>

        DFG::Safepoint::begin() should set m_didCallBegin before releasing the rightToRun lock, because otherwise, Safepoint::checkLivenessAndVisitChildren() may assert due to a race
        https://bugs.webkit.org/show_bug.cgi?id=133525
        <rdar://problem/16790296>

        Reviewed by Oliver Hunt.

        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::begin):

2014-06-03 Filip Pizlo <fpizlo@apple.com>

        LLVM soft-linking should be truly fail-silent
        https://bugs.webkit.org/show_bug.cgi?id=133482

        Reviewed by Mark Lam.

        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX): Missing return statement in the dlsym() returning null case.

2014-06-03 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>

        REGRESSION(r169092 and r169102): Skip failing JSC tests properly on non-x86 Darwin platforms
        https://bugs.webkit.org/show_bug.cgi?id=133149

        Reviewed by Csaba Osztrogonác.

        * tests/mozilla/mozilla-tests.yaml: Skip js1_5/Regress/regress-159334.js only if the architecture isn't x86 and the host is Darwin.

2014-05-31 Anders Carlsson <andersca@apple.com>

        Add a LazyNeverDestroyed class template and use it
        https://bugs.webkit.org/show_bug.cgi?id=133425

        Reviewed by Darin Adler.

        * dfg/DFGFunctionWhitelist.cpp:
        (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
        * dfg/DFGFunctionWhitelist.h:

2014-05-28 Filip Pizlo <fpizlo@apple.com>

        DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays
        https://bugs.webkit.org/show_bug.cgi?id=133368

        Reviewed by Mark Lam.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::fixupBlock): Loop in the right order so that we insert in the right order.
        * tests/stress/new-array-dead.js: Added.
        (foo):

2014-05-28 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, fix not-x86 32-bit.

        * llint/LowLevelInterpreter32_64.asm:

2014-05-27 Filip Pizlo <fpizlo@apple.com>

        Arrayify neglects to inform the clobberizer that it might fire watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=133340

        Reviewed by Mark Lam.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize): Be honest.
        * llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure.
        * tests/stress/arrayify-fires-watchpoint.js: Added.
        (foo):
        (test):
        (makeObjectArray):
        * tests/stress/arrayify-structure-bad-test.js: Added.
        (foo):
        (test):

2014-05-27 Jon Lee <jonlee@apple.com>

        Update ENABLE(MEDIA_SOURCE) on Mac
        https://bugs.webkit.org/show_bug.cgi?id=133141

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2014-05-27 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>

        Remove BLOB guards
        https://bugs.webkit.org/show_bug.cgi?id=132863

        Reviewed by Csaba Osztrogonác.

        * Configurations/FeatureDefines.xcconfig:

2014-05-27 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>

        Allow building CMake based ports with WEB_REPLAY
        https://bugs.webkit.org/show_bug.cgi?id=133154

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt:

2014-05-25 Filip Pizlo <fpizlo@apple.com>

        Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing
        https://bugs.webkit.org/show_bug.cgi?id=133136

        Reviewed by Oliver Hunt.

        Some key concepts:

        - Except for the prediction propagation and type fixup phases, which are super early in
          the pipeline, nobody has to know about the fact that booleans may flow into numerical
          operations because there will just be a BooleanToNumber node that will take a value
          and, if that value is a boolean, will convert it to the equivalent numerical value. It
          will have a BooleanUse mode where it will also speculate that the input is a boolean
          but it can also do UntypedUse in which case it will pass through any non-booleans.
          This operation is very easy to model in all of the compiler tiers.

        - No changes to the baseline JIT. The Baseline JIT will still believe that boolean
          inputs require taking the slow path and it will still report that it took slow path
          for any such operations. The DFG will now be smart enough to ignore baseline JIT slow
          path profiling on operations that were known to have had boolean inputs. That's a
          little quirky, but it's probably easier than modifying the baseline JIT to track
          booleans correctly.

        4.1x speed-up on the emscripten "life" benchmark. Up to 10x speed-up on microbenchmarks.

        * bytecode/SpeculatedType.h:
        (JSC::isInt32OrBooleanSpeculation):
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationExpectingDefined):
        (JSC::isInt52Speculation):
        (JSC::isMachineIntSpeculation):
        (JSC::isFullNumberOrBooleanSpeculation):
        (JSC::isFullNumberOrBooleanSpeculationExpectingDefined):
        (JSC::isInt32SpeculationExpectingDefined): Deleted.
        (JSC::isMachineIntSpeculationExpectingDefined): Deleted.
        (JSC::isMachineIntSpeculationForArithmetic): Deleted.
        (JSC::isBytecodeNumberSpeculationExpectingDefined): Deleted.
        (JSC::isFullNumberSpeculationExpectingDefined): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAllocator.h:
        (JSC::DFG::Allocator<T>::indexOf):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixIntConvertingEdge):
        (JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
        (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        (JSC::DFG::FixupPhase::fixIntEdge): Deleted.
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addSpeculationMode):
        (JSC::DFG::Graph::valueAddSpeculationMode):
        (JSC::DFG::Graph::arithAddSpeculationMode):
        (JSC::DFG::Graph::addShouldSpeculateInt32):
        (JSC::DFG::Graph::mulShouldSpeculateInt32):
        (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
        (JSC::DFG::Graph::negateShouldSpeculateInt32):
        (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
        (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::sawBooleans):
        (JSC::DFG::Node::shouldSpeculateInt32OrBoolean):
        (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
        (JSC::DFG::Node::shouldSpeculateInt32OrBooleanForArithmetic):
        (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateMachineInt):
        (JSC::DFG::Node::shouldSpeculateDouble):
        (JSC::DFG::Node::shouldSpeculateNumberOrBoolean):
        (JSC::DFG::Node::shouldSpeculateNumberOrBooleanExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateNumber):
        (JSC::DFG::Node::canSpeculateInt32):
        (JSC::DFG::Node::canSpeculateInt52):
        (JSC::DFG::Node::sourceFor):
        (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): Deleted.
        (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): Deleted.
        (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): Deleted.
        (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic): Deleted.
        (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): Deleted.
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::nodeMayOverflow):
        (JSC::DFG::nodeMayNegZero):
        (JSC::DFG::nodeCanSpeculateInt32):
        (JSC::DFG::nodeCanSpeculateInt52):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint):
        (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::asInt32ForArithmetic):
        * tests/stress/max-boolean-exit.js: Added.
        (foo):
        (test):
        * tests/stress/mul-boolean-exit.js: Added.
        (foo):
        (test):
        * tests/stress/plus-boolean-exit.js: Added.
        (foo):
        (test):
        * tests/stress/plus-boolean-or-double.js: Added.
        (foo):
        (test):
        * tests/stress/plus-boolean-or-int.js: Added.
        (foo):
        (test):

2014-05-26 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>

        Remove dead code from VM.cpp
        https://bugs.webkit.org/show_bug.cgi?id=133284

        Reviewed by Darin Adler.

        This workaround was added in r127505. Since clang is the
        only compiler used in this case, this workaround is obsolete.

        * runtime/VM.cpp:
        (JSC::enableAssembler):

2014-05-26 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>

        JSC CLoop warning fix
        https://bugs.webkit.org/show_bug.cgi?id=133259

        Reviewed by Darin Adler.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2014-05-24 Andreas Kling <akling@apple.com>

        Object.prototype.toString() should use cached strings for null/undefined.
        <https://webkit.org/b/133261>

        Normally, when calling Object.prototype.toString() on a regular object,
        we'd cache the result of the stringification on the object's structure,
        making repeated calls fast.

        For null and undefined, we were not as smart. We'd instead construct a
        new string with either "[object Null]" or "[object Undefined]" each time.

        This was exposed by Dromaeo's JS library tests, where some prototype.js
        subtests generate millions of strings this way.

        This patch adds two VM-permanent cached strings to the SmallStrings.
        Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html

        Reviewed by Darin Adler.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        (JSC::SmallStrings::initializeCommonStrings):
        (JSC::SmallStrings::visitStrongReferences):
        * runtime/SmallStrings.h:
        (JSC::SmallStrings::nullObjectString):
        (JSC::SmallStrings::undefinedObjectString):

2014-05-23 Mark Hahnenberg <mhahnenberg@apple.com>

        Remove operationCallGetter

        Rubber stamped by Filip Pizlo.

        Nobody calls this function.

        * JavaScriptCore.order:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2014-05-23 Andreas Kling <akling@apple.com>

        Templatize GC's destructor invocation for dtor type.
        <https://webkit.org/b/133231>

        Get rid of a branch in callDestructor() by templatizing it for
        the DestructorType. Removed JSCell::methodTableForDestruction()
        since this was the only call site and it was jumping through
        a bunch of unnecessary hoops.

        Reviewed by Geoffrey Garen.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor):
        (JSC::MarkedBlock::specializedSweep):
        * heap/MarkedBlock.h:
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::methodTableForDestruction): Deleted.

2014-05-23 Andreas Kling <akling@apple.com>

        Support inline caching of RegExpMatchesArray.length
        <https://webkit.org/b/133234>

        Give RegExpMatchesArray.length the same treatment as JSArray in
        repatch so we don't have to go out of line on every access.

        ~13% speed-up on Octane/regexp.

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        * runtime/RegExpMatchesArray.h:
        (JSC::isRegExpMatchesArray):

2014-05-22 Mark Lam <mark.lam@apple.com>

        REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
        <https://webkit.org/b/133182>

        Reviewed by Oliver Hunt.

        Before r154797, we used to clear the VM exception before calling into the
        debugger. After r154797, we don't. This patch will restore this clearing
        of the exception before calling into the debugger.

        Also added assertions after returning from calls into the debugger to
        ensure that the debugger did not introduce any exceptions.

        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::debug):
        - Fixed the assertion here. Interpreter::debug() should never be called
          with a pending exception. Debugger callbacks for exceptions should be
          handled by Interpreter::unwind() and Interpreter::unwindCallFrame().

2014-05-21 Filip Pizlo <fpizlo@apple.com>

        Store barrier elision should run after DCE in both the DFG path and the FTL path
        https://bugs.webkit.org/show_bug.cgi?id=129718

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2014-05-21 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>

        [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
        https://bugs.webkit.org/show_bug.cgi?id=132907

        Reviewed by Gyuyoung Kim.

        * CMakeLists.txt:

2014-05-16 Martin Robinson <mrobinson@igalia.com>

        [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
        https://bugs.webkit.org/show_bug.cgi?id=132819

        Reviewed by Carlos Garcia Campos.

        * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
        use the common CMake ones directly.

2014-05-21 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/169159.

        This was a unilateral change and wasn't properly reviewed.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-21 Antoine Quint <graouts@webkit.org>

        Array.prototype.find and findIndex should skip holes
        https://bugs.webkit.org/show_bug.cgi?id=132658

        Reviewed by Geoffrey Garen.

        Skip holes in the array when iterating so that the callback isn't called for them.

        * builtins/Array.prototype.js:
        (find):
        (findIndex):

2014-05-21 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>

        REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
        https://bugs.webkit.org/show_bug.cgi?id=133149

        Reviewed by Csaba Osztrogonác.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-20 Geoffrey Garen <ggaren@apple.com>

        Rolled out <http://trac.webkit.org/changeset/166184>
        https://bugs.webkit.org/show_bug.cgi?id=133144

        Reviewed by Gavin Barraclough.

        It caused a performance regression.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::blockFreeingThreadStartFunc):

2014-05-20 Filip Pizlo <fpizlo@apple.com>

        DFG prediction propagation should agree with fixup phase over the return type of GetByVal
        https://bugs.webkit.org/show_bug.cgi?id=133134

        Reviewed by Mark Hahnenberg.

        Make prediction propagator use ArrayMode refinement to decide the return type.

        Also introduce a heap prediction intrinsic that allows us to test weird corner cases
        like this. The only way we'll see a mismatch like this in the real world is probably
        through a gnarly race condition.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::setHeapPrediction):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFalse1):
        (functionFalse2):
        (functionUndefined1):
        (functionUndefined2):
        (functionFalse): Deleted.
        (functionOtherFalse): Deleted.
        (functionUndefined): Deleted.
        * runtime/Intrinsic.h:
        * tests/stress/get-by-val-double-predicted-int.js: Added.
        (foo):

2014-05-20 Mark Hahnenberg <mhahnenberg@apple.com>

        Watchdog timer should be lazily allocated
        https://bugs.webkit.org/show_bug.cgi?id=133135

        Reviewed by Geoffrey Garen.

        We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired.
        There is no reason to do this checking if we never activated the Watchdog, which can only be done through
        JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit.

        By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use
        these two API functions (which is true of most clients).

        * API/JSContextRef.cpp:
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/VM.h:
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::Scope::Scope): Deleted.
        (JSC::Watchdog::Scope::~Scope): Deleted.
        * runtime/Watchdog.h:
        (JSC::Watchdog::Scope::Scope):
        (JSC::Watchdog::Scope::~Scope):

2014-05-19 Mark Hahnenberg <mhahnenberg@apple.com>

        JSArray::shiftCountWith* could be more efficient
        https://bugs.webkit.org/show_bug.cgi?id=133011

        Reviewed by Geoffrey Garen.

        Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage
        are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling
        them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.

        * runtime/ArrayStorage.h:
        (JSC::ArrayStorage::indexingHeader):
        (JSC::ArrayStorage::length):
        (JSC::ArrayStorage::hasHoles):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::publicLength):
        (JSC::IndexingHeader::from):
        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSArray.h:
        (JSC::JSArray::shiftCountForShift):
        (JSC::JSArray::shiftCountForSplice):
        (JSC::JSArray::shiftCount):
        * runtime/Structure.cpp:
        (JSC::Structure::holesRequireSpecialBehavior):
        * runtime/Structure.h:

2014-05-19 Filip Pizlo <fpizlo@apple.com>

        Test gardening: skip some failing tests on not-X86.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-19 Mark Lam <mark.lam@apple.com>

        operationOptimize() should defer the GC for a while.
        <https://webkit.org/b/133103>

        Reviewed by Filip Pizlo.

        Currently, operationOptimize() only defers the GC until its end. As a result,
        a GC may be triggered just before we return from operationOptimize(), and it may
        jettison the optimized codeBlock that we're planning to OSR enter into when we
        return from this function. This is because the OSR entry on-ramp code hasn't
        been executed yet, and hence, there is not yet a reference to this new codeBlock
        from the stack, and there won't be until we've had a chance to return out of
        operationOptimize() to run the OSR entry on-ramp code.

        This issue is now fixed by using DeferGCForAWhile instead of DeferGC. This
        ensures that the GC will be deferred until after the OSR entry on-ramp can be
        executed.

        * jit/JITOperations.cpp:

2014-05-19 Filip Pizlo <fpizlo@apple.com>

        Take care of some ARM64 test failures
        https://bugs.webkit.org/show_bug.cgi?id=133090

        Reviewed by Geoffrey Garen.

        Constant blinding on ARM64 cannot use the scratch register.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::convertInt32ToDouble):
        (JSC::MacroAssembler::branchPtr):
        (JSC::MacroAssembler::storePtr):
        (JSC::MacroAssembler::store64):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):

2014-05-19 Tanay C <tanay.c@samsung.com>

        Removing some check-webkit-style warnings from ./dfg
        https://bugs.webkit.org/show_bug.cgi?id=132854

        Reviewed by Darin Adler.

        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractValue.h:
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGCommonData.h:
        * dfg/DFGDominators.h:
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGPredictionPropagationPhase.h:

2014-05-18 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
        That was a long time ago.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileReturn):

2014-05-18 Rik Cabanier <cabanier@adobe.com>

        support for navigator.hardwareConcurrency
        https://bugs.webkit.org/show_bug.cgi?id=132588

        Reviewed by Filip Pizlo.

        * Configurations/FeatureDefines.xcconfig:

2014-05-16 Michael Saboff <msaboff@apple.com>

        Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
        https://bugs.webkit.org/show_bug.cgi?id=133009

        Reviewed by Oliver Hunt.

        If we determine that any alternative requires a minimum match size greater than
        INT_MAX, we handle the match in the interpreter.

        Check to see if the pattern has unsigned lengths before invoking YARR JIT.
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):

        * tests/stress/large-regexp.js: New test added.

        Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
        doesn't fit in an int.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):

        Clear new m_containsUnsignedLengthPattern flag.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPattern::YarrPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):
        (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):

2014-05-15 Mark Hahnenberg <mhahnenberg@apple.com>

        JSDOMWindow should not claim HasImpureGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=132918

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp:
        (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".

2014-05-15 Alex Christensen <achristensen@webkit.org>

        Add pointer lock to features without enabling it.
        https://bugs.webkit.org/show_bug.cgi?id=132961

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:
        Added ENABLE_POINTER_LOCK to list of features.

2014-05-14 Mark Hahnenberg <mhahnenberg@apple.com>

        Inline caching for proxies clobbers baseGPR too early
        https://bugs.webkit.org/show_bug.cgi?id=132916

        Reviewed by Filip Pizlo.

        We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path
        gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR
        until we know the inline cache is going to succeed.

        * jit/Repatch.cpp:
        (JSC::generateByIdStub):

2014-05-14 Brent Fulgham <bfulgham@apple.com>

        [Win] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
        was missing commands to build LLInt portions of JSC.
        * llint/LLIntData.cpp: 64-bit build fix.

2014-05-14 Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>

        ARM Traditional buildfix after r168776.
        https://bugs.webkit.org/show_bug.cgi?id=132903

        Reviewed by Darin Adler.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::abortWithReason): Added.

2014-05-14 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>

        Remove CSS_STICKY_POSITION guards
        https://bugs.webkit.org/show_bug.cgi?id=132676

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2014-05-13 Filip Pizlo <fpizlo@apple.com>

        JIT breakpoints should be more informative
        https://bugs.webkit.org/show_bug.cgi?id=132882

        Reviewed by Oliver Hunt.

        Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
        failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
        at that platform's abort reason register (r11 on X86-64 for example).

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbortReason.h: Added.
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::abortWithReason):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::abortWithReason):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::abortWithReason):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::generate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::bail):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitAssertIsInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::AssemblyHelpers::jitAssertIsJSDouble):
        (JSC::AssemblyHelpers::jitAssertIsCell):
        (JSC::AssemblyHelpers::jitAssertTagsInPlace):
        (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
        (JSC::AssemblyHelpers::jitAssertIsNull):
        (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkStackPointerAlignment):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_div):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::compileGetDirectOffset):
        (JSC::JIT::addStructureTransitionCheck): Deleted.
        (JSC::JIT::testPrototype): Deleted.
3447 * jit/JITPropertyAccess32_64.cpp:
3448 (JSC::JIT::emit_op_get_by_val):
3449 (JSC::JIT::compileGetDirectOffset):
3450 * jit/RegisterPreservationWrapperGenerator.cpp:
3451 (JSC::generateRegisterRestoration):
3452 * jit/Repatch.cpp:
3453 (JSC::addStructureTransitionCheck):
3454 (JSC::linkClosureCall):
3455 * jit/ThunkGenerators.cpp:
3456 (JSC::emitPointerValidation):
3457 (JSC::nativeForGenerator):
3458 * yarr/YarrJIT.cpp:
3459 (JSC::Yarr::YarrGenerator::generate):
3460
3461 2014-05-13 peavo@outlook.com <peavo@outlook.com>
3462
3463 [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
3464 https://bugs.webkit.org/show_bug.cgi?id=132772
3465
3466 Reviewed by Geoffrey Garen.
3467
3468 Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
3469 This has caused crashes on Windows on two occasions (bug 132683 and bug 121001).
3470 This patch tries to prevent this type of crash by using a type with explicit constructors instead of void*.
3471 The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
3472
3473 * assembler/MacroAssemblerARM.h:
3474 (JSC::MacroAssemblerARM::loadDouble):
3475 (JSC::MacroAssemblerARM::storeDouble):
3476 * assembler/MacroAssemblerARM64.h:
3477 (JSC::MacroAssemblerARM64::loadDouble):
3478 (JSC::MacroAssemblerARM64::storeDouble):
3479 * assembler/MacroAssemblerARMv7.h:
3480 (JSC::MacroAssemblerARMv7::loadDouble):
3481 (JSC::MacroAssemblerARMv7::storeDouble):
3482 * assembler/MacroAssemblerMIPS.h:
3483 (JSC::MacroAssemblerMIPS::loadDouble):
3484 (JSC::MacroAssemblerMIPS::storeDouble):
3485 * assembler/MacroAssemblerSH4.h:
3486 (JSC::MacroAssemblerSH4::loadDouble):
3487 (JSC::MacroAssemblerSH4::storeDouble):
3488 * assembler/MacroAssemblerX86.h:
3489 (JSC::MacroAssemblerX86::storeDouble):
3490 * assembler/MacroAssemblerX86Common.h:
3491 (JSC::MacroAssemblerX86Common::absDouble):
3492 (JSC::MacroAssemblerX86Common::negateDouble):
3493 (JSC::MacroAssemblerX86Common::loadDouble):
3494 * dfg/DFGSpeculativeJIT.cpp:
3495 (JSC::DFG::SpeculativeJIT::silentFill):
3496 (JSC::DFG::compileClampDoubleToByte):
3497 * dfg/DFGSpeculativeJIT32_64.cpp:
3498 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3499 (JSC::DFG::SpeculativeJIT::compile):
3500 * jit/AssemblyHelpers.cpp:
3501 (JSC::AssemblyHelpers::purifyNaN):
3502 * jit/JITInlines.h:
3503 (JSC::JIT::emitLoadDouble):
3504 * jit/JITPropertyAccess.cpp:
3505 (JSC::JIT::emitFloatTypedArrayGetByVal):
3506 * jit/ThunkGenerators.cpp:
3507 (JSC::floorThunkGenerator):
3508 (JSC::roundThunkGenerator):
3509 (JSC::powThunkGenerator):
3510
3511 2014-05-12 Commit Queue <commit-queue@webkit.org>
3512
3513 Unreviewed, rolling out r168642.
3514 https://bugs.webkit.org/show_bug.cgi?id=132839
3515
3516 Broke ARM build (Requested by jpfau on #webkit).
3517
3518 Reverted changeset:
3519
3520 "[Win] Enum type with value zero is compatible with void*,
3521 potential cause of crashes."
3522 https://bugs.webkit.org/show_bug.cgi?id=132772
3523 http://trac.webkit.org/changeset/168642
3524
3525 2014-05-12 peavo@outlook.com <peavo@outlook.com>
3526
3527 [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
3528 https://bugs.webkit.org/show_bug.cgi?id=132772
3529
3530 Reviewed by Geoffrey Garen.
3531
3532 Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
3533 This has caused crashes on Windows on two occasions (bug 132683 and bug 121001).
3534 This patch tries to prevent this type of crash by using a type with explicit constructors instead of void*.
3535 The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
3536
3537 * assembler/MacroAssemblerARM.h:
3538 (JSC::MacroAssemblerARM::loadDouble):
3539 (JSC::MacroAssemblerARM::storeDouble):
3540 * assembler/MacroAssemblerARM64.h:
3541 (JSC::MacroAssemblerARM64::loadDouble):
3542 (JSC::MacroAssemblerARM64::storeDouble):
3543 * assembler/MacroAssemblerARMv7.h:
3544 (JSC::MacroAssemblerARMv7::loadDouble):
3545 (JSC::MacroAssemblerARMv7::storeDouble):
3546 * assembler/MacroAssemblerMIPS.h:
3547 (JSC::MacroAssemblerMIPS::loadDouble):
3548 (JSC::MacroAssemblerMIPS::storeDouble):
3549 * assembler/MacroAssemblerSH4.h:
3550 (JSC::MacroAssemblerSH4::loadDouble):
3551 (JSC::MacroAssemblerSH4::storeDouble):
3552 * assembler/MacroAssemblerX86.h:
3553 (JSC::MacroAssemblerX86::storeDouble):
3554 * assembler/MacroAssemblerX86Common.h:
3555 (JSC::MacroAssemblerX86Common::absDouble):
3556 (JSC::MacroAssemblerX86Common::negateDouble):
3557 (JSC::MacroAssemblerX86Common::loadDouble):
3558 * dfg/DFGSpeculativeJIT.cpp:
3559 (JSC::DFG::SpeculativeJIT::silentFill):
3560 (JSC::DFG::compileClampDoubleToByte):
3561 * dfg/DFGSpeculativeJIT32_64.cpp:
3562 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3563 (JSC::DFG::SpeculativeJIT::compile):
3564 * jit/AssemblyHelpers.cpp:
3565 (JSC::AssemblyHelpers::purifyNaN):
3566 * jit/JITInlines.h:
3567 (JSC::JIT::emitLoadDouble):
3568 * jit/JITPropertyAccess.cpp:
3569 (JSC::JIT::emitFloatTypedArrayGetByVal):
3570 * jit/ThunkGenerators.cpp:
3571 (JSC::floorThunkGenerator):
3572 (JSC::roundThunkGenerator):
3573 (JSC::powThunkGenerator):
3574
3575 2014-05-12 Andreas Kling <akling@apple.com>
3576
3577 0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
3578 <https://webkit.org/b/132828>
3579 <rdar://problem/16886285>
3580
3581 Reviewed by Michael Saboff.
3582
3583 * runtime/JSObject.cpp:
3584 (JSC::JSObject::visitButterfly):
3585 (JSC::JSObject::visitChildren):
3586
3587 Use JSCell::structure(VM&) to reduce the number of hoops we jump
3588 through to find Structures during marking.
3589
3590 2014-05-12 László Langó <llango.u-szeged@partner.samsung.com>
3591
3592 [cmake] Add missing FTL source files to the build system.
3593
3594 Reviewed by Csaba Osztrogonác.
3595
3596 * CMakeLists.txt:
3597
3598 2014-05-09 Joseph Pecoraro <pecoraro@apple.com>
3599
3600 Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
3601 https://bugs.webkit.org/show_bug.cgi?id=132409
3602
3603 Reviewed by Timothy Hatcher.
3604
3605 Proxy applications are applications which hold WebViews for other
3606 applications. The WebProcess (Web Content Service) is a proxy application.
3607 For legacy reasons we were supporting a scenario where proxy applications
3608 could potentially host WebViews for more than one other application. That
3609 was never the case for WebProcess and it is now a scenario we don't need
3610 to worry about supporting.
3611
3612 With this change, a proxy application more naturally only holds WebViews
3613 for a single parent / host application. The proxy process can set the
3614 parent pid / audit_token data on the RemoteInspector singleton, and
3615 that data will be sent on to webinspectord later on to be validated.
3616 In the WebProcess<->UIProcess relationship that information is known
3617 and set immediately. In the Legacy iOS case that information is set
3618 soon after, but not immediately known at the point the WebView is created.
3619
3620 This allows us to simplify the RemoteInspectorDebuggable interface.
3621 We no longer need a pid per-Debuggable.
3622
3623 * inspector/remote/RemoteInspector.h:
3624 * inspector/remote/RemoteInspector.mm:
3625 (Inspector::RemoteInspector::RemoteInspector):
3626 (Inspector::RemoteInspector::setParentProcessInformation):
3627 (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
3628 (Inspector::RemoteInspector::listingForDebuggable):
3629 (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
3630 Handle new proxy application setup message, and provide an API
3631 for a proxy application to set the parent process information.
3632
3633 * inspector/remote/RemoteInspectorConstants.h:
3634 New setup and response message for proxy applications to pass
3635 their parent / host application information to webinspectord.
3636
3637 * inspector/remote/RemoteInspectorDebuggable.cpp:
3638 (Inspector::RemoteInspectorDebuggable::info):
3639 * inspector/remote/RemoteInspectorDebuggable.h:
3640 (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
3641 (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
3642 pid per debuggable is no longer needed.
3643
3644 2014-05-09 Mark Hahnenberg <mhahnenberg@apple.com>
3645
3646 JSDOMWindow should disable property caching after a certain point
3647 https://bugs.webkit.org/show_bug.cgi?id=132751
3648
3649 Reviewed by Filip Pizlo.
3650
3651 This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static
3652 hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks
3653 that it has provided a cacheable value.
3654
3655 * runtime/PropertySlot.h:
3656 (JSC::PropertySlot::PropertySlot):
3657 (JSC::PropertySlot::isCacheable):
3658 (JSC::PropertySlot::disableCaching):
3659
3660 2014-05-09 Andreas Kling <akling@apple.com>
3661
3662 8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
3663 <https://webkit.org/b/132749>
3664
3665 Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
3666 in Object.prototype.* by using JSString::toIdentifier() in the cases where
3667 we are converting JSString -> String -> Identifier.
3668
3669 This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
3670 "The Great HTML5 Gaming Performance Test: 2014 edition"
3671 <http://www.scirra.com/demos/c2/sbperftest/>
3672
3673 Reviewed by Oliver Hunt.
3674
3675 * runtime/ObjectPrototype.cpp:
3676 (JSC::objectProtoFuncHasOwnProperty):
3677 (JSC::objectProtoFuncDefineGetter):
3678 (JSC::objectProtoFuncDefineSetter):
3679 (JSC::objectProtoFuncLookupGetter):
3680 (JSC::objectProtoFuncLookupSetter):
3681
3682 2014-05-08 Mark Hahnenberg <mhahnenberg@apple.com>
3683
3684 JSDOMWindow should have a WatchpointSet to fire on window close
3685 https://bugs.webkit.org/show_bug.cgi?id=132721
3686
3687 Reviewed by Filip Pizlo.
3688
3689 This patch allows us to reset the inline caches that assumed they could skip
3690 the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has
3691 been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.
3692
3693 PropertySlot now accepts a WatchpointSet which the inline cache code can look for
3694 to see if it should create a new Watchpoint for that particular inline cache site.
3695
3696 * bytecode/Watchpoint.h:
3697 * jit/Repatch.cpp:
3698 (JSC::generateByIdStub):
3699 (JSC::tryBuildGetByIDList):
3700 (JSC::tryCachePutByID):
3701 (JSC::tryBuildPutByIdList):
3702 * runtime/PropertySlot.h:
3703 (JSC::PropertySlot::PropertySlot):
3704 (JSC::PropertySlot::watchpointSet):
3705 (JSC::PropertySlot::setWatchpointSet):
3706
3707 2014-05-09 Tanay C <tanay.c@samsung.com>
3708
3709 Fix build warning (uninitialized variable) in DFGFixupPhase.cpp
3710 https://bugs.webkit.org/show_bug.cgi?id=132331
3711
3712 Reviewed by Darin Adler.
3713
3714 * dfg/DFGFixupPhase.cpp:
3715 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
3716
3717 2014-05-09 peavo@outlook.com <peavo@outlook.com>
3718
3719 [Win] Crash when enabling DFG JIT.
3720 https://bugs.webkit.org/show_bug.cgi?id=132683
3721
3722 Reviewed by Geoffrey Garen.
3723
3724 On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
3725 results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
3726 where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
3727 This causes the register to be written to address 0, hence the crash.
3728
3729 * dfg/DFGOSRExitCompiler32_64.cpp:
3730 (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
3731 * dfg/DFGOSRExitCompiler64.cpp:
3732 (JSC::DFG::OSRExitCompiler::compileExit): Ditto.
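
The entries for bug 132772 and bug 132683 above describe one pitfall: an overload that takes a raw void* silently accepts a zero, and under MSVC also an enumerator whose value is zero, so a store meant for a register lands at address 0. The following is an added example, not JavaScriptCore code. RegisterID, FPRegisterID, UnsafeAssembler, SafeAssembler and the cut-down TrustedImmPtr are hypothetical stand-ins modelled on the names in the entries. It shows the standard-C++ half of the hazard (the literal 0 is a null pointer constant) and the explicit-constructor wrapper that closes it. The MSVC enum-to-pointer extension itself cannot be reproduced with GCC or Clang, which resolve storeDouble(xmm0, eax) to the register overload as the standard requires.

```cpp
#include <type_traits>
#include <utility>

// Register enumerations modelled on the JSC names used in the entries; the
// first GPR deliberately has the value 0 (GPRInfo::regT0 is eax on Windows).
enum RegisterID { eax = 0, ecx, edx };
enum FPRegisterID { xmm0 = 0, xmm1 };

// What the toy assembler recorded for its most recent storeDouble().
enum class Target { None, Register, Absolute };

// Before the fix: the absolute-address overload takes a raw const void*.
// The literal 0 is a null pointer constant in standard C++, and the entries
// report that MSVC also lets an enumerator with value 0 convert to void*,
// so a call intended for the register overload becomes a store to address 0.
struct UnsafeAssembler {
    Target lastTarget = Target::None;
    const void* lastAddress = nullptr;
    void storeDouble(FPRegisterID, RegisterID) { lastTarget = Target::Register; }
    void storeDouble(FPRegisterID, const void* address) {
        lastTarget = Target::Absolute;
        lastAddress = address;
    }
};

// After the fix: an absolute address has to be wrapped explicitly. Neither 0
// nor any enumerator converts to TrustedImmPtr on its own (hypothetical
// simplification of the JSC type of that name).
struct TrustedImmPtr {
    explicit TrustedImmPtr(const void* p) : value(p) {}
    const void* value;
};

struct SafeAssembler {
    Target lastTarget = Target::None;
    const void* lastAddress = nullptr;
    void storeDouble(FPRegisterID, RegisterID) { lastTarget = Target::Register; }
    void storeDouble(FPRegisterID, TrustedImmPtr address) {
        lastTarget = Target::Absolute;
        lastAddress = address.value;
    }
};

// Compile-time probe: is there a viable overload for storeDouble(xmm0, 0)?
template <typename Asm, typename = void>
struct AcceptsLiteralZero : std::false_type {};
template <typename Asm>
struct AcceptsLiteralZero<Asm,
    std::void_t<decltype(std::declval<Asm&>().storeDouble(xmm0, 0))>> : std::true_type {};

bool unsafeAcceptsLiteralZero() { return AcceptsLiteralZero<UnsafeAssembler>::value; }  // true
bool safeAcceptsLiteralZero() { return AcceptsLiteralZero<SafeAssembler>::value; }      // false

// The pre-fix hazard made observable: a zero that reaches the pointer
// overload is recorded as a store to address 0.
Target unsafeStoreToZero() {
    UnsafeAssembler a;
    a.storeDouble(xmm0, 0);
    return a.lastTarget;
}
const void* unsafeStoreAddress() {
    UnsafeAssembler a;
    a.storeDouble(xmm0, 0);
    return a.lastAddress;
}

// With the wrapper, a register argument can only reach the register overload,
// and an absolute address has to be spelled out at the call site.
Target safeStoreToRegister() {
    SafeAssembler a;
    a.storeDouble(xmm0, eax);
    return a.lastTarget;
}
bool safeStoreHitsSlot() {
    double slot = 0;
    SafeAssembler a;
    a.storeDouble(xmm0, TrustedImmPtr(&slot));
    return a.lastAddress == &slot;
}
```

The probe is the check worth keeping in a code base: once the pointer parameter is a strong type with an explicit constructor, a stray zero or enumerator is a compile error rather than a write to address 0 in a JIT-generated stub.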
3733
3734 2014-05-09 Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
3735
3736 REGRESSION(r167094): JSC crashes on ARM Traditional
3737 https://bugs.webkit.org/show_bug.cgi?id=132738
3738
3739 Reviewed by Zoltan Herczeg.
3740
3741 PC is two instructions ahead of the current instruction
3742 on ARM Traditional, so the distance is 8 bytes not 2.
3743
3744 * llint/LowLevelInterpreter.asm:
3745
3746 2014-05-09 Alberto Garcia <berto@igalia.com>
3747
3748 jsmin.py license header confusing, mentions non-free license
3749 https://bugs.webkit.org/show_bug.cgi?id=123665
3750
3751 Reviewed by Darin Adler.
3752
3753 Pull the most recent version from upstream, which has a clear
3754 license.
3755
3756 * inspector/scripts/jsmin.py:
3757
3758 2014-05-08 Mark Hahnenberg <mhahnenberg@apple.com>
3759
3760 Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
3761 https://bugs.webkit.org/show_bug.cgi?id=132695
3762
3763 Reviewed by Filip Pizlo.
3764
3765 We check in the case where we're accessing something other than the base object (e.g. the prototype),
3766 but we fail to do so for the base object.
3767
3768 * jit/Repatch.cpp:
3769 (JSC::tryCacheGetByID):
3770 (JSC::tryBuildGetByIDList):
3771 * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
3772 because all of the values that are returned that could be impure are set to uncacheable anyways.
3773 (WTF::ImpureGetter::ImpureGetter):
3774 (WTF::ImpureGetter::createStructure):
3775 (WTF::ImpureGetter::create):
3776 (WTF::ImpureGetter::finishCreation):
3777 (WTF::ImpureGetter::getOwnPropertySlot):
3778 (WTF::ImpureGetter::visitChildren):
3779 (WTF::ImpureGetter::setDelegate):
3780 (GlobalObject::finishCreation):
3781 (functionCreateImpureGetter):
3782 (functionSetImpureGetterDelegate):
3783 * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
3784 (foo):
3785
3786 2014-05-08 Filip Pizlo <fpizlo@apple.com>
3787
3788 deleteAllCompiledCode() shouldn't use the suspension worklist
3789 https://bugs.webkit.org/show_bug.cgi?id=132708
3790
3791 Reviewed by Mark Hahnenberg.
3792
3793 * bytecode/CodeBlock.cpp:
3794 (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
3795 * dfg/DFGPlan.cpp:
3796 (JSC::DFG::Plan::isStillValid):
3797 * heap/Heap.cpp:
3798 (JSC::Heap::deleteAllCompiledCode):
3799
3800 2014-05-08 Filip Pizlo <fpizlo@apple.com>
3801
3802 SSA conversion should delete PhantomLocals for captured variables
3803 https://bugs.webkit.org/show_bug.cgi?id=132693
3804
3805 Reviewed by Mark Hahnenberg.
3806
3807 * dfg/DFGCommon.cpp:
3808 (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
3809 * dfg/DFGCommon.h:
3810 * dfg/DFGFixupPhase.cpp:
3811 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
3812 * dfg/DFGLivenessAnalysisPhase.cpp:
3813 (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
3814 * dfg/DFGSSAConversionPhase.cpp:
3815 (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
3816 * dfg/DFGValidate.cpp: Use the workaround.
3817 * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
3818 (foo):
3819 (bar):
3820
3821 2014-05-07 Commit Queue <commit-queue@webkit.org>
3822
3823 Unreviewed, rolling out r168451.
3824 https://bugs.webkit.org/show_bug.cgi?id=132670
3825
3826 Not a speed-up, just do what other compilers do. (Requested by
3827 kling on #webkit).
3828
3829 Reverted changeset:
3830
3831 "[X86] Emit BT instruction for single-bit tests."
3832 https://bugs.webkit.org/show_bug.cgi?id=132650
3833 http://trac.webkit.org/changeset/168451
3834
3835 2014-05-07 Filip Pizlo <fpizlo@apple.com>
3836
3837 Make Executable::clearCode() actually clear all of the entrypoints, and
3838 clean up some other FTL-related calling convention stuff.
3839 <rdar://problem/16720172>
3840
3841 Rubber stamped by Mark Hahnenberg.
3842
3843 * dfg/DFGOperations.cpp:
3844 * dfg/DFGOperations.h:
3845 * dfg/DFGWorklist.cpp:
3846 (JSC::DFG::Worklist::Worklist):
3847 (JSC::DFG::Worklist::finishCreation):
3848 (JSC::DFG::Worklist::create):
3849 (JSC::DFG::ensureGlobalDFGWorklist):
3850 (JSC::DFG::ensureGlobalFTLWorklist):
3851 * dfg/DFGWorklist.h:
3852 * heap/CodeBlockSet.cpp:
3853 (JSC::CodeBlockSet::dump):
3854 * heap/CodeBlockSet.h:
3855 * runtime/Executable.cpp:
3856 (JSC::ExecutableBase::clearCode):
3857
3858 2014-05-07 Andreas Kling <akling@apple.com>
3859
3860 [X86] Emit BT instruction for single-bit tests.
3861 <https://webkit.org/b/132650>
3862
3863 Implement test-bit-and-branch slightly more efficiently by using
3864 BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
3865 a single bit.
3866
3867 Reviewed by Michael Saboff.
3868
3869 * assembler/MacroAssemblerX86Common.h:
3870 (JSC::MacroAssemblerX86Common::singleBitIndex):
3871 (JSC::MacroAssemblerX86Common::branchTest32):
3872 * assembler/X86Assembler.h:
3873 (JSC::X86Assembler::bt_i8r):
3874 (JSC::X86Assembler::bt_i8m):
3875
3876 2014-05-07 Mark Lam <mark.lam@apple.com>
3877
3878 REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
3879 <https://webkit.org/b/131356>
3880
3881 Reviewed by Geoffrey Garen.
3882
3883 The issue is that GC needs to be made aware of writes to m_inferredValue
3884 in the VariableWatchpointSet, but was not. As a result, if a JSCell*
3885 is written to a VariableWatchpointSet m_inferredValue, and that JSCell
3886 does not survive an eden GC shortly after, we will end up with a stale
3887 JSCell pointer left in the m_inferredValue.
3888
3889 This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
3890 using DumpRenderTree with the VM heap in zombie mode.
3891
3892 The fix is to change VariableWatchpointSet m_inferredValue to type
3893 WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
3894 is executed by all the execution engines so that the WriteBarrier semantics
3895 are honored.
3896
3897 We still check if the value to be written is the same as the one in the
3898 inferredValue. We'll by-pass calling the slow path notifyWrite() if the
3899 values are the same.
3900
3901 * JavaScriptCore.xcodeproj/project.pbxproj:
3902 * bytecode/CodeBlock.cpp:
3903 (JSC::CodeBlock::CodeBlock):
3904 - need to pass the symbolTable to prepareToWatch() because it will be needed
3905 for instantiating the VariableWatchpointSet in prepareToWatch().
3906
3907 * bytecode/VariableWatchpointSet.h:
3908 (JSC::VariableWatchpointSet::VariableWatchpointSet):
3909 - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
3910 write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
3911 (JSC::VariableWatchpointSet::inferredValue):
3912 (JSC::VariableWatchpointSet::invalidate):
3913 (JSC::VariableWatchpointSet::finalizeUnconditionally):
3914 (JSC::VariableWatchpointSet::addressOfInferredValue):
3915 (JSC::VariableWatchpointSet::notifyWrite): Deleted.
3916 * bytecode/VariableWatchpointSetInlines.h: Added.
3917 (JSC::VariableWatchpointSet::notifyWrite):
3918
3919 * dfg/DFGByteCodeParser.cpp:
3920 (JSC::DFG::ByteCodeParser::cellConstant):
3921 - Added an assert in case we try to make constants of zombified JSCells again.
3922
3923 * dfg/DFGOperations.cpp:
3924 * dfg/DFGOperations.h:
3925 * dfg/DFGSpeculativeJIT.h:
3926 (JSC::DFG::SpeculativeJIT::callOperation):
3927 * dfg/DFGSpeculativeJIT32_64.cpp:
3928 (JSC::DFG::SpeculativeJIT::compile):
3929 * dfg/DFGSpeculativeJIT64.cpp:
3930 (JSC::DFG::SpeculativeJIT::compile):
3931 - We now let the slow path handle the cases when the VariableWatchpointSet is
3932 in state ClearWatchpoint and IsWatched, and the slow path will ensure that
3933 we handle the needed write barrier semantics correctly.
3934 We will by-pass the slow path if the value being written is the same as the
3935 inferred value.
3936
3937 * ftl/FTLIntrinsicRepository.h:
3938 * ftl/FTLLowerDFGToLLVM.cpp:
3939 (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
3940 - Let the slow path handle the cases when the VariableWatchpointSet is
3941 in state ClearWatchpoint and IsWatched.
3942 We will by-pass the slow path if the value being written is the same as the
3943 inferred value.
3944
3945 * heap/Heap.cpp:
3946 (JSC::Zombify::operator()):
3947 - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
3948 which is used everywhere else).
3949 * heap/Heap.h:
3950 (JSC::Heap::isZombified):
3951 - Provide a convenience test function to check if JSCells are zombified. This is
3952 currently only used in an assertion in the DFG bytecode parser, but the intent
3953 is that we'll apply this test in other strategic places later to help with early
3954 detection of usage of GC'ed objects when we run in zombie mode.
3955
3956 * jit/JITOpcodes.cpp:
3957 (JSC::JIT::emitSlow_op_captured_mov):
3958 * jit/JITOperations.h:
3959 * jit/JITPropertyAccess.cpp:
3960 (JSC::JIT::emitNotifyWrite):
3961 * jit/JITPropertyAccess32_64.cpp:
3962 (JSC::JIT::emitNotifyWrite):
3963 (JSC::JIT::emitSlow_op_put_to_scope):
3964 - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
3965 is in state ClearWatchpoint and IsWatched.
3966 We will by-pass the slow path if the value being written is the same as the
3967 inferred value.
3968
3969 * llint/LowLevelInterpreter32_64.asm:
3970 * llint/LowLevelInterpreter64.asm:
3971 - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
3972 is in state ClearWatchpoint and IsWatched.
3973 We will by-pass the slow path if the value being written is the same as the
3974 inferred value.
3975
3976 * runtime/CommonSlowPaths.cpp:
3977
3978 * runtime/JSCJSValue.h: Fixed some typos in the comments.
3979 * runtime/JSGlobalObject.cpp:
3980 (JSC::JSGlobalObject::addGlobalVar):
3981 (JSC::JSGlobalObject::addFunction):
3982 * runtime/JSSymbolTableObject.h:
3983 (JSC::symbolTablePut):
3984 (JSC::symbolTablePutWithAttributes):
3985 * runtime/SymbolTable.cpp:
3986 (JSC::SymbolTableEntry::prepareToWatch):
3987 (JSC::SymbolTableEntry::notifyWriteSlow):
3988 * runtime/SymbolTable.h:
3989 (JSC::SymbolTableEntry::notifyWrite):
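
The barrier problem in the entry above, modelled as an added example that is not JavaScriptCore code. Heap, Cell, storeUnbarriered, storeWithBarrier and collectEden are a hypothetical toy generational collector with a remembered set: cells are integers rather than JSCell pointers, an eden collection only traces young cells, and a cell that such a collection did not reach is flagged "zombified", standing in for the zombie mode the entry used to catch the bug. It reproduces the failure: an already-tenured owner stores a pointer to a fresh eden cell that nothing else references, an eden collection runs, and without the barrier the owner is left pointing at a collected cell.

```cpp
#include <iostream>
#include <unordered_set>
#include <vector>

// Toy generational heap. Cells are addressed by index; -1 means "no cell".
struct Cell {
    bool old = false;     // promoted out of eden by an earlier collection
    bool alive = true;    // false once an eden collection zombified it
    bool marked = false;
    int field = -1;       // the single reference this cell holds (think m_inferredValue)
};

class Heap {
public:
    int allocate() { cells.push_back(Cell{}); return static_cast<int>(cells.size()) - 1; }
    void promote(int i) { cells[i].old = true; }
    int field(int i) const { return cells[i].field; }
    bool isZombified(int i) const { return i >= 0 && !cells[i].alive; }

    // Raw store: the collector never learns that an old cell now points
    // into eden. This is what the pre-fix m_inferredValue write amounted to.
    void storeUnbarriered(int owner, int value) { cells[owner].field = value; }

    // Barriered store, the WriteBarrier<Unknown> behaviour: an old-to-young
    // pointer puts the owner in the remembered set, which the next eden
    // collection scans as an extra root. Rewriting the value already present
    // is skipped, like the fast path that bypasses notifyWrite() when the
    // inferred value is unchanged; that value was barriered when first stored.
    void storeWithBarrier(int owner, int value) {
        if (cells[owner].field == value)
            return;
        cells[owner].field = value;
        if (value >= 0 && cells[owner].old && !cells[value].old)
            rememberedSet.insert(owner);
    }

    // Eden collection: old cells are assumed live and are not traced unless
    // they sit in the remembered set. Unreached young cells are zombified;
    // surviving young cells are promoted, so the remembered set can be reset.
    void collectEden(const std::vector<int>& roots) {
        for (Cell& c : cells) c.marked = false;
        std::vector<int> work(roots);
        work.insert(work.end(), rememberedSet.begin(), rememberedSet.end());
        while (!work.empty()) {
            int i = work.back();
            work.pop_back();
            if (i < 0 || cells[i].marked || !cells[i].alive) continue;
            cells[i].marked = true;
            work.push_back(cells[i].field);
        }
        for (Cell& c : cells) {
            if (c.old) continue;
            if (c.marked) c.old = true; else c.alive = false;
        }
        rememberedSet.clear();
    }

private:
    std::vector<Cell> cells;
    std::unordered_set<int> rememberedSet;
};

// The ChangeLog scenario: a tenured VariableWatchpointSet-like cell receives
// a pointer to a freshly allocated cell, then an eden collection runs.
// Returns true if the owner is left holding a pointer to a zombified cell.
bool staleAfterEdenGC(bool useBarrier) {
    Heap heap;
    int watchpointSet = heap.allocate();
    heap.promote(watchpointSet);           // survived an earlier collection
    int inferredValue = heap.allocate();   // young cell written into the field
    if (useBarrier)
        heap.storeWithBarrier(watchpointSet, inferredValue);
    else
        heap.storeUnbarriered(watchpointSet, inferredValue);
    heap.collectEden({});                  // no roots: only the barrier can keep it alive
    return heap.isZombified(heap.field(watchpointSet));
}

int main() {
    std::cout << "unbarriered store leaves a stale pointer: " << staleAfterEdenGC(false) << '\n'
              << "barriered store leaves a stale pointer:   " << staleAfterEdenGC(true) << '\n';
}
```

The same-value fast path is safe only because the value being skipped is already visible to the collector; any store that changes the pointer, from any execution tier, has to go through the barrier, which is why the entry routes the LLInt, baseline JIT, DFG and FTL through the one slow path.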
3990
3991 2014-05-06 Michael Saboff <msaboff@apple.com>
3992
3993 Unreviewed build fix for C-LOOP after r168396.
3994
3995 * runtime/TestRunnerUtils.cpp:
3996 (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)
3997
3998 2014-05-06 Michael Saboff <msaboff@apple.com>
3999
4000 Add test for deleteAllCompiledCode
4001 https://bugs.webkit.org/show_bug.cgi?id=132632
4002
4003 Reviewed by Phil Pizlo.
4004
4005 Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
4006 the other to call CodeBlock::optimizeNextInvocation(). Used these two hooks
4007 to write a test that will queue up loads of DFG compiles and then call
4008 Heap::deleteAllCompiledCode() to make sure that it can handle compiled
4009 code as well as code being compiled.
4010
4011 * jsc.cpp:
4012 (GlobalObject::finishCreation):
4013 (functionDeleteAllCompiledCode):
4014 (functionOptimizeNextInvocation):
4015 * runtime/TestRunnerUtils.cpp:
4016 (JSC::optimizeNextInvocation):
4017 * runtime/TestRunnerUtils.h:
4018 * tests/stress/deleteAllCompiledCode.js: Added.
4019 (functionList):
4020 (runTest):
4021
4022 2014-05-06 Andreas Kling <akling@apple.com>
4023
4024 JSString::toAtomicString() should return AtomicString.
4025 <https://webkit.org/b/132627>
4026
4027 Remove premature optimization where I was trying to avoid refcount
4028 churn when returning an already atomicized String.
4029
4030 Instead of using reinterpret_cast to mangle the String member into
4031 a const AtomicString& return value, just return AtomicString.
4032
4033 Reviewed by Geoff Garen.
4034
4035 * runtime/JSString.h:
4036 (JSC::JSString::toAtomicString):
4037
4038 2014-05-06 Mark Hahnenberg <mhahnenberg@apple.com>
4039
4040 Roll out r167889
4041
4042 Rubber stamped by Geoff Garen.
4043
4044 It broke some websites.
4045
4046 * runtime/JSPropertyNameIterator.cpp:
4047 (JSC::JSPropertyNameIterator::create):
4048 * runtime/PropertyMapHashTable.h:
4049 (JSC::PropertyTable::hasDeletedOffset):
4050 (JSC::PropertyTable::hadDeletedOffset): Deleted.
4051 * runtime/Structure.cpp:
4052 (JSC::Structure::Structure):
4053 (JSC::Structure::materializePropertyMap):
4054 (JSC::Structure::removePropertyTransition):
4055 (JSC::Structure::changePrototypeTransition):
4056 (JSC::Structure::despecifyFunctionTransition):
4057 (JSC::Structure::attributeChangeTransition):
4058 (JSC::Structure::toDictionaryTransition):
4059 (JSC::Structure::preventExtensionsTransition):
4060 (JSC::Structure::addPropertyWithoutTransition):
4061 (JSC::Structure::removePropertyWithoutTransition):
4062 (JSC::Structure::pin):
4063 (JSC::Structure::pinAndPreventTransitions): Deleted.
4064 * runtime/Structure.h:
4065 * runtime/StructureInlines.h:
4066 (JSC::Structure::setEnumerationCache):
4067 (JSC::Structure::propertyTable):
4068 (JSC::Structure::checkOffsetConsistency):
4069 (JSC::Structure::hadDeletedOffsets): Deleted.
4070 * tests/stress/for-in-after-delete.js:
4071 (foo): Deleted.
4072
4073 2014-05-05 Andreas Kling <akling@apple.com>
4074
4075 Fix debug build.
4076
4077 * runtime/JSCellInlines.h:
4078 (JSC::JSCell::fastGetOwnProperty):
4079
4080 2014-05-05 Andreas Kling <akling@apple.com>
4081
4082 Optimize GetByVal when subscript is a rope string.
4083 <https://webkit.org/b/132590>
4084
4085 Use JSString::toIdentifier() in the various GetByVal implementations
4086 to try and avoid allocating extra strings.
4087
4088 Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
4089 in that, to avoid calling JSString::value() which always resolves ropes
4090 into new strings and de-optimizes subsequent toIdentifier() calls.
4091
4092 My iMac says ~9% progression on Dromaeo/dom-attr.html
4093
4094 Reviewed by Phil Pizlo.
4095
4096 * dfg/DFGOperations.cpp:
4097 * jit/JITOperations.cpp:
4098 (JSC::getByVal):
4099 * llint/LLIntSlowPaths.cpp:
4100 (JSC::LLInt::getByVal):
4101 * runtime/JSCell.h:
4102 * runtime/JSCellInlines.h:
4103 (JSC::JSCell::fastGetOwnProperty):
4104 (JSC::JSCell::canUseFastGetOwnProperty):
4105
4106 2014-05-05 Andreas Kling <akling@apple.com>
4107
4108 REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
4109 <https://webkit.org/b/168256>
4110 <rdar://problem/16816316>
4111
4112 Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
4113 clear the fibers. The caller takes care of this.
4114
4115 Test: fast/dom/getElementById-with-rope-string-arg.html
4116
4117 Reviewed by Geoffrey Garen.
4118
4119 * runtime/JSString.cpp:
4120 (JSC::JSRopeString::resolveRopeSlowCase8):
4121
4122 2014-05-05 Michael Saboff <msaboff@apple.com>
4123
4124 REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
4125 https://bugs.webkit.org/show_bug.cgi?id=132581
4126
4127 Reviewed by Filip Pizlo.
4128
4129 * dfg/DFGPlan.cpp:
4130 (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
4131 started compiling for is still the same at the end of compilation.
4132 Also did some minor restructuring.
4133
4134 2014-05-05 Andreas Kling <akling@apple.com>
4135
4136 Optimize PutByVal when subscript is a rope string.
4137 <https://webkit.org/b/132572>
4138
4139 Add a JSString::toIdentifier() that is smarter when the JSString is
4140 really a rope string. Use this in baseline & DFG's PutByVal to avoid
4141 allocating new StringImpls that we immediately deduplicate anyway.
4142
4143 Reviewed by Antti Koivisto.
4144
4145 * dfg/DFGOperations.cpp:
4146 (JSC::DFG::operationPutByValInternal):
4147 * jit/JITOperations.cpp:
4148 * runtime/JSString.h:
4149 (JSC::JSString::toIdentifier):
4150
4151 2014-05-05 Andreas Kling <akling@apple.com>
4152
4153 Remove two now-incorrect assertions after r168256.
4154
4155 * runtime/JSString.cpp:
4156 (JSC::JSRopeString::resolveRopeSlowCase8):
4157 (JSC::JSRopeString::resolveRopeSlowCase):
4158
4159 2014-05-04 Andreas Kling <akling@apple.com>
4160
4161 Optimize JSRopeString for resolving directly to AtomicString.
4162 <https://webkit.org/b/132548>
4163
4164 If we know that the JSRopeString we are resolving is going to be used
4165 as an AtomicString, we can try to avoid creating a new string.
4166
4167 We do this by first resolving the rope into a stack buffer, and using
4168 that buffer as a key into the AtomicString table. If there is already
4169 an AtomicString with the same characters, we reuse that instead of
4170 constructing a new StringImpl.
4171
4172 JSString gains these two public functions:
4173
4174 - AtomicString toAtomicString()
4175
4176 Returns an AtomicString, tries to avoid allocating a new string
4177 if possible.
4178
4179 - AtomicStringImpl* toExistingAtomicString()
4180
4181 Returns a non-null AtomicStringImpl* if one already exists in the
4182 AtomicString table. If none is found, the rope is left unresolved.
4183
4184 Reviewed by Filip Pizlo.
4185
4186 * runtime/JSString.cpp:
4187 (JSC::JSRopeString::resolveRopeInternal8):
4188 (JSC::JSRopeString::resolveRopeInternal16):
4189 (JSC::JSRopeString::resolveRopeToAtomicString):
4190 (JSC::JSRopeString::clearFibers):
4191 (JSC::JSRopeString::resolveRopeToExistingAtomicString):
4192 (JSC::JSRopeString::resolveRope):
4193 (JSC::JSRopeString::outOfMemory):
4194 * runtime/JSString.h:
4195 (JSC::JSString::toAtomicString):
4196 (JSC::JSString::toExistingAtomicString):
4197
4198 2014-05-04 Andreas Kling <akling@apple.com>
4199
4200 Unreviewed, rolling out r168254.
4201
4202 Very crashy on debug JSC tests.
4203
4204 Reverted changeset:
4205
4206 "jsSubstring() should be lazy"
4207 https://bugs.webkit.org/show_bug.cgi?id=132556
4208 http://trac.webkit.org/changeset/168254
4209
42102014-05-04 Filip Pizlo <fpizlo@apple.com>
4211
4212 jsSubstring() should be lazy
4213 https://bugs.webkit.org/show_bug.cgi?id=132556
4214
4215 Reviewed by Andreas Kling.
4216
4217 jsSubstring() is now lazy by using a special rope that is a substring instead of a
4218 concatenation. To make this patch super simple, we require that a substring's base is
4219 never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
4220 path, or we go down a concatenation path which may see exactly one level of substrings in
4221 its fibers.
4222
4223 This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
4224
4225 * heap/MarkedBlock.cpp:
4226 (JSC::MarkedBlock::specializedSweep):
4227 * runtime/JSString.cpp:
4228 (JSC::JSRopeString::visitFibers):
4229 (JSC::JSRopeString::resolveRope):
4230 (JSC::JSRopeString::resolveRopeSlowCase8):
4231 (JSC::JSRopeString::resolveRopeSlowCase):
4232 (JSC::JSRopeString::outOfMemory):
4233 * runtime/JSString.h:
4234 (JSC::JSRopeString::finishCreation):
4235 (JSC::JSRopeString::append):
4236 (JSC::JSRopeString::create):
4237 (JSC::JSRopeString::offsetOfFibers):
4238 (JSC::JSRopeString::fiber):
4239 (JSC::JSRopeString::substringBase):
4240 (JSC::JSRopeString::substringOffset):
4241 (JSC::JSRopeString::substringSentinel):
4242 (JSC::JSRopeString::isSubstring):
4243 (JSC::jsSubstring):
4244 * runtime/RegExpMatchesArray.cpp:
4245 (JSC::RegExpMatchesArray::reifyAllProperties):
4246 * runtime/StringPrototype.cpp:
4247 (JSC::stringProtoFuncSubstring):
4248
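The lazy-substring rope from the entry above and the existing-AtomicString lookup from the 2014-05-04 JSRopeString entry, modelled together as an added JavaScript example (not JavaScriptCore's own C++; Rope, makeFlat, makeSubstring, makeConcat, flatten, resolve, AtomicTable, toAtomic and toExistingAtomic are this example's names):

```javascript
// Added example, not JavaScriptCore's code: a toy rope modelling the two entries
// above. A substring rope stores (base, offset, length) instead of copying, and
// its base is always a flat string, never another rope (the invariant the
// jsSubstring patch requires). A concat rope holds flat strings or substring
// ropes as fibers, so resolving it meets at most one level of substrings.
// AtomicTable stands in for the AtomicString table; names are this example's own.

class Rope {
  constructor(kind, fields) {
    this.kind = kind;       // "flat" | "substring" | "concat"
    this.resolved = null;   // flat contents once resolved (flat ropes start resolved)
    Object.assign(this, fields);
  }
}

function makeFlat(s) {
  return new Rope("flat", { length: s.length, resolved: s });
}

// O(1) lazy substring. A rope base is resolved first so that the substring's
// base is flat; this is what keeps the substring resolve path non-recursive.
function makeSubstring(base, offset, length) {
  if (offset < 0 || length < 0 || offset + length > base.length) {
    throw new RangeError("substring out of bounds");
  }
  const flatBase = base.kind === "flat" ? base : makeFlat(resolve(base));
  return new Rope("substring", { base: flatBase, offset, length });
}

function makeConcat(fibers) {
  const length = fibers.reduce((n, f) => n + f.length, 0);
  return new Rope("concat", { fibers: fibers.slice(), length });
}

// Compute the flat contents without caching them on the rope (the "stack
// buffer" of the AtomicString entry). Substring: one slice of a flat base.
// Concat: walk the fibers; a substring fiber is again just one slice.
function flatten(rope) {
  if (rope.resolved !== null) return rope.resolved;
  if (rope.kind === "substring") {
    return rope.base.resolved.slice(rope.offset, rope.offset + rope.length);
  }
  if (rope.kind === "concat") {
    let out = "";
    for (const fiber of rope.fibers) out += flatten(fiber);
    return out;
  }
  throw new Error("unknown rope kind: " + rope.kind);
}

// resolveRope: flatten and remember the result on the rope.
function resolve(rope) {
  if (rope.resolved === null) rope.resolved = flatten(rope);
  return rope.resolved;
}

// Stand-in for the AtomicString table: one shared atom per distinct contents.
class AtomicTable {
  constructor() {
    this.atoms = new Map();
    this.allocations = 0;   // how many new atoms were created
  }
  intern(s) {
    let atom = this.atoms.get(s);
    if (atom === undefined) {
      atom = { value: s };
      this.atoms.set(s, atom);
      this.allocations += 1;
    }
    return atom;
  }
  lookup(s) {
    return this.atoms.get(s) || null;
  }
}

// toAtomicString: resolve via a scratch string, reuse an existing atom if the
// table has one, otherwise create it; either way the rope ends up resolved.
function toAtomic(rope, table) {
  const atom = table.intern(flatten(rope));
  rope.resolved = atom.value;
  return atom;
}

// toExistingAtomicString: only consult the table. On a miss the rope stays
// unresolved and nothing is allocated in the table.
function toExistingAtomic(rope, table) {
  const atom = table.lookup(flatten(rope));
  if (atom !== null) rope.resolved = atom.value;
  return atom;
}
```
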
2014-05-02 Michael Saboff <msaboff@apple.com>

        "arm64 function not 4-byte aligned" warnings when building JSC
        https://bugs.webkit.org/show_bug.cgi?id=132495

        Reviewed by Geoffrey Garen.

        Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.

        * llint/LowLevelInterpreter.cpp:

2014-05-02 Mark Hahnenberg <mhahnenberg@apple.com>

        Fix cloop build after r168178

        * bytecode/CodeBlock.cpp:

2014-05-01 Mark Hahnenberg <mhahnenberg@apple.com>

        Add a DFG function whitelist
        https://bugs.webkit.org/show_bug.cgi?id=132437

        Reviewed by Geoffrey Garen.

        Often times when debugging, using bytecode ranges isn't enough to narrow down to the
        particular DFG block that's causing issues. This patch adds the ability to whitelist
        specific functions specified in a file to enable further filtering without having to recompile.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupported):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForClosureCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGFunctionWhitelist.cpp: Added.
        (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
        (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
        (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
        (JSC::DFG::FunctionWhitelist::contains):
        * dfg/DFGFunctionWhitelist.h: Added.
        * runtime/Options.cpp:
        (JSC::parse):
        (JSC::Options::dumpOption):
        * runtime/Options.h:

2014-05-02 Filip Pizlo <fpizlo@apple.com>

        DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
        https://bugs.webkit.org/show_bug.cgi?id=132446

        Reviewed by Mark Hahnenberg.

        Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
        our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
        to indicate a bound on the value. This is useful for knowing, for example, that
        Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
        ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
        But this means that all arithmetic operations must be careful to note that they may
        turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        * tests/stress/int52-ai-add-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
        (foo):

2014-05-01 Geoffrey Garen <ggaren@apple.com>

        JavaScriptCore fails to build with some versions of clang
        https://bugs.webkit.org/show_bug.cgi?id=132436

        Reviewed by Anders Carlsson.

        * runtime/ArgumentsIteratorConstructor.cpp: Since we call
        putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
        and both are marked inline, it's valid for the compiler to decide
        to inline both and emit neither in the binary. Therefore, we need
        both inline definitions to be available in the translation unit at
        compile time, or we'll try to link against a function that doesn't exist.

2014-05-01 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r167964.
        https://bugs.webkit.org/show_bug.cgi?id=132431

        Memory improvements should not regress memory usage (Requested
        by olliej on #webkit).

        Reverted changeset:

        "Don't hold on to parameter BindingNodes forever"
        https://bugs.webkit.org/show_bug.cgi?id=132360
        http://trac.webkit.org/changeset/167964

2014-05-01 Filip Pizlo <fpizlo@apple.com>

        Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
        https://bugs.webkit.org/show_bug.cgi?id=132427

        Reviewed by Mark Hahnenberg.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):

2014-04-30 Simon Fraser <simon.fraser@apple.com>

        Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
        https://bugs.webkit.org/show_bug.cgi?id=132396

        Reviewed by Eric Carlson.

        Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.

        * Configurations/FeatureDefines.xcconfig:

2014-04-30 Filip Pizlo <fpizlo@apple.com>

        Argument flush formats should not be presumed to be JSValue since 'this' is weird
        https://bugs.webkit.org/show_bug.cgi?id=132404

        Reviewed by Michael Saboff.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Ditto.
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
        * tests/stress/strict-to-this-int.js: Added.
        (foo):
        (Number.prototype.valueOf):
        (test):

2014-04-29 Oliver Hunt <oliver@apple.com>

        Don't hold on to parameterBindingNodes forever
        https://bugs.webkit.org/show_bug.cgi?id=132360

        Reviewed by Geoffrey Garen.

        Don't keep the parameter nodes anymore. Instead we store the
        original parameter string and reparse whenever we actually
        need them. Because we only actually need them for compilation
        this only results in a single extra parse.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedFunctionExecutable::finishCreation):
        (JSC::UnlinkedFunctionExecutable::paramString):
        (JSC::UnlinkedFunctionExecutable::parameters):
        (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::create):
        (JSC::UnlinkedFunctionExecutable::parameterCount):
        (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
        (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::ASTBuilder):
        (JSC::ASTBuilder::setFunctionBodyParameters):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::parametersStartOffset):
        (JSC::FunctionBodyNode::parametersEndOffset):
        (JSC::FunctionBodyNode::setParameterLocation):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::parseParameters):
        * parser/Parser.h:
        (JSC::parse):
        * parser/SourceCode.h:
        (JSC::SourceCode::subExpression):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::setFunctionBodyParameters):

2014-04-29 Mark Hahnenberg <mhahnenberg@apple.com>

        JSProxies should be cacheable
        https://bugs.webkit.org/show_bug.cgi?id=132351

        Reviewed by Geoffrey Garen.

        Whenever we encounter a proxy in an inline cache we should try to cache on the
        proxy's target instead of giving up.

        This patch adds support for a simple "recursive" inline cache if the base object
        we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses
        are the only ones to benefit from this right now.

        This is performance neutral on the benchmarks we track. Currently we won't
        cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.

        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionCreateProxy):
        * runtime/IntendedStructureChain.cpp:
        (JSC::IntendedStructureChain::isNormalized):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isProxy):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSProxy.h:
        (JSC::JSProxy::createStructure):
        (JSC::JSProxy::targetOffset):
        * runtime/JSType.h:
        * runtime/Operations.h:
        (JSC::isPrototypeChainNormalized):
        * runtime/Structure.h:
        (JSC::Structure::isProxy):
        * tests/stress/proxy-inline-cache.js: Added.
        (cacheOnTarget.getX):
        (cacheOnTarget):
        (cacheOnPrototypeOfTarget.getX):
        (cacheOnPrototypeOfTarget):
        (dontCacheOnProxyInPrototypeChain.getX):
        (dontCacheOnProxyInPrototypeChain):
        (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
        (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):

2014-04-29 Filip Pizlo <fpizlo@apple.com>

        Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
        https://bugs.webkit.org/show_bug.cgi?id=112840

        Rubber stamped by Geoffrey Garen.

        * Configurations/FeatureDefines.xcconfig:

2014-04-29 Geoffrey Garen <ggaren@apple.com>

        String.prototype.trim removes U+200B from strings.
        https://bugs.webkit.org/show_bug.cgi?id=130184

        Reviewed by Michael Saboff.

        * runtime/StringPrototype.cpp:
        (JSC::trimString):
        (JSC::isTrimWhitespace): Deleted.

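An added example (not WebKit's code) that checks the engine's native trim() against the ES5 definition the fix above follows, and shows why input validation cannot rely on trim() to remove zero-width or bidi-control characters; es5Trim, trimDivergences, stripFormatChars, sameAfterTrim and sameAfterStrip are this example's own names:

```javascript
// Added example, not WebKit's code. ES5.1 section 15.5.4.20 defines trim() as
// stripping WhiteSpace (TAB, VT, FF, SP, NBSP, BOM and any other Unicode "Zs"
// character) and LineTerminator (LF, CR, LS, PS) from both ends. es5Trim()
// implements that definition so the native trim() can be checked against it.
// U+200B ZERO WIDTH SPACE is general category Cf (format), not Zs, so a
// conforming trim() leaves it alone, which is the behaviour the entry above
// restores. stripFormatChars() is a hypothetical helper for callers that need
// such characters removed from a token; all names here are this example's own.

const ES5_EDGE =
  /^[\t\v\f \u00A0\uFEFF\p{Zs}\n\r\u2028\u2029]+|[\t\v\f \u00A0\uFEFF\p{Zs}\n\r\u2028\u2029]+$/gu;

function es5Trim(s) {
  return String(s).replace(ES5_EDGE, "");
}

// Returns the inputs on which the native trim() and the ES5 definition disagree.
function trimDivergences(inputs) {
  return inputs.filter((s) => s.trim() !== es5Trim(s));
}

// Removes every Unicode format character (Cf: ZWSP, ZWNJ, ZWJ, BOM, bidi
// controls such as U+202E RIGHT-TO-LEFT OVERRIDE, ...). Apply this only to
// fields that are identifiers or tokens; free text in some scripts and emoji
// sequences legitimately contain joiners.
function stripFormatChars(s) {
  return String(s).replace(/\p{Cf}/gu, "");
}

// Two names that render identically but differ by an invisible character
// compare unequal after trim(); only after stripping Cf do they collide,
// which is what a uniqueness check on usernames or tokens has to see.
function sameAfterTrim(a, b) {
  return a.trim() === b.trim();
}

function sameAfterStrip(a, b) {
  return stripFormatChars(a.trim()) === stripFormatChars(b.trim());
}

// Constructed sample inputs.
const SAMPLES = [
  "  plain  ",
  "\u00A0\uFEFF nbsp-bom \u2028",
  "\u3000 ideographic space \u3000",
  "\u200Bzero-width\u200B",
  "\u200Ealice\u202E",
  "\t\n mixed \r\n",
];
```
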
2014-04-29 Mark Lam <mark.lam@apple.com>

        Zombifying sweep should ignore retired blocks.
        <https://webkit.org/b/132344>

        Reviewed by Mark Hahnenberg.

        By definition, retired blocks do not have "dead" objects, or at least
        none that we know of yet until the next marking phase has been run
        over it. So, we should not be sweeping them (even for zombie mode).

        * heap/Heap.cpp:
        (JSC::Heap::zombifyDeadObjects):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::zombifySweep):
        * heap/MarkedSpace.h:
        (JSC::ZombifySweep::operator()):

2014-04-29 Mark Lam <mark.lam@apple.com>

        Fix bit rot in zombie mode heap code.
        <https://webkit.org/b/132342>

        Reviewed by Mark Hahnenberg.

        Need to enter a DelayedReleaseScope before doing a sweep.

        * heap/Heap.cpp:
        (JSC::Heap::zombifyDeadObjects):

2014-04-29 Tomas Popela <tpopela@redhat.com>

        LLINT loadisFromInstruction doesn't need special case for big endians
        https://bugs.webkit.org/show_bug.cgi?id=132330

        Reviewed by Mark Lam.

        The change introduced in r167076 was wrong. We should not apply the offset
        adjustment on loadisFromInstruction usage as the instruction
        (UnlinkedInstruction) is declared as a union (i.e. with the int32_t
        operand variable). The offset of the other union members will be the
        same as the offset of the first one, that is 0. The behavior here is the
        same on little and big endian architectures. Thus we don't need a
        special case for big endians.

        * llint/LowLevelInterpreter.asm:

2014-04-28 Mark Hahnenberg <mhahnenberg@apple.com>

        Simplify tryCacheGetById
        https://bugs.webkit.org/show_bug.cgi?id=132314

        Reviewed by Oliver Hunt and Filip Pizlo.

        This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.

2014-04-28 Michael Saboff <msaboff@apple.com>

        REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
        https://bugs.webkit.org/show_bug.cgi?id=132315

        Reviewed by Mark Hahnenberg.

        Used the StringImpl version of utf8() instead of creating a String first.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):

2014-04-28 Filip Pizlo <fpizlo@apple.com>

        The LLInt is awesome and it should get more of the action.

        Rubber stamped by Geoffrey Garen.

        5% speed-up on JSBench and no meaningful regressions. Should be a PLT/DYE speed-up also.

        * runtime/Options.h:

2014-04-27 Filip Pizlo <fpizlo@apple.com>

        GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
        https://bugs.webkit.org/show_bug.cgi?id=132166

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        The GC can aid type inference by removing structures that are dead and jettisoning
        code that relies on those structures. This can dramatically accelerate type inference
        for some tricky programs.

        Unfortunately, we previously pinned any structures that enqueued compilations depended
        on. This means that if you're on a machine that only runs a single compilation thread
        and where compilations are relatively slow, you have a high chance of large numbers of
        structures being pinned during any GC since the compilation queue is likely to be full
        of random stuff.

        This comprehensively fixes this issue by allowing the GC to remove compilation plans
        if the things they depend on are dead, and to even cancel safepointed compilations.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
        (JSC::CodeBlock::isKnownToBeLiveDuringGC):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
        * dfg/DFGDesiredIdentifiers.h:
        * dfg/DFGDesiredWatchpoints.h:
        * dfg/DFGDesiredWeakReferences.cpp:
        (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGGraphSafepoint.cpp:
        (JSC::DFG::GraphSafepoint::GraphSafepoint):
        * dfg/DFGGraphSafepoint.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::notifyCompiling):
        (JSC::DFG::Plan::notifyCompiled):
        (JSC::DFG::Plan::notifyReady):
        (JSC::DFG::Plan::checkLivenessAndVisitChildren):
        (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
        (JSC::DFG::Plan::cancel):
        (JSC::DFG::Plan::visitChildren): Deleted.
        * dfg/DFGPlan.h:
        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::Result::~Result):
        (JSC::DFG::Safepoint::Result::didGetCancelled):
        (JSC::DFG::Safepoint::Safepoint):
        (JSC::DFG::Safepoint::~Safepoint):
        (JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
        (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
        (JSC::DFG::Safepoint::cancel):
        (JSC::DFG::Safepoint::visitChildren): Deleted.
        * dfg/DFGSafepoint.h:
        (JSC::DFG::Safepoint::Result::Result):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::Worklist::removeDeadPlans):
        (JSC::DFG::Worklist::runThread):
        (JSC::DFG::Worklist::visitChildren): Deleted.
        * dfg/DFGWorklist.h:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLCompile.h:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::visitCompilerWorklistWeakReferences):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::visitWeakHandles):
        (JSC::Heap::collect):
        (JSC::Heap::visitCompilerWorklists): Deleted.
        * heap/Heap.h:

2014-04-28 Mark Hahnenberg <mhahnenberg@apple.com>

        Deleting properties poisons objects
        https://bugs.webkit.org/show_bug.cgi?id=131551

        Reviewed by Oliver Hunt.

        This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.

        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::hasDeletedOffset):
        (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when
        iterating properties because we're required to iterate properties in insertion order.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
        (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of
        Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache
        delete transitions, but we allow transitioning from them.
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
        (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::hadDeletedOffsets):
        (JSC::Structure::propertyTable):
        (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
        * tests/stress/for-in-after-delete.js: Added.
        (foo):

2014-04-25 Andreas Kling <akling@apple.com>

        Inline (C++) GetByVal with numeric indices more aggressively.
        <https://webkit.org/b/132218>

        We were already inlining the string indexed GetByVal path pretty well,
        while the path for numeric indices got neglected. No more!

        ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:

        Before: 199.50 runs/s
        After:  218.58 runs/s

        Reviewed by Phil Pizlo.

        * dfg/DFGOperations.cpp:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::get):

            ALWAYS_INLINE all the things.

        * runtime/JSObject.h:
        (JSC::JSObject::getPropertySlot):

            Avoid fetching the Structure more than once. We have the same
            optimization in the string-indexed code path.

2014-04-25 Oliver Hunt <oliver@apple.com>

        Need earlier cell test
        https://bugs.webkit.org/show_bug.cgi?id=132211

        Reviewed by Mark Lam.

        Move cell test to before the function call repatch
        location, as the repatch logic for 32bit assumes that the
        caller will already have performed a cell check.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):

2014-04-25 Andreas Kling <akling@apple.com>

        Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
        (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.

2014-04-25 Andreas Kling <akling@apple.com>

        Windows build fix attempt.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):

2014-04-25 Mark Lam <mark.lam@apple.com>

        Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
        <https://webkit.org/b/132201>

        Reviewed by Joseph Pecoraro.

        BreakpointActions is Vector<ScriptBreakpointAction>. Let's just consistently use
        BreakpointActions everywhere.

        * inspector/ScriptBreakpoint.h:
        (Inspector::ScriptBreakpoint::ScriptBreakpoint):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::setBreakpoint):
        (Inspector::ScriptDebugServer::getActionsForBreakpoint):
        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::removeBreakpoint):
        * inspector/agents/InspectorDebuggerAgent.h:

2014-04-24 Filip Pizlo <fpizlo@apple.com>

        DFG worklist scanning should not treat the key as a separate entity
        https://bugs.webkit.org/show_bug.cgi?id=132167

        Reviewed by Mark Hahnenberg.

        This simplifies the interface to the GC and will enable more optimizations.

        * dfg/DFGCompilationKey.cpp:
        (JSC::DFG::CompilationKey::visitChildren): Deleted.
        * dfg/DFGCompilationKey.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::visitChildren):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::visitChildren):

2014-04-25 Oliver Hunt <oliver@apple.com>

        Remove unused parameter from codeblock linking function
        https://bugs.webkit.org/show_bug.cgi?id=132199

        Reviewed by Anders Carlsson.

        No change in behaviour. This is just a small change to make it
        slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
        actually mean.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedCodeBlock.h:
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):

2014-04-25 Andreas Kling <akling@apple.com>

        Mark some things with WTF_MAKE_FAST_ALLOCATED.
        <https://webkit.org/b/132198>

        Use FastMalloc for more things.

        Reviewed by Anders Carlsson.

        * builtins/BuiltinExecutables.h:
        * heap/GCThreadSharedData.h:
        * inspector/JSConsoleClient.h:
        * inspector/agents/InspectorAgent.h:
        * runtime/CodeCache.h:
        * runtime/JSGlobalObject.h:
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        (JSC::HashTable::deleteTable):
        * runtime/WeakGCMap.h:

2014-04-25 Antoine Quint <graouts@webkit.org>

        Implement Array.prototype.find()
        https://bugs.webkit.org/show_bug.cgi?id=130966

        Reviewed by Oliver Hunt.

        Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.

        * builtins/Array.prototype.js:
        (find):
        (findIndex):
        * runtime/ArrayPrototype.cpp:

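An added example (not the builtins/Array.prototype.js implementation): find() and findIndex() written out as the Harmony algorithm describes them, as free functions with the hypothetical names toLength, findCore, arrayFind and arrayFindIndex:

```javascript
// Added example, not JavaScriptCore's builtins/Array.prototype.js: a self-hosted
// find()/findIndex() following the Harmony (ES6 draft) algorithm the entry above
// implements. The receiver is converted with ToObject, length is read once via
// ToLength, a non-callable predicate throws TypeError before any element is
// visited, every index 0..len-1 is visited (holes read as undefined, unlike
// forEach/map), and the predicate receives (value, index, object) with thisArg
// as its receiver. Provided as free functions rather than prototype patches;
// the names are this example's own.

const MAX_SAFE = Number.MAX_SAFE_INTEGER;

// ES6 ToLength: NaN and negatives clamp to 0, huge values to 2^53 - 1.
function toLength(v) {
  const n = Number(v);
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(Math.floor(n), MAX_SAFE);
}

// Shared walk. Returns { index, value } of the first match, or index -1.
// The value is captured before the predicate runs, so a predicate that
// mutates the array cannot change what find() returns for that index.
function findCore(arrayLike, predicate, thisArg) {
  if (arrayLike === null || arrayLike === undefined) {
    throw new TypeError("find called on null or undefined");
  }
  const o = Object(arrayLike);
  const len = toLength(o.length);          // read once; later growth is ignored
  if (typeof predicate !== "function") {
    throw new TypeError("predicate is not a function");
  }
  for (let k = 0; k < len; k++) {
    const value = o[k];                     // holes are visited as undefined
    if (predicate.call(thisArg, value, k, o)) return { index: k, value };
  }
  return { index: -1, value: undefined };
}

function arrayFind(arrayLike, predicate, thisArg) {
  return findCore(arrayLike, predicate, thisArg).value;
}

function arrayFindIndex(arrayLike, predicate, thisArg) {
  return findCore(arrayLike, predicate, thisArg).index;
}
```
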
48632014-04-24 Brady Eidson <beidson@apple.com>
4864
4865 Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
4866 https://bugs.webkit.org/show_bug.cgi?id=132155
4867
4868 Reviewed by Tim Horton.
4869
4870 * Configurations/FeatureDefines.xcconfig:
4871
48722014-04-24 Michael Saboff <msaboff@apple.com>
4873
4874 REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
4875 https://bugs.webkit.org/show_bug.cgi?id=132147
4876
4877 Reviewed by Mark Lam.
4878
4879 Fixed or64(), eor32( ) and eor64() to use "src" register when we have a valid logicalImm.
4880
4881 * assembler/MacroAssemblerARM64.h:
4882 (JSC::MacroAssemblerARM64::or64):
4883 (JSC::MacroAssemblerARM64::xor32):
4884 (JSC::MacroAssemblerARM64::xor64):
4885 * tests/stress/regress-132147.js: Added test.
4886
48872014-04-24 Mark Lam <mark.lam@apple.com>
4888
4889 Make slowPathAllocsBetweenGCs a runtime option.
4890 <https://webkit.org/b/132137>
4891
4892 Reviewed by Mark Hahnenberg.
4893
4894 This will make it easier to more casually run tests with this configuration
4895 as well as to reproduce issues (instead of requiring a code mod and rebuild).
4896 We will now take --slowPathAllocsBetweenGCs=N where N is the number of
4897 slow path allocations before we trigger a collection.
4898
4899 The option defaults to 0, which is reserved to mean that we will not trigger
4900 any collections there.
4901
4902 * heap/Heap.h:
4903 * heap/MarkedAllocator.cpp:
4904 (JSC::MarkedAllocator::doTestCollectionsIfNeeded):
4905 (JSC::MarkedAllocator::allocateSlowCase):
4906 * heap/MarkedAllocator.h:
4907 * runtime/Options.h:
4908
49092014-04-23 Mark Lam <mark.lam@apple.com>
4910
4911 The GC should only resume compiler threads that it suspended in the same GC pass.
4912 <https://webkit.org/b/132088>
4913
4914 Reviewed by Mark Hahnenberg.
4915
4916 Previously, this scenario can occur:
4917 1. Thread 1 starts a GC and tries to suspend DFG worklist threads. However,
4918 no worklists were created yet at the that time.
4919 2. Thread 2 starts to compile some functions and creates a DFG worklist, and
4920 acquires the worklist thread's lock.
4921 3. Thread 1's GC completes and tries to resume suspended DFG worklist thread.
4922 This time, it sees the worklist created by Thread 2 and ends up unlocking
4923 the worklist thread's lock that is supposedly held by Thread 2.
4924 Thereafter, chaos ensues.
4925
4926 The fix is to cache the worklists that were actually suspended by each GC pass,
4927 and only resume those when the GC is done.
4928
4929 This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
4930 the fast/workers layout tests.
4931
4932 * heap/Heap.cpp:
4933 (JSC::Heap::visitCompilerWorklists):
4934 (JSC::Heap::deleteAllCompiledCode):
4935 (JSC::Heap::suspendCompilerThreads):
4936 (JSC::Heap::resumeCompilerThreads):
4937 * heap/Heap.h:
4938
49392014-04-23 Mark Hahnenberg <mhahnenberg@apple.com>
4940
4941 Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
4942 https://bugs.webkit.org/show_bug.cgi?id=132079
4943
4944 Reviewed by Michael Saboff.
4945
4946 Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.
4947
4948 Also added a test that previously triggered this bug.
4949
4950 * runtime/Arguments.cpp:
4951 (JSC::Arguments::copyBackingStore): D'oh!
4952 * tests/stress/arguments-copy-register-array-backing-store.js: Added.
4953 (foo):
4954 (bar):
4955
49562014-04-23 Mark Rowe <mrowe@apple.com>
4957
4958 [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
4959 <https://webkit.org/b/132053>
4960
4961 Reviewed by Dan Bernstein.
4962
4963 * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
4964 the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
4965 from /bin/sh since that generates unnecessary output.
4966
49672014-04-22 Mark Lam <mark.lam@apple.com>
4968
4969 DFG::Worklist should acquire the m_lock before iterating DFG plans.
4970 <https://webkit.org/b/132032>
4971
4972 Reviewed by Filip Pizlo.
4973
4974 Currently, there's a rightToRun mechanism that ensures that no compilation
4975 threads are running when the GC is iterating through the DFG worklists.
4976 However, this does not prevent a Worker thread from doing a DFG compilation
4977 and modifying the plans in the worklists thereby invalidating the plan
4978 iterator that the GC is using. This patch fixes the issue by acquiring
4979 the worklist m_lock before iterating the worklist plans.
4980
4981 This issue was uncovered by running the fast/workers layout tests with
4982 COLLECT_ON_EVERY_ALLOCATION enabled.
4983
4984 * dfg/DFGWorklist.cpp:
4985 (JSC::DFG::Worklist::isActiveForVM):
4986 (JSC::DFG::Worklist::visitChildren):
4987
49882014-04-22 Brent Fulgham <bfulgham@apple.com>
4989
4990 [Win] Support Python 2.7 in Cygwin
4991 https://bugs.webkit.org/show_bug.cgi?id=132023
4992
4993 Reviewed by Michael Saboff.
4994
4995 * DerivedSources.make: Use a conditional variable to define
4996 the path to Python/Perl.
4997
49982014-04-22 Filip Pizlo <fpizlo@apple.com>
4999
5000 Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
5001 https://bugs.webkit.org/show_bug.cgi?id=130867
5002 <rdar://problem/16432456>
5003
5004 Reviewed by Mark Hahnenberg.
5005
5006 * Configurations/Base.xcconfig:
5007 * Configurations/LLVMForJSC.xcconfig:
5008
50092014-04-22 Alex Christensen <achristensen@webkit.org>
5010
5011 [Win] Unreviewed build fix after my r167666.
5012
5013 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
5014 Added ../../../ again to include headers in Source/JavaScriptCore.
5015
50162014-04-22 Alex Christensen <achristensen@webkit.org>
5017
5018 Removed old stdbool and inttypes headers.
5019 https://bugs.webkit.org/show_bug.cgi?id=131966
5020
5021 Reviewed by Brent Fulgham.
5022
5023 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
5024 * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
5025 Removed references to os-win32 directory.
5026 * os-win32: Removed.
5027 * os-win32/inttypes.h: Removed.
5028 * os-win32/stdbool.h: Removed.
5029
50302014-04-21 Filip Pizlo <fpizlo@apple.com>
5031
5032 DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
5033 https://bugs.webkit.org/show_bug.cgi?id=131971
5034 <rdar://problem/16676511>
5035
5036 Reviewed by Mark Lam.
5037
5038 * dfg/DFGClobberize.h:
5039 (JSC::DFG::clobberize):
5040
5041 2014-04-21 Filip Pizlo <fpizlo@apple.com>
5042
5043 Switch statements that skip the baseline JIT should work
5044 https://bugs.webkit.org/show_bug.cgi?id=131965
5045
5046 Reviewed by Mark Hahnenberg.
5047
5048 * bytecode/JumpTable.h:
5049 (JSC::SimpleJumpTable::ensureCTITable):
5050 * dfg/DFGSpeculativeJIT.cpp:
5051 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
5052 * jit/JITOpcodes.cpp:
5053 (JSC::JIT::emit_op_switch_imm):
5054 (JSC::JIT::emit_op_switch_char):
5055 * jit/JITOpcodes32_64.cpp:
5056 (JSC::JIT::emit_op_switch_imm):
5057 (JSC::JIT::emit_op_switch_char):
5058 * tests/stress/inline-llint-with-switch.js: Added.
5059 (foo):
5060 (bar):
5061 (test):
5062
5063 2014-04-21 Mark Hahnenberg <mhahnenberg@apple.com>
5064
5065 Arguments objects shouldn't need a destructor
5066 https://bugs.webkit.org/show_bug.cgi?id=131899
5067
5068 Reviewed by Oliver Hunt.
5069
5070 This patch rids Arguments objects of their destructors. It does this by
5071 switching their backing stores to use CopiedSpace rather than malloc memory.
5072
5073 * dfg/DFGSpeculativeJIT.cpp:
5074 (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
5075 Arguments allocation so that it only emits an extra write for strict mode code rather
5076 than unconditionally.
5077 * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
5078 * runtime/Arguments.cpp:
5079 (JSC::Arguments::visitChildren): We need to tell the collector to copy the backing stores now.
5080 (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
5081 (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
5082 (JSC::Arguments::deleteProperty):
5083 (JSC::Arguments::defineOwnProperty):
5084 (JSC::Arguments::allocateRegisterArray):
5085 (JSC::Arguments::tearOff):
5086 (JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
5087 * runtime/Arguments.h:
5088 (JSC::Arguments::registerArraySizeInBytes):
5089 (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
5090 in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
5091 allocation.
5092 (JSC::Arguments::SlowArgumentData::slowArguments):
5093 (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
5094 (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
5095 (JSC::Arguments::SlowArgumentData::sizeForNumArguments):
5096 (JSC::Arguments::Arguments):
5097 (JSC::Arguments::allocateSlowArguments):
5098 (JSC::Arguments::tryDeleteArgument):
5099 (JSC::Arguments::isDeletedArgument):
5100 (JSC::Arguments::isArgument):
5101 (JSC::Arguments::argument):
5102 (JSC::Arguments::finishCreation):
5103 * runtime/SymbolTable.h:
5104
5105 2014-04-21 Eric Carlson <eric.carlson@apple.com>
5106
5107 [Mac] implement WebKitDataCue
5108 https://bugs.webkit.org/show_bug.cgi?id=131799
5109
5110 Reviewed by Dean Jackson.
5111
5112 * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
5113
5114 2014-04-21 Filip Pizlo <fpizlo@apple.com>
5115
5116 Unreviewed test gardening, run the repeat-out-of-bounds tests again.
5117
5118 * tests/stress/float32-repeat-out-of-bounds.js:
5119 * tests/stress/int8-repeat-out-of-bounds.js:
5120
5121 2014-04-21 Filip Pizlo <fpizlo@apple.com>
5122
5123 OSR exit should know about Int52 and Double constants
5124 https://bugs.webkit.org/show_bug.cgi?id=131945
5125
5126 Reviewed by Oliver Hunt.
5127
5128 The DFG OSR exit machinery's ignorance would lead to some constants becoming
5129 jsUndefined() after OSR exit.
5130
5131 The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
5132 stackmap constant rather than baking the constant into the OSRExit data structure.
5133 So, not a big deal, but worth fixing.
5134
5135 Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.
5136
5137 * dfg/DFGByteCodeParser.cpp:
5138 (JSC::DFG::ByteCodeParser::handleIntrinsic):
5139 * dfg/DFGMinifiedNode.h:
5140 (JSC::DFG::belongsInMinifiedGraph):
5141 (JSC::DFG::MinifiedNode::hasConstantNumber):
5142 * ftl/FTLLowerDFGToLLVM.cpp:
5143 (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
5144 * jsc.cpp:
5145 (GlobalObject::finishCreation):
5146 (functionOtherFalse):
5147 (functionUndefined):
5148 * runtime/Intrinsic.h:
5149 * tests/stress/fold-to-double-constant-then-exit.js: Added.
5150 (foo):
5151 * tests/stress/fold-to-int52-constant-then-exit.js: Added.
5152 (foo):
5153
5154 2014-04-21 Filip Pizlo <fpizlo@apple.com>
5155
5156 Provide feedback when we encounter an unrecognized node in the FTL backend.
5157
5158 Rubber stamped by Alexey Proskuryakov.
5159
5160 * ftl/FTLLowerDFGToLLVM.cpp:
5161 (JSC::FTL::LowerDFGToLLVM::compileNode):
5162
5163 2014-04-21 Andreas Kling <akling@apple.com>
5164
5165 Move the JSString cache from DOMWrapperWorld to VM.
5166 <https://webkit.org/b/131940>
5167
5168 Reviewed by Geoff Garen.
5169
5170 * runtime/VM.h:
5171
5172 2014-04-19 Filip Pizlo <fpizlo@apple.com>
5173
5174 Take block execution count estimates into account when voting double
5175 https://bugs.webkit.org/show_bug.cgi?id=131906
5176
5177 Reviewed by Geoffrey Garen.
5178
5179 This was a drama in three acts.
5180
5181 Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
5182 number of uses of a variable that want double or non-double. Easy as pie. This
5183 gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
5184 else.
5185
5186 Act II: Realize that there were some programs where our previous double voting was
5187 just on the edge of disaster and making it more precise tipped it over. In
5188 particular, if you had an integer variable that would infrequently be used in a
5189 computation that resulted in a variable that was frequently used as an array index,
5190 the outer infrequentness would be the thing we'd use in the vote. So, an array
5191 index would become double. We fix this by reviving global backwards propagation
5192 and introducing the concept of ReallyWantsInt, which is used just for array
5193 indices. Any variable transitively flagged as ReallyWantsInt will never be forced
5194 double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
5195 be set in bitops for RageConversion but using it for double forcing is too much.
5196 Basically, it's cheaper to have to convert a double to an int for a bitop than it
5197 is to convert a double to an int for an array index; also a variable being used as
5198 an array index is a much stronger hint that it ought to be an int. This recovered
5199 performance on everything except programs that used FTL OSR entry.
5200
5201 Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
5202 count, which then completely pollutes the weighting - essentially all votes go
5203 NaN. Fix this with some surgical defenses. Basically, any client of execution
5204 counts should allow for them to be NaN and shouldn't completely fall off a cliff
5205 when it happens.
5206
5207 This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to
5208 7% speed-up on AsmBench and 2% speed-up on Kraken.
5209
5210 * CMakeLists.txt:
5211 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
5212 * JavaScriptCore.xcodeproj/project.pbxproj:
5213 * dfg/DFGBackwardsPropagationPhase.cpp:
5214 (JSC::DFG::BackwardsPropagationPhase::run):
5215 (JSC::DFG::BackwardsPropagationPhase::propagate):
5216 * dfg/DFGGraph.cpp:
5217 (JSC::DFG::Graph::dumpBlockHeader):
5218 * dfg/DFGGraph.h:
5219 (JSC::DFG::Graph::voteNode):
5220 (JSC::DFG::Graph::voteChildren):
5221 * dfg/DFGNodeFlags.cpp:
5222 (JSC::DFG::dumpNodeFlags):
5223 * dfg/DFGNodeFlags.h:
5224 * dfg/DFGOSREntrypointCreationPhase.cpp:
5225 (JSC::DFG::OSREntrypointCreationPhase::run):
5226 * dfg/DFGPlan.cpp:
5227 (JSC::DFG::Plan::compileInThreadImpl):
5228 * dfg/DFGPredictionPropagationPhase.cpp:
5229 (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
5230 (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
5231 * dfg/DFGVariableAccessData.cpp: Added.
5232 (JSC::DFG::VariableAccessData::VariableAccessData):
5233 (JSC::DFG::VariableAccessData::mergeIsCaptured):
5234 (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
5235 (JSC::DFG::VariableAccessData::predict):
5236 (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
5237 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
5238 (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
5239 (JSC::DFG::VariableAccessData::mergeDoubleFormatState):
5240 (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
5241 (JSC::DFG::VariableAccessData::flushFormat):
5242 * dfg/DFGVariableAccessData.h:
5243 (JSC::DFG::VariableAccessData::vote):
5244 (JSC::DFG::VariableAccessData::VariableAccessData): Deleted.
5245 (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
5246 (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted.
5247 (JSC::DFG::VariableAccessData::predict): Deleted.
5248 (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted.
5249 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted.
5250 (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted.
5251 (JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted.
5252 (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted.
5253 (JSC::DFG::VariableAccessData::flushFormat): Deleted.
5254
5255 2014-04-21 Michael Saboff <msaboff@apple.com>
5256
5257 REGRESSION(r167591): ARM64 and ARM traditional builds broken
5258 https://bugs.webkit.org/show_bug.cgi?id=131935
5259
5260 Reviewed by Mark Hahnenberg.
5261
5262 Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64
5263 macro assemblers. Added a new test for the original patch.
5264
5265 * assembler/MacroAssemblerARM.h:
5266 (JSC::MacroAssemblerARM::store8):
5267 * assembler/MacroAssemblerARM64.h:
5268 (JSC::MacroAssemblerARM64::store8):
5269 * tests/stress/dfg-create-arguments-inline-alloc.js: New test.
5270
5271 2014-04-21 Mark Hahnenberg <mhahnenberg@apple.com>
5272
5273 Inline allocate Arguments objects in the DFG
5274 https://bugs.webkit.org/show_bug.cgi?id=131897
5275
5276 Reviewed by Geoffrey Garen.
5277
5278 Many libraries/frameworks depend on the arguments object for overloaded API entry points.
5279 This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create
5280 for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc.
5281
5282 * dfg/DFGSpeculativeJIT.cpp:
5283 (JSC::DFG::SpeculativeJIT::emitAllocateArguments):
5284 * dfg/DFGSpeculativeJIT.h:
5285 (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
5286 * dfg/DFGSpeculativeJIT32_64.cpp:
5287 (JSC::DFG::SpeculativeJIT::compile):
5288 * dfg/DFGSpeculativeJIT64.cpp:
5289 (JSC::DFG::SpeculativeJIT::compile):
5290 * runtime/Arguments.h:
5291 (JSC::Arguments::offsetOfActivation):
5292 (JSC::Arguments::offsetOfOverrodeLength):
5293 (JSC::Arguments::offsetOfIsStrictMode):
5294 (JSC::Arguments::offsetOfRegisterArray):
5295 (JSC::Arguments::offsetOfCallee):
5296 (JSC::Arguments::allocationSize):
5297
5298 2014-04-20 Andreas Kling <akling@apple.com>
5299
5300 Speed up jsStringWithCache() through WeakGCMap inlining.
5301 <https://webkit.org/b/131923>
5302
5303 Always inline WeakGCMap::add() but move the slow garbage collecting
5304 path out-of-line.
5305
5306 Reviewed by Darin Adler.
5307
5308 * runtime/WeakGCMap.h:
5309 (JSC::WeakGCMap::add):
5310 (JSC::WeakGCMap::gcMap):
5311
5312 2014-04-20 László Langó <llango.u-szeged@partner.samsung.com>
5313
5314 JavaScriptCore: ARM build fix after r167094.
5315 https://bugs.webkit.org/show_bug.cgi?id=131612
5316
5317 Reviewed by Michael Saboff.
5318
5319 After r167094 there are many build errors on ARM like these:
5320
5321 /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup
5322 /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup
5323 /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup
5324 /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup
5325
5326 Problem is caused by the wrong generated assembly like:
5327 "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741
5328
5329 `mov` can only move an 8-bit immediate, but not every constant fits into 8 bits. Clang converts
5330 the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't.
5331 Add a new ARM specific offline assembler instruction (`mvlbl`) for the following llint_entry
5332 use case: move rn, (label1-label2) which is translated to movw and movt.
5333
5334 * llint/LowLevelInterpreter.asm:
5335 * offlineasm/arm.rb:
5336 * offlineasm/instructions.rb:
5337
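The encoding constraint behind the "invalid constant" errors in the entry above, as an added example that is not part of this ChangeLog or of JSC's offline assembler: a plain ARM `mov` only encodes an 8-bit value rotated right by an even amount, so a label difference such as 0x425a needs a `movw`, plus a `movt` when its upper 16 bits are non-zero. The names `isArmModifiedImmediate`, `lowerMovImmediate` and `lowersTo` are this example's own.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Rotate-left helper; n == 0 is handled separately because x >> 32 is undefined.
static uint32_t rotl32(uint32_t x, unsigned n) {
    n &= 31;
    return n ? (x << n) | (x >> (32 - n)) : x;
}

// An ARM "modified immediate" is an 8-bit value rotated right by an even amount
// in 0..30. `mov rN, #imm` (unlike movw/movt) can only encode constants of that
// shape, which is why offsets like 0x425a are rejected by the assembler.
// (Constants whose bitwise complement fits could use mvn; not modeled here.)
bool isArmModifiedImmediate(uint32_t value) {
    for (unsigned rot = 0; rot < 32; rot += 2) {
        // value == ror(v, rot) with v < 256  <=>  rotl(value, rot) < 256
        if ((rotl32(value, rot) & ~0xFFu) == 0)
            return true;
    }
    return false;
}

struct Insn {
    const char* mnemonic;
    uint32_t imm;
};

// Lower `mov rN, #value` the way the entry describes: a single mov when the
// constant is encodable, otherwise movw for the low 16 bits plus movt for the
// high 16 bits when those are non-zero (the label-difference use case above).
std::vector<Insn> lowerMovImmediate(uint32_t value) {
    std::vector<Insn> out;
    if (isArmModifiedImmediate(value)) {
        out.push_back({"mov", value});
        return out;
    }
    out.push_back({"movw", value & 0xFFFFu});
    if (value >> 16)
        out.push_back({"movt", value >> 16});
    return out;
}

// True if lowering `value` yields exactly the given mnemonic sequence.
bool lowersTo(uint32_t value, const std::vector<const char*>& mnemonics) {
    std::vector<Insn> seq = lowerMovImmediate(value);
    if (seq.size() != mnemonics.size())
        return false;
    for (size_t i = 0; i < seq.size(); ++i)
        if (std::strcmp(seq[i].mnemonic, mnemonics[i]) != 0)
            return false;
    return true;
}
```
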
5338 2014-04-20 Csaba Osztrogonác <ossy@webkit.org>
5339
5340 [ARM] Unreviewed build fix after r167336.
5341
5342 * assembler/MacroAssemblerARM.h:
5343 (JSC::MacroAssemblerARM::branchAdd32):
5344
5345 2014-04-20 Commit Queue <commit-queue@webkit.org>
5346
5347 Unreviewed, rolling out r167501.
5348 https://bugs.webkit.org/show_bug.cgi?id=131913
5349
5350 It broke DYEBench (Requested by mhahnenberg on #webkit).
5351
5352 Reverted changeset:
5353
5354 "Deleting properties poisons objects"
5355 https://bugs.webkit.org/show_bug.cgi?id=131551
5356 http://trac.webkit.org/changeset/167501
5357
5358 2014-04-19 Filip Pizlo <fpizlo@apple.com>
5359
5360 It should be OK to store new fields into objects that have no prototypes
5361 https://bugs.webkit.org/show_bug.cgi?id=131905
5362
5363 Reviewed by Mark Hahnenberg.
5364
5365 * dfg/DFGByteCodeParser.cpp:
5366 (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
5367 * tests/stress/put-by-id-transition-null-prototype.js: Added.
5368 (foo):
5369
5370 2014-04-19 Benjamin Poulain <bpoulain@apple.com>
5371
5372 Make the CSS JIT compile for ARM64
5373 https://bugs.webkit.org/show_bug.cgi?id=131834
5374
5375 Reviewed by Gavin Barraclough.
5376
5377 Extend the ARM64 MacroAssembler to support the code generation required by
5378 the CSS JIT.
5379
5380 * assembler/MacroAssembler.h:
5381 * assembler/MacroAssemblerARM64.h:
5382 (JSC::MacroAssemblerARM64::addPtrNoFlags):
5383 (JSC::MacroAssemblerARM64::or32):
5384 (JSC::MacroAssemblerARM64::branchPtr):
5385 (JSC::MacroAssemblerARM64::test32):
5386 (JSC::MacroAssemblerARM64::branch):
5387 * assembler/MacroAssemblerX86Common.h:
5388 (JSC::MacroAssemblerX86Common::test32):
5389
5390 2014-04-19 Andreas Kling <akling@apple.com>
5391
5392 Two little shortcuts to the JSType.
5393 <https://webkit.org/b/131896>
5394
5395 Tweak two sites that take the long road through JSCell::structure()->typeInfo()
5396 to look at data that's already in JSCell::type().
5397
5398 Reviewed by Darin Adler.
5399
5400 * runtime/NameInstance.h:
5401 (JSC::isName):
5402 * runtime/NumberPrototype.cpp:
5403 (JSC::toThisNumber):
5404
5405 2014-04-19 Filip Pizlo <fpizlo@apple.com>
5406
5407 Make it easier to check if an integer sum would overflow
5408 https://bugs.webkit.org/show_bug.cgi?id=131900
5409
5410 Reviewed by Darin Adler.
5411
5412 * dfg/DFGOperations.cpp:
5413 * runtime/Operations.h:
5414 (JSC::jsString):
5415
5416 2014-04-19 Filip Pizlo <fpizlo@apple.com>
5417
5418 Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684.
5419
5420 * dfg/DFGOperations.cpp:
5421 * runtime/JSString.h:
5422 (JSC::JSRopeString::RopeBuilder::append):
5423
5424 2014-04-18 Mark Lam <mark.lam@apple.com>
5425
5426 REGRESSION(r164205): WebKit crash @StructureIDTable::get.
5427 <https://webkit.org/b/130539>
5428
5429 Reviewed by Geoffrey Garen.
5430
5431 prepareOSREntry() prepares for OSR entry by first copying the local var
5432 values from the baseline frame to a scratch buffer, which is then used
5433 to fill in the locals in their new position in the DFG frame. Unfortunately,
5434 prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
5435 size of the baseline frame. As a result, some values of locals in the
5436 baseline frame were not saved off, and the DFG frame may get initialized
5437 with random content that happened to be in the uninitialized (and possibly
5438 unallocated) portions of the scratch buffer.
5439
5440 The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
5441 number of locals in the baseline frame that we want to copy to the scratch
5442 buffer.
5443
5444 Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
5445 at offset 0 in the scratch buffer. So, we continue to write that value
5446 there, not the baseline frame size.
5447
5448 * dfg/DFGOSREntry.cpp:
5449 (JSC::DFG::prepareOSREntry):
5450
5451 2014-04-18 Timothy Hatcher <timothy@apple.com>
5452
5453 Web Inspector: Move InspectorProfilerAgent to JavaScriptCore
5454 https://bugs.webkit.org/show_bug.cgi?id=131673
5455
5456 Passes existing profiler and inspector tests.
5457
5458 Reviewed by Joseph Pecoraro.
5459
5460 * CMakeLists.txt:
5461 * DerivedSources.make:
5462 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
5463 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
5464 * JavaScriptCore.xcodeproj/project.pbxproj:
5465 * inspector/JSConsoleClient.cpp:
5466 (Inspector::JSConsoleClient::JSConsoleClient):
5467 (Inspector::JSConsoleClient::profile):
5468 (Inspector::JSConsoleClient::profileEnd):
5469 (Inspector::JSConsoleClient::count): Deleted.
5470 * inspector/JSConsoleClient.h:
5471 * inspector/JSGlobalObjectInspectorController.cpp:
5472 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
5473 * inspector/agents/InspectorProfilerAgent.cpp: Added.
5474 (Inspector::InspectorProfilerAgent::InspectorProfilerAgent):
5475 (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent):
5476 (Inspector::InspectorProfilerAgent::addProfile):
5477 (Inspector::InspectorProfilerAgent::createProfileHeader):
5478 (Inspector::InspectorProfilerAgent::enable):
5479 (Inspector::InspectorProfilerAgent::disable):
5480 (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName):
5481 (Inspector::InspectorProfilerAgent::getProfileHeaders):
5482 (Inspector::buildInspectorObject):
5483 (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
5484 (Inspector::InspectorProfilerAgent::getCPUProfile):
5485 (Inspector::InspectorProfilerAgent::removeProfile):
5486 (Inspector::InspectorProfilerAgent::reset):
5487 (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend):
5488 (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend):
5489 (Inspector::InspectorProfilerAgent::start):
5490 (Inspector::InspectorProfilerAgent::stop):
5491 (Inspector::InspectorProfilerAgent::setRecordingProfile):
5492 (Inspector::InspectorProfilerAgent::startProfiling):
5493 (Inspector::InspectorProfilerAgent::stopProfiling):
5494 * inspector/agents/InspectorProfilerAgent.h: Added.
5495 * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl.
5496 (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent):
5497 (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState):
5498 * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl.
5499 * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json.
5500 * profiler/Profile.h:
5501 * runtime/ConsoleClient.h:
5502
5503 2014-04-18 Commit Queue <commit-queue@webkit.org>
5504
5505 Unreviewed, rolling out r167527.
5506 https://bugs.webkit.org/show_bug.cgi?id=131883
5507
5508 Broke 32-bit build (Requested by ap on #webkit).
5509
5510 Reverted changeset:
5511
5512 "[Mac] implement WebKitDataCue"
5513 https://bugs.webkit.org/show_bug.cgi?id=131799
5514 http://trac.webkit.org/changeset/167527
5515
5516 2014-04-18 Eric Carlson <eric.carlson@apple.com>
5517
5518 [Mac] implement WebKitDataCue
5519 https://bugs.webkit.org/show_bug.cgi?id=131799
5520
5521 Reviewed by Dean Jackson.
5522
5523 * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
5524
5525 2014-04-18 Filip Pizlo <fpizlo@apple.com>
5526
5527 Actually address Mark's review feedback.
5528
5529 * dfg/DFGOSRExitCompilerCommon.cpp:
5530 (JSC::DFG::handleExitCounts):
5531
5532 2014-04-18 Filip Pizlo <fpizlo@apple.com>
5533
5534 Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups
5535 https://bugs.webkit.org/show_bug.cgi?id=131850
5536
5537 Reviewed by Mark Hahnenberg.
5538
5539 Templatize ExecutionCounter to allow for two different styles of calculating the
5540 checkpoint threshold.
5541
5542 Appears to be a slight speed-up on DYEBench.
5543
5544 * bytecode/CodeBlock.h:
5545 (JSC::CodeBlock::llintExecuteCounter):
5546 (JSC::CodeBlock::offsetOfJITExecuteCounter):
5547 (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
5548 (JSC::CodeBlock::offsetOfJITExecutionTotalCount):
5549 (JSC::CodeBlock::jitExecuteCounter):
5550 * bytecode/ExecutionCounter.cpp:
5551 (JSC::ExecutionCounter<countingVariant>::ExecutionCounter):
5552 (JSC::ExecutionCounter<countingVariant>::forceSlowPathConcurrently):
5553 (JSC::ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet):
5554 (JSC::ExecutionCounter<countingVariant>::setNewThreshold):
5555 (JSC::ExecutionCounter<countingVariant>::deferIndefinitely):
5556 (JSC::applyMemoryUsageHeuristics):
5557 (JSC::applyMemoryUsageHeuristicsAndConvertToInt):
5558 (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
5559 (JSC::ExecutionCounter<countingVariant>::setThreshold):
5560 (JSC::ExecutionCounter<countingVariant>::reset):
5561 (JSC::ExecutionCounter<countingVariant>::dump):
5562 (JSC::ExecutionCounter::ExecutionCounter): Deleted.
5563 (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted.
5564 (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted.
5565 (JSC::ExecutionCounter::setNewThreshold): Deleted.
5566 (JSC::ExecutionCounter::deferIndefinitely): Deleted.
5567 (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted.
5568 (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted.
5569 (JSC::ExecutionCounter::hasCrossedThreshold): Deleted.
5570 (JSC::ExecutionCounter::setThreshold): Deleted.
5571 (JSC::ExecutionCounter::reset): Deleted.
5572 (JSC::ExecutionCounter::dump): Deleted.
5573 * bytecode/ExecutionCounter.h:
5574 (JSC::formattedTotalExecutionCount):
5575 (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints):
5576 (JSC::ExecutionCounter::clippedThreshold):
5577 (JSC::ExecutionCounter::formattedTotalCount): Deleted.
5578 * dfg/DFGJITCode.h:
5579 * dfg/DFGOSRExitCompilerCommon.cpp:
5580 (JSC::DFG::handleExitCounts):
5581 * llint/LowLevelInterpreter.asm:
5582 * runtime/Options.h:
5583
5584 2014-04-17 Mark Hahnenberg <mhahnenberg@apple.com>
5585
5586 Deleting properties poisons objects
5587 https://bugs.webkit.org/show_bug.cgi?id=131551
5588
5589 Reviewed by Geoffrey Garen.
5590
5591 This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
5592
5593 * runtime/Structure.cpp:
5594 (JSC::Structure::Structure):
5595 (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
5596 (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of
5597 Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache
5598 delete transitions, but we allow transitioning from them.
5599 (JSC::Structure::changePrototypeTransition):
5600 (JSC::Structure::despecifyFunctionTransition):
5601 (JSC::Structure::attributeChangeTransition):
5602 (JSC::Structure::toDictionaryTransition):
5603 (JSC::Structure::preventExtensionsTransition):
5604 (JSC::Structure::addPropertyWithoutTransition):
5605 (JSC::Structure::removePropertyWithoutTransition):
5606 (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
5607 (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
5608 * runtime/Structure.h:
5609 * runtime/StructureInlines.h:
5610 (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
5611
5612 2014-04-17 Filip Pizlo <fpizlo@apple.com>
5613
5614 InlineCallFrameSet should be refcounted
5615 https://bugs.webkit.org/show_bug.cgi?id=131829
5616
5617 Reviewed by Geoffrey Garen.
5618
5619 And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it
5620 became owned by JITCode. Except that if we're "failing" to compile, JITCode may die.
5621 Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning
5622 the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet.
5623
5624 So, just make the darn thing refcounted.
5625
5626 * bytecode/InlineCallFrameSet.h:
5627 * dfg/DFGArgumentsSimplificationPhase.cpp:
5628 (JSC::DFG::ArgumentsSimplificationPhase::run):
5629 * dfg/DFGByteCodeParser.cpp:
5630 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
5631 * dfg/DFGCommonData.h:
5632 * dfg/DFGGraph.cpp:
5633 (JSC::DFG::Graph::Graph):
5634 (JSC::DFG::Graph::requiredRegisterCountForExit):
5635 * dfg/DFGGraph.h:
5636 * dfg/DFGJITCompiler.cpp:
5637 (JSC::DFG::JITCompiler::link):
5638 * dfg/DFGPlan.cpp:
5639 (JSC::DFG::Plan::Plan):
5640 * dfg/DFGPlan.h:
5641 * dfg/DFGStackLayoutPhase.cpp:
5642 (JSC::DFG::StackLayoutPhase::run):
5643 * ftl/FTLFail.cpp:
5644 (JSC::FTL::fail):
5645 * ftl/FTLLink.cpp:
5646 (JSC::FTL::link):
5647
5648 2014-04-17 Filip Pizlo <fpizlo@apple.com>
5649
5650 FTL::fail() should manage memory "correctly"
5651 https://bugs.webkit.org/show_bug.cgi?id=131823
5652 <rdar://problem/16384297>
5653
5654 Reviewed by Oliver Hunt.
5655
5656 * ftl/FTLFail.cpp:
5657 (JSC::FTL::fail):
5658
5659 2014-04-17 Filip Pizlo <fpizlo@apple.com>
5660
5661 Prediction propagator should correctly model Int52s flowing through arguments
5662 https://bugs.webkit.org/show_bug.cgi?id=131822
5663 <rdar://problem/16641408>
5664
5665 Reviewed by Oliver Hunt.
5666
5667 * dfg/DFGPredictionPropagationPhase.cpp:
5668 (JSC::DFG::PredictionPropagationPhase::propagate):
5669 * tests/stress/int52-argument.js: Added.
5670 (foo):
5671 * tests/stress/int52-variable.js: Added.
5672 (foo):
5673
5674 2014-04-17 Filip Pizlo <fpizlo@apple.com>
5675
5676 REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests
5677 https://bugs.webkit.org/show_bug.cgi?id=131798
5678
5679 Reviewed by Alexey Proskuryakov.
5680
5681 Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version
5682 of this assertion can return. For now, it's not clear that the assertion is guarding
5683 any truly undesirable behavior - so it should just go away and be replaced with a
5684 FIXME.
5685
5686 * bytecode/GetByIdStatus.cpp:
5687 (JSC::GetByIdStatus::computeForStubInfo):
5688 * runtime/Structure.h:
5689 (JSC::Structure::takesSlowPathInDFGForImpureProperty):
5690
5691 2014-04-17 David Kilzer <ddkilzer@apple.com>
5692
5693 Blind attempt to fix Windows build after r166837
5694 <http://webkit.org/b/131246>
5695
5696 Hoping to fix this build error:
5697
5698 warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result. The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp.
5699
5700 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste
5701 boo-boo by changing the GCLogging.cpp ClCompile entry to a
5702 GCLogging.h ClInclude entry.
5703
5704 2014-04-16 Filip Pizlo <fpizlo@apple.com>
5705
5706 AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone
5707 https://bugs.webkit.org/show_bug.cgi?id=131764
5708
5709 Reviewed by Geoffrey Garen.
5710
5711 The attached test case can be made to not crash by deleting old code. It used to be
5712 the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
5713 long ago. At this point, these guards just make life difficult. So get rid of them.
5714
5715 * dfg/DFGAbstractInterpreterInlines.h:
5716 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
5717 * dfg/DFGSpeculativeJIT32_64.cpp:
5718 (JSC::DFG::SpeculativeJIT::compile):
5719 * dfg/DFGSpeculativeJIT64.cpp:
5720 (JSC::DFG::SpeculativeJIT::compile):
5721 * tests/stress/bug-131764.js: Added.
5722 (test1):
5723 (test2):
5724
5725 2014-04-17 Darin Adler <darin@apple.com>
5726
5727 Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
5728 https://bugs.webkit.org/show_bug.cgi?id=131785
5729 rdar://problem/16003108
5730
5731 Reviewed by Brady Eidson.
5732
5733 * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS.
5734
5735 2014-04-16 Alexey Proskuryakov <ap@apple.com>
5736
5737 Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization)
5738
5739 * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate):
5740
5741 2014-04-16 Filip Pizlo <fpizlo@apple.com>
5742
5743 Extra error reporting for invalid value conversions
5744 https://bugs.webkit.org/show_bug.cgi?id=131786
5745
5746 Rubber stamped by Ryosuke Niwa.
5747
5748 * dfg/DFGFixupPhase.cpp:
5749 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
5750
5751 2014-04-16 Filip Pizlo <fpizlo@apple.com>
5752
5753 Sink NaN sanitization to uses and remove it when it's unnecessary
5754 https://bugs.webkit.org/show_bug.cgi?id=131419
5755
5756 Reviewed by Oliver Hunt.
5757
5758 This moves NaN purification to stores that could see an impure NaN.
5759
5760 5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM
5761 though, because of the other bug that causes that benchmark to box doubles in a loop.
5762
5763 * bytecode/SpeculatedType.h:
5764 (JSC::isInt32SpeculationForArithmetic):
5765 (JSC::isMachineIntSpeculationForArithmetic):
5766 (JSC::isDoubleSpeculation):
5767 (JSC::isDoubleSpeculationForArithmetic):
5768 * dfg/DFGAbstractInterpreterInlines.h:
5769 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
5770 * dfg/DFGAbstractValue.cpp:
5771 (JSC::DFG::AbstractValue::fixTypeForRepresentation):
5772 * dfg/DFGFixupPhase.cpp:
5773 (JSC::DFG::FixupPhase::fixupNode):
5774 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
5775 * dfg/DFGInPlaceAbstractState.cpp:
5776 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
5777 * dfg/DFGPredictionPropagationPhase.cpp:
5778 (JSC::DFG::PredictionPropagationPhase::propagate):
5779 * dfg/DFGSpeculativeJIT.cpp:
5780 (JSC::DFG::SpeculativeJIT::compileValueRep):
5781 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
5782 * dfg/DFGUseKind.h:
5783 (JSC::DFG::typeFilterFor):
5784 * ftl/FTLLowerDFGToLLVM.cpp:
5785 (JSC::FTL::LowerDFGToLLVM::compileValueRep):
5786 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
5787 * runtime/PureNaN.h:
5788 * tests/stress/float32-array-nan-inlined.js: Added.
5789 (foo):
5790 (test):
5791 * tests/stress/float32-array-nan.js: Added.
5792 (foo):
5793 (test):
5794 * tests/stress/float64-array-nan-inlined.js: Added.
5795 (foo):
5796 (isBigEndian):
5797 (test):
5798 * tests/stress/float64-array-nan.js: Added.
5799 (foo):
5800 (isBigEndian):
5801 (test):
5802
5803 2014-04-16 Brent Fulgham <bfulgham@apple.com>
5804
5805 [Win] Unreviewed Windows gardening. Restrict our new 'isinf' check
5806 to 32-bit builds, and revise the comment to explain what we are
5807 doing.
5808
5809 * runtime/JSCJSValueInlines.h:
5810 (JSC::JSValue::isMachineInt): Provide motivation for the new
5811 'isinf' check for our 32-bit code path.
5812
58132014-04-16 Juergen Ributzka <juergen@apple.com>
5814
5815 Allocate the data section on the heap again for FTL on ARM64
5816 https://bugs.webkit.org/show_bug.cgi?id=130156
5817
5818 Reviewed by Geoffrey Garen and Filip Pizlo.
5819
5820 * ftl/FTLCompile.cpp:
5821 (JSC::FTL::mmAllocateDataSection):
5822 * ftl/FTLDataSection.cpp:
5823 (JSC::FTL::DataSection::DataSection):
5824 (JSC::FTL::DataSection::~DataSection):
5825 * ftl/FTLDataSection.h:
5826
58272014-04-16 Mark Lam <mark.lam@apple.com>
5828
5829 Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates.
5830 <https://webkit.org/b/131747>
5831
5832 Reviewed by Filip Pizlo.
5833
5834 When the debugger is about to activate (e.g. enter stepping mode), it first
5835 waits for all DFG compilations to complete. However, when the DFG completes,
5836 if compilation is successful, it will install a new DFG codeBlock. The
5837 CodeBlock installation process is required to register codeBlocks with the
5838 debugger. Debugger::registerCodeBlock() will eventually call
5839 CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're
5840 trying to install. Thereafter, chaos ensues.
5841
5842 This jettisoning only happens because the debugger currently sets its
5843 m_steppingMode flag before waiting for compilation to complete. The fix is
5844 simply to set that flag only after compilation is complete.
5845
5846 * debugger/Debugger.cpp:
5847 (JSC::Debugger::setSteppingMode):
5848 (JSC::Debugger::registerCodeBlock):
5849
58502014-04-16 Filip Pizlo <fpizlo@apple.com>
5851
5852 Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging
5853 https://bugs.webkit.org/show_bug.cgi?id=131420
5854
5855 Reviewed by Oliver Hunt.
5856
5857 Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which
5858 replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now
5859 goes through the purifyNaN() API.
5860
5861 SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN.
5862
5863 Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't
5864 have to be too cautious since most prediction-based logic only cares about whether or not
5865 a value could be an integer.
5866
5867 AI is made much more cautious when dealing with NaNs. We don't yet introduce ImpureNaN
5868 anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it
5869 soundly and precisely.
5870
5871 No performance change because this just unblocks
5872 https://bugs.webkit.org/show_bug.cgi?id=131419.
5873
5874 * API/JSValueRef.cpp:
5875 (JSValueMakeNumber):
5876 (JSValueToNumber):
5877 * JavaScriptCore.xcodeproj/project.pbxproj:
5878 * bytecode/SpeculatedType.cpp:
5879 (JSC::dumpSpeculation):
5880 (JSC::speculationFromValue):
5881 (JSC::typeOfDoubleSum):
5882 (JSC::typeOfDoubleDifference):
5883 (JSC::typeOfDoubleProduct):
5884 (JSC::polluteDouble):
5885 (JSC::typeOfDoubleQuotient):
5886 (JSC::typeOfDoubleMinMax):
5887 (JSC::typeOfDoubleNegation):
5888 (JSC::typeOfDoubleAbs):
5889 (JSC::typeOfDoubleFRound):
5890 (JSC::typeOfDoubleBinaryOp):
5891 (JSC::typeOfDoubleUnaryOp):
5892 * bytecode/SpeculatedType.h:
5893 * dfg/DFGAbstractInterpreterInlines.h:
5894 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
5895 * dfg/DFGByteCodeParser.cpp:
5896 (JSC::DFG::ByteCodeParser::handleInlining):
5897 (JSC::DFG::ByteCodeParser::parseCodeBlock):
5898 * dfg/DFGCriticalEdgeBreakingPhase.cpp:
5899 (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
5900 * dfg/DFGInPlaceAbstractState.cpp:
5901 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
5902 * dfg/DFGLoopPreHeaderCreationPhase.cpp:
5903 (JSC::DFG::createPreHeader):
5904 * dfg/DFGNode.h:
5905 (JSC::DFG::BranchTarget::BranchTarget):
5906 * dfg/DFGOSREntrypointCreationPhase.cpp:
5907 (JSC::DFG::OSREntrypointCreationPhase::run):
5908 * dfg/DFGOSRExitCompiler32_64.cpp:
5909 (JSC::DFG::OSRExitCompiler::compileExit):
5910 * dfg/DFGOSRExitCompiler64.cpp:
5911 (JSC::DFG::OSRExitCompiler::compileExit):
5912 * dfg/DFGPredictionPropagationPhase.cpp:
5913 (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
5914 (JSC::DFG::PredictionPropagationPhase::propagate):
5915 * dfg/DFGSpeculativeJIT.cpp:
5916 (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
5917 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
5918 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
5919 * dfg/DFGSpeculativeJIT32_64.cpp:
5920 (JSC::DFG::SpeculativeJIT::compile):
5921 * dfg/DFGSpeculativeJIT64.cpp:
5922 (JSC::DFG::SpeculativeJIT::compile):
5923 * dfg/DFGVariableAccessData.h:
5924 (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
5925 * ftl/FTLLowerDFGToLLVM.cpp:
5926 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
5927 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
5928 (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
5929 (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
5930 (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
5931 (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
5932 (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
5933 * ftl/FTLValueFormat.cpp:
5934 (JSC::FTL::reboxAccordingToFormat):
5935 * jit/AssemblyHelpers.cpp:
5936 (JSC::AssemblyHelpers::purifyNaN):
5937 (JSC::AssemblyHelpers::sanitizeDouble): Deleted.
5938 * jit/AssemblyHelpers.h:
5939 * jit/JITPropertyAccess.cpp:
5940 (JSC::JIT::emitFloatTypedArrayGetByVal):
5941 * runtime/DateConstructor.cpp:
5942 (JSC::constructDate):
5943 * runtime/DateInstanceCache.h:
5944 (JSC::DateInstanceData::DateInstanceData):
5945 (JSC::DateInstanceCache::reset):
5946 * runtime/ExceptionHelpers.cpp:
5947 (JSC::TerminatedExecutionError::defaultValue):
5948 * runtime/JSArray.cpp:
5949 (JSC::JSArray::setLength):
5950 (JSC::JSArray::pop):
5951 (JSC::JSArray::shiftCountWithAnyIndexingType):
5952 (JSC::JSArray::sortVector):
5953 (JSC::JSArray::compactForSorting):
5954 * runtime/JSArray.h:
5955 (JSC::JSArray::create):
5956 (JSC::JSArray::tryCreateUninitialized):
5957 * runtime/JSCJSValue.cpp:
5958 (JSC::JSValue::toNumberSlowCase):
5959 * runtime/JSCJSValue.h:
5960 * runtime/JSCJSValueInlines.h:
5961 (JSC::jsNaN):
5962 (JSC::JSValue::JSValue):
5963 (JSC::JSValue::getPrimitiveNumber):
5964 * runtime/JSGlobalObjectFunctions.cpp:
5965 (JSC::parseInt):
5966 (JSC::jsStrDecimalLiteral):
5967 (JSC::toDouble):
5968 (JSC::jsToNumber):
5969 (JSC::parseFloat):
5970 * runtime/JSObject.cpp:
5971 (JSC::JSObject::createInitialDouble):
5972 (JSC::JSObject::convertUndecidedToDouble):
5973 (JSC::JSObject::convertInt32ToDouble):
5974 (JSC::JSObject::deletePropertyByIndex):
5975 (JSC::JSObject::ensureLengthSlow):
5976 * runtime/MathObject.cpp:
5977 (JSC::mathProtoFuncMax):
5978 (JSC::mathProtoFuncMin):
5979 * runtime/PureNaN.h: Added.
5980 (JSC::pureNaN):
5981 (JSC::isImpureNaN):
5982 (JSC::purifyNaN):
5983 * runtime/TypedArrayAdaptors.h:
5984 (JSC::FloatTypedArrayAdaptor::toJSValue):
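
The pure/impure NaN distinction this entry introduces (and the NaN-purification sinking described in the bug 131419 entry earlier on this page), as an added example that is not JavaScriptCore's own code: a minimal purifyNaN()/isImpureNaN() pair and a constructed, simplified NaN-boxing layout (its tag constants are assumptions, not JSC's) showing why a store that may see a NaN read raw from a Float64Array must purify before tagging.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Added example, not JavaScriptCore's code. It models the distinction the
// entries draw between a pure NaN (one canonical bit pattern, safe to tag) and
// an impure NaN (any other NaN encoding, e.g. raw bits read from a Float64Array),
// and why stores into a tagged value must purify first. The boxing layout below
// is a simplified, constructed NaN-boxing scheme; its constants are assumptions.

static uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
static double doubleOf(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

// The single NaN encoding treated as pure: positive, quiet, zero payload.
const uint64_t kPureNaNBits = 0x7ff8000000000000ULL;

double pureNaN() { return doubleOf(kPureNaNBits); }

// A NaN whose bit pattern differs from the canonical one is impure.
bool isImpureNaN(double d) { return std::isnan(d) && bitsOf(d) != kPureNaNBits; }

// Canonicalise every NaN; leave all other doubles untouched (bit-exact).
double purifyNaN(double d) { return std::isnan(d) ? pureNaN() : d; }

// Constructed boxing scheme: a double is stored as its bits plus 2^48, so its
// encoded top 16 bits fall strictly between the cell tag (0x0000) and the
// int32 tag (0xffff) for every double except some NaN payloads.
const uint64_t kDoubleEncodeOffset = 1ULL << 48;
const uint64_t kTagMask = 0xffff000000000000ULL;
enum class Kind { Cell, Int32, Double };

// Decode the kind of a boxed word the way a consumer of the value would.
Kind kindOf(uint64_t boxed) {
    if ((boxed & kTagMask) == kTagMask) return Kind::Int32;
    if ((boxed & kTagMask) == 0) return Kind::Cell;
    return Kind::Double;
}

// Boxing without purification: correct only if the caller guarantees a pure NaN.
uint64_t boxDoubleUnchecked(double d) { return bitsOf(d) + kDoubleEncodeOffset; }

// Boxing at a store that may see an impure NaN: purify, then tag.
uint64_t boxDouble(double d) { return boxDoubleUnchecked(purifyNaN(d)); }

// Reads element i of a Float64Array-style backing store byte-for-byte, so any
// NaN payload the bytes contain survives the read.
double readFloat64(const uint8_t* backing, size_t i) {
    double d; std::memcpy(&d, backing + i * sizeof(double), sizeof d); return d;
}

// Constructed sample backing store (two elements): an ordinary double followed by
// a NaN with a non-canonical payload, as a Uint8Array view could have written it.
void fillSampleBacking(uint8_t* backing) {
    double ordinary = 1.5;
    double impure = doubleOf(0xfffe000000000000ULL);
    std::memcpy(backing, &ordinary, sizeof ordinary);
    std::memcpy(backing + sizeof(double), &impure, sizeof impure);
}

// True when every element boxes to a Double-kind word; with purifyFirst == false
// this reports whether the unchecked path would mis-tag any element.
bool allBoxAsDouble(const uint8_t* backing, size_t count, bool purifyFirst) {
    for (size_t i = 0; i < count; ++i) {
        double d = readFloat64(backing, i);
        uint64_t boxed = purifyFirst ? boxDouble(d) : boxDoubleUnchecked(d);
        if (kindOf(boxed) != Kind::Double) return false;
    }
    return true;
}

int main() {
    uint8_t backing[2 * sizeof(double)];
    fillSampleBacking(backing);
    std::printf("unchecked boxing keeps Double kind: %s\n", allBoxAsDouble(backing, 2, false) ? "yes" : "no");
    std::printf("purified boxing keeps Double kind:  %s\n", allBoxAsDouble(backing, 2, true) ? "yes" : "no");
    return 0;
}
```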
5985
59862014-04-16 Juergen Ributzka <juergen@apple.com>
5987
5988 Enable system library calls in FTL for ARM64
5989 https://bugs.webkit.org/show_bug.cgi?id=130154
5990
5991 Reviewed by Geoffrey Garen and Filip Pizlo.
5992
5993 * ftl/FTLIntrinsicRepository.h:
5994 * ftl/FTLOutput.h:
5995 (JSC::FTL::Output::doubleRem):
5996 (JSC::FTL::Output::doubleSin):
5997 (JSC::FTL::Output::doubleCos):
5998
59992014-04-16 peavo@outlook.com <peavo@outlook.com>
6000
6001 Fix JSC Debug Regressions on Windows
6002 https://bugs.webkit.org/show_bug.cgi?id=131182
6003
6004 Reviewed by Brent Fulgham.
6005
6006 The cast static_cast<int64_t>(number) in JSValue::isMachineInt() can generate a floating point error,
6007 and set the st floating point register tags, if the value of the number parameter is infinite.
6008 If the st floating point register tags are not cleared, this can cause strange floating point behavior later on.
6009 This can be avoided by checking for infinity first.
6010
6011 * runtime/JSCJSValueInlines.h:
6012 (JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first.
6013 * runtime/Options.cpp:
6014 (JSC::recomputeDependentOptions): Re-enable jit for Windows.
6015
60162014-04-16 Oliver Hunt <oliver@apple.com>
6017
6018 Simple ES6 feature: Array.prototype.fill
6019 https://bugs.webkit.org/show_bug.cgi?id=131703
6020
6021 Reviewed by David Hyatt.
6022
6023 Add support for Array.prototype.fill
6024
6025 * builtins/Array.prototype.js:
6026 (fill):
6027 * runtime/ArrayPrototype.cpp:
6028
60292014-04-16 Mark Hahnenberg <mhahnenberg@apple.com>
6030
6031 [WebKit] Cleanup the build from uninitialized variable in JavaScriptCore
6032 https://bugs.webkit.org/show_bug.cgi?id=131728
6033
6034 Reviewed by Darin Adler.
6035
6036 * runtime/JSObject.cpp:
6037 (JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the
6038 path we expect to never take. Also shut up confused compilers about uninitialized things.
6039
60402014-04-16 Filip Pizlo <fpizlo@apple.com>
6041
6042 Unreviewed, ARMv7 build fix after r167336.
6043
6044 * assembler/MacroAssemblerARMv7.h:
6045 (JSC::MacroAssemblerARMv7::branchAdd32):
6046
60472014-04-16 Gabor Rapcsanyi <rgabor@webkit.org>
6048
6049 Unreviewed, ARM64 build fix after r167336.
6050
6051 * assembler/MacroAssemblerARM64.h:
6052 (JSC::MacroAssemblerARM64::branchAdd32): Add missing function.
6053
60542014-04-15 Filip Pizlo <fpizlo@apple.com>
6055
6056 Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit.
6057
6058 * dfg/DFGAbstractInterpreterInlines.h:
6059 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
6060
60612014-04-15 Filip Pizlo <fpizlo@apple.com>
6062
6063 compileMakeRope does not emit necessary bounds checks
6064 https://bugs.webkit.org/show_bug.cgi?id=130684
6065 <rdar://problem/16398388>
6066
6067 Reviewed by Oliver Hunt.
6068
6069 Add string length bounds checks in a bunch of places. We should never allow a string
6070 to have a length greater than 2^31-1 because it's not clear that the language has
6071 semantics for it and because there is code that assumes that this cannot happen.
6072
6073 Also add a bunch of tests to that effect to cover the various ways in which this was
6074 previously allowed to happen.
6075
6076 * dfg/DFGOperations.cpp:
6077 * dfg/DFGSpeculativeJIT.cpp:
6078 (JSC::DFG::SpeculativeJIT::compileMakeRope):
6079 * ftl/FTLLowerDFGToLLVM.cpp:
6080 (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
6081 * runtime/JSString.cpp:
6082 (JSC::JSRopeString::RopeBuilder::expand):
6083 * runtime/JSString.h:
6084 (JSC::JSString::create):
6085 (JSC::JSRopeString::RopeBuilder::append):
6086 (JSC::JSRopeString::RopeBuilder::release):
6087 (JSC::JSRopeString::append):
6088 * runtime/Operations.h:
6089 (JSC::jsString):
6090 (JSC::jsStringFromRegisterArray):
6091 (JSC::jsStringFromArguments):
6092 * runtime/StringPrototype.cpp:
6093 (JSC::stringProtoFuncIndexOf):
6094 (JSC::stringProtoFuncSlice):
6095 (JSC::stringProtoFuncSubstring):
6096 (JSC::stringProtoFuncToLowerCase):
6097 * tests/stress/make-large-string-jit-strcat.js: Added.
6098 (foo):
6099 * tests/stress/make-large-string-jit.js: Added.
6100 (foo):
6101 * tests/stress/make-large-string-strcat.js: Added.
6102 * tests/stress/make-large-string.js: Added.
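
The length bounds check this entry describes, as an added example that is not JavaScriptCore's own code: a constructed CheckedRopeBuilder that refuses an append which would push a string past 2^31-1 characters, shown beside the unchecked 32-bit accumulation whose wrapped length the check prevents.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Added example, not JavaScriptCore's code. It models the length bounds check
// the entry adds to rope construction: a string length must never exceed
// 2^31-1, and an append that would cross that cap must fail rather than let a
// 32-bit length wrap. CheckedRopeBuilder and Fiber are constructed names.
const uint32_t kMaxStringLength = 0x7fffffffu; // 2^31 - 1

struct Fiber { uint32_t length; };

class CheckedRopeBuilder {
public:
    // Appends a fiber, or fails permanently if the combined length would exceed the cap.
    bool append(Fiber f) {
        if (m_failed) return false;
        if (f.length > kMaxStringLength - m_length) { m_failed = true; return false; }
        m_length += f.length;
        m_fibers.push_back(f);
        return true;
    }
    bool failed() const { return m_failed; }
    uint32_t length() const { return m_length; }
    size_t fiberCount() const { return m_fibers.size(); }
private:
    std::vector<Fiber> m_fibers;
    uint32_t m_length = 0;
    bool m_failed = false;
};

// What an unchecked 32-bit accumulation would report for the same fibers: the
// sum wraps, so the rope would claim far fewer characters than it holds.
uint32_t uncheckedLength(const std::vector<Fiber>& fibers) {
    uint32_t total = 0;
    for (const Fiber& f : fibers) total += f.length; // wraps modulo 2^32
    return total;
}

// Builds a rope from the fibers on the checked path; true only if all were appended.
bool buildChecked(const std::vector<Fiber>& fibers, CheckedRopeBuilder& out) {
    for (const Fiber& f : fibers) if (!out.append(f)) return false;
    return true;
}

// Constructed sample: three fibers of 0x60000000 chars each. The first two
// already exceed 2^31-1, and all three together wrap uint32 to 0x20000000.
std::vector<Fiber> sampleFibers() { return { {0x60000000u}, {0x60000000u}, {0x60000000u} }; }

int main() {
    CheckedRopeBuilder builder;
    bool built = buildChecked(sampleFibers(), builder);
    std::printf("unchecked length: 0x%x\n", uncheckedLength(sampleFibers()));
    std::printf("checked build %s after %zu fiber(s), length 0x%x\n",
                built ? "succeeded" : "failed", builder.fiberCount(), builder.length());
    return 0;
}
```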
6103
61042014-04-15 Julien Brianceau <jbriance@cisco.com>
6105
6106 Remove invalid sh4 specific code in JITInlines header.
6107 https://bugs.webkit.org/show_bug.cgi?id=131692
6108
6109 Reviewed by Geoffrey Garen.
6110
6111 * jit/JITInlines.h:
6112 (JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ
6113 anymore since r160244, so the sh4 specific code is invalid now
6114 and has to be removed.
6115
61162014-04-15 Mark Hahnenberg <mhahnenberg@apple.com>
6117
6118 Fix precedence issue in JSCell::setRemembered
6119
6120 Rubber stamped by Filip Pizlo.
6121
6122 * runtime/JSCell.h:
6123 (JSC::JSCell::setRemembered):
6124
61252014-04-15 Mark Hahnenberg <mhahnenberg@apple.com>
6126
6127 Objective-C API external object graphs don't handle generational collection properly
6128 https://bugs.webkit.org/show_bug.cgi?id=131634
6129
6130 Reviewed by Geoffrey Garen.
6131
6132 If the set of Objective-C objects transitively reachable through an object changes, we
6133 need to update the set of opaque roots accordingly. If we don't, the next EdenCollection
6134 won't rescan the external object graph, which would lead us to consider a newly allocated
6135 JSManagedValue to be dead.
6136
6137 * API/JSBase.cpp:
6138 (JSSynchronousEdenCollectForDebugging):
6139 * API/JSVirtualMachine.mm:
6140 (-[JSVirtualMachine initWithContextGroupRef:]):
6141 (-[JSVirtualMachine dealloc]):
6142 (-[JSVirtualMachine isOldExternalObject:]):
6143 (-[JSVirtualMachine addExternalRememberedObject:]):
6144 (-[JSVirtualMachine addManagedReference:withOwner:]):
6145 (-[JSVirtualMachine removeManagedReference:withOwner:]):
6146 (-[JSVirtualMachine externalRememberedSet]):
6147 (scanExternalObjectGraph):
6148 (scanExternalRememberedSet):
6149 * API/JSVirtualMachineInternal.h:
6150 * API/tests/testapi.mm:
6151 * heap/Heap.cpp:
6152 (JSC::Heap::markRoots):
6153 * heap/Heap.h:
6154 (JSC::Heap::slotVisitor):
6155 * heap/SlotVisitor.h:
6156 * heap/SlotVisitorInlines.h:
6157 (JSC::SlotVisitor::containsOpaqueRoot):
6158 (JSC::SlotVisitor::containsOpaqueRootTriState):
6159
61602014-04-15 Filip Pizlo <fpizlo@apple.com>
6161
6162 DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's
6163 https://bugs.webkit.org/show_bug.cgi?id=131423
6164
6165 Reviewed by Geoffrey Garen.
6166
6167 This introduces more static typing into DFG IR. Previously we just had the notion of
6168 JSValues and Storage. This was weird because doubles weren't always convertible to
6169 JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would
6170 sort of insert explicit conversion nodes just for the places where we knew that an
6171 implicit conversion wouldn't have been possible -- but there was no hard and fast rule so
6172 we'd get bugs from forgetting to do the right conversion.
6173
6174 This patch introduces a hard and fast rule: doubles can never be implicitly converted to
6175 anything but doubles, and likewise Int52's can never be implicitly converted. Conversion
6176 nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the
6177 conversions. They are like Identity but return the same value using a different
6178 representation. Likewise, constants may now be represented using either JSConstant,
6179 Int52Constant, or DoubleConstant. UseKinds have been adjusted accordingly, as well.
6180 Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or
6181 Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that
6182 we speculate DoubleReal and expect Double representation.
6183
6184 In addition to simplifying a bunch of rules in the IR and making the IR more verifiable,
6185 this also makes it easier to introduce optimizations in the future. It's now possible for
6186 AI to model when/how conversions take place. For example, if doing a conversion results in
6187 NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's
6188 what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about.
6189
6190 This was a big change, so I had to do some interesting things, like finally get rid of
6191 the DFG's weird variadic template macro hacks and use real C++11 variadic templates. Also
6192 the ByteCodeParser no longer emits Identity nodes since that was always pointless.
6193
6194 No performance change because this mostly just rationalizes preexisting behavior.
6195
6196 * JavaScriptCore.xcodeproj/project.pbxproj:
6197 * assembler/MacroAssemblerX86.h:
6198 * bytecode/CodeBlock.cpp:
6199 * bytecode/CodeBlock.h:
6200 * dfg/DFGAbstractInterpreter.h:
6201 (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
6202 (JSC::DFG::AbstractInterpreter::setConstant):
6203 * dfg/DFGAbstractInterpreterInlines.h:
6204 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
6205 * dfg/DFGAbstractValue.cpp:
6206 (JSC::DFG::AbstractValue::set):
6207 (JSC::DFG::AbstractValue::fixTypeForRepresentation):
6208 (JSC::DFG::AbstractValue::checkConsistency):
6209 * dfg/DFGAbstractValue.h:
6210 * dfg/DFGBackwardsPropagationPhase.cpp:
6211 (JSC::DFG::BackwardsPropagationPhase::propagate):
6212 * dfg/DFGBasicBlock.h:
6213 * dfg/DFGBasicBlockInlines.h:
6214 (JSC::DFG::BasicBlock::appendNode):
6215 (JSC::DFG::BasicBlock::appendNonTerminal):
6216 * dfg/DFGByteCodeParser.cpp:
6217 (JSC::DFG::ByteCodeParser::parseBlock):
6218 * dfg/DFGCSEPhase.cpp:
6219 (JSC::DFG::CSEPhase::constantCSE):
6220 (JSC::DFG::CSEPhase::performNodeCSE):
6221 (JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted.
6222 * dfg/DFGCapabilities.h:
6223 * dfg/DFGClobberize.h:
6224 (JSC::DFG::clobberize):
6225 * dfg/DFGConstantFoldingPhase.cpp:
6226 (JSC::DFG::ConstantFoldingPhase::foldConstants):
6227 * dfg/DFGDCEPhase.cpp:
6228 (JSC::DFG::DCEPhase::fixupBlock):
6229 * dfg/DFGEdge.h:
6230 (JSC::DFG::Edge::willNotHaveCheck):
6231 * dfg/DFGFixupPhase.cpp:
6232 (JSC::DFG::FixupPhase::run):
6233 (JSC::DFG::FixupPhase::fixupNode):
6234 (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
6235 (JSC::DFG::FixupPhase::observeUseKindOnNode):
6236 (JSC::DFG::FixupPhase::fixIntEdge):
6237 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
6238 (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
6239 (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
6240 (JSC::DFG::FixupPhase::fixEdgeRepresentation):
6241 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
6242 (JSC::DFG::FixupPhase::addRequiredPhantom):
6243 (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
6244 (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
6245 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted.
6246 * dfg/DFGFlushFormat.h:
6247 (JSC::DFG::resultFor):
6248 (JSC::DFG::useKindFor):
6249 * dfg/DFGGraph.cpp:
6250 (JSC::DFG::Graph::dump):
6251 * dfg/DFGGraph.h:
6252 (JSC::DFG::Graph::addNode):
6253 * dfg/DFGInPlaceAbstractState.cpp:
6254 (JSC::DFG::InPlaceAbstractState::initialize):
6255 * dfg/DFGInsertionSet.h:
6256 (JSC::DFG::InsertionSet::insertNode):
6257 (JSC::DFG::InsertionSet::insertConstant):
6258 (JSC::DFG::InsertionSet::insertConstantForUse):
6259 * dfg/DFGIntegerCheckCombiningPhase.cpp:
6260 (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
6261 (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
6262 * dfg/DFGNode.cpp:
6263 (JSC::DFG::Node::convertToIdentity):
6264 (WTF::printInternal):
6265 * dfg/DFGNode.h:
6266 (JSC::DFG::Node::Node):
6267 (JSC::DFG::Node::setResult):
6268 (JSC::DFG::Node::result):
6269 (JSC::DFG::Node::isConstant):
6270 (JSC::DFG::Node::hasConstant):
6271 (JSC::DFG::Node::convertToConstant):
6272 (JSC::DFG::Node::valueOfJSConstant):
6273 (JSC::DFG::Node::hasResult):
6274 (JSC::DFG::Node::hasInt32Result):
6275 (JSC::DFG::Node::hasInt52Result):
6276 (JSC::DFG::Node::hasNumberResult):
6277 (JSC::DFG::Node::hasDoubleResult):
6278 (JSC::DFG::Node::hasJSResult):
6279 (JSC::DFG::Node::hasBooleanResult):
6280 (JSC::DFG::Node::hasStorageResult):
6281 (JSC::DFG::Node::defaultUseKind):
6282 (JSC::DFG::Node::defaultEdge):
6283 (JSC::DFG::Node::convertToIdentity): Deleted.
6284 * dfg/DFGNodeFlags.cpp:
6285 (JSC::DFG::dumpNodeFlags):
6286 * dfg/DFGNodeFlags.h:
6287 (JSC::DFG::canonicalResultRepresentation):
6288 * dfg/DFGNodeType.h:
6289 * dfg/DFGOSRExitCompiler32_64.cpp:
6290 (JSC::DFG::OSRExitCompiler::compileExit):
6291 * dfg/DFGOSRExitCompiler64.cpp:
6292 (JSC::DFG::OSRExitCompiler::compileExit):
6293 * dfg/DFGPredictionPropagationPhase.cpp:
6294 (JSC::DFG::PredictionPropagationPhase::propagate):
6295 * dfg/DFGResurrectionForValidationPhase.cpp:
6296 (JSC::DFG::ResurrectionForValidationPhase::run):
6297 * dfg/DFGSSAConversionPhase.cpp:
6298 (JSC::DFG::SSAConversionPhase::run):
6299 * dfg/DFGSafeToExecute.h:
6300 (JSC::DFG::SafeToExecuteEdge::operator()):
6301 (JSC::DFG::safeToExecute):
6302 * dfg/DFGSpeculativeJIT.cpp:
6303 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
6304 (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
6305 (JSC::DFG::SpeculativeJIT::silentFill):
6306 (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
6307 (JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary):
6308 (JSC::DFG::JSValueRegsTemporary::regs):
6309 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
6310 (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
6311 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
6312 (JSC::DFG::SpeculativeJIT::compileDoubleRep):
6313 (JSC::DFG::SpeculativeJIT::compileValueRep):
6314 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
6315 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
6316 (JSC::DFG::SpeculativeJIT::compileAdd):
6317 (JSC::DFG::SpeculativeJIT::compileArithSub):
6318 (JSC::DFG::SpeculativeJIT::compileArithNegate):
6319 (JSC::DFG::SpeculativeJIT::compileArithMul):
6320 (JSC::DFG::SpeculativeJIT::compileArithDiv):
6321 (JSC::DFG::SpeculativeJIT::compileArithMod):
6322 (JSC::DFG::SpeculativeJIT::compare):
6323 (JSC::DFG::SpeculativeJIT::compileStrictEq):
6324 (JSC::DFG::SpeculativeJIT::speculateNumber):
6325 (JSC::DFG::SpeculativeJIT::speculateDoubleReal):
6326 (JSC::DFG::SpeculativeJIT::speculate):
6327 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted.
6328 (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
6329 (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
6330 * dfg/DFGSpeculativeJIT.h:
6331 (JSC::DFG::SpeculativeJIT::allocate):
6332 (JSC::DFG::SpeculativeJIT::use):
6333 (JSC::DFG::SpeculativeJIT::boxDouble):
6334 (JSC::DFG::SpeculativeJIT::spill):
6335 (JSC::DFG::SpeculativeJIT::jsValueResult):
6336 (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
6337 (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
6338 (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
6339 (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
6340 * dfg/DFGSpeculativeJIT32_64.cpp:
6341 (JSC::DFG::SpeculativeJIT::fillJSValue):
6342 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
6343 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
6344 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
6345 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
6346 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
6347 (JSC::DFG::SpeculativeJIT::emitBranch):
6348 (JSC::DFG::SpeculativeJIT::compile):
6349 (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
6350 * dfg/DFGSpeculativeJIT64.cpp:
6351 (JSC::DFG::SpeculativeJIT::fillJSValue):
6352 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
6353 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
6354 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
6355 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
6356 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
6357 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
6358 (JSC::DFG::SpeculativeJIT::emitBranch):
6359 (JSC::DFG::SpeculativeJIT::compile):
6360 (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
6361 * dfg/DFGStrengthReductionPhase.cpp:
6362 (JSC::DFG::StrengthReductionPhase::handleNode):
6363 * dfg/DFGUseKind.cpp:
6364 (WTF::printInternal):
6365 * dfg/DFGUseKind.h:
6366 (JSC::DFG::typeFilterFor):
6367 (JSC::DFG::shouldNotHaveTypeCheck):
6368 (JSC::DFG::mayHaveTypeCheck):
6369 (JSC::DFG::isNumerical):
6370 (JSC::DFG::isDouble):
6371 (JSC::DFG::isCell):
6372 (JSC::DFG::usesStructure):
6373 (JSC::DFG::useKindForResult):
6374 * dfg/DFGValidate.cpp:
6375 (JSC::DFG::Validate::validate):
6376 * dfg/DFGVariadicFunction.h: Removed.
6377 * ftl/FTLCapabilities.cpp:
6378 (JSC::FTL::canCompile):
6379 * ftl/FTLLowerDFGToLLVM.cpp:
6380 (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
6381 (JSC::FTL::LowerDFGToLLVM::compileNode):
6382 (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
6383 (JSC::FTL::LowerDFGToLLVM::compilePhi):
6384 (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
6385 (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
6386 (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
6387 (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
6388 (JSC::FTL::LowerDFGToLLVM::compileValueRep):
6389 (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
6390 (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
6391 (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
6392 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
6393 (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
6394 (JSC::FTL::LowerDFGToLLVM::compileArithMod):
6395 (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
6396 (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
6397 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
6398 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
6399 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
6400 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
6401 (JSC::FTL::LowerDFGToLLVM::compare):
6402 (JSC::FTL::LowerDFGToLLVM::boolify):
6403 (JSC::FTL::LowerDFGToLLVM::lowInt52):
6404 (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
6405 (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
6406 (JSC::FTL::LowerDFGToLLVM::lowDouble):
6407 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
6408 (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
6409 (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
6410 (JSC::FTL::LowerDFGToLLVM::speculate):
6411 (JSC::FTL::LowerDFGToLLVM::speculateNumber):
6412 (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal):
6413 (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue): Deleted.
6414 (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): Deleted.
6415 (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): Deleted.
6416 (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): Deleted.
6417 (JSC::FTL::LowerDFGToLLVM::speculateMachineInt): Deleted.
6418 * ftl/FTLValueFormat.cpp:
6419 (JSC::FTL::reboxAccordingToFormat):
6420 * jit/AssemblyHelpers.cpp:
6421 (JSC::AssemblyHelpers::sanitizeDouble):
6422 * jit/AssemblyHelpers.h:
6423 (JSC::AssemblyHelpers::boxDouble):
6424
64252014-04-15 Commit Queue <commit-queue@webkit.org>
6426
6427 Unreviewed, rolling out r167199 and r167251.
6428 https://bugs.webkit.org/show_bug.cgi?id=131678
6429
6430 Caused a DYEBench regression and does not seem to improve perf
6431 on relevant websites (Requested by rniwa on #webkit).
6432
6433 Reverted changesets:
6434
6435 "Rewrite Function.bind as a builtin"
6436 https://bugs.webkit.org/show_bug.cgi?id=131083
6437 http://trac.webkit.org/changeset/167199
6438
6439 "Update test result"
6440 http://trac.webkit.org/changeset/167251
6441
64422014-04-14 Commit Queue <commit-queue@webkit.org>
6443
6444 Unreviewed, rolling out r167272.
6445 https://bugs.webkit.org/show_bug.cgi?id=131666
6446
6447 Broke multiple tests (Requested by ap on #webkit).
6448
6449 Reverted changeset:
6450
6451 "Function.bind itself is too slow"
6452 https://bugs.webkit.org/show_bug.cgi?id=131636
6453 http://trac.webkit.org/changeset/167272
6454
64552014-04-14 Geoffrey Garen <ggaren@apple.com>
6456
6457 ASSERT when firing low memory warning
6458 https://bugs.webkit.org/show_bug.cgi?id=131659
6459
6460 Reviewed by Mark Hahnenberg.
6461
6462 * heap/Heap.cpp:
6463 (JSC::Heap::deleteAllCompiledCode): Allow deleteAllCompiledCode to be
6464 called when no GC is happening because that is what we do when a low
6465 memory warning fires, and it is harmless.
6466
64672014-04-14 Mark Hahnenberg <mhahnenberg@apple.com>
6468
6469 emit_op_put_by_id should not emit a write barrier that filters on value
6470 https://bugs.webkit.org/show_bug.cgi?id=131654
6471
6472 Reviewed by Filip Pizlo.
6473
6474 The 32-bit implementation does this, and it can cause crashes if we later repatch the
6475 code to allocate and store new Butterflies.
6476
6477 * jit/JITPropertyAccess.cpp:
6478 (JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on
6479 32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag
6480 load down into the if statement so that we don't do it if we're not filtering on the value.
6481 * jit/JITPropertyAccess32_64.cpp:
6482 (JSC::JIT::emit_op_put_by_id):
6483
64842014-04-14 Oliver Hunt <oliver@apple.com>
6485
6486 Function.bind itself is too slow
6487 https://bugs.webkit.org/show_bug.cgi?id=131636
6488
6489 Reviewed by Geoffrey Garen.
6490
6491 Rather than forcing creation of an activation, we now store
6492 bound function properties directly on the returned closure.
6493 This is necessary to deal with code that creates many function
6494 bindings, but does not call them very often.
6495
6496 This is a 60% speed up in the included js/regress test.
6497
6498 * builtins/BuiltinExecutables.cpp:
6499 (JSC::BuiltinExecutables::createBuiltinExecutable):
6500 * builtins/Function.prototype.js:
6501 (bind.bindingFunction):
6502 (bind.else.switch.case.1.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
6503 (bind.else.switch.case.1.bindingFunction):
6504 (bind.else.switch.case.2.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
6505 (bind.else.switch.case.2.bindingFunction):
6506 (bind.else.switch.case.3.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
6507 (bind.else.switch.case.3.bindingFunction):
6508 (bind.else.switch.bindingFunction):
6509 (bind):
6510 (bind.else.switch.case.1.bindingFunction.oversizedCall): Deleted.
6511 (bind.else.switch.case.2.bindingFunction.oversizedCall): Deleted.
6512 (bind.else.switch.case.3.bindingFunction.oversizedCall): Deleted.
6513 * runtime/CommonIdentifiers.h:
6514
65152014-04-14 Julien Brianceau <jbriance@cisco.com>
6516
6517 [sh4] Allow use of SubImmediates in LLINT.
6518 https://bugs.webkit.org/show_bug.cgi?id=131608
6519
6520 Reviewed by Mark Lam.
6521
6522 Allow use of SubImmediates with const pool so the sh4 architecture can
6523 share the arm path for the setEntryAddress macro. It reduces
6524 architecture-specific code and leads to more optimal generated code for sh4.
6525
6526 * llint/LowLevelInterpreter.asm:
6527 * offlineasm/sh4.rb:
6528
65292014-04-14 Andreas Kling <akling@apple.com>
6530
6531 Array.prototype.concat should allocate output storage only once.
6532 <https://webkit.org/b/131609>
6533
6534 Do a first pass across 'this' and any arguments to compute the
6535 final size of the resulting array from Array.prototype.concat.
6536 This avoids having to grow the output incrementally as we go.
6537
6538 This also includes two other micro-optimizations:
6539
6540 - Mark getProperty() with ALWAYS_INLINE.
6541
6542 - Use JSArray::length() instead of taking the generic property
6543 lookup path when we know an argument is an Array.
6544
6545 My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.
6546
6547 Reviewed by Oliver & Darin.
6548
6549 * runtime/ArrayPrototype.cpp:
6550 (JSC::getProperty):
6551 (JSC::arrayProtoFuncConcat):
6552
65532014-04-14 Commit Queue <commit-queue@webkit.org>
6554
6555 Unreviewed, rolling out r167249.
6556 https://bugs.webkit.org/show_bug.cgi?id=131621
6557
6558 broke 3 tests on cloop (Requested by kling on #webkit).
6559
6560 Reverted changeset:
6561
6562 "Array.prototype.concat should allocate output storage only
6563 once."
6564 https://bugs.webkit.org/show_bug.cgi?id=131609
6565 http://trac.webkit.org/changeset/167249
6566
65672014-04-14 Alex Christensen <achristensen@webkit.org>
6568
6569 Fixed potential integer truncation.
6570 https://bugs.webkit.org/show_bug.cgi?id=131615
6571
6572 Reviewed by Darin Adler.
6573
6574 * assembler/X86Assembler.h:
6575 (JSC::X86Assembler::fillNops):
6576 Truncate the size_t to an unsigned after it is limited to 15 instead of before.
6577
2014-04-14 Andreas Kling <akling@apple.com>

Array.prototype.concat should allocate output storage only once.
<https://webkit.org/b/131609>

Do a first pass across 'this' and any arguments to compute the
final size of the resulting array from Array.prototype.concat.
This avoids having to grow the output incrementally as we go.

This also includes two other micro-optimizations:

- Mark getProperty() with ALWAYS_INLINE.

- Use JSArray::length() instead of taking the generic property
lookup path when we know an argument is an Array.

My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.

Reviewed by Darin Adler.

* runtime/ArrayPrototype.cpp:
(JSC::getProperty):
(JSC::arrayProtoFuncConcat):

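The two-pass shape that both Array.prototype.concat entries describe (the rolled-out landing and this reland), as an added illustration rather than JavaScriptCore's arrayProtoFuncConcat. The ConcatArg type, the function names and the overflow check on the summed length are this example's own; the entry says nothing about overflow, but a length derived from caller-controlled inputs is exactly where a practitioner wants that check before sizing storage.

```cpp
#include <cstddef>
#include <limits>
#include <stdexcept>
#include <vector>

// Added illustration of the two-pass concat, not JavaScriptCore code. An
// argument to concat is either an array, whose elements are spliced in, or a
// plain value, which is appended as a single element.
struct ConcatArg {
    bool isArray;
    std::vector<int> elements;   // used when isArray
    int value;                   // used when !isArray
};

// Pass 1: walk 'this' and every argument and add up the final length.
// The overflow check is this example's own caution: a length computed from
// caller-sized inputs must not wrap before it is used to size storage.
size_t concatLength(const std::vector<int>& self, const std::vector<ConcatArg>& args)
{
    size_t total = self.size();
    for (const ConcatArg& arg : args) {
        size_t add = arg.isArray ? arg.elements.size() : 1;
        if (add > std::numeric_limits<size_t>::max() - total)
            throw std::length_error("concat result length overflows size_t");
        total += add;
    }
    return total;
}

// Pass 2: size the output once from the precomputed length, then copy.
// Nothing inside the loop can trigger a reallocation.
std::vector<int> concatOnce(const std::vector<int>& self, const std::vector<ConcatArg>& args)
{
    std::vector<int> result;
    result.reserve(concatLength(self, args));
    result.insert(result.end(), self.begin(), self.end());
    for (const ConcatArg& arg : args) {
        if (arg.isArray)
            result.insert(result.end(), arg.elements.begin(), arg.elements.end());
        else
            result.push_back(arg.value);
    }
    return result;
}
```

The single reserve() call is the whole point of the first pass: the output is never grown element by element, so the copy loop does no allocation at all.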
2014-04-14 Benjamin Poulain <benjamin@webkit.org>

[JSC] Improve the call site of string comparison in some hot path
https://bugs.webkit.org/show_bug.cgi?id=131605

Reviewed by Darin Adler.

When resolved, the String of a JSString is never null. It can be empty but not null.
The null value is reserved for ropes but those would be resolved when getting the value.

Consequently, we should use the equal() operation that does not handle null values.
Using the StringImpl directly is already common in StringPrototype but it was not used here for some reason.

* jit/JITOperations.cpp:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::equalSlowCaseInline):
(JSC::JSValue::strictEqualSlowCaseInline):
(JSC::JSValue::pureStrictEqual):

2014-04-08 Oliver Hunt <oliver@apple.com>

Rewrite Function.bind as a builtin
https://bugs.webkit.org/show_bug.cgi?id=131083

Reviewed by Geoffrey Garen.

This change removes the existing function.bind implementation
entirely so JSBoundFunction is no more.

Instead we just return a regular JS closure with a few
private properties hanging off it that allow us to perform
the necessary bound function fakery. While most of this is
simple, a couple of key changes:

- The parser and lexer now directly track whether they're
parsing code for call or construct and convert the private
name @IsConstructor into TRUETOK or FALSETOK as appropriate.
This automatically gives us the ability to vary behaviour
from within the builtin. It also leaves a lot of headroom
for trivial future improvements.
- The instanceof operator now uses the prototypeForHasInstance
private name, and we have a helper function to ensure that
all objects that need to can update their magical 'prototype'
property pair correctly.

* API/JSScriptRef.cpp:
(parseScript):
* JavaScriptCore.xcodeproj/project.pbxproj:
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createBuiltinExecutable):
* builtins/Function.prototype.js:
(bind.bindingFunction):
(bind.else.bindingFunction):
(bind):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::generateFunctionCodeBlock):
* bytecompiler/NodesCodegen.cpp:
(JSC::InstanceOfNode::emitBytecode):
* interpreter/Interpreter.cpp:
* parser/Lexer.cpp:
(JSC::Lexer<T>::Lexer):
(JSC::Lexer<LChar>::parseIdentifier):
(JSC::Lexer<UChar>::parseIdentifier):
* parser/Lexer.h:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::Parser):
(JSC::Parser<LexerType>::parseInner):
* parser/Parser.h:
(JSC::parse):
* parser/ParserModes.h:
* runtime/CodeCache.cpp:
(JSC::CodeCache::getGlobalCodeBlock):
(JSC::CodeCache::getFunctionExecutableFromGlobalCode):
* runtime/CommonIdentifiers.h:
* runtime/Completion.cpp:
(JSC::checkSyntax):
* runtime/Executable.cpp:
(JSC::ProgramExecutable::checkSyntax):
* runtime/FunctionPrototype.cpp:
(JSC::FunctionPrototype::addFunctionProperties):
(JSC::functionProtoFuncBind): Deleted.
* runtime/JSBoundFunction.cpp: Removed.
* runtime/JSBoundFunction.h: Removed.
* runtime/JSFunction.cpp:
(JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
(JSC::RetrieveCallerFunctionFunctor::operator()):
(JSC::retrieveCallerFunction):
(JSC::JSFunction::getOwnPropertySlot):
(JSC::JSFunction::defineOwnProperty):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncSetTypeErrorAccessor):
* runtime/JSGlobalObjectFunctions.h:
* runtime/JSObject.h:
(JSC::JSObject::inlineGetOwnPropertySlot):

2014-04-12 Filip Pizlo <fpizlo@apple.com>

Math.fround() should be an intrinsic
https://bugs.webkit.org/show_bug.cgi?id=131583

Reviewed by Geoffrey Garen.

Makes programs that use Math.fround() run up to 6x faster.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsic):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileArithFRound):
* runtime/Intrinsic.h:
* runtime/MathObject.cpp:
(JSC::MathObject::finishCreation):

2014-04-12 Filip Pizlo <fpizlo@apple.com>

FTL should use stackmap register liveness
https://bugs.webkit.org/show_bug.cgi?id=130791

Reviewed by Geoffrey Garen.

Enable the stackmap register liveness support by fixing the two last bugs:

- If everything is dead after the patchpoint - a good possibility for a put_by_id -
then we shouldn't crash due to a null scratch buffer.

- Always consider callee-saves as if they were live. More precisely, we should
consider those callee-saves that are not saved by the enclosing function to be live.
For now we do the much simpler thing and consider callee-saves to be always live
since it has minimal impact on the scratch register allocator. It will know not to
preserve those for calls, anyway.

I tried writing a test for the null scratch buffer thing, but failed. I will land the
test anyway since it seems useful.

* ftl/FTLCompile.cpp:
(JSC::FTL::usedRegistersFor):
* jit/ScratchRegisterAllocator.cpp:
(JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
(JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
* runtime/Options.h:
* tests/stress/repeated-put-by-id-reallocating-transition.js: Added.
(foo):

2014-04-11 Filip Pizlo <fpizlo@apple.com>

DFG::FixupPhase should insert conversion nodes after the rest of fixup so that we know how the types settled
https://bugs.webkit.org/show_bug.cgi?id=131424

Reviewed by Geoffrey Garen.

This defers type conversion injection until we've decided on types. This makes the
process of deciding types a bit more flexible - for example we can naturally fixpoint
and change our minds. Only when things are settled do we actually insert conversions.

This is a necessary prerequisite for keeping double, int52, and JSValue data flow
separate. A SetLocal/GetLocal will appear to be JSValue until we fixpoint and realize
that there are typed uses. If we were eagerly inserting type conversions then we would
first insert a to/from-JSValue conversion in some cases only to then replace it by
the other conversions. It's probably trivial to remove those redundant conversions later
but I think it's better if we don't insert them to begin with.

* bytecode/CodeOrigin.h:
(JSC::CodeOrigin::operator!):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::run):
(JSC::DFG::FixupPhase::fixupBlock):
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
(JSC::DFG::FixupPhase::fixEdge):
(JSC::DFG::FixupPhase::fixIntEdge):
(JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
(JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
(JSC::DFG::FixupPhase::addRequiredPhantom):
(JSC::DFG::FixupPhase::addPhantomsIfNecessary):
(JSC::DFG::FixupPhase::clearPhantomsAtEnd):
(JSC::DFG::FixupPhase::observeUntypedEdge): Deleted.
(JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): Deleted.
(JSC::DFG::FixupPhase::injectInt32ToDoubleNode): Deleted.

2014-04-11 Brian J. Burg <burg@cs.washington.edu>

Web Replay: code generator should consider enclosing class when computing duplicate type names
https://bugs.webkit.org/show_bug.cgi?id=131554

Reviewed by Timothy Hatcher.

We need to prepend an enum's enclosing class, if any, so that multiple enums with the same name
can coexist without triggering a "duplicate types" error. Now, such enums must be referenced
by the enclosing class and enum name.

Added tests for the new syntax, and rebaselined one test to reflect a previous patch's change.

* replay/scripts/CodeGeneratorReplayInputs.py:
(Type.type_name): Prepend the enclosing class name.
(Type.type_name.is):
* replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Added.
* replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Added.
* replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Added.
* replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Rebaseline.
* replay/scripts/tests/fail-on-duplicate-enum-type.json: Added.
* replay/scripts/tests/generate-enums-with-same-base-name.json: Added.

2014-04-11 Gavin Barraclough <baraclough@apple.com>

Rollout - Rewrite Function.bind as a builtin
https://bugs.webkit.org/show_bug.cgi?id=131083

Unreviewed.

Rolling out r167020 while investigating a performance regression.

* API/JSObjectRef.cpp:
(JSObjectMakeConstructor):
* API/JSScriptRef.cpp:
(parseScript):
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createBuiltinExecutable):
* builtins/Function.prototype.js:
(apply):
(bind.bindingFunction): Deleted.
(bind.else.bindingFunction): Deleted.
(bind): Deleted.
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::generateFunctionCodeBlock):
* bytecompiler/NodesCodegen.cpp:
(JSC::InstanceOfNode::emitBytecode):
* interpreter/Interpreter.cpp:
* parser/Lexer.cpp:
(JSC::Lexer<T>::Lexer):
(JSC::Lexer<LChar>::parseIdentifier):
(JSC::Lexer<UChar>::parseIdentifier):
* parser/Lexer.h:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::Parser):
(JSC::Parser<LexerType>::parseInner):
* parser/Parser.h:
(JSC::parse):
* parser/ParserModes.h:
* runtime/ArgumentsIteratorConstructor.cpp:
(JSC::ArgumentsIteratorConstructor::finishCreation):
* runtime/ArrayConstructor.cpp:
(JSC::ArrayConstructor::finishCreation):
* runtime/BooleanConstructor.cpp:
(JSC::BooleanConstructor::finishCreation):
* runtime/CodeCache.cpp:
(JSC::CodeCache::getGlobalCodeBlock):
(JSC::CodeCache::getFunctionExecutableFromGlobalCode):
* runtime/CommonIdentifiers.h:
* runtime/Completion.cpp:
(JSC::checkSyntax):
* runtime/DateConstructor.cpp:
(JSC::DateConstructor::finishCreation):
* runtime/ErrorConstructor.cpp:
(JSC::ErrorConstructor::finishCreation):
* runtime/Executable.cpp:
(JSC::ProgramExecutable::checkSyntax):
* runtime/FunctionConstructor.cpp:
(JSC::FunctionConstructor::finishCreation):
* runtime/FunctionPrototype.cpp:
(JSC::FunctionPrototype::addFunctionProperties):
(JSC::functionProtoFuncBind):
* runtime/JSArrayBufferConstructor.cpp:
(JSC::JSArrayBufferConstructor::finishCreation):
* runtime/JSBoundFunction.cpp: Added.
(JSC::boundFunctionCall):
(JSC::boundFunctionConstruct):
(JSC::JSBoundFunction::create):
(JSC::JSBoundFunction::destroy):
(JSC::JSBoundFunction::customHasInstance):
(JSC::JSBoundFunction::JSBoundFunction):
(JSC::JSBoundFunction::finishCreation):
(JSC::JSBoundFunction::visitChildren):
* runtime/JSBoundFunction.h: Added.
(JSC::JSBoundFunction::targetFunction):
(JSC::JSBoundFunction::boundThis):
(JSC::JSBoundFunction::boundArgs):
(JSC::JSBoundFunction::createStructure):
* runtime/JSFunction.cpp:
(JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
(JSC::RetrieveCallerFunctionFunctor::operator()):
(JSC::retrieveCallerFunction):
(JSC::JSFunction::getOwnPropertySlot):
(JSC::JSFunction::getOwnNonIndexPropertyNames):
(JSC::JSFunction::put):
(JSC::JSFunction::defineOwnProperty):
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncSetTypeErrorAccessor): Deleted.
* runtime/JSGlobalObjectFunctions.h:
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectPrototypeProperty): Deleted.
(JSC::JSObject::putDirectPrototypePropertyWithoutTransitions): Deleted.
* runtime/JSObject.h:
* runtime/JSPromiseConstructor.cpp:
(JSC::JSPromiseConstructor::finishCreation):
* runtime/MapConstructor.cpp:
(JSC::MapConstructor::finishCreation):
* runtime/MapIteratorConstructor.cpp:
(JSC::MapIteratorConstructor::finishCreation):
* runtime/NameConstructor.cpp:
(JSC::NameConstructor::finishCreation):
* runtime/NativeErrorConstructor.cpp:
(JSC::NativeErrorConstructor::finishCreation):
* runtime/NumberConstructor.cpp:
(JSC::NumberConstructor::finishCreation):
* runtime/ObjectConstructor.cpp:
(JSC::ObjectConstructor::finishCreation):
* runtime/RegExpConstructor.cpp:
(JSC::RegExpConstructor::finishCreation):
* runtime/SetConstructor.cpp:
(JSC::SetConstructor::finishCreation):
* runtime/SetIteratorConstructor.cpp:
(JSC::SetIteratorConstructor::finishCreation):
* runtime/StringConstructor.cpp:
(JSC::StringConstructor::finishCreation):
* runtime/WeakMapConstructor.cpp:
(JSC::WeakMapConstructor::finishCreation):

2014-04-11 David Kilzer <ddkilzer@apple.com>

[ASan] Build broke because libCompileRuntimeToLLVMIR.a links to libclang_rt.asan_osx_dynamic.dylib
<http://webkit.org/b/131556>
<rdar://problem/16591856>

Reviewed by Brent Fulgham.

* Configurations/CompileRuntimeToLLVMIR.xcconfig: Clear
OTHER_LDFLAGS so the ASan build does not try to link to
libclang_rt.asan_osx_dynamic.dylib.

2014-04-11 Mark Lam <mark.lam@apple.com>

JSMainThreadExecState::call() should clear exceptions before returning.
<https://webkit.org/b/131530>

Reviewed by Geoffrey Garen.

Added a version of JSC::call() that returns any uncaught exception instead
of leaving it pending in the VM.

As part of this change, I updated various parts of the code base to use the
new API as needed.

* bindings/ScriptFunctionCall.cpp:
(Deprecated::ScriptFunctionCall::call):
- ScriptFunctionCall::call() is only used by the inspector to inject scripts.
The injected scripts will include Inspector scripts that should catch
and handle any exceptions that were thrown. We should not be seeing any
exceptions returned from this call. However, we do have checks for
exceptions in case there are bugs in the Inspector scripts which allowed
the exception to leak through. Hence, it is proper to clear the exception
here, and only record the fact that an exception was seen (if present).

* bindings/ScriptFunctionCall.h:
* inspector/InspectorEnvironment.h:
* runtime/CallData.cpp:
(JSC::call):
* runtime/CallData.h:

2014-04-11 Oliver Hunt <oliver@apple.com>

Add BuiltinLog function to make debugging builtins easier
https://bugs.webkit.org/show_bug.cgi?id=131550

Reviewed by Andreas Kling.

Add a logging function that builtins can use for debugging.

* runtime/CommonIdentifiers.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncBuiltinLog):
* runtime/JSGlobalObjectFunctions.h:

2014-04-11 Julien Brianceau <jbriance@cisco.com>

Fix LLInt for sh4 architecture (broken since C stack merge).
https://bugs.webkit.org/show_bug.cgi?id=131532

Reviewed by Mark Lam.

This patch fixes the build and also implements sh4 parts for initPCRelative and
setEntryAddress macros introduced in http://trac.webkit.org/changeset/167094.

* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* offlineasm/instructions.rb:
* offlineasm/sh4.rb:

2014-04-10 Michael Saboff <msaboff@apple.com>

Crash beneath DFG JIT code @ video.disney.com
https://bugs.webkit.org/show_bug.cgi?id=131447

Reviewed by Geoffrey Garen.

The 32-bit path of speculateMisc() uses an 'is not int32' check followed by
a 'tag not less than Undefined' check. The first check was incorrectly elided if we
knew that the value *was* an int32, when it should have been elided if we already
knew that the value *was not* an int32.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculateMisc):
* tests/stress/test-spec-misc.js: Added test.
(getX):
(foo):
(bar):

2014-04-08 Filip Pizlo <fpizlo@apple.com>

Make room for additional types in SpeculatedType.h
https://bugs.webkit.org/show_bug.cgi?id=131422

Reviewed by Sam Weinig.

This'll make it easier to add DoubleHeavyNaN and DoubleEmptyNaN.

* bytecode/SpeculatedType.h:

2014-04-10 Alex Christensen <achristensen@webkit.org>

Compile fix for Win64.
https://bugs.webkit.org/show_bug.cgi?id=131508

Reviewed by Geoffrey Garen.

* assembler/X86Assembler.h:
(JSC::X86Assembler::fillNops):
Added unsigned template parameter to distinguish between size_t and unsigned long.

2014-04-10 Michael Saboff <msaboff@apple.com>

LLInt interpreter code should be generated as part of one function
https://bugs.webkit.org/show_bug.cgi?id=131205

Reviewed by Mark Lam.

Changed the generation of llint opcodes so that they are all part of the same
global function, llint_entry. That function is used to fill in an entry point
table that includes each of the opcodes and helpers.

* CMakeLists.txt:
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
* JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
* JavaScriptCore.xcodeproj/project.pbxproj:
Added appropriate use of new -I option to offline assembler and offset
generator scripts.

* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter.cpp:
* llint/LowLevelInterpreter.h:
* offlineasm/arm.rb:
* offlineasm/arm64.rb:
* offlineasm/asm.rb:
* offlineasm/ast.rb:
* offlineasm/backends.rb:
* offlineasm/cloop.rb:
* offlineasm/generate_offset_extractor.rb:
* offlineasm/instructions.rb:
* offlineasm/parser.rb:
* offlineasm/registers.rb:
* offlineasm/self_hash.rb:
* offlineasm/settings.rb:
* offlineasm/transform.rb:
* offlineasm/x86.rb:
Added a new "global" keyword to the offline assembler that denotes a label that
should be exported. Added opcode and operand support to get the absolute
address of a local label using position independent calculations. Updated the
offline assembler to handle included files, both when generating the checksum
as well as including files from other than the local directory via a newly
added -I option. The offline assembler now automatically determines external
functions by keeping track of referenced functions that are defined within the
assembly source. This is used both for choosing the correct macro for external
references as well as generating the needed EXTERN directives for masm.
Updated the generation of the masm only .sym file to be written once at the end
of the offline assembler.

* assembler/MacroAssemblerCodeRef.h:
(JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
(JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt):
* bytecode/Opcode.h:
(JSC::padOpcodeName):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFromLLInt):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JITStubs.h:
* llint/LLIntCLoop.cpp:
(JSC::LLInt::initialize):
* llint/LLIntData.h:
(JSC::LLInt::getCodeFunctionPtr):
(JSC::LLInt::getOpcode): Deleted.
(JSC::LLInt::getCodePtr): Deleted.
* llint/LLIntOpcode.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntThunks.cpp:
(JSC::LLInt::functionForCallEntryThunkGenerator):
(JSC::LLInt::functionForConstructEntryThunkGenerator):
(JSC::LLInt::functionForCallArityCheckThunkGenerator):
(JSC::LLInt::functionForConstructArityCheckThunkGenerator):
(JSC::LLInt::evalEntryThunkGenerator):
(JSC::LLInt::programEntryThunkGenerator):
* llint/LLIntThunks.h:
Changed references to llint helpers to go through the entry point table populated
by llint_entry. Added helpers to OpcodeID enum for all builds.

* bytecode/BytecodeList.json:
* generate-bytecode-files:
* llint/LLIntCLoop.cpp:
(JSC::LLInt::CLoop::initialize):
Reordered sections to match the order that the functions are added to the entry point
table. Added new "asmPrefix" property for symbols that have one name but are generated
with a prefix, e.g. op_enter -> llint_op_enter. Eliminated the "emitDefineID" property
as we are using enums for all bytecode references. Changed the C Loop only
llint_c_loop_init to llint_entry.

2014-04-10 Matthew Mirman <mmirman@apple.com>

WIP for inlining C++. Added a build target to produce LLVM IR.
https://bugs.webkit.org/show_bug.cgi?id=130523

Reviewed by Mark Rowe.

* JavaScriptCore.xcodeproj/project.pbxproj:
* build-symbol-table-index.py: Added.
* build-symbol-table-index.sh: Added.
* Configurations/CompileRuntimeToLLVMIR.xcconfig: Added.
* copy-llvm-ir-to-derived-sources.sh: Added.

2014-04-10 Brian J. Burg <burg@cs.washington.edu>

Web Replay: memoize plugin data for navigator.mimeTypes and navigator.plugins
https://bugs.webkit.org/show_bug.cgi?id=131341

Reviewed by Timothy Hatcher.

Add support for encoding/decoding unsigned long with EncodedValue.
It is a distinct type from uint32_t and uint64_t.

* replay/EncodedValue.cpp:
(JSC::EncodedValue::convertTo<unsigned long>):
* replay/EncodedValue.h:

2014-04-10 Mark Lam <mark.lam@apple.com>

LLINT loadisFromInstruction should handle the big endian case.
<https://webkit.org/b/131495>

Reviewed by Mark Hahnenberg.

The LLINT loadisFromInstruction macro aims to load the least significant
32-bit word from the 64-bit bytecode instruction stream and sign extend
it. For big endian machines, the current implementation would load the
wrong 32-bit word.

Without this fix, the JSC tests will crash on big endian machines.
Thanks to Tomas Popela for diagnosing this issue.

* llint/LowLevelInterpreter.asm:

2014-04-09 Mark Lam <mark.lam@apple.com>

Temporarily disable the JIT for the Windows port.
<https://webkit.org/b/131470>

Reviewed by Brent Fulgham.

This is a temporary stopgap measure to green the Windows bots until
we have a fix for https://webkit.org/b/131182.

* runtime/Options.cpp:
(JSC::recomputeDependentOptions):

2014-04-09 Juergen Ributzka <juergen@apple.com>

[FTL] Emit multibyte NOPs on X86-64
https://bugs.webkit.org/show_bug.cgi?id=131394

Reviewed by Michael Saboff.

* assembler/X86Assembler.h:
(JSC::X86Assembler::fillNops):

2014-04-09 Julien Brianceau <jbriance@cisco.com>

Get rid of JITOperationWrappers.h header file.
https://bugs.webkit.org/show_bug.cgi?id=131450

Reviewed by Michael Saboff.

JITOperationWrappers header file contains architecture specific code that is
not needed anymore, so get rid of it.

* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGOperations.cpp:
* jit/JITOperationWrappers.h: Removed.
* jit/JITOperations.cpp:

2014-04-09 Mark Lam <mark.lam@apple.com>

Ensure that LLINT accessing of the ProtoCallFrame is big endian friendly.
<https://webkit.org/b/131449>

Reviewed by Mark Hahnenberg.

Change ProtoCallFrame::paddedArgCount to be of type uint32_t. The argCount
that it pads is of type int anyway. It doesn't need to be 64 bit. This
also makes it work with the LLINT which is loading it with a loadi
instruction.

We should add the PayLoadOffset to ProtoCallFrame::argCountAndCodeOriginValue
when loading the argCount.

The paddedArgCount issue was causing failures when running the JSC tests on a
64-bit big endian machine. In this case, the paddedArgCount in the
ProtoCallFrame has the value 2. However, because the paddedArgCount was stored
as a 64-bit size_t and the LLINT was loading only the low-address 32 bits of
that field, the LLINT got a value of 0 instead of the expected 2. With this
patch, we now have a matching store and load of a 32-bit value, and endianness
no longer comes into play.

As for ProtoCallFrame::argCountAndCodeOriginValue, the argCount is stored in
the payload field of the Register. In the definition of EncodedValueDescriptor,
we already ensure that the payload is in the least significant 32-bits for
little endian machines, and in the most significant 32-bits for big endian
machines. This means that there is no endianness bug when loading this value
using loadi. However, adding the PayLoadOffset clarifies the intent of the
code to load the payload part of the Register value.

* interpreter/ProtoCallFrame.h:
(JSC::ProtoCallFrame::setPaddedArgCount):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:

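The mixed-width access that both of Mark Lam's big endian entries describe (loadisFromInstruction reading the least significant word of a 64-bit instruction slot, and the LLINT reading paddedArgCount with a 32-bit loadi), as an added illustration that is not JavaScriptCore's LLInt or ProtoCallFrame code. Both byte layouts are simulated in a byte array so the effect can be reproduced on any host; the Endian enum, the function names and the payloadOffset helper are this example's own, with payloadOffset standing in for the role the entry gives PayLoadOffset.

```cpp
#include <cstddef>
#include <cstdint>

// Added illustration, not JavaScriptCore's LLInt or ProtoCallFrame code. It
// models a 32-bit load taken at the lowest address of a 64-bit field versus
// the same load taken at the field's payload offset, on both byte orders.
enum class Endian { Little, Big };

// Lay out a 64-bit value in memory as a machine of the given endianness would.
void storeU64(uint8_t slot[8], uint64_t value, Endian e)
{
    for (int i = 0; i < 8; ++i) {
        int byteIndex = (e == Endian::Little) ? i : 7 - i;
        slot[byteIndex] = static_cast<uint8_t>(value >> (8 * i));
    }
}

// Same for a 32-bit value.
void storeU32(uint8_t slot[4], uint32_t value, Endian e)
{
    for (int i = 0; i < 4; ++i) {
        int byteIndex = (e == Endian::Little) ? i : 3 - i;
        slot[byteIndex] = static_cast<uint8_t>(value >> (8 * i));
    }
}

// A 32-bit load ("loadi") of the four bytes at p, in the machine's own order.
uint32_t loadU32(const uint8_t* p, Endian e)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; ++i) {
        int byteIndex = (e == Endian::Little) ? i : 3 - i;
        v |= static_cast<uint32_t>(p[byteIndex]) << (8 * i);
    }
    return v;
}

// The old pattern: a 64-bit field is written, then 32 bits are read from its
// lowest address. Correct only where the low word lives at the low address.
uint32_t loadLowAddressWord(uint64_t field, Endian e)
{
    uint8_t slot[8];
    storeU64(slot, field, e);
    return loadU32(slot, e);
}

// Offset of the least significant word inside a 64-bit slot; this is the role
// the entry's PayLoadOffset plays for argCountAndCodeOriginValue.
size_t payloadOffset(Endian e)
{
    return e == Endian::Little ? 0 : 4;
}

// Corrected 64-bit access: add the payload offset before the 32-bit load.
uint32_t loadPayloadWord(uint64_t field, Endian e)
{
    uint8_t slot[8];
    storeU64(slot, field, e);
    return loadU32(slot + payloadOffset(e), e);
}

// "loadis": the payload word sign-extended to a wider integer, which is what
// loadisFromInstruction needs for operands that can be negative.
int64_t loadPayloadWordSigned(uint64_t field, Endian e)
{
    return static_cast<int32_t>(loadPayloadWord(field, e));
}

// The paddedArgCount fix: make the field itself 32 bits wide, so a 32-bit
// store and a 32-bit load at the same address agree on every byte order.
uint32_t loadNarrowField(uint32_t field, Endian e)
{
    uint8_t slot[4];
    storeU32(slot, field, e);
    return loadU32(slot, e);
}
```

Storing the value 2 in a 64-bit field and reading its low-address word gives 2 on little endian and 0 on big endian, which is the failure the entry reports; adding the payload offset, or narrowing the field to 32 bits, gives 2 on both.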
2014-04-08 Oliver Hunt <oliver@apple.com>

Rewrite Function.bind as a builtin
https://bugs.webkit.org/show_bug.cgi?id=131083

Reviewed by Geoffrey Garen.

This change removes the existing function.bind implementation
entirely so JSBoundFunction is no more.

Instead we just return a regular JS closure with a few
private properties hanging off it that allow us to perform
the necessary bound function fakery. While most of this is
simple, a couple of key changes:

- The parser and lexer now directly track whether they're
parsing code for call or construct and convert the private
name @IsConstructor into TRUETOK or FALSETOK as appropriate.
This automatically gives us the ability to vary behaviour
from within the builtin. It also leaves a lot of headroom
for trivial future improvements.
- The instanceof operator now uses the prototypeForHasInstance
private name, and we have a helper function to ensure that
all objects that need to can update their magical 'prototype'
property pair correctly.

* API/JSScriptRef.cpp:
(parseScript):
* JavaScriptCore.xcodeproj/project.pbxproj:
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createBuiltinExecutable):
* builtins/Function.prototype.js:
(bind.bindingFunction):
(bind.else.bindingFunction):
(bind):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::generateFunctionCodeBlock):
* bytecompiler/NodesCodegen.cpp:
(JSC::InstanceOfNode::emitBytecode):
* interpreter/Interpreter.cpp:
* parser/Lexer.cpp:
(JSC::Lexer<T>::Lexer):
(JSC::Lexer<LChar>::parseIdentifier):
(JSC::Lexer<UChar>::parseIdentifier):
* parser/Lexer.h:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::Parser):
(JSC::Parser<LexerType>::parseInner):
* parser/Parser.h:
(JSC::parse):
* parser/ParserModes.h:
* runtime/CodeCache.cpp:
(JSC::CodeCache::getGlobalCodeBlock):
(JSC::CodeCache::getFunctionExecutableFromGlobalCode):
* runtime/CommonIdentifiers.h:
* runtime/Completion.cpp:
(JSC::checkSyntax):
* runtime/Executable.cpp:
(JSC::ProgramExecutable::checkSyntax):
* runtime/FunctionPrototype.cpp:
(JSC::FunctionPrototype::addFunctionProperties):
(JSC::functionProtoFuncBind): Deleted.
* runtime/JSBoundFunction.cpp: Removed.
* runtime/JSBoundFunction.h: Removed.
* runtime/JSFunction.cpp:
(JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
(JSC::RetrieveCallerFunctionFunctor::operator()):
(JSC::retrieveCallerFunction):
(JSC::JSFunction::getOwnPropertySlot):
(JSC::JSFunction::defineOwnProperty):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncSetTypeErrorAccessor):
* runtime/JSGlobalObjectFunctions.h:
* runtime/JSObject.h:
(JSC::JSObject::inlineGetOwnPropertySlot):

2014-04-08 Jon Lee <jonlee@apple.com>

Turn MSE on by default
https://bugs.webkit.org/show_bug.cgi?id=131313
<rdar://problem/16525223>

Reviewed by Jer Noble.

* Configurations/FeatureDefines.xcconfig:

2014-04-08 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: Prevent deadlocks receiving WIRPermissionDenied message
https://bugs.webkit.org/show_bug.cgi?id=131406

Reviewed by Timothy Hatcher.

* inspector/remote/RemoteInspector.h:
* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::stop):
(Inspector::RemoteInspector::stopInternal):
(Inspector::RemoteInspector::xpcConnectionReceivedMessage):
Provide a way to stop externally and a path to stop when in
the middle of handling a message already with the locked mutex.

* inspector/remote/RemoteInspectorXPCConnection.h:
* inspector/remote/RemoteInspectorXPCConnection.mm:
(Inspector::RemoteInspectorXPCConnection::close):
(Inspector::RemoteInspectorXPCConnection::closeFromMessage):
Provide a way to close externally and a path to close when in
the middle of handling a message already with a mutex.

2014-04-08 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: Address stale FIXMEs concerning console in JSContext inspection
https://bugs.webkit.org/show_bug.cgi?id=131398

Reviewed by Timothy Hatcher.

* inspector/InjectedScriptSource.js:
The console object can be deleted from a page or JSContext,
so keep code that expects that it could have been deleted
to be resilient in those cases.

* inspector/JSGlobalObjectScriptDebugServer.h:
* inspector/agents/JSGlobalObjectDebuggerAgent.h:
* inspector/agents/JSGlobalObjectRuntimeAgent.h:
Change the FIXMEs to NOTEs that explain why these functions
have empty implementations for JSContext inspection.

2014-04-08 Filip Pizlo <fpizlo@apple.com>

Unreviewed, fix a goofy assertion to fix debug.

* bytecode/PolymorphicPutByIdList.h:
(JSC::PutByIdAccess::isSetter):
(JSC::PutByIdAccess::oldStructure):
(JSC::PutByIdAccess::chain):
(JSC::PutByIdAccess::stubRoutine):
(JSC::PutByIdAccess::customSetter):

2014-04-08 Filip Pizlo <fpizlo@apple.com>

Fail silently if the LLVM dylib isn't found
https://bugs.webkit.org/show_bug.cgi?id=131385

Reviewed by Mark Hahnenberg.

* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* llvm/InitializeLLVM.cpp:
(JSC::initializeLLVM):
* llvm/InitializeLLVM.h:
* llvm/InitializeLLVMPOSIX.cpp:
(JSC::initializeLLVMPOSIX):

2014-04-07 Filip Pizlo <fpizlo@apple.com>

Repatch should support setters and plant calls to them directly
https://bugs.webkit.org/show_bug.cgi?id=130750

Reviewed by Geoffrey Garen.

All of the infrastructure was in place so this just enables setter optimization.
7435
7436 This is a 12x speed-up on setter microbenchmarks. This is a 1% speed-up on Octane.
7437
7438 * bytecode/PolymorphicPutByIdList.cpp:
7439 (JSC::PutByIdAccess::visitWeak):
7440 * bytecode/PolymorphicPutByIdList.h:
7441 (JSC::PutByIdAccess::setter):
7442 (JSC::PutByIdAccess::customSetter): Deleted.
7443 * bytecode/PutByIdStatus.cpp:
7444 (JSC::PutByIdStatus::computeForStubInfo):
7445 * jit/Repatch.cpp:
7446 (JSC::toString):
7447 (JSC::kindFor):
7448 (JSC::customFor):
7449 (JSC::generateByIdStub):
7450 (JSC::tryCachePutByID):
7451 (JSC::tryBuildPutByIdList):
7452 * runtime/JSObject.cpp:
7453 (JSC::JSObject::put):
7454 * runtime/Lookup.h:
7455 (JSC::putEntry):
7456 * runtime/PutPropertySlot.h:
7457 (JSC::PutPropertySlot::setCacheableSetter):
7458 (JSC::PutPropertySlot::isCacheableSetter):
7459 (JSC::PutPropertySlot::isCacheableCustom):
7460 (JSC::PutPropertySlot::setCacheableCustomProperty): Deleted.
7461 (JSC::PutPropertySlot::isCacheableCustomProperty): Deleted.
7462 * tests/stress/setter.js: Added.
7463 (foo):
7464
74652014-04-07 Filip Pizlo <fpizlo@apple.com>
7466
7467 Setters are just getters that take an extra argument and don't return a value
7468 https://bugs.webkit.org/show_bug.cgi?id=131336
7469
7470 Reviewed by Geoffrey Garen.
7471
7472 Other than that, they're totally the same thing.
7473
7474 This isn't as dumb as it sounds.
7475
7476 Most of the work in calling an accessor has to do with emitting the necessary checks for
7477 figuring out whether we're calling the accessor we expected, followed by the boilerplate
7478 needed for setting up a call inside of a stub. It makes sense for the code to be totally
7479 common.
7480
7481 * jit/AssemblyHelpers.h:
7482 (JSC::AssemblyHelpers::storeValue):
7483 (JSC::AssemblyHelpers::moveTrustedValue):
7484 * jit/CCallHelpers.h:
7485 (JSC::CCallHelpers::setupResults):
7486 * jit/Repatch.cpp:
7487 (JSC::kindFor):
7488 (JSC::customFor):
7489 (JSC::generateByIdStub):
7490 (JSC::tryCacheGetByID):
7491 (JSC::tryBuildGetByIDList):
7492 (JSC::tryCachePutByID):
7493 (JSC::tryBuildPutByIdList):
7494 (JSC::generateGetByIdStub): Deleted.
7495 (JSC::emitCustomSetterStub): Deleted.
7496 * runtime/JSCJSValue.h:
7497 (JSC::JSValue::asValue):
7498 * runtime/PutPropertySlot.h:
7499 (JSC::PutPropertySlot::cachedOffset):
7500
75012014-04-07 Joseph Pecoraro <pecoraro@apple.com>
7502
7503 Web Inspector: Hang in debuggable application after receiving WIRPermissionDenied
7504 https://bugs.webkit.org/show_bug.cgi?id=131321
7505
7506 Reviewed by Mark Rowe.
7507
7508 * inspector/remote/RemoteInspector.mm:
7509 (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
7510 Avoid attempting to take the same lock twice. Move the received message
7511 lock grab after the WIRPermissionDenied branch, which takes the lock
7512 inside RemoteInspector::stop.
7513
75142014-04-07 Filip Pizlo <fpizlo@apple.com>
7515
7516 Make it possible to disable some of the FTL's more interesting features
7517 https://bugs.webkit.org/show_bug.cgi?id=131312
7518
7519 Reviewed by Mark Hahnenberg.
7520
7521 * dfg/DFGByteCodeParser.cpp:
7522 (JSC::DFG::ByteCodeParser::handleGetById):
7523 (JSC::DFG::ByteCodeParser::handlePutById):
7524 (JSC::DFG::ByteCodeParser::parse):
7525 * runtime/Options.h:
7526
75272014-04-04 Mark Lam <mark.lam@apple.com>
7528
7529 Date object needs to check for ES5 15.9.1.14 TimeClip limit.
7530 <https://webkit.org/b/131248>
7531
7532 Reviewed by Mark Hahnenberg.
7533
7534 The current Date object code does not adequately check for the ES5
7535 15.9.1.14 TimeClip limit. As a result, some calculations can underflow
7536 / overflow and produce unexpected results.
7537
7538 For example, we were getting an assertion failure in
7539 WTF::equivalentYearForDST() due int underflows in this function, which
7540 in turn were due to an int overflow in WTF::msToYear().
7541
7542 This patch adds the needed checks, and adds some assertions to ensure
7543 that the used values are sane.
7544
7545 The changes have no noticeable impact on benchmark results.
7546
7547 * runtime/DateConstructor.cpp:
7548 (JSC::callDate):
7549 * runtime/JSDateMath.cpp:
7550 (JSC::localTimeOffset):
7551 (JSC::gregorianDateTimeToMS):
7552 (JSC::msToGregorianDateTime):
7553 (JSC::parseDateFromNullTerminatedCharacters):
7554 (JSC::parseDate):
7555 * runtime/JSDateMath.h:
7556 - parseDateFromNullTerminatedCharacters() does not need to be public.
7557 Made it a static function.
7558 * runtime/VM.cpp:
7559 (JSC::VM::resetDateCache):
7560 - Changed cachedDateStringValue to use std::numeric_limits<double>::quiet_NaN()
7561 to be consistent with other Date code.
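Added example (not part of this ChangeLog and not JSC/WTF code) showing what the ES5 15.9.1.14 TimeClip check in the entry above buys: a time value is either kept within +/-8.64e15 ms or replaced with NaN before it reaches integer arithmetic, so a msToYear-style conversion cannot overflow an int. The names timeClip() and safeMsToYear() and the coarse year approximation are assumptions of this example, not WTF's implementation.

```cpp
#include <cmath>
#include <cstdio>
#include <limits>

// Added example, not JSC/WTF code. ES5 15.9.1.14: a time value whose
// magnitude exceeds 8.64e15 ms (about +/-273,790 years from the epoch)
// is not a valid Date and must become NaN instead of flowing into
// integer arithmetic where it would overflow.
constexpr double kMaxTimeValueMs = 8.64e15;

// TimeClip(time): NaN for out-of-range or non-finite input, otherwise the
// integer part with -0 normalized to +0 (the "+ 0.0" does that).
double timeClip(double t)
{
    if (!std::isfinite(t) || std::fabs(t) > kMaxTimeValueMs)
        return std::numeric_limits<double>::quiet_NaN();
    return std::trunc(t) + 0.0;
}

// Hypothetical stand-in for a msToYear()-style helper (the real WTF code is
// more precise). Once the input is clipped, |ms / msPerDay| <= 1e8 days and
// |days / daysPerYear| <= ~273,791, so the cast below cannot overflow a
// 32-bit int. Returns false instead of computing with an invalid time value.
constexpr double msPerDay = 86400000.0;
constexpr double daysPerYear = 365.2425;

bool safeMsToYear(double ms, int& year)
{
    double clipped = timeClip(ms);
    if (std::isnan(clipped))
        return false;
    double days = std::floor(clipped / msPerDay);
    year = 1970 + static_cast<int>(std::floor(days / daysPerYear));
    return true;
}

int main()
{
    int year = 0;
    std::printf("0 ms    -> %s, year %d\n", safeMsToYear(0, year) ? "ok" : "rejected", year);
    std::printf("1e18 ms -> %s\n", safeMsToYear(1e18, year) ? "ok" : "rejected");
    return 0;
}
```

The rejected case is the one the entry describes: without the clip, 1e18 ms becomes ~1.16e10 days and the conversion to int is undefined behaviour, which is where the int overflow in msToYear() and the downstream assertion in equivalentYearForDST() came from.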

2014-04-06 Csaba Osztrogonác <ossy@webkit.org>

	Unreviewed speculative 32-bit buildfix after r166837.

	* heap/Heap.cpp:
	(JSC::Heap::updateObjectCounts):

2014-04-06 Dan Bernstein <mitz@apple.com>

	32-bit build fix.

	* runtime/JSGlobalObject.cpp:
	(JSC::JSGlobalObject::setInputCursor):

2014-04-04 Brian J. Burg <burg@cs.washington.edu>

	Enable WEB_REPLAY for PLATFORM(MAC)
	https://bugs.webkit.org/show_bug.cgi?id=130700

	Reviewed by Timothy Hatcher.

	* Configurations/FeatureDefines.xcconfig:

2014-04-05 Mark Hahnenberg <mhahnenberg@apple.com>

	Add missing files from r166837

	* heap/GCLogging.cpp: Added.
	(JSC::GCLogging::levelAsString):
	(JSC::LoggingFunctor::LoggingFunctor):
	(JSC::LoggingFunctor::~LoggingFunctor):
	(JSC::LoggingFunctor::operator()):
	(JSC::LoggingFunctor::log):
	(JSC::LoggingFunctor::reviveCells):
	(JSC::LoggingFunctor::returnValue):
	(JSC::GCLogging::dumpObjectGraph):
	* heap/GCLogging.h: Added.

2014-04-04 Mark Hahnenberg <mhahnenberg@apple.com>

	Enhanced GC logging
	https://bugs.webkit.org/show_bug.cgi?id=131246

	Reviewed by Geoff Garen.

	Getting data on the state of the JSC Heap at runtime is currently in a sad state.
	The OBJECT_MARK_LOGGING macro enables some basic GC logging, but it requires a full
	recompile to turn it on. It would be nice if we could runtime enable our GC logging
	infrastructure while incurring minimal cost when it is disabled.

	It would also be nice to get a complete view of the Heap. Currently OBJECT_MARK_LOGGING
	provides us with the discovered roots along with parent-child relationships as objects
	are scanned. However, once an object is scanned it will never be declared as the child
	of another object during that collection. This gives us a tree-like view of the
	Heap (i.e. each scanned node only reports having a single parent), where the actual
	Heap can be an arbitrary graph.

	This patch replaces OBJECT_MARK_LOGGING and gives us these nice-to-haves. First it enhances
	our logGC() runtime Option by changing it to be a tri-state value of None, Basic, or Verbose
	logging levels. None means no logging is done, Basic is what logGC() = true would have done
	prior to this patch, and Verbose logs all object relationships.

	JSCell has new dump/dumpToStream methods, the latter of which is "virtual" to allow
	subclasses to override the default string representation that will be dumped. These
	methods allow JSCells to be dumped using the standard dataLog() calls similar to much of
	the logging infrastructure in our compilers.

	This patch also adds a GCLogging class that handles dumping the relationships between objects.
	It does this by using the pre-existing visitChildren virtual methods to obtain the immediate
	children of each live cell at the end of garbage collection.

	This change meets our goal of being neutral on the benchmarks we track.

	* JavaScriptCore.xcodeproj/project.pbxproj:
	* heap/GCLogging.cpp: Added.
	(JSC::GCLogging::levelAsString):
	(JSC::LoggingFunctor::LoggingFunctor):
	(JSC::LoggingFunctor::operator()):
	(JSC::LoggingFunctor::log):
	(JSC::LoggingFunctor::reviveCells):
	(JSC::LoggingFunctor::returnValue):
	(JSC::GCLogging::dumpObjectGraph):
	* heap/GCLogging.h: Added.
	* heap/GCSegmentedArray.h:
	(JSC::GCSegmentedArray::begin):
	(JSC::GCSegmentedArray::end):
	* heap/Heap.cpp:
	(JSC::Heap::markRoots):
	(JSC::Heap::visitSmallStrings):
	(JSC::Heap::visitConservativeRoots):
	(JSC::Heap::visitCompilerWorklists):
	(JSC::Heap::visitProtectedObjects):
	(JSC::Heap::visitTempSortVectors):
	(JSC::Heap::visitArgumentBuffers):
	(JSC::Heap::visitException):
	(JSC::Heap::visitStrongHandles):
	(JSC::Heap::visitHandleStack):
	(JSC::Heap::traceCodeBlocksAndJITStubRoutines):
	(JSC::Heap::visitWeakHandles):
	(JSC::Heap::updateObjectCounts):
	(JSC::Heap::collect):
	(JSC::Heap::didFinishCollection):
	* heap/Heap.h:
	* heap/MarkStack.h:
	* heap/SlotVisitor.cpp:
	(JSC::SlotVisitor::dump):
	* heap/SlotVisitor.h:
	(JSC::SlotVisitor::markStack):
	* heap/SlotVisitorInlines.h:
	(JSC::SlotVisitor::internalAppend):
	* runtime/ClassInfo.h:
	* runtime/JSCell.cpp:
	(JSC::JSCell::dump):
	(JSC::JSCell::dumpToStream):
	(JSC::JSCell::className):
	* runtime/JSCell.h:
	* runtime/JSCellInlines.h:
	(JSC::JSCell::visitChildren):
	* runtime/JSString.cpp:
	(JSC::JSString::dumpToStream):
	(JSC::JSString::visitChildren):
	* runtime/JSString.h:
	(JSC::JSString::length):
	(JSC::JSRopeString::RopeBuilder::length):
	* runtime/Options.cpp:
	(JSC::parse):
	(JSC::Options::setOption):
	(JSC::Options::dumpOption):
	* runtime/Options.h:

2014-04-05 Mark Hahnenberg <mhahnenberg@apple.com>

	Remove bogus ASSERT in -JSVirtualMachine scanObjectGraph
	https://bugs.webkit.org/show_bug.cgi?id=131251

	Reviewed by Geoffrey Garen.

	* API/JSVirtualMachine.mm:
	(scanExternalObjectGraph):
	* API/tests/testapi.mm:

2014-04-03 Brian J. Burg <burg@cs.washington.edu>

	Web Inspector: hook up probe samples to TimelineAgent's records
	https://bugs.webkit.org/show_bug.cgi?id=131127

	Reviewed by Timothy Hatcher.

	* inspector/ScriptDebugListener.h: Add a proper forward declaration for ScriptBreakpointAction.

2014-04-04 Commit Queue <commit-queue@webkit.org>

	Unreviewed, rolling out r166820.
	https://bugs.webkit.org/show_bug.cgi?id=131256

	Broke builds. (Requested by bdash on #webkit).

	Reverted changeset:

	"WIP for inlining C++. Added a build target to produce llvm
	ir."
	https://bugs.webkit.org/show_bug.cgi?id=130523
	http://trac.webkit.org/changeset/166820

2014-04-04 Matthew Mirman <mmirman@apple.com>

	WIP for inlining C++. Added a build target to produce llvm ir.
	https://bugs.webkit.org/show_bug.cgi?id=130523

	Reviewed by Filip Pizlo.

	The llvm ir gets placed in JavaScriptCoreRuntimeToLLVMir.build with the extension .o

	* JavaScriptCore.xcodeproj/project.pbxproj:
	* build_index.py: Added.
	* Configurations/CompileRuntimeToLLVMir.xcconfig: Added.

2014-04-04 Joseph Pecoraro <pecoraro@apple.com>

	Web Inspector: Log JS Exceptions to System Console if JavaScriptCoreOutputConsoleMessagesToSystemConsole enabled
	https://bugs.webkit.org/show_bug.cgi?id=131241

	Reviewed by Timothy Hatcher.

	* inspector/JSGlobalObjectInspectorController.cpp:
	(Inspector::JSGlobalObjectInspectorController::reportAPIException):
	Log the exception to the system console if system console output is enabled.

2014-04-04 Joseph Pecoraro <pecoraro@apple.com>

	Web Inspector: Provide a way for JSContext console to log to system console
	https://bugs.webkit.org/show_bug.cgi?id=131050

	Reviewed by Timothy Hatcher.

	Applications often re-expose some log -> NSLog functionality.
	We already have the capability ourselves, which includes extra
	information such as sourceURL:line:column, all arguments instead
	of just one argument, and backtrace information on console.trace.
	Therefore it would be convenient if developers could just use
	the built-in console.log and get rich output in both the inspector
	and the console, without writing their own logger.

	The logging will be enabled in debug builds by default, and can be enabled
	otherwise by setting a user default before creating the first context.

	For example, in the application itself:

	[[NSUserDefaults standardUserDefaults] setBool:YES forKey:@"JavaScriptCoreOutputConsoleMessagesToSystemConsole"];

	Or from outside the application:

	shell> defaults write <app-bundle-identifier> JavaScriptCoreOutputConsoleMessagesToSystemConsole -bool YES

	* inspector/JSConsoleClient.h:
	* inspector/JSConsoleClient.cpp:
	(Inspector::JSConsoleClient::logToSystemConsole):
	(Inspector::JSConsoleClient::setLogToSystemConsole):
	(Inspector::JSConsoleClient::initializeLogToSystemConsole):
	(Inspector::JSConsoleClient::JSConsoleClient):
	Global setting for logging to system console. Enabled on
	debug builds, and by a user default on supported platforms.

	(Inspector::JSConsoleClient::messageWithTypeAndLevel):
	Log to system console when the static setting is enabled.

	* runtime/ConsoleClient.h:
	* runtime/ConsoleClient.cpp:
	(JSC::appendURLAndPosition):
	(JSC::appendMessagePrefix):
	(JSC::ConsoleClient::printConsoleMessage):
	(JSC::ConsoleClient::printConsoleMessageWithArguments):
	Clean up printing. Build strings and use WTFLogAlways instead of printf
	for consistent logging.

	* runtime/ConsoleClient.cpp:
	(JSC::ConsoleClient::printConsoleMessageWithArguments):
	Clean up printing. If there is no source URL, don't print a leading colon.

2014-04-04 Mark Hahnenberg <mhahnenberg@apple.com>

	Use JSCell::indexingType instead of Structure::indexingType wherever possible
	https://bugs.webkit.org/show_bug.cgi?id=131230

	Reviewed by Mark Lam.

	Avoid the indirection through the Structure.

	* bytecode/ArrayAllocationProfile.cpp:
	(JSC::ArrayAllocationProfile::updateIndexingType):
	* bytecode/ArrayAllocationProfile.h:
	(JSC::ArrayAllocationProfile::selectIndexingType):
	* heap/HeapStatistics.cpp:
	(JSC::StorageStatistics::operator()):
	* runtime/ArrayPrototype.cpp:
	(JSC::attemptFastSort):
	* runtime/JSGlobalObject.cpp:
	(JSC::JSGlobalObject::objectPrototypeIsSane):
	(JSC::JSGlobalObject::arrayPrototypeChainIsSane):
	(JSC::JSGlobalObject::stringPrototypeChainIsSane):
	* runtime/JSPropertyNameIterator.cpp:
	(JSC::JSPropertyNameIterator::create):

2014-04-04 Mark Hahnenberg <mhahnenberg@apple.com>

	Use JSCell::type instead of TypeInfo::type wherever possible
	https://bugs.webkit.org/show_bug.cgi?id=131229

	Reviewed by Michael Saboff.

	Avoid going through the Structure and reifying the TypeInfo.

	* runtime/Executable.h:
	(JSC::ExecutableBase::isEvalExecutable):
	(JSC::ExecutableBase::isProgramExecutable):

2014-04-03 Andreas Kling <akling@apple.com>

	Fast-path for casting JS wrappers to JSNode.
	<https://webkit.org/b/131196>

	Allow code outside of JSC (well, WebCore) to extend the JSType spectrum
	a little bit. We do this by exposing a LastJSCObjectType constant so
	WebCore can encode its own wrapper types after that.

	Reviewed by Mark Hahnenberg and Geoff Garen.

	* runtime/JSType.h:

	Added LastJSCObjectType for use by WebCore.

	* runtime/JSObject.h:
	(JSC::JSObject::isVariableObject):

	Updated since this can no longer assume that types >= VariableObjectType
	are all variable objects.

2014-04-03 Mark Hahnenberg <mhahnenberg@apple.com>

	All Heap::writeBarriers should be inline
	https://bugs.webkit.org/show_bug.cgi?id=131197

	Reviewed by Mark Lam.

	One is in JSCellInlines.h, another is in Heap.cpp. These are all critical
	enough and small enough to belong in HeapInlines.h. Also added the proper
	ENABLE(GGC) ifdefs to minimize the cost of C++ barriers for !ENABLE(GGC) builds.

	* heap/Heap.cpp:
	(JSC::Heap::writeBarrier): Deleted.
	* heap/Heap.h:
	* heap/HeapInlines.h:
	(JSC::Heap::writeBarrier):
	* runtime/JSCellInlines.h:
	(JSC::Heap::writeBarrier): Deleted.

2014-04-03 Joseph Pecoraro <pecoraro@apple.com>

	Web Inspector: JSContext inspection provide a way to opt-out of including Native Call Stacks in Exception traces reported to Web Inspector
	https://bugs.webkit.org/show_bug.cgi?id=131186

	Reviewed by Geoffrey Garen.

	* API/JSContextPrivate.h:
	* API/JSContext.mm:
	(-[JSContext _includesNativeCallStackWhenReportingExceptions]):
	(-[JSContext _setIncludesNativeCallStackWhenReportingExceptions:]):
	JSContext ObjC SPI to opt-out of including native call stacks in exceptions.

	* API/JSContextRefPrivate.h:
	* API/JSContextRef.cpp:
	(JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
	(JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
	JSContext C SPI to opt-out of including native call stacks in exceptions.

	* inspector/JSGlobalObjectInspectorController.h:
	* inspector/JSGlobalObjectInspectorController.cpp:
	(Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
	(Inspector::JSGlobalObjectInspectorController::reportAPIException):
	Only include the native call stack if the setting is enabled. It is enabled by default.

2014-04-03 Mark Lam <mark.lam@apple.com>

	Fix bit rot in ARMv7 JIT probe mechanism.
	<https://webkit.org/b/131167>

	Reviewed by Geoffrey Garen.

	1. The macro assembler does not support pushing the SP register. Worked
	around this by pushing the LR register as a placeholder, and then
	writing the original SP value to that slot.
	2. The CPUState field in the ProbeContext needs to be aligned on a 4
	byte boundary, not an 8 byte boundary.

	* assembler/MacroAssemblerARMv7.cpp:
	(JSC::MacroAssemblerARMv7::probe):
	* jit/JITStubsARMv7.h:

2014-04-02 Mark Lam <mark.lam@apple.com>

	ARMv7 compare32() should not use TST to do CMP's job.
	<https://webkit.org/b/131146>

	Reviewed by Geoffrey Garen.

	The ARMv7 implementation of "compare32(RegisterID left, TrustedImm32 right)"
	was using "tst reg, reg" to implement "cmp reg, #0". Unfortunately, the tst
	instruction doesn't set the Overflow (V) flag and this results in random
	results depending on whether there was a preceding instruction that did set
	the Overflow (V) flag. This issue was causing emscripten-cube2hash to run
	with a lot of OSR exits where not expected as well as producing wrong results.

	The fix is to use "cmp reg, #0" to do the job properly.

	* assembler/MacroAssemblerARMv7.h:
	(JSC::MacroAssemblerARMv7::compare32):
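Added example (not part of this ChangeLog and not JSC code) that models the flag behaviour the entry above describes. TST writes N and Z but leaves V untouched, while CMP writes all four flags; a signed condition such as LT is evaluated as N != V, so a stale V from an earlier overflowing instruction turns "reg < 0" into the wrong answer when TST is used. The helper names (tst, cmp, adds, condLT, lessThanZeroViaTst, lessThanZeroViaCmp) are this example's own, not MacroAssemblerARMv7's.

```cpp
#include <cstdint>
#include <cstdio>

// Added example, not JSC code: a small model of the ARM condition flags
// (N, Z, C, V), enough to show why "tst reg, reg" is not a substitute for
// "cmp reg, #0" when a signed condition is evaluated afterwards.
struct Flags {
    bool n = false; // negative: bit 31 of the result
    bool z = false; // zero
    bool c = false; // carry / no-borrow
    bool v = false; // signed overflow
};

// TST a, b: flags from (a AND b). Writes N and Z; C comes from the shifter
// and is unchanged for a plain register operand; V is NOT written, so
// whatever an earlier instruction left in V survives.
Flags tst(Flags prev, uint32_t a, uint32_t b)
{
    uint32_t r = a & b;
    Flags f = prev;
    f.n = (r >> 31) & 1u;
    f.z = (r == 0);
    return f;
}

// CMP a, b: flags from (a - b). Writes all four flags.
Flags cmp(uint32_t a, uint32_t b)
{
    uint32_t r = a - b;
    Flags f;
    f.n = (r >> 31) & 1u;
    f.z = (r == 0);
    f.c = (a >= b);                           // no borrow
    f.v = (((a ^ b) & (a ^ r)) >> 31) & 1u;   // operands differ in sign and result sign differs from a
    return f;
}

// ADDS a, b: used here only to manufacture stale flags with V set.
Flags adds(uint32_t a, uint32_t b)
{
    uint32_t r = a + b;
    Flags f;
    f.n = (r >> 31) & 1u;
    f.z = (r == 0);
    f.c = (r < a);                            // unsigned carry out
    f.v = ((~(a ^ b) & (a ^ r)) >> 31) & 1u;  // same-sign operands, result sign flipped
    return f;
}

// ARM condition LT (signed less-than) is "N != V".
bool condLT(Flags f) { return f.n != f.v; }

// The two implementations of compare32(reg, 0) with the LessThan condition.
// 'prev' is whatever flags earlier code left behind; only the tst version
// depends on it.
bool lessThanZeroViaTst(Flags prev, int32_t reg)
{
    return condLT(tst(prev, static_cast<uint32_t>(reg), static_cast<uint32_t>(reg)));
}

bool lessThanZeroViaCmp(int32_t reg)
{
    return condLT(cmp(static_cast<uint32_t>(reg), 0u));
}

int main()
{
    Flags stale = adds(0x7fffffffu, 1u);   // INT_MAX + 1 overflows: V = 1
    std::printf("tst:  5 < 0 ? %d (wrong, stale V)\n", lessThanZeroViaTst(stale, 5));
    std::printf("cmp:  5 < 0 ? %d\n", lessThanZeroViaCmp(5));
    std::printf("cmp: -3 < 0 ? %d\n", lessThanZeroViaCmp(-3));
    return 0;
}
```

With V clear the TST version happens to give the right answer, which is why the bug only surfaced as "random results" after code that overflowed; the CMP version is correct regardless of prior flag state, including the INT32_MIN vs. 1 case where V must be set for LT to hold.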

2014-04-02 Mark Hahnenberg <mhahnenberg@apple.com>

	CodeBlockSet should be generational
	https://bugs.webkit.org/show_bug.cgi?id=127152

	Reviewed by Geoffrey Garen.

	During EdenCollections we now only visit those CodeBlocks that:
	a) Are new since the last collection if they were somehow otherwise reachable.
	b) Are reachable from an Executable that is part of the remembered set.

	* bytecode/CodeBlock.cpp:
	(JSC::CodeBlock::CodeBlock): Initialize uninitialized variables.
	(JSC::CodeBlock::visitAggregate): Move the addition of the weak reference harvester after the
	shouldImmediatelyAssumeLivenessDuringScan check since it's redundant if we assume liveness.
	* bytecode/CodeBlock.h:
	(JSC::CodeBlock::forEachRelatedCodeBlock): Executes a functor for each CodeBlock reachable from the current CodeBlock (including this).
	We use this to clear marks for the CodeBlocks of remembered Executables (see: CodeBlockSet::clearMarksForEdenCollection).
	(JSC::CodeBlockSet::mark): Also check the set of new CodeBlocks for membership when doing conservative scanning.
	(JSC::ScriptExecutable::forEachCodeBlock): Executes a functor for each of this Executable's CodeBlocks.
	* heap/CodeBlockSet.cpp:
	(JSC::CodeBlockSet::~CodeBlockSet):
	(JSC::CodeBlockSet::add):
	(JSC::CodeBlockSet::promoteYoungCodeBlocks): Moves all CodeBlocks currently in the set of new CodeBlocks into
	the set of old CodeBlocks.
	(JSC::CodeBlockSet::clearMarksForFullCollection): Clears the marks for all CodeBlocks.
	(JSC::CodeBlockSet::clearMarksForEdenCollection): Clears the marks for CodeBlocks owned by Executables in the
	remembered set. When an Executable is added to the remembered set it's typically because we need to do something
	with its CodeBlock.
	(JSC::CodeBlockSet::clearMarks):
	(JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Fixpoints over either just the new CodeBlocks or all CodeBlocks
	to determine which CodeBlocks are dead and eagerly finalizes/deletes them.
	(JSC::CodeBlockSet::remove):
	(JSC::CodeBlockSet::traceMarked): Iterate only the currently executing CodeBlocks instead of all CodeBlocks.
	(JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks): Clear m_mayBeExecuting for all currently executing
	CodeBlocks because we no longer always do this at the beginning of EdenCollections.
	* heap/CodeBlockSet.h:
	(JSC::CodeBlockSet::iterate):
	* heap/Heap.cpp:
	(JSC::Heap::markRoots):
	(JSC::Heap::deleteAllCompiledCode):
	(JSC::Heap::deleteUnmarkedCompiledCode):
	* runtime/Executable.cpp:
	(JSC::ScriptExecutable::installCode): Write barrier code on installation. We do this due to the following situation:
	a) A CodeBlock is created and is compiled on a DFG worker thread.
	b) No GC happens.
	c) The CodeBlock has finished being compiled and is installed in the Executable.
	d) The function never executes before the next GC.
	e) The next GC needs to visit the new CodeBlock but the Executable won't be revisited unless
	it's added to the remembered set.

2014-04-02 Mark Lam <mark.lam@apple.com>

	Added some more dataLog info for OSR exits.
	<https://webkit.org/b/131120>

	Reviewed by Michael Saboff.

	Adding info about the OSR exit index, the bytecode index of the bytecode
	that is OSR exiting, and the reason for the OSR exit. This change is
	for debugging code which only comes into play when we use the
	--printEachOSRExit option.

	* dfg/DFGOSRExit.h:
	* dfg/DFGOSRExitCompiler32_64.cpp:
	(JSC::DFG::OSRExitCompiler::compileExit):
	* dfg/DFGOSRExitCompiler64.cpp:
	(JSC::DFG::OSRExitCompiler::compileExit):
	* dfg/DFGOperations.cpp:

2014-04-02 Martin Robinson <mrobinson@igalia.com>

	REGRESSION(r165704): [GTK] Inspector resources not correctly generated
	https://bugs.webkit.org/show_bug.cgi?id=130343

	Reviewed by Gustavo Noronha Silva.

	* CMakeLists.txt: We generate the inspector JavaScript file into a directory like the one
	in which it should be distributed. This allows us to more easily package it for GTK+.

2014-04-01 Timothy Hatcher <timothy@apple.com>

	Remove HeapProfiler from the Web Inspector protocol.

	https://bugs.webkit.org/show_bug.cgi?id=131070

	Reviewed by Joseph Pecoraro.

	* inspector/agents/InspectorConsoleAgent.h:
	* inspector/agents/JSGlobalObjectConsoleAgent.cpp:
	(Inspector::JSGlobalObjectConsoleAgent::addInspectedHeapObject): Deleted.
	* inspector/agents/JSGlobalObjectConsoleAgent.h:
	* inspector/protocol/Console.json:

2014-03-31 Simon Fraser <simon.fraser@apple.com>

	Enable WEB_TIMING on Mac and iOS
	https://bugs.webkit.org/show_bug.cgi?id=128064

	Reviewed by Sam Weinig, Brent Fulgham.

	Enable WEB_TIMING.

	* Configurations/FeatureDefines.xcconfig:

2014-03-31 Michael Saboff <msaboff@apple.com>

	REGRESSION(r166415): JSObject{Get,Set}Private() don't work with proxy objects
	https://bugs.webkit.org/show_bug.cgi?id=130992

	Reviewed by Mark Hahnenberg.

	Forward JSObjectGetPrivate() and JSObjectSetPrivate() to the wrapped object.

	* API/JSObjectRef.cpp:
	(JSObjectGetPrivate):
	(JSObjectSetPrivate):
	* API/tests/testapi.c:
	(main): Added new test case to validate we are properly forwarding.

2014-03-31 Mark Hahnenberg <mhahnenberg@apple.com>

	Improve GC_LOGGING
	https://bugs.webkit.org/show_bug.cgi?id=130988

	Reviewed by Geoffrey Garen.

	GC_LOGGING can be useful for diagnosing where we're spending our time during collection,
	but it doesn't distinguish between Eden and Full collections in the data it gathers. This
	patch updates it so that it can. It also adds the process ID to the beginning of each line
	of input to be able to distinguish between the output of multiple processes exiting at the
	same time.

	* heap/Heap.cpp:
	(JSC::Heap::collect):

2014-03-31 Dean Jackson <dino@apple.com>

	Remove WEB_ANIMATIONS
	https://bugs.webkit.org/show_bug.cgi?id=130989

	Reviewed by Simon Fraser.

	Remove this feature flag until we plan to implement.

	* Configurations/FeatureDefines.xcconfig:

2014-03-31 Filip Pizlo <fpizlo@apple.com>

	More validation for FTL inline caches
	https://bugs.webkit.org/show_bug.cgi?id=130948

	Reviewed by Geoffrey Garen.

	* dfg/DFGByteCodeParser.cpp:
	(JSC::DFG::ByteCodeParser::handleGetById):
	(JSC::DFG::ByteCodeParser::handlePutById):
	* runtime/Options.h:

2014-03-31 Filip Pizlo <fpizlo@apple.com>

	LLVM IR for store barriers should be nicely arranged and they don't need exception checks
	https://bugs.webkit.org/show_bug.cgi?id=130950

	Reviewed by Mark Hahnenberg.

	* ftl/FTLLowerDFGToLLVM.cpp:
	(JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):

2014-03-31 Raphael Kubo da Costa <raphael.kubo.da.costa@intel.com>

	[CMake] Stop checking for WTF_USE_ICU_UNICODE.
	https://bugs.webkit.org/show_bug.cgi?id=130965

	Reviewed by Martin Robinson.

	This is somewhat of a follow-up to r162782, which got rid of
	WTF_USE_ICU_UNICODE in CMake but did not remove the check in JSC's
	CMakeLists.txt. This meant the includes and libraries were not
	being properly included since then.

	* CMakeLists.txt:

2014-03-31 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>

	Remove hostThisRegister() and hostThisValue()
	https://bugs.webkit.org/show_bug.cgi?id=130895

	Reviewed by Geoffrey Garen.

	Removed hostThisRegister() and hostThisValue() and instead use thisArgumentOffset() and thisValue() respectively.

	* API/APICallbackFunction.h:
	(JSC::APICallbackFunction::call):
	* API/JSCallbackObjectFunctions.h:
	(JSC::JSCallbackObject<Parent>::call):
	* dfg/DFGOSREntry.cpp:
	(JSC::DFG::prepareOSREntry):
	* inspector/JSInjectedScriptHostPrototype.cpp:
	(Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
	(Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName):
	(Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection):
	(Inspector::jsInjectedScriptHostPrototypeFunctionType):
	(Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails):
	(Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties):
	* inspector/JSJavaScriptCallFramePrototype.cpp:
	(Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluate):
	(Inspector::jsJavaScriptCallFramePrototypeFunctionScopeType):
	(Inspector::jsJavaScriptCallFrameAttributeCaller):
	(Inspector::jsJavaScriptCallFrameAttributeSourceID):
	(Inspector::jsJavaScriptCallFrameAttributeLine):
	(Inspector::jsJavaScriptCallFrameAttributeColumn):
	(Inspector::jsJavaScriptCallFrameAttributeFunctionName):
	(Inspector::jsJavaScriptCallFrameAttributeScopeChain):
	(Inspector::jsJavaScriptCallFrameAttributeThisObject):
	(Inspector::jsJavaScriptCallFrameAttributeType):
	* interpreter/CallFrame.h:
	(JSC::ExecState::hostThisRegister): Deleted.
	(JSC::ExecState::hostThisValue): Deleted.
	* runtime/Arguments.cpp:
	(JSC::argumentsFuncIterator):
	* runtime/ArrayPrototype.cpp:
	(JSC::arrayProtoFuncToString):
	(JSC::arrayProtoFuncToLocaleString):
	(JSC::arrayProtoFuncJoin):
	(JSC::arrayProtoFuncConcat):
	(JSC::arrayProtoFuncPop):
	(JSC::arrayProtoFuncPush):
	(JSC::arrayProtoFuncReverse):
	(JSC::arrayProtoFuncShift):
	(JSC::arrayProtoFuncSlice):
	(JSC::arrayProtoFuncSort):
	(JSC::arrayProtoFuncSplice):
	(JSC::arrayProtoFuncUnShift):
	(JSC::arrayProtoFuncReduce):
	(JSC::arrayProtoFuncReduceRight):
	(JSC::arrayProtoFuncIndexOf):
	(JSC::arrayProtoFuncLastIndexOf):
	(JSC::arrayProtoFuncValues):
	(JSC::arrayProtoFuncEntries):
	(JSC::arrayProtoFuncKeys):
	* runtime/BooleanPrototype.cpp:
	(JSC::booleanProtoFuncToString):
	(JSC::booleanProtoFuncValueOf):
	* runtime/ConsolePrototype.cpp:
	(JSC::consoleLogWithLevel):
	(JSC::consoleProtoFuncClear):
	(JSC::consoleProtoFuncDir):
	(JSC::consoleProtoFuncDirXML):
	(JSC::consoleProtoFuncTable):
	(JSC::consoleProtoFuncTrace):
	(JSC::consoleProtoFuncAssert):
	(JSC::consoleProtoFuncCount):
	(JSC::consoleProtoFuncProfile):
	(JSC::consoleProtoFuncProfileEnd):
	(JSC::consoleProtoFuncTime):
	(JSC::consoleProtoFuncTimeEnd):
	(JSC::consoleProtoFuncTimeStamp):
	(JSC::consoleProtoFuncGroup):
	(JSC::consoleProtoFuncGroupCollapsed):
	(JSC::consoleProtoFuncGroupEnd):
	* runtime/DatePrototype.cpp:
	(JSC::formateDateInstance):
	(JSC::dateProtoFuncToISOString):
	(JSC::dateProtoFuncToLocaleString):
	(JSC::dateProtoFuncToLocaleDateString):
	(JSC::dateProtoFuncToLocaleTimeString):
	(JSC::dateProtoFuncGetTime):
	(JSC::dateProtoFuncGetFullYear):
	(JSC::dateProtoFuncGetUTCFullYear):
	(JSC::dateProtoFuncGetMonth):
	(JSC::dateProtoFuncGetUTCMonth):
	(JSC::dateProtoFuncGetDate):
	(JSC::dateProtoFuncGetUTCDate):
	(JSC::dateProtoFuncGetDay):
	(JSC::dateProtoFuncGetUTCDay):
	(JSC::dateProtoFuncGetHours):
	(JSC::dateProtoFuncGetUTCHours):
	(JSC::dateProtoFuncGetMinutes):
	(JSC::dateProtoFuncGetUTCMinutes):
	(JSC::dateProtoFuncGetSeconds):
	(JSC::dateProtoFuncGetUTCSeconds):
	(JSC::dateProtoFuncGetMilliSeconds):
	(JSC::dateProtoFuncGetUTCMilliseconds):
	(JSC::dateProtoFuncGetTimezoneOffset):
	(JSC::dateProtoFuncSetTime):
	(JSC::setNewValueFromTimeArgs):
	(JSC::setNewValueFromDateArgs):
	(JSC::dateProtoFuncSetYear):
	(JSC::dateProtoFuncGetYear):
	(JSC::dateProtoFuncToJSON):
	* runtime/ErrorPrototype.cpp:
	(JSC::errorProtoFuncToString):
	* runtime/FunctionPrototype.cpp:
	(JSC::functionProtoFuncToString):
	(JSC::functionProtoFuncBind):
	* runtime/NamePrototype.cpp:
	(JSC::privateNameProtoFuncToString):
	* runtime/NumberPrototype.cpp:
	(JSC::numberProtoFuncToExponential):
	(JSC::numberProtoFuncToFixed):
	(JSC::numberProtoFuncToPrecision):
	(JSC::numberProtoFuncClz):
	(JSC::numberProtoFuncToString):
8244 (JSC::numberProtoFuncToLocaleString):
8245 (JSC::numberProtoFuncValueOf):
8246 * runtime/ObjectPrototype.cpp:
8247 (JSC::objectProtoFuncValueOf):
8248 (JSC::objectProtoFuncHasOwnProperty):
8249 (JSC::objectProtoFuncIsPrototypeOf):
8250 (JSC::objectProtoFuncDefineGetter):
8251 (JSC::objectProtoFuncDefineSetter):
8252 (JSC::objectProtoFuncLookupGetter):
8253 (JSC::objectProtoFuncLookupSetter):
8254 (JSC::objectProtoFuncPropertyIsEnumerable):
8255 (JSC::objectProtoFuncToLocaleString):
8256 (JSC::objectProtoFuncToString):
8257 * runtime/RegExpPrototype.cpp:
8258 (JSC::regExpProtoFuncTest):
8259 (JSC::regExpProtoFuncExec):
8260 (JSC::regExpProtoFuncCompile):
8261 (JSC::regExpProtoFuncToString):
8262 * runtime/StringPrototype.cpp:
8263 (JSC::stringProtoFuncReplace):
8264 (JSC::stringProtoFuncToString):
8265 (JSC::stringProtoFuncCharAt):
8266 (JSC::stringProtoFuncCharCodeAt):
8267 (JSC::stringProtoFuncConcat):
8268 (JSC::stringProtoFuncIndexOf):
8269 (JSC::stringProtoFuncLastIndexOf):
8270 (JSC::stringProtoFuncMatch):
8271 (JSC::stringProtoFuncSearch):
8272 (JSC::stringProtoFuncSlice):
8273 (JSC::stringProtoFuncSplit):
8274 (JSC::stringProtoFuncSubstr):
8275 (JSC::stringProtoFuncSubstring):
8276 (JSC::stringProtoFuncToLowerCase):
8277 (JSC::stringProtoFuncToUpperCase):
8278 (JSC::stringProtoFuncLocaleCompare):
8279 (JSC::stringProtoFuncBig):
8280 (JSC::stringProtoFuncSmall):
8281 (JSC::stringProtoFuncBlink):
8282 (JSC::stringProtoFuncBold):
8283 (JSC::stringProtoFuncFixed):
8284 (JSC::stringProtoFuncItalics):
8285 (JSC::stringProtoFuncStrike):
8286 (JSC::stringProtoFuncSub):
8287 (JSC::stringProtoFuncSup):
8288 (JSC::stringProtoFuncFontcolor):
8289 (JSC::stringProtoFuncFontsize):
8290 (JSC::stringProtoFuncAnchor):
8291 (JSC::stringProtoFuncLink):
8292 (JSC::stringProtoFuncTrim):
8293 (JSC::stringProtoFuncTrimLeft):
8294 (JSC::stringProtoFuncTrimRight):
8295
82962014-03-28 Filip Pizlo <fpizlo@apple.com>
8297
8298 Land the stackmap register liveness glue with the uses of the liveness disabled
8299 https://bugs.webkit.org/show_bug.cgi?id=130924
8300
8301 Reviewed by Oliver Hunt.
8302
8303 Add the liveness and fix other bugs I found.
8304
8305 * bytecode/PutByIdStatus.cpp:
8306 (JSC::PutByIdStatus::computeFor):
8307 * ftl/FTLCompile.cpp:
8308 (JSC::FTL::usedRegistersFor):
8309 (JSC::FTL::fixFunctionBasedOnStackMaps):
8310 * ftl/FTLSlowPathCall.cpp:
8311 * ftl/FTLSlowPathCallKey.cpp:
8312 (JSC::FTL::SlowPathCallKey::dump):
8313 * ftl/FTLSlowPathCallKey.h:
8314 (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
8315 (JSC::FTL::SlowPathCallKey::argumentRegisters):
8316 (JSC::FTL::SlowPathCallKey::withCallTarget):
8317 * ftl/FTLStackMaps.cpp:
8318 (JSC::FTL::StackMaps::Record::locationSet):
8319 (JSC::FTL::StackMaps::Record::liveOutsSet):
8320 (JSC::FTL::StackMaps::Record::usedRegisterSet):
8321 * ftl/FTLStackMaps.h:
8322 * ftl/FTLThunks.cpp:
8323 (JSC::FTL::registerClobberCheck):
8324 (JSC::FTL::slowPathCallThunkGenerator):
8325 * jit/RegisterSet.cpp:
8326 (JSC::RegisterSet::stackRegisters):
8327 (JSC::RegisterSet::reservedHardwareRegisters):
8328 (JSC::RegisterSet::runtimeRegisters):
8329 (JSC::RegisterSet::specialRegisters):
8330 (JSC::RegisterSet::dump):
8331 * jit/RegisterSet.h:
8332 (JSC::RegisterSet::RegisterSet):
8333 (JSC::RegisterSet::setAny):
8334 (JSC::RegisterSet::setMany):
8335 * jit/Repatch.cpp:
8336 (JSC::tryCacheGetByID):
8337 (JSC::tryCachePutByID):
8338 (JSC::tryRepatchIn):
8339 * runtime/Options.cpp:
8340 (JSC::recomputeDependentOptions):
8341 * runtime/Options.h:
8342
83432014-03-28 Mark Lam <mark.lam@apple.com>
8344
8345 mandreel throws a checksum error on 32-bit x86.
8346 <https://webkit.org/b/125706>
8347
8348 Reviewed by Filip Pizlo.
8349
8350 The 32-bit DFG can emit code that loads double constants from its
8351 CodeBlock's m_constantRegisters vector. The emitted instruction will
8352 embed the address of the constant from the vector's backing store.
8353 Subsequently, while inserting new constants, the DFG may resize the
8354 vector, thereby reallocating the backing store. This renders the
8355 previously embedded constant addresses stale.
8356
8357 The fix is to use a dedicated doubles constant pool stored in the DFG
8358 CommonData instead. This constant pool won't be reallocated, and
8359 hence will not manifest this issue.
8360
8361 * dfg/DFGCommonData.h:
8362 * dfg/DFGGraph.h:
8363 * dfg/DFGJITCompiler.cpp:
8364 (JSC::DFG::JITCompiler::link):
8365 (JSC::DFG::JITCompiler::addressOfDoubleConstant):
8366 * dfg/DFGJITCompiler.h:
8367 (JSC::DFG::JITCompiler::addressOfDoubleConstant): Deleted.
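
An added example, not JavaScriptCore code, of the hazard this entry describes: a pointer into a std::vector's backing store goes stale as soon as the vector has to grow, whereas a pool whose elements never move can safely be pointed into. The pool and function names below are hypothetical stand-ins for m_constantRegisters and the CommonData constant pool.

```cpp
// Added example, not JavaScriptCore code: a pointer into a std::vector's
// backing store that goes stale when the vector grows, next to a pool whose
// elements never move. All names here are hypothetical.
#include <cstddef>
#include <deque>
#include <vector>

// Unsafe pattern: hands out a pointer into the vector's backing store. Any
// later push_back that exceeds capacity() reallocates, and the pointer dangles.
struct VectorConstantPool {
    std::vector<double> constants;
    const double* add(double value) {
        constants.push_back(value);
        return &constants.back();
    }
};

// Safe pattern: std::deque keeps existing elements in place on push_back
// (references stay valid; only iterators are invalidated), so a pointer
// handed out here stays valid for the lifetime of the pool.
struct StableConstantPool {
    std::deque<double> constants;
    const double* add(double value) {
        constants.push_back(value);
        return &constants.back();
    }
};

// Returns true when the vector's backing store moved while growing, which
// means every pointer obtained before the growth is now stale.
bool vectorBackingStoreMoved() {
    VectorConstantPool pool;
    const double* first = pool.add(1.5);
    const double* before = pool.constants.data();
    std::size_t capacity = pool.constants.capacity();
    // Append until the vector must grow. The new buffer is allocated while
    // the old one is still live, so its address is guaranteed to differ.
    while (pool.constants.capacity() == capacity)
        pool.add(2.5);
    (void)first; // must not be dereferenced from here on: it is dangling
    return pool.constants.data() != before;
}

// Returns true when a pointer handed out by the stable pool still reads the
// original value after many more constants have been appended.
bool stablePoolPointerSurvives(std::size_t extraConstants) {
    StableConstantPool pool;
    const double* first = pool.add(1.5);
    for (std::size_t i = 0; i < extraConstants; ++i)
        pool.add(static_cast<double>(i));
    return *first == 1.5;
}
```

The JIT variant of this bug is worse than the plain C++ one: the stale address is baked into emitted machine code, so the read happens long after the reallocation and AddressSanitizer-style tooling on the C++ side never sees it. Any allocator that hands out addresses to code which outlives the allocator's next resize needs the deque-like guarantee above.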
8368
83692014-03-28 Joseph Pecoraro <pecoraro@apple.com>
8370
8371 Web Inspector: console.warn is showing as error instead of warning
8372 https://bugs.webkit.org/show_bug.cgi?id=130921
8373
8374 Reviewed by Timothy Hatcher.
8375
8376 * runtime/ConsolePrototype.cpp:
8377 (JSC::consoleProtoFuncWarn):
8378 console.warn should be MessageLevel Warning, not Error.
8379
83802014-03-28 Oliver Hunt <oliver@apple.com>
8381
8382 Fix cloop build.
8383
8384 * bytecode/BytecodeList.json:
8385
83862014-03-28 Michael Saboff <msaboff@apple.com>
8387
8388 Unreviewed, rolling r166248 back in.
8389
8390 Turns out r166070 didn't cause a 2% performance loss in page load times
8391
8392 Reverted changeset:
8393
8394 Unreviewed, rolling out r166126.
8395 Rollout r166126 in preparation to roll out prerequisite r166070
8396
83972014-03-27 Commit Queue <commit-queue@webkit.org>
8398
8399 Unreviewed, rolling out r166376.
8400 https://bugs.webkit.org/show_bug.cgi?id=130887
8401
8402 This was a misguided optimization. (Requested by kling on
8403 #webkit).
8404
8405 Reverted changeset:
8406
8407 "Avoid fetching JSObject::structure() repeatedly in
8408 putDirectInternal."
8409 https://bugs.webkit.org/show_bug.cgi?id=130857
8410 http://trac.webkit.org/changeset/166376
8411
84122014-03-27 Oliver Hunt <oliver@apple.com>
8413
8414 Support spread operand in |new| expressions
8415 https://bugs.webkit.org/show_bug.cgi?id=130877
8416
8417 Reviewed by Michael Saboff.
8418
8419 Add support for the spread operator being applied in
8420 |new| expressions. This required adding support for
8421 a new opcode, op_construct_varargs. This is a relatively
8422 simple refactoring of the call_varargs implementation.
8423
8424 * bytecode/BytecodeList.json:
8425 * bytecode/BytecodeUseDef.h:
8426 (JSC::computeUsesForBytecodeOffset):
8427 (JSC::computeDefsForBytecodeOffset):
8428 * bytecode/CallLinkInfo.cpp:
8429 (JSC::CallLinkInfo::unlink):
8430 * bytecode/CallLinkInfo.h:
8431 (JSC::CallLinkInfo::callTypeFor):
8432 (JSC::CallLinkInfo::specializationKind):
8433 * bytecode/CodeBlock.cpp:
8434 (JSC::CodeBlock::dumpBytecode):
8435 (JSC::CodeBlock::CodeBlock):
8436 * bytecompiler/BytecodeGenerator.cpp:
8437 (JSC::BytecodeGenerator::emitCallVarargs):
8438 (JSC::BytecodeGenerator::emitConstructVarargs):
8439 (JSC::BytecodeGenerator::emitConstruct):
8440 * bytecompiler/BytecodeGenerator.h:
8441 * jit/JIT.cpp:
8442 (JSC::JIT::privateCompileMainPass):
8443 (JSC::JIT::privateCompileSlowCases):
8444 * jit/JIT.h:
8445 * jit/JITCall.cpp:
8446 (JSC::JIT::compileOpCall):
8447 (JSC::JIT::compileOpCallSlowCase):
8448 (JSC::JIT::emit_op_construct_varargs):
8449 (JSC::JIT::emitSlow_op_construct_varargs):
8450 * jit/JITCall32_64.cpp:
8451 (JSC::JIT::emitSlow_op_construct_varargs):
8452 (JSC::JIT::emit_op_construct_varargs):
8453 (JSC::JIT::compileOpCall):
8454 (JSC::JIT::compileOpCallSlowCase):
8455 * jit/JITOperations.cpp:
8456 * llint/LLIntSlowPaths.cpp:
8457 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
8458 * llint/LLIntSlowPaths.h:
8459 * llint/LowLevelInterpreter.asm:
8460 * parser/Parser.cpp:
8461 (JSC::Parser<LexerType>::parseMemberExpression):
8462
84632014-03-27 Filip Pizlo <fpizlo@apple.com>
8464
8465 Revert http://trac.webkit.org/changeset/166386 because it broke builds.
8466
8467 * Configurations/Base.xcconfig:
8468 * Configurations/LLVMForJSC.xcconfig:
8469
84702014-03-27 Filip Pizlo <fpizlo@apple.com>
8471
8472 Unreviewed, skip this test for now.
8473
8474 * tests/stress/recurse-infinitely-on-getter.js:
8475
84762014-03-27 Filip Pizlo <fpizlo@apple.com>
8477
8478 Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
8479 https://bugs.webkit.org/show_bug.cgi?id=130867
8480 <rdar://problem/16432456>
8481
8482 Reviewed by Mark Hahnenberg.
8483
8484 * Configurations/Base.xcconfig:
8485 * Configurations/LLVMForJSC.xcconfig:
8486
84872014-03-27 Andreas Kling <akling@apple.com>
8488
8489 Avoid fetching JSObject::structure() repeatedly in putDirectInternal.
8490 <https://webkit.org/b/130857>
8491
8492 Use the cached Structure* instead of re-fetching it over and over since
8493 that's a non-trivial operation these days.
8494
8495 Reviewed by Mark Hahnenberg.
8496
8497 * runtime/JSObject.h:
8498 (JSC::JSObject::putDirectInternal):
8499
85002014-03-27 Mark Hahnenberg <mhahnenberg@apple.com>
8501
8502 Check the remembered set bit faster
8503 https://bugs.webkit.org/show_bug.cgi?id=130860
8504
8505 Reviewed by Oliver Hunt.
8506
8507 Currently we look up the remembered set bit in the MarkedBlock in C++ code, but
8508 that bit is also stored in the object. We should look it up there whenever possible.
8509
8510 * heap/CopiedBlockInlines.h:
8511 (JSC::CopiedBlock::shouldReportLiveBytes):
8512 * heap/Heap.cpp:
8513 (JSC::Heap::addToRememberedSet):
8514 * heap/Heap.h:
8515 * heap/HeapInlines.h: Removed.
8516 * heap/SlotVisitorInlines.h:
8517 (JSC::SlotVisitor::reportExtraMemoryUsage):
8518
85192014-03-27 Joseph Pecoraro <pecoraro@apple.com>
8520
8521 Web Inspector: Provide SPI to disallow remote inspection of a JSContext
8522 https://bugs.webkit.org/show_bug.cgi?id=130853
8523
8524 Reviewed by Timothy Hatcher.
8525
8526 * API/JSContextPrivate.h: Added.
8527 * API/JSContext.mm:
8528 (-[JSContext _remoteInspectionEnabled]):
8529 (-[JSContext _setRemoteInspectionEnabled:]):
8530 ObjC SPI to enable/disable remote inspection.
8531
8532 * API/JSContextRefPrivate.h:
8533 * API/JSContextRef.cpp:
8534 (JSGlobalContextGetRemoteInspectionEnabled):
8535 (JSGlobalContextSetRemoteInspectionEnabled):
8536 C SPI to enable/disable remote inspection.
8537
8538 * JavaScriptCore.xcodeproj/project.pbxproj:
8539 Add new private header, and export as a private header.
8540
85412014-03-27 Mark Hahnenberg <mhahnenberg@apple.com>
8542
8543 Clean up questionable style in ScriptExecutable::prepareForExecutionImpl
8544 https://bugs.webkit.org/show_bug.cgi?id=130845
8545
8546 Reviewed by Filip Pizlo.
8547
8548 There was a hack added to make sure C Loop LLInt worked which included overriding the
8549 global Options::useLLInt setting, which makes no sense to do here. We should put the
8550 update of the global setting in Options::recomputeDependentOptions along with the other
8551 execution engine flags.
8552
8553 * runtime/Executable.cpp:
8554 (JSC::ScriptExecutable::prepareForExecutionImpl):
8555 * runtime/Options.cpp:
8556 (JSC::recomputeDependentOptions):
8557
85582014-03-26 Filip Pizlo <fpizlo@apple.com>
8559
8560 Enable LLVM stackmap liveOuts computation
8561 https://bugs.webkit.org/show_bug.cgi?id=130821
8562
8563 Reviewed by Andy Estes and Sam Weinig.
8564
8565 * ftl/FTLStackMaps.cpp:
8566 (JSC::FTL::StackMaps::Record::dump):
8567 * llvm/library/LLVMExports.cpp:
8568 (initializeAndGetJSCLLVMAPI):
8569
85702014-03-26 Filip Pizlo <fpizlo@apple.com>
8571
8572 Parse stackmaps liveOuts
8573 https://bugs.webkit.org/show_bug.cgi?id=130801
8574
8575 Reviewed by Geoffrey Garen.
8576
8577 This just adds the code to parse them but doesn't do anything with them, yet.
8578
8579 * ftl/FTLLocation.cpp:
8580 (JSC::FTL::Location::forStackmaps):
8581 * ftl/FTLLocation.h:
8582 (JSC::FTL::Location::forRegister):
8583 (JSC::FTL::Location::forIndirect):
8584 * ftl/FTLStackMaps.cpp:
8585 (JSC::FTL::StackMaps::Location::parse):
8586 (JSC::FTL::StackMaps::Location::dump):
8587 (JSC::FTL::StackMaps::LiveOut::parse):
8588 (JSC::FTL::StackMaps::LiveOut::dump):
8589 (JSC::FTL::StackMaps::Record::parse):
8590 (JSC::FTL::StackMaps::Record::dump):
8591 * ftl/FTLStackMaps.h:
8592
85932014-03-26 Mark Lam <mark.lam@apple.com>
8594
8595 Build fix after r166307.
8596
8597 Not reviewed.
8598
8599 * runtime/JSCell.h:
8600 - The inline function isAPIValueWrapper() should not be exported. This
8601 was causing a linkage error when building for 32-bit x86 on Mac.
8602
86032014-03-26 Filip Pizlo <fpizlo@apple.com>
8604
8605 Reasoning about DWARF register numbers should be moved out of FTL::Location
8606 https://bugs.webkit.org/show_bug.cgi?id=130792
8607
8608 Reviewed by Oliver Hunt.
8609
8610 Moving this code makes it possible for things other than FTL::Location to reason about
8611 DWARF register encoding. This refactoring also appears to reduce some code duplication
8612 and makes FTLLocation.cpp cleaner.
8613
8614 * JavaScriptCore.xcodeproj/project.pbxproj:
8615 * ftl/FTLCompile.cpp:
8616 (JSC::FTL::fixFunctionBasedOnStackMaps):
8617 * ftl/FTLDWARFRegister.cpp: Added.
8618 (JSC::FTL::DWARFRegister::reg):
8619 (JSC::FTL::DWARFRegister::dump):
8620 * ftl/FTLDWARFRegister.h: Added.
8621 (JSC::FTL::DWARFRegister::DWARFRegister):
8622 (JSC::FTL::DWARFRegister::dwarfRegNum):
8623 * ftl/FTLLocation.cpp:
8624 (JSC::FTL::Location::dump):
8625 (JSC::FTL::Location::isGPR):
8626 (JSC::FTL::Location::gpr):
8627 (JSC::FTL::Location::isFPR):
8628 (JSC::FTL::Location::fpr):
8629 * ftl/FTLLocation.h:
8630 (JSC::FTL::Location::hasDwarfReg):
8631 (JSC::FTL::Location::dwarfReg):
8632
86332014-03-26 Brent Fulgham <bfulgham@apple.com>
8634
8635 Unreviewed build fix.
8636
8637 * runtime/JSCell.h: VS2013 confused about argument type.
8638
86392014-03-26 Zoltan Horvath <zoltan@webkit.org>
8640
8641 [CSS Shapes] Remove shape-inside support
8642 https://bugs.webkit.org/show_bug.cgi?id=130698
8643
8644 Reviewed by David Hyatt.
8645
8646 * Configurations/FeatureDefines.xcconfig:
8647
86482014-03-26 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
8649
8650 Rename hasFastArrayStorage to be more appropriate
8651 https://bugs.webkit.org/show_bug.cgi?id=130773
8652
8653 Reviewed by Filip Pizlo.
8654
8655 * dfg/DFGArrayMode.cpp:
8656 (JSC::DFG::ArrayMode::alreadyChecked):
8657 * dfg/DFGSpeculativeJIT32_64.cpp:
8658 (JSC::DFG::SpeculativeJIT::compile):
8659 * dfg/DFGSpeculativeJIT64.cpp:
8660 (JSC::DFG::SpeculativeJIT::compile):
8661 * dfg/DFGWatchpointCollectionPhase.cpp:
8662 (JSC::DFG::WatchpointCollectionPhase::handle):
8663 * ftl/FTLLowerDFGToLLVM.cpp:
8664 (JSC::FTL::LowerDFGToLLVM::compileNewArray):
8665 (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
8666 (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
8667 * runtime/ButterflyInlines.h:
8668 (JSC::Butterfly::unshift):
8669 (JSC::Butterfly::shift):
8670 * runtime/IndexingHeaderInlines.h:
8671 (JSC::IndexingHeader::preCapacity):
8672 * runtime/IndexingType.h:
8673 (JSC::hasArrayStorage):
8674 (JSC::hasAnyArrayStorage):
8675 (JSC::hasFastArrayStorage): Deleted.
8676 * runtime/JSArray.cpp:
8677 (JSC::JSArray::sortVector):
8678 (JSC::JSArray::compactForSorting):
8679 * runtime/JSArray.h:
8680 (JSC::JSArray::create):
8681 (JSC::JSArray::tryCreateUninitialized):
8682 * runtime/JSGlobalObject.cpp:
8683 * runtime/JSObject.cpp:
8684 (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
8685 * runtime/JSObject.h:
8686 (JSC::JSObject::ensureArrayStorage):
8687 (JSC::JSObject::arrayStorage):
8688 * runtime/StructureTransitionTable.h:
8689 (JSC::newIndexingType):
8690
86912014-03-26 Zan Dobersek <zdobersek@igalia.com>
8692
8693 Unreviewed. Removing the remaining Automake cruft.
8694
8695 * GNUmakefile.list.am: Removed.
8696
86972014-03-25 Filip Pizlo <fpizlo@apple.com>
8698
8699 Arguments simplification phase should be fine with marking the arguments local itself as an arguments alias
8700 https://bugs.webkit.org/show_bug.cgi?id=130764
8701 <rdar://problem/16304788>
8702
8703 Reviewed by Sam Weinig.
8704
8705 Being an arguments alias just means that your OSR exit recovery should attempt arguments
8706 creation. This is true of arguments locals. We had special cases that tried to make it not
8707 true of arguments locals. The only consequence of those special cases was to cause crashes
8708 in case of arguments that are also captured variables (i.e. we have SlowArguments). This
8709 change just removes those special cases.
8710
8711 This change means that the FTL will now see SetLocals with a FlushedArguments format.
8712 Previously you wouldn't see them because previously only non-captured variables would be
8713 arguments aliases, and non-captured variables get completely SSAified - i.e. no SetLocals
8714 left. Adding handling for FlushedArguments is a benign and simple change since its
8715 behavior is identical to FlushedJSValue for that code's purposes.
8716
8717 * dfg/DFGArgumentsSimplificationPhase.cpp:
8718 (JSC::DFG::ArgumentsSimplificationPhase::run):
8719 * ftl/FTLLowerDFGToLLVM.cpp:
8720 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
8721 * tests/stress/captured-arguments-variable.js: Added.
8722 (foo):
8723 (noInline):
8724
87252014-03-25 Mark Hahnenberg <mhahnenberg@apple.com>
8726
8727 Add HeapInlines
8728 https://bugs.webkit.org/show_bug.cgi?id=130759
8729
8730 Reviewed by Filip Pizlo.
8731
8732 * GNUmakefile.list.am:
8733 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
8734 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
8735 * JavaScriptCore.xcodeproj/project.pbxproj:
8736 * heap/Heap.cpp:
8737 (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
8738 (JSC::MarkedBlockSnapshotFunctor::operator()):
8739 * heap/Heap.h: Also reindented while we're here.
8740 (JSC::Heap::writeBarrierBuffer):
8741 (JSC::Heap::vm):
8742 (JSC::Heap::objectSpace):
8743 (JSC::Heap::machineThreads):
8744 (JSC::Heap::operationInProgress):
8745 (JSC::Heap::allocatorForObjectWithoutDestructor):
8746 (JSC::Heap::allocatorForObjectWithNormalDestructor):
8747 (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
8748 (JSC::Heap::storageAllocator):
8749 (JSC::Heap::notifyIsSafeToCollect):
8750 (JSC::Heap::isSafeToCollect):
8751 (JSC::Heap::handleSet):
8752 (JSC::Heap::handleStack):
8753 (JSC::Heap::lastFullGCLength):
8754 (JSC::Heap::lastEdenGCLength):
8755 (JSC::Heap::increaseLastFullGCLength):
8756 (JSC::Heap::sizeBeforeLastEdenCollection):
8757 (JSC::Heap::sizeAfterLastEdenCollection):
8758 (JSC::Heap::sizeBeforeLastFullCollection):
8759 (JSC::Heap::sizeAfterLastFullCollection):
8760 (JSC::Heap::jitStubRoutines):
8761 (JSC::Heap::isDeferred):
8762 (JSC::Heap::structureIDTable):
8763 (JSC::Heap::removeCodeBlock):
8764 * heap/HeapInlines.h: Added.
8765 (JSC::Heap::shouldCollect):
8766 (JSC::Heap::isBusy):
8767 (JSC::Heap::isCollecting):
8768 (JSC::Heap::heap):
8769 (JSC::Heap::isLive):
8770 (JSC::Heap::isInRememberedSet):
8771 (JSC::Heap::isMarked):
8772 (JSC::Heap::testAndSetMarked):
8773 (JSC::Heap::setMarked):
8774 (JSC::Heap::isWriteBarrierEnabled):
8775 (JSC::Heap::writeBarrier):
8776 (JSC::Heap::reportExtraMemoryCost):
8777 (JSC::Heap::forEachProtectedCell):
8778 (JSC::Heap::forEachCodeBlock):
8779 (JSC::Heap::allocateWithNormalDestructor):
8780 (JSC::Heap::allocateWithImmortalStructureDestructor):
8781 (JSC::Heap::allocateWithoutDestructor):
8782 (JSC::Heap::tryAllocateStorage):
8783 (JSC::Heap::tryReallocateStorage):
8784 (JSC::Heap::ascribeOwner):
8785 (JSC::Heap::blockAllocator):
8786 (JSC::Heap::releaseSoon):
8787 (JSC::Heap::incrementDeferralDepth):
8788 (JSC::Heap::decrementDeferralDepth):
8789 (JSC::Heap::collectIfNecessaryOrDefer):
8790 (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
8791 (JSC::Heap::markListSet):
8792 * runtime/JSCInlines.h:
8793
87942014-03-25 Filip Pizlo <fpizlo@apple.com>
8795
8796 DFG::ByteCodeParser::SetMode should distinguish between setting immediately without a flush and setting immediately with a flush
8797 https://bugs.webkit.org/show_bug.cgi?id=130760
8798
8799 Reviewed by Mark Hahnenberg.
8800
8801 * dfg/DFGByteCodeParser.cpp:
8802 (JSC::DFG::ByteCodeParser::setLocal):
8803 (JSC::DFG::ByteCodeParser::setArgument):
8804 (JSC::DFG::ByteCodeParser::handleInlining):
8805 (JSC::DFG::ByteCodeParser::parseBlock):
8806 * tests/stress/assign-argument-in-inlined-call.js: Added.
8807 (f1):
8808 (getF2Arguments):
8809 (f2):
8810 (f3):
8811 * tests/stress/assign-captured-argument-in-inlined-call.js: Added.
8812 (f1):
8813 (f2):
8814 (f3):
8815
88162014-03-25 Filip Pizlo <fpizlo@apple.com>
8817
8818 Fix 32-bit getter call alignment.
8819
8820 Reviewed by Mark Hahnenberg.
8821
8822 * jit/Repatch.cpp:
8823 (JSC::generateGetByIdStub):
8824
88252014-03-25 Filip Pizlo <fpizlo@apple.com>
8826
8827 Repatch should plant calls to getters directly rather than through a C helper
8828 https://bugs.webkit.org/show_bug.cgi?id=129589
8829
8830 Reviewed by Mark Hahnenberg.
8831
8832 As the title says. All of the superstructure for this was already in place, so now it
8833 was just a matter of actually emitting the call.
8834
8835 8x speed-up for getter microbenchmarks.
8836
8837 * CMakeLists.txt:
8838 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
8839 * JavaScriptCore.xcodeproj/project.pbxproj:
8840 * bytecode/PolymorphicGetByIdList.h:
8841 (JSC::GetByIdAccess::doesCalls):
8842 * jit/AccessorCallJITStubRoutine.cpp: Added.
8843 (JSC::AccessorCallJITStubRoutine::AccessorCallJITStubRoutine):
8844 (JSC::AccessorCallJITStubRoutine::~AccessorCallJITStubRoutine):
8845 (JSC::AccessorCallJITStubRoutine::visitWeak):
8846 * jit/AccessorCallJITStubRoutine.h: Added.
8847 * jit/AssemblyHelpers.h:
8848 (JSC::AssemblyHelpers::storeCell):
8849 * jit/GCAwareJITStubRoutine.h:
8850 * jit/Repatch.cpp:
8851 (JSC::generateGetByIdStub):
8852 * runtime/GetterSetter.h:
8853 (JSC::GetterSetter::offsetOfGetter):
8854 (JSC::GetterSetter::offsetOfSetter):
8855
88562014-03-25 Michael Saboff <msaboff@apple.com>
8857
8858 Unreviewed, rolling out r166126.
8859
8860 Rollout r166126 in preparation to roll out prerequisite r166070
8861
8862 Reverted changeset:
8863
8864 "toThis() on a JSWorkerGlobalScope should return a JSProxy and
8865 not undefined"
8866 https://bugs.webkit.org/show_bug.cgi?id=130554
8867 http://trac.webkit.org/changeset/166126
8868
88692014-03-25 Oliver Hunt <oliver@apple.com>
8870
8871 AST incorrectly conflates readable and writable locations
8872 https://bugs.webkit.org/show_bug.cgi?id=130734
8873
8874 Reviewed by Filip Pizlo.
8875
8876 We need to distinguish between "locations" that are valid for reading
8877 and writing, vs those that may only be written.
8878
8879 * bytecompiler/NodesCodegen.cpp:
8880 (JSC::ForInNode::emitBytecode):
8881 (JSC::ForOfNode::emitBytecode):
8882 * parser/Nodes.h:
8883 (JSC::ExpressionNode::isAssignmentLocation):
8884
88852014-03-24 Oliver Hunt <oliver@apple.com>
8886
8887 ASSERTION FAILED in Parser: dst != localReg
8888 https://bugs.webkit.org/show_bug.cgi?id=130710
8889
8890 Reviewed by Filip Pizlo.
8891
8892 Just make sure we don't try to write to a captured constant,
8893 following the change to track captured variables separately.
8894
8895 * bytecompiler/NodesCodegen.cpp:
8896 (JSC::PostfixNode::emitResolve):
8897 (JSC::PrefixNode::emitResolve):
8898
88992014-03-25 Martin Robinson <mrobinson@igalia.com>
8900
8901 [GTK] Remove the autotools build
8902 https://bugs.webkit.org/show_bug.cgi?id=130717
8903
8904 Reviewed by Anders Carlsson.
8905
8906 * GNUmakefile.am: Removed.
8907 * config.h: Remove references to the autotools configure file.
8908
89092014-03-24 Filip Pizlo <fpizlo@apple.com>
8910
8911 More scaffolding for a stub routine to have a stub recursively embedded inside it
8912 https://bugs.webkit.org/show_bug.cgi?id=130770
8913
8914 Reviewed by Oliver Hunt.
8915
8916 * bytecode/CallLinkInfo.cpp:
8917 (JSC::CallLinkInfo::unlink): VM& argument is superfluous.
8918 (JSC::CallLinkInfo::visitWeak): Factor this out, it used to be in CodeBlock::finalizeUnconditionally().
8919 * bytecode/CallLinkInfo.h:
8920 * bytecode/CodeBlock.cpp:
8921 (JSC::CodeBlock::finalizeUnconditionally): Factor out some functionality into CallLinkInfo::visitWeak(), and make sure we pass RepatchBuffer& in more places.
8922 (JSC::CodeBlock::unlinkCalls):
8923 (JSC::CodeBlock::unlinkIncomingCalls):
8924 * bytecode/PolymorphicGetByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
8925 (JSC::GetByIdAccess::visitWeak):
8926 (JSC::PolymorphicGetByIdList::visitWeak):
8927 * bytecode/PolymorphicGetByIdList.h:
8928 * bytecode/PolymorphicPutByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
8929 (JSC::PutByIdAccess::visitWeak):
8930 (JSC::PolymorphicPutByIdList::visitWeak):
8931 * bytecode/PolymorphicPutByIdList.h:
8932 * bytecode/StructureStubInfo.cpp: Pass RepatchBuffer& through.
8933 (JSC::StructureStubInfo::visitWeakReferences):
8934 * bytecode/StructureStubInfo.h:
8935 * jit/ClosureCallStubRoutine.cpp: isClosureCall is unused.
8936 (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
8937 * jit/GCAwareJITStubRoutine.cpp:
8938 (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
8939 (JSC::createJITStubRoutine):
8940 * jit/GCAwareJITStubRoutine.h: Make it easier to construct one of these.
8941 (JSC::GCAwareJITStubRoutine::isClosureCall): Deleted.
8942 * jit/JITStubRoutine.cpp:
8943 (JSC::JITStubRoutine::visitWeak): This will allow future JITStubRoutine subclasses to have stubs recursively embedded inside them.
8944 * jit/JITStubRoutine.h:
8945 * jit/Repatch.cpp:
8946 (JSC::generateGetByIdStub): Fix a possible GC bug where we weren't making the stub routine GC aware.
8947 (JSC::emitCustomSetterStub): Clean up some code.
8948
89492014-03-24 Geoffrey Garen <ggaren@apple.com>
8950
8951 Safari crashes in JavaScriptCore: JSC::JSObject::growOutOfLineStorage
8952 when WebKit is compiled with fcatch-undefined-behavior
8953 https://bugs.webkit.org/show_bug.cgi?id=130652
8954
8955 Reviewed by Mark Hahnenberg.
8956
8957 Use a static member function because the butterfly we pass in might be
8958 NULL, and passing NULL to a member function is undefined behavior.
8959
8960 Stylistically, I think this new way reads a little more clearly, since it
8961 matches createOrGrowArrayRight, and it helps to convey that m_butterfly
8962 might not exist yet.
8963
8964 * runtime/Butterfly.h:
8965 * runtime/ButterflyInlines.h:
8966 (JSC::Butterfly::createOrGrowPropertyStorage): Renamed from growPropertyStorage
8967 because we might create. Split out the create path to avoid using NULL
8968 in a member function expression.
8969
8970 Removed some unused versions of this function.
8971
8972 * runtime/JSObject.cpp:
8973 (JSC::JSObject::growOutOfLineStorage): Updated for interface change.
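
An added example, not JavaScriptCore code, of the pattern this entry moves to. Calling a member function through a null pointer is undefined behaviour even when the body tests `this` (clang's -fsanitize=null flags the call, and an optimiser is entitled to delete the test), so the possibly-null old storage becomes an ordinary argument of a static create-or-grow function. PropertyStorage and Object below are hypothetical stand-ins for Butterfly and JSObject.

```cpp
// Added example, not JavaScriptCore code: lazily created storage grown through
// a static createOrGrow(old, n) rather than a member call on a pointer that may
// be null. Names are hypothetical.
#include <algorithm>
#include <cstddef>
#include <vector>

class PropertyStorage {
public:
    // Well-defined for old == nullptr: nothing is ever called on a null object.
    static PropertyStorage* createOrGrow(PropertyStorage* old, std::size_t newCount) {
        PropertyStorage* fresh = new PropertyStorage(newCount);
        if (old) {
            std::size_t keep = std::min(old->m_slots.size(), newCount);
            std::copy_n(old->m_slots.begin(), keep, fresh->m_slots.begin());
            delete old;
        }
        return fresh;
    }
    std::size_t count() const { return m_slots.size(); }
    double& at(std::size_t i) { return m_slots.at(i); }
    double at(std::size_t i) const { return m_slots.at(i); }

private:
    explicit PropertyStorage(std::size_t n) : m_slots(n, 0.0) {}
    std::vector<double> m_slots;
};

// An object whose out-of-line storage is allocated lazily: m_storage starts
// null, and the first growth must create it rather than grow it.
class Object {
public:
    Object() : m_storage(nullptr) {}
    ~Object() { delete m_storage; }
    Object(const Object&) = delete;
    Object& operator=(const Object&) = delete;

    // The null case is handled by an argument check inside a static function,
    // never by a member call on m_storage while it is still null.
    void growOutOfLineStorage(std::size_t newCount) {
        m_storage = PropertyStorage::createOrGrow(m_storage, newCount);
    }
    void put(std::size_t i, double v) { m_storage->at(i) = v; }
    double get(std::size_t i) const { return m_storage->at(i); }
    std::size_t storageCount() const { return m_storage ? m_storage->count() : 0; }

private:
    PropertyStorage* m_storage;
};

// Grows from no storage to 4 slots, then to 8, and returns the final count.
std::size_t countAfterGrowth() {
    Object object;
    object.growOutOfLineStorage(4);
    object.growOutOfLineStorage(8);
    return object.storageCount();
}

// Stores a value after the first growth and returns what the regrown storage
// reads back at the same index.
double valueSurvivesGrowth() {
    Object object;
    object.growOutOfLineStorage(4);
    object.put(2, 42.0);
    object.growOutOfLineStorage(8);
    return object.get(2);
}
```

The security-relevant point is that an `if (!this)` guard inside a member function is not a defence: once the call through a null pointer has happened the program has no defined behaviour, and recent compilers do remove such guards. The static form keeps the null check in code the compiler must honour.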
8974
89752014-03-24 Oliver Hunt <oliver@apple.com>
8976
8977 Strict mode destructuring assignment crashes the parser.
8978 https://bugs.webkit.org/show_bug.cgi?id=130538
8979
8980 Reviewed by Michael Saboff.
8981
8982 The SyntaxChecker mode always returns 1 for success, except
8983 for a small subset of functions where we needed exact information.
8984 This ends up just being a poor design decision as it means
8985 the parser can get confused between a function returning 1, and
8986 the Resolve constant which was also 1. So we now use a unique
8987 type for every creation method.
8988
8989 * parser/SyntaxChecker.h:
8990 (JSC::SyntaxChecker::createSourceElements):
8991 (JSC::SyntaxChecker::createFunctionBody):
8992 (JSC::SyntaxChecker::createArguments):
8993 (JSC::SyntaxChecker::createSpreadExpression):
8994 (JSC::SyntaxChecker::createArgumentsList):
8995 (JSC::SyntaxChecker::createPropertyList):
8996 (JSC::SyntaxChecker::createElementList):
8997 (JSC::SyntaxChecker::createFormalParameterList):
8998 (JSC::SyntaxChecker::createClause):
8999 (JSC::SyntaxChecker::createClauseList):
9000 (JSC::SyntaxChecker::createFuncDeclStatement):
9001 (JSC::SyntaxChecker::createBlockStatement):
9002 (JSC::SyntaxChecker::createExprStatement):
9003 (JSC::SyntaxChecker::createIfStatement):
9004 (JSC::SyntaxChecker::createForLoop):
9005 (JSC::SyntaxChecker::createForInLoop):
9006 (JSC::SyntaxChecker::createForOfLoop):
9007 (JSC::SyntaxChecker::createEmptyStatement):
9008 (JSC::SyntaxChecker::createVarStatement):
9009 (JSC::SyntaxChecker::createReturnStatement):
9010 (JSC::SyntaxChecker::createBreakStatement):
9011 (JSC::SyntaxChecker::createContinueStatement):
9012 (JSC::SyntaxChecker::createTryStatement):
9013 (JSC::SyntaxChecker::createSwitchStatement):
9014 (JSC::SyntaxChecker::createWhileStatement):
9015 (JSC::SyntaxChecker::createWithStatement):
9016 (JSC::SyntaxChecker::createDoWhileStatement):
9017 (JSC::SyntaxChecker::createLabelStatement):
9018 (JSC::SyntaxChecker::createThrowStatement):
9019 (JSC::SyntaxChecker::createDebugger):
9020 (JSC::SyntaxChecker::createConstStatement):
9021 (JSC::SyntaxChecker::appendConstDecl):
9022 (JSC::SyntaxChecker::combineCommaNodes):
9023 (JSC::SyntaxChecker::operatorStackPop):
9024
90252014-03-24 Brent Fulgham <bfulgham@apple.com>
9026
9027 Activate WebVTT Tests Once Merging is Complete
9028 https://bugs.webkit.org/show_bug.cgi?id=130420
9029
9030 Reviewed by Eric Carlson.
9031
9032 * Configurations/FeatureDefines.xcconfig: Turn on ENABLE(WEBVTT_REGIONS)
9033
90342014-03-24 Andreas Kling <akling@apple.com>
9035
9036 Stop pulling in all the macro assemblers from VM.h
9037 <https://webkit.org/b/130691>
9038
9039 Remove #include of "GPRInfo.h". This breaks WebCore's dependency
9040 on macro assemblers headers and removes 8 includes from every
9041 .cpp file in the JS bindings.
9042
9043 Reviewed by Geoff Garen.
9044
9045 * runtime/VM.h:
9046
90472014-03-24 Gavin Barraclough <barraclough@apple.com>
9048
9049 Add support for thread QoS
9050 https://bugs.webkit.org/show_bug.cgi?id=130688
9051
9052 Reviewed by Andreas Kling.
9053
9054 * heap/BlockAllocator.cpp:
9055 (JSC::BlockAllocator::blockFreeingThreadStartFunc):
9056 - block freeing is a utility activity.
9057
2014-03-24  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix CLOOP build.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
        (JSC::CodeBlock::resetStubDuringGCInternal): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::callLinkInfosEnd): Deleted.

2014-03-24  Gabor Rapcsanyi  <rgabor@webkit.org>

        [ARM64] GNU assembler doesn't work with LLInt arm64 backend.
        https://bugs.webkit.org/show_bug.cgi?id=130453

        Reviewed by Filip Pizlo.

        Change fp and lr to x29 and x30. Add both operand kinds to emitARM64()
        at sxtw and uxtw instructions.

        * offlineasm/arm64.rb:

2014-03-23  Hyowon Kim  <hw1008.kim@samsung.com>

        Move all EFL typedefs into EflTypedefs.h.
        https://bugs.webkit.org/show_bug.cgi?id=130511

        Reviewed by Gyuyoung Kim.

        * heap/HeapTimer.h: Remove EFL typedefs.

2014-03-23  Filip Pizlo  <fpizlo@apple.com>

        Gotta grow the locals vectors if we are about to do SetLocals beyond the bytecode's numCalleeRegisters
        https://bugs.webkit.org/show_bug.cgi?id=130650
        <rdar://problem/16122966>

        Reviewed by Michael Saboff.

        Previously, it was only in the case of inlining that we would do SetLocals beyond the
        previously established numLocals limit. But then we added generalized op_call_varargs
        handling, which results in us emitting SetLocals that didn't previously exist in the
        bytecode.

        This factors out the inliner's ensureLocals loop and calls it from op_call_varargs.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ensureLocals):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub): Make this do alignment correctly.
        * runtime/Options.h:
        * tests/stress/call-varargs-from-inlined-code.js: Added.
        * tests/stress/call-varargs-from-inlined-code-with-odd-number-of-arguments.js: Added.

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, adjust sizes for ARM64.

        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCall):

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Protect the silent spiller/filler's desire to fill Int32Constants by making sure that we don't mark something as having an Int32 register format if it's a non-Int32 constant
        https://bugs.webkit.org/show_bug.cgi?id=130649
        <rdar://problem/16399949>

        Reviewed by Andreas Kling.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        * tests/stress/fuzz-bug-16399949.js: Added.
        (tryItOut.f):
        (tryItOut):

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Call linking slow paths should be passed a CallLinkInfo* directly so that you can create a call IC without adding it to any CodeBlocks
        https://bugs.webkit.org/show_bug.cgi?id=130644

        Reviewed by Andreas Kling.

        This is conceptually a really simple change but it involves the following:

        - The inline part of the call IC stuffs a pointer to the CallLinkInfo into regT2.

        - CodeBlock uses a Bag of CallLinkInfos instead of a Vector.

        - Remove the significance of a CallLinkInfo's index. This means that DFG::JITCode no
          longer has a vector of slow path counts that shadows the CallLinkInfo vector.

        - Make CallLinkInfo have its own slowPathCount, which counts actual slow path executions
          and not all relinking.

        This makes planting JS->JS calls inside other inline caches or stubs a lot easier, since
        the CallLinkInfo and the call IC slow paths no longer rely on the call being associated
        with an op_call/op_construct instruction and a machine code return PC within such an
        instruction.

        * bytecode/CallLinkInfo.h:
        (JSC::getCallLinkInfoCodeOrigin):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeDFGStatuses):
        * bytecode/CallLinkStatus.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::getCallLinkInfoMap):
        (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
        (JSC::CodeBlock::addCallLinkInfo):
        (JSC::CodeBlock::unlinkCalls):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::stubInfoBegin):
        (JSC::CodeBlock::stubInfoEnd):
        (JSC::CodeBlock::callLinkInfosBegin):
        (JSC::CodeBlock::callLinkInfosEnd):
        (JSC::CodeBlock::byValInfo):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addJSCall):
        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCall):
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::JSCall):
        (JSC::FTL::JSCall::emit):
        (JSC::FTL::JSCall::link):
        * ftl/FTLJSCall.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        (JSC::operationLinkFor):
        (JSC::operationVirtualFor):
        (JSC::operationLinkClosureCallFor):
        * jit/Repatch.cpp:
        (JSC::linkClosureCall):
        * jit/ThunkGenerators.cpp:
        (JSC::slowPathFor):
        (JSC::virtualForThunkGenerator):
        * tests/stress/eval-that-is-not-eval.js: Added.

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix misspelled test name.

        * tests/stress/constand-folding-osr-exit.js: Removed.
        * tests/stress/constant-folding-osr-exit.js: Copied from Source/JavaScriptCore/tests/stress/constand-folding-osr-exit.js.

2014-03-22  Andreas Kling  <akling@apple.com>

        CREATE_DOM_WRAPPER doesn't need the ExecState.
        <https://webkit.org/b/130648>

        Add a fast path from JSGlobalObject to the VM so we don't have
        to dance via the Heap.

        Reviewed by Darin Adler.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::vm):

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLJITFinalizer.cpp:

2014-03-22  Michael Saboff  <msaboff@apple.com>

        toThis() on a JSWorkerGlobalScope should return a JSProxy and not undefined
        https://bugs.webkit.org/show_bug.cgi?id=130554

        Reviewed by Geoffrey Garen.

        Fixed toThis() on WorkerGlobalScope to return a JSProxy instead of the JSGlobalObject.
        Did some cleanup as well. Moved the setting of the thisObject in a JSGlobalObject to
        happen in finishCreation() so that it will also happen for other derived classes including
        JSWorkerGlobalScopeBase.

        * API/JSContextRef.cpp:
        (JSGlobalContextCreateInGroup):
        * jsc.cpp:
        (GlobalObject::create):
        * API/tests/testapi.c:
        (globalObject_initialize): Eliminated ASSERT that the global object we are creating matches
        the result from JSContextGetGlobalObject() as that will return the proxy.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Removed thisValue parameter and the call to setGlobalThis() since
        we now call setGlobalThis in finishCreation().
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        (JSC::JSGlobalObject::setGlobalThis): Made this a private method.

2014-03-22  Andreas Kling  <akling@apple.com>

        Fix debug build.

        * bytecode/CodeBlock.cpp:
        * runtime/Executable.cpp:

2014-03-22  Andreas Kling  <akling@apple.com>

        Cut down on JSC profiler includes in WebCore & co.
        <https://webkit.org/b/130637>

        Most of WebKit was pulling in JSC's profiler headers via VM.h.

        Reviewed by Darin Adler.

        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDisassembler.h:
        * dfg/DFGJITFinalizer.cpp:
        * jsc.cpp:
        * runtime/VM.cpp:
        * runtime/VM.h:

2014-03-22  Landry Breuil  <landry@openbsd.org>

        Use pthread_stackseg_np() to find the stack bounds on OpenBSD.
        https://bugs.webkit.org/show_bug.cgi?id=129965

        Reviewed by Anders Carlsson.

2014-03-21  Mark Lam  <mark.lam@apple.com>

        Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer.
        <https://webkit.org/b/124508>

        Reviewed by Oliver Hunt.

        The issue is that BreakNode::emitBytecode() is holding onto a LabelScope
        pointer from the BytecodeGenerator's m_localScopes vector, and then it
        calls emitPopScopes(). emitPopScopes() may do finally clause handling
        which will require the m_localScopes to be cloned so that it can change
        the local scopes for the finally block, and then restore it after
        handling the finally clause. These modifications of the m_localScopes
        vector will result in the LabelScope pointer in BreakNode::emitBytecode()
        becoming stale, thereby causing the crash.

        The same issue applies to the ContinueNode as well.

        The fix is to use the existing LabelScopePtr abstraction instead of raw
        LabelScope pointers. The LabelScopePtr is resilient to the underlying
        vector re-allocating its backing store.

        I also changed the LabelScopePtr constructor that takes a LabelScopeStore
        to expect a reference to the owner store instead of a pointer because the
        owner store should never be a null pointer.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newLabelScope):
        (JSC::BytecodeGenerator::breakTarget):
        (JSC::BytecodeGenerator::continueTarget):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/LabelScope.h:
        (JSC::LabelScopePtr::LabelScopePtr):
        (JSC::LabelScopePtr::operator bool):
        (JSC::LabelScopePtr::null):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ContinueNode::trivialTarget):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::trivialTarget):
        (JSC::BreakNode::emitBytecode):

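As an added illustration of the stale-pointer pattern the entry above describes (example code written for this page, not WebKit's), the following shows a raw pointer into a vector dangling once the backing store is replaced, while an (owner store, index) handle modelled on the entry's LabelScopePtr keeps resolving. The LabelScope, LabelScopeStore, LabelScopePtr and popScopesWithFinally definitions are hypothetical stand-ins, not JSC's.

```cpp
// Added example (not WebKit code): why the raw LabelScope* described in the
// entry goes stale, and how an (owner store, index) handle in the spirit of
// JSC's LabelScopePtr keeps resolving after the vector's backing store moves.
// LabelScope, LabelScopeStore, LabelScopePtr and popScopesWithFinally are
// hypothetical stand-ins written for this illustration, not JSC's definitions.
#include <cstddef>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Stand-in for one label scope entry in the m_localScopes vector.
struct LabelScope {
    std::string name;
    int depth;
};

// Stand-in for the owner store (the m_localScopes vector itself).
using LabelScopeStore = std::vector<LabelScope>;

// Handle that records which element it refers to rather than where the
// element currently lives, so reallocation of the store cannot invalidate it.
class LabelScopePtr {
public:
    // Takes a reference: as the entry notes, the owner store is never null.
    LabelScopePtr(LabelScopeStore& store, std::size_t index)
        : m_store(&store), m_index(index) {}

    LabelScope& operator*() const { return (*m_store)[m_index]; }
    LabelScope* operator->() const { return &(*m_store)[m_index]; }

private:
    LabelScopeStore* m_store;  // the store outlives every handle into it
    std::size_t m_index;
};

// Stand-in for emitPopScopes() with a finally clause: clone the scopes, work
// on the clone, then put the result back. The clone is a fresh allocation and
// the move-assignment hands it to `scopes`, freeing the old buffer, so any raw
// pointer into the old buffer is left dangling.
void popScopesWithFinally(LabelScopeStore& scopes) {
    LabelScopeStore cloned = scopes;                       // new allocation
    cloned.push_back({"finally", static_cast<int>(cloned.size())});
    // ... the finally block would be emitted against `cloned` here ...
    scopes = std::move(cloned);                            // old buffer freed
    scopes.pop_back();                                     // restore original scopes
}

// Models BreakNode::emitBytecode() holding a handle across emitPopScopes().
// Returns the name of the scope the handle resolves to afterwards.
std::string breakTargetViaHandle() {
    LabelScopeStore scopes;
    scopes.push_back({"outer", 0});
    scopes.push_back({"loop", 1});
    LabelScopePtr target(scopes, 1);   // handle to the "loop" scope
    popScopesWithFinally(scopes);      // backing store is replaced
    return target->name;               // still "loop": index + store, not an address
}

// Same sequence with a raw pointer. Returns whether the pointer still
// addresses the live element; the stale pointer is compared, never dereferenced.
bool rawPointerStillAddressesLiveElement() {
    LabelScopeStore scopes;
    scopes.push_back({"outer", 0});
    scopes.push_back({"loop", 1});
    LabelScope* target = &scopes[1];   // raw pointer into the current buffer
    popScopesWithFinally(scopes);      // that buffer no longer exists
    return target == &scopes[1];       // false: the element now lives elsewhere
}

int main() {
    std::printf("handle resolves to: %s\n", breakTargetViaHandle().c_str());
    std::printf("raw pointer still valid: %s\n",
                rawPointerStillAddressesLiveElement() ? "yes" : "no");
    return 0;
}
```
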
2014-03-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        6% SunSpider commandline regression due to r165940
        https://bugs.webkit.org/show_bug.cgi?id=130617

        Reviewed by Michael Saboff.

        In GCActivityCallback::didAllocate, lastGCLength() returns 0 if we've never collected
        before. Some of the benchmarks are never running a single EdenCollection, which causes
        them to repeatedly call scheduleTimer with a newDelay of 0. This defeats our timer
        slop heuristic, causing us to invoke CFRunLoopTimerSetNextFireDate a couple orders of
        magnitude more than we normally would.

        The fix is to seed the last GC lengths in Heap with a non-zero length so that our heuristic works.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):

2014-03-21  Filip Pizlo  <fpizlo@apple.com>

        Constants folded by DFG::ByteCodeParser should not be dead.
        https://bugs.webkit.org/show_bug.cgi?id=130576

        Reviewed by Mark Hahnenberg.

        This fixes bugs in the ByteCodeParser's constant folder by removing that constant folder. This
        reduces the number of folders in JSC from fourish to just threeish (parser, DFG AI, and one
        or more folders in LLVM). Doing so has no performance impact since the other constant folders
        already subsume this one.

        Also added a test case for the specific bug that instigated this.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::getJSConstant):
        (JSC::DFG::ByteCodeParser::inferredConstant):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGNodeFlags.h:
        * tests/stress/constand-folding-osr-exit.js: Added.
        (foo):
        (test):
        (.var):

2014-03-21  Mark Lam  <mark.lam@apple.com>

        StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal.
        <https://webkit.org/b/130566>

        Reviewed by Filip Pizlo.

        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        FTL should correctly compile GetByVal on Uint32Array that claims to return non-int32 values
        https://bugs.webkit.org/show_bug.cgi?id=130562
        <rdar://problem/16382842>

        Reviewed by Geoffrey Garen.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        * tests/stress/uint32array-unsigned-load.js: Added.
        (foo):

2014-03-20  Brian Burg  <bburg@apple.com>

        Web Inspector: add frontend controller and models for replay sessions
        https://bugs.webkit.org/show_bug.cgi?id=130145

        Reviewed by Joseph Pecoraro.

        * inspector/scripts/CodeGeneratorInspector.py: Add the conditional Replay domain.

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        FTL ValueToInt32 mishandles the constant case, and by the way, there is a constant case that the FTL sees
        https://bugs.webkit.org/show_bug.cgi?id=130546
        <rdar://problem/16383308>

        Reviewed by Mark Hahnenberg.

        Make AI do a better job of folding this.

        Also made the FTL backend be more tolerant of data representations. In this case it
        didn't know that "constant" was a valid representation. There is a finite set of
        possible representations, but broadly, we don't write code that presumes anything
        about the representation of an input; that's what methods like lowJSValue() are for.
        ValueToInt32 was previously not relying on those methods at all because it had some
        hacks. Now, those hacks are just a fast-path optimization but ultimately we fall down
        to lowJSValue().

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
        * tests/stress/value-to-int32-undefined-constant.js: Added.
        (foo):
        * tests/stress/value-to-int32-undefined.js: Added.
        (foo):

2014-03-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add some assertions back
        https://bugs.webkit.org/show_bug.cgi?id=130531

        Reviewed by Geoffrey Garen.

        We removed a useful set of assertions for verifying that MarkedBlocks were
        in the state that we expected them to be in after clearing marks in the Heap.
        We should add these back to catch bugs earlier.

        * heap/MarkedBlock.h:
        * heap/MarkedSpace.cpp:
        (JSC::VerifyMarkedOrRetired::operator()):
        (JSC::MarkedSpace::clearMarks):

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        Implement stackmap header version check and support new stackmap formats
        https://bugs.webkit.org/show_bug.cgi?id=130535
        <rdar://problem/16164284>

        Reviewed by Geoffrey Garen.

        Add the notion of versioning so that LLVMers can happily implement new stackmap formats
        without worrying about WebKit getting version-locked to LLVM. In the future, we will have
        to implement parsing for a new LLVM stackmap format before it lands in LLVM, or we'll have
        to have a "max usable LLVM revision" limit. But, thanks to versioning, we'll always be
        happy to move backward in time to older versions of LLVM.

        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::readObject):
        (JSC::FTL::StackMaps::Constant::parse):
        (JSC::FTL::StackMaps::StackSize::parse):
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::Record::parse):
        (JSC::FTL::StackMaps::parse):
        (JSC::FTL::StackMaps::dump):
        (JSC::FTL::StackMaps::dumpMultiline):
        * ftl/FTLStackMaps.h:

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        Crash beneath operationTearOffActivation running this JS compression demo
        https://bugs.webkit.org/show_bug.cgi?id=130295
        <rdar://problem/16332337>

        Reviewed by Oliver Hunt.

        Make sure that we flush things as if we were at a terminal, if we are at a block with
        no forward edges. This fixes infinitely loopy code with captured variables.

        Make sure that the CFG simplifier adds explicit flushes whenever it jettisons a block.

        Make it so that NodeIsFlushed is a thing. Previously only SSA used it and it computed
        it by itself. Now it's an artifact of CPS rethreading.

        Add a bunch of tests. All of them previously either crashed or returned bad output due
        to memory corruption.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::isCaptured):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::flushForTerminal):
        (JSC::DFG::ByteCodeParser::flushForReturn):
        (JSC::DFG::ByteCodeParser::flushIfTerminal):
        (JSC::DFG::ByteCodeParser::branchData):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
        (JSC::DFG::CPSRethreadingPhase::addFlushedLocalOp):
        (JSC::DFG::CPSRethreadingPhase::addFlushedLocalEdge):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::clearFlagsOnAllNodes):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * tests/stress/activation-test-loop.js: Added.
        (Inner.this.doStuff):
        (Inner):
        (foo.inner.isDone):
        (foo):
        * tests/stress/inferred-infinite-loop-that-uses-captured-variables.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables-before-throwing.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables-but-they-do-not-escape.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables-with-osr-entry.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/tricky-indirectly-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
        (bar):
        (fuzz):
        (foo.f):
        (foo):
        * tests/stress/tricky-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
        (bar):
        (foo.f):
        (foo):
        * tests/stress/tricky-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
        (bar):
        (foo.f):
        (foo):
        * tests/stress/tricky-infinite-loop-that-uses-captured-variables.js: Added.
        (bar):
        (foo):
        (noInline):

2014-03-20  Oliver Hunt  <oliver@apple.com>

        Incorrect behavior when mutating a typed array during set.
        https://bugs.webkit.org/show_bug.cgi?id=130428

        Reviewed by Geoffrey Garen.

        This fixes a null dereference that occurs if a typed array
        is mutated during the set() operation. The patch gets rid
        of the "Quickly" version of setIndex that is assigning
        JSValues of unknown type, as the numeric conversion can trigger
        side effects that lead to neutering, and so we deref null.

        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::setIndex):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::set):
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):

2014-03-20  Gavin Barraclough  <barraclough@apple.com>

        Remove IdentifierTable typedef, isIdentifier()
        https://bugs.webkit.org/show_bug.cgi?id=130533

        Rubber stamped by Geoff Garen.

        Code should use AtomicStringTable, isAtomic() directly.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::~OpaqueJSClass):
        (OpaqueJSClassContextData::OpaqueJSClassContextData):
        (OpaqueJSClass::className):
        * API/JSClassRef.h:
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromCell):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * interpreter/CallFrame.h:
        (JSC::ExecState::atomicStringTable):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::addVar):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::createBindingPattern):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::evaluate):
        * runtime/Identifier.cpp:
        (JSC::Identifier::checkCurrentAtomicStringTable):
        * runtime/Identifier.h:
        (JSC::Identifier::Identifier):
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::add):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContext):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::willReleaseLock):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        (JSC::PropertyTable::findWithString):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        (JSC::VM::atomicStringTable):

2014-03-20  Gavin Barraclough  <barraclough@apple.com>

        Merge AtomicString, Identifier
        https://bugs.webkit.org/show_bug.cgi?id=128624

        Reviewed by Geoff Garen.

        WTF::StringImpl currently supports two uniquing mechanisms - AtomicString and
        Identifier - that is one too many.

        Remove Identifier in favour of AtomicString. Identifier had two interesting
        mechanisms that we preserve.

        (1) JSC API VMs each get their own string table, switch the string table on
        API entry/exit.
        (2) JSC caches a pointer to the string table on the VM to avoid a thread
        specific access. Adds a new AtomicString::add method to support this.

        * API/JSAPIWrapperObject.mm:
        - updated includes.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        - added IdentifierInlines.h.
        * inspector/JSInjectedScriptHostPrototype.cpp:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        - updated includes.
        * interpreter/CallFrame.h:
        (JSC::ExecState::atomicStringTable):
        - added, used via AtomicString::add to avoid thread-specific access.
        * runtime/ConsolePrototype.cpp:
        - updated includes.
        * runtime/Identifier.cpp:
        (JSC::Identifier::add):
        (JSC::Identifier::add8):
        - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
        * runtime/Identifier.h:
        (JSC::Identifier::Identifier):
        - added ASSERTS.
        (JSC::Identifier::add):
        - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
        * runtime/IdentifierInlines.h: Added.
        (JSC::Identifier::add):
        - moved from Identifier.h, use AtomicString::add.
        * runtime/JSCInlines.h:
        - added IdentifierInlines.h.
        * runtime/JSLock.h:
        - removed IdentifierTable.
        * runtime/PropertyNameArray.cpp:
        - updated includes.
        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::SmallStringsStorage):
        - ensure all single character strings are Atomic.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        - instantiate CommonIdentifiers with the correct AtomicStringTable set on thread data.
        * runtime/VM.h:
        (JSC::VM::atomicStringTable):
        - added, used via AtomicString::add to avoid thread-specific access.

2014-03-20  Gabor Rapcsanyi  <rgabor@webkit.org>

        [ARM64] Fix assembler build issues and add cacheFlush support for Linux
        https://bugs.webkit.org/show_bug.cgi?id=130502

        Reviewed by Michael Saboff.

        Add limits.h for INT_MIN in ARM64Assembler(). Delete shouldBlindForSpecificArch(uintptr_t)
        because on ARM64 uint64_t and uintptr_t are the same with GCC and Clang as well.
        Add cacheFlush support for Linux.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::linuxPageFlush):
        (JSC::ARM64Assembler::cacheFlush):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::shouldBlindForSpecificArch):

2014-03-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=130494
        EmptyUnique strings are Identifiers/Atomic

        Reviewed by Geoff Garen.

        EmptyUnique strings should set the Identifier/Atomic flag.

        This fixes an unreproducible bug we believe exists in Identifier handling.
        Expected behaviour is that while Identifiers may reference EmptyUniques
        (StringImpls allocated as UIDs for PrivateNames), these are not created
        through the main Identifier constructor, the Identifier flag is not set
        on PrivateNames, and we should never look up EmptyUnique strings in the
        IdentifierTable.

        Unfortunately that was happening. Some tables used to implement property
        access in the JIT hold StringImpl*s, and turn these back into Identifiers
        using the Identifier constructor. Since the code generator will now plant
        by-id (cacheable) accesses to PrivateNames we can end up passing an
        EmptyUnique to Identifier::add, potentially leading to PrivateNames being
        uniqued together (though hard to prove, since the hash codes are random).

        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::uid):
        (JSC::PropertyName::publicName):
        (JSC::PropertyName::asIndex):
        - PropertyName assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        - Structure assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().

2014-03-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, revert the DFGCommon.h change in r165938. It was not intentional.

        * dfg/DFGCommon.h:

2014-03-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        GC timer should intelligently choose between EdenCollections and FullCollections
        https://bugs.webkit.org/show_bug.cgi?id=128261

        Reviewed by Geoffrey Garen.

        Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer
        always does FullCollections. To reduce the impact of the GC timer on the system this patch
        changes Heap so that it has two timers, one for each type of collection. The FullCollection
        timer is notified at the end of EdenCollections how much the Heap has grown since the last
        FullCollection and when somebody notifies the Heap of abandoned memory (which usually wouldn't
        be detected by an EdenCollection).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/EdenGCActivityCallback.cpp: Added.
        (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
        (JSC::EdenGCActivityCallback::doCollection):
        (JSC::EdenGCActivityCallback::lastGCLength):
        (JSC::EdenGCActivityCallback::deathRate):
        (JSC::EdenGCActivityCallback::gcTimeSlice):
        * heap/EdenGCActivityCallback.h: Added.
        (JSC::GCActivityCallback::createEdenTimer):
        * heap/FullGCActivityCallback.cpp: Added.
        (JSC::FullGCActivityCallback::FullGCActivityCallback):
        (JSC::FullGCActivityCallback::doCollection):
        (JSC::FullGCActivityCallback::lastGCLength):
        (JSC::FullGCActivityCallback::deathRate):
        (JSC::FullGCActivityCallback::gcTimeSlice):
        * heap/FullGCActivityCallback.h: Added.
        (JSC::GCActivityCallback::createFullTimer):
        * heap/GCActivityCallback.cpp:
        (JSC::GCActivityCallback::GCActivityCallback):
        (JSC::GCActivityCallback::doWork):
        (JSC::GCActivityCallback::scheduleTimer):
        (JSC::GCActivityCallback::cancelTimer):
        (JSC::GCActivityCallback::didAllocate):
        (JSC::GCActivityCallback::willCollect):
        (JSC::GCActivityCallback::cancel):
        * heap/GCActivityCallback.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::reportAbandonedObjectGraph):
        (JSC::Heap::didAbandon):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::setFullActivityCallback):
        (JSC::Heap::setEdenActivityCallback):
        (JSC::Heap::fullActivityCallback):
        (JSC::Heap::edenActivityCallback):
        (JSC::Heap::setGarbageCollectionTimerEnabled):
        (JSC::Heap::didAllocate):
        (JSC::Heap::shouldDoFullCollection):
        * heap/Heap.h:
        (JSC::Heap::lastFullGCLength):
        (JSC::Heap::lastEdenGCLength):
        (JSC::Heap::increaseLastFullGCLength):
        (JSC::Heap::sizeBeforeLastEdenCollection):
        (JSC::Heap::sizeAfterLastEdenCollection):
        (JSC::Heap::sizeBeforeLastFullCollection):
        (JSC::Heap::sizeAfterLastFullCollection):
        * heap/HeapOperation.h:
        * heap/HeapStatistics.cpp:
        (JSC::HeapStatistics::showObjectStatistics):
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerDidFire):
        * jsc.cpp:
        (functionFullGC):
        (functionEdenGC):
        * runtime/Options.h:

2014-03-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165926.
        https://bugs.webkit.org/show_bug.cgi?id=130488

        broke the iOS build (Requested by estes on #webkit).

        Reverted changeset:

        "GC timer should intelligently choose between EdenCollections
        and FullCollections"
        https://bugs.webkit.org/show_bug.cgi?id=128261
        http://trac.webkit.org/changeset/165926

2014-03-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        GC timer should intelligently choose between EdenCollections and FullCollections
        https://bugs.webkit.org/show_bug.cgi?id=128261

        Reviewed by Geoffrey Garen.

        Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer
        always does FullCollections. To reduce the impact of the GC timer on the system this patch
        changes Heap so that it has two timers, one for each type of collection. The FullCollection
        timer is notified at the end of EdenCollections how much the Heap has grown since the last
        FullCollection and when somebody notifies the Heap of abandoned memory (which wouldn't be
        detected by an EdenCollection).

        * heap/GCActivityCallback.cpp:
        (JSC::GCActivityCallback::GCActivityCallback):
        (JSC::GCActivityCallback::doWork):
        (JSC::FullGCActivityCallback::FullGCActivityCallback):
        (JSC::FullGCActivityCallback::doCollection):
        (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
        (JSC::EdenGCActivityCallback::doCollection):
        (JSC::GCActivityCallback::scheduleTimer):
        (JSC::GCActivityCallback::cancelTimer):
        (JSC::GCActivityCallback::didAllocate):
        (JSC::GCActivityCallback::willCollect):
        (JSC::GCActivityCallback::cancel):
        * heap/GCActivityCallback.h:
        (JSC::GCActivityCallback::GCActivityCallback):
        (JSC::GCActivityCallback::createFullTimer):
        (JSC::GCActivityCallback::createEdenTimer):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::didAbandon):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::setFullActivityCallback):
        (JSC::Heap::setEdenActivityCallback):
        (JSC::Heap::fullActivityCallback):
        (JSC::Heap::edenActivityCallback):
        (JSC::Heap::setGarbageCollectionTimerEnabled):
        (JSC::Heap::didAllocate):
        * heap/Heap.h:
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerDidFire):

2014-03-19  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r165459): It broke 109 jsc stress tests on ARM Thumb2 and Mac 32 bit
        https://bugs.webkit.org/show_bug.cgi?id=130134

        Reviewed by Mark Hahnenberg.
9932
9933 * dfg/DFGFixupPhase.cpp:
9934 (JSC::DFG::FixupPhase::fixupNode): Can't do some optimizations if you don't have a lot of registers.
9935 * dfg/DFGSpeculativeJIT32_64.cpp:
9936 (JSC::DFG::SpeculativeJIT::cachedGetById): Move stuff around before going into the IC code to ensure that we give the IC code the invariants it needs. This only happens in case of GetByIdFlush, where we are forced into using weird combinations of registers because the results have to be in t0/t1.
9937 (JSC::DFG::SpeculativeJIT::compile): For a normal GetById, the register allocator should just do the right thing so nobody has to move anything around.
9938 * jit/JITInlineCacheGenerator.cpp:
9939 (JSC::JITGetByIdGenerator::JITGetByIdGenerator): Assert the things we want.
9940 * jit/JITInlineCacheGenerator.h:
9941 * jit/Repatch.cpp:
9942 (JSC::generateGetByIdStub): Remove a previous incomplete hack to try to work around the DFG's problem.
9943
99442014-03-19 Mark Hahnenberg <mhahnenberg@apple.com>
9945
9946 Normalize some of the older JSC options
9947 https://bugs.webkit.org/show_bug.cgi?id=128753
9948
9949 Reviewed by Michael Saboff.
9950
9951 * runtime/Options.cpp:
9952 (JSC::Options::initialize):
9953
99542014-03-12 Mark Lam <mark.lam@apple.com>
9955
9956 Update type of local vars to match the type of String length.
9957 <https://webkit.org/b/130077>
9958
9959 Reviewed by Geoffrey Garen.
9960
9961 * runtime/JSStringJoiner.cpp:
9962 (JSC::JSStringJoiner::join):
9963
99642014-03-18 Filip Pizlo <fpizlo@apple.com>
9965
9966 Get rid of Flush in SSA
9967 https://bugs.webkit.org/show_bug.cgi?id=130440
9968
9969 Reviewed by Sam Weinig.
9970
9971 This is basically a red patch. We used to use backwards flow for determining what was
9972 flushed, until it became clear that this doesn't make sense. Now the Flush nodes don't
9973 accomplish anything. Keeping them around in SSA can only make things hard.
9974
9975 * CMakeLists.txt:
9976 * GNUmakefile.list.am:
9977 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
9978 * JavaScriptCore.xcodeproj/project.pbxproj:
9979 * dfg/DFGBasicBlock.cpp:
9980 (JSC::DFG::BasicBlock::SSAData::SSAData):
9981 * dfg/DFGBasicBlock.h:
9982 * dfg/DFGFlushLivenessAnalysisPhase.cpp: Removed.
9983 * dfg/DFGFlushLivenessAnalysisPhase.h: Removed.
9984 * dfg/DFGGraph.cpp:
9985 (JSC::DFG::Graph::dump):
9986 * dfg/DFGPlan.cpp:
9987 (JSC::DFG::Plan::compileInThreadImpl):
9988 * dfg/DFGSSAConversionPhase.cpp:
9989 (JSC::DFG::SSAConversionPhase::run):
9990 * ftl/FTLLowerDFGToLLVM.cpp:
9991 (JSC::FTL::LowerDFGToLLVM::compileNode):
9992
99932014-03-18 Filip Pizlo <fpizlo@apple.com>
9994
9995 Unreviewed, fix iOS production build.
9996
9997 * JavaScriptCore.xcodeproj/project.pbxproj:
9998
99992014-03-18 Michael Saboff <msaboff@apple.com>
10000
10001 Update RegExp Tracing code
10002 https://bugs.webkit.org/show_bug.cgi?id=130381
10003
10004 Reviewed by Andreas Kling.
10005
10006 Updated the regular expression tracing code for 8/16 bit JIT as
10007 well as match only entry points. Also added average string length
10008 metric.
10009
10010 * runtime/RegExp.cpp:
10011 (JSC::RegExp::RegExp):
10012 (JSC::RegExp::match):
10013 (JSC::RegExp::printTraceData):
10014 * runtime/RegExp.h:
10015 * runtime/VM.cpp:
10016 (JSC::VM::addRegExpToTrace):
10017 (JSC::VM::dumpRegExpTrace):
10018 * runtime/VM.h:
10019 * yarr/YarrJIT.h:
10020 (JSC::Yarr::YarrCodeBlock::get8BitMatchOnlyAddr):
10021 (JSC::Yarr::YarrCodeBlock::get16BitMatchOnlyAddr):
10022 (JSC::Yarr::YarrCodeBlock::get8BitMatchAddr):
10023 (JSC::Yarr::YarrCodeBlock::get16BitMatchAddr):
10024
100252014-03-17 Filip Pizlo <fpizlo@apple.com>
10026
10027 Add CompareStrictEq(StringIdent:, NotStringVar:) and CompareStrictEq(String:, Untyped:)
10028 https://bugs.webkit.org/show_bug.cgi?id=130300
10029
10030 Reviewed by Mark Hahnenberg.
10031
10032 We can quickly strictly compare StringIdent's to NotStringVar's and String's to Untyped's.
10033 This makes the DFG aware of this.
10034
10035 Also adds StringIdent-to-StringIdent and StringIdent-to-NotStringVar strict comparisons to
10036 the FTL. Also adds StringIdent-to-StringIdent non-strict comparisons to the FTL.
10037
10038 This also gives the DFG some abstractions for checking something is a cell or is other.
10039 This made this patch easier to write and also simplified a bunch of other stuff.
10040
10041 1% speed-up on Octane.
10042
10043 * assembler/AbstractMacroAssembler.h:
10044 (JSC::AbstractMacroAssembler::JumpList::JumpList):
10045 * bytecode/SpeculatedType.h:
10046 (JSC::isNotStringVarSpeculation):
10047 * dfg/DFGFixupPhase.cpp:
10048 (JSC::DFG::FixupPhase::fixupNode):
10049 * dfg/DFGNode.h:
10050 (JSC::DFG::Node::childFor):
10051 (JSC::DFG::Node::shouldSpeculateNotStringVar):
10052 * dfg/DFGSafeToExecute.h:
10053 (JSC::DFG::SafeToExecuteEdge::operator()):
10054 * dfg/DFGSpeculativeJIT.cpp:
10055 (JSC::DFG::SpeculativeJIT::compileIn):
10056 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
10057 (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
10058 (JSC::DFG::SpeculativeJIT::compileInstanceOf):
10059 (JSC::DFG::SpeculativeJIT::compileStrictEq):
10060 (JSC::DFG::SpeculativeJIT::compileBooleanCompare):
10061 (JSC::DFG::SpeculativeJIT::compileStringEquality):
10062 (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
10063 (JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
10064 (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
10065 (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
10066 (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
10067 (JSC::DFG::SpeculativeJIT::speculateString):
10068 (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
10069 (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
10070 (JSC::DFG::SpeculativeJIT::speculateNotCell):
10071 (JSC::DFG::SpeculativeJIT::speculateOther):
10072 (JSC::DFG::SpeculativeJIT::speculate):
10073 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
10074 (JSC::DFG::SpeculativeJIT::emitSwitchString):
10075 * dfg/DFGSpeculativeJIT.h:
10076 (JSC::DFG::SpeculativeJIT::blessedBooleanResult):
10077 (JSC::DFG::SpeculativeJIT::unblessedBooleanResult):
10078 (JSC::DFG::SpeculativeJIT::booleanResult):
10079 * dfg/DFGSpeculativeJIT32_64.cpp:
10080 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
10081 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
10082 (JSC::DFG::SpeculativeJIT::emitCall):
10083 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
10084 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
10085 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
10086 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
10087 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
10088 (JSC::DFG::SpeculativeJIT::compile):
10089 (JSC::DFG::branchIsCell):
10090 (JSC::DFG::branchNotCell):
10091 (JSC::DFG::SpeculativeJIT::branchIsOther):
10092 (JSC::DFG::SpeculativeJIT::branchNotOther):
10093 (JSC::DFG::SpeculativeJIT::moveTrueTo):
10094 (JSC::DFG::SpeculativeJIT::moveFalseTo):
10095 (JSC::DFG::SpeculativeJIT::blessBoolean):
10096 * dfg/DFGSpeculativeJIT64.cpp:
10097 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
10098 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
10099 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
10100 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
10101 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
10102 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
10103 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
10104 (JSC::DFG::SpeculativeJIT::compile):
10105 (JSC::DFG::SpeculativeJIT::writeBarrier):
10106 (JSC::DFG::SpeculativeJIT::branchIsCell):
10107 (JSC::DFG::SpeculativeJIT::branchNotCell):
10108 (JSC::DFG::SpeculativeJIT::branchIsOther):
10109 (JSC::DFG::SpeculativeJIT::branchNotOther):
10110 (JSC::DFG::SpeculativeJIT::moveTrueTo):
10111 (JSC::DFG::SpeculativeJIT::moveFalseTo):
10112 (JSC::DFG::SpeculativeJIT::blessBoolean):
10113 * dfg/DFGUseKind.cpp:
10114 (WTF::printInternal):
10115 * dfg/DFGUseKind.h:
10116 (JSC::DFG::typeFilterFor):
10117 * ftl/FTLCapabilities.cpp:
10118 (JSC::FTL::canCompile):
10119 * ftl/FTLLowerDFGToLLVM.cpp:
10120 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
10121 (JSC::FTL::LowerDFGToLLVM::lowString):
10122 (JSC::FTL::LowerDFGToLLVM::lowStringIdent):
10123 (JSC::FTL::LowerDFGToLLVM::speculate):
10124 (JSC::FTL::LowerDFGToLLVM::speculateString):
10125 (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
10126 (JSC::FTL::LowerDFGToLLVM::speculateNotStringVar):
10127 * runtime/JSCJSValue.h:
10128 * tests/stress/string-ident-to-not-string-var-equality.js: Added.
10129 (foo):
10130 (bar):
10131 (test):
10132
101332014-03-18 Joseph Pecoraro <pecoraro@apple.com>
10134
10135 Add Copyright to framework.sb
10136 https://bugs.webkit.org/show_bug.cgi?id=130413
10137
10138 Reviewed by Timothy Hatcher.
10139
10140 Other sb files got the copyright. Follow suit.
10141
10142 * framework.sb:
10143
101442014-03-18 Matthew Mirman <mmirman@apple.com>
10145
10146 Removed extra parens from if statement in a preprocessor define.
10147 https://bugs.webkit.org/show_bug.cgi?id=130408
10148
10149 Reviewed by Filip Pizlo.
10150
10151 * parser/Parser.cpp:
10152
101532014-03-18 Filip Pizlo <fpizlo@apple.com>
10154
10155 More FTL enabling.
10156
10157 Rubber stamped by Dan Bernstein and Mark Hahnenberg.
10158
10159 * Configurations/FeatureDefines.xcconfig:
10160 * ftl/FTLCompile.cpp:
10161 (JSC::FTL::compile):
10162
101632014-03-17 Michael Saboff <msaboff@apple.com>
10164
10165 V8 regexp spends most of its time in operationGetById
10166 https://bugs.webkit.org/show_bug.cgi?id=130380
10167
10168 Reviewed by Filip Pizlo.
10169
10170 Added String.length case to tryCacheGetByID that will only help the BaseLine JIT.
10171 When V8 regexp is run from the command line, this nets a 2% performance improvement.
10172 When the test is run for a longer amount of time, there is much less benefit as the
10173 DFG will emit the appropriate code for String.length. This does remove
10174 operationGetById as the hottest function whne run from the command line.
10175
10176 * jit/Repatch.cpp:
10177 (JSC::tryCacheGetByID):
10178
101792014-03-17 Andreas Kling <akling@apple.com>
10180
10181 Add one-deep cache to opaque roots hashset.
10182 <https://webkit.org/b/130357>
10183
10184 The vast majority of WebCore JS wrappers will have their Document*
10185 as the root(). This change adds a simple optimization where we cache
10186 the last lookup and avoid going to the hashset for repeated queries.
10187
10188 Looks like 0.4% progression on DYEB on my MBP.
10189
10190 Reviewed by Mark Hahnenberg.
10191
10192 * JavaScriptCore.xcodeproj/project.pbxproj:
10193 * heap/OpaqueRootSet.h: Added.
10194 (JSC::OpaqueRootSet::OpaqueRootSet):
10195 (JSC::OpaqueRootSet::contains):
10196 (JSC::OpaqueRootSet::isEmpty):
10197 (JSC::OpaqueRootSet::clear):
10198 (JSC::OpaqueRootSet::add):
10199 (JSC::OpaqueRootSet::size):
10200 (JSC::OpaqueRootSet::begin):
10201 (JSC::OpaqueRootSet::end):
10202 * heap/SlotVisitor.h:
10203
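        Added example, not JSC's OpaqueRootSet: a C++ sketch of the one-deep lookup cache the entry above describes, written to show the coherence rule such a cache needs. A cached "not found" answer must be refreshed when that same root is added, and the cache must be dropped on clear(), or the collector would treat a live wrapper's root as absent. The class and function names (CachedOpaqueRootSet, demoRepeatedLookups) and the hit/miss counters are this example's own, not the project's.

```cpp
// Added example (not JSC's OpaqueRootSet): a hash set of opaque root pointers
// fronted by a one-deep cache of the last query. The interesting part is the
// invalidation rule: the cache must stay coherent across add() and clear().
#include <cstddef>
#include <cstdio>
#include <unordered_set>

class CachedOpaqueRootSet {
public:
    // Answer "is this root in the set?", serving a repeated query for the same
    // pointer from the cache instead of hashing again.
    bool contains(const void* root) {
        if (m_cacheValid && root == m_lastQueried) {
            ++m_cacheHits;
            return m_lastResult;
        }
        ++m_cacheMisses;
        bool found = m_roots.find(root) != m_roots.end();
        m_cacheValid = true;
        m_lastQueried = root;
        m_lastResult = found;
        return found;
    }

    // Insert a root. If the cached query was for this exact pointer, its cached
    // answer may now be stale, so refresh it instead of leaving a false negative.
    void add(const void* root) {
        m_roots.insert(root);
        if (m_cacheValid && root == m_lastQueried)
            m_lastResult = true;
    }

    // Drop every root (as happens after a collection cycle) and the cache with it.
    void clear() {
        m_roots.clear();
        m_cacheValid = false;
        m_lastQueried = nullptr;
        m_lastResult = false;
    }

    bool isEmpty() const { return m_roots.empty(); }
    std::size_t size() const { return m_roots.size(); }
    std::size_t cacheHits() const { return m_cacheHits; }
    std::size_t cacheMisses() const { return m_cacheMisses; }

private:
    std::unordered_set<const void*> m_roots;
    bool m_cacheValid = false;
    const void* m_lastQueried = nullptr;
    bool m_lastResult = false;
    std::size_t m_cacheHits = 0;
    std::size_t m_cacheMisses = 0;
};

// Drive the set the way a marking pass would: one document root queried by many
// wrappers in a row. Returns the number of cache hits observed (all but the first query).
std::size_t demoRepeatedLookups(int wrapperCount) {
    CachedOpaqueRootSet set;
    static int documentRoot;          // any stable address serves as an opaque root
    set.add(&documentRoot);
    for (int i = 0; i < wrapperCount; ++i)
        set.contains(&documentRoot);  // first query misses, the rest hit the cache
    return set.cacheHits();
}

int main() {
    std::printf("cache hits for 1000 wrappers sharing one root: %zu\n",
                demoRepeatedLookups(1000));
    return 0;
}
```

        The counters exist only to make the cache behaviour observable; a production set would omit them. The add() refresh is the line that matters: without it, a sequence of contains(root), add(root), contains(root) would report the root as missing.
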
2014-03-17 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>

        Implement Math.hypot
        https://bugs.webkit.org/show_bug.cgi?id=129486

        Reviewed by Darin Adler.

        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncHypot):

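        Added example, not the project's mathProtoFuncHypot: a C++ implementation of Math.hypot's ECMAScript semantics, placed here because the entry names the feature without showing what makes it non-trivial. It goes beyond the entry by covering the special-case ordering (any infinite argument yields +Infinity even when another argument is NaN; otherwise any NaN yields NaN; no arguments yield +0) and the scaling that keeps sum-of-squares from overflowing or underflowing. The function names naiveHypot and mathHypot are the example's own.

```cpp
// Added example (not JSC's code): Math.hypot per the ECMAScript specification,
// beside the textbook sqrt(x*x + y*y) form to show the failure mode it has.
#include <algorithm>
#include <cmath>
#include <cstdio>
#include <limits>
#include <vector>

// Textbook form, kept only to demonstrate its overflow/underflow problem.
double naiveHypot(const std::vector<double>& args) {
    double sum = 0.0;
    for (double v : args)
        sum += v * v;                 // v*v overflows to inf or underflows to 0 for extreme v
    return std::sqrt(sum);
}

double mathHypot(const std::vector<double>& args) {
    const double inf = std::numeric_limits<double>::infinity();
    bool sawNaN = false;
    double maxAbs = 0.0;
    for (double v : args) {
        if (std::isinf(v))
            return inf;               // Infinity takes precedence over NaN per the spec
        if (std::isnan(v)) {
            sawNaN = true;
            continue;
        }
        maxAbs = std::max(maxAbs, std::fabs(v));
    }
    if (sawNaN)
        return std::numeric_limits<double>::quiet_NaN();
    if (maxAbs == 0.0)
        return 0.0;                   // empty argument list or all zeros (including -0) gives +0
    // Scale every term into [-1, 1] so its square stays representable, then scale back.
    double sum = 0.0;
    for (double v : args) {
        double r = v / maxAbs;
        sum += r * r;
    }
    return maxAbs * std::sqrt(sum);
}

int main() {
    std::printf("hypot(3, 4)          = %g\n", mathHypot({3.0, 4.0}));
    std::printf("naive(1e308, 1e308)  = %g\n", naiveHypot({1e308, 1e308}));
    std::printf("hypot(1e308, 1e308)  = %g\n", mathHypot({1e308, 1e308}));
    std::printf("naive(3e-200, 4e-200)= %g\n", naiveHypot({3e-200, 4e-200}));
    std::printf("hypot(3e-200, 4e-200)= %g\n", mathHypot({3e-200, 4e-200}));
    return 0;
}
```

        The ordering of the Infinity and NaN checks is the part most often got wrong when implementing this built-in: a NaN check placed first returns NaN for hypot(NaN, Infinity), which the specification forbids.
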
2014-03-17 Zsolt Borbely <borbezs@inf.u-szeged.hu>

        Fix the !ENABLE(PROMISES) build
        https://bugs.webkit.org/show_bug.cgi?id=130328

        Reviewed by Darin Adler.

        Add missing ENABLE(PROMISES) guards.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        * runtime/JSPromiseDeferred.cpp:
        * runtime/JSPromiseDeferred.h:
        * runtime/JSPromiseReaction.cpp:
        * runtime/JSPromiseReaction.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2014-03-16 Andreas Kling <akling@apple.com>

        REGRESSION(r165703): JSC tests crashing in StringImpl::destroy().
        <https://webkit.org/b/130304>

        Reviewed by Anders Carlsson.

        Unreviewed, restoring the old behavior of OpaqueJSString::identifier()
        that doesn't put a potentially unwanted string into the Identifier table.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::identifier):

2014-03-16 Brian Burg <bburg@apple.com>

        Web Inspector: generated backend commands should reflect build system ENABLE settings
        https://bugs.webkit.org/show_bug.cgi?id=130111

        Reviewed by Timothy Hatcher.

        * CMakeLists.txt:

        Combine only the Inspector domains listed in INSPECTOR_DOMAINS,
        instead of globbing any .json file.

        * DerivedSources.make:

        Force the combined inspector protocol file to be regenerated if
        the content or list of domains itself changes.

2014-03-16 Brian Burg <bburg@apple.com>

        Web Inspector: vended backend commands file should be generated as part of the build
        https://bugs.webkit.org/show_bug.cgi?id=130110

        Reviewed by Timothy Hatcher.

        * JavaScriptCore.xcodeproj/project.pbxproj: Copy InspectorJSBackendCommands.js to the
        private headers directory.

2014-03-16 Darin Adler <darin@apple.com>

        Remove all uses of deprecatedCharacters from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=130304

        Reviewed by Anders Carlsson.

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString): Use characters16 in the 16-bit code path.
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::~OpaqueJSString): Use characters16 in the 16-bit code path.
        (OpaqueJSString::identifier): Get rid of custom Identifier constructor, and
        just use the standard one that takes a String.
        (OpaqueJSString::characters): Use getCharactersWithUpconvert instead of a
        hand-written alternative.

        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue): Create InspectorString from String directly
        instead of involving a character pointer. Use the String from Identifier
        directly instead of making a new String.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::createSearchRegexSource): Use StringBuilder
        instead of building a String a character at a time. This is still a very slow
        way to do this. Also use strchr to search for a character instead of building
        a String every time just to use find on it.

        * inspector/InspectorValues.cpp:
        (Inspector::doubleQuoteString): Remove unnecessary trip through a
        character pointer. This is still a really slow way to do this.
        (Inspector::InspectorValue::parseJSON): Use StringView::upconvertedCharacters
        instead of String::deprecatedCharacters. Still slow to always upconvert.

        * runtime/DateConstructor.cpp: Removed unneeded include.
        * runtime/DatePrototype.cpp: Ditto.

        * runtime/Identifier.h: Removed deprecatedCharacters function.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode): Added a type cast to avoid ambiguity with the two character-
        appending functions from JSStringBuilder. Removed unneeded code duplicating
        what JSStringBuilder already does in its character append function.
        (JSC::decode): Deleted code that creates a JSStringBuilder that is never used.
        (JSC::parseIntOverflow): Changed lengths to unsigned. Made only the overload that
        is used outside this file have external linkage. Added a new overload that takes
        a StringView.
        (JSC::parseInt): Use StringView::substring to call parseIntOverflow.
        (JSC::globalFuncEscape): Use JSBuilder::append in a more efficient way for a
        single character.

        * runtime/JSGlobalObjectFunctions.h: Removed unused overloads of parseIntOverflow.

        * runtime/JSStringBuilder.h: Marked this "lightly deprecated".
        (JSC::JSStringBuilder::append): Overloaded for better speed with 8-bit characters.
        Made one overload private. Fixed a performance bug where we would reserve capacity
        in the 8-bit buffer but then append to the 16-bit buffer.

        * runtime/ObjectPrototype.cpp: Removed unneeded include.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncFontsize): Use StringView::getCharactersWithUpconvert.
        (JSC::stringProtoFuncLink): Ditto.

2014-03-15 Filip Pizlo <fpizlo@apple.com>

        FTL ArrayifyToStructure shouldn't fail every time that it actually arrayifies
        https://bugs.webkit.org/show_bug.cgi?id=130296

        Reviewed by Andreas Kling.

        During the 32-bit structure ID work, the second load of the structure was removed.
        That's wrong. The whole point of loading the structure ID again is that the structure
        ID would have been changed by the arrayification call, and we're verifying that the
        arrayification succeeded in changing the structure. If we check the old structure - as
        the code was doing after the 32-bit structure ID work - then this check is guaranteed
        to fail, causing a significant performance regression.

        It's actually amazing that the regression wasn't bigger. The reason is that if FTL
        code pathologically exits but the equivalent DFG code doesn't, then the exponential
        backoff almost perfectly guarantees that we just end up in the DFG. For this code, at
        the time at least, the DFG wasn't much slower so this didn't cause too much pain.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):

2014-03-15 Filip Pizlo <fpizlo@apple.com>

        FTL should support CheckHasInstance/InstanceOf
        https://bugs.webkit.org/show_bug.cgi?id=130285

        Reviewed by Sam Weinig.

        Fairly straightforward; I also discovered an inaccurate FIXME in the process.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCheckHasInstance):
        (JSC::FTL::LowerDFGToLLVM::compileInstanceOf):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::phi):
        * tests/stress/instanceof.js: Added.
        * tests/stress/instanceof-not-cell.js: Added.

2014-03-15 Michael Saboff <msaboff@apple.com>

        It should be possible to adjust DFG and FTL compiler thread priorities
        https://bugs.webkit.org/show_bug.cgi?id=130288

        Reviewed by Filip Pizlo.

        Added ability to change thread priorities relative to its current priority.
        Created options to adjust the priority of the DFG and FTL compilation work thread
        pools. For two core systems, there might be three runnable threads, the main thread,
        the DFG compilation thread and the FTL compilation thread. With the same priority,
        the scheduler is free to schedule whatever thread it wants. By lowering the
        compilation threads, the main thread can run. Further tests may suggest better values
        for the new options, priorityDeltaOfDFGCompilerThreads and priorityDeltaOfFTLCompilerThreads.

        For a two-core device, this change has a net positive improvement of 1-3% across
        SunSpider, Octane, Kraken and AsmBench.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::create):
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * dfg/DFGWorklist.h:
        * runtime/Options.cpp:
        (JSC::computePriorityDeltaOfWorkerThreads):
        * runtime/Options.h:

2014-03-15 David Kilzer <ddkilzer@apple.com>

        [iOS] Define SYSTEM_VERSION_PREFIX consistently
        <http://webkit.org/b/130293>
        <rdar://problem/15926359>

        Reviewed by Dan Bernstein.

        * Configurations/Version.xcconfig:
        (SYSTEM_VERSION_PREFIX_iphoneos): Sync with
        Source/WebKit/mac/Version.xcconfig.

2014-03-15 David Kilzer <ddkilzer@apple.com>

        Fix build: using integer absolute value function 'abs' when argument is of floating point type
        <http://webkit.org/b/130286>

        Reviewed by Filip Pizlo.

        Fixes the following build failure using trunk clang:

            JavaScriptCore/assembler/MacroAssembler.h:992:17: error: using integer absolute value function 'abs' when argument is of floating point type [-Werror,-Wabsolute-value]
                    value = abs(value);
                            ^
            JavaScriptCore/assembler/MacroAssembler.h:992:17: note: use function 'fabs' instead
                    value = abs(value);
                            ^~~
                            fabs

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlindDouble): Switch from abs() to
        fabs().

2014-03-14 Oliver Hunt <oliver@apple.com>

        Reinstate initialiser syntax in for-in loops
        https://bugs.webkit.org/show_bug.cgi?id=130269

        Reviewed by Michael Saboff.

        Disallowing the initialiser broke some sites so this patch re-allows
        the syntax. We still disallow the syntax in 'of' and pattern based
        enumeration.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::isBindingNode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseVarDeclarationList):
        (JSC::Parser<LexerType>::parseForStatement):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::operatorStackPop):

2014-03-14 Mark Lam <mark.lam@apple.com>

        Accessing __lookupGetter__ and __lookupSetter__ should not crash the VM when undefined.
        <https://webkit.org/b/130279>

        Reviewed by Filip Pizlo.

        If neither the getter nor setter are defined, accessing __lookupGetter__
        and __lookupSetter__ will return undefined as expected. However, if the
        getter is defined but the setter is not, accessing __lookupSetter__ will
        crash the VM. Similarly, accessing __lookupGetter__ when only the setter
        is defined will crash the VM.

        The reason is because objectProtoFuncLookupGetter() and
        objectProtoFuncLookupSetter() did not check if the getter and setter
        value is non-null before returning it as an EncodedJSValue. The fix is
        to add the appropriate null checks.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):

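        Added example, a simplified model rather than JSC's objectProtoFuncLookupGetter/objectProtoFuncLookupSetter: the unchecked lookup beside the null-checked one, so the defect class in the entry above (an optional accessor half wrapped as a heap cell without a null check, which any consumer then dereferences) is visible in code. The types Value, GetterSetter and ObjectModel and the function names are this example's own; the "encode as cell" step is modelled by a tagged value so the malformed result can be inspected instead of crashing.

```cpp
// Added example (a model, not JSC's ObjectPrototype code): an accessor property
// whose getter or setter half may be absent, and two lookups over it. The
// unchecked one returns a "cell" holding a null pointer; the checked one
// returns undefined, as the fix in the entry does.
#include <cstdio>
#include <map>
#include <string>

struct NativeFunction {
    std::string name;
};

// An accessor slot: either half may be missing, modelled as a null pointer.
struct GetterSetter {
    const NativeFunction* getter = nullptr;
    const NativeFunction* setter = nullptr;
};

// Minimal tagged value: undefined, or a reference to a heap cell.
struct Value {
    enum class Kind { Undefined, Cell } kind;
    const NativeFunction* cell;

    static Value undefined() { return {Kind::Undefined, nullptr}; }
    static Value fromCell(const NativeFunction* fn) { return {Kind::Cell, fn}; }
    // A Cell value must never carry a null pointer: every consumer dereferences it.
    bool isWellFormed() const { return kind == Kind::Undefined || cell != nullptr; }
};

struct ObjectModel {
    std::map<std::string, GetterSetter> accessors;
};

// Buggy form: assumes an accessor entry always has both halves.
Value lookupGetterUnchecked(const ObjectModel& obj, const std::string& key) {
    auto it = obj.accessors.find(key);
    if (it == obj.accessors.end())
        return Value::undefined();
    return Value::fromCell(it->second.getter);   // null getter wrapped as a cell
}

// Fixed form: wrap only the half that actually exists.
Value lookupGetter(const ObjectModel& obj, const std::string& key) {
    auto it = obj.accessors.find(key);
    if (it == obj.accessors.end() || !it->second.getter)
        return Value::undefined();
    return Value::fromCell(it->second.getter);
}

Value lookupSetter(const ObjectModel& obj, const std::string& key) {
    auto it = obj.accessors.find(key);
    if (it == obj.accessors.end() || !it->second.setter)
        return Value::undefined();
    return Value::fromCell(it->second.setter);
}

// The problem case from the entry: a property with a setter but no getter.
ObjectModel makeSetterOnlyObject(const NativeFunction& setter) {
    ObjectModel obj;
    GetterSetter slot;
    slot.setter = &setter;
    obj.accessors["x"] = slot;
    return obj;
}

// A consumer that would dereference a malformed value; guarded here so it stays safe to call.
std::string nameOf(const Value& v) {
    if (v.kind == Value::Kind::Undefined)
        return "undefined";
    if (!v.isWellFormed())
        return "<malformed: null cell>";
    return v.cell->name;
}

int main() {
    NativeFunction setter{"set x"};
    ObjectModel obj = makeSetterOnlyObject(setter);
    std::printf("unchecked __lookupGetter__: %s\n", nameOf(lookupGetterUnchecked(obj, "x")).c_str());
    std::printf("checked   __lookupGetter__: %s\n", nameOf(lookupGetter(obj, "x")).c_str());
    std::printf("checked   __lookupSetter__: %s\n", nameOf(lookupSetter(obj, "x")).c_str());
    return 0;
}
```

        The model keeps the real bug's shape: the accessor entry exists, so an "is the property there?" check passes, and only the per-half null check separates a valid result from one that crashes the first consumer to touch it.
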
2014-03-14 Mark Rowe <mrowe@apple.com>

        Fix the production build.

        Don't rely on USE_INTERNAL_SDK being set for the Production configuration since UseInternalSDK.xcconfig won't
        be at the expected relative path when working from installed source.

        * Configurations/Base.xcconfig:

2014-03-14 Maciej Stachowiak <mjs@apple.com>

        Replace "Apple Computer, Inc." with "Apple Inc." in copyright headers
        https://bugs.webkit.org/show_bug.cgi?id=130276
        <rdar://problem/16266927>

        Reviewed by Simon Fraser.

        * API/APICast.h:
        * API/JSBase.cpp:
        * API/JSBase.h:
        * API/JSBasePrivate.h:
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackConstructor.h:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.cpp:
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        * API/JSClassRef.cpp:
        * API/JSClassRef.h:
        * API/JSContextRef.cpp:
        * API/JSContextRef.h:
        * API/JSContextRefPrivate.h:
        * API/JSObjectRef.cpp:
        * API/JSObjectRef.h:
        * API/JSProfilerPrivate.cpp:
        * API/JSProfilerPrivate.h:
        * API/JSRetainPtr.h:
        * API/JSStringRef.cpp:
        * API/JSStringRef.h:
        * API/JSStringRefBSTR.cpp:
        * API/JSStringRefBSTR.h:
        * API/JSStringRefCF.cpp:
        * API/JSStringRefCF.h:
        * API/JSValueRef.cpp:
        * API/JSValueRef.h:
        * API/JavaScript.h:
        * API/JavaScriptCore.h:
        * API/OpaqueJSString.cpp:
        * API/OpaqueJSString.h:
        * API/tests/JSNode.c:
        * API/tests/JSNode.h:
        * API/tests/JSNodeList.c:
        * API/tests/JSNodeList.h:
        * API/tests/Node.c:
        * API/tests/Node.h:
        * API/tests/NodeList.c:
        * API/tests/NodeList.h:
        * API/tests/minidom.c:
        * API/tests/minidom.js:
        * API/tests/testapi.c:
        * API/tests/testapi.js:
        * DerivedSources.make:
        * bindings/ScriptValue.cpp:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/EvalCodeCache.h:
        * bytecode/Instruction.h:
        * bytecode/JumpTable.cpp:
        * bytecode/JumpTable.h:
        * bytecode/Opcode.cpp:
        * bytecode/Opcode.h:
        * bytecode/SamplingTool.cpp:
        * bytecode/SamplingTool.h:
        * bytecode/SpeculatedType.cpp:
        * bytecode/SpeculatedType.h:
        * bytecode/ValueProfile.h:
        * bytecompiler/BytecodeGenerator.cpp:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/Label.h:
        * bytecompiler/LabelScope.h:
        * bytecompiler/RegisterID.h:
        * debugger/DebuggerCallFrame.cpp:
        * debugger/DebuggerCallFrame.h:
        * dfg/DFGDesiredStructureChains.cpp:
        * dfg/DFGDesiredStructureChains.h:
        * heap/GCActivityCallback.cpp:
        * heap/GCActivityCallback.h:
        * inspector/ConsoleMessage.cpp:
        * inspector/ConsoleMessage.h:
        * inspector/IdentifiersFactory.cpp:
        * inspector/IdentifiersFactory.h:
        * inspector/InjectedScriptManager.cpp:
        * inspector/InjectedScriptManager.h:
        * inspector/InjectedScriptSource.js:
        * inspector/ScriptBreakpoint.h:
        * inspector/ScriptDebugListener.h:
        * inspector/ScriptDebugServer.cpp:
        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorAgent.cpp:
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        * inspector/agents/InspectorDebuggerAgent.h:
        * interpreter/Interpreter.cpp:
        * interpreter/Interpreter.h:
        * interpreter/JSStack.cpp:
        * interpreter/JSStack.h:
        * interpreter/Register.h:
        * jit/CompactJITCodeMap.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * os-win32/stdbool.h:
        * parser/SourceCode.h:
        * parser/SourceProvider.h:
        * profiler/LegacyProfiler.cpp:
        * profiler/LegacyProfiler.h:
        * profiler/ProfileNode.cpp:
        * profiler/ProfileNode.h:
        * runtime/ArrayBufferView.cpp:
        * runtime/ArrayBufferView.h:
        * runtime/BatchedTransitionOptimizer.h:
        * runtime/CallData.h:
        * runtime/ConstructData.h:
        * runtime/DumpContext.cpp:
        * runtime/DumpContext.h:
        * runtime/ExceptionHelpers.cpp:
        * runtime/ExceptionHelpers.h:
        * runtime/InitializeThreading.cpp:
        * runtime/InitializeThreading.h:
        * runtime/IntegralTypedArrayBase.h:
        * runtime/IntendedStructureChain.cpp:
        * runtime/IntendedStructureChain.h:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSExportMacros.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSSegmentedVariableObject.cpp:
        * runtime/JSSegmentedVariableObject.h:
        * runtime/JSSymbolTableObject.cpp:
        * runtime/JSSymbolTableObject.h:
        * runtime/JSTypeInfo.h:
        * runtime/JSVariableObject.cpp:
        * runtime/JSVariableObject.h:
        * runtime/PropertyTable.cpp:
        * runtime/PutPropertySlot.h:
        * runtime/SamplingCounter.cpp:
        * runtime/SamplingCounter.h:
        * runtime/Structure.cpp:
        * runtime/Structure.h:
        * runtime/StructureChain.cpp:
        * runtime/StructureChain.h:
        * runtime/StructureInlines.h:
        * runtime/StructureTransitionTable.h:
        * runtime/SymbolTable.cpp:
        * runtime/SymbolTable.h:
        * runtime/TypedArrayBase.h:
        * runtime/TypedArrayType.cpp:
        * runtime/TypedArrayType.h:
        * runtime/VM.cpp:
        * runtime/VM.h:
        * yarr/RegularExpression.cpp:
        * yarr/RegularExpression.h:

2014-03-14 Filip Pizlo <fpizlo@apple.com>

        Final FTL iOS build magic
        https://bugs.webkit.org/show_bug.cgi?id=130281

        Reviewed by Michael Saboff.

        * Configurations/Base.xcconfig: For now our LLVM headers are in /usr/local/LLVMForJavaScriptCore/include, which is the same as OS X.
        * Configurations/LLVMForJSC.xcconfig: We need to be more careful about how we specify library paths if we want to get the prioritization right. Also we need protobuf because things. :-/

2014-03-14 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: Gracefully handle nil name -[JSContext setName:]
        https://bugs.webkit.org/show_bug.cgi?id=130262

        Reviewed by Mark Hahnenberg.

        * API/JSContext.mm:
        (-[JSContext setName:]):
        Gracefully handle nil input.

        * API/tests/testapi.c:
        (globalContextNameTest):
        * API/tests/testapi.mm:
        Test for nil / NULL names in the ObjC and C APIs.

2014-03-11 Oliver Hunt <oliver@apple.com>

        Improve dom error messages
        https://bugs.webkit.org/show_bug.cgi?id=130103

        Reviewed by Andreas Kling.

        Add new helper function.

        * runtime/Error.h:
        (JSC::throwVMTypeError):

2014-03-14 László Langó <llango.u-szeged@partner.samsung.com>

        Remove unused method declaration.
        https://bugs.webkit.org/show_bug.cgi?id=130238

        Reviewed by Filip Pizlo.

        The implementation of CallFrame::dumpCaller was removed in
        http://trac.webkit.org/changeset/153183, but the declaration of it was not.

        * interpreter/CallFrame.h:
        Remove CallFrame::dumpCaller() method declaration.

2014-03-12 Sergio Villar Senin <svillar@igalia.com>

        Rename DEFINE_STATIC_LOCAL to DEPRECATED_DEFINE_STATIC_LOCAL
        https://bugs.webkit.org/show_bug.cgi?id=129612

        Reviewed by Darin Adler.

        For new code use static NeverDestroyed<T> instead.

        * API/JSAPIWrapperObject.mm:
        (jsAPIWrapperObjectHandleOwner):
        * API/JSManagedValue.mm:
        (managedValueHandleOwner):
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::objectGroupForBreakpointAction):
        * inspector/scripts/CodeGeneratorInspectorStrings.py:
        * interpreter/JSStack.cpp:
        (JSC::stackStatisticsMutex):
        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::allocators):

2014-03-12 Gavin Barraclough <barraclough@apple.com>

        Reduce memory use for static property maps
        https://bugs.webkit.org/show_bug.cgi?id=129986

        Reviewed by Andreas Kling.

        Static property tables are currently duplicated on first use from read-only memory into dirty memory
        in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
        (we use a custom hash table without a rehash) a lot of memory may be wasted.

        First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
        from string hashes to indices into a densely packed array of values. Compute the index table at
        compile time as a part of the derived sources step, such that this may be read-only data.

        Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead refer
10745 directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
10746 keys, which are Identifiers.
10747
10748 * create_hash_table:
10749 - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
10750 * parser/Lexer.cpp:
10751 (JSC::Lexer<LChar>::parseIdentifier):
10752 (JSC::Lexer<UChar>::parseIdentifier):
10753 (JSC::Lexer<T>::parseIdentifierSlowCase):
10754 - HashEntry -> HashTableValue.
10755 * parser/Lexer.h:
10756 (JSC::Keywords::getKeyword):
10757 - HashEntry -> HashTableValue.
10758 * runtime/ClassInfo.h:
10759 - removed HashEntry.
10760 * runtime/JSObject.cpp:
10761 (JSC::getClassPropertyNames):
10762 - use HashTable::ConstIterator.
10763 (JSC::JSObject::put):
10764 (JSC::JSObject::deleteProperty):
10765 (JSC::JSObject::findPropertyHashEntry):
10766 - HashEntry -> HashTableValue.
10767 (JSC::JSObject::reifyStaticFunctionsForDelete):
10768 - changed HashTable::ConstIterator interface.
10769 * runtime/JSObject.h:
10770 - HashEntry -> HashTableValue.
10771 * runtime/Lookup.cpp:
10772 (JSC::HashTable::createTable):
10773 - table -> keys, keys array is now densely packed.
10774 (JSC::HashTable::deleteTable):
10775 - table -> keys.
10776 (JSC::setUpStaticFunctionSlot):
10777 - HashEntry -> HashTableValue.
10778 * runtime/Lookup.h:
10779 (JSC::HashTableValue::builtinGenerator):
10780 (JSC::HashTableValue::function):
10781 (JSC::HashTableValue::functionLength):
10782 (JSC::HashTableValue::propertyGetter):
10783 (JSC::HashTableValue::propertyPutter):
10784 (JSC::HashTableValue::lexerValue):
10785 - added accessor methods from HashEntry.
10786 (JSC::HashTable::copy):
10787 - fields changed.
10788 (JSC::HashTable::initializeIfNeeded):
10789 - table -> keys.
10790 (JSC::HashTable::entry):
10791 - HashEntry -> HashTableValue.
10792 (JSC::HashTable::ConstIterator::ConstIterator):
10793 - iterate packed value array, so no need to skipInvalidKeys().
10794 (JSC::HashTable::ConstIterator::value):
10795 (JSC::HashTable::ConstIterator::key):
10796 (JSC::HashTable::ConstIterator::operator->):
10797 - accessors now get HashTableValue/StringImpl* separately.
10798 (JSC::HashTable::ConstIterator::operator++):
10799 - iterate packed value array, so no need to skipInvalidKeys().
10800 (JSC::HashTable::end):
10801 - end is now size of dense not sparse array.
10802 (JSC::getStaticPropertySlot):
10803 (JSC::getStaticFunctionSlot):
10804 (JSC::getStaticValueSlot):
10805 (JSC::putEntry):
10806 (JSC::lookupPut):
10807 - HashEntry -> HashTableValue.
10808
108092014-03-13 Filip Pizlo <fpizlo@apple.com>
10810
10811 Unreviewed, fix Mac no-FTL build.
10812
10813 * llvm/library/LLVMExports.cpp:
10814 (initializeAndGetJSCLLVMAPI):
10815
108162014-03-13 Juergen Ributzka <juergen@apple.com>
10817
10818 Only export initializeAndGetJSCLLVMAPI from libllvmForJSC.dylib
10819 https://bugs.webkit.org/show_bug.cgi?id=130224
10820
10821 Reviewed by Filip Pizlo.
10822
10823 This limits the exported symbols to only initializeAndGetJSCLLVMAPI from
10824 the LLVM dylib. This allows the dylib to be safely used with other LLVM
10825 dylibs on the same system. It also reduces the dynamic linking overhead
10826 and also reduces the size by 6MB, because the linker can now dead strip
10827 many unused functions.
10828
10829 * Configurations/LLVMForJSC.xcconfig:
10830
108312014-03-13 Andreas Kling <akling@apple.com>
10832
10833 VM::discardAllCode() should clear the RegExp cache.
10834 <https://webkit.org/b/130144>
10835
10836 Reviewed by Michael Saboff.
10837
10838 * runtime/VM.cpp:
10839 (JSC::VM::discardAllCode):
10840
108412014-03-13 Andreas Kling <akling@apple.com>
10842
10843 Revert "Short-circuit JSGlobalObjectInspectorController when not inspecting."
10844 <https://webkit.org/b/129995>
10845
10846 This code path is not taken anymore on DYEB, and I can't explain why
10847 it was showing up in my profiles. Backing it out per JoePeck's suggestion.
10848
10849 * inspector/JSGlobalObjectInspectorController.cpp:
10850 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
10851
108522014-03-13 Filip Pizlo <fpizlo@apple.com>
10853
10854 FTL should support IsBlah
10855 https://bugs.webkit.org/show_bug.cgi?id=130202
10856
10857 Reviewed by Geoffrey Garen.
10858
10859 * ftl/FTLCapabilities.cpp:
10860 (JSC::FTL::canCompile):
10861 * ftl/FTLIntrinsicRepository.h:
10862 * ftl/FTLLowerDFGToLLVM.cpp:
10863 (JSC::FTL::LowerDFGToLLVM::compileNode):
10864 (JSC::FTL::LowerDFGToLLVM::compileIsUndefined):
10865 (JSC::FTL::LowerDFGToLLVM::compileIsBoolean):
10866 (JSC::FTL::LowerDFGToLLVM::compileIsNumber):
10867 (JSC::FTL::LowerDFGToLLVM::compileIsString):
10868 (JSC::FTL::LowerDFGToLLVM::compileIsObject):
10869 (JSC::FTL::LowerDFGToLLVM::compileIsFunction):
10870 (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
10871 (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
10872 (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc):
10873 (JSC::FTL::LowerDFGToLLVM::isNumber):
10874 (JSC::FTL::LowerDFGToLLVM::isNotNumber):
10875 (JSC::FTL::LowerDFGToLLVM::isBoolean):
10876 * ftl/FTLOSRExitCompiler.cpp:
10877 * tests/stress/is-undefined-exit-on-masquerader.js: Added.
10878 (bar):
10879 (foo):
10880 (test):
10881 * tests/stress/is-undefined-jettison-on-masquerader.js: Added.
10882 (foo):
10883 (test):
10884 * tests/stress/is-undefined-masquerader.js: Added.
10885 (foo):
10886 (test):
10887
108882014-03-13 Mark Lam <mark.lam@apple.com>
10889
10890 JS benchmarks crash with a bus error on 32-bit x86.
10891 <https://webkit.org/b/130203>
10892
10893 Reviewed by Geoffrey Garen.
10894
10895 The issue is that generateGetByIdStub() can potentially use the same register
10896 for the JSValue base register and the target tag register. After loading the
10897 tag value into the target tag register, the JSValue base address is lost.
10898 The code then proceeds to load the payload value using the base register, and
10899 this results in a crash.
10900
10901 The fix is to check if the base register is the same as the target tag register.
10902 If so, we should make a copy the base register first before loading the tag
10903 value, and use the copy to load the payload value instead.
10904
10905 * jit/Repatch.cpp:
10906 (JSC::generateGetByIdStub):
10907
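The register-aliasing defect Mark Lam describes above is easy to reproduce in a small model, so the following is added here as an illustration; it is not WebKit code and does not reproduce generateGetByIdStub. It models a 32-bit JSValue as a tag word beside a payload word, runs the two-load sequence on a tiny register machine whose memory loads report out-of-range addresses instead of faulting, and compares the buggy sequence with the aliasing check the entry describes. The register names, the tag/payload offsets, the sample tag value and the memory size are all constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Assumed layout for the model: payload word at +0, tag word at +4.
constexpr int kPayloadOffset = 0;
constexpr int kTagOffset = 4;

struct JSValue32 { int32_t tag; int32_t payload; bool faulted; };

enum Reg { R0, R1, R2, R3, kNumRegs };

// Tiny register machine: 32-bit registers and a flat byte-addressed memory.
// load32 refuses addresses outside the array and reports the fault, which
// stands in for the bus error the real stub produced.
struct Machine {
    int32_t regs[kNumRegs] = {};
    std::vector<uint8_t> memory;

    explicit Machine(std::size_t bytes) : memory(bytes, 0) {}

    bool load32(Reg base, int offset, Reg dst) {
        int64_t address = static_cast<int64_t>(regs[base]) + offset;
        if (address < 0 || address + 4 > static_cast<int64_t>(memory.size()))
            return false;                       // would dereference garbage on real hardware
        std::memcpy(&regs[dst], &memory[static_cast<std::size_t>(address)], 4);
        return true;
    }
    void store32(std::size_t address, int32_t value) {
        std::memcpy(&memory[address], &value, 4);
    }
    void move(Reg src, Reg dst) { regs[dst] = regs[src]; }
};

// The sequence the entry calls buggy: when baseReg == tagReg, the first load
// overwrites the base address, so the payload load is relative to the tag value.
JSValue32 loadValueBuggy(Machine& m, Reg baseReg, int offset, Reg tagReg, Reg payloadReg) {
    if (!m.load32(baseReg, offset + kTagOffset, tagReg))
        return { 0, 0, true };
    if (!m.load32(baseReg, offset + kPayloadOffset, payloadReg))
        return { m.regs[tagReg], 0, true };
    return { m.regs[tagReg], m.regs[payloadReg], false };
}

// The fix: if the base aliases the tag register, copy the base into a scratch
// register first and perform both loads through the copy.
JSValue32 loadValueFixed(Machine& m, Reg baseReg, int offset, Reg tagReg, Reg payloadReg, Reg scratch) {
    Reg base = baseReg;
    if (baseReg == tagReg) {
        m.move(baseReg, scratch);
        base = scratch;
    }
    if (!m.load32(base, offset + kTagOffset, tagReg))
        return { 0, 0, true };
    if (!m.load32(base, offset + kPayloadOffset, payloadReg))
        return { m.regs[tagReg], 0, true };
    return { m.regs[tagReg], m.regs[payloadReg], false };
}

// Constructed scenario: a JSValue at address 64 whose tag, read as an address,
// lies far outside memory. R0 holds the base address.
Machine makeScenario() {
    Machine m(256);
    const int32_t tag = 0x7FFF0000;             // constructed tag value, not a JSC tag
    m.store32(64 + kTagOffset, tag);
    m.store32(64 + kPayloadOffset, 42);
    m.regs[R0] = 64;
    return m;
}

// Fixed register choices so the three cases can be compared directly.
JSValue32 runBuggyAliased()  { Machine m = makeScenario(); return loadValueBuggy(m, R0, 0, R0, R1); }
JSValue32 runFixedAliased()  { Machine m = makeScenario(); return loadValueFixed(m, R0, 0, R0, R1, R2); }
JSValue32 runBuggyDistinct() { Machine m = makeScenario(); return loadValueBuggy(m, R0, 0, R2, R1); }
```

With distinct registers both sequences agree; only the aliased case diverges, which is why the defect showed up on register-starved 32-bit x86 rather than elsewhere.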
2014-03-12  Filip Pizlo  <fpizlo@apple.com>

        WebKit shouldn't crash on uniprocessor machines
        https://bugs.webkit.org/show_bug.cgi?id=130176

        Reviewed by Michael Saboff.

        Previously the math for computing the number of JIT compiler threads would come up with
        zero threads on uniprocessor machines, and then the Worklist code would assert.

        * runtime/Options.cpp:
        (JSC::computeNumberOfWorkerThreads):
        * runtime/Options.h:

2014-03-13  Radu Stavila  <stavila@adobe.com>

        WebKit not building on Xcode 5.1 due to garbage collection no longer being supported
        https://bugs.webkit.org/show_bug.cgi?id=130087

        Reviewed by Mark Rowe.

        Disable garbage collection on macosx when not using internal SDK.

        * Configurations/Base.xcconfig:

2014-03-10  Darin Adler  <darin@apple.com>

        Avoid copy-prone idiom "for (auto item : collection)"
        https://bugs.webkit.org/show_bug.cgi?id=129990

        Reviewed by Geoffrey Garen.

        * heap/CodeBlockSet.h:
        (JSC::CodeBlockSet::iterate): Use auto& to be sure we don't copy by accident.
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Use auto* to
        make explicit that we are iterating through pointers.
        (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Ditto.
        (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::removeBreakpoint): Use auto&, and also
        get rid of an unneeded local variable.

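To make the cost the entry above avoids measurable, here is an added example (not WebKit code) that counts copy-constructor calls while iterating a container with `auto`, `auto&`, and, for a container of pointers, `auto*`. The `Tracked` type, its static counter and the sample values are constructed for the illustration.

```cpp
#include <cstddef>
#include <vector>

// Constructed for this example: a value type that records every copy made of it.
struct Tracked {
    static std::size_t copies;              // bumped by each copy construction
    int payload;
    explicit Tracked(int v) : payload(v) {}
    Tracked(const Tracked& other) : payload(other.payload) { ++copies; }
};
std::size_t Tracked::copies = 0;

struct IterationResult { long sum; std::size_t copies; };

// "for (auto item : collection)": auto deduces Tracked, so every iteration
// copy-constructs the element before reading one int from it.
IterationResult sumByValue(const std::vector<Tracked>& items) {
    Tracked::copies = 0;
    long sum = 0;
    for (auto item : items)
        sum += item.payload;
    return { sum, Tracked::copies };
}

// "for (auto& item : collection)": auto& deduces const Tracked&, no copies.
IterationResult sumByReference(const std::vector<Tracked>& items) {
    Tracked::copies = 0;
    long sum = 0;
    for (auto& item : items)
        sum += item.payload;
    return { sum, Tracked::copies };
}

// Container of pointers: auto* copies only the pointer and makes the element
// kind explicit, which is the form the entry uses for pointer collections.
IterationResult sumThroughPointers(const std::vector<Tracked*>& items) {
    Tracked::copies = 0;
    long sum = 0;
    for (auto* item : items)
        sum += item->payload;
    return { sum, Tracked::copies };
}

// Sample data, constructed for the example: payloads 1..count.
std::vector<Tracked> sampleItems(int count) {
    std::vector<Tracked> v;
    v.reserve(static_cast<std::size_t>(count));   // avoid reallocation copies
    for (int i = 1; i <= count; ++i)
        v.emplace_back(i);
    return v;
}
```

The three functions return the same sum; only the copy count differs, and for an element type that owns heap memory or holds a reference count each of those copies is an allocation or an atomic increment.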
2014-03-13  Brian Burg  <bburg@apple.com>

        Web Inspector: Remove unused callId parameter from evaluateInWebInspector
        https://bugs.webkit.org/show_bug.cgi?id=129744

        Reviewed by Timothy Hatcher.

        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::enable):
        (Inspector::InspectorAgent::evaluateForTestInFrontend):
        * inspector/agents/InspectorAgent.h:
        * inspector/protocol/InspectorDomain.json:

2014-03-11  Filip Pizlo  <fpizlo@apple.com>

        ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument
        https://bugs.webkit.org/show_bug.cgi?id=130069

        Reviewed by Geoffrey Garen.

        This was a great assertion, and it represents our strictest interpretation of the rules of
        our intermediate representation. However, fixing DCE to actually preserve the relevant
        property would be hard, and it wouldn't have an observable effect right now because nobody
        actually uses the property of CPS that this assertion is checking for.

        In particular, we do always require, and rely on, the fact that non-captured variables
        have variablesAtTail refer to the last interesting use of the variable: a SetLocal if the
        block assigns to the variable, a GetLocal if it only reads from it, and a Flush,
        PhantomLocal, or Phi otherwise. We do preserve this property successfully and DCE was not
        broken in this regard. But, in the strictest sense, CPS also means that for captured
        variables, variablesAtTail also continues to point to the last relevant use of the
        variable. In particular, if there are multiple GetLocals, then it should point to the last
        one. This is hard for DCE to preserve. Also, nobody relies on variablesAtTail for captured
        variables, except to check the VariableAccessData; but in that case, we don't really need
        the *last* relevant use of the variable - any node that mentions the same variable will do
        just fine.

        So, this change loosens the assertion and adds a detailed FIXME describing what we would
        have to do if we wanted to preserve the more strict property.

        This also makes changes to various debug printing paths so that validation doesn't crash
        during graph dump. This also adds tests for the interesting cases of DCE failing to
        preserve CPS in the strictest sense. This also attempts to win the record for longest test
        name.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::hashAsStringIfPossible):
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeBlock.h:
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::hashAsStringIfPossible):
        (JSC::InlineCallFrame::dumpBriefFunctionInformation):
        * bytecode/CodeOrigin.h:
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * runtime/FunctionExecutableDump.cpp:
        (JSC::FunctionExecutableDump::dump):
        * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store-in-function-with-multiple-basic-blocks.js: Added.
        (foo):
        * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store.js: Added.
        (foo):

2014-03-12  Brian Burg  <bburg@apple.com>

        Web Replay: add infrastructure for memoizing nondeterministic DOM APIs
        https://bugs.webkit.org/show_bug.cgi?id=129445

        Reviewed by Timothy Hatcher.

        There was a bug in the replay inputs code generator that would include
        headers for definitions of enum classes, even though they can be safely
        forward-declared.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Generator.generate_includes): Only include for copy constructor if the
        type is a heavy scalar (i.e., String, URL), not a normal scalar
        (i.e., int, double, enum classes).

        (Generator.generate_type_forward_declarations): Forward-declare scalars
        that are enums or enum classes.

2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Disable REMOTE_INSPECTOR in earlier OS X releases
        https://bugs.webkit.org/show_bug.cgi?id=130118

        Reviewed by Timothy Hatcher.

        * Configurations/FeatureDefines.xcconfig:

2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Hang in Remote Inspection triggering breakpoint from console
        https://bugs.webkit.org/show_bug.cgi?id=130032

        Reviewed by Timothy Hatcher.

        * inspector/EventLoop.h:
        * inspector/EventLoop.cpp:
        (Inspector::EventLoop::remoteInspectorRunLoopMode):
        (Inspector::EventLoop::cycle):
        Expose the run loop mode name so it can be used if needed by others.

        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::operator=):
        (Inspector::RemoteInspectorBlock::operator()):
        (Inspector::RemoteInspectorQueueTask):
        Instead of a dispatch_queue, have our own static Vector of debugger tasks.

        (Inspector::RemoteInspectorHandleRunSource):
        (Inspector::RemoteInspectorInitializeQueue):
        Initialize the static queue and run loop source. When the run loop source
        fires, it will exhaust the queue of debugger messages.

        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
        When we get a debuggable connection add a run loop source for inspector commands.

        (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
        Enqueue blocks on our Vector instead of our dispatch_queue.

2014-03-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165482.
        https://bugs.webkit.org/show_bug.cgi?id=130157

        Broke the Windows build; "error C2466: cannot allocate an
        array of constant size 0" (Requested by jernoble on #webkit).

        Reverted changeset:

        "Reduce memory use for static property maps"
        https://bugs.webkit.org/show_bug.cgi?id=129986
        http://trac.webkit.org/changeset/165482

2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove HandleSet::m_nextToFinalize
        https://bugs.webkit.org/show_bug.cgi?id=130109

        Reviewed by Mark Lam.

        This is a remnant of when HandleSet contained things that needed to be finalized.

        * heap/HandleSet.cpp:
        (JSC::HandleSet::HandleSet):
        (JSC::HandleSet::writeBarrier):
        * heap/HandleSet.h:
        (JSC::HandleSet::allocate):
        (JSC::HandleSet::deallocate):

2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Layout Test fast/workers/worker-gc.html is failing
        https://bugs.webkit.org/show_bug.cgi?id=130135

        Reviewed by Geoffrey Garen.

        When removing MarkedBlocks, we always expect them to be in the MarkedAllocator's
        main list of blocks, i.e. not in the retired list. When shutting down the VM this
        wasn't always the case, which was causing ASSERTs to fire. We should rearrange things
        so that allocators are notified with lastChanceToFinalize. This will give them
        the chance to move their retired blocks back into the main list before removing them all.

        * heap/MarkedAllocator.cpp:
        (JSC::LastChanceToFinalize::operator()):
        (JSC::MarkedAllocator::lastChanceToFinalize):
        * heap/MarkedAllocator.h:
        * heap/MarkedSpace.cpp:
        (JSC::LastChanceToFinalize::operator()):
        (JSC::MarkedSpace::lastChanceToFinalize):

2014-03-12  Gavin Barraclough  <barraclough@apple.com>

        Reduce memory use for static property maps
        https://bugs.webkit.org/show_bug.cgi?id=129986

        Reviewed by Andreas Kling.

        Static property tables are currently duplicated on first use from read-only memory into dirty memory
        in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
        (we use a custom hash table without a rehash) a lot of memory may be wasted.

        First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
        from string hashes to indices into a densely packed array of values. Compute the index table at
        compile time as a part of the derived sources step, such that this may be read-only data.

        Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead refer
        directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
        keys, which are Identifiers.

        * create_hash_table:
            - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
        * parser/Lexer.cpp:
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        (JSC::Lexer<T>::parseIdentifierSlowCase):
            - HashEntry -> HashTableValue.
        * parser/Lexer.h:
        (JSC::Keywords::getKeyword):
            - HashEntry -> HashTableValue.
        * runtime/ClassInfo.h:
            - removed HashEntry.
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
            - use HashTable::ConstIterator.
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
            - HashEntry -> HashTableValue.
        (JSC::JSObject::reifyStaticFunctionsForDelete):
            - changed HashTable::ConstIterator interface.
        * runtime/JSObject.h:
            - HashEntry -> HashTableValue.
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
            - table -> keys, keys array is now densely packed.
        (JSC::HashTable::deleteTable):
            - table -> keys.
        (JSC::setUpStaticFunctionSlot):
            - HashEntry -> HashTableValue.
        * runtime/Lookup.h:
        (JSC::HashTableValue::builtinGenerator):
        (JSC::HashTableValue::function):
        (JSC::HashTableValue::functionLength):
        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        (JSC::HashTableValue::lexerValue):
            - added accessor methods from HashEntry.
        (JSC::HashTable::copy):
            - fields changed.
        (JSC::HashTable::initializeIfNeeded):
            - table -> keys.
        (JSC::HashTable::entry):
            - HashEntry -> HashTableValue.
        (JSC::HashTable::ConstIterator::ConstIterator):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::ConstIterator::value):
        (JSC::HashTable::ConstIterator::key):
        (JSC::HashTable::ConstIterator::operator->):
            - accessors now get HashTableValue/StringImpl* separately.
        (JSC::HashTable::ConstIterator::operator++):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::end):
            - end is now size of dense not sparse array.
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        (JSC::putEntry):
        (JSC::lookupPut):
            - HashEntry -> HashTableValue.

2014-03-11  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to build WebKit with FTL on iOS
        https://bugs.webkit.org/show_bug.cgi?id=130116

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:

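Gavin Barraclough's "Reduce memory use for static property maps" entry appears twice in this log (the original landing and the re-landing after the rollout); both describe the same scheme: a sparse index table that maps a string hash to a position in a densely packed array of per-property records, with the index computed ahead of time so it can live in read-only data. The following is an added illustration of that scheme, not WebKit's create_hash_table output or its Lookup.h code. It builds the index at compile time with constexpr, standing in for the derived-sources step; the PackedValue struct, the FNV-1a hash (in place of WTF's string hash), linear probing in place of the chaining the entry mentions, and the sample property names are all assumptions for the example.

```cpp
#include <cstddef>
#include <cstdint>

// Constructed stand-in for a HashTableValue: the densely packed per-property record.
struct PackedValue {
    const char* key;
    unsigned attributes;     // placeholder attribute bits
    int slotIndex;           // placeholder for what the entry refers to
};

// Five static properties packed with no gaps (the "densely packed array of values").
constexpr PackedValue kValues[] = {
    { "length",  0x1, 0 },
    { "push",    0x2, 1 },
    { "pop",     0x2, 2 },
    { "slice",   0x2, 3 },
    { "indexOf", 0x2, 4 },
};
constexpr std::size_t kValueCount = sizeof(kValues) / sizeof(kValues[0]);

// The index table is sparser than the value array; each slot is one byte holding
// a value index, or -1 when empty. Power of two so a mask replaces modulo.
constexpr std::size_t kIndexSize = 16;

// FNV-1a over the key bytes, a stand-in for WTF's string hash.
constexpr uint32_t hashKey(const char* s) {
    uint32_t h = 2166136261u;
    for (; *s; ++s) {
        h ^= static_cast<uint8_t>(*s);
        h *= 16777619u;
    }
    return h;
}

constexpr bool keyEquals(const char* a, const char* b) {
    while (*a && *a == *b) { ++a; ++b; }
    return *a == *b;
}

struct IndexTable {
    int8_t slots[kIndexSize];
    int longestProbe;        // how far linear probing had to walk at build time
};

// Built entirely at compile time, the equivalent of emitting the index from the
// derived-sources step, so the result can sit in read-only data.
constexpr IndexTable buildIndex() {
    IndexTable table{};
    for (std::size_t i = 0; i < kIndexSize; ++i)
        table.slots[i] = -1;
    table.longestProbe = 0;
    for (std::size_t v = 0; v < kValueCount; ++v) {
        std::size_t pos = hashKey(kValues[v].key) & (kIndexSize - 1);
        int probe = 0;
        while (table.slots[pos] != -1) {         // linear probing on collision
            pos = (pos + 1) & (kIndexSize - 1);
            ++probe;
        }
        table.slots[pos] = static_cast<int8_t>(v);
        if (probe > table.longestProbe)
            table.longestProbe = probe;
    }
    return table;
}

constexpr IndexTable kIndex = buildIndex();
static_assert(kValueCount < kIndexSize, "the index needs free slots so probing terminates");

// Lookup: hash the key, walk the index, compare against the packed record.
// Returns nullptr when the key is not a static property.
constexpr const PackedValue* lookup(const char* key) {
    std::size_t pos = hashKey(key) & (kIndexSize - 1);
    for (std::size_t step = 0; step < kIndexSize; ++step) {
        int8_t idx = kIndex.slots[pos];
        if (idx < 0)
            return nullptr;                      // empty slot ends the probe sequence
        if (keyEquals(kValues[idx].key, key))
            return &kValues[idx];
        pos = (pos + 1) & (kIndexSize - 1);
    }
    return nullptr;
}

// The quantity the entry is about: bytes of read-only data behind both arrays.
constexpr std::size_t packedBytes() { return sizeof(kValues); }
constexpr std::size_t indexBytes()  { return sizeof(kIndex.slots); }
constexpr int longestProbe()        { return kIndex.longestProbe; }

static_assert(lookup("push") != nullptr && lookup("push")->slotIndex == 1, "resolved at compile time");
static_assert(lookup("toString") == nullptr, "absent keys yield nullptr");
```

Nothing here is allocated or written at runtime; the only per-process state the entry still needs, the Identifier keys, would be created on first use alongside this read-only data rather than by copying the whole table into dirty memory.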
112112014-03-11 Filip Pizlo <fpizlo@apple.com>
11212
11213 It should be possible to build WebKit with FTL on iOS
11214 https://bugs.webkit.org/show_bug.cgi?id=130116
11215
11216 Reviewed by Dan Bernstein.
11217
11218 * Configurations/Base.xcconfig:
11219
112202014-03-10 Filip Pizlo <fpizlo@apple.com>
11221
11222 GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList
11223 https://bugs.webkit.org/show_bug.cgi?id=129778
11224
11225 Reviewed by Geoffrey Garen.
11226
11227 Also deduplicate the GetById getter call caching. Also add some small tests for
11228 get stubs.
11229
11230 This change reduces the amount of code involved in GetById access caching and it
11231 creates data structures that can serve as an elegant scaffold for introducing other
11232 kinds of caches or improving current caching styles. It will definitely make getter
11233 performance improvements easier to implement.
11234
11235 * CMakeLists.txt:
11236 * GNUmakefile.list.am:
11237 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
11238 * JavaScriptCore.xcodeproj/project.pbxproj:
11239 * bytecode/CodeBlock.cpp:
11240 (JSC::CodeBlock::printGetByIdCacheStatus):
11241 * bytecode/GetByIdStatus.cpp:
11242 (JSC::GetByIdStatus::computeForStubInfo):
11243 * bytecode/PolymorphicGetByIdList.cpp: Added.
11244 (JSC::GetByIdAccess::GetByIdAccess):
11245 (JSC::GetByIdAccess::~GetByIdAccess):
11246 (JSC::GetByIdAccess::fromStructureStubInfo):
11247 (JSC::GetByIdAccess::visitWeak):
11248 (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList):
11249 (JSC::PolymorphicGetByIdList::from):
11250 (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList):
11251 (JSC::PolymorphicGetByIdList::currentSlowPathTarget):
11252 (JSC::PolymorphicGetByIdList::addAccess):
11253 (JSC::PolymorphicGetByIdList::isFull):
11254 (JSC::PolymorphicGetByIdList::isAlmostFull):
11255 (JSC::PolymorphicGetByIdList::didSelfPatching):
11256 (JSC::PolymorphicGetByIdList::visitWeak):
11257 * bytecode/PolymorphicGetByIdList.h: Added.
11258 (JSC::GetByIdAccess::GetByIdAccess):
11259 (JSC::GetByIdAccess::isSet):
11260 (JSC::GetByIdAccess::operator!):
11261 (JSC::GetByIdAccess::type):
11262 (JSC::GetByIdAccess::structure):
11263 (JSC::GetByIdAccess::chain):
11264 (JSC::GetByIdAccess::chainCount):
11265 (JSC::GetByIdAccess::stubRoutine):
11266 (JSC::GetByIdAccess::doesCalls):
11267 (JSC::PolymorphicGetByIdList::isEmpty):
11268 (JSC::PolymorphicGetByIdList::size):
11269 (JSC::PolymorphicGetByIdList::at):
11270 (JSC::PolymorphicGetByIdList::operator[]):
11271 * bytecode/StructureStubInfo.cpp:
11272 (JSC::StructureStubInfo::deref):
11273 (JSC::StructureStubInfo::visitWeakReferences):
11274 * bytecode/StructureStubInfo.h:
11275 (JSC::isGetByIdAccess):
11276 (JSC::StructureStubInfo::initGetByIdList):
11277 * jit/Repatch.cpp:
11278 (JSC::generateGetByIdStub):
11279 (JSC::tryCacheGetByID):
11280 (JSC::patchJumpToGetByIdStub):
11281 (JSC::tryBuildGetByIDList):
11282 (JSC::tryBuildPutByIdList):
11283 * tests/stress/getter.js: Added.
11284 (foo):
11285 (.o):
11286 * tests/stress/polymorphic-prototype-accesses.js: Added.
11287 (Foo):
11288 (Bar):
11289 (foo):
11290 * tests/stress/prototype-getter.js: Added.
11291 (Foo):
11292 (foo):
11293 * tests/stress/simple-prototype-accesses.js: Added.
11294 (Foo):
11295 (foo):
11296
112972014-03-11 Mark Hahnenberg <mhahnenberg@apple.com>
11298
11299 MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections
11300 https://bugs.webkit.org/show_bug.cgi?id=129920
11301
11302 Reviewed by Geoffrey Garen.
11303
11304 This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock
11305 when the amount of free space in a MarkedBlock drops below a certain threshold.
11306 Retired blocks are not considered for sweeping.
11307
11308 This is profitable because it reduces churn during sweeping. To build a free list,
11309 we have to scan through each cell in a block. After a collection, all objects that
11310 are live in the block will remain live until the next FullCollection, at which time
11311 we un-retire all previously retired blocks. Thus, a small number of objects in a block
11312 that die during each EdenCollection could cause us to do a disproportiante amount of
11313 sweeping for how much free memory we get back.
11314
11315 This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else.
11316
11317 * heap/Heap.h:
11318 (JSC::Heap::didRetireBlockWithFreeListSize):
11319 * heap/MarkedAllocator.cpp:
11320 (JSC::MarkedAllocator::tryAllocateHelper):
11321 (JSC::MarkedAllocator::removeBlock):
11322 (JSC::MarkedAllocator::reset):
11323 * heap/MarkedAllocator.h:
11324 (JSC::MarkedAllocator::MarkedAllocator):
11325 (JSC::MarkedAllocator::forEachBlock):
11326 * heap/MarkedBlock.cpp:
11327 (JSC::MarkedBlock::sweepHelper):
11328 (JSC::MarkedBlock::clearMarksWithCollectionType):
11329 (JSC::MarkedBlock::didRetireBlock):
11330 * heap/MarkedBlock.h:
11331 (JSC::MarkedBlock::willRemoveBlock):
11332 (JSC::MarkedBlock::isLive):
11333 * heap/MarkedSpace.cpp:
11334 (JSC::MarkedSpace::clearNewlyAllocated):
11335 (JSC::MarkedSpace::clearMarks):
11336 * runtime/Options.h:
11337
113382014-03-11 Andreas Kling <akling@apple.com>
11339
11340 Streamline PropertyTable for lookup-only access.
11341 <https://webkit.org/b/130060>
11342
11343 The PropertyTable lookup algorithm was written to support both read
11344 and write access. This wasn't actually needed in most places.
11345
11346 This change adds a PropertyTable::get() that just returns the value
11347 type (instead of an insertion iterator.) It also adds an early return
11348 for empty tables.
11349
11350 Finally, up the minimum table capacity from 8 to 16. It was lowered
11351 to 8 in order to save memory, but that was before PropertyTables were
11352 GC allocated. Nowadays we don't have nearly as many tables, since all
11353 the unpinned transitions die off.
11354
11355 Reviewed by Darin Adler.
11356
11357 * runtime/PropertyMapHashTable.h:
11358 (JSC::PropertyTable::get):
11359 * runtime/Structure.cpp:
11360 (JSC::Structure::despecifyDictionaryFunction):
11361 (JSC::Structure::attributeChangeTransition):
11362 (JSC::Structure::get):
11363 (JSC::Structure::despecifyFunction):
11364 * runtime/StructureInlines.h:
11365 (JSC::Structure::get):
11366
113672014-03-10 Mark Hahnenberg <mhahnenberg@apple.com>
11368
11369 REGRESSION(r165407): DoYouEvenBench crashes in DRT
11370 https://bugs.webkit.org/show_bug.cgi?id=130066
11371
11372 Reviewed by Geoffrey Garen.
11373
11374 The baseline JIT does a conditional store barrier for the put_by_id, but we need
11375 an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub.
11376
11377 * jit/JIT.h:
11378 * jit/JITPropertyAccess.cpp:
11379 (JSC::JIT::emit_op_put_by_id):
11380 (JSC::JIT::emitWriteBarrier):
11381
113822014-03-10 Mark Lam <mark.lam@apple.com>
11383
11384 Resurrect bit-rotted JIT::probe() mechanism.
11385 <https://webkit.org/b/130067>
11386
11387 Reviewed by Geoffrey Garen.
11388
11389 * jit/JITStubs.cpp:
11390 - Added the needed #include <wtf/InlineASM.h>.
11391
113922014-03-10 Joseph Pecoraro <pecoraro@apple.com>
11393
11394 Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos.
11395
11396 Rubber-stamped by Dan Bernstein.
11397
11398 * Configurations/JavaScriptCore.xcconfig:
11399
114002014-03-10 Mark Lam <mark.lam@apple.com>
11401
11402 r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330.
11403 <https://webkit.org/b/130065>
11404
11405 Reviewed by Michael Saboff.
11406
11407 There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex()
11408 being able to return InvalidIndex. Hence, the assertion is invalid. Ditto for
11409 FPRInfo::toIndex().
11410
11411 The fix is to remove the "result != InvalidIndex" assertions.
11412
11413 * jit/FPRInfo.h:
11414 (JSC::FPRInfo::toIndex):
11415 * jit/GPRInfo.h:
11416 (JSC::GPRInfo::toIndex):
11417
114182014-03-10 Mark Lam <mark.lam@apple.com>
11419
11420 Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html.
11421 <https://webkit.org/b/129955>
11422
11423 Reviewed by Geoffrey Garen.
11424
11425 The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes
11426 stack memory every time it was called. This is now fixed.
11427
11428 * jit/JITOperations.cpp:
11429
114302014-03-10 Joseph Pecoraro <pecoraro@apple.com>
11431
11432 Better JSContext API for named evaluations (other than //# sourceURL)
11433 https://bugs.webkit.org/show_bug.cgi?id=129911
11434
11435 Reviewed by Geoffrey Garen.
11436
11437 * API/JSBase.h:
11438 * API/JSContext.h:
11439 * API/JSContext.mm:
11440 (-[JSContext evaluateScript:]):
11441 (-[JSContext evaluateScript:withSourceURL:]):
11442 Add new evaluateScript:withSourceURL:.
11443
11444 * API/tests/testapi.c:
11445 (main):
11446 * API/tests/testapi.mm:
11447 (testObjectiveCAPI):
11448 Add tests for sourceURL in evaluate APIs. It should
11449 affect the exception objects.
11450
114512014-03-10 Filip Pizlo <fpizlo@apple.com>
11452
11453 Repatch should save and restore all used registers - not just temp ones - when making a call
11454 https://bugs.webkit.org/show_bug.cgi?id=130041
11455
11456 Reviewed by Geoffrey Garen and Mark Hahnenberg.
11457
11458 The save/restore code was written back when the only client was the DFG, which only uses a
11459 subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many
11460 other registers, especially on ARM64. The fact that Repatch doesn't know to save those can
11461 lead to data corruption on ARM64.
11462
11463 * jit/RegisterSet.cpp:
11464 (JSC::RegisterSet::calleeSaveRegisters):
11465 (JSC::RegisterSet::numberOfSetGPRs):
11466 (JSC::RegisterSet::numberOfSetFPRs):
11467 * jit/RegisterSet.h:
11468 * jit/Repatch.cpp:
11469 (JSC::storeToWriteBarrierBuffer):
11470 (JSC::emitPutTransitionStub):
11471 * jit/ScratchRegisterAllocator.cpp:
11472 (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
11473 (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
11474 (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
11475 (JSC::ScratchRegisterAllocator::usedRegistersForCall):
11476 (JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall):
11477 (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
11478 (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
11479 * jit/ScratchRegisterAllocator.h:
11480
11481 2014-03-10 Mark Hahnenberg <mhahnenberg@apple.com>
11482
11483 Remove ConditionalStore barrier
11484 https://bugs.webkit.org/show_bug.cgi?id=130040
11485
11486 Reviewed by Geoffrey Garen.
11487
11488 ConditionalStoreBarrier was created when barriers were much more expensive. Now that
11489 they're cheap(er), we can get rid of them. This also allows us to get rid of the write
11490 barrier logic in emitPutTransitionStub because we always will have executed a write barrier
11491 on the base object in the case where we are allocating and storing a new Butterfly into it.
11492 Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object,
11493 so we'd have to emit a write barrier in the transition case.
11494
11495 This is performance neutral on the benchmarks we track.
11496
11497 * dfg/DFGAbstractInterpreterInlines.h:
11498 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
11499 * dfg/DFGClobberize.h:
11500 (JSC::DFG::clobberize):
11501 * dfg/DFGConstantFoldingPhase.cpp:
11502 (JSC::DFG::ConstantFoldingPhase::foldConstants):
11503 (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
11504 * dfg/DFGFixupPhase.cpp:
11505 (JSC::DFG::FixupPhase::fixupNode):
11506 (JSC::DFG::FixupPhase::insertStoreBarrier):
11507 * dfg/DFGNode.h:
11508 (JSC::DFG::Node::isStoreBarrier):
11509 * dfg/DFGNodeType.h:
11510 * dfg/DFGPredictionPropagationPhase.cpp:
11511 (JSC::DFG::PredictionPropagationPhase::propagate):
11512 * dfg/DFGSafeToExecute.h:
11513 (JSC::DFG::safeToExecute):
11514 * dfg/DFGSpeculativeJIT.cpp:
11515 (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
11516 * dfg/DFGSpeculativeJIT32_64.cpp:
11517 (JSC::DFG::SpeculativeJIT::compile):
11518 * dfg/DFGSpeculativeJIT64.cpp:
11519 (JSC::DFG::SpeculativeJIT::compile):
11520 * ftl/FTLCapabilities.cpp:
11521 (JSC::FTL::canCompile):
11522 * ftl/FTLLowerDFGToLLVM.cpp:
11523 (JSC::FTL::LowerDFGToLLVM::compileNode):
11524 * jit/Repatch.cpp:
11525 (JSC::emitPutTransitionStub):
11526
11527 2014-03-10 Filip Pizlo <fpizlo@apple.com>
11528
11529 DFG and FTL should know that comparing anything to Misc is cheap and easy
11530 https://bugs.webkit.org/show_bug.cgi?id=130001
11531
11532 Reviewed by Geoffrey Garen.
11533
11534 - Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the
11535 comparison is just Untyped:.
11536
11537 - This obviates the need for CompareStrictEqConstant, so remove it.
11538
11539 - FTL had a thing called "Nully" which is really "Other". Rename it and add
11540 OtherUse.
11541
11542 9% speed-up on box2d.
11543
11544 * dfg/DFGAbstractInterpreterInlines.h:
11545 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
11546 * dfg/DFGByteCodeParser.cpp:
11547 (JSC::DFG::ByteCodeParser::parseBlock):
11548 * dfg/DFGClobberize.h:
11549 (JSC::DFG::clobberize):
11550 * dfg/DFGFixupPhase.cpp:
11551 (JSC::DFG::FixupPhase::fixupNode):
11552 * dfg/DFGNode.h:
11553 (JSC::DFG::Node::isBinaryUseKind):
11554 (JSC::DFG::Node::shouldSpeculateOther):
11555 * dfg/DFGNodeType.h:
11556 * dfg/DFGPredictionPropagationPhase.cpp:
11557 (JSC::DFG::PredictionPropagationPhase::propagate):
11558 * dfg/DFGSafeToExecute.h:
11559 (JSC::DFG::safeToExecute):
11560 * dfg/DFGSpeculativeJIT.cpp:
11561 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
11562 (JSC::DFG::SpeculativeJIT::compare):
11563 (JSC::DFG::SpeculativeJIT::compileStrictEq):
11564 * dfg/DFGSpeculativeJIT.h:
11565 * dfg/DFGSpeculativeJIT32_64.cpp:
11566 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
11567 (JSC::DFG::SpeculativeJIT::compile):
11568 * dfg/DFGSpeculativeJIT64.cpp:
11569 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
11570 (JSC::DFG::SpeculativeJIT::compile):
11571 * ftl/FTLCapabilities.cpp:
11572 (JSC::FTL::canCompile):
11573 * ftl/FTLLowerDFGToLLVM.cpp:
11574 (JSC::FTL::LowerDFGToLLVM::compileNode):
11575 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
11576 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
11577 (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
11578 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
11579 (JSC::FTL::LowerDFGToLLVM::isNotOther):
11580 (JSC::FTL::LowerDFGToLLVM::isOther):
11581 (JSC::FTL::LowerDFGToLLVM::speculate):
11582 (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
11583 (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
11584 (JSC::FTL::LowerDFGToLLVM::speculateOther):
11585 (JSC::FTL::LowerDFGToLLVM::speculateMisc):
11586 * tests/stress/compare-strict-eq-integer-to-misc.js: Added.
11587
11588 2014-03-10 Filip Pizlo <fpizlo@apple.com>
11589
11590 Unreviewed, remove unintended change.
11591
11592 * dfg/DFGDriver.cpp:
11593 (JSC::DFG::compileImpl):
11594
11595 2014-03-10 Filip Pizlo <fpizlo@apple.com>
11596
11597 jsc commandline shouldn't have a "console" because that confuses some tests into thinking
11598 that they're running in the browser.
11599
11600 Rubber stamped by Mark Hahnenberg.
11601
11602 * jsc.cpp:
11603 (GlobalObject::finishCreation):
11604
11605 2014-03-10 Filip Pizlo <fpizlo@apple.com>
11606
11607 Out-line ScratchRegisterAllocator
11608
11609 Rubber stamped by Mark Hahnenberg.
11610
11611 * CMakeLists.txt:
11612 * GNUmakefile.list.am:
11613 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
11614 * JavaScriptCore.xcodeproj/project.pbxproj:
11615 * dfg/DFGDriver.cpp:
11616 (JSC::DFG::compileImpl):
11617 * jit/ScratchRegisterAllocator.cpp: Added.
11618 (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
11619 (JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator):
11620 (JSC::ScratchRegisterAllocator::lock):
11621 (JSC::ScratchRegisterAllocator::allocateScratch):
11622 (JSC::ScratchRegisterAllocator::allocateScratchGPR):
11623 (JSC::ScratchRegisterAllocator::allocateScratchFPR):
11624 (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
11625 (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
11626 (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
11627 (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
11628 (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
11629 * jit/ScratchRegisterAllocator.h:
11630
11631 2014-03-10 Brent Fulgham <bfulgham@apple.com>
11632
11633 [Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages.
11634 https://bugs.webkit.org/show_bug.cgi?id=130023
11635
11636 Reviewed by Dean Jackson.
11637
11638 * JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in
11639 path names to avoid accidental escaping of later string substitutions.
11640
11641 2014-03-10 Andreas Kling <akling@apple.com>
11642
11643 [X86_64] Smaller code for testb_i8r when register is accumulator.
11644 <https://webkit.org/b/130026>
11645
11646 Generate the shorthand version of "test al, imm" when possible.
11647
11648 Reviewed by Michael Saboff.
11649
11650 * assembler/X86Assembler.h:
11651 (JSC::X86Assembler::testb_i8r):
11652
11653 2014-03-10 Andreas Kling <akling@apple.com>
11654
11655 [X86_64] Smaller code for sub_ir when register is accumulator.
11656 <https://webkit.org/b/130025>
11657
11658 Generate the shorthand version of "sub eax, imm" when possible.
11659
11660 Reviewed by Michael Saboff.
11661
11662 * assembler/X86Assembler.h:
11663 (JSC::X86Assembler::subl_ir):
11664 (JSC::X86Assembler::subq_ir):
11665
11666 2014-03-10 Andreas Kling <akling@apple.com>
11667
11668 [X86_64] Smaller code for add_ir when register is accumulator.
11669 <https://webkit.org/b/130024>
11670
11671 Generate the shorthand version of "add eax, imm" when possible.
11672
11673 Reviewed by Michael Saboff.
11674
11675 * assembler/X86Assembler.h:
11676 (JSC::X86Assembler::addl_ir):
11677 (JSC::X86Assembler::addq_ir):
11678
11679 2014-03-10 Mark Hahnenberg <mhahnenberg@apple.com>
11680
11681 writeBarrier in emitPutReplaceStub is unnecessary
11682 https://bugs.webkit.org/show_bug.cgi?id=130030
11683
11684 Reviewed by Filip Pizlo.
11685
11686 We already emit write barriers for each put-by-id when they're first compiled, so it's
11687 redundant to emit a write barrier as part of the repatched code.
11688
11689 * jit/Repatch.cpp:
11690 (JSC::emitPutReplaceStub):
11691
11692 2014-03-10 Andreas Kling <akling@apple.com>
11693
11694 [X86_64] Smaller code for xor_ir when register is accumulator.
11695 <https://webkit.org/b/130008>
11696
11697 Generate the shorthand version of "xor eax, imm" when possible.
11698
11699 Reviewed by Benjamin Poulain.
11700
11701 * assembler/X86Assembler.h:
11702 (JSC::X86Assembler::xorl_ir):
11703 (JSC::X86Assembler::xorq_ir):
11704
11705 2014-03-10 Andreas Kling <akling@apple.com>
11706
11707 [X86_64] Smaller code for or_ir when register is accumulator.
11708 <https://webkit.org/b/130007>
11709
11710 Generate the shorthand version of "or eax, imm" when possible.
11711
11712 Reviewed by Benjamin Poulain.
11713
11714 * assembler/X86Assembler.h:
11715 (JSC::X86Assembler::orl_ir):
11716 (JSC::X86Assembler::orq_ir):
11717
11718 2014-03-10 Andreas Kling <akling@apple.com>
11719
11720 [X86_64] Smaller code for test_ir when register is accumulator.
11721 <https://webkit.org/b/130006>
11722
11723 Generate the shorthand version of "test eax, imm" when possible.
11724
11725 Reviewed by Benjamin Poulain.
11726
11727 * assembler/X86Assembler.h:
11728 (JSC::X86Assembler::testl_i32r):
11729 (JSC::X86Assembler::testq_i32r):
11730
11731 2014-03-10 Andreas Kling <akling@apple.com>
11732
11733 [X86_64] Smaller code for cmp_ir when register is accumulator.
11734 <https://webkit.org/b/130005>
11735
11736 Generate the shorthand version of "cmp eax, imm" when possible.
11737
11738 Reviewed by Benjamin Poulain.
11739
11740 * assembler/X86Assembler.h:
11741 (JSC::X86Assembler::cmpl_ir):
11742 (JSC::X86Assembler::cmpq_ir):
11743
11744 2014-03-10 Andreas Kling <akling@apple.com>
11745
11746 [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
11747 <https://webkit.org/b/130002>
11748
11749 Generate this:
11750
11751 mov [address], imm32
11752
11753 Instead of this:
11754
11755 mov scratchRegister, imm32
11756 mov [address], scratchRegister
11757
11758 For store64(imm, address) where the 64-bit immediate can be passed as
11759 a sign-extended 32-bit value.
11760
11761 Reviewed by Benjamin Poulain.
11762
11763 * assembler/MacroAssemblerX86_64.h:
11764 (CAN_SIGN_EXTEND_32_64):
11765 (JSC::MacroAssemblerX86_64::store64):
11766
11767 2014-03-10 Andreas Kling <akling@apple.com>
11768
11769 [X86_64] Smaller code for xchg_rr when one register is accumulator.
11770 <https://webkit.org/b/130004>
11771
11772 Generate the 1-byte version of "xchg eax, reg" when possible.
11773
11774 Reviewed by Benjamin Poulain.
11775
11776 * assembler/X86Assembler.h:
11777 (JSC::X86Assembler::xchgl_rr):
11778 (JSC::X86Assembler::xchgq_rr):
11779
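The accumulator short forms described in the X86Assembler entries above (add/sub/or/xor/cmp/test with eax, and the one-byte xchg with eax) and the CAN_SIGN_EXTEND_32_64 check behind store64, as an added C example. This is not JavaScriptCore's assembler code: the register enum, the AluOp table and the function names are constructed for illustration, and only the eight legacy registers are modelled (no REX prefixes, so r8-r15 are rejected).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed register numbering; the values match the 3-bit register field of ModRM. */
enum Reg { EAX = 0, ECX = 1, EDX = 2, EBX = 3, ESP = 4, EBP = 5, ESI = 6, EDI = 7 };

/* A group-1 ALU op: the /digit used with opcode 0x81, and the one-byte
 * accumulator opcode that takes imm32 directly with no ModRM byte at all. */
typedef struct { uint8_t ext; uint8_t accOpcode; } AluOp;
static const AluOp ALU_ADD = { 0, 0x05 };
static const AluOp ALU_OR  = { 1, 0x0D };
static const AluOp ALU_SUB = { 5, 0x2D };
static const AluOp ALU_XOR = { 6, 0x35 };
static const AluOp ALU_CMP = { 7, 0x3D };

/* Little-endian imm32. Go through uint32_t so negative values shift cleanly. */
static size_t put_imm32(uint8_t *out, int32_t imm)
{
    uint32_t u = (uint32_t)imm;
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(u >> (8 * i));
    return 4;
}

/* "op r32, imm32". Returns bytes emitted, or 0 for a register this example
 * cannot encode. eax gets the 5-byte form, every other register the 6-byte 0x81 form. */
size_t emit_alu_ir(uint8_t *out, AluOp op, int reg, int32_t imm)
{
    if (reg < 0 || reg > 7)
        return 0;
    size_t n = 0;
    if (reg == EAX) {
        out[n++] = op.accOpcode;                            /* e.g. add eax, imm32 -> 05 id */
    } else {
        out[n++] = 0x81;                                    /* group 1 with imm32 */
        out[n++] = (uint8_t)(0xC0 | (op.ext << 3) | reg);   /* ModRM: mod=11, reg=/digit, rm=reg */
    }
    return n + put_imm32(out + n, imm);
}

/* "test r32, imm32": A9 id for eax, otherwise F7 /0 id. */
size_t emit_test_ir(uint8_t *out, int reg, int32_t imm)
{
    if (reg < 0 || reg > 7)
        return 0;
    size_t n = 0;
    if (reg == EAX) {
        out[n++] = 0xA9;
    } else {
        out[n++] = 0xF7;
        out[n++] = (uint8_t)(0xC0 | reg);                   /* /0: reg field is zero */
    }
    return n + put_imm32(out + n, imm);
}

/* "xchg r32, r32": 90+rd is a single byte whenever one side is eax;
 * the general form is 87 /r and needs a ModRM byte. */
size_t emit_xchg_rr(uint8_t *out, int a, int b)
{
    if (a < 0 || a > 7 || b < 0 || b > 7)
        return 0;
    if (a == EAX || b == EAX) {
        int other = (a == EAX) ? b : a;
        out[0] = (uint8_t)(0x90 + other);
        return 1;
    }
    out[0] = 0x87;
    out[1] = (uint8_t)(0xC0 | (a << 3) | b);
    return 2;
}

/* The check behind store64(imm, address): a 64-bit immediate can travel as a
 * sign-extended imm32 only if widening its low 32 bits reproduces the value. */
bool can_sign_extend_32_64(int64_t value)
{
    return value == (int64_t)(int32_t)value;
}

/* "mov qword [base+disp8], imm32" (REX.W C7 /0 id) when the immediate fits, so no
 * scratch register is needed. Returns 0 when the caller has to fall back to
 * "mov scratch, imm64; mov [base+disp8], scratch". rsp as base needs a SIB byte. */
size_t emit_store64_imm(uint8_t *out, int base, int8_t disp, int64_t imm)
{
    if (base < 0 || base > 7 || !can_sign_extend_32_64(imm))
        return 0;
    size_t n = 0;
    out[n++] = 0x48;                                        /* REX.W */
    out[n++] = 0xC7;
    out[n++] = (uint8_t)(0x40 | base);                      /* mod=01 (disp8), reg=/0 */
    if (base == ESP)
        out[n++] = 0x24;                                    /* SIB: base=rsp, no index */
    out[n++] = (uint8_t)disp;
    return n + put_imm32(out + n, (int32_t)imm);
}
```
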
11780 2014-03-09 Filip Pizlo <fpizlo@apple.com>
11781
11782 GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
11783 https://bugs.webkit.org/show_bug.cgi?id=129998
11784
11785 Reviewed by Geoffrey Garen.
11786
11787 Not only is that the established contract, but this is used to signal to
11788 ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
11789 that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
11790 some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
11791 fine but previously it would have led to either an assertion failure, or data corruption, in
11792 the ScratchRegisterAllocator.
11793
11794 * jit/GPRInfo.h:
11795 (JSC::GPRInfo::toIndex):
11796
11797 2014-03-09 Filip Pizlo <fpizlo@apple.com>
11798
11799 FTL fails the new equals-masquerader strictEqualConstant test
11800 https://bugs.webkit.org/show_bug.cgi?id=129996
11801
11802 Reviewed by Mark Lam.
11803
11804 It turns out that the FTL was trying to do the masquerading stuff for ===null. But
11805 that's wrong since none of the other engines do it. The DFG even had an ancient
11806 FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT
11807 don't do it and JSValue::strictEqual() doesn't do it.
11808
11809 Remove the FIXME and remove the extra checks in the FTL.
11810
11811 This is a glorious patch: nothing but red and it fixes a test failure.
11812
11813 * dfg/DFGSpeculativeJIT.cpp:
11814 (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
11815 * ftl/FTLLowerDFGToLLVM.cpp:
11816 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
11817
11818 2014-03-09 Andreas Kling <akling@apple.com>
11819
11820 Short-circuit JSGlobalObjectInspectorController when not inspecting.
11821 <https://webkit.org/b/129995>
11822
11823 Add an early return in reportAPIException() when the console agent
11824 is disabled. This avoids expensive symbolication during exceptions
11825 if there's nobody expecting the fancy backtrace anyway.
11826
11827 ~2% progression on DYEB on my MBP.
11828
11829 Reviewed by Geoff Garen.
11830
11831 * inspector/JSGlobalObjectInspectorController.cpp:
11832 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
11833
11834 2014-03-09 Andreas Kling <akling@apple.com>
11835
11836 Inline the trivial parts of GC deferral.
11837 <https://webkit.org/b/129984>
11838
11839 Made most of the functions called by the DeferGC RAII object inline
11840 to avoid function call overhead.
11841
11842 Looks like ~1% progression on DYEB.
11843
11844 Reviewed by Geoffrey Garen.
11845
11846 * heap/Heap.cpp:
11847 * heap/Heap.h:
11848 (JSC::Heap::incrementDeferralDepth):
11849 (JSC::Heap::decrementDeferralDepth):
11850 (JSC::Heap::collectIfNecessaryOrDefer):
11851 (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
11852
11853 2014-03-08 Mark Lam <mark.lam@apple.com>
11854
11855 32-bit x86 handleUncaughtException returns to wrong location after a stack overflow.
11856 <https://webkit.org/b/129969>
11857
11858 Reviewed by Geoffrey Garen.
11859
11860 The 32-bit version of handleUncaughtException was missing the handling of an
11861 edge case for stack overflows where the current frame may already be the
11862 sentinel frame. This edge case was handled in the 64-bit version. The fix
11863 is to bring the 32-bit version up to parity.
11864
11865 * jit/JIT.cpp:
11866 (JSC::JIT::privateCompile):
11867 * llint/LowLevelInterpreter32_64.asm:
11868
11869 2014-03-07 Mark Lam <mark.lam@apple.com>
11870
11871 Fix bugs in 32-bit Structure implementation.
11872 <https://webkit.org/b/129947>
11873
11874 Reviewed by Mark Hahnenberg.
11875
11876 Added the loading of the Structure (from the JSCell) before use that was
11877 missing in a few places. Also added more test cases to equals-masquerader.js.
11878
11879 * dfg/DFGSpeculativeJIT32_64.cpp:
11880 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
11881 (JSC::DFG::SpeculativeJIT::compile):
11882 * dfg/DFGSpeculativeJIT64.cpp:
11883 (JSC::DFG::SpeculativeJIT::compile):
11884 * llint/LowLevelInterpreter32_64.asm:
11885 * tests/stress/equals-masquerader.js:
11886 (equalsNull):
11887 (notEqualsNull):
11888 (strictEqualsNull):
11889 (strictNotEqualsNull):
11890 (equalsUndefined):
11891 (notEqualsUndefined):
11892 (strictEqualsUndefined):
11893 (strictNotEqualsUndefined):
11894 (isFalsey):
11895 (test):
11896
11897 2014-03-07 Andrew Trick <atrick@apple.com>
11898
11899 Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953.
11900 https://bugs.webkit.org/show_bug.cgi?id=129954
11901
11902 Reviewed by Filip Pizlo.
11903
11904 * tests/stress/float32-repeat-out-of-bounds.js:
11905 * tests/stress/int8-repeat-out-of-bounds.js:
11906
11907 2014-03-07 Michael Saboff <msaboff@apple.com>
11908
11909 .cfi directives in LowLevelInterpreter.cpp are providing no benefit
11910 https://bugs.webkit.org/show_bug.cgi?id=129945
11911
11912 Reviewed by Mark Lam.
11913
11914 Removed .cfi directive. Verified that stack traces didn't regress in crash reporter
11915 or in lldb.
11916
11917 * llint/LowLevelInterpreter.cpp:
11918
11919 2014-03-07 Oliver Hunt <oliver@apple.com>
11920
11921 Continue hangs when performing for-of over arguments
11922 https://bugs.webkit.org/show_bug.cgi?id=129915
11923
11924 Reviewed by Geoffrey Garen.
11925
11926 Put the continue label in the right place
11927
11928 * bytecompiler/BytecodeGenerator.cpp:
11929 (JSC::BytecodeGenerator::emitEnumeration):
11930
11931 2014-03-07 peavo@outlook.com <peavo@outlook.com>
11932
11933 [Win64] Compile error after r165128.
11934 https://bugs.webkit.org/show_bug.cgi?id=129807
11935
11936 Reviewed by Mark Lam.
11937
11938 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
11939 Check platform environment variable to determine if an assembler file should be generated.
11940
11941 2014-03-07 Michael Saboff <msaboff@apple.com>
11942
11943 Clarify how we deal with "special" registers
11944 https://bugs.webkit.org/show_bug.cgi?id=129806
11945
11946 Already reviewed change being relanded.
11947
11948 Relanding change set r165196 as it wasn't responsible for the breakage reported in
11949 https://bugs.webkit.org/show_bug.cgi?id=129822. That appears to be a build or
11950 configuration issue.
11951
11952 Reviewed by Michael Saboff.
11953
11954 * assembler/ARM64Assembler.h:
11955 (JSC::ARM64Assembler::lastRegister):
11956 * assembler/MacroAssembler.h:
11957 (JSC::MacroAssembler::nextRegister):
11958 * ftl/FTLLocation.cpp:
11959 (JSC::FTL::Location::restoreInto):
11960 * ftl/FTLSaveRestore.cpp:
11961 (JSC::FTL::saveAllRegisters):
11962 (JSC::FTL::restoreAllRegisters):
11963 * ftl/FTLSlowPathCall.cpp:
11964 * jit/RegisterSet.cpp:
11965 (JSC::RegisterSet::reservedHardwareRegisters):
11966 (JSC::RegisterSet::runtimeRegisters):
11967 (JSC::RegisterSet::specialRegisters):
11968 (JSC::RegisterSet::calleeSaveRegisters):
11969 * jit/RegisterSet.h:
11970
11971 2014-03-07 Mark Hahnenberg <mhahnenberg@apple.com>
11972
11973 Move GCActivityCallback to heap
11974 https://bugs.webkit.org/show_bug.cgi?id=129457
11975
11976 Reviewed by Geoffrey Garen.
11977
11978 All the other GC timer related stuff is there already.
11979
11980 * CMakeLists.txt:
11981 * GNUmakefile.list.am:
11982 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
11983 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
11984 * JavaScriptCore.xcodeproj/project.pbxproj:
11985 * heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp.
11986 * heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h.
11987 * runtime/GCActivityCallback.cpp: Removed.
11988 * runtime/GCActivityCallback.h: Removed.
11989
11990 2014-03-07 Andrew Trick <atrick@apple.com>
11991
11992 Correct a comment typo from:
11993 FTL should call fmod directly on platforms where LLVM cannot relocate the libcall
11994 https://bugs.webkit.org/show_bug.cgi?id=129865
11995
11996 Reviewed by Mark Lam.
11997
11998 * ftl/FTLOutput.h:
11999 (JSC::FTL::Output::doubleRem):
12000
12001 2014-03-07 Mark Hahnenberg <mhahnenberg@apple.com>
12002
12003 Use OwnPtr in StructureIDTable
12004 https://bugs.webkit.org/show_bug.cgi?id=129828
12005
12006 Reviewed by Geoffrey Garen.
12007
12008 This reduces the amount of boilerplate and fixes a memory leak.
12009
12010 * runtime/StructureIDTable.cpp:
12011 (JSC::StructureIDTable::StructureIDTable):
12012 (JSC::StructureIDTable::resize):
12013 (JSC::StructureIDTable::flushOldTables):
12014 (JSC::StructureIDTable::allocateID):
12015 (JSC::StructureIDTable::deallocateID):
12016 * runtime/StructureIDTable.h:
12017 (JSC::StructureIDTable::table):
12018 (JSC::StructureIDTable::get):
12019
12020 2014-03-07 Andrew Trick <atrick@apple.com>
12021
12022 FTL should call fmod directly on platforms where LLVM cannot relocate the libcall
12023 https://bugs.webkit.org/show_bug.cgi?id=129865
12024
12025 Reviewed by Filip Pizlo.
12026
12027 * ftl/FTLIntrinsicRepository.h:
12028 * ftl/FTLOutput.h:
12029 (JSC::FTL::Output::doubleRem):
12030
12031 2014-03-06 Filip Pizlo <fpizlo@apple.com>
12032
12033 If the FTL is build-time enabled then it should be run-time enabled.
12034
12035 Rubber stamped by Geoffrey Garen.
12036
12037 * runtime/Options.cpp:
12038 (JSC::recomputeDependentOptions):
12039 * runtime/Options.h:
12040
12041 2014-03-06 Joseph Pecoraro <pecoraro@apple.com>
12042
12043 [OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port
12044 https://bugs.webkit.org/show_bug.cgi?id=129852
12045
12046 Reviewed by Geoffrey Garen.
12047
12048 * framework.sb: Added.
12049 Sandbox extension to allow access to "com.apple.webinspector".
12050
12051 * JavaScriptCore.xcodeproj/project.pbxproj:
12052 Add a Copy Resources build phase and include framework.sb.
12053
12054 * Configurations/JavaScriptCore.xcconfig:
12055 Do not copy framework.sb on iOS.
12056
12057 2014-03-06 Mark Hahnenberg <mhahnenberg@apple.com>
12058
12059 JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable
12060 https://bugs.webkit.org/show_bug.cgi?id=129858
12061
12062 Reviewed by Mark Lam.
12063
12064 It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock,
12065 but now it ends up overwriting the IdentifierTable that JSLock just restored.
12066
12067 * API/JSContextRef.cpp:
12068 (JSGlobalContextRelease):
12069
12070 2014-03-06 Oliver Hunt <oliver@apple.com>
12071
12072 Fix FTL build.
12073
12074 * dfg/DFGConstantFoldingPhase.cpp:
12075 (JSC::DFG::ConstantFoldingPhase::foldConstants):
12076
12077 2014-03-06 Brent Fulgham <bfulgham@apple.com>
12078
12079 Unreviewed build fix after r165128.
12080
12081 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when
12082 performing 'Production' and 'DebugSuffix' type builds.
12083
12084 2014-03-06 Julien Brianceau <jbriance@cisco.com>
12085
12086 Unreviewed, fix style in my previous commit.
12087 https://bugs.webkit.org/show_bug.cgi?id=129833
12088
12089 * runtime/JSConsole.cpp:
12090
12091 2014-03-06 Julien Brianceau <jbriance@cisco.com>
12092
12093 Build fix: add missing include in JSConsole.cpp.
12094 https://bugs.webkit.org/show_bug.cgi?id=129833
12095
12096 Reviewed by Oliver Hunt.
12097
12098 * runtime/JSConsole.cpp:
12099
12100 2014-03-06 Oliver Hunt <oliver@apple.com>
12101
12102 Fix ARMv7
12103
12104 * jit/CCallHelpers.h:
12105 (JSC::CCallHelpers::setupArgumentsWithExecState):
12106
12107 2014-03-06 Commit Queue <commit-queue@webkit.org>
12108
12109 Unreviewed, rolling out r165196.
12110 http://trac.webkit.org/changeset/165196
12111 https://bugs.webkit.org/show_bug.cgi?id=129822
12112
12113 broke arm64 on hardware (Requested by bfulgham on #webkit).
12114
12115 * assembler/ARM64Assembler.h:
12116 (JSC::ARM64Assembler::lastRegister):
12117 * assembler/MacroAssembler.h:
12118 (JSC::MacroAssembler::isStackRelated):
12119 (JSC::MacroAssembler::firstRealRegister):
12120 (JSC::MacroAssembler::nextRegister):
12121 (JSC::MacroAssembler::secondRealRegister):
12122 * ftl/FTLLocation.cpp:
12123 (JSC::FTL::Location::restoreInto):
12124 * ftl/FTLSaveRestore.cpp:
12125 (JSC::FTL::saveAllRegisters):
12126 (JSC::FTL::restoreAllRegisters):
12127 * ftl/FTLSlowPathCall.cpp:
12128 * jit/RegisterSet.cpp:
12129 (JSC::RegisterSet::specialRegisters):
12130 (JSC::RegisterSet::calleeSaveRegisters):
12131 * jit/RegisterSet.h:
12132
12133 2014-03-06 Mark Lam <mark.lam@apple.com>
12134
12135 REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit).
12136 <https://webkit.org/b/129813>
12137
12138 Reviewed by Michael Saboff.
12139
12140 Fixed broken C loop LLINT build.
12141
12142 * llint/LowLevelInterpreter.cpp:
12143 (JSC::CLoop::execute):
12144 * offlineasm/cloop.rb:
12145
12146 2014-03-03 Oliver Hunt <oliver@apple.com>
12147
12148 Support caching of custom setters
12149 https://bugs.webkit.org/show_bug.cgi?id=129519
12150
12151 Reviewed by Filip Pizlo.
12152
12153 This patch adds caching of assignment to properties that
12154 are backed by C functions. This provides most of the leg
12155 work required to start supporting setters, and resolves
12156 the remaining regressions from moving DOM properties up
12157 the prototype chain.
12158
12159 * JavaScriptCore.xcodeproj/project.pbxproj:
12160 * bytecode/PolymorphicPutByIdList.cpp:
12161 (JSC::PutByIdAccess::visitWeak):
12162 (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
12163 (JSC::PolymorphicPutByIdList::from):
12164 * bytecode/PolymorphicPutByIdList.h:
12165 (JSC::PutByIdAccess::transition):
12166 (JSC::PutByIdAccess::replace):
12167 (JSC::PutByIdAccess::customSetter):
12168 (JSC::PutByIdAccess::isCustom):
12169 (JSC::PutByIdAccess::oldStructure):
12170 (JSC::PutByIdAccess::chain):
12171 (JSC::PutByIdAccess::stubRoutine):
12172 * bytecode/PutByIdStatus.cpp:
12173 (JSC::PutByIdStatus::computeForStubInfo):
12174 (JSC::PutByIdStatus::computeFor):
12175 (JSC::PutByIdStatus::dump):
12176 * bytecode/PutByIdStatus.h:
12177 (JSC::PutByIdStatus::PutByIdStatus):
12178 (JSC::PutByIdStatus::takesSlowPath):
12179 (JSC::PutByIdStatus::makesCalls):
12180 * bytecode/StructureStubInfo.h:
12181 * dfg/DFGAbstractInterpreterInlines.h:
12182 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
12183 * dfg/DFGByteCodeParser.cpp:
12184 (JSC::DFG::ByteCodeParser::emitPutById):
12185 (JSC::DFG::ByteCodeParser::handlePutById):
12186 * dfg/DFGClobberize.h:
12187 (JSC::DFG::clobberize):
12188 * dfg/DFGCommon.h:
12189 * dfg/DFGConstantFoldingPhase.cpp:
12190 (JSC::DFG::ConstantFoldingPhase::foldConstants):
12191 * dfg/DFGFixupPhase.cpp:
12192 (JSC::DFG::FixupPhase::fixupNode):
12193 * dfg/DFGNode.h:
12194 (JSC::DFG::Node::hasIdentifier):
12195 * dfg/DFGNodeType.h:
12196 * dfg/DFGPredictionPropagationPhase.cpp:
12197 (JSC::DFG::PredictionPropagationPhase::propagate):
12198 * dfg/DFGSafeToExecute.h:
12199 (JSC::DFG::safeToExecute):
12200 * dfg/DFGSpeculativeJIT.cpp:
12201 (JSC::DFG::SpeculativeJIT::compileIn):
12202 * dfg/DFGSpeculativeJIT.h:
12203 * dfg/DFGSpeculativeJIT32_64.cpp:
12204 (JSC::DFG::SpeculativeJIT::cachedGetById):
12205 (JSC::DFG::SpeculativeJIT::cachedPutById):
12206 (JSC::DFG::SpeculativeJIT::compile):
12207 * dfg/DFGSpeculativeJIT64.cpp:
12208 (JSC::DFG::SpeculativeJIT::cachedGetById):
12209 (JSC::DFG::SpeculativeJIT::cachedPutById):
12210 (JSC::DFG::SpeculativeJIT::compile):
12211 * jit/CCallHelpers.h:
12212 (JSC::CCallHelpers::setupArgumentsWithExecState):
12213 * jit/JITInlineCacheGenerator.cpp:
12214 (JSC::JITByIdGenerator::JITByIdGenerator):
12215 (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
12216 * jit/JITInlineCacheGenerator.h:
12217 (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
12218 * jit/JITOperations.cpp:
12219 * jit/JITOperations.h:
12220 * jit/JITPropertyAccess.cpp:
12221 (JSC::JIT::emit_op_get_by_id):
12222 (JSC::JIT::emit_op_put_by_id):
12223 * jit/JITPropertyAccess32_64.cpp:
12224 (JSC::JIT::emit_op_get_by_id):
12225 (JSC::JIT::emit_op_put_by_id):
12226 * jit/Repatch.cpp:
12227 (JSC::tryCacheGetByID):
12228 (JSC::tryBuildGetByIDList):
12229 (JSC::emitCustomSetterStub):
12230 (JSC::tryCachePutByID):
12231 (JSC::tryBuildPutByIdList):
12232 * jit/SpillRegistersMode.h: Added.
12233 * llint/LLIntSlowPaths.cpp:
12234 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
12235 * runtime/Lookup.h:
12236 (JSC::putEntry):
12237 * runtime/PutPropertySlot.h:
12238 (JSC::PutPropertySlot::setCacheableCustomProperty):
12239 (JSC::PutPropertySlot::customSetter):
12240 (JSC::PutPropertySlot::isCacheablePut):
12241 (JSC::PutPropertySlot::isCacheableCustomProperty):
12242 (JSC::PutPropertySlot::cachedOffset):
12243
12244 2014-03-06 Filip Pizlo <fpizlo@apple.com>
12245
12246 FTL arity fixup should work on ARM64
12247 https://bugs.webkit.org/show_bug.cgi?id=129810
12248
12249 Reviewed by Michael Saboff.
12250
12251 - Using regT5 to pass the thunk return address to arityFixup is shady since that's a
12252 callee-save.
12253
12254 - The FTL path was assuming X86 conventions for where SP points at the top of the prologue.
12255
12256 This makes some more tests pass.
12257
12258 * dfg/DFGJITCompiler.cpp:
12259 (JSC::DFG::JITCompiler::compileFunction):
12260 * ftl/FTLLink.cpp:
12261 (JSC::FTL::link):
12262 * jit/AssemblyHelpers.h:
12263 (JSC::AssemblyHelpers::prologueStackPointerDelta):
12264 * jit/JIT.cpp:
12265 (JSC::JIT::privateCompile):
12266 * jit/ThunkGenerators.cpp:
12267 (JSC::arityFixup):
12268 * llint/LowLevelInterpreter64.asm:
12269 * offlineasm/arm64.rb:
12270 * offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h.
12271
12272 2014-03-06 Mark Hahnenberg <mhahnenberg@apple.com>
12273
12274 Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128
12275 https://bugs.webkit.org/show_bug.cgi?id=129760
12276
12277 Reviewed by Geoffrey Garen.
12278
12279 r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms.
12280 The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere.
12281
12282 * dfg/DFGSpeculativeJIT.cpp:
12283 (JSC::DFG::SpeculativeJIT::writeBarrier):
12284 * dfg/DFGSpeculativeJIT.h:
12285 * dfg/DFGSpeculativeJIT32_64.cpp:
12286 (JSC::DFG::SpeculativeJIT::writeBarrier):
12287 * dfg/DFGSpeculativeJIT64.cpp:
12288 (JSC::DFG::SpeculativeJIT::writeBarrier):
12289 * jit/AssemblyHelpers.h:
12290 (JSC::AssemblyHelpers::checkMarkByte):
12291 * jit/JIT.h:
12292 * jit/JITPropertyAccess.cpp:
12293 * jit/Repatch.cpp:
12294 (JSC::writeBarrier):
12295
12296 2014-03-06 Joseph Pecoraro <pecoraro@apple.com>
12297
12298 Web Inspector: Expose the console object in JSContexts to interact with Web Inspector
12299 https://bugs.webkit.org/show_bug.cgi?id=127944
12300
12301 Reviewed by Geoffrey Garen.
12302
12303 Always expose the Console object in JSContexts, just like we
12304 do for web pages. The default behavior will route to an
12305 attached JSContext inspector. This can be overridden by
12306 setting the ConsoleClient on the JSGlobalObject, which WebCore
12307 does to get slightly different behavior.
12308
12309 * CMakeLists.txt:
12310 * GNUmakefile.list.am:
12311 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
12312 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
12313 * JavaScriptCore.xcodeproj/project.pbxproj:
12314 Update build systems.
12315
12316 * API/tests/testapi.js:
12317 * API/tests/testapi.mm:
12318 Test that "console" exists in C and ObjC contexts.
12319
12320 * runtime/ConsoleClient.cpp: Added.
12321 (JSC::ConsoleClient::printURLAndPosition):
12322 (JSC::ConsoleClient::printMessagePrefix):
12323 (JSC::ConsoleClient::printConsoleMessage):
12324 (JSC::ConsoleClient::printConsoleMessageWithArguments):
12325 (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
12326 (JSC::ConsoleClient::logWithLevel):
12327 (JSC::ConsoleClient::clear):
12328 (JSC::ConsoleClient::dir):
12329 (JSC::ConsoleClient::dirXML):
12330 (JSC::ConsoleClient::table):
12331 (JSC::ConsoleClient::trace):
12332 (JSC::ConsoleClient::assertCondition):
12333 (JSC::ConsoleClient::group):
12334 (JSC::ConsoleClient::groupCollapsed):
12335 (JSC::ConsoleClient::groupEnd):
12336 * runtime/ConsoleClient.h: Added.
12337 (JSC::ConsoleClient::~ConsoleClient):
12338 New private interface for handling the console object's methods.
12339 A lot of the methods funnel through messageWithTypeAndLevel.
12340
12341 * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h.
12342 Moved to JSC namespace.
12343
12344 * runtime/JSGlobalObject.cpp:
12345 (JSC::JSGlobalObject::JSGlobalObject):
12346 (JSC::JSGlobalObject::init):
12347 (JSC::JSGlobalObject::reset):
12348 (JSC::JSGlobalObject::visitChildren):
12349 Create the "console" object when initializing the environment.
12350 Also set the default console client to be the JS context inspector.
12351
12352 * runtime/JSGlobalObject.h:
12353 (JSC::JSGlobalObject::setConsoleClient):
12354 (JSC::JSGlobalObject::consoleClient):
12355 Ability to change the console client, so WebCore can set a custom client.
12356
12357 * runtime/ConsolePrototype.cpp: Added.
12358 (JSC::ConsolePrototype::finishCreation):
12359 (JSC::valueToStringWithUndefinedOrNullCheck):
12360 (JSC::consoleLogWithLevel):
12361 (JSC::consoleProtoFuncDebug):
12362 (JSC::consoleProtoFuncError):
12363 (JSC::consoleProtoFuncLog):
12364 (JSC::consoleProtoFuncWarn):
12365 (JSC::consoleProtoFuncClear):
12366 (JSC::consoleProtoFuncDir):
12367 (JSC::consoleProtoFuncDirXML):
12368 (JSC::consoleProtoFuncTable):
12369 (JSC::consoleProtoFuncTrace):
12370 (JSC::consoleProtoFuncAssert):
12371 (JSC::consoleProtoFuncCount):
12372 (JSC::consoleProtoFuncProfile):
12373 (JSC::consoleProtoFuncProfileEnd):
12374 (JSC::consoleProtoFuncTime):
12375 (JSC::consoleProtoFuncTimeEnd):
12376 (JSC::consoleProtoFuncTimeStamp):
12377 (JSC::consoleProtoFuncGroup):
12378 (JSC::consoleProtoFuncGroupCollapsed):
12379 (JSC::consoleProtoFuncGroupEnd):
12380 * runtime/ConsolePrototype.h: Added.
12381 (JSC::ConsolePrototype::create):
12382 (JSC::ConsolePrototype::createStructure):
12383 (JSC::ConsolePrototype::ConsolePrototype):
12384 Define the console object interface. Parse out required / expected
12385 arguments and throw exceptions when methods are misused.
12386
12387 * runtime/JSConsole.cpp: Added.
12388 * runtime/JSConsole.h: Added.
12389 (JSC::JSConsole::createStructure):
12390 (JSC::JSConsole::create):
12391 (JSC::JSConsole::JSConsole):
12392 Empty "console" object. Everything is in the prototype.
12393
12394 * inspector/JSConsoleClient.cpp: Added.
12395 (Inspector::JSConsoleClient::JSGlobalObjectConsole):
12396 (Inspector::JSConsoleClient::count):
12397 (Inspector::JSConsoleClient::profile):
12398 (Inspector::JSConsoleClient::profileEnd):
12399 (Inspector::JSConsoleClient::time):
12400 (Inspector::JSConsoleClient::timeEnd):
12401 (Inspector::JSConsoleClient::timeStamp):
12402 (Inspector::JSConsoleClient::warnUnimplemented):
12403 (Inspector::JSConsoleClient::internalAddMessage):
12404 * inspector/JSConsoleClient.h: Added.
12405 * inspector/JSGlobalObjectInspectorController.cpp:
12406 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
12407 (Inspector::JSGlobalObjectInspectorController::consoleClient):
12408 * inspector/JSGlobalObjectInspectorController.h:
12409 Default JSContext ConsoleClient implementation. Handle nearly
12410 everything except profile/profileEnd and timeStamp.
12411
124122014-03-06 Andreas Kling <akling@apple.com>
12413
12414 Drop unlinked function code on memory pressure.
12415 <https://webkit.org/b/129789>
12416
12417 Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that
12418 are not currently being compiled.
12419
12420 4.5 MB progression on Membuster.
12421
12422 Reviewed by Geoffrey Garen.
12423
12424 * heap/Heap.cpp:
12425 (JSC::Heap::deleteAllUnlinkedFunctionCode):
12426 * heap/Heap.h:
12427 * runtime/VM.cpp:
12428 (JSC::VM::discardAllCode):
12429
124302014-03-06 Filip Pizlo <fpizlo@apple.com>
12431
12432 Clarify how we deal with "special" registers
12433 https://bugs.webkit.org/show_bug.cgi?id=129806
12434
12435 Reviewed by Michael Saboff.
12436
12437 Previously we had two different places that defined what "stack" registers are, a thing
12438 called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/
12439 "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by
12440 one place and had a baked-in notion of what it meant for a register to be "real" or not.
12441
12442 It's not cool to use words like "real" and "special" to describe registers, especially if you
12443 fail to qualify what that means. This originally made sense on X86 - "real" registers were
12444 the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64,
12445 you also have to worry about the LR register, which we'd want to say is "not real" but it's
12446 also not a "stack" register. This got super confusing.
12447
12448 So, this patch removes any mention of "real" registers, consolidates the knowledge of what is
12449 a "stack" register, and uses the word special only in places where it's clearly defined and
12450 where no better word comes to mind.
12451
12452 This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the
12453 Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this
12454 magically didn't break anything because you never need to save/restore either FP or Q0, but
12455 it was still super weird.
12456
12457 * assembler/ARM64Assembler.h:
12458 (JSC::ARM64Assembler::lastRegister):
12459 * assembler/MacroAssembler.h:
12460 (JSC::MacroAssembler::nextRegister):
12461 * ftl/FTLLocation.cpp:
12462 (JSC::FTL::Location::restoreInto):
12463 * ftl/FTLSaveRestore.cpp:
12464 (JSC::FTL::saveAllRegisters):
12465 (JSC::FTL::restoreAllRegisters):
12466 * ftl/FTLSlowPathCall.cpp:
12467 * jit/RegisterSet.cpp:
12468 (JSC::RegisterSet::reservedHardwareRegisters):
12469 (JSC::RegisterSet::runtimeRegisters):
12470 (JSC::RegisterSet::specialRegisters):
12471 (JSC::RegisterSet::calleeSaveRegisters):
12472 * jit/RegisterSet.h:
12473
124742014-03-06 Filip Pizlo <fpizlo@apple.com>
12475
12476 Unreviewed, fix build.
12477
12478 * disassembler/ARM64Disassembler.cpp:
12479
124802014-03-06 Filip Pizlo <fpizlo@apple.com>
12481
12482 Use the LLVM disassembler on ARM64 if we are enabling the FTL
12483 https://bugs.webkit.org/show_bug.cgi?id=129785
12484
12485 Reviewed by Geoffrey Garen.
12486
12487 Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler
12488 is strictly more capable at this point. Use it if it's available.
12489
12490 * disassembler/ARM64Disassembler.cpp:
12491 (JSC::tryToDisassemble):
12492
124932014-03-05 Joseph Pecoraro <pecoraro@apple.com>
12494
12495 Web Inspector: Reduce RWI message frequency
12496 https://bugs.webkit.org/show_bug.cgi?id=129767
12497
12498 Reviewed by Timothy Hatcher.
12499
12500 This used to be 0.2s and changed by accident to 0.02s.
12501
12502 * inspector/remote/RemoteInspector.mm:
12503 (Inspector::RemoteInspector::pushListingSoon):
12504
125052014-03-05 Commit Queue <commit-queue@webkit.org>
12506
12507 Unreviewed, rolling out r165141, r165157, and r165158.
12508 http://trac.webkit.org/changeset/165141
12509 http://trac.webkit.org/changeset/165157
12510 http://trac.webkit.org/changeset/165158
12511 https://bugs.webkit.org/show_bug.cgi?id=129772
12512
12513 "broke ftl" (Requested by olliej_ on #webkit).
12514
12515 * JavaScriptCore.xcodeproj/project.pbxproj:
12516 * bytecode/PolymorphicPutByIdList.cpp:
12517 (JSC::PutByIdAccess::visitWeak):
12518 (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
12519 (JSC::PolymorphicPutByIdList::from):
12520 * bytecode/PolymorphicPutByIdList.h:
12521 (JSC::PutByIdAccess::transition):
12522 (JSC::PutByIdAccess::replace):
12523 (JSC::PutByIdAccess::oldStructure):
12524 (JSC::PutByIdAccess::chain):
12525 (JSC::PutByIdAccess::stubRoutine):
12526 * bytecode/PutByIdStatus.cpp:
12527 (JSC::PutByIdStatus::computeForStubInfo):
12528 (JSC::PutByIdStatus::computeFor):
12529 (JSC::PutByIdStatus::dump):
12530 * bytecode/PutByIdStatus.h:
12531 (JSC::PutByIdStatus::PutByIdStatus):
12532 (JSC::PutByIdStatus::takesSlowPath):
12533 * bytecode/StructureStubInfo.h:
12534 * dfg/DFGAbstractInterpreterInlines.h:
12535 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
12536 * dfg/DFGByteCodeParser.cpp:
12537 (JSC::DFG::ByteCodeParser::emitPutById):
12538 (JSC::DFG::ByteCodeParser::handlePutById):
12539 * dfg/DFGClobberize.h:
12540 (JSC::DFG::clobberize):
12541 * dfg/DFGCommon.h:
12542 * dfg/DFGConstantFoldingPhase.cpp:
12543 (JSC::DFG::ConstantFoldingPhase::foldConstants):
12544 * dfg/DFGFixupPhase.cpp:
12545 (JSC::DFG::FixupPhase::fixupNode):
12546 * dfg/DFGNode.h:
12547 (JSC::DFG::Node::hasIdentifier):
12548 * dfg/DFGNodeType.h:
12549 * dfg/DFGPredictionPropagationPhase.cpp:
12550 (JSC::DFG::PredictionPropagationPhase::propagate):
12551 * dfg/DFGSafeToExecute.h:
12552 (JSC::DFG::safeToExecute):
12553 * dfg/DFGSpeculativeJIT.cpp:
12554 (JSC::DFG::SpeculativeJIT::compileIn):
12555 * dfg/DFGSpeculativeJIT.h:
12556 * dfg/DFGSpeculativeJIT32_64.cpp:
12557 (JSC::DFG::SpeculativeJIT::cachedGetById):
12558 (JSC::DFG::SpeculativeJIT::cachedPutById):
12559 (JSC::DFG::SpeculativeJIT::compile):
12560 * dfg/DFGSpeculativeJIT64.cpp:
12561 (JSC::DFG::SpeculativeJIT::cachedGetById):
12562 (JSC::DFG::SpeculativeJIT::cachedPutById):
12563 (JSC::DFG::SpeculativeJIT::compile):
12564 * ftl/FTLCompile.cpp:
12565 (JSC::FTL::fixFunctionBasedOnStackMaps):
12566 * jit/CCallHelpers.h:
12567 (JSC::CCallHelpers::setupArgumentsWithExecState):
12568 * jit/JITInlineCacheGenerator.cpp:
12569 (JSC::JITByIdGenerator::JITByIdGenerator):
12570 (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
12571 * jit/JITInlineCacheGenerator.h:
12572 (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
12573 * jit/JITOperations.cpp:
12574 * jit/JITOperations.h:
12575 * jit/JITPropertyAccess.cpp:
12576 (JSC::JIT::emit_op_get_by_id):
12577 (JSC::JIT::emit_op_put_by_id):
12578 * jit/JITPropertyAccess32_64.cpp:
12579 (JSC::JIT::emit_op_get_by_id):
12580 (JSC::JIT::emit_op_put_by_id):
12581 * jit/Repatch.cpp:
12582 (JSC::tryCacheGetByID):
12583 (JSC::tryBuildGetByIDList):
12584 (JSC::tryCachePutByID):
12585 (JSC::tryBuildPutByIdList):
12586 * jit/SpillRegistersMode.h: Removed.
12587 * llint/LLIntSlowPaths.cpp:
12588 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
12589 * runtime/Lookup.h:
12590 (JSC::putEntry):
12591 * runtime/PutPropertySlot.h:
12592 (JSC::PutPropertySlot::isCacheable):
12593 (JSC::PutPropertySlot::cachedOffset):
12594
125952014-03-05 Joseph Pecoraro <pecoraro@apple.com>
12596
12597 Web Inspector: Prevent possible deadlock in view indication
12598 https://bugs.webkit.org/show_bug.cgi?id=129766
12599
12600 Reviewed by Geoffrey Garen.
12601
12602 * inspector/remote/RemoteInspector.mm:
12603 (Inspector::RemoteInspector::receivedIndicateMessage):
12604
126052014-03-05 Mark Hahnenberg <mhahnenberg@apple.com>
12606
12607 JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot
12608 https://bugs.webkit.org/show_bug.cgi?id=129754
12609
12610 Reviewed by Geoffrey Garen.
12611
12612 InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo.
12613
12614 * runtime/JSCell.h:
12615 (JSC::JSCell::inlineTypeFlags):
12616 * runtime/JSObject.h:
12617 (JSC::JSObject::fastGetOwnPropertySlot):
12618 * runtime/JSTypeInfo.h:
12619 (JSC::TypeInfo::TypeInfo):
12620 (JSC::TypeInfo::overridesGetOwnPropertySlot):
12621
126222014-03-05 Joseph Pecoraro <pecoraro@apple.com>
12623
12624 Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()
12625 https://bugs.webkit.org/show_bug.cgi?id=129763
12626
12627 Reviewed by Geoffrey Garen.
12628
12629 Clear the list of all breakpoints, including unresolved breakpoints.
12630
12631 * inspector/agents/InspectorDebuggerAgent.cpp:
12632 (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
12633
126342014-03-05 Mark Lam <mark.lam@apple.com>
12635
12636 llint_slow_path_check_has_instance() should not adjust PC before accessing operands.
12637 <https://webkit.org/b/129768>
12638
12639 Reviewed by Mark Hahnenberg.
12640
12641 When evaluating "a instanceof b" where b is an object that ImplementsHasInstance
12642 and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow
12643 path llint_slow_path_check_has_instance(), and execute a code path that does the
12644 following:
12645 1. Adjusts the byte code PC to the jump target PC.
12646 2. For the purpose of storing the result, gets the result registerIndex from the
12647 1st operand using the PC as if the PC is still pointing to op_check_has_instance
12648 bytecode.
12649
12650 The result is that whatever value resides after where the jump target PC is will
12651 be used as a result register value. Depending on what that value is, the result
12652 can be:
12653 1. the code coincidentally works correctly
12654 2. memory corruption
12655 3. crashes
12656
12657 The fix is to only adjust the byte code PC after we have stored the result.
12658
12659 * llint/LLIntSlowPaths.cpp:
12660 (llint_slow_path_check_has_instance):
12661
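To make the ordering bug in this entry concrete, here is an added C++ sketch that is not JSC code: a toy interpreter slow path that reads the destination operand either after the PC has already been moved to the jump target (the pre-fix order) or before it (the fixed order). The instruction layout, register file and programs are constructed for the example.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Constructed toy bytecode: each instruction is a run of ints.
//   op_check_has_instance: [opcode, dstRegister, valueRegister, baseRegister, jumpOffset]
//   op_ret:                [opcode, srcRegister]
enum Opcode : int { op_check_has_instance = 1, op_ret = 2 };

struct SlowPathOutcome {
    std::size_t pcAfter;   // instruction index that executes next
    int registerWritten;   // register the result landed in, or -1 if the write was refused
    bool outOfRange;       // the operand named a register that does not exist
};

// Pre-fix ordering: move the PC to the jump target first, then read "dst" relative to
// the *new* PC. Whatever int sits one slot past the jump target becomes the register
// index. The write is bounds-checked here so the demo reports the fault instead of
// corrupting memory; an interpreter's register file has no such check.
SlowPathOutcome buggySlowPath(const std::vector<int>& code, std::size_t pc,
                              std::vector<int>& registers, int result)
{
    pc += static_cast<std::size_t>(code[pc + 4]);   // 1. PC adjusted to the jump target
    int dst = code[pc + 1];                          // 2. "dst" read from the wrong instruction
    if (dst < 0 || static_cast<std::size_t>(dst) >= registers.size())
        return { pc, -1, true };
    registers[static_cast<std::size_t>(dst)] = result;
    return { pc, dst, false };
}

// Fixed ordering: read the operands of the instruction actually being executed, store
// the result, and only then move the PC.
SlowPathOutcome fixedSlowPath(const std::vector<int>& code, std::size_t pc,
                              std::vector<int>& registers, int result)
{
    int dst = code[pc + 1];                          // operand of op_check_has_instance
    registers[static_cast<std::size_t>(dst)] = result;
    pc += static_cast<std::size_t>(code[pc + 4]);   // PC moved after the store
    return { pc, dst, false };
}

// Program 1: the slot after the jump target holds a valid but different register (3),
// so the buggy path silently writes the wrong register ("coincidentally works" only
// when that slot happens to equal dst).
const std::vector<int> kWrongRegisterProgram = {
    op_check_has_instance, /*dst*/ 1, /*value*/ 0, /*base*/ 2, /*jump*/ 5,
    op_ret, /*src*/ 3,
};

// Program 2: the slot after the jump target is not a register operand at all, so
// the buggy path would write far outside the register file.
const std::vector<int> kCorruptingProgram = {
    op_check_has_instance, /*dst*/ 1, /*value*/ 0, /*base*/ 2, /*jump*/ 5,
    op_ret, /*src*/ 4096,
};

// Helpers that run one variant over a fresh four-register file.
SlowPathOutcome runBuggy(const std::vector<int>& program) {
    std::vector<int> registers(4, 0);
    return buggySlowPath(program, 0, registers, /*result*/ 1);
}
SlowPathOutcome runFixed(const std::vector<int>& program) {
    std::vector<int> registers(4, 0);
    return fixedSlowPath(program, 0, registers, /*result*/ 1);
}

int main() {
    SlowPathOutcome b = runBuggy(kWrongRegisterProgram);
    SlowPathOutcome f = runFixed(kWrongRegisterProgram);
    std::printf("wrong-register program: buggy wrote r%d, fixed wrote r%d\n",
                b.registerWritten, f.registerWritten);
    SlowPathOutcome c = runBuggy(kCorruptingProgram);
    std::printf("corrupting program: buggy path %s\n",
                c.outOfRange ? "refused an out-of-range write" : "wrote in range");
    return 0;
}
```
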
126622014-03-05 Ryosuke Niwa <rniwa@webkit.org>
12663
12664 Another build fix attempt after r165141.
12665
12666 * ftl/FTLCompile.cpp:
12667 (JSC::FTL::fixFunctionBasedOnStackMaps):
12668
126692014-03-05 Ryosuke Niwa <rniwa@webkit.org>
12670
12671 FTL build fix attempt after r165141.
12672
12673 * ftl/FTLCompile.cpp:
12674 (JSC::FTL::fixFunctionBasedOnStackMaps):
12675
126762014-03-05 Gavin Barraclough <barraclough@apple.com>
12677
12678 https://bugs.webkit.org/show_bug.cgi?id=128625
12679 Add fast mapping from StringImpl to JSString
12680
12681 Unreviewed roll-out.
12682
12683 Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.
12684
12685 * runtime/JSString.cpp:
12686 * runtime/JSString.h:
12687 * runtime/VM.cpp:
12688 (JSC::VM::createLeaked):
12689 * runtime/VM.h:
12690
126912014-03-03 Oliver Hunt <oliver@apple.com>
12692
12693 Support caching of custom setters
12694 https://bugs.webkit.org/show_bug.cgi?id=129519
12695
12696 Reviewed by Filip Pizlo.
12697
12698 This patch adds caching of assignment to properties that
12699 are backed by C functions. This provides most of the leg
12700 work required to start supporting setters, and resolves
12701 the remaining regressions from moving DOM properties up
12702 the prototype chain.
12703
12704 * JavaScriptCore.xcodeproj/project.pbxproj:
12705 * bytecode/PolymorphicPutByIdList.cpp:
12706 (JSC::PutByIdAccess::visitWeak):
12707 (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
12708 (JSC::PolymorphicPutByIdList::from):
12709 * bytecode/PolymorphicPutByIdList.h:
12710 (JSC::PutByIdAccess::transition):
12711 (JSC::PutByIdAccess::replace):
12712 (JSC::PutByIdAccess::customSetter):
12713 (JSC::PutByIdAccess::isCustom):
12714 (JSC::PutByIdAccess::oldStructure):
12715 (JSC::PutByIdAccess::chain):
12716 (JSC::PutByIdAccess::stubRoutine):
12717 * bytecode/PutByIdStatus.cpp:
12718 (JSC::PutByIdStatus::computeForStubInfo):
12719 (JSC::PutByIdStatus::computeFor):
12720 (JSC::PutByIdStatus::dump):
12721 * bytecode/PutByIdStatus.h:
12722 (JSC::PutByIdStatus::PutByIdStatus):
12723 (JSC::PutByIdStatus::takesSlowPath):
12724 (JSC::PutByIdStatus::makesCalls):
12725 * bytecode/StructureStubInfo.h:
12726 * dfg/DFGAbstractInterpreterInlines.h:
12727 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
12728 * dfg/DFGByteCodeParser.cpp:
12729 (JSC::DFG::ByteCodeParser::emitPutById):
12730 (JSC::DFG::ByteCodeParser::handlePutById):
12731 * dfg/DFGClobberize.h:
12732 (JSC::DFG::clobberize):
12733 * dfg/DFGCommon.h:
12734 * dfg/DFGConstantFoldingPhase.cpp:
12735 (JSC::DFG::ConstantFoldingPhase::foldConstants):
12736 * dfg/DFGFixupPhase.cpp:
12737 (JSC::DFG::FixupPhase::fixupNode):
12738 * dfg/DFGNode.h:
12739 (JSC::DFG::Node::hasIdentifier):
12740 * dfg/DFGNodeType.h:
12741 * dfg/DFGPredictionPropagationPhase.cpp:
12742 (JSC::DFG::PredictionPropagationPhase::propagate):
12743 * dfg/DFGSafeToExecute.h:
12744 (JSC::DFG::safeToExecute):
12745 * dfg/DFGSpeculativeJIT.cpp:
12746 (JSC::DFG::SpeculativeJIT::compileIn):
12747 * dfg/DFGSpeculativeJIT.h:
12748 * dfg/DFGSpeculativeJIT32_64.cpp:
12749 (JSC::DFG::SpeculativeJIT::cachedGetById):
12750 (JSC::DFG::SpeculativeJIT::cachedPutById):
12751 (JSC::DFG::SpeculativeJIT::compile):
12752 * dfg/DFGSpeculativeJIT64.cpp:
12753 (JSC::DFG::SpeculativeJIT::cachedGetById):
12754 (JSC::DFG::SpeculativeJIT::cachedPutById):
12755 (JSC::DFG::SpeculativeJIT::compile):
12756 * jit/CCallHelpers.h:
12757 (JSC::CCallHelpers::setupArgumentsWithExecState):
12758 * jit/JITInlineCacheGenerator.cpp:
12759 (JSC::JITByIdGenerator::JITByIdGenerator):
12760 (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
12761 * jit/JITInlineCacheGenerator.h:
12762 (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
12763 * jit/JITOperations.cpp:
12764 * jit/JITOperations.h:
12765 * jit/JITPropertyAccess.cpp:
12766 (JSC::JIT::emit_op_get_by_id):
12767 (JSC::JIT::emit_op_put_by_id):
12768 * jit/JITPropertyAccess32_64.cpp:
12769 (JSC::JIT::emit_op_get_by_id):
12770 (JSC::JIT::emit_op_put_by_id):
12771 * jit/Repatch.cpp:
12772 (JSC::tryCacheGetByID):
12773 (JSC::tryBuildGetByIDList):
12774 (JSC::emitCustomSetterStub):
12775 (JSC::tryCachePutByID):
12776 (JSC::tryBuildPutByIdList):
12777 * jit/SpillRegistersMode.h: Added.
12778 * llint/LLIntSlowPaths.cpp:
12779 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
12780 * runtime/Lookup.h:
12781 (JSC::putEntry):
12782 * runtime/PutPropertySlot.h:
12783 (JSC::PutPropertySlot::setCacheableCustomProperty):
12784 (JSC::PutPropertySlot::customSetter):
12785 (JSC::PutPropertySlot::isCacheablePut):
12786 (JSC::PutPropertySlot::isCacheableCustomProperty):
12787 (JSC::PutPropertySlot::cachedOffset):
12788
127892014-03-05 Mark Hahnenberg <mhahnenberg@apple.com>
12790
12791 JSCell::m_gcData should encode its information differently
12792 https://bugs.webkit.org/show_bug.cgi?id=129741
12793
12794 Reviewed by Geoffrey Garen.
12795
12796 We want to keep track of three GC states for an object:
12797
12798 1. Not marked (which implies not in the remembered set)
12799 2. Marked but not in the remembered set
12800 3. Marked and in the remembered set
12801
12802 Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write
12803 barrier, we only want to take the slow path if the object being stored to is in state #2.
12804 We'd like to make the test for state #2 as fast as possible, which means making it a
12805 compare against 0.
12806
12807 * dfg/DFGOSRExitCompilerCommon.cpp:
12808 (JSC::DFG::osrWriteBarrier):
12809 * dfg/DFGSpeculativeJIT.cpp:
12810 (JSC::DFG::SpeculativeJIT::checkMarkByte):
12811 (JSC::DFG::SpeculativeJIT::writeBarrier):
12812 * dfg/DFGSpeculativeJIT.h:
12813 * dfg/DFGSpeculativeJIT32_64.cpp:
12814 (JSC::DFG::SpeculativeJIT::writeBarrier):
12815 * dfg/DFGSpeculativeJIT64.cpp:
12816 (JSC::DFG::SpeculativeJIT::writeBarrier):
12817 * ftl/FTLLowerDFGToLLVM.cpp:
12818 (JSC::FTL::LowerDFGToLLVM::allocateCell):
12819 (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
12820 * heap/Heap.cpp:
12821 (JSC::Heap::clearRememberedSet):
12822 (JSC::Heap::addToRememberedSet):
12823 * jit/AssemblyHelpers.h:
12824 (JSC::AssemblyHelpers::checkMarkByte):
12825 * jit/JIT.h:
12826 * jit/JITPropertyAccess.cpp:
12827 (JSC::JIT::checkMarkByte):
12828 (JSC::JIT::emitWriteBarrier):
12829 * jit/Repatch.cpp:
12830 (JSC::writeBarrier):
12831 * llint/LowLevelInterpreter.asm:
12832 * llint/LowLevelInterpreter32_64.asm:
12833 * llint/LowLevelInterpreter64.asm:
12834 * runtime/JSCell.h:
12835 (JSC::JSCell::mark):
12836 (JSC::JSCell::remember):
12837 (JSC::JSCell::forget):
12838 (JSC::JSCell::isMarked):
12839 (JSC::JSCell::isRemembered):
12840 * runtime/JSCellInlines.h:
12841 (JSC::JSCell::JSCell):
12842 * runtime/StructureIDBlob.h:
12843 (JSC::StructureIDBlob::StructureIDBlob):
12844
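The three-state encoding this entry describes, as an added C++ example (not JSC's code): the concrete byte values are this example's choice, picked so that the only state that must take the write-barrier slow path compares equal to 0, and a small heap drives the mark / remember / forget cycle around it.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed encoding of the three GC states in one byte (values are ours, not JSC's).
// The state that must take the barrier slow path is 0, so the emitted fast-path test is
// "load byte, compare against 0".
enum : uint8_t {
    kMarkedNotRemembered = 0,   // state 2: old object not yet in the remembered set
    kMarkedAndRemembered = 1,   // state 3: old object already in the remembered set
    kNotMarked           = 2,   // state 1: young object (implies not remembered)
};

struct Cell {
    uint8_t gcData = kNotMarked;
    std::vector<Cell*> slots;   // outgoing references

    bool isMarked() const { return gcData != kNotMarked; }
    bool isRemembered() const { return gcData == kMarkedAndRemembered; }
    void mark() { if (gcData == kNotMarked) gcData = kMarkedNotRemembered; }
    void remember() { gcData = kMarkedAndRemembered; }
    void forget() { gcData = kMarkedNotRemembered; }   // only called on remembered cells
};

struct Heap {
    std::vector<Cell*> rememberedSet;
    int slowPathHits = 0;

    // The barrier as emitted code would see it: one byte load and one compare
    // against zero decide between the inline fast path and the slow path.
    void writeBarrier(Cell* owner) {
        if (owner->gcData != 0)   // young, or already remembered: nothing to do
            return;
        ++slowPathHits;
        owner->remember();
        rememberedSet.push_back(owner);
    }

    // A reference store with its barrier.
    void storeReference(Cell* owner, std::size_t index, Cell* value) {
        owner->slots[index] = value;
        writeBarrier(owner);
    }

    // Eden collection finished: remembered cells return to "marked, not remembered".
    void clearRememberedSet() {
        for (Cell* cell : rememberedSet)
            cell->forget();
        rememberedSet.clear();
    }
};

// Sanity check of the encoding: exactly the marked-but-not-remembered state is 0.
bool onlyMarkedNotRememberedIsZero() {
    Cell c;                               // fresh: young
    bool young = c.gcData != 0 && !c.isMarked() && !c.isRemembered();
    c.mark();                             // survived a full collection: old
    bool oldUnremembered = c.gcData == 0 && c.isMarked() && !c.isRemembered();
    c.remember();
    bool oldRemembered = c.gcData != 0 && c.isMarked() && c.isRemembered();
    return young && oldUnremembered && oldRemembered;
}

// Drives one cycle and reports how many stores took the slow path: two stores into
// an old object (1 slow, 1 fast), one store into a young object (fast), an eden GC,
// then one more store into the old object (slow again).
int demoSlowPathHits() {
    Heap heap;
    Cell old, young;
    old.slots.resize(2);
    young.slots.resize(1);
    old.mark();                              // old object
    heap.storeReference(&old, 0, &young);    // slow: old -> young edge must be recorded
    heap.storeReference(&old, 1, &young);    // fast: already remembered
    heap.storeReference(&young, 0, &old);    // fast: young objects never need the barrier
    heap.clearRememberedSet();               // eden GC done; old is forgotten
    heap.storeReference(&old, 0, &young);    // slow again
    return heap.slowPathHits;                // 2
}

int main() {
    std::printf("encoding ok: %d, slow-path hits: %d\n",
                onlyMarkedNotRememberedIsZero() ? 1 : 0, demoSlowPathHits());
    return 0;
}
```
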
128452014-03-05 Filip Pizlo <fpizlo@apple.com>
12846
12847 More FTL ARM fixes
12848 https://bugs.webkit.org/show_bug.cgi?id=129755
12849
12850 Reviewed by Geoffrey Garen.
12851
12852 - Be more defensive about inline caches that have degenerate chains.
12853
12854 - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
12855 platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756
12856
12857 - Don't even emit intrinsic declarations on non-x86 platforms.
12858
12859 - More debug printing support.
12860
12861 - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
12862 but somehow it gets lucky on x86.
12863
12864 * bytecode/GetByIdStatus.cpp:
12865 (JSC::GetByIdStatus::appendVariant):
12866 (JSC::GetByIdStatus::computeForChain):
12867 (JSC::GetByIdStatus::computeForStubInfo):
12868 * bytecode/GetByIdStatus.h:
12869 * bytecode/PutByIdStatus.cpp:
12870 (JSC::PutByIdStatus::appendVariant):
12871 (JSC::PutByIdStatus::computeForStubInfo):
12872 * bytecode/PutByIdStatus.h:
12873 * bytecode/StructureSet.h:
12874 (JSC::StructureSet::overlaps):
12875 * ftl/FTLCompile.cpp:
12876 (JSC::FTL::mmAllocateDataSection):
12877 * ftl/FTLDataSection.cpp:
12878 (JSC::FTL::DataSection::DataSection):
12879 (JSC::FTL::DataSection::~DataSection):
12880 * ftl/FTLDataSection.h:
12881 * ftl/FTLLowerDFGToLLVM.cpp:
12882 (JSC::FTL::LowerDFGToLLVM::lower):
12883 * ftl/FTLOutput.h:
12884 (JSC::FTL::Output::doubleSin):
12885 (JSC::FTL::Output::doubleCos):
12886 * runtime/JSCJSValue.cpp:
12887 (JSC::JSValue::dumpInContext):
12888 * runtime/JSCell.h:
12889 (JSC::JSCell::structureID):
12890
128912014-03-05 peavo@outlook.com <peavo@outlook.com>
12892
12893 [Win32][LLINT] Crash when running JSC stress tests.
12894 https://bugs.webkit.org/show_bug.cgi?id=129429
12895
12896 On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
12897 where the guard page is a barrier between committed and uncommitted memory.
12898 When data from the guard page is read or written, the guard page is moved, and memory is committed.
12899 This is how the system grows the stack.
12900 When using the C stack on Windows we need to precommit the needed stack space.
12901 Otherwise we might crash later if we access uncommitted stack memory.
12902 This can happen if we allocate stack space larger than the page guard size (4K).
12903 The system does not get the chance to move the guard page, and commit more memory,
12904 and we crash if uncommitted memory is accessed.
12905 The MSVC compiler fixes this by inserting a call to the _chkstk() function,
12906 when needed, see http://support.microsoft.com/kb/100775.
12907
12908 Reviewed by Geoffrey Garen.
12909
12910 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
12911 * jit/Repatch.cpp:
12912 (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
12913 * offlineasm/x86.rb: Compile fix, and small simplification.
12914 * runtime/VM.cpp:
12915 (JSC::preCommitStackMemory): Added function to precommit stack memory.
12916 (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.
12917
129182014-03-05 Michael Saboff <msaboff@apple.com>
12919
12920 JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
12921 https://bugs.webkit.org/show_bug.cgi?id=129746
12922
12923 Reviewed by Filip Pizlo.
12924
12925 Changed to use a union to manually assemble or disassemble the various types
12926 from / to the corresponding bytes. All memory access is now done using
12927 byte accesses.
12928
12929 * runtime/JSDataViewPrototype.cpp:
12930 (JSC::getData):
12931 (JSC::setData):
12932
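An added C++ illustration of the byte-wise approach this entry describes; it is not JSC's getData()/setData(). A small DataView-like wrapper assembles and disassembles values through a union one byte at a time, honours the requested byte order, and refuses out-of-range offsets instead of reading past the buffer. Names and layout are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed stand-in for a DataView: a byte buffer plus typed accessors that
// never perform a wider-than-byte memory access, so an unaligned "offset" is safe
// on targets that fault on unaligned loads and stores.
struct ByteView {
    std::vector<uint8_t> bytes;

    // Host byte order, probed at run time so the code stays portable.
    static bool hostIsLittleEndian() {
        uint16_t probe = 1;
        uint8_t first;
        std::memcpy(&first, &probe, 1);
        return first == 1;
    }

    // Assemble a T from bytes[offset, offset + sizeof T) in the requested order.
    // Returns false instead of reading past the end (where DataView throws RangeError).
    template <typename T>
    bool get(std::size_t offset, bool littleEndian, T& out) const {
        if (offset > bytes.size() || sizeof(T) > bytes.size() - offset)
            return false;
        union { T value; uint8_t raw[sizeof(T)]; } u;
        bool sameOrder = (littleEndian == hostIsLittleEndian());
        for (std::size_t i = 0; i < sizeof(T); ++i)
            u.raw[sameOrder ? i : sizeof(T) - 1 - i] = bytes[offset + i];
        out = u.value;
        return true;
    }

    // Disassemble v into bytes[offset, offset + sizeof T) in the requested order.
    template <typename T>
    bool set(std::size_t offset, bool littleEndian, T v) {
        if (offset > bytes.size() || sizeof(T) > bytes.size() - offset)
            return false;
        union { T value; uint8_t raw[sizeof(T)]; } u;
        u.value = v;
        bool sameOrder = (littleEndian == hostIsLittleEndian());
        for (std::size_t i = 0; i < sizeof(T); ++i)
            bytes[offset + i] = u.raw[sameOrder ? i : sizeof(T) - 1 - i];
        return true;
    }
};

// Writes 1.5 as a little-endian float64 at the unaligned offset 3 and reads it back.
// IEEE-754 1.5 is 0x3FF8000000000000, so the buffer holds 00 00 00 00 00 00 F8 3F
// from offset 3 and the byte at offset 11 is untouched.
bool roundTripUnalignedDouble() {
    ByteView view;
    view.bytes.assign(16, 0xAA);
    if (!view.set<double>(3, true, 1.5))
        return false;
    double back = 0;
    if (!view.get<double>(3, true, back) || back != 1.5)
        return false;
    double swapped = 0;                        // same bytes, other byte order: not 1.5
    if (!view.get<double>(3, false, swapped) || swapped == 1.5)
        return false;
    return view.bytes[9] == 0xF8 && view.bytes[10] == 0x3F && view.bytes[11] == 0xAA;
}

// An access that would run past the buffer is refused; one that fits is served.
bool rejectsOutOfRange() {
    ByteView view;
    view.bytes.assign(8, 0);
    uint32_t v = 0;
    return !view.get<uint32_t>(6, true, v) && view.get<uint32_t>(4, true, v);
}

int main() {
    std::printf("round trip ok: %d, range check ok: %d\n",
                roundTripUnalignedDouble() ? 1 : 0, rejectsOutOfRange() ? 1 : 0);
    return 0;
}
```
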
129332014-03-05 Filip Pizlo <fpizlo@apple.com>
12934
12935 FTL loadStructure always generates invalid IR
12936 https://bugs.webkit.org/show_bug.cgi?id=129747
12937
12938 Reviewed by Mark Hahnenberg.
12939
12940 As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
12941 of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
12942 to have a pointer to a type, and you can only load things of that type from that
12943 pointer. Pointer arithmetic is basically not possible except through the bizarre
12944 getelementptr operator. This doesn't fit with how the JS object model works since
12945 the JS object model doesn't consist of nice and tidy C types placed in C arrays.
12946 Also, it would be impossible to use getelementptr and LLVM pointers for accessing
12947 any of JSC's C or C++ objects unless we went through the exercise of redeclaring
12948 all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
12949 this for us, but that would require that to use the FTL, JSC itself would have to
12950 be compiled with clang. Worse, it would have to be compiled with a clang that uses
12951 a version of LLVM that is compatible with the one against which the FTL is linked.
12952 Yuck!
12953
12954 The solution is to NEVER use LLVM pointers. This has always been the case in the
12955 FTL. But it causes some confusion.
12956
12957 Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
12958 pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
12959 "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
12960 pointer that has the type that we want. The load and store operations over pointers
12961 are called Output::load* and Output::store*, where * is one of "8", "16", "32",
12962 "64", "Ptr", "Float", or "Double".
12963
12964 There is unavoidable confusion here. It would be bizarre for the FTL to call its
12965 "pointer-wide integers" anything other than "pointers", since they are, in all
12966 respects that we care about, simply pointers. But they are *not* LLVM pointers and
12967 they never will be that.
12968
12969 There is one exception to this "no pointers" rule. The FTL does use actual LLVM
12970 pointers for referring to LLVM alloca's - i.e. local variables. To try to reduce
12971 confusion, we call these "references". So an "FTL reference" is actually an "LLVM
12972 pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
12973 methods for access called Output::get and Output::set. These lower to LLVM load
12974 and store, since FTL references are just LLVM pointers.
12975
12976 This confusion appears to have led to incorrect code in loadStructure().
12977 loadStructure() was using get() and set() to access FTL pointers. But those methods
12978 don't work on FTL pointers and never will, since they are for FTL references.
12979
12980 The worst part of this is that it was previously impossible to have test coverage
12981 for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
12982 patch fixes this by introducing a Masquerader object to jsc.cpp.
12983
12984 * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
12985 * ftl/FTLLowerDFGToLLVM.cpp:
12986 (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
12987 * ftl/FTLOutput.h: Add a comment to dissuade people from using get() and set().
12988 * jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
12989 (WTF::Masquerader::Masquerader):
12990 (WTF::Masquerader::create):
12991 (WTF::Masquerader::createStructure):
12992 (GlobalObject::finishCreation):
12993 (functionMakeMasquerader):
12994 * tests/stress/equals-masquerader.js: Added.
12995 (foo):
12996 (test):
12997
129982014-03-05 Anders Carlsson <andersca@apple.com>
12999
13000 Tweak after r165109 to avoid extra copies
13001 https://bugs.webkit.org/show_bug.cgi?id=129745
13002
13003 Reviewed by Geoffrey Garen.
13004
13005 * heap/Heap.cpp:
13006 (JSC::Heap::visitProtectedObjects):
13007 (JSC::Heap::visitTempSortVectors):
13008 (JSC::Heap::clearRememberedSet):
13009 * heap/Heap.h:
13010 (JSC::Heap::forEachProtectedCell):
13011
130122014-03-05 Mark Hahnenberg <mhahnenberg@apple.com>
13013
13014 DFGStoreBarrierElisionPhase should use GCState directly instead of m_gcClobberSet when calling writesOverlap()
13015 https://bugs.webkit.org/show_bug.cgi?id=129717
13016
13017 Reviewed by Filip Pizlo.
13018
13019 * dfg/DFGStoreBarrierElisionPhase.cpp:
13020 (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
13021 (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):
13022
130232014-03-05 Mark Hahnenberg <mhahnenberg@apple.com>
13024
13025 Use range-based loops where possible in Heap methods
13026 https://bugs.webkit.org/show_bug.cgi?id=129513
13027
13028 Reviewed by Mark Lam.
13029
13030 Replace old school iterator based loops with the new range-based loop hotness
13031 for a better tomorrow.
13032
13033 * heap/CodeBlockSet.cpp:
13034 (JSC::CodeBlockSet::~CodeBlockSet):
13035 (JSC::CodeBlockSet::clearMarks):
13036 (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
13037 (JSC::CodeBlockSet::traceMarked):
13038 * heap/Heap.cpp:
13039 (JSC::Heap::visitProtectedObjects):
13040 (JSC::Heap::visitTempSortVectors):
13041 (JSC::Heap::clearRememberedSet):
13042 * heap/Heap.h:
13043 (JSC::Heap::forEachProtectedCell):
13044
130452014-03-04 Filip Pizlo <fpizlo@apple.com>
13046
13047 DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
13048 https://bugs.webkit.org/show_bug.cgi?id=129563
13049
13050 Reviewed by Geoffrey Garen.
13051
13052 Rolling this back in after fixing an assertion failure. speculateMisc() should have
13053 said DFG_TYPE_CHECK instead of typeCheck.
13054
13055 This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
13056 when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
13057 user of this was EarleyBoyer, and in that benchmark what it was really doing was
13058 comparing undefined, null, and booleans to each other.
13059
13060 This also adds support for miscellaneous things that I needed to make my various test
13061 cases work. This includes comparison over booleans and the various Throw-related node
13062 types.
13063
13064 This also improves constant folding of CompareStrictEq and CompareEq.
13065
13066 Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
13067 based on profiling, which caused some downstream badness. We don't actually support
13068 compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
13069 emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
13070 shouldn't factor out the bounds check since the access is not InBounds but then the
13071 backend would ignore the flag and assume that the bounds check was already emitted.
13072 This showed up on an existing test but I added a test for this explicitly to have more
13073 certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
13074 that we'll have a bounds check anyway.
13075
13076 This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
13077 general progressions across the board. No speed-up yet on EarleyBoyer, since there is
13078 still a lot more coverage work to be done there.
13079
13080 * bytecode/SpeculatedType.cpp:
13081 (JSC::speculationToAbbreviatedString):
13082 (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
13083 (JSC::valuesCouldBeEqual):
13084 * bytecode/SpeculatedType.h:
13085 (JSC::isMiscSpeculation):
13086 * dfg/DFGAbstractInterpreterInlines.h:
13087 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
13088 * dfg/DFGArrayMode.cpp:
13089 (JSC::DFG::ArrayMode::refine):
13090 * dfg/DFGArrayMode.h:
13091 * dfg/DFGFixupPhase.cpp:
13092 (JSC::DFG::FixupPhase::fixupNode):
13093 (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
13094 * dfg/DFGNode.h:
13095 (JSC::DFG::Node::shouldSpeculateMisc):
13096 * dfg/DFGSafeToExecute.h:
13097 (JSC::DFG::SafeToExecuteEdge::operator()):
13098 * dfg/DFGSpeculativeJIT.cpp:
13099 (JSC::DFG::SpeculativeJIT::compileStrictEq):
13100 (JSC::DFG::SpeculativeJIT::speculateMisc):
13101 (JSC::DFG::SpeculativeJIT::speculate):
13102 * dfg/DFGSpeculativeJIT.h:
13103 * dfg/DFGSpeculativeJIT32_64.cpp:
13104 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
13105 * dfg/DFGSpeculativeJIT64.cpp:
13106 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
13107 * dfg/DFGUseKind.cpp:
13108 (WTF::printInternal):
13109 * dfg/DFGUseKind.h:
13110 (JSC::DFG::typeFilterFor):
13111 * ftl/FTLCapabilities.cpp:
13112 (JSC::FTL::canCompile):
13113 * ftl/FTLLowerDFGToLLVM.cpp:
13114 (JSC::FTL::LowerDFGToLLVM::compileNode):
13115 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
13116 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
13117 (JSC::FTL::LowerDFGToLLVM::compileThrow):
13118 (JSC::FTL::LowerDFGToLLVM::isNotMisc):
13119 (JSC::FTL::LowerDFGToLLVM::isMisc):
13120 (JSC::FTL::LowerDFGToLLVM::speculate):
13121 (JSC::FTL::LowerDFGToLLVM::speculateMisc):
13122 * tests/stress/float32-array-out-of-bounds.js: Added.
13123 * tests/stress/weird-equality-folding-cases.js: Added.
13124
13125 2014-03-04 Commit Queue <commit-queue@webkit.org>
13126
13127 Unreviewed, rolling out r165085.
13128 http://trac.webkit.org/changeset/165085
13129 https://bugs.webkit.org/show_bug.cgi?id=129729
13130
13131 Broke imported/w3c/html-templates/template-element/template-
13132 content.html (Requested by ap on #webkit).
13133
13134 * bytecode/SpeculatedType.cpp:
13135 (JSC::speculationToAbbreviatedString):
13136 * bytecode/SpeculatedType.h:
13137 * dfg/DFGAbstractInterpreterInlines.h:
13138 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
13139 * dfg/DFGArrayMode.cpp:
13140 (JSC::DFG::ArrayMode::refine):
13141 * dfg/DFGArrayMode.h:
13142 * dfg/DFGFixupPhase.cpp:
13143 (JSC::DFG::FixupPhase::fixupNode):
13144 (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
13145 * dfg/DFGNode.h:
13146 (JSC::DFG::Node::shouldSpeculateBoolean):
13147 * dfg/DFGSafeToExecute.h:
13148 (JSC::DFG::SafeToExecuteEdge::operator()):
13149 * dfg/DFGSpeculativeJIT.cpp:
13150 (JSC::DFG::SpeculativeJIT::compileStrictEq):
13151 (JSC::DFG::SpeculativeJIT::speculate):
13152 * dfg/DFGSpeculativeJIT.h:
13153 * dfg/DFGSpeculativeJIT32_64.cpp:
13154 * dfg/DFGSpeculativeJIT64.cpp:
13155 * dfg/DFGUseKind.cpp:
13156 (WTF::printInternal):
13157 * dfg/DFGUseKind.h:
13158 (JSC::DFG::typeFilterFor):
13159 * ftl/FTLCapabilities.cpp:
13160 (JSC::FTL::canCompile):
13161 * ftl/FTLLowerDFGToLLVM.cpp:
13162 (JSC::FTL::LowerDFGToLLVM::compileNode):
13163 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
13164 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
13165 (JSC::FTL::LowerDFGToLLVM::speculate):
13166 * tests/stress/float32-array-out-of-bounds.js: Removed.
13167 * tests/stress/weird-equality-folding-cases.js: Removed.
13168
13169 2014-03-04 Brian Burg <bburg@apple.com>
13170
13171 Inspector does not restore breakpoints after a page reload
13172 https://bugs.webkit.org/show_bug.cgi?id=129655
13173
13174 Reviewed by Joseph Pecoraro.
13175
13176 Fix a regression introduced by r162096 that erroneously removed
13177 the inspector backend's mapping of files to breakpoints whenever the
13178 global object was cleared.
13179
13180 The inspector's breakpoint mappings should only be cleared when the
13181 debugger agent is disabled or destroyed. We should only clear the
13182 debugger's breakpoint state when the global object is cleared.
13183
13184 To make it clearer what state is being cleared, the two cases have
13185 been split into separate methods.
13186
13187 * inspector/agents/InspectorDebuggerAgent.cpp:
13188 (Inspector::InspectorDebuggerAgent::disable):
13189 (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
13190 (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
13191 (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
13192 * inspector/agents/InspectorDebuggerAgent.h:
13193
13194 2014-03-04 Andreas Kling <akling@apple.com>
13195
13196 Streamline JSValue::get().
13197 <https://webkit.org/b/129720>
13198
13199 Fetch each Structure and VM only once when walking the prototype chain
13200 in JSObject::getPropertySlot(), then pass it along to the functions
13201 we call from there, so they don't have to re-fetch it.
13202
13203 Reviewed by Geoff Garen.
13204
13205 * runtime/JSObject.h:
13206 (JSC::JSObject::inlineGetOwnPropertySlot):
13207 (JSC::JSObject::fastGetOwnPropertySlot):
13208 (JSC::JSObject::getPropertySlot):
13209
13210 2014-03-01 Filip Pizlo <fpizlo@apple.com>
13211
13212 DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
13213 https://bugs.webkit.org/show_bug.cgi?id=129563
13214
13215 Reviewed by Geoffrey Garen.
13216
13217 This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
13218 when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
13219 user of this was EarleyBoyer, and in that benchmark what it was really doing was
13220 comparing undefined, null, and booleans to each other.
13221
13222 This also adds support for miscellaneous things that I needed to make my various test
13223 cases work. This includes comparison over booleans and the various Throw-related node
13224 types.
13225
13226 This also improves constant folding of CompareStrictEq and CompareEq.
13227
13228 Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
13229 based on profiling, which caused some downstream badness. We don't actually support
13230 compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
13231 emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
13232 shouldn't factor out the bounds check since the access is not InBounds but then the
13233 backend would ignore the flag and assume that the bounds check was already emitted.
13234 This showed up on an existing test but I added a test for this explicitly to have more
13235 certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
13236 that we'll have a bounds check anyway.
13237
13238 This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
13239 general progressions across the board. No speed-up yet on EarleyBoyer, since there is
13240 still a lot more coverage work to be done there.
13241
13242 * bytecode/SpeculatedType.cpp:
13243 (JSC::speculationToAbbreviatedString):
13244 (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
13245 (JSC::valuesCouldBeEqual):
13246 * bytecode/SpeculatedType.h:
13247 (JSC::isMiscSpeculation):
13248 * dfg/DFGAbstractInterpreterInlines.h:
13249 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
13250 * dfg/DFGFixupPhase.cpp:
13251 (JSC::DFG::FixupPhase::fixupNode):
13252 * dfg/DFGNode.h:
13253 (JSC::DFG::Node::shouldSpeculateMisc):
13254 * dfg/DFGSafeToExecute.h:
13255 (JSC::DFG::SafeToExecuteEdge::operator()):
13256 * dfg/DFGSpeculativeJIT.cpp:
13257 (JSC::DFG::SpeculativeJIT::compileStrictEq):
13258 (JSC::DFG::SpeculativeJIT::speculateMisc):
13259 (JSC::DFG::SpeculativeJIT::speculate):
13260 * dfg/DFGSpeculativeJIT.h:
13261 * dfg/DFGSpeculativeJIT32_64.cpp:
13262 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
13263 * dfg/DFGSpeculativeJIT64.cpp:
13264 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
13265 * dfg/DFGUseKind.cpp:
13266 (WTF::printInternal):
13267 * dfg/DFGUseKind.h:
13268 (JSC::DFG::typeFilterFor):
13269 * ftl/FTLCapabilities.cpp:
13270 (JSC::FTL::canCompile):
13271 * ftl/FTLLowerDFGToLLVM.cpp:
13272 (JSC::FTL::LowerDFGToLLVM::compileNode):
13273 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
13274 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
13275 (JSC::FTL::LowerDFGToLLVM::compileThrow):
13276 (JSC::FTL::LowerDFGToLLVM::isNotMisc):
13277 (JSC::FTL::LowerDFGToLLVM::isMisc):
13278 (JSC::FTL::LowerDFGToLLVM::speculate):
13279 (JSC::FTL::LowerDFGToLLVM::speculateMisc):
13280 * tests/stress/float32-array-out-of-bounds.js: Added.
13281 * tests/stress/weird-equality-folding-cases.js: Added.
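
The strict-equality folding the entry above describes, as an added illustration rather than JSC's own code: a constructed, deliberately tiny speculated-type lattice (the SpecXxx constants, the widening helper, foldCompareStrictEq and isMiscSpeculation are all assumptions) showing why Boolean versus undefined/null folds to false while Misc versus Misc and Int32 versus Double must still emit a real comparison.

```cpp
#include <cstdint>
#include <optional>

// Constructed model of speculated types; the bit names echo JSC's SpecXxx naming
// but this lattice is an assumption, not the real one.
using SpeculatedType = std::uint32_t;
constexpr SpeculatedType SpecBoolean = 1u << 0;
constexpr SpeculatedType SpecOther   = 1u << 1; // undefined or null (not distinguished)
constexpr SpeculatedType SpecInt32   = 1u << 2;
constexpr SpeculatedType SpecDouble  = 1u << 3;
constexpr SpeculatedType SpecString  = 1u << 4;
constexpr SpeculatedType SpecObject  = 1u << 5;
constexpr SpeculatedType SpecMisc    = SpecBoolean | SpecOther; // the "Misc" of the entry
constexpr SpeculatedType SpecNumber  = SpecInt32 | SpecDouble;

// === never compares across JS types, but profiler speculations are finer than JS
// types: Int32 and Double are both "number" and may well be strictly equal, so
// widen each speculation to the coarsest one that === treats as a single type.
SpeculatedType leastUpperBoundOfStrictlyEquivalent(SpeculatedType type)
{
    if (type & SpecNumber)
        type |= SpecNumber;
    return type;
}

// Could a value of speculation `a` be === to a value of speculation `b`?
// Conservative: any overlap after widening means "maybe". Note that SpecOther
// covers both undefined and null, so Other vs Other is also "maybe".
bool valuesCouldBeStrictlyEqual(SpeculatedType a, SpeculatedType b)
{
    return (leastUpperBoundOfStrictlyEquivalent(a)
            & leastUpperBoundOfStrictlyEquivalent(b)) != 0;
}

// Fold result: false when the operands provably cannot be equal, nullopt otherwise.
// Folding to true is never safe from types alone (two booleans may still differ),
// which is why the speculative Misc path still emits an actual comparison.
std::optional<bool> foldCompareStrictEq(SpeculatedType a, SpeculatedType b)
{
    if (!valuesCouldBeStrictlyEqual(a, b))
        return false;
    return std::nullopt;
}

// The speculation check guarding a Misc fast path: every possible value must be
// boolean, undefined or null; anything else means the compiled code needs an exit.
bool isMiscSpeculation(SpeculatedType type)
{
    return type != 0 && (type & ~SpecMisc) == 0;
}
```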
13282
13283 2014-03-04 Andreas Kling <akling@apple.com>
13284
13285 Spam static branch prediction hints on JS bindings.
13286 <https://webkit.org/b/129703>
13287
13288 Add LIKELY hint to jsDynamicCast since it's always used in a context
13289 where we expect it to succeed and takes an error path when it doesn't.
13290
13291 Reviewed by Geoff Garen.
13292
13293 * runtime/JSCell.h:
13294 (JSC::jsDynamicCast):
13295
13296 2014-03-04 Andreas Kling <akling@apple.com>
13297
13298 Get to Structures more efficiently in JSCell::methodTable().
13299 <https://webkit.org/b/129702>
13300
13301 In JSCell::methodTable(), get the VM once and pass that along to
13302 structure(VM&) instead of using the heavier structure().
13303
13304 In JSCell::methodTable(VM&), replace calls to structure() with
13305 calls to structure(VM&).
13306
13307 Reviewed by Mark Hahnenberg.
13308
13309 * runtime/JSCellInlines.h:
13310 (JSC::JSCell::methodTable):
13311
13312 2014-03-04 Joseph Pecoraro <pecoraro@apple.com>
13313
13314 Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
13315 https://bugs.webkit.org/show_bug.cgi?id=129697
13316
13317 Reviewed by Timothy Hatcher.
13318
13319 * inspector/remote/RemoteInspectorXPCConnection.mm:
13320 (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
13321 (Inspector::RemoteInspectorXPCConnection::handleEvent):
13322
13323 2014-03-04 Mark Hahnenberg <mhahnenberg@apple.com>
13324
13325 Merge API shims and JSLock
13326 https://bugs.webkit.org/show_bug.cgi?id=129650
13327
13328 Reviewed by Mark Lam.
13329
13330 JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason
13331 to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.
13332
13333 * API/APICallbackFunction.h:
13334 (JSC::APICallbackFunction::call):
13335 (JSC::APICallbackFunction::construct):
13336 * API/APIShims.h: Removed.
13337 * API/JSBase.cpp:
13338 (JSEvaluateScript):
13339 (JSCheckScriptSyntax):
13340 (JSGarbageCollect):
13341 (JSReportExtraMemoryCost):
13342 (JSSynchronousGarbageCollectForDebugging):
13343 * API/JSCallbackConstructor.cpp:
13344 * API/JSCallbackFunction.cpp:
13345 * API/JSCallbackObjectFunctions.h:
13346 (JSC::JSCallbackObject<Parent>::init):
13347 (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
13348 (JSC::JSCallbackObject<Parent>::put):
13349 (JSC::JSCallbackObject<Parent>::putByIndex):
13350 (JSC::JSCallbackObject<Parent>::deleteProperty):
13351 (JSC::JSCallbackObject<Parent>::construct):
13352 (JSC::JSCallbackObject<Parent>::customHasInstance):
13353 (JSC::JSCallbackObject<Parent>::call):
13354 (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
13355 (JSC::JSCallbackObject<Parent>::getStaticValue):
13356 (JSC::JSCallbackObject<Parent>::callbackGetter):
13357 * API/JSContext.mm:
13358 (-[JSContext setException:]):
13359 (-[JSContext wrapperForObjCObject:]):
13360 (-[JSContext wrapperForJSObject:]):
13361 * API/JSContextRef.cpp:
13362 (JSContextGroupRelease):
13363 (JSContextGroupSetExecutionTimeLimit):
13364 (JSContextGroupClearExecutionTimeLimit):
13365 (JSGlobalContextCreateInGroup):
13366 (JSGlobalContextRetain):
13367 (JSGlobalContextRelease):
13368 (JSContextGetGlobalObject):
13369 (JSContextGetGlobalContext):
13370 (JSGlobalContextCopyName):
13371 (JSGlobalContextSetName):
13372 * API/JSManagedValue.mm:
13373 (-[JSManagedValue value]):
13374 * API/JSObjectRef.cpp:
13375 (JSObjectMake):
13376 (JSObjectMakeFunctionWithCallback):
13377 (JSObjectMakeConstructor):
13378 (JSObjectMakeFunction):
13379 (JSObjectMakeArray):
13380 (JSObjectMakeDate):
13381 (JSObjectMakeError):
13382 (JSObjectMakeRegExp):
13383 (JSObjectGetPrototype):
13384 (JSObjectSetPrototype):
13385 (JSObjectHasProperty):
13386 (JSObjectGetProperty):
13387 (JSObjectSetProperty):
13388 (JSObjectGetPropertyAtIndex):
13389 (JSObjectSetPropertyAtIndex):
13390 (JSObjectDeleteProperty):
13391 (JSObjectGetPrivateProperty):
13392 (JSObjectSetPrivateProperty):
13393 (JSObjectDeletePrivateProperty):
13394 (JSObjectIsFunction):
13395 (JSObjectCallAsFunction):
13396 (JSObjectCallAsConstructor):
13397 (JSObjectCopyPropertyNames):
13398 (JSPropertyNameArrayRelease):
13399 (JSPropertyNameAccumulatorAddName):
13400 * API/JSScriptRef.cpp:
13401 * API/JSValue.mm:
13402 (isDate):
13403 (isArray):
13404 (containerValueToObject):
13405 (valueToArray):
13406 (valueToDictionary):
13407 (objectToValue):
13408 * API/JSValueRef.cpp:
13409 (JSValueGetType):
13410 (JSValueIsUndefined):
13411 (JSValueIsNull):
13412 (JSValueIsBoolean):
13413 (JSValueIsNumber):
13414 (JSValueIsString):
13415 (JSValueIsObject):
13416 (JSValueIsObjectOfClass):
13417 (JSValueIsEqual):
13418 (JSValueIsStrictEqual):
13419 (JSValueIsInstanceOfConstructor):
13420 (JSValueMakeUndefined):
13421 (JSValueMakeNull):
13422 (JSValueMakeBoolean):
13423 (JSValueMakeNumber):
13424 (JSValueMakeString):
13425 (JSValueMakeFromJSONString):
13426 (JSValueCreateJSONString):
13427 (JSValueToBoolean):
13428 (JSValueToNumber):
13429 (JSValueToStringCopy):
13430 (JSValueToObject):
13431 (JSValueProtect):
13432 (JSValueUnprotect):
13433 * API/JSVirtualMachine.mm:
13434 (-[JSVirtualMachine addManagedReference:withOwner:]):
13435 (-[JSVirtualMachine removeManagedReference:withOwner:]):
13436 * API/JSWeakObjectMapRefPrivate.cpp:
13437 * API/JSWrapperMap.mm:
13438 (constructorHasInstance):
13439 (makeWrapper):
13440 (tryUnwrapObjcObject):
13441 * API/ObjCCallbackFunction.mm:
13442 (JSC::objCCallbackFunctionCallAsFunction):
13443 (JSC::objCCallbackFunctionCallAsConstructor):
13444 (objCCallbackFunctionForInvocation):
13445 * CMakeLists.txt:
13446 * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
13447 * GNUmakefile.list.am:
13448 * JavaScriptCore.xcodeproj/project.pbxproj:
13449 * dfg/DFGWorklist.cpp:
13450 * heap/DelayedReleaseScope.h:
13451 (JSC::DelayedReleaseScope::~DelayedReleaseScope):
13452 * heap/HeapTimer.cpp:
13453 (JSC::HeapTimer::timerDidFire):
13454 (JSC::HeapTimer::timerEvent):
13455 * heap/IncrementalSweeper.cpp:
13456 * inspector/InjectedScriptModule.cpp:
13457 (Inspector::InjectedScriptModule::ensureInjected):
13458 * jsc.cpp:
13459 (jscmain):
13460 * runtime/GCActivityCallback.cpp:
13461 (JSC::DefaultGCActivityCallback::doWork):
13462 * runtime/JSGlobalObjectDebuggable.cpp:
13463 (JSC::JSGlobalObjectDebuggable::connect):
13464 (JSC::JSGlobalObjectDebuggable::disconnect):
13465 (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
13466 * runtime/JSLock.cpp:
13467 (JSC::JSLock::lock):
13468 (JSC::JSLock::didAcquireLock):
13469 (JSC::JSLock::unlock):
13470 (JSC::JSLock::willReleaseLock):
13471 (JSC::JSLock::DropAllLocks::DropAllLocks):
13472 (JSC::JSLock::DropAllLocks::~DropAllLocks):
13473 * runtime/JSLock.h:
13474 * testRegExp.cpp:
13475 (realMain):
13476
13477 2014-03-04 Commit Queue <commit-queue@webkit.org>
13478
13479 Unreviewed, rolling out r164812.
13480 http://trac.webkit.org/changeset/164812
13481 https://bugs.webkit.org/show_bug.cgi?id=129699
13482
13483 it made things run slower (Requested by pizlo on #webkit).
13484
13485 * interpreter/Interpreter.cpp:
13486 (JSC::Interpreter::execute):
13487 * jsc.cpp:
13488 (GlobalObject::finishCreation):
13489 * runtime/BatchedTransitionOptimizer.h:
13490 (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
13491 (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
13492
13493 2014-03-02 Filip Pizlo <fpizlo@apple.com>
13494
13495 GetMyArgumentByVal in FTL
13496 https://bugs.webkit.org/show_bug.cgi?id=128850
13497
13498 Reviewed by Oliver Hunt.
13499
13500 This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
13501 They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
13502 caused it to think that the arity check had failed if the caller had passed more
13503 arguments than needed. This would cause the call frame copying to sort of go into
13504 reverse (because the amount-by-which-we-failed-arity would have opposite sign,
13505 throwing off a bunch of math) and the stack would end up being corrupted.
13506
13507 The bug was revealed by two existing tests although as far as I could tell, neither
13508 test was intending to cover this case directly. So, I added a new test.
13509
13510 * ftl/FTLCapabilities.cpp:
13511 (JSC::FTL::canCompile):
13512 * ftl/FTLLowerDFGToLLVM.cpp:
13513 (JSC::FTL::LowerDFGToLLVM::compileNode):
13514 (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
13515 (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
13516 (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
13517 (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
13518 * ftl/FTLOSRExitCompiler.cpp:
13519 (JSC::FTL::compileStub):
13520 * ftl/FTLState.h:
13521 * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
13522 * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
13523 * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
13524 * tests/stress/ftl-get-my-argument-by-val.js: Added.
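
A constructed model of the arity-check sign error in the entry above (added example, not JSC's exit compiler; arityCheckBuggy, arityCheckFixed, buildExitFrame and the undefined sentinel are hypothetical): with the equality test, a caller passing extra arguments is reported as an arity failure with a negative padding, which is the reversed frame copy the entry describes.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// A JS callee declared with numParameters formals may be called with fewer or
// more arguments. Only the "fewer" case is an arity failure that needs the
// frame padded with undefined so the callee sees numParameters slots.
struct ArityResult {
    bool failed;          // did the check report an arity failure?
    std::int64_t padding; // slots to add so the callee sees numParameters args
};

// The buggy predicate from the entry: any mismatch counts as a failure, so a
// caller passing extra arguments yields a negative "amount by which we failed".
ArityResult arityCheckBuggy(std::int64_t argumentCount, std::int64_t numParameters)
{
    bool failed = argumentCount != numParameters;
    return { failed, failed ? numParameters - argumentCount : 0 };
}

// The fixed predicate: only too few arguments is a failure, so padding is never negative.
ArityResult arityCheckFixed(std::int64_t argumentCount, std::int64_t numParameters)
{
    bool failed = argumentCount < numParameters;
    return { failed, failed ? numParameters - argumentCount : 0 };
}

// Constructed sentinel standing in for JS undefined in this model.
static constexpr std::int64_t kUndefined = -1;

// Model of the call-frame copy the exit compiler performs: the callee's argument
// area is the caller's arguments plus `padding` undefined slots. A negative
// padding would walk the frame in reverse; instead of corrupting memory as the
// real bug did, this model refuses and reports nullopt.
std::optional<std::vector<std::int64_t>> buildExitFrame(const std::vector<std::int64_t>& callerArgs,
                                                        const ArityResult& result)
{
    if (result.padding < 0)
        return std::nullopt; // the corruption path
    std::vector<std::int64_t> frame(callerArgs);
    frame.insert(frame.end(), static_cast<std::size_t>(result.padding), kUndefined);
    return frame;
}
```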
13525
13526 2014-03-04 Zan Dobersek <zdobersek@igalia.com>
13527
13528 [GTK] Build the Udis86 disassembler
13529 https://bugs.webkit.org/show_bug.cgi?id=129679
13530
13531 Reviewed by Michael Saboff.
13532
13533 * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
13534 * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.
13535
13536 2014-03-04 Andreas Kling <akling@apple.com>
13537
13538 Fix too-narrow assertion I added in r165054.
13539
13540 It's okay for a 1-character string to come in here. This will happen
13541 if the VM small string optimization doesn't apply (ch > 0xFF).
13542
13543 * runtime/JSString.h:
13544 (JSC::jsStringWithWeakOwner):
13545
13546 2014-03-04 Andreas Kling <akling@apple.com>
13547
13548 Micro-optimize Strings in JS bindings.
13549 <https://webkit.org/b/129673>
13550
13551 Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
13552 This avoids branches in length() and operator[].
13553
13554 Also call JSString::create() directly instead of jsString() and just
13555 assert that the string length is >1. This way we don't duplicate the
13556 optimizations for empty and single-character strings.
13557
13558 Reviewed by Ryosuke Niwa.
13559
13560 * runtime/JSString.h:
13561 (JSC::jsStringWithWeakOwner):
13562
13563 2014-03-04 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
13564
13565 Implement Number.prototype.clz()
13566 https://bugs.webkit.org/show_bug.cgi?id=129479
13567
13568 Reviewed by Oliver Hunt.
13569
13570 Implemented Number.prototype.clz() as specified in the ES6 standard.
13571
13572 * runtime/NumberPrototype.cpp:
13573 (JSC::numberProtoFuncClz):
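
An added example, not the page's code, of the algorithm behind Number.prototype.clz(): it assumes the ES6 draft method shares the semantics of the later Math.clz32, that is ToUint32 of the receiver followed by a leading-zero count, so the edge cases worth checking are the ToUint32 wrap for negatives, NaN and values at or above 2^32.

```cpp
#include <cmath>
#include <cstdint>

// ES ToUint32 (assumed semantics): NaN and infinities become 0; otherwise truncate
// toward zero and reduce modulo 2^32, which is what makes negative inputs wrap.
std::uint32_t toUint32(double value)
{
    if (std::isnan(value) || std::isinf(value))
        return 0;
    const double twoTo32 = 4294967296.0;
    double modulo = std::fmod(std::trunc(value), twoTo32);
    if (modulo < 0)
        modulo += twoTo32;
    return static_cast<std::uint32_t>(modulo);
}

// Count leading zeros of a 32-bit value without compiler builtins, whose result
// for 0 is undefined; the spec says 0 has 32 leading zeros.
int countLeadingZeros32(std::uint32_t n)
{
    if (n == 0)
        return 32;
    int zeros = 0;
    for (std::uint32_t mask = 0x80000000u; (n & mask) == 0; mask >>= 1)
        ++zeros;
    return zeros;
}

// Observable behaviour of Number.prototype.clz under the assumed semantics.
int numberClz(double receiver)
{
    return countLeadingZeros32(toUint32(receiver));
}
```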
13574
13575 2014-03-03 Joseph Pecoraro <pecoraro@apple.com>
13576
13577 Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
13578 https://bugs.webkit.org/show_bug.cgi?id=129631
13579
13580 Reviewed by Timothy Hatcher.
13581
13582 Avoid deref() too early if a client calls close(). The xpc_connection_close
13583 will cause another XPC_ERROR event to come in from the queue, deref then.
13584 Likewise, protect multithreaded access to m_client. If a client calls
13585 close() we want to immediately clear the pointer to prevent calls to it.
13586
13587 Overall the multi-threading aspects of RemoteInspectorXPCConnection are
13588 growing too complicated for probably little benefit. We may want to
13589 clean this up later.
13590
13591 * inspector/remote/RemoteInspector.mm:
13592 (Inspector::RemoteInspector::xpcConnectionFailed):
13593 * inspector/remote/RemoteInspectorXPCConnection.h:
13594 * inspector/remote/RemoteInspectorXPCConnection.mm:
13595 (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
13596 (Inspector::RemoteInspectorXPCConnection::close):
13597 (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
13598 (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
13599 (Inspector::RemoteInspectorXPCConnection::handleEvent):
13600 (Inspector::RemoteInspectorXPCConnection::sendMessage):
13601
13602 2014-03-03 Michael Saboff <msaboff@apple.com>
13603
13604 AbstractMacroAssembler::CachedTempRegister should start out invalid
13605 https://bugs.webkit.org/show_bug.cgi?id=129657
13606
13607 Reviewed by Filip Pizlo.
13608
13609 * assembler/AbstractMacroAssembler.h:
13610 (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
13611 - Invalidate all cached registers in constructor as we don't know the
13612 contents of any register at the entry to the code we are going to
13613 generate.
13614
13615 2014-03-03 Andreas Kling <akling@apple.com>
13616
13617 StructureOrOffset should be fastmalloced.
13618 <https://webkit.org/b/129640>
13619
13620 Reviewed by Geoffrey Garen.
13621
13622 * runtime/StructureIDTable.h:
13623
13624 2014-03-03 Michael Saboff <msaboff@apple.com>
13625
13626 Crash in JIT code while watching a video @ storyboard.tumblr.com
13627 https://bugs.webkit.org/show_bug.cgi?id=129635
13628
13629 Reviewed by Filip Pizlo.
13630
13631 Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
13632 constructor.
13633
13634 * jit/TempRegisterSet.cpp:
13635 (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
13636 * jit/TempRegisterSet.h:
13637 (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
13638 (JSC::TempRegisterSet::clearAll): New private helper.
13639
13640 2014-03-03 Benjamin Poulain <benjamin@webkit.org>
13641
13642 [x86] Improve code generation of byte test
13643 https://bugs.webkit.org/show_bug.cgi?id=129597
13644
13645 Reviewed by Geoffrey Garen.
13646
13647 When possible, test the 8 bit register to itself instead of comparing it
13648 to a literal.
13649
13650 * assembler/MacroAssemblerX86Common.h:
13651 (JSC::MacroAssemblerX86Common::test32):
13652
13653 2014-03-03 Mark Lam <mark.lam@apple.com>
13654
13655 Web Inspector: debugger statements do not break.
13656 <https://webkit.org/b/129524>
13657
13658 Reviewed by Geoff Garen.
13659
13660 Since we no longer call op_debug hooks unless there is a debugger request
13661 made on the CodeBlock, the op_debug for the debugger statement never gets
13662 serviced.
13663
13664 With this fix, we check in the CodeBlock constructor if any debugger
13665 statements are present. If so, we set a m_hasDebuggerStatement flag that
13666 causes the CodeBlock to show as having debugger requests. Hence,
13667 breaking at debugger statements is now restored.
13668
13669 * bytecode/CodeBlock.cpp:
13670 (JSC::CodeBlock::CodeBlock):
13671 * bytecode/CodeBlock.h:
13672 (JSC::CodeBlock::hasDebuggerRequests):
13673 (JSC::CodeBlock::clearDebuggerRequests):
13674
13675 2014-03-03 Mark Lam <mark.lam@apple.com>
13676
13677 ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
13678 <https://webkit.org/b/129393>
13679
13680 Reviewed by Geoffrey Garen.
13681
13682 The issue manifests because the debugger will iterate all CodeBlocks in
13683 the heap when setting / clearing breakpoints, but it is possible for a
13684 CodeBlock to have been instantiated but is not yet registered with the
13685 debugger. This can happen because of the following:
13686
13687 1. DFG worklist compilation is still in progress, and the target
13688 codeBlock is not ready for installation in its executable yet.
13689
13690 2. DFG compilation failed and we have a codeBlock that will never be
13691 installed in its executable, and the codeBlock has not been cleaned
13692 up by the GC yet.
13693
13694 The code for installing the codeBlock in its executable is the same code
13695 that registers it with the debugger. Hence, these codeBlocks are not
13696 registered with the debugger, and any pending breakpoints that would map
13697 to that CodeBlock are as yet unset or will never be set. As such, an
13698 attempt to remove a breakpoint in that CodeBlock will fail that assertion.
13699
13700 To fix this, we do the following:
13701
13702 1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
13703 compilation. This is achieved by providing a
13704 DeferredCompilationCallback::compilationDidComplete() that does this
13705 clean up, and have all subclasses call it at the end of their
13706 compilationDidComplete() methods.
13707
13708 2. Before the debugger or profiler iterates CodeBlocks in the heap, they
13709 will wait for all compilations to complete before proceeding. This
13710 ensures that:
13711 1. any zombie CodeBlocks would have been cleaned up, and won't be
13712 seen by the debugger or profiler.
13713 2. all CodeBlocks that the debugger and profiler needs to operate on
13714 will be "ready" for whatever needs to be done to them e.g.
13715 jettisoning of DFG codeBlocks.
13716
13717 * bytecode/DeferredCompilationCallback.cpp:
13718 (JSC::DeferredCompilationCallback::compilationDidComplete):
13719 * bytecode/DeferredCompilationCallback.h:
13720 - Provide default implementation method to clean up zombie CodeBlocks.
13721
13722 * debugger/Debugger.cpp:
13723 (JSC::Debugger::forEachCodeBlock):
13724 - Utility function to iterate CodeBlocks. It ensures that all compilations
13725 are complete before proceeding.
13726 (JSC::Debugger::setSteppingMode):
13727 (JSC::Debugger::toggleBreakpoint):
13728 (JSC::Debugger::recompileAllJSFunctions):
13729 (JSC::Debugger::clearBreakpoints):
13730 (JSC::Debugger::clearDebuggerRequests):
13731 - Use the utility iterator function.
13732
13733 * debugger/Debugger.h:
13734 * dfg/DFGOperations.cpp:
13735 - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
13736
13737 * dfg/DFGPlan.cpp:
13738 (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
13739 - Remove unneeded code (that was not the best solution anyway) for ensuring
13740 that we don't generate new DFG codeBlocks after enabling the debugger or
13741 profiler. Now that we wait for compilations to complete before proceeding
13742 with debugger and profiler work, this scenario will never happen.
13743
13744 * dfg/DFGToFTLDeferredCompilationCallback.cpp:
13745 (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
13746 - Call the super class method to clean up zombie codeBlocks.
13747
13748 * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
13749 (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
13750 - Call the super class method to clean up zombie codeBlocks.
13751
13752 * heap/CodeBlockSet.cpp:
13753 (JSC::CodeBlockSet::remove):
13754 * heap/CodeBlockSet.h:
13755 * heap/Heap.h:
13756 (JSC::Heap::removeCodeBlock):
13757 - New method to remove a codeBlock from the codeBlock set.
13758
13759 * jit/JITOperations.cpp:
13760 - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
13761
13762 * jit/JITToDFGDeferredCompilationCallback.cpp:
13763 (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
13764 - Call the super class method to clean up zombie codeBlocks.
13765
13766 * runtime/VM.cpp:
13767 (JSC::VM::waitForCompilationsToComplete):
13768 - Renamed from prepareToDiscardCode() to be clearer about what it does.
13769
13770 (JSC::VM::discardAllCode):
13771 (JSC::VM::releaseExecutableMemory):
13772 (JSC::VM::setEnabledProfiler):
13773 - Wait for compilation to complete before enabling the profiler.
13774
13775 * runtime/VM.h:
13776
13777 2014-03-03 Brian Burg <bburg@apple.com>
13778
13779 Another unreviewed build fix attempt for Windows after r164986.
13780
13781 We never told Visual Studio to copy over the web replay code generator scripts
13782 and the generated headers for JavaScriptCore replay inputs as if they were
13783 private headers.
13784
13785 * JavaScriptCore.vcxproj/copy-files.cmd:
13786
13787 2014-03-03 Brian Burg <bburg@apple.com>
13788
13789 Web Replay: upstream input storage, capture/replay machinery, and inspector domain
13790 https://bugs.webkit.org/show_bug.cgi?id=128782
13791
13792 Reviewed by Timothy Hatcher.
13793
13794 Alter the replay inputs code generator so that it knows when it is necessary
13795 to include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.
13796
13797 * JavaScriptCore.xcodeproj/project.pbxproj:
13798 * replay/scripts/CodeGeneratorReplayInputs.py:
13799 (Framework.fromString):
13800 (Frameworks): Add WTF as an allowed framework for code generation.
13801 (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
13802 (Generator.generate_includes.declaration):
13803 (Generator.generate_includes.or):
13804 (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.
13805
13806 2014-03-02 Filip Pizlo <fpizlo@apple.com>
13807
13808 PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
13809 https://bugs.webkit.org/show_bug.cgi?id=129591
13810
13811 Reviewed by Michael Saboff.
13812
13813 * bytecode/PolymorphicPutByIdList.cpp:
13814 (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
13815 (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constructor should be private, only from() should call it.
13816 (JSC::PolymorphicPutByIdList::from):
13817 * bytecode/PolymorphicPutByIdList.h:
13818 (JSC::PutByIdAccess::stubRoutine):
13819 * jit/Repatch.cpp:
13820 (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.
13821
13822 2014-03-02 Filip Pizlo <fpizlo@apple.com>
13823
13824 Debugging improvements from my gbemu investigation session
13825 https://bugs.webkit.org/show_bug.cgi?id=129599
13826
13827 Reviewed by Mark Lam.
13828
13829 Various improvements from when I was investigating bug 129411.
13830
13831 * bytecode/CodeBlock.cpp:
13832 (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
13833 * jsc.cpp:
13834 (GlobalObject::finishCreation):
13835 (functionDescribe): Make describe() return a string rather than printing the string.
13836 (functionDescribeArray): Like describe(), but prints details about arrays.
13837
13838 2014-02-25 Andreas Kling <akling@apple.com>
13839
13840 JSDOMWindow::commonVM() should return a reference.
13841 <https://webkit.org/b/129293>
13842
13843 Added a DropAllLocks constructor that takes VM& without null checks.
13844
13845 Reviewed by Geoff Garen.
13846
13847 2014-03-02 Mark Lam <mark.lam@apple.com>
13848
13849 CodeBlock::hasDebuggerRequests() should return a bool instead of an int.
13850 <https://webkit.org/b/129584>
13851
13852 Reviewed by Darin Adler.
13853
13854 * bytecode/CodeBlock.h:
13855 (JSC::CodeBlock::hasDebuggerRequests):
13856
13857 2014-03-02 Mark Lam <mark.lam@apple.com>
13858
13859 Clean up use of Options::enableConcurrentJIT().
13860 <https://webkit.org/b/129582>
13861
13862 Reviewed by Filip Pizlo.
13863
13864 DFG Driver was conditionally checking Options::enableConcurrentJIT()
13865 only if ENABLE(CONCURRENT_JIT). Otherwise, it bypasses it with a local
13866 enableConcurrentJIT set to false.
13867
13868 Instead we should configure Options::enableConcurrentJIT() to be false
13869 in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
13870 check Options::enableConcurrentJIT(). This makes the code read a little
13871 cleaner.
13872
13873 * dfg/DFGDriver.cpp:
13874 (JSC::DFG::compileImpl):
13875 * runtime/Options.cpp:
13876 (JSC::recomputeDependentOptions):
13877
13878 2014-03-01 Filip Pizlo <fpizlo@apple.com>
13879
13880 This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
13881 stress tests.
13882
13883 * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.
13884
13885 2014-03-01 Andreas Kling <akling@apple.com>
13886
13887 JSCell::fastGetOwnProperty() should get the Structure more efficiently.
13888 <https://webkit.org/b/129560>
13889
13890 Now that structure() is nontrivial and we have a faster structure(VM&),
13891 make use of that in fastGetOwnProperty() since we already have VM.
13892
13893 Reviewed by Sam Weinig.
13894
13895 * runtime/JSCellInlines.h:
13896 (JSC::JSCell::fastGetOwnProperty):
13897
13898 2014-03-01 Andreas Kling <akling@apple.com>
13899
13900 Avoid going through ExecState for VM when we already have it (in some places.)
13901 <https://webkit.org/b/129554>
13902
13903 Tweak some places that jump through unnecessary hoops to get the VM.
13904 There are many more like this.
13905
13906 Reviewed by Sam Weinig.
13907
13908 * runtime/JSObject.cpp:
13909 (JSC::JSObject::putByIndexBeyondVectorLength):
13910 (JSC::JSObject::putDirectIndexBeyondVectorLength):
13911 * runtime/ObjectPrototype.cpp:
13912 (JSC::objectProtoFuncToString):
13913
139142014-02-28 Filip Pizlo <fpizlo@apple.com>
13915
13916 FTL should support PhantomArguments
13917 https://bugs.webkit.org/show_bug.cgi?id=113986
13918
13919 Reviewed by Oliver Hunt.
13920
13921 Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
13922 object into the FTL's OSR exit compiler.
13923
13924 This isn't a speed-up yet, since there is still more to be done to fully support
13925 all of the arguments craziness that our varargs benchmarks do.
13926
13927 * dfg/DFGOSRExitCompiler32_64.cpp:
13928 (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
13929 * dfg/DFGOSRExitCompiler64.cpp:
13930 (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
13931 * dfg/DFGOSRExitCompilerCommon.cpp:
13932 (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
13933 (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
13934 (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
13935 * dfg/DFGOSRExitCompilerCommon.h:
13936 * ftl/FTLCapabilities.cpp:
13937 (JSC::FTL::canCompile):
13938 * ftl/FTLExitValue.cpp:
13939 (JSC::FTL::ExitValue::dumpInContext):
13940 * ftl/FTLExitValue.h:
13941 (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
13942 (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
13943 (JSC::FTL::ExitValue::valueFormat):
13944 * ftl/FTLLowerDFGToLLVM.cpp:
13945 (JSC::FTL::LowerDFGToLLVM::compileNode):
13946 (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
13947 (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
13948 (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
13949 * ftl/FTLOSRExitCompiler.cpp:
13950 (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
13951 * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
13952 * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.
13953
139542014-02-28 Filip Pizlo <fpizlo@apple.com>
13955
13956 Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.
13957
13958 * dfg/DFGCSEPhase.cpp:
13959 (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
13960
139612014-02-28 Andreas Kling <akling@apple.com>
13962
13963 JSObject::findPropertyHashEntry() should take VM instead of ExecState.
13964 <https://webkit.org/b/129529>
13965
13966 Callers already have VM in a local, and findPropertyHashEntry() only
13967 uses the VM, no need to go all the way through ExecState.
13968
13969 Reviewed by Geoffrey Garen.
13970
13971 * runtime/JSObject.cpp:
13972 (JSC::JSObject::put):
13973 (JSC::JSObject::deleteProperty):
13974 (JSC::JSObject::findPropertyHashEntry):
13975 * runtime/JSObject.h:
13976
139772014-02-28 Joseph Pecoraro <pecoraro@apple.com>
13978
13979 Deadlock remotely inspecting iOS Simulator
13980 https://bugs.webkit.org/show_bug.cgi?id=129511
13981
13982 Reviewed by Timothy Hatcher.
13983
13984 Avoid synchronous setup. Do it asynchronously, and let
13985 the RemoteInspector singleton know later if it failed.
13986
13987 * inspector/remote/RemoteInspector.h:
13988 * inspector/remote/RemoteInspector.mm:
13989 (Inspector::RemoteInspector::setupFailed):
13990 * inspector/remote/RemoteInspectorDebuggableConnection.h:
13991 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
13992 (Inspector::RemoteInspectorDebuggableConnection::setup):
13993
139942014-02-28 Oliver Hunt <oliver@apple.com>
13995
13996 REGRESSION(r164835): It broke 10 JSC stress test on 32 bit platforms
13997 https://bugs.webkit.org/show_bug.cgi?id=129488
13998
13999 Reviewed by Mark Lam.
14000
14001 Whoops, modify the right register.
14002
14003 * jit/JITCall32_64.cpp:
14004 (JSC::JIT::compileLoadVarargs):
14005
140062014-02-28 Filip Pizlo <fpizlo@apple.com>
14007
14008 FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
14009 https://bugs.webkit.org/show_bug.cgi?id=129503
14010
14011 Reviewed by Mark Lam.
14012
14013 * ftl/FTLIntrinsicRepository.h:
14014 * ftl/FTLOutput.h:
14015 (JSC::FTL::Output::doubleSin):
14016 (JSC::FTL::Output::doubleCos):
14017 (JSC::FTL::Output::intrinsicOrOperation):
14018
140192014-02-28 Mark Hahnenberg <mhahnenberg@apple.com>
14020
14021 Fix !ENABLE(GGC) builds
14022
14023 * heap/Heap.cpp:
14024 (JSC::Heap::markRoots):
14025 (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.
14026
140272014-02-27 Mark Hahnenberg <mhahnenberg@apple.com>
14028
14029 Clean up Heap::collect and Heap::markRoots
14030 https://bugs.webkit.org/show_bug.cgi?id=129464
14031
14032 Reviewed by Geoffrey Garen.
14033
14034 These functions have built up a lot of cruft recently.
14035 We should do a bit of cleanup to make them easier to grok.
14036
14037 * heap/Heap.cpp:
14038 (JSC::Heap::finalizeUnconditionalFinalizers):
14039 (JSC::Heap::gatherStackRoots):
14040 (JSC::Heap::gatherJSStackRoots):
14041 (JSC::Heap::gatherScratchBufferRoots):
14042 (JSC::Heap::clearLivenessData):
14043 (JSC::Heap::visitSmallStrings):
14044 (JSC::Heap::visitConservativeRoots):
14045 (JSC::Heap::visitCompilerWorklists):
14046 (JSC::Heap::markProtectedObjects):
14047 (JSC::Heap::markTempSortVectors):
14048 (JSC::Heap::markArgumentBuffers):
14049 (JSC::Heap::visitException):
14050 (JSC::Heap::visitStrongHandles):
14051 (JSC::Heap::visitHandleStack):
14052 (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
14053 (JSC::Heap::converge):
14054 (JSC::Heap::visitWeakHandles):
14055 (JSC::Heap::clearRememberedSet):
14056 (JSC::Heap::updateObjectCounts):
14057 (JSC::Heap::resetVisitors):
14058 (JSC::Heap::markRoots):
14059 (JSC::Heap::copyBackingStores):
14060 (JSC::Heap::deleteUnmarkedCompiledCode):
14061 (JSC::Heap::collect):
14062 (JSC::Heap::collectIfNecessaryOrDefer):
14063 (JSC::Heap::suspendCompilerThreads):
14064 (JSC::Heap::willStartCollection):
14065 (JSC::Heap::deleteOldCode):
14066 (JSC::Heap::flushOldStructureIDTables):
14067 (JSC::Heap::flushWriteBarrierBuffer):
14068 (JSC::Heap::stopAllocation):
14069 (JSC::Heap::reapWeakHandles):
14070 (JSC::Heap::sweepArrayBuffers):
14071 (JSC::Heap::snapshotMarkedSpace):
14072 (JSC::Heap::deleteSourceProviderCaches):
14073 (JSC::Heap::notifyIncrementalSweeper):
14074 (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
14075 (JSC::Heap::resetAllocators):
14076 (JSC::Heap::updateAllocationLimits):
14077 (JSC::Heap::didFinishCollection):
14078 (JSC::Heap::resumeCompilerThreads):
14079 * heap/Heap.h:
14080
140812014-02-27 Ryosuke Niwa <rniwa@webkit.org>
14082
14083 indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
14084 https://bugs.webkit.org/show_bug.cgi?id=129466
14085
14086 Reviewed by Michael Saboff.
14087
14088 Refactored the code to avoid calling JSString::value when needle is longer than haystack.
14089
14090 * runtime/StringPrototype.cpp:
14091 (JSC::stringProtoFuncIndexOf):
14092 (JSC::stringProtoFuncLastIndexOf):
14093
140942014-02-27 Timothy Hatcher <timothy@apple.com>
14095
14096 Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.
14097
14098 https://bugs.webkit.org/show_bug.cgi?id=129458
14099
14100 Reviewed by Joseph Pecoraro.
14101
14102 * inspector/ContentSearchUtilities.cpp:
14103 (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
14104 (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
14105 line ending type and don't try to strip the line ending. Use size_t
14106 (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
14107 This will include the line ending in the lines, but that is okay.
14108 (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
14109 (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.
14110
141112014-02-27 Joseph Pecoraro <pecoraro@apple.com>
14112
14113 [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
14114 https://bugs.webkit.org/show_bug.cgi?id=129446
14115
14116 Reviewed by Timothy Hatcher.
14117
14118 Remove duplicate header entries in Copy Header build phase.
14119
14120 * JavaScriptCore.xcodeproj/project.pbxproj:
14121
141222014-02-27 Oliver Hunt <oliver@apple.com>
14123
14124 Whoops, include all of last patch.
14125
14126 * jit/JITCall32_64.cpp:
14127 (JSC::JIT::compileLoadVarargs):
14128
141292014-02-27 Oliver Hunt <oliver@apple.com>
14130
14131 Slow cases for function.apply and function.call should not require vm re-entry
14132 https://bugs.webkit.org/show_bug.cgi?id=129454
14133
14134 Reviewed by Geoffrey Garen.
14135
14136 Implement call and apply using builtins. Happily the use
14137 of @call and @apply don't perform function equality checks
14138 and just plant direct var_args calls. This did expose a few
14139 codegen issues, but they're all covered by existing tests
14140 once call and apply are implemented in JS.
14141
14142 * JavaScriptCore.xcodeproj/project.pbxproj:
14143 * builtins/Function.prototype.js: Added.
14144 (call):
14145 (apply):
14146 * bytecompiler/NodesCodegen.cpp:
14147 (JSC::CallFunctionCallDotNode::emitBytecode):
14148 (JSC::ApplyFunctionCallDotNode::emitBytecode):
14149 * dfg/DFGCapabilities.cpp:
14150 (JSC::DFG::capabilityLevel):
14151 * interpreter/Interpreter.cpp:
14152 (JSC::sizeFrameForVarargs):
14153 (JSC::loadVarargs):
14154 * interpreter/Interpreter.h:
14155 * jit/JITCall.cpp:
14156 (JSC::JIT::compileLoadVarargs):
14157 * parser/ASTBuilder.h:
14158 (JSC::ASTBuilder::makeFunctionCallNode):
14159 * parser/Lexer.cpp:
14160 (JSC::isSafeBuiltinIdentifier):
14161 * runtime/CommonIdentifiers.h:
14162 * runtime/FunctionPrototype.cpp:
14163 (JSC::FunctionPrototype::addFunctionProperties):
14164 * runtime/JSObject.cpp:
14165 (JSC::JSObject::putDirectBuiltinFunction):
14166 (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
14167 * runtime/JSObject.h:
14168
141692014-02-27 Joseph Pecoraro <pecoraro@apple.com>
14170
14171 Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
14172 https://bugs.webkit.org/show_bug.cgi?id=129443
14173
14174 Reviewed by Timothy Hatcher.
14175
14176 This queue is specific to the JSContext debuggable connections,
14177 there is no XPC involved. Give it a better name.
14178
14179 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
14180 (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
14181
141822014-02-27 David Kilzer <ddkilzer@apple.com>
14183
14184 Remove jsc symlink if it already exists
14185
14186 This is a follow-up fix for:
14187
14188 Create symlink to /usr/local/bin/jsc during installation
14189 <http://webkit.org/b/129399>
14190 <rdar://problem/16168734>
14191
14192 * JavaScriptCore.xcodeproj/project.pbxproj:
14193 (Create /usr/local/bin/jsc symlink): If a jsc symlink already
14194 exists where we're about to create the symlink, remove the old
14195 one first.
14196
141972014-02-27 Michael Saboff <msaboff@apple.com>
14198
14199 Unreviewed build fix for Mac tools after r164814
14200
14201 * Configurations/ToolExecutable.xcconfig:
14202 - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
14203 * JavaScriptCore.xcodeproj/project.pbxproj:
14204 - Changed productName to testRegExp for testRegExp target.
14205
142062014-02-27 Joseph Pecoraro <pecoraro@apple.com>
14207
14208 Web Inspector: JSContext inspection should report exceptions in the console
14209 https://bugs.webkit.org/show_bug.cgi?id=128776
14210
14211 Reviewed by Timothy Hatcher.
14212
14213 When JavaScript API functions have an exception, let the inspector
14214 know so it can log the JavaScript and Native backtrace that caused
14215 the exception.
14216
14217 Include some clean up of ConsoleMessage and ScriptCallStack construction.
14218
14219 * API/JSBase.cpp:
14220 (JSEvaluateScript):
14221 (JSCheckScriptSyntax):
14222 * API/JSObjectRef.cpp:
14223 (JSObjectMakeFunction):
14224 (JSObjectMakeArray):
14225 (JSObjectMakeDate):
14226 (JSObjectMakeError):
14227 (JSObjectMakeRegExp):
14228 (JSObjectGetProperty):
14229 (JSObjectSetProperty):
14230 (JSObjectGetPropertyAtIndex):
14231 (JSObjectSetPropertyAtIndex):
14232 (JSObjectDeleteProperty):
14233 (JSObjectCallAsFunction):
14234 (JSObjectCallAsConstructor):
14235 * API/JSValue.mm:
14236 (reportExceptionToInspector):
14237 (valueToArray):
14238 (valueToDictionary):
14239 * API/JSValueRef.cpp:
14240 (JSValueIsEqual):
14241 (JSValueIsInstanceOfConstructor):
14242 (JSValueCreateJSONString):
14243 (JSValueToNumber):
14244 (JSValueToStringCopy):
14245 (JSValueToObject):
14246 When seeing an exception, let the inspector know there was an exception.
14247
14248 * inspector/JSGlobalObjectInspectorController.h:
14249 * inspector/JSGlobalObjectInspectorController.cpp:
14250 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
14251 (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
14252 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
14253 Log API exceptions by also grabbing the native backtrace.
14254
14255 * inspector/ScriptCallStack.h:
14256 * inspector/ScriptCallStack.cpp:
14257 (Inspector::ScriptCallStack::firstNonNativeCallFrame):
14258 (Inspector::ScriptCallStack::append):
14259 Minor extensions to ScriptCallStack to make it easier to work with.
14260
14261 * inspector/ConsoleMessage.cpp:
14262 (Inspector::ConsoleMessage::ConsoleMessage):
14263 (Inspector::ConsoleMessage::autogenerateMetadata):
14264 Provide better default information if the first call frame was native.
14265
14266 * inspector/ScriptCallStackFactory.cpp:
14267 (Inspector::createScriptCallStack):
14268 (Inspector::extractSourceInformationFromException):
14269 (Inspector::createScriptCallStackFromException):
14270 Perform the handling here of inserting a fake call frame for exceptions
14271 if there was no call stack (e.g. a SyntaxError) or if the first call
14272 frame had no information.
14273
14274 * inspector/ConsoleMessage.cpp:
14275 (Inspector::ConsoleMessage::ConsoleMessage):
14276 (Inspector::ConsoleMessage::autogenerateMetadata):
14277 * inspector/ConsoleMessage.h:
14278 * inspector/ScriptCallStackFactory.cpp:
14279 (Inspector::createScriptCallStack):
14280 (Inspector::createScriptCallStackForConsole):
14281 * inspector/ScriptCallStackFactory.h:
14282 * inspector/agents/InspectorConsoleAgent.cpp:
14283 (Inspector::InspectorConsoleAgent::enable):
14284 (Inspector::InspectorConsoleAgent::addMessageToConsole):
14285 (Inspector::InspectorConsoleAgent::count):
14286 * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
14287 (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
14288 ConsoleMessage cleanup.
14289
142902014-02-27 David Kilzer <ddkilzer@apple.com>
14291
14292 Create symlink to /usr/local/bin/jsc during installation
14293 <http://webkit.org/b/129399>
14294 <rdar://problem/16168734>
14295
14296 Reviewed by Dan Bernstein.
14297
14298 * JavaScriptCore.xcodeproj/project.pbxproj:
14299 - Add "Create /usr/local/bin/jsc symlink" build phase script to
14300 create the symlink during installation.
14301
143022014-02-27 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
14303
14304 Math.{max, min}() must not return after first NaN value
14305 https://bugs.webkit.org/show_bug.cgi?id=104147
14306
14307 Reviewed by Oliver Hunt.
14308
14309 According to the spec, ToNumber going to be called on each argument
14310 even if a `NaN` value was already found
14311
14312 * runtime/MathObject.cpp:
14313 (JSC::mathProtoFuncMax):
14314 (JSC::mathProtoFuncMin):
14315
143162014-02-27 Gergo Balogh <gbalogh.u-szeged@partner.samsung.com>
14317
14318 JSType upper limit (0xff) assertion can be removed.
14319 https://bugs.webkit.org/show_bug.cgi?id=129424
14320
14321 Reviewed by Geoffrey Garen.
14322
14323 * runtime/JSTypeInfo.h:
14324 (JSC::TypeInfo::TypeInfo):
14325
143262014-02-26 Michael Saboff <msaboff@apple.com>
14327
14328 Auto generate bytecode information for bytecode parser and LLInt
14329 https://bugs.webkit.org/show_bug.cgi?id=129181
14330
14331 Reviewed by Mark Lam.
14332
14333 Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
14334 helpers. It also includes bytecode length and other information used to generate files.
14335 Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
14336 in DerivedSources/JavaScriptCore/.
14337
14338 Added the generation of these files to the "DerivedSource" build step.
14339 Slighty changed the build order, since the Bytecodes.h file is needed by
14340 JSCLLIntOffsetsExtractor. Moved the offline assembly to a separate step since it needs
14341 to be run after JSCLLIntOffsetsExtractor.
14342
14343 Made related changes to OPCODE macros and their use.
14344
14345 Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
14346 jsc to resolve Mac build issue.
14347
14348 * CMakeLists.txt:
14349 * Configurations/JSC.xcconfig:
14350 * DerivedSources.make:
14351 * GNUmakefile.am:
14352 * GNUmakefile.list.am:
14353 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
14354 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
14355 * JavaScriptCore.vcxproj/copy-files.cmd:
14356 * JavaScriptCore.xcodeproj/project.pbxproj:
14357 * bytecode/Opcode.h:
14358 (JSC::padOpcodeName):
14359 * llint/LLIntCLoop.cpp:
14360 (JSC::LLInt::CLoop::initialize):
14361 * llint/LLIntCLoop.h:
14362 * llint/LLIntData.cpp:
14363 (JSC::LLInt::initialize):
14364 * llint/LLIntOpcode.h:
14365 * llint/LowLevelInterpreter.asm:
14366
143672014-02-27 Julien Brianceau <jbriance@cisco.com>
14368
14369 Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
14370 https://bugs.webkit.org/show_bug.cgi?id=129420
14371
14372 Reviewed by Geoffrey Garen.
14373
14374 * dfg/DFGSpeculativeJIT.h:
14375 (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
14376 Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.
14377
143782014-02-27 Filip Pizlo <fpizlo@apple.com>
14379
14380 Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
14381 https://bugs.webkit.org/show_bug.cgi?id=129435
14382
14383 Reviewed by Oliver Hunt.
14384
14385 This is a 5-10% speed-up on Octane/closure.
14386
14387 * interpreter/Interpreter.cpp:
14388 (JSC::Interpreter::execute):
14389 * jsc.cpp:
14390 (GlobalObject::finishCreation):
14391 (functionClearCodeCache):
14392 * runtime/BatchedTransitionOptimizer.h:
14393 (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
14394 (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
14395
143962014-02-27 Alexey Proskuryakov <ap@apple.com>
14397
14398 Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.
14399
14400 * inspector/scripts: Added property svn:ignore.
14401 * replay/scripts: Added property svn:ignore.
14402
144032014-02-27 Gabor Rapcsanyi <rgabor@webkit.org>
14404
14405 r164764 broke the ARM build
14406 https://bugs.webkit.org/show_bug.cgi?id=129415
14407
14408 Reviewed by Zoltan Herczeg.
14409
14410 * assembler/MacroAssemblerARM.h:
14411 (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
14412 (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
14413 (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
14414 (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.
14415
144162014-02-27 Mark Hahnenberg <mhahnenberg@apple.com>
14417
14418 r164764 broke the ARM build
14419 https://bugs.webkit.org/show_bug.cgi?id=129415
14420
14421 Reviewed by Geoffrey Garen.
14422
14423 * assembler/MacroAssemblerARM.h:
14424 (JSC::MacroAssemblerARM::moveWithPatch):
14425
144262014-02-26 Mark Hahnenberg <mhahnenberg@apple.com>
14427
14428 r164764 broke the ARM build
14429 https://bugs.webkit.org/show_bug.cgi?id=129415
14430
14431 Reviewed by Geoffrey Garen.
14432
14433 * assembler/MacroAssemblerARM.h:
14434 (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.
14435
144362014-02-26 Mark Hahnenberg <mhahnenberg@apple.com>
14437
14438 EFL build fix
14439
14440 * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
14441 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
14442 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
14443
144442014-02-25 Mark Hahnenberg <mhahnenberg@apple.com>
14445
14446 Make JSCells have 32-bit Structure pointers
14447 https://bugs.webkit.org/show_bug.cgi?id=123195
14448
14449 Reviewed by Filip Pizlo.
14450
14451 This patch changes JSCells such that they no longer have a full 64-bit Structure
14452 pointer in their header. Instead they now have a 32-bit index into
14453 a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
14454 pointers.
14455
14456 This change frees up an additional 32 bits of information in our object headers.
14457 We then use this extra space to store the indexing type of the object, the JSType
14458 of the object, some various type flags, and garbage collection data (e.g. mark bit).
14459 Because this inline type information is now faster to read, it pays for the slowdown
14460 incurred by having to perform an extra indirection through the StructureIDTable.
14461
14462 This patch also threads a reference to the current VM through more of the C++ runtime
14463 to offset the cost of having to look up the VM to get the actual Structure pointer.
14464
14465 * API/JSContext.mm:
14466 (-[JSContext setException:]):
14467 (-[JSContext wrapperForObjCObject:]):
14468 (-[JSContext wrapperForJSObject:]):
14469 * API/JSContextRef.cpp:
14470 (JSContextGroupRelease):
14471 (JSGlobalContextRelease):
14472 * API/JSObjectRef.cpp:
14473 (JSObjectIsFunction):
14474 (JSObjectCopyPropertyNames):
14475 * API/JSValue.mm:
14476 (containerValueToObject):
14477 * API/JSWrapperMap.mm:
14478 (tryUnwrapObjcObject):
14479 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
14480 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
14481 * JavaScriptCore.xcodeproj/project.pbxproj:
14482 * assembler/AbstractMacroAssembler.h:
14483 * assembler/MacroAssembler.h:
14484 (JSC::MacroAssembler::patchableBranch32WithPatch):
14485 (JSC::MacroAssembler::patchableBranch32):
14486 * assembler/MacroAssemblerARM64.h:
14487 (JSC::MacroAssemblerARM64::branchPtrWithPatch):
14488 (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
14489 (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
14490 (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
14491 (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
14492 * assembler/MacroAssemblerARMv7.h:
14493 (JSC::MacroAssemblerARMv7::store8):
14494 (JSC::MacroAssemblerARMv7::branch32WithPatch):
14495 (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
14496 (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
14497 (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
14498 (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
14499 * assembler/MacroAssemblerX86.h:
14500 (JSC::MacroAssemblerX86::branch32WithPatch):
14501 (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
14502 (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
14503 (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
14504 * assembler/MacroAssemblerX86_64.h:
14505 (JSC::MacroAssemblerX86_64::store32):
14506 (JSC::MacroAssemblerX86_64::moveWithPatch):
14507 (JSC::MacroAssemblerX86_64::branch32WithPatch):
14508 (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
14509 (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
14510 (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
14511 (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
14512 * assembler/RepatchBuffer.h:
14513 (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
14514 (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
14515 * assembler/X86Assembler.h:
14516 (JSC::X86Assembler::revertJumpTo_movq_i64r):
14517 (JSC::X86Assembler::revertJumpTo_movl_i32r):
14518 * bytecode/ArrayProfile.cpp:
14519 (JSC::ArrayProfile::computeUpdatedPrediction):
14520 * bytecode/ArrayProfile.h:
14521 (JSC::ArrayProfile::ArrayProfile):
14522 (JSC::ArrayProfile::addressOfLastSeenStructureID):
14523 (JSC::ArrayProfile::observeStructure):
14524 * bytecode/CodeBlock.h:
14525 (JSC::CodeBlock::heap):
14526 * bytecode/UnlinkedCodeBlock.h:
14527 * debugger/Debugger.h:
14528 * dfg/DFGAbstractHeap.h:
14529 * dfg/DFGArrayifySlowPathGenerator.h:
14530 * dfg/DFGClobberize.h:
14531 (JSC::DFG::clobberize):
14532 * dfg/DFGJITCompiler.h:
14533 (JSC::DFG::JITCompiler::branchWeakStructure):
14534 (JSC::DFG::JITCompiler::branchStructurePtr):
14535 * dfg/DFGOSRExitCompiler32_64.cpp:
14536 (JSC::DFG::OSRExitCompiler::compileExit):
14537 * dfg/DFGOSRExitCompiler64.cpp:
14538 (JSC::DFG::OSRExitCompiler::compileExit):
14539 * dfg/DFGOSRExitCompilerCommon.cpp:
14540 (JSC::DFG::osrWriteBarrier):
14541 (JSC::DFG::adjustAndJumpToTarget):
14542 * dfg/DFGOperations.cpp:
14543 (JSC::DFG::putByVal):
14544 * dfg/DFGSpeculativeJIT.cpp:
14545 (JSC::DFG::SpeculativeJIT::checkArray):
14546 (JSC::DFG::SpeculativeJIT::arrayify):
14547 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
14548 (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
14549 (JSC::DFG::SpeculativeJIT::compileInstanceOf):
14550 (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
14551 (JSC::DFG::SpeculativeJIT::speculateObject):
14552 (JSC::DFG::SpeculativeJIT::speculateFinalObject):
14553 (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
14554 (JSC::DFG::SpeculativeJIT::speculateString):
14555 (JSC::DFG::SpeculativeJIT::speculateStringObject):
14556 (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
14557 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
14558 (JSC::DFG::SpeculativeJIT::emitSwitchString):
14559 (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
14560 (JSC::DFG::SpeculativeJIT::writeBarrier):
14561 * dfg/DFGSpeculativeJIT.h:
14562 (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
14563 (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
14564 * dfg/DFGSpeculativeJIT32_64.cpp:
14565 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
14566 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
14567 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
14568 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
14569 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
14570 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
14571 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
14572 (JSC::DFG::SpeculativeJIT::compile):
14573 (JSC::DFG::SpeculativeJIT::writeBarrier):
14574 * dfg/DFGSpeculativeJIT64.cpp:
14575 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
14576 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
14577 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
14578 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
14579 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
14580 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
14581 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
14582 (JSC::DFG::SpeculativeJIT::compile):
14583 (JSC::DFG::SpeculativeJIT::writeBarrier):
14584 * dfg/DFGWorklist.cpp:
14585 * ftl/FTLAbstractHeapRepository.cpp:
14586 (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
14587 * ftl/FTLAbstractHeapRepository.h:
14588 * ftl/FTLLowerDFGToLLVM.cpp:
14589 (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
14590 (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
14591 (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
14592 (JSC::FTL::LowerDFGToLLVM::compileToString):
14593 (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
14594 (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
14595 (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
14596 (JSC::FTL::LowerDFGToLLVM::allocateCell):
14597 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
14598 (JSC::FTL::LowerDFGToLLVM::isObject):
14599 (JSC::FTL::LowerDFGToLLVM::isString):
14600 (JSC::FTL::LowerDFGToLLVM::isArrayType):
14601 (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
14602 (JSC::FTL::LowerDFGToLLVM::isType):
14603 (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
14604 (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
14605 (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
14606 (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
14607 (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
14608 (JSC::FTL::LowerDFGToLLVM::loadStructure):
14609 (JSC::FTL::LowerDFGToLLVM::weakStructure):
14610 * ftl/FTLOSRExitCompiler.cpp:
14611 (JSC::FTL::compileStub):
14612 * ftl/FTLOutput.h:
14613 (JSC::FTL::Output::store8):
14614 * heap/GCAssertions.h:
14615 * heap/Heap.cpp:
14616 (JSC::Heap::getConservativeRegisterRoots):
14617 (JSC::Heap::collect):
14618 (JSC::Heap::writeBarrier):
14619 * heap/Heap.h:
14620 (JSC::Heap::structureIDTable):
14621 * heap/MarkedSpace.h:
14622 (JSC::MarkedSpace::forEachBlock):
14623 * heap/SlotVisitorInlines.h:
14624 (JSC::SlotVisitor::internalAppend):
14625 * jit/AssemblyHelpers.h:
14626 (JSC::AssemblyHelpers::branchIfCellNotObject):
14627 (JSC::AssemblyHelpers::genericWriteBarrier):
14628 (JSC::AssemblyHelpers::emitLoadStructure):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::generateFastPathChecks):
        * jit/JITInlineCacheGenerator.h:
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadCharacterString):
        (JSC::JIT::checkStructure):
        (JSC::JIT::emitJumpIfCellNotObject):
        (JSC::JIT::emitAllocateJSObject):
        (JSC::JIT::emitArrayProfilingSiteWithCell):
        (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
        (JSC::JIT::branchStructure):
        (JSC::branchStructure):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_check_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_string):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emitSlow_op_to_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_check_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_string):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        (JSC::JIT::emit_op_to_this):
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_get_by_pname):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitLoadWithStructureCheck):
        (JSC::JIT::emitSlow_op_get_from_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        (JSC::JIT::checkMarkWord):
        (JSC::JIT::emitWriteBarrier):
        (JSC::JIT::addStructureTransitionCheck):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_get_by_pname):
        (JSC::JIT::emitLoadWithStructureCheck):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitJumpIfNotType):
        * jit/Repatch.cpp:
        (JSC::repatchByIdSelfAccess):
        (JSC::addStructureTransitionCheck):
        (JSC::replaceWithJump):
        (JSC::generateProtoChainAccessStub):
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::writeBarrier):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStub):
        (JSC::tryBuildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::linkClosureCall):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::loadJSStringArgument):
        (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualForThunkGenerator):
        (JSC::arrayIteratorNextThunkGenerator):
        * jit/UnusedPointer.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Arguments.cpp:
        (JSC::Arguments::createStrictModeCallerIfNecessary):
        (JSC::Arguments::createStrictModeCalleeIfNecessary):
        * runtime/Arguments.h:
        (JSC::Arguments::createStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncReverse):
        (JSC::performSlowSort):
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/Executable.h:
        (JSC::ExecutableBase::isFunctionExecutable):
        (JSC::ExecutableBase::clearCodeVirtual):
        (JSC::ScriptExecutable::unlinkCalls):
        * runtime/GetterSetter.cpp:
        (JSC::callGetter):
        (JSC::callSetter):
        * runtime/InitializeThreading.cpp:
        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::sortNumericVector):
        (JSC::JSArray::sortNumeric):
        (JSC::JSArray::sortCompactedVector):
        (JSC::JSArray::sort):
        (JSC::JSArray::sortVector):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        (JSC::JSArray::compactForSorting):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toThis):
        (JSC::JSValue::put):
        (JSC::JSValue::putByIndex):
        (JSC::JSValue::equalSlowCaseInline):
        * runtime/JSCell.cpp:
        (JSC::JSCell::put):
        (JSC::JSCell::putByIndex):
        (JSC::JSCell::deleteProperty):
        (JSC::JSCell::deletePropertyByIndex):
        * runtime/JSCell.h:
        (JSC::JSCell::clearStructure):
        (JSC::JSCell::mark):
        (JSC::JSCell::isMarked):
        (JSC::JSCell::structureIDOffset):
        (JSC::JSCell::typeInfoFlagsOffset):
        (JSC::JSCell::typeInfoTypeOffset):
        (JSC::JSCell::indexingTypeOffset):
        (JSC::JSCell::gcDataOffset):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::JSCell):
        (JSC::JSCell::finishCreation):
        (JSC::JSCell::type):
        (JSC::JSCell::indexingType):
        (JSC::JSCell::structure):
        (JSC::JSCell::visitChildren):
        (JSC::JSCell::isObject):
        (JSC::JSCell::isString):
        (JSC::JSCell::isGetterSetter):
        (JSC::JSCell::isProxy):
        (JSC::JSCell::isAPIValueWrapper):
        (JSC::JSCell::setStructure):
        (JSC::JSCell::methodTable):
        (JSC::Heap::writeBarrier):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::createStructure):
        * runtime/JSDestructibleObject.h:
        (JSC::JSCell::classInfo):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::createStructure):
        * runtime/JSObject.cpp:
        (JSC::getCallableObjectSlow):
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::visitButterfly):
        (JSC::JSFinalObject::visitChildren):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::put):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::enterDictionaryIndexingMode):
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::hasOwnProperty):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getPrimitiveNumber):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::getPropertySpecificValue):
        (JSC::JSObject::getPropertyNames):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::removeDirect):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        (JSC::JSObject::getNewVectorLength):
        (JSC::JSObject::countElements):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::growOutOfLineStorage):
        (JSC::JSObject::getOwnPropertyDescriptor):
        (JSC::putDescriptor):
        (JSC::JSObject::defineOwnNonIndexProperty):
        * runtime/JSObject.h:
        (JSC::getJSFunction):
        (JSC::JSObject::getArrayLength):
        (JSC::JSObject::getVectorLength):
        (JSC::JSObject::putByIndexInline):
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly):
        (JSC::JSObject::getDirectIndex):
        (JSC::JSObject::canSetIndexQuickly):
        (JSC::JSObject::canSetIndexQuicklyForPutDirect):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::hasSparseMap):
        (JSC::JSObject::inSparseIndexingMode):
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectOffset):
        (JSC::JSObject::isSealed):
        (JSC::JSObject::isFrozen):
        (JSC::JSObject::flattenDictionaryObject):
        (JSC::JSObject::ensureInt32):
        (JSC::JSObject::ensureDouble):
        (JSC::JSObject::ensureContiguous):
        (JSC::JSObject::rageEnsureContiguous):
        (JSC::JSObject::ensureArrayStorage):
        (JSC::JSObject::arrayStorage):
        (JSC::JSObject::arrayStorageOrNull):
        (JSC::JSObject::ensureLength):
        (JSC::JSObject::currentIndexingData):
        (JSC::JSObject::getHolyIndexQuickly):
        (JSC::JSObject::currentRelevantLength):
        (JSC::JSObject::isGlobalObject):
        (JSC::JSObject::isVariableObject):
        (JSC::JSObject::isStaticScopeObject):
        (JSC::JSObject::isNameScopeObject):
        (JSC::JSObject::isActivationObject):
        (JSC::JSObject::isErrorInstance):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::fastGetOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::getOwnPropertySlot):
        (JSC::JSProxy::getOwnPropertySlotByIndex):
        (JSC::JSProxy::put):
        (JSC::JSProxy::putByIndex):
        (JSC::JSProxy::defineOwnProperty):
        (JSC::JSProxy::deleteProperty):
        (JSC::JSProxy::deletePropertyByIndex):
        (JSC::JSProxy::getPropertyNames):
        (JSC::JSProxy::getOwnPropertyNames):
        * runtime/JSScope.cpp:
        (JSC::JSScope::objectAtScope):
        * runtime/JSString.h:
        (JSC::JSString::createStructure):
        (JSC::isJSString):
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):
        (JSC::TypeInfo::isObject):
        (JSC::TypeInfo::structureIsImmortal):
        (JSC::TypeInfo::zeroedGCDataOffset):
        (JSC::TypeInfo::inlineTypeFlags):
        * runtime/MapData.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        (JSC::objectConstructorDefineProperty):
        (JSC::defineProperties):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncToString):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectType):
        * runtime/Operations.h:
        (JSC::normalizePrototypeChainForChainAccess):
        (JSC::normalizePrototypeChain):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::createStructure):
        * runtime/RegExp.h:
        (JSC::RegExp::createStructure):
        * runtime/SparseArrayValueMap.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::~Structure):
        (JSC::Structure::prototypeChainMayInterceptStoreTo):
        * runtime/Structure.h:
        (JSC::Structure::id):
        (JSC::Structure::idBlob):
        (JSC::Structure::objectInitializationFields):
        (JSC::Structure::structureIDOffset):
        * runtime/StructureChain.h:
        (JSC::StructureChain::createStructure):
        * runtime/StructureIDTable.cpp: Added.
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::~StructureIDTable):
        (JSC::StructureIDTable::resize):
        (JSC::StructureIDTable::flushOldTables):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::deallocateID):
        * runtime/StructureIDTable.h: Added.
        (JSC::StructureIDTable::base):
        (JSC::StructureIDTable::get):
        * runtime/SymbolTable.h:
        * runtime/TypedArrayType.cpp:
        (JSC::typeForTypedArrayType):
        * runtime/TypedArrayType.h:
        * runtime/WeakMapData.h:

2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        Unconditional logging in compileFTLOSRExit
        https://bugs.webkit.org/show_bug.cgi?id=129407

        Reviewed by Michael Saboff.

        This was causing tests to fail with the FTL enabled.

        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):

2014-02-26  Oliver Hunt  <oliver@apple.com>

        Remove unused access types
        https://bugs.webkit.org/show_bug.cgi?id=129385

        Reviewed by Filip Pizlo.

        Remove unused cruft.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        * bytecode/StructureStubInfo.h:
        (JSC::isGetByIdAccess):
        (JSC::isPutByIdAccess):

2014-02-26  Oliver Hunt  <oliver@apple.com>

        Function.prototype.apply has a bad time with the spread operator
        https://bugs.webkit.org/show_bug.cgi?id=129381

        Reviewed by Mark Hahnenberg.

        Make sure our apply logic handles the spread operator correctly.
        To do this we simply emit the enumeration logic that we'd normally
        use for other enumerations, but only store the first two results
        to registers. Then perform a varargs call.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ApplyFunctionCallDotNode::emitBytecode):

2014-02-26  Mark Lam  <mark.lam@apple.com>

        Compilation policy management belongs in operationOptimize(), not the DFG Driver.
        <https://webkit.org/b/129355>

        Reviewed by Filip Pizlo.

        By compilation policy, I mean the rules for determining whether to
        compile, when to compile, when to attempt compilation again, etc. The
        few of these policy decisions that were previously being made in the
        DFG driver are now moved to operationOptimize() where we keep the rest
        of the policy logic. Decisions that are based on the capabilities
        supported by the DFG are moved to DFG capabilityLevel().

        I've run the following benchmarks:
        1. the collection of jsc benchmarks on the jsc executable vs. its
           baseline.
        2. Octane 2.0 in browser without the WebInspector.
        3. Octane 2.0 in browser with the WebInspector open and a breakpoint
           set somewhere where it won't break.

        In all of these, the results came out to be a wash as expected.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupported):
        (JSC::DFG::mightCompileEval):
        (JSC::DFG::mightCompileProgram):
        (JSC::DFG::mightCompileFunctionForCall):
        (JSC::DFG::mightCompileFunctionForConstruct):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForClosureCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGCapabilities.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * jit/JITOperations.cpp:

2014-02-26  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*.
        <https://webkit.org/b/129364>

        Reviewed by Alexey Proskuryakov.

        InjectedScriptModule::ensureInjected() needs an APIEntryShim.

        * inspector/InjectedScriptModule.cpp:
        (Inspector::InjectedScriptModule::ensureInjected):
        - Added the needed but missing APIEntryShim.

2014-02-25  Mark Lam  <mark.lam@apple.com>

        Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints.
        <https://webkit.org/b/128766>

        Reviewed by Geoffrey Garen.

        Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT.
        The reasoning is that we don't know of any clients that need unordered
        re-entry into the VM from different threads. So, we're enforcing ordered
        re-entry i.e. we must re-grab locks in the reverse order of dropping locks.

        The crash in this bug happened because we were allowing unordered re-entry,
        and the following type of scenario occurred:

        1. Thread T1 locks the VM, and enters the VM to execute some JS code.
        2. On entry, T1 detects that VM::m_entryScope is null i.e. this is the
           first time it entered the VM.
           T1 sets VM::m_entryScope to T1's entryScope.
        3. T1 drops all locks.

        4. Thread T2 locks the VM, and enters the VM to execute some JS code.
           On entry, T2 sees that VM::m_entryScope is NOT null, and therefore
           does not set the entryScope.
        5. T2 drops all locks.

        6. T1 re-grabs locks.
        7. T1 returns all the way out of JS code. On exit from the outermost
           JS function, T1 clears VM::m_entryScope (because T1 was the one who
           set it).
        8. T1 unlocks the VM.

        9. T2 re-grabs locks.
        10. T2 proceeds to execute some code and expects VM::m_entryScope to be
            NOT null, but it turns out to be null. Assertion failures and
            crashes ensue.

        With ordered re-entry, at step 6, T1 will loop and yield until T2 exits
        the VM. Hence, the issue will no longer manifest.

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        (JSC::JSLock::DropAllLocks::dropDepth):
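
The ordered re-entry rule from the entry above, as an added example that is not JavaScriptCore's own code: a toy VM whose dropAllLocks()/grabAllLocks() use the same drop-depth discipline, replaying the T1/T2 interleaving listed in steps 1-10 so that T1's re-grab at step 6 waits until T2 has re-grabbed and left. ToyVM, Gate and runOrderedReentryScenario are names invented here, and the step gate exists only to force that interleaving.

```cpp
#include <chrono>
#include <condition_variable>
#include <iostream>
#include <mutex>
#include <string>
#include <thread>
#include <vector>

// Toy stand-ins (invented here, not JavaScriptCore's types) for the pieces the
// entry names: the VM's API lock, its drop depth, and VM::m_entryScope.
struct ToyVM {
    std::mutex apiLock;               // the JSLock's underlying mutex
    unsigned lockDropDepth = 0;       // outstanding dropAllLocks() calls
    const char* entryScope = nullptr; // VM::m_entryScope: owner of the outermost entry
    std::vector<std::string> log;     // order in which the two threads resumed
};

// Release the lock; the returned depth is this thread's place in the drop
// order (what the entry calls DropAllLocks::dropDepth()).
static unsigned dropAllLocks(ToyVM& vm) {
    unsigned depth = vm.lockDropDepth++;
    vm.apiLock.unlock();
    return depth;
}

// Ordered re-entry: a thread may only re-grab once every thread that dropped
// after it has already re-grabbed, i.e. the depth counter is back to the value
// it had right after this thread's own drop. Until then, loop and yield.
static void grabAllLocks(ToyVM& vm, unsigned dropDepth) {
    vm.apiLock.lock();
    while (vm.lockDropDepth != dropDepth + 1) {
        vm.apiLock.unlock();
        std::this_thread::yield();
        vm.apiLock.lock();
    }
    vm.lockDropDepth--;
}

// Step gate used only to force the T1/T2 interleaving from the entry.
struct Gate {
    std::mutex m;
    std::condition_variable cv;
    int step = 0;
    void reach(int s) { std::lock_guard<std::mutex> g(m); step = s; cv.notify_all(); }
    void waitFor(int s) { std::unique_lock<std::mutex> l(m); cv.wait(l, [&] { return step >= s; }); }
};

struct ScenarioResult {
    bool t2SawEntryScope;           // step 10 of the entry: must be true after the fix
    std::vector<std::string> log;   // expected: "T2 resumed" before "T1 resumed"
};

// Replays steps 1-10 of the entry against the ordered-re-entry lock.
static ScenarioResult runOrderedReentryScenario() {
    ToyVM vm;
    Gate gate;
    bool t2Saw = false;

    std::thread t1([&] {
        vm.apiLock.lock();                          // 1. T1 locks and enters the VM
        if (!vm.entryScope) vm.entryScope = "T1";   // 2. first entry: T1 owns m_entryScope
        unsigned depth = dropAllLocks(vm);          // 3. T1 drops all locks
        gate.reach(1);
        gate.waitFor(2);                            // let T2 enter and drop first
        grabAllLocks(vm, depth);                    // 6. blocks until T2 has re-grabbed and left
        vm.log.push_back("T1 resumed");
        vm.entryScope = nullptr;                    // 7. outermost exit clears m_entryScope
        vm.apiLock.unlock();                        // 8. T1 unlocks the VM
    });
    std::thread t2([&] {
        gate.waitFor(1);
        vm.apiLock.lock();                          // 4. T2 enters; m_entryScope already set
        unsigned depth = dropAllLocks(vm);          // 5. T2 drops all locks
        gate.reach(2);
        std::this_thread::sleep_for(std::chrono::milliseconds(20)); // give T1 every chance to jump the queue
        grabAllLocks(vm, depth);                    // 9. passes at once: T2 dropped last
        t2Saw = vm.entryScope != nullptr;           // 10. still non-null, so no assertion failure
        vm.log.push_back("T2 resumed");
        vm.apiLock.unlock();
    });
    t1.join();
    t2.join();
    return { t2Saw, vm.log };
}

int main() {
    ScenarioResult r = runOrderedReentryScenario();
    for (const std::string& line : r.log)
        std::cout << line << "\n";
    std::cout << "T2 saw entryScope: " << (r.t2SawEntryScope ? "yes" : "no") << "\n";
    return r.t2SawEntryScope ? 0 : 1;
}
```

Removing the depth check in grabAllLocks() reproduces the unordered behaviour: T1 can re-grab during T2's sleep, clear entryScope and unlock, and T2 then resumes with a null entry scope.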

2014-02-25  Mark Lam  <mark.lam@apple.com>

        Need to initialize VM stack data even when the VM is on an exclusive thread.
        <https://webkit.org/b/129265>

        Not reviewed.

        Relanding r164627 now that <https://webkit.org/b/129341> is fixed.

        * API/APIShims.h:
        (JSC::APIEntryShim::APIEntryShim):
        (JSC::APICallbackShim::shouldDropAllLocks):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::setExclusiveThread):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        (JSC::JSLock::hasExclusiveThread):
        (JSC::JSLock::exclusiveThread):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::hasExclusiveThread):
        (JSC::VM::exclusiveThread):
        (JSC::VM::setExclusiveThread):
        (JSC::VM::currentThreadIsHoldingAPILock):

2014-02-25  Filip Pizlo  <fpizlo@apple.com>

        Inline caching in the FTL on ARM64 should "work"
        https://bugs.webkit.org/show_bug.cgi?id=129334

        Reviewed by Mark Hahnenberg.

        Gets us to the point where simple tests that use inline caching are passing.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::shrink):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfGetById):
        (JSC::FTL::sizeOfPutById):
        (JSC::FTL::sizeOfCall):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):
        * jit/GPRInfo.h:
        * offlineasm/arm64.rb:

2014-02-25  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r164627.
        http://trac.webkit.org/changeset/164627
        https://bugs.webkit.org/show_bug.cgi?id=129325

        Broke SubtleCrypto tests (Requested by ap on #webkit).

        * API/APIShims.h:
        (JSC::APIEntryShim::APIEntryShim):
        (JSC::APICallbackShim::shouldDropAllLocks):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::currentThreadIsHoldingAPILock):

2014-02-25  Filip Pizlo  <fpizlo@apple.com>

        ARM64 rshift64 should be an arithmetic shift
        https://bugs.webkit.org/show_bug.cgi?id=129323

        Reviewed by Mark Hahnenberg.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::rshift64):

2014-02-25  Sergio Villar Senin  <svillar@igalia.com>

        [CSS Grid Layout] Add ENABLE flag
        https://bugs.webkit.org/show_bug.cgi?id=129153

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag.

2014-02-25  Michael Saboff  <msaboff@apple.com>

        JIT Engines use the wrong stack limit for stack checks
        https://bugs.webkit.org/show_bug.cgi?id=129314

        Reviewed by Filip Pizlo.

        Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * runtime/VM.h:
        (JSC::VM::addressOfStackLimit):

2014-02-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/164493.

        It causes crashes, apparently because it's removing too many barriers. I will investigate
        later.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        * bytecode/SpeculatedType.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        * dfg/DFGNode.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isNotNully):
        (JSC::FTL::LowerDFGToLLVM::isNully):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::speculateNotCell):

2014-02-24  Oliver Hunt  <oliver@apple.com>

        Fix build.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2014-02-24  Oliver Hunt  <oliver@apple.com>

        Spread operator has a bad time when applied to call function
        https://bugs.webkit.org/show_bug.cgi?id=128853

        Reviewed by Geoffrey Garen.

        Follow on from the previous patch that added an extra slot to
        op_call_varargs (and _call, _call_eval, _construct). We now
        use the slot as an offset to in effect act as a 'slice' on
        the spread subject. This allows us to automatically retain
        all our existing argument and array optimisations. Most of
        this patch is simply threading the offset around.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::getArgumentByVal):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::sizeFrameForVarargs):
        (JSC::loadVarargs):
        * interpreter/Interpreter.h:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::copyToArguments):
        * runtime/Arguments.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::copyToArguments):
        * runtime/JSArray.h:

2014-02-24  Mark Lam  <mark.lam@apple.com>

        Need to initialize VM stack data even when the VM is on an exclusive thread.
        <https://webkit.org/b/129265>

        Reviewed by Geoffrey Garen.

        We check VM::exclusiveThread as an optimization to forego the need to do
        JSLock locking. However, we recently started piggybacking on JSLock's
        lock() and unlock() to initialize VM stack data (stackPointerAtVMEntry
        and lastStackTop) to appropriate values for the current thread. This is
        needed because we may be acquiring the lock to enter the VM on a different
        thread.

        As a result, we ended up not initializing the VM stack data when
        VM::exclusiveThread causes us to bypass the locking activity. Even though
        the VM::exclusiveThread will not have to deal with the VM being entered
        on a different thread, it still needs to initialize the VM stack data.
        The VM relies on that data being initialized properly once it has been
        entered.

        With this fix, we push the check for exclusiveThread down into the JSLock,
        and handle the bypassing of unneeded locking activity there while still
        executing the necessary VM stack data initialization.

        * API/APIShims.h:
        (JSC::APIEntryShim::APIEntryShim):
        (JSC::APICallbackShim::shouldDropAllLocks):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::setExclusiveThread):
        (JSC::JSLock::lock):
        (JSLock::unlock):
        (JSLock::currentThreadIsHoldingLock):
        (JSLock::dropAllLocks):
        (JSLock::grabAllLocks):
        * runtime/JSLock.h:
        (JSC::JSLock::exclusiveThread):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::exclusiveThread):
        (JSC::VM::setExclusiveThread):
        (JSC::VM::currentThreadIsHoldingAPILock):

2014-02-24  Filip Pizlo  <fpizlo@apple.com>

        FTL should do polymorphic PutById inlining
        https://bugs.webkit.org/show_bug.cgi?id=129210

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        This makes PutByIdStatus inform us about polymorphic cases by returning an array of
        PutByIdVariants. The DFG now has a node called MultiPutByOffset that indicates a
        selection of multiple inlined PutByIdVariants.

        MultiPutByOffset is almost identical to MultiGetByOffset, which we added in
        http://trac.webkit.org/changeset/164207.

        This also does some FTL refactoring to make MultiPutByOffset share code with some nodes
        that generate similar code.

        1% speed-up on V8v7 due to splay improving by 6.8%. Splay does the thing where it
        sometimes swaps field insertion order, creating fake polymorphism.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::isSimple):
        (JSC::PutByIdStatus::numVariants):
        (JSC::PutByIdStatus::variants):
        (JSC::PutByIdStatus::at):
        (JSC::PutByIdStatus::operator[]):
        * bytecode/PutByIdVariant.cpp: Added.
        (JSC::PutByIdVariant::dump):
        (JSC::PutByIdVariant::dumpInContext):
        * bytecode/PutByIdVariant.h: Added.
        (JSC::PutByIdVariant::PutByIdVariant):
        (JSC::PutByIdVariant::replace):
        (JSC::PutByIdVariant::transition):
        (JSC::PutByIdVariant::kind):
        (JSC::PutByIdVariant::isSet):
        (JSC::PutByIdVariant::operator!):
        (JSC::PutByIdVariant::structure):
        (JSC::PutByIdVariant::oldStructure):
        (JSC::PutByIdVariant::newStructure):
        (JSC::PutByIdVariant::structureChain):
        (JSC::PutByIdVariant::offset):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.cpp:
        (JSC::DFG::MultiPutByOffsetData::writesStructures):
        (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::hasMultiPutByOffsetData):
        (JSC::DFG::Node::multiPutByOffsetData):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
        (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
        (JSC::FTL::LowerDFGToLLVM::loadProperty):
        (JSC::FTL::LowerDFGToLLVM::storeProperty):
        (JSC::FTL::LowerDFGToLLVM::addressOfProperty):
        (JSC::FTL::LowerDFGToLLVM::storageForTransition):
        (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        * tests/stress/fold-multi-put-by-offset-to-put-by-offset.js: Added.
        * tests/stress/multi-put-by-offset-reallocation-butterfly-cse.js: Added.
        * tests/stress/multi-put-by-offset-reallocation-cases.js: Added.

155122014-02-24 peavo@outlook.com <peavo@outlook.com>
15513
15514 JSC regressions after r164494
15515 https://bugs.webkit.org/show_bug.cgi?id=129272
15516
15517 Reviewed by Mark Lam.
15518
15519 * offlineasm/x86.rb: Only avoid reverse opcode (fdivr) for Windows.
15520
155212014-02-24 Tamas Gergely <tgergely.u-szeged@partner.samsung.com>
15522
15523 Code cleanup: remove leftover ENABLE(WORKERS) macros and support.
15524 https://bugs.webkit.org/show_bug.cgi?id=129255
15525
15526 Reviewed by Csaba Osztrogonác.
15527
15528 ENABLE_WORKERS macro was removed in r159679.
15529 Support is now also removed from xcconfig files.
15530
15531 * Configurations/FeatureDefines.xcconfig:
15532
155332014-02-24 David Kilzer <ddkilzer@apple.com>
15534
15535 Remove redundant setting in FeatureDefines.xcconfig
15536
15537 * Configurations/FeatureDefines.xcconfig:
15538
155392014-02-23 Sam Weinig <sam@webkit.org>
15540
15541 Update FeatureDefines.xcconfig
15542
15543 Rubber-stamped by Anders Carlsson.
15544
15545 * Configurations/FeatureDefines.xcconfig:
15546
155472014-02-23 Dean Jackson <dino@apple.com>
15548
15549 Sort the project file with sort-Xcode-project-file.
15550
15551 Rubber-stamped by Sam Weinig.
15552
15553 * JavaScriptCore.xcodeproj/project.pbxproj:
15554
155552014-02-23 Sam Weinig <sam@webkit.org>
15556
15557 Move telephone number detection behind its own ENABLE macro
15558 https://bugs.webkit.org/show_bug.cgi?id=129236
15559
15560 Reviewed by Dean Jackson.
15561
15562 * Configurations/FeatureDefines.xcconfig:
15563 Add ENABLE_TELEPHONE_NUMBER_DETECTION.
15564
155652014-02-22 Filip Pizlo <fpizlo@apple.com>
15566
15567 Refine DFG+FTL inlining and compilation limits
15568 https://bugs.webkit.org/show_bug.cgi?id=129212
15569
15570 Reviewed by Mark Hahnenberg.
15571
15572 Allow larger functions to be DFG-compiled. Institute a limit on FTL compilation,
15573 and set that limit quite high. Institute a limit on inlining-into. The idea here is
15574 that large functions tend to be autogenerated, and code generators like emscripten
15575 appear to leave few inlining opportunities anyway. Also, we don't want the code
15576 size explosion that we would risk if we allowed compilation of a large function and
15577 then inlined a ton of stuff into it.
15578
15579 This is a 0.5% speed-up on Octane v2 and almost eliminates the typescript
15580 regression. This is a 9% speed-up on AsmBench.
15581
15582 * bytecode/CodeBlock.cpp:
15583 (JSC::CodeBlock::noticeIncomingCall):
15584 * dfg/DFGByteCodeParser.cpp:
15585 (JSC::DFG::ByteCodeParser::handleInlining):
15586 * dfg/DFGCapabilities.h:
15587 (JSC::DFG::isSmallEnoughToInlineCodeInto):
15588 * ftl/FTLCapabilities.cpp:
15589 (JSC::FTL::canCompile):
15590 * ftl/FTLState.h:
15591 (JSC::FTL::shouldShowDisassembly):
15592 * runtime/Options.h:
15593
155942014-02-22 Dan Bernstein <mitz@apple.com>
15595
15596 REGRESSION (r164507): Crash beneath JSGlobalObjectInspectorController::reportAPIException at facebook.com, twitter.com, youtube.com
15597 https://bugs.webkit.org/show_bug.cgi?id=129227
15598
15599 Reviewed by Eric Carlson.
15600
15601 Reverted r164507.
15602
15603 * API/JSBase.cpp:
15604 (JSEvaluateScript):
15605 (JSCheckScriptSyntax):
15606 * API/JSObjectRef.cpp:
15607 (JSObjectMakeFunction):
15608 (JSObjectMakeArray):
15609 (JSObjectMakeDate):
15610 (JSObjectMakeError):
15611 (JSObjectMakeRegExp):
15612 (JSObjectGetProperty):
15613 (JSObjectSetProperty):
15614 (JSObjectGetPropertyAtIndex):
15615 (JSObjectSetPropertyAtIndex):
15616 (JSObjectDeleteProperty):
15617 (JSObjectCallAsFunction):
15618 (JSObjectCallAsConstructor):
15619 * API/JSValue.mm:
15620 (valueToArray):
15621 (valueToDictionary):
15622 * API/JSValueRef.cpp:
15623 (JSValueIsEqual):
15624 (JSValueIsInstanceOfConstructor):
15625 (JSValueCreateJSONString):
15626 (JSValueToNumber):
15627 (JSValueToStringCopy):
15628 (JSValueToObject):
15629 * inspector/ConsoleMessage.cpp:
15630 (Inspector::ConsoleMessage::ConsoleMessage):
15631 (Inspector::ConsoleMessage::autogenerateMetadata):
15632 * inspector/ConsoleMessage.h:
15633 * inspector/JSGlobalObjectInspectorController.cpp:
15634 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
15635 * inspector/JSGlobalObjectInspectorController.h:
15636 * inspector/ScriptCallStack.cpp:
15637 * inspector/ScriptCallStack.h:
15638 * inspector/ScriptCallStackFactory.cpp:
15639 (Inspector::createScriptCallStack):
15640 (Inspector::createScriptCallStackForConsole):
15641 (Inspector::createScriptCallStackFromException):
15642 * inspector/ScriptCallStackFactory.h:
15643 * inspector/agents/InspectorConsoleAgent.cpp:
15644 (Inspector::InspectorConsoleAgent::enable):
15645 (Inspector::InspectorConsoleAgent::addMessageToConsole):
15646 (Inspector::InspectorConsoleAgent::count):
15647 * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
15648 (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
15649
156502014-02-22 Joseph Pecoraro <pecoraro@apple.com>
15651
15652 Remove some unreachable code (-Wunreachable-code)
15653 https://bugs.webkit.org/show_bug.cgi?id=129220
15654
15655 Reviewed by Eric Carlson.
15656
15657 * API/tests/testapi.c:
15658 (EvilExceptionObject_convertToType):
15659 * disassembler/udis86/udis86_decode.c:
15660 (decode_operand):
15661
156622014-02-22 Filip Pizlo <fpizlo@apple.com>
15663
15664 Unreviewed, ARMv7 build fix.
15665
15666 * assembler/ARMv7Assembler.h:
15667
156682014-02-21 Filip Pizlo <fpizlo@apple.com>
15669
15670 It should be possible for a LinkBuffer to outlive the MacroAssembler and still be useful
15671 https://bugs.webkit.org/show_bug.cgi?id=124733
15672
15673 Reviewed by Oliver Hunt.
15674
15675 This also takes the opportunity to de-duplicate some branch compaction code.
15676
15677 * assembler/ARM64Assembler.h:
15678 * assembler/ARMv7Assembler.h:
15679 (JSC::ARMv7Assembler::buffer):
15680 * assembler/AssemblerBuffer.h:
15681 (JSC::AssemblerData::AssemblerData):
15682 (JSC::AssemblerBuffer::AssemblerBuffer):
15683 (JSC::AssemblerBuffer::storage):
15684 (JSC::AssemblerBuffer::grow):
15685 * assembler/LinkBuffer.h:
15686 (JSC::LinkBuffer::LinkBuffer):
15687 (JSC::LinkBuffer::executableOffsetFor):
15688 (JSC::LinkBuffer::applyOffset):
15689 * assembler/MacroAssemblerARM64.h:
15690 (JSC::MacroAssemblerARM64::link):
15691 * assembler/MacroAssemblerARMv7.h:
15692
156932014-02-21 Brent Fulgham <bfulgham@apple.com>
15694
15695 Extend media support for WebVTT sources
15696 https://bugs.webkit.org/show_bug.cgi?id=129156
15697
15698 Reviewed by Eric Carlson.
15699
15700 * Configurations/FeatureDefines.xcconfig: Add new feature define for AVF_CAPTIONS
15701
157022014-02-21 Joseph Pecoraro <pecoraro@apple.com>
15703
15704 Web Inspector: JSContext inspection should report exceptions in the console
15705 https://bugs.webkit.org/show_bug.cgi?id=128776
15706
15707 Reviewed by Timothy Hatcher.
15708
15709 When JavaScript API functions have an exception, let the inspector
15710 know so it can log the JavaScript and Native backtrace that caused
15711 the exception.
15712
15713 Include some clean up of ConsoleMessage and ScriptCallStack construction.
15714
15715 * API/JSBase.cpp:
15716 (JSEvaluateScript):
15717 (JSCheckScriptSyntax):
15718 * API/JSObjectRef.cpp:
15719 (JSObjectMakeFunction):
15720 (JSObjectMakeArray):
15721 (JSObjectMakeDate):
15722 (JSObjectMakeError):
15723 (JSObjectMakeRegExp):
15724 (JSObjectGetProperty):
15725 (JSObjectSetProperty):
15726 (JSObjectGetPropertyAtIndex):
15727 (JSObjectSetPropertyAtIndex):
15728 (JSObjectDeleteProperty):
15729 (JSObjectCallAsFunction):
15730 (JSObjectCallAsConstructor):
15731 * API/JSValue.mm:
15732 (reportExceptionToInspector):
15733 (valueToArray):
15734 (valueToDictionary):
15735 * API/JSValueRef.cpp:
15736 (JSValueIsEqual):
15737 (JSValueIsInstanceOfConstructor):
15738 (JSValueCreateJSONString):
15739 (JSValueToNumber):
15740 (JSValueToStringCopy):
15741 (JSValueToObject):
15742 When seeing an exception, let the inspector know there was an exception.
15743
15744 * inspector/JSGlobalObjectInspectorController.h:
15745 * inspector/JSGlobalObjectInspectorController.cpp:
15746 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
15747 (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
15748 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
15749 Log API exceptions by also grabbing the native backtrace.
15750
15751 * inspector/ScriptCallStack.h:
15752 * inspector/ScriptCallStack.cpp:
15753 (Inspector::ScriptCallStack::firstNonNativeCallFrame):
15754 (Inspector::ScriptCallStack::append):
15755 Minor extensions to ScriptCallStack to make it easier to work with.
15756
15757 * inspector/ConsoleMessage.cpp:
15758 (Inspector::ConsoleMessage::ConsoleMessage):
15759 (Inspector::ConsoleMessage::autogenerateMetadata):
15760 Provide better default information if the first call frame was native.
15761
15762 * inspector/ScriptCallStackFactory.cpp:
15763 (Inspector::createScriptCallStack):
15764 (Inspector::extractSourceInformationFromException):
15765 (Inspector::createScriptCallStackFromException):
15766 Perform the handling here of inserting a fake call frame for exceptions
15767 if there was no call stack (e.g. a SyntaxError) or if the first call
15768 frame had no information.
15769
15770 * inspector/ConsoleMessage.cpp:
15771 (Inspector::ConsoleMessage::ConsoleMessage):
15772 (Inspector::ConsoleMessage::autogenerateMetadata):
15773 * inspector/ConsoleMessage.h:
15774 * inspector/ScriptCallStackFactory.cpp:
15775 (Inspector::createScriptCallStack):
15776 (Inspector::createScriptCallStackForConsole):
15777 * inspector/ScriptCallStackFactory.h:
15778 * inspector/agents/InspectorConsoleAgent.cpp:
15779 (Inspector::InspectorConsoleAgent::enable):
15780 (Inspector::InspectorConsoleAgent::addMessageToConsole):
15781 (Inspector::InspectorConsoleAgent::count):
15782 * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
15783 (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
15784 ConsoleMessage cleanup.
15785
157862014-02-21 Oliver Hunt <oliver@apple.com>
15787
15788 Add extra space to op_call and related opcodes
15789 https://bugs.webkit.org/show_bug.cgi?id=129170
15790
15791 Reviewed by Mark Lam.
15792
15793 No change in behaviour, just some refactoring to add an extra
15794 slot to the op_call instructions, and refactoring to make similar
15795 changes easier in future.
15796
15797 * bytecode/CodeBlock.cpp:
15798 (JSC::CodeBlock::printCallOp):
15799 * bytecode/Opcode.h:
15800 (JSC::padOpcodeName):
15801 * bytecompiler/BytecodeGenerator.cpp:
15802 (JSC::BytecodeGenerator::emitCall):
15803 (JSC::BytecodeGenerator::emitCallVarargs):
15804 (JSC::BytecodeGenerator::emitConstruct):
15805 * dfg/DFGByteCodeParser.cpp:
15806 (JSC::DFG::ByteCodeParser::handleIntrinsic):
15807 * jit/JITCall.cpp:
15808 (JSC::JIT::compileOpCall):
15809 * jit/JITCall32_64.cpp:
15810 (JSC::JIT::compileOpCall):
15811 * llint/LowLevelInterpreter.asm:
15812 * llint/LowLevelInterpreter32_64.asm:
15813 * llint/LowLevelInterpreter64.asm:
15814
158152014-02-21 Mark Lam <mark.lam@apple.com>
15816
15817 gatherFromOtherThread() needs to align the sp before gathering roots.
15818 <https://webkit.org/b/129169>
15819
15820 Reviewed by Geoffrey Garen.
15821
15822 The GC scans the stacks of other threads using MachineThreads::gatherFromOtherThread().
15823 gatherFromOtherThread() defines the range of the other thread's stack as
15824 being bounded by the other thread's stack pointer and stack base. While
15825 the stack base will always be aligned to sizeof(void*), the stack pointer
15826 may not be. This is because the other thread may have just pushed a 32-bit
15827 value on its stack before we suspended it for scanning.
15828
15829 The fix is to round the stack pointer up to the next aligned address of
15830 sizeof(void*) and start scanning from there. On 64-bit systems, we will
15831 effectively ignore the 32-bit word at the bottom of the stack (top of the
15832 stack for stacks growing up) because it cannot be a 64-bit pointer anyway.
15833 64-bit pointers should always be stored on 64-bit aligned boundaries (our
15834 conservative scan algorithm already depends on this assumption).
15835
15836 On 32-bit systems, the rounding is effectively a no-op.
15837
15838 * heap/ConservativeRoots.cpp:
15839 (JSC::ConservativeRoots::genericAddSpan):
15840 - Hardened somne assertions so that we can catch misalignment issues on
15841 release builds as well.
15842 * heap/MachineStackMarker.cpp:
15843 (JSC::MachineThreads::gatherFromOtherThread):
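
        The alignment fix described in this entry, as an added C++ illustration that is not JSC's own code: the stack pointer is rounded up to a sizeof(void*) boundary before a conservative word-by-word scan, and a constructed stack image with a trailing 32-bit push shows that the misaligned slot is skipped instead of being read as half of a bogus pointer. The heapCells list stands in for the real live-cell lookup and the stack is assumed to grow down.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Round an address up to the next sizeof(void*) boundary. The suspended thread
// may have pushed a 32-bit value, so its stack pointer need not be aligned.
inline uintptr_t roundUpToPointerAlignment(uintptr_t address)
{
    const uintptr_t mask = sizeof(void*) - 1;
    return (address + mask) & ~mask;
}

// Conservative scan of a down-growing stack: every pointer-aligned word in
// [stackPointer, stackBase) whose value equals a known heap cell address is
// reported as a root. heapCells is a stand-in for the real cell lookup.
inline std::vector<uintptr_t> gatherConservativeRoots(uintptr_t stackPointer, uintptr_t stackBase,
                                                      const std::vector<uintptr_t>& heapCells)
{
    std::vector<uintptr_t> roots;
    const uintptr_t begin = roundUpToPointerAlignment(stackPointer);
    // Hardened bounds checks, active on release builds too: after rounding,
    // both ends must be pointer-aligned and in the right order.
    if ((begin | stackBase) & (sizeof(void*) - 1))
        return roots;
    if (begin > stackBase)
        return roots;
    for (uintptr_t p = begin; p < stackBase; p += sizeof(void*)) {
        uintptr_t word;
        std::memcpy(&word, reinterpret_cast<const void*>(p), sizeof word);
        for (uintptr_t cell : heapCells) {
            if (word == cell) {
                roots.push_back(word);
                break;
            }
        }
    }
    return roots;
}

// Constructed stack image: a 32-bit push sits at the bottom (so on 64-bit the
// stack pointer is 4 bytes into an 8-byte slot), followed by three full words,
// two of which hold fake cell addresses. Returns the roots the scan reports.
inline std::vector<uintptr_t> demoScanMisalignedStack()
{
    const std::vector<uintptr_t> heapCells = { 0x1000, 0x2000 }; // constructed fake cells
    alignas(sizeof(void*)) unsigned char stack[4 * sizeof(void*)] = {};
    const uint32_t pushed32 = 0x1000;                          // the trailing 32-bit push
    const uintptr_t words[3] = { 0x1000, 0xdead, 0x2000 };     // real pointer-sized slots
    std::memcpy(stack + 4, &pushed32, sizeof pushed32);
    std::memcpy(stack + sizeof(void*), words, sizeof words);
    const uintptr_t stackPointer = reinterpret_cast<uintptr_t>(stack) + 4;
    const uintptr_t stackBase = reinterpret_cast<uintptr_t>(stack) + sizeof stack;
    // Scanning from the raw pointer would read a word straddling the 32-bit
    // push and the first real slot; rounding up skips the push entirely.
    return gatherConservativeRoots(stackPointer, stackBase, heapCells);
}
```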

2014-02-21  Matthew Mirman  <mmirman@apple.com>

        Added a GetMyArgumentsLengthSafe and added a speculation check.
        https://bugs.webkit.org/show_bug.cgi?id=129051

        Reviewed by Filip Pizlo.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):

2014-02-21  peavo@outlook.com  <peavo@outlook.com>

        [Win][LLINT] Many JSC stress test failures.
        https://bugs.webkit.org/show_bug.cgi?id=129155

        Reviewed by Michael Saboff.

        Intel syntax has reversed operand order compared to AT&T syntax, so we need to swap the operand order, in this case on floating point operations.
        Also avoid using the reverse opcode (e.g. fdivr), as this puts the result at the wrong position in the floating point stack.
        E.g. "divd ft0, ft1" would translate to fdivr st, st(1) (Intel syntax) on Windows, but this puts the result in st, when it should be in st(1).

        * offlineasm/x86.rb: Swap operand order on Windows.

2014-02-21  Filip Pizlo  <fpizlo@apple.com>

        DFG write barriers should do more speculations
        https://bugs.webkit.org/show_bug.cgi?id=129160

        Reviewed by Mark Hahnenberg.

        Replace ConditionalStoreBarrier with the cheapest speculation that you could do
        instead.

        Minuscule speed-up on some things. It's a decent difference in code size, though.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        * bytecode/SpeculatedType.h:
        (JSC::isNotCellSpeculation):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        (JSC::DFG::FixupPhase::insertPhantomCheck):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateOther):
        (JSC::DFG::Node::shouldSpeculateNotCell):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isNotOther):
        (JSC::FTL::LowerDFGToLLVM::isOther):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::speculateOther):
        (JSC::FTL::LowerDFGToLLVM::speculateNotCell):

2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>

        Revert r164486, causing a number of test failures.

        Unreviewed rollout.

2014-02-21  Filip Pizlo  <fpizlo@apple.com>

        Revive SABI (aka shouldAlwaysBeInlined)
        https://bugs.webkit.org/show_bug.cgi?id=129159

        Reviewed by Mark Hahnenberg.

        This is a small Octane speed-up.

        * jit/Repatch.cpp:
        (JSC::linkFor): This code was assuming that if it's invoked then the caller is a DFG code block. That's wrong, since it's now used by all of the JITs.

2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: JSContext inspection should report exceptions in the console
        https://bugs.webkit.org/show_bug.cgi?id=128776

        Reviewed by Timothy Hatcher.

        When JavaScript API functions have an exception, let the inspector
        know so it can log the JavaScript and Native backtrace that caused
        the exception.

        Include some clean up of ConsoleMessage and ScriptCallStack construction.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        * API/JSValue.mm:
        (reportExceptionToInspector):
        (valueToArray):
        (valueToDictionary):
        * API/JSValueRef.cpp:
        (JSValueIsEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueCreateJSONString):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        When seeing an exception, let the inspector know there was an exception.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        Log API exceptions by also grabbing the native backtrace.

        * inspector/ScriptCallStack.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::firstNonNativeCallFrame):
        (Inspector::ScriptCallStack::append):
        Minor extensions to ScriptCallStack to make it easier to work with.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        Provide better default information if the first call frame was native.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::extractSourceInformationFromException):
        (Inspector::createScriptCallStackFromException):
        Perform the handling here of inserting a fake call frame for exceptions
        if there was no call stack (e.g. a SyntaxError) or if the first call
        frame had no information.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        * inspector/ConsoleMessage.h:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::createScriptCallStackForConsole):
        * inspector/ScriptCallStackFactory.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        (Inspector::InspectorConsoleAgent::count):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
        ConsoleMessage cleanup.

2014-02-20  Anders Carlsson  <andersca@apple.com>

        Modernize JSGlobalLock and JSLockHolder
        https://bugs.webkit.org/show_bug.cgi?id=129105

        Reviewed by Michael Saboff.

        Use std::mutex and std::thread::id where possible.

        * runtime/JSLock.cpp:
        (JSC::GlobalJSLock::GlobalJSLock):
        (JSC::GlobalJSLock::~GlobalJSLock):
        (JSC::GlobalJSLock::initialize):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        * runtime/JSLock.h:

2014-02-20  Mark Lam  <mark.lam@apple.com>

        virtualForWithFunction() should not throw an exception with a partially initialized frame.
        <https://webkit.org/b/129134>

        Reviewed by Michael Saboff.

        Currently, when JITOperations.cpp's virtualForWithFunction() fails to
        prepare the callee function for execution, it proceeds to throw the
        exception using the callee frame which is only partially initialized
        thus far. Instead, it should be throwing the exception using the caller
        frame because:
        1. the error happened "in" the caller while preparing the callee for
           execution i.e. the caller frame is the top fully initialized frame
           on the stack.
        2. the callee frame is not fully initialized yet, and the unwind
           mechanism cannot depend on the data in it.

        * jit/JITOperations.cpp:

2014-02-20  Mark Lam  <mark.lam@apple.com>

        DefaultGCActivityCallback::doWork() should reschedule if GC is deferred.
        <https://webkit.org/b/129131>

        Reviewed by Mark Hahnenberg.

        Currently, DefaultGCActivityCallback::doWork() does not check if the GC
        needs to be deferred before commencing. As a result, the GC may crash
        and/or corrupt data because the VM is not in the consistent state needed
        for the GC to run. With this fix, doWork() now checks if the GC is
        supposed to be deferred and re-schedules if needed. It only commences
        with GC'ing when it's safe to do so.

        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::doWork):

2014-02-20  Geoffrey Garen  <ggaren@apple.com>

        Math.imul gives wrong results
        https://bugs.webkit.org/show_bug.cgi?id=126345

        Reviewed by Mark Hahnenberg.

        Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works.
        Instead, take a slow path that will do the right thing.

        * jit/ThunkGenerators.cpp:
        (JSC::imulThunkGenerator):
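
        The ToInt32 semantics this entry relies on, as an added C++ illustration that is not JSC's thunk code: a reference ToInt32 (NaN and infinities become 0, everything else is truncated and reduced modulo 2^32), Math.imul built on it as a wrapping 32-bit multiply, and a model of the fast-path mistake the entry describes, in which a non-integer double operand is treated as 0. The function names are this example's own.

```cpp
#include <cmath>
#include <cstdint>

// ECMAScript ToInt32: NaN and +/-Infinity map to 0; otherwise truncate toward
// zero, reduce modulo 2^32 and reinterpret the low 32 bits as signed.
inline int32_t toInt32(double value)
{
    if (std::isnan(value) || std::isinf(value))
        return 0;
    const double twoTo32 = 4294967296.0;
    double modulo = std::fmod(std::trunc(value), twoTo32); // keeps the sign of value
    if (modulo < 0)
        modulo += twoTo32;
    return static_cast<int32_t>(static_cast<uint32_t>(modulo));
}

// Math.imul: ToInt32 both operands, multiply with 32-bit wrap-around, and
// return the low 32 bits as a signed integer.
inline int32_t imul(double a, double b)
{
    const uint32_t product = static_cast<uint32_t>(toInt32(a)) * static_cast<uint32_t>(toInt32(b));
    return static_cast<int32_t>(product);
}

// Model of the bug described above (not the actual thunk): a fast path that
// treats any non-integer double operand as 0 instead of applying ToInt32, so
// imul(2.5, 3) comes out as 0 where the correct answer is 6.
inline int32_t imulTruncatingNonIntsToZero(double a, double b)
{
    auto fastPathInt = [](double d) -> int32_t {
        return d == std::trunc(d) ? toInt32(d) : 0;
    };
    const uint32_t product = static_cast<uint32_t>(fastPathInt(a)) * static_cast<uint32_t>(fastPathInt(b));
    return static_cast<int32_t>(product);
}
```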

2014-02-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should do its own static estimates of execution frequency before it starts creating OSR entrypoints
        https://bugs.webkit.org/show_bug.cgi?id=129129

        Reviewed by Geoffrey Garen.

        We estimate execution counts based on loop depth, and then use those to estimate branch
        weights. These weights then get carried all the way down to LLVM prof branch_weights
        meta-data.

        This is better than letting LLVM do its own static estimates, since by the time we
        generate LLVM IR, we may have messed up the CFG due to OSR entrypoint creation. Of
        course, it would be even better if we just slurped in some kind of execution counts
        from profiling, but we don't do that, yet.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::BasicBlock):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBlockInsertionSet.cpp:
        (JSC::DFG::BlockInsertionSet::insert):
        (JSC::DFG::BlockInsertionSet::insertBefore):
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        * dfg/DFGNaturalLoops.h:
        (JSC::DFG::NaturalLoops::loopDepth):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGStaticExecutionCountEstimationPhase.cpp: Added.
        (JSC::DFG::StaticExecutionCountEstimationPhase::StaticExecutionCountEstimationPhase):
        (JSC::DFG::StaticExecutionCountEstimationPhase::run):
        (JSC::DFG::StaticExecutionCountEstimationPhase::applyCounts):
        (JSC::DFG::performStaticExecutionCountEstimation):
        * dfg/DFGStaticExecutionCountEstimationPhase.h: Added.

2014-02-20  Filip Pizlo  <fpizlo@apple.com>

        FTL may not see a compact_unwind section if there weren't any stackmaps
        https://bugs.webkit.org/show_bug.cgi?id=129125

        Reviewed by Geoffrey Garen.

        It's OK to not have an unwind section, so long as the function also doesn't have any
        OSR exits.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        (JSC::FTL::compile):
        * ftl/FTLUnwindInfo.cpp:
        (JSC::FTL::UnwindInfo::parse):
        * ftl/FTLUnwindInfo.h:

== Rolled over to ChangeLog-2014-02-20 ==