git.saurik.com Git - apple/javascriptcore.git/blame - ChangeLog-2014-02-20
JavaScriptCore-7600.1.4.9.tar.gz
[apple/javascriptcore.git] / ChangeLog-2014-02-20

2014-02-20 Mark Hahnenberg <mhahnenberg@apple.com>

        CopiedBlock::pin can call into fastFree while forbidden
        https://bugs.webkit.org/show_bug.cgi?id=128654

        Reviewed by Oliver Hunt.

        A FullCollection that skips copying doesn't clear the CopyWorkList of all the surviving
        CopiedBlocks because we currently only call didSurviveGC() at the beginning of FullCollections.

        EdenCollections always do copying, therefore they always clear all CopyWorkLists.

        The fix is to call didSurviveGC() for all surviving CopiedBlocks at the end of FullCollections
        as well as at the beginning.

        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::didSurviveGC):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::doneCopying):

2014-02-20 Mark Hahnenberg <mhahnenberg@apple.com>

        Add a JSC option to disable EdenCollections
        https://bugs.webkit.org/show_bug.cgi?id=128849

        Reviewed by Mark Lam.

        This will help quickly identify whether or not GenGC is responsible for a
        particular crash by prematurely collecting a live object.

        * heap/Heap.cpp:
        (JSC::Heap::collect):
        (JSC::Heap::shouldDoFullCollection):
        * heap/Heap.h:
        * runtime/Options.h:

2014-02-20 Michael Saboff <msaboff@apple.com>

        REGRESSION (r164417): ASSERTION FAILED: isBranch() in X86 32 bit build
        https://bugs.webkit.org/show_bug.cgi?id=129118

        Reviewed by Filip Pizlo.

        Changed 32 bit version of SpeculativeJIT::compile handling of Jump nodes to match
        what is in the 64 bit build.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-02-20 Zan Dobersek <zdobersek@igalia.com>

        [Automake] Collect the JavaScript files required for JSC builtins through a wildcard
        https://bugs.webkit.org/show_bug.cgi?id=129115

        Reviewed by Oliver Hunt.

        * GNUmakefile.list.am: Simplify adding new JavaScriptCore builtins by using a wildcard
        to gather all the JavaScript files instead of listing each file explicitly.

2014-02-20 Mark Hahnenberg <mhahnenberg@apple.com>

        Replace uses of deprecated POSIX index() with strchr() in ObjcRuntimeExtras.h
        https://bugs.webkit.org/show_bug.cgi?id=128610

        Reviewed by Anders Carlsson.

        index() is deprecated in favor of strchr() so we should use the latter.

        * API/JSWrapperMap.mm:
        (selectorToPropertyName):
        * API/ObjcRuntimeExtras.h:
        (parseObjCType):

2014-02-19 Filip Pizlo <fpizlo@apple.com>

        FTL should not emit stack overflow checks in leaf functions
        https://bugs.webkit.org/show_bug.cgi?id=129085

        Reviewed by Michael Saboff.

        Minuscule (0.5%) speed-up on V8v7.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::didOverflowStack):

2014-02-20 Mark Hahnenberg <mhahnenberg@apple.com>

        Dynamically generated JSExport protocols added to a class results in a crash
        https://bugs.webkit.org/show_bug.cgi?id=129108

        Reviewed by Oliver Hunt.

        We're not getting any information from the runtime about the types of the methods on
        these protocols because they didn't exist at compile time. We should handle this gracefully.

        * API/ObjCCallbackFunction.mm:
        (objCCallbackFunctionForInvocation):
        * API/tests/JSExportTests.mm:
        (+[JSExportTests exportDynamicallyGeneratedProtocolTest]):
        (runJSExportTests):

2014-02-20 Gabor Rapcsanyi <rgabor@webkit.org>

        ASSERTION FAILED: isUInt16() on ARMv7 after r113253.
        https://bugs.webkit.org/show_bug.cgi?id=129101

        Reviewed by Michael Saboff.

        If the immediate value type is encoded then we shouldn't reach this assert.
        Check the immediate type to avoid assertion in alignment check.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::add):

2014-02-20 Csaba Osztrogonác <ossy@webkit.org>

        Get rid of redundant Platform.h includes
        https://bugs.webkit.org/show_bug.cgi?id=128817

        Reviewed by Brent Fulgham.

        * API/tests/JSNode.c:
        * API/tests/JSNodeList.c:
        * API/tests/minidom.c:
        * API/tests/testapi.c:
        * assembler/MacroAssembler.h:
        * bytecode/ByValInfo.h:
        * bytecode/CallLinkInfo.h:
        * bytecode/CallReturnOffsetToBytecodeOffset.h:
        * bytecode/CodeType.h:
        * bytecode/HandlerInfo.h:
        * bytecode/MethodOfGettingAValueProfile.h:
        * bytecode/PolymorphicAccessStructureList.h:
        * bytecode/PolymorphicPutByIdList.h:
        * bytecode/StructureStubClearingWatchpoint.h:
        * bytecode/StructureStubInfo.h:
        * bytecode/ValueRecovery.h:
        * bytecode/VirtualRegister.h:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        * dfg/DFGAbstractValue.h:
        * dfg/DFGAdjacencyList.h:
        * dfg/DFGAllocator.h:
        * dfg/DFGAnalysis.h:
        * dfg/DFGArgumentsSimplificationPhase.h:
        * dfg/DFGArrayMode.h:
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGAtTailAbstractState.h:
        * dfg/DFGBackwardsPropagationPhase.h:
        * dfg/DFGBinarySwitch.h:
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGBranchDirection.h:
        * dfg/DFGCFAPhase.h:
        * dfg/DFGCFGSimplificationPhase.h:
        * dfg/DFGCPSRethreadingPhase.h:
        * dfg/DFGCSEPhase.h:
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        * dfg/DFGCapabilities.h:
        * dfg/DFGClobberSet.h:
        * dfg/DFGClobberize.h:
        * dfg/DFGCommon.h:
        * dfg/DFGCommonData.h:
        * dfg/DFGConstantFoldingPhase.h:
        * dfg/DFGCriticalEdgeBreakingPhase.h:
        * dfg/DFGDCEPhase.h:
        * dfg/DFGDesiredIdentifiers.h:
        * dfg/DFGDesiredStructureChains.h:
        * dfg/DFGDesiredWatchpoints.h:
        * dfg/DFGDisassembler.h:
        * dfg/DFGDominators.h:
        * dfg/DFGDriver.h:
        * dfg/DFGEdge.h:
        * dfg/DFGEdgeDominates.h:
        * dfg/DFGEdgeUsesStructure.h:
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFiltrationResult.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGFixupPhase.h:
        * dfg/DFGFlushFormat.h:
        * dfg/DFGFlushLivenessAnalysisPhase.h:
        * dfg/DFGFlushedAt.h:
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGInsertionSet.h:
        * dfg/DFGInvalidationPointInjectionPhase.h:
        * dfg/DFGJITCode.h:
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGLICMPhase.h:
        * dfg/DFGLazyJSValue.h:
        * dfg/DFGLivenessAnalysisPhase.h:
        * dfg/DFGLongLivedState.h:
        * dfg/DFGLoopPreHeaderCreationPhase.h:
        * dfg/DFGMinifiedGraph.h:
        * dfg/DFGMinifiedID.h:
        * dfg/DFGMinifiedNode.h:
        * dfg/DFGNaturalLoops.h:
        * dfg/DFGNode.h:
        * dfg/DFGNodeAllocator.h:
        * dfg/DFGNodeFlags.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.h:
        * dfg/DFGOSREntrypointCreationPhase.h:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitBase.h:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOSRExitCompiler.h:
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGOSRExitJumpPlaceholder.h:
        * dfg/DFGPhase.h:
        * dfg/DFGPlan.h:
        * dfg/DFGPredictionInjectionPhase.h:
        * dfg/DFGPredictionPropagationPhase.h:
        * dfg/DFGResurrectionForValidationPhase.h:
        * dfg/DFGSSAConversionPhase.h:
        * dfg/DFGSafeToExecute.h:
        * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
        * dfg/DFGSilentRegisterSavePlan.h:
        * dfg/DFGSlowPathGenerator.h:
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGStackLayoutPhase.h:
        * dfg/DFGStructureAbstractValue.h:
        * dfg/DFGThunks.h:
        * dfg/DFGTierUpCheckInjectionPhase.h:
        * dfg/DFGToFTLDeferredCompilationCallback.h:
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
        * dfg/DFGTypeCheckHoistingPhase.h:
        * dfg/DFGUnificationPhase.h:
        * dfg/DFGUseKind.h:
        * dfg/DFGValidate.h:
        * dfg/DFGValueRecoveryOverride.h:
        * dfg/DFGValueSource.h:
        * dfg/DFGVariableAccessData.h:
        * dfg/DFGVariableAccessDataDump.h:
        * dfg/DFGVariableEvent.h:
        * dfg/DFGVariableEventStream.h:
        * dfg/DFGVirtualRegisterAllocationPhase.h:
        * dfg/DFGWatchpointCollectionPhase.h:
        * dfg/DFGWorklist.h:
        * disassembler/Disassembler.h:
        * ftl/FTLAbbreviatedTypes.h:
        * ftl/FTLAbbreviations.h:
        * ftl/FTLAbstractHeap.h:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.h:
        * ftl/FTLCommonValues.h:
        * ftl/FTLCompile.h:
        * ftl/FTLExitArgument.h:
        * ftl/FTLExitArgumentForOperand.h:
        * ftl/FTLExitArgumentList.h:
        * ftl/FTLExitThunkGenerator.h:
        * ftl/FTLExitValue.h:
        * ftl/FTLFail.h:
        * ftl/FTLForOSREntryJITCode.h:
        * ftl/FTLFormattedValue.h:
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLJITCode.h:
        * ftl/FTLJITFinalizer.h:
        * ftl/FTLLink.h:
        * ftl/FTLLocation.h:
        * ftl/FTLLowerDFGToLLVM.h:
        * ftl/FTLLoweredNodeValue.h:
        * ftl/FTLOSREntry.h:
        * ftl/FTLOSRExit.h:
        * ftl/FTLOSRExitCompilationInfo.h:
        * ftl/FTLOSRExitCompiler.h:
        * ftl/FTLOutput.h:
        * ftl/FTLSaveRestore.h:
        * ftl/FTLStackMaps.h:
        * ftl/FTLState.h:
        * ftl/FTLSwitchCase.h:
        * ftl/FTLThunks.h:
        * ftl/FTLTypedPointer.h:
        * ftl/FTLValueFormat.h:
        * ftl/FTLValueFromBlock.h:
        * heap/JITStubRoutineSet.h:
        * interpreter/AbstractPC.h:
        * jit/AssemblyHelpers.h:
        * jit/CCallHelpers.h:
        * jit/ClosureCallStubRoutine.h:
        * jit/GCAwareJITStubRoutine.h:
        * jit/HostCallReturnValue.h:
        * jit/JITDisassembler.h:
        * jit/JITStubRoutine.h:
        * jit/JITThunks.h:
        * jit/JITToDFGDeferredCompilationCallback.h:
        * jit/RegisterSet.h:
        * jit/Repatch.h:
        * jit/ScratchRegisterAllocator.h:
        * jit/TempRegisterSet.h:
        * jit/ThunkGenerator.h:
        * llint/LLIntData.h:
        * llint/LLIntEntrypoint.h:
        * llint/LLIntExceptions.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntOpcode.h:
        * llint/LLIntSlowPaths.h:
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.h:
        * llvm/InitializeLLVM.h:
        * llvm/InitializeLLVMPOSIX.h:
        * llvm/LLVMAPI.h:
        * os-win32/inttypes.h:
        * runtime/ArrayStorage.h:
        * runtime/Butterfly.h:
        * runtime/CommonSlowPaths.h:
        * runtime/CommonSlowPathsExceptions.h:
        * runtime/IndexingHeader.h:
        * runtime/JSExportMacros.h:
        * runtime/PropertyOffset.h:
        * runtime/SparseArrayValueMap.h:

2014-02-19 Filip Pizlo <fpizlo@apple.com>

        DFG should have a way of carrying and preserving conditional branch weights
        https://bugs.webkit.org/show_bug.cgi?id=129083

        Reviewed by Michael Saboff.

        Branch and Switch now have branch counts/weights for each target. This is encapsulated
        behind DFG::BranchTarget. We carry this data all the way to the FTL, and the DFG
        backend ignores it.

        We don't set this data yet; that's for https://bugs.webkit.org/show_bug.cgi?id=129055.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::branchData):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::linkBlock):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGNode.cpp:
        (JSC::DFG::BranchTarget::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::BranchTarget::BranchTarget):
        (JSC::DFG::BranchTarget::setBytecodeIndex):
        (JSC::DFG::BranchTarget::bytecodeIndex):
        (JSC::DFG::BranchData::withBytecodeIndices):
        (JSC::DFG::BranchData::takenBytecodeIndex):
        (JSC::DFG::BranchData::notTakenBytecodeIndex):
        (JSC::DFG::BranchData::forCondition):
        (JSC::DFG::SwitchCase::SwitchCase):
        (JSC::DFG::SwitchCase::withBytecodeIndex):
        (JSC::DFG::SwitchData::SwitchData):
        (JSC::DFG::Node::targetBytecodeOffsetDuringParsing):
        (JSC::DFG::Node::targetBlock):
        (JSC::DFG::Node::branchData):
        (JSC::DFG::Node::successor):
        (JSC::DFG::Node::successorForCondition):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        (JSC::DFG::SpeculativeJIT::compileRegExpExec):
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
        (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse):
        (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
        (JSC::DFG::SpeculativeJIT::emitSwitchString):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileJump):
        (JSC::FTL::LowerDFGToLLVM::compileBranch):
        (JSC::FTL::LowerDFGToLLVM::compileSwitch):
        (JSC::FTL::LowerDFGToLLVM::buildSwitch):

2014-02-19 ChangSeok Oh <changseok.oh@collabora.com>

        Unreviewed build fix after r164396

        * GNUmakefile.list.am: Added Promises.prototype.js properly

2014-02-19 Geoffrey Garen <ggaren@apple.com>

        Crash after -[JSContext evaluateScript:] when initializing JSContext with JSVirtualMachine
        https://bugs.webkit.org/show_bug.cgi?id=129070

        Reviewed by Mark Hahnenberg.

        Clear our exception explicitly before throwing away the VM because our
        exception references VM memory.

        * API/JSContext.mm:
        (-[JSContext dealloc]):
        * API/tests/testapi.mm:
        (testObjectiveCAPI):

2014-02-19 Brent Fulgham <bfulgham@apple.com>

        Unreviewed build fix after r164391

        * runtime/Arguments.h: Make SlowArgumentData public so template libraries can
        access its methods.

2014-02-19 Mark Lam <mark.lam@apple.com>

        Need to align sp before calling operationLoadVarargs on 32-bit platforms.
        <https://webkit.org/b/129056>

        Reviewed by Michael Saboff.

        In JIT::compileLoadVarargs(), we'll call operationSizeFrameForVarargs()
        to compute the amount of stack space we need for the varargs, adjust the
        stack pointer to make room for those varargs, and then call
        operationLoadVarargs() to fill in the varargs. Currently, the stack
        pointer adjustment takes care of allocating space for the varargs, but
        does not align the stack pointer for the call to operationLoadVarargs().
        The fix is to align the stack pointer there.

        Note: The stack pointer adjustment is based on the new CallFrame pointer
        value returned by operationSizeFrameForVarargs(). On 64-bit platforms,
        both the stack pointer and call frame pointer are similarly aligned
        (i.e. low nibbles are 0). Hence, no additional adjustment is needed.
        Only the 32-bit code needs the fix.

        Note: The LLINT also works this way i.e. aligns the stack pointer before
        calling llint_slow_path_call_varargs().

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):

2014-02-19 Sam Weinig <sam@webkit.org>

        [JS] Convert Promise.prototype.catch to be a built-in
        https://bugs.webkit.org/show_bug.cgi?id=129052

        Reviewed by Geoffrey Garen.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/Promise.prototype.js: Added.
        (catch): Add JS based implementation of Promise.prototype.catch.

        * runtime/JSPromisePrototype.cpp:
        Remove the C++ implementation of Promise.prototype.catch.

2014-02-19 Filip Pizlo <fpizlo@apple.com>

        FTL should allow LLVM to allocate data sections with alignment > 8
        https://bugs.webkit.org/show_bug.cgi?id=129066

        Reviewed by Geoffrey Garen.

        We were previously using the native allocator's alignment guarantees (which we presumed
        to be 8 bytes), and further hinting our desires by using the LSectionWord type (which
        was 8 bytes). This breaks now that LLVM will sometimes ask for 16 byte alignment on
        some sections.

        This changes our data section allocation strategy to use the new FTL::DataSection,
        which can handle arbitrary 2^k alignment.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        (JSC::FTL::dumpDataSection):
        (JSC::FTL::compile):
        * ftl/FTLDataSection.cpp: Added.
        (JSC::FTL::DataSection::DataSection):
        (JSC::FTL::DataSection::~DataSection):
        * ftl/FTLDataSection.h: Added.
        (JSC::FTL::DataSection::base):
        (JSC::FTL::DataSection::size):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::addDataSection):
        * ftl/FTLJITCode.h:
        (JSC::FTL::JITCode::dataSections):
        * ftl/FTLState.h:

2014-02-19 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, fix comment.

        * ftl/FTLWeight.h:
        (JSC::FTL::Weight::scaleToTotal):

2014-02-19 Anders Carlsson <andersca@apple.com>

        Add WTF_MAKE_FAST_ALLOCATED to more classes
        https://bugs.webkit.org/show_bug.cgi?id=129064

        Reviewed by Andreas Kling.

        * dfg/DFGSpeculativeJIT.h:
        * heap/CopyWorkList.h:
        * heap/Region.h:
        * runtime/Arguments.h:
        * runtime/SymbolTable.h:
        * runtime/WriteBarrier.h:

2014-02-19 Michael Saboff <msaboff@apple.com>

        Unreviewed build fix after r164374

        * llint/LLIntOfflineAsmConfig.h: Added #define OFFLINE_ASM_X86_WIN 0
        for ENABLE(LLINT_C_LOOP).

2014-02-19 Filip Pizlo <fpizlo@apple.com>

        FTL should be able to convey branch weights to LLVM
        https://bugs.webkit.org/show_bug.cgi?id=129054

        Reviewed by Michael Saboff.

        This introduces a really nice way to convey branch weights to LLVM. The basic class
        is Weight, which just wraps a float; NaN is used when you are not sure. You can
        pass this alongside a LBasicBlock to branching instructions like condbr and switch.
        But for simplicity, you can just pass a WeightedTarget, which is a tuple of the
        two. And for even greater simplicity, you can create WeightedTargets from
        LBasicBlocks by doing:

        usually(b) => WeightedTarget(b, Weight(1))
        rarely(b) => WeightedTarget(b, Weight(0))
        unsure(b) => WeightedTarget(b, Weight()) or WeightedTarget(b, Weight(NaN))

        This allows for constructs like:

        m_out.branch(isCell(value), usually(isCellCase), rarely(slowCase));

        This was intended to be perf-neutral for now, but it did end up creating a ~1%
        speed-up on V8v7 and Octane2.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::mdNode):
        * ftl/FTLCommonValues.cpp:
        (JSC::FTL::CommonValues::CommonValues):
        * ftl/FTLCommonValues.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
        (JSC::FTL::LowerDFGToLLVM::compileToThis):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
        (JSC::FTL::LowerDFGToLLVM::compileArithMod):
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
        (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
        (JSC::FTL::LowerDFGToLLVM::compileToString):
        (JSC::FTL::LowerDFGToLLVM::compileToPrimitive):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
        (JSC::FTL::LowerDFGToLLVM::compileBranch):
        (JSC::FTL::LowerDFGToLLVM::compileSwitch):
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::nonSpeculativeCompare):
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
        (JSC::FTL::LowerDFGToLLVM::boolify):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
        (JSC::FTL::LowerDFGToLLVM::buildSwitch):
        (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
        (JSC::FTL::LowerDFGToLLVM::sensibleDoubleToInt32):
        (JSC::FTL::LowerDFGToLLVM::lowDouble):
        (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::callCheck):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::initialize):
        (JSC::FTL::Output::appendTo):
        (JSC::FTL::Output::newBlock):
        (JSC::FTL::Output::sensibleDoubleToInt):
        (JSC::FTL::Output::load):
        (JSC::FTL::Output::store):
        (JSC::FTL::Output::baseIndex):
        (JSC::FTL::Output::branch):
        (JSC::FTL::Output::crashNonTerminal):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::branch):
        (JSC::FTL::Output::switchInstruction):
        * ftl/FTLSwitchCase.h:
        (JSC::FTL::SwitchCase::SwitchCase):
        (JSC::FTL::SwitchCase::weight):
        * ftl/FTLWeight.h: Added.
        (JSC::FTL::Weight::Weight):
        (JSC::FTL::Weight::isSet):
        (JSC::FTL::Weight::operator!):
        (JSC::FTL::Weight::value):
        (JSC::FTL::Weight::scaleToTotal):
        * ftl/FTLWeightedTarget.h: Added.
        (JSC::FTL::WeightedTarget::WeightedTarget):
        (JSC::FTL::WeightedTarget::target):
        (JSC::FTL::WeightedTarget::weight):
        (JSC::FTL::usually):
        (JSC::FTL::rarely):
        (JSC::FTL::unsure):

2014-02-19 peavo@outlook.com <peavo@outlook.com>

        [Win][LLINT] Incorrect stack alignment.
        https://bugs.webkit.org/show_bug.cgi?id=129045

        Reviewed by Michael Saboff.

        LLINT expects the stack to be 16 byte aligned, but with MSVC it is not.
        To align the stack, a new backend, X86_WIN, is created.

        * llint/LLIntOfflineAsmConfig.h: Use X86_WIN backend on Windows.
        * llint/LowLevelInterpreter.asm: Align stack to 16 byte boundaries. Otherwise, use same implementation for X86_WIN as for X86.
        * llint/LowLevelInterpreter32_64.asm: Adjust stack offset to retrieve function parameters now that the stack is aligned.
        * offlineasm/backends.rb: Added X86_WIN backend.
        * offlineasm/x86.rb: Fix crash caused by incorrect assembly code for double types.

2014-02-19 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>

        ASSERTION FAILED: (year >= 1970 && yearday >= 0) || (year < 1970 && yearday < 0) in WTF::dateToDaysFrom1970
        https://bugs.webkit.org/show_bug.cgi?id=128740

        Very large numbers could cause an overflow which resulted in the assertion failing in WTF::dateToDaysFrom1970
        DateConstructor will now check if the number fits into an Int32 before casting

        Reviewed by Geoffrey Garen.

        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        (JSC::dateUTC):

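The "check that the number fits into an Int32 before casting" fix in the entry above is a general pattern for any double that ends up in integer arithmetic. The following is an added example that is not JavaScriptCore's own code: `toInt32IfFits` and `checkedDateArgs` are hypothetical names, and the date-argument validation is a constructed stand-in for the DateConstructor paths named in the entry. It shows the two cases a plain range comparison silently gets wrong (NaN and infinities) and why the int32 bounds can be compared exactly in double.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// Added example, not JavaScriptCore code; toInt32IfFits and checkedDateArgs
// are hypothetical names.
//
// static_cast<int32_t>(double) is undefined behaviour when the value is outside
// the int32_t range. In practice the CPU yields a sentinel or truncated value,
// which is how an oversized year/day argument can reach later date arithmetic
// as nonsense and trip an internal assertion. The check below rejects such
// inputs before any cast happens.
bool toInt32IfFits(double value, int32_t& out)
{
    // NaN compares false against everything, so a range test alone would let
    // it through; infinities are rejected here as well for clarity.
    if (std::isnan(value) || std::isinf(value))
        return false;

    // Both int32_t bounds are exactly representable as doubles, so comparing
    // in double is exact: nothing out of range can round into range.
    const double lo = static_cast<double>(std::numeric_limits<int32_t>::min());
    const double hi = static_cast<double>(std::numeric_limits<int32_t>::max());
    if (value < lo || value > hi)
        return false;

    out = static_cast<int32_t>(value);
    return true;
}

struct DateArgs {
    int32_t year;
    int32_t month;
    int32_t day;
};

// Validate every numeric component before any of them is cast or combined.
// One out-of-range component rejects the whole call rather than letting a
// partially converted set of values into the date math.
bool checkedDateArgs(double year, double month, double day, DateArgs& out)
{
    return toInt32IfFits(year, out.year)
        && toInt32IfFits(month, out.month)
        && toInt32IfFits(day, out.day);
}
```

The rejection is deliberately stricter than JavaScript's ToInt32 (which wraps modulo 2^32): for a date constructor, a year that does not fit in 32 bits is never a meaningful input, so refusing it is the safer behaviour.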
2014-02-19 Mark Hahnenberg <mhahnenberg@apple.com>

        Dedicated worker crash caused by global DFG worklists + GC
        https://bugs.webkit.org/show_bug.cgi?id=128537

        Reviewed by Filip Pizlo.

        The process-global DFG worklists were causing objects to participate in the garbage collections of VMs
        other than the one they were allocated in. This started manifesting in the worker tests because they're
        one of the few WebKit tests that do multithreaded JS.

        The fix is to filter out Plans from other VMs during collection.

        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::vm):
        * dfg/DFGSafepoint.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::isActiveForVM):
        (JSC::DFG::Worklist::suspendAllThreads):
        (JSC::DFG::Worklist::resumeAllThreads):
        (JSC::DFG::Worklist::visitChildren):
        * dfg/DFGWorklist.h:
        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater):

2014-02-19 Brady Eidson <beidson@apple.com>

        Add FeatureDefines for image controls
        https://bugs.webkit.org/show_bug.cgi?id=129022

        Reviewed by Jer Noble.

        * Configurations/FeatureDefines.xcconfig:

2014-02-19 Dan Bernstein <mitz@apple.com>

        Simplify PLATFORM(MAC) && !PLATFORM(IOS) and similar expressions
        https://bugs.webkit.org/show_bug.cgi?id=129029

        Reviewed by Mark Rowe.

        * API/JSValueRef.cpp:
        (JSValueUnprotect):
        * jit/ExecutableAllocatorFixedVMPool.cpp:

2014-02-18 Filip Pizlo <fpizlo@apple.com>

        Correctly install libllvmForJSC.dylib in production builds
        https://bugs.webkit.org/show_bug.cgi?id=129023

        Reviewed by Mark Rowe.

        In non-production builds, we copy it as before. In production builds, we use the install
        path.

        Also roll http://trac.webkit.org/changeset/164348 back in.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-18 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/164348 because it broke some
        builds.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-18 Filip Pizlo <fpizlo@apple.com>

        Don't call LLVMInitializeNativeTarget() because it can be all messed up if you cross-compile LLVM
        https://bugs.webkit.org/show_bug.cgi?id=129020

        Reviewed by Dan Bernstein.

        LLVMInitializeNativeTarget() is this super special inline function in llvm-c/Target.h that
        depends on some #define's that come from some really weird magic in autoconf/configure.ac.
        That magic fails miserably for cross-compiles. So, we need to manually initialize the things
        that InitializeNativeTarget initializes.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-02-18 Filip Pizlo <fpizlo@apple.com>

        The shell scripts in the Xcode build system should tell you when they failed
        https://bugs.webkit.org/show_bug.cgi?id=129018

        Reviewed by Mark Rowe.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-17 Gavin Barraclough <barraclough@apple.com>

        Add fast mapping from StringImpl to JSString
        https://bugs.webkit.org/show_bug.cgi?id=128625

        Reviewed by Geoff Garen & Andreas Kling.

        * runtime/JSString.cpp:
        (JSC::JSString::WeakOwner::finalize):
        - once the JSString weakly owned by a StringImpl became unreachable remove the WeakImpl.
        * runtime/JSString.h:
        (JSC::jsStringWithWeakOwner):
        - create a JSString wrapping a StringImpl, and weakly cache the JSString on the StringImpl.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        - initialize jsStringWeakOwner.
        (JSC::VM::createLeakedForMainThread):
        - initialize jsStringWeakOwner - the main thread gets to use the weak pointer
        on StringImpl to cache a JSString wrapper.
        * runtime/VM.h:
        - renamed createLeaked -> createLeakedForMainThread to make it clear this
        should only be used to create the main thread VM.

2014-02-18 Oliver Hunt <oliver@apple.com>

        Prevent builtin js named with C++ reserved words from breaking the build
        https://bugs.webkit.org/show_bug.cgi?id=129017

        Reviewed by Sam Weinig.

        Simple change to a couple of macros to make sure we don't create functions
        named using reserved words.

        * builtins/BuiltinExecutables.cpp:
        * builtins/BuiltinNames.h:

2014-02-18 Filip Pizlo <fpizlo@apple.com>

        FTL should build on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=129010

        Reviewed by Sam Weinig.

        * disassembler/X86Disassembler.cpp: Just because we have the LLVM disassembler doesn't mean we're on X86.
        * ftl/FTLLocation.cpp: DWARF parsing for ARM64 is super easy.
        (JSC::FTL::Location::isGPR):
        (JSC::FTL::Location::gpr):
        (JSC::FTL::Location::isFPR):
        (JSC::FTL::Location::fpr):
        (JSC::FTL::Location::restoreInto): This function wasn't even X86-specific to begin with so move it out of the #if stuff.
        * ftl/FTLUnwindInfo.cpp: They're called q not d.
        (JSC::FTL::UnwindInfo::parse):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toArgumentRegister): Add this method; we already had it on X86.

8102014-02-18 Filip Pizlo <fpizlo@apple.com>
811
812 FTL unwind parsing should handle ARM64
813 https://bugs.webkit.org/show_bug.cgi?id=128984
814
815 Reviewed by Oliver Hunt.
816
817 This makes unwind parsing handle ARM64 and it makes all clients of unwind info capable of
818 dealing with that architecture.
819
The big difference is that ARM64 has callee-save double registers. This is conceptually easy
to handle, but our code for dealing with callee-saves spoke of "GPRReg". We've been in this
situation before: code that needs to deal with either a GPRReg or an FPRReg. In the past we'd
hacked around the problem, but this time I decided to do a full frontal assault. This patch
adds a Reg class, which is a box for either GPRReg or FPRReg along with tools for iterating
over all possible registers. Then, I threaded this through SaveRestore, RegisterSet,
RegisterAtOffset, and UnwindInfo. With the help of Reg, it was easy to refactor the code to
handle FPRs in addition to GPRs.

* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLRegisterAtOffset.cpp:
(JSC::FTL::RegisterAtOffset::dump):
* ftl/FTLRegisterAtOffset.h:
(JSC::FTL::RegisterAtOffset::RegisterAtOffset):
(JSC::FTL::RegisterAtOffset::operator!):
(JSC::FTL::RegisterAtOffset::reg):
(JSC::FTL::RegisterAtOffset::operator==):
(JSC::FTL::RegisterAtOffset::operator<):
(JSC::FTL::RegisterAtOffset::getReg):
* ftl/FTLSaveRestore.cpp:
(JSC::FTL::offsetOfReg):
* ftl/FTLSaveRestore.h:
* ftl/FTLUnwindInfo.cpp:
(JSC::FTL::UnwindInfo::parse):
(JSC::FTL::UnwindInfo::find):
(JSC::FTL::UnwindInfo::indexOf):
* ftl/FTLUnwindInfo.h:
* jit/Reg.cpp: Added.
(JSC::Reg::dump):
* jit/Reg.h: Added.
(JSC::Reg::Reg):
(JSC::Reg::fromIndex):
(JSC::Reg::first):
(JSC::Reg::last):
(JSC::Reg::next):
(JSC::Reg::index):
(JSC::Reg::isSet):
(JSC::Reg::operator!):
(JSC::Reg::isGPR):
(JSC::Reg::isFPR):
(JSC::Reg::gpr):
(JSC::Reg::fpr):
(JSC::Reg::operator==):
(JSC::Reg::operator!=):
(JSC::Reg::operator<):
(JSC::Reg::operator>):
(JSC::Reg::operator<=):
(JSC::Reg::operator>=):
(JSC::Reg::hash):
(JSC::Reg::invalid):
* jit/RegisterSet.h:
(JSC::RegisterSet::set):
(JSC::RegisterSet::clear):
(JSC::RegisterSet::get):

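An added illustration, not JSC's own code, of the idea the entry above describes: a Reg box that gives GPRs and FPRs one linear index, so a single RegisterSet bitmask and a single iteration loop cover both register files, and callee-save bookkeeping no longer has to speak only of "GPRReg". The register enumerations, the callee-save set and the frame-size helper below are assumptions chosen for the example; JSC's real GPRInfo/FPRInfo and calleeSaveRegisters() are per-target and differ.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>

// Toy register files standing in for JSC's GPRReg/FPRReg enums (an assumption of
// this example; the real ones are target-specific and live in GPRInfo.h/FPRInfo.h).
enum GPRReg : uint8_t { X0, X1, X2, X19, X20, X29, X30, GPR_COUNT, InvalidGPRReg = 0xff };
enum FPRReg : uint8_t { D0, D1, D8, D9, D15, FPR_COUNT, InvalidFPRReg = 0xff };

// Reg boxes either a GPR or an FPR behind one linear index: GPRs occupy
// [0, GPR_COUNT), FPRs occupy [GPR_COUNT, GPR_COUNT + FPR_COUNT).
class Reg {
public:
    static constexpr unsigned numRegs = GPR_COUNT + FPR_COUNT;

    Reg() : m_index(invalidIndex) { }
    Reg(GPRReg gpr) : m_index(gpr) { }
    Reg(FPRReg fpr) : m_index(GPR_COUNT + fpr) { }

    static Reg fromIndex(unsigned index) { Reg r; r.m_index = index; return r; }
    static Reg first() { return fromIndex(0); }
    static Reg last() { return fromIndex(numRegs - 1); }
    static Reg invalid() { return Reg(); }

    // Iteration order: every GPR, then every FPR, then the invalid sentinel.
    Reg next() const { return m_index + 1 < numRegs ? fromIndex(m_index + 1) : invalid(); }

    unsigned index() const { return m_index; }
    bool isSet() const { return m_index != invalidIndex; }
    bool operator!() const { return !isSet(); }
    bool isGPR() const { return isSet() && m_index < GPR_COUNT; }
    bool isFPR() const { return isSet() && m_index >= GPR_COUNT; }
    GPRReg gpr() const { return isGPR() ? static_cast<GPRReg>(m_index) : InvalidGPRReg; }
    FPRReg fpr() const { return isFPR() ? static_cast<FPRReg>(m_index - GPR_COUNT) : InvalidFPRReg; }

    bool operator==(const Reg& other) const { return m_index == other.m_index; }
    bool operator!=(const Reg& other) const { return m_index != other.m_index; }
    bool operator<(const Reg& other) const { return m_index < other.m_index; }
    size_t hash() const { return std::hash<unsigned>()(m_index); }

private:
    static constexpr unsigned invalidIndex = ~0u;
    unsigned m_index;
};
static_assert(Reg::numRegs <= 64, "RegisterSet below uses a 64-bit mask");

// RegisterSet keys its bitmask by Reg::index(), so one set describes both files.
class RegisterSet {
public:
    void set(Reg reg, bool value = true) {
        uint64_t bit = uint64_t(1) << reg.index();
        m_bits = value ? (m_bits | bit) : (m_bits & ~bit);
    }
    void clear(Reg reg) { set(reg, false); }
    bool get(Reg reg) const { return (m_bits >> reg.index()) & 1; }
    void merge(const RegisterSet& other) { m_bits |= other.m_bits; }

    unsigned numberOfSetRegisters() const { return count(true, true); }
    unsigned numberOfSetGPRs() const { return count(true, false); }
    unsigned numberOfSetFPRs() const { return count(false, true); }

private:
    unsigned count(bool gprs, bool fprs) const {
        unsigned n = 0;
        for (Reg reg = Reg::first(); !!reg; reg = reg.next()) {
            if (((reg.isGPR() && gprs) || (reg.isFPR() && fprs)) && get(reg))
                n++;
        }
        return n;
    }
    uint64_t m_bits = 0;
};

// Callee-saves for the toy ARM64-like target (an assumption of this example): the
// point is that d8..d15-style FPRs sit in the same set as the GPRs, which a
// GPRReg-only RegisterSet could not express.
RegisterSet calleeSaveRegisters() {
    RegisterSet set;
    set.set(X19); set.set(X20); set.set(X29); set.set(X30);
    set.set(D8); set.set(D9); set.set(D15);
    return set;
}

// Number of registers the Reg iteration visits; equals Reg::numRegs.
unsigned countIteratedRegs() {
    unsigned n = 0;
    for (Reg reg = Reg::first(); !!reg; reg = reg.next())
        n++;
    return n;
}

// Save/restore layout: one 8-byte slot per callee-save register, GPR or FPR,
// assigned by a single walk over the Reg sequence. Returns the frame bytes needed.
size_t calleeSaveFrameSize() {
    RegisterSet saves = calleeSaveRegisters();
    size_t offset = 0;
    for (Reg reg = Reg::first(); !!reg; reg = reg.next()) {
        if (saves.get(reg))
            offset += 8;   // a GPR, or the low 64 bits of a D register
    }
    return offset;
}
```

The design point is the linear index: once GPRs and FPRs share one index space, the set, the iteration, and the offset assignment are written once rather than duplicated per register kind, which is exactly the refactoring the entry describes.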
2014-02-17 Filip Pizlo <fpizlo@apple.com>

More ARM FTL glue
https://bugs.webkit.org/show_bug.cgi?id=128948

Reviewed by Sam Weinig.

* Configurations/Base.xcconfig: Allow for a header search directory for LLVM's generated files.
* Configurations/LLVMForJSC.xcconfig: Link the right things for ARM.
* assembler/ARM64Assembler.h: Build fix.
(JSC::ARM64Assembler::fillNops):
* disassembler/LLVMDisassembler.cpp: Use the right target triples.
(JSC::tryToDisassembleWithLLVM):
* ftl/FTLCompile.cpp:
(JSC::FTL::fixFunctionBasedOnStackMaps): Build fix.
* jit/GPRInfo.h: Build fix.
* llvm/library/LLVMExports.cpp: Link the right things.
(initializeAndGetJSCLLVMAPI):

2014-02-17 Anders Carlsson <andersca@apple.com>

Remove ENABLE_GLOBAL_FASTMALLOC_NEW
https://bugs.webkit.org/show_bug.cgi?id=127067

Reviewed by Geoffrey Garen.

* parser/Nodes.h:

2014-02-17 Sergio Correia <sergio.correia@openbossa.org>

Replace uses of PassOwnPtr/OwnPtr with std::unique_ptr in WebCore/inspector
https://bugs.webkit.org/show_bug.cgi?id=128681

Reviewed by Timothy Hatcher.

Another step towards getting rid of PassOwnPtr/OwnPtr, now targeting
WebCore/inspector/*. Besides files in there, a few other files in
JavaScriptCore/inspector, WebKit/, WebKit2/WebProcess/WebCoreSupport/
and WebCore/testing were touched.

* inspector/ContentSearchUtilities.cpp:
* inspector/ContentSearchUtilities.h:
* inspector/agents/InspectorConsoleAgent.cpp:
* inspector/agents/InspectorConsoleAgent.h:

2014-02-17 Filip Pizlo <fpizlo@apple.com>

FTL should support ToPrimitive and the DFG should fold it correctly
https://bugs.webkit.org/show_bug.cgi?id=128892

Reviewed by Geoffrey Garen.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileToPrimitive):
* tests/stress/fold-to-primitive-in-cfa.js: Added.
(foo):
(.result.foo):
* tests/stress/fold-to-primitive-to-identity-in-cfa.js: Added.
(foo):
(.result.foo):

2014-02-17 Filip Pizlo <fpizlo@apple.com>

Register preservation wrapper should know about the possibility of callee-saved FPRs
https://bugs.webkit.org/show_bug.cgi?id=128923

Reviewed by Mark Hahnenberg.

* jit/RegisterPreservationWrapperGenerator.cpp:
(JSC::generateRegisterPreservationWrapper):
(JSC::generateRegisterRestoration):
* jit/RegisterSet.cpp:

2014-02-17 Filip Pizlo <fpizlo@apple.com>

lr is a special register on ARM64
https://bugs.webkit.org/show_bug.cgi?id=128922

Reviewed by Mark Hahnenberg.

* jit/RegisterSet.cpp:
(JSC::RegisterSet::specialRegisters):

2014-02-17 Filip Pizlo <fpizlo@apple.com>

Fix RegisterSet::calleeSaveRegisters() by making it correct on ARM64
https://bugs.webkit.org/show_bug.cgi?id=128921

Reviewed by Mark Hahnenberg.

* jit/RegisterSet.cpp:
(JSC::RegisterSet::calleeSaveRegisters):

2014-02-17 Filip Pizlo <fpizlo@apple.com>

RegisterSet::calleeSaveRegisters() should know about ARM64
https://bugs.webkit.org/show_bug.cgi?id=128918

Reviewed by Mark Hahnenberg.

* jit/RegisterSet.cpp:
(JSC::RegisterSet::calleeSaveRegisters):

2014-02-17 Csaba Osztrogonác <ossy@webkit.org>

Move back primary header includes next to config.h
https://bugs.webkit.org/show_bug.cgi?id=128912

Reviewed by Alexey Proskuryakov.

* dfg/DFGAbstractHeap.cpp:
* dfg/DFGAbstractValue.cpp:
* dfg/DFGArgumentsSimplificationPhase.cpp:
* dfg/DFGArithMode.cpp:
* dfg/DFGArrayMode.cpp:
* dfg/DFGAtTailAbstractState.cpp:
* dfg/DFGAvailability.cpp:
* dfg/DFGBackwardsPropagationPhase.cpp:
* dfg/DFGBasicBlock.cpp:
* dfg/DFGBinarySwitch.cpp:
* dfg/DFGBlockInsertionSet.cpp:
* dfg/DFGByteCodeParser.cpp:
* dfg/DFGCFAPhase.cpp:
* dfg/DFGCFGSimplificationPhase.cpp:
* dfg/DFGCPSRethreadingPhase.cpp:
* dfg/DFGCSEPhase.cpp:
* dfg/DFGCapabilities.cpp:
* dfg/DFGClobberSet.cpp:
* dfg/DFGClobberize.cpp:
* dfg/DFGCommon.cpp:
* dfg/DFGCommonData.cpp:
* dfg/DFGCompilationKey.cpp:
* dfg/DFGCompilationMode.cpp:
* dfg/DFGConstantFoldingPhase.cpp:
* dfg/DFGCriticalEdgeBreakingPhase.cpp:
* dfg/DFGDCEPhase.cpp:
* dfg/DFGDesiredIdentifiers.cpp:
* dfg/DFGDesiredStructureChains.cpp:
* dfg/DFGDesiredTransitions.cpp:
* dfg/DFGDesiredWatchpoints.cpp:
* dfg/DFGDesiredWeakReferences.cpp:
* dfg/DFGDesiredWriteBarriers.cpp:
* dfg/DFGDisassembler.cpp:
* dfg/DFGDominators.cpp:
* dfg/DFGEdge.cpp:
* dfg/DFGFailedFinalizer.cpp:
* dfg/DFGFinalizer.cpp:
* dfg/DFGFixupPhase.cpp:
* dfg/DFGFlushFormat.cpp:
* dfg/DFGFlushLivenessAnalysisPhase.cpp:
* dfg/DFGFlushedAt.cpp:
* dfg/DFGGraph.cpp:
* dfg/DFGGraphSafepoint.cpp:
* dfg/DFGInPlaceAbstractState.cpp:
* dfg/DFGIntegerCheckCombiningPhase.cpp:
* dfg/DFGInvalidationPointInjectionPhase.cpp:
* dfg/DFGJITCode.cpp:
* dfg/DFGJITCompiler.cpp:
* dfg/DFGJITFinalizer.cpp:
* dfg/DFGJumpReplacement.cpp:
* dfg/DFGLICMPhase.cpp:
* dfg/DFGLazyJSValue.cpp:
* dfg/DFGLivenessAnalysisPhase.cpp:
* dfg/DFGLongLivedState.cpp:
* dfg/DFGLoopPreHeaderCreationPhase.cpp:
* dfg/DFGMinifiedNode.cpp:
* dfg/DFGNaturalLoops.cpp:
* dfg/DFGNode.cpp:
* dfg/DFGNodeFlags.cpp:
* dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
* dfg/DFGOSREntry.cpp:
* dfg/DFGOSREntrypointCreationPhase.cpp:
* dfg/DFGOSRExit.cpp:
* dfg/DFGOSRExitBase.cpp:
* dfg/DFGOSRExitCompiler.cpp:
* dfg/DFGOSRExitCompiler32_64.cpp:
* dfg/DFGOSRExitCompiler64.cpp:
* dfg/DFGOSRExitCompilerCommon.cpp:
* dfg/DFGOSRExitJumpPlaceholder.cpp:
* dfg/DFGOSRExitPreparation.cpp:
* dfg/DFGPhase.cpp:
* dfg/DFGPlan.cpp:
* dfg/DFGPredictionInjectionPhase.cpp:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGResurrectionForValidationPhase.cpp:
* dfg/DFGSSAConversionPhase.cpp:
* dfg/DFGSSALoweringPhase.cpp:
* dfg/DFGSafepoint.cpp:
* dfg/DFGSpeculativeJIT.cpp:
* dfg/DFGSpeculativeJIT32_64.cpp:
* dfg/DFGSpeculativeJIT64.cpp:
* dfg/DFGStackLayoutPhase.cpp:
* dfg/DFGStoreBarrierElisionPhase.cpp:
* dfg/DFGStrengthReductionPhase.cpp:
* dfg/DFGThreadData.cpp:
* dfg/DFGThunks.cpp:
* dfg/DFGTierUpCheckInjectionPhase.cpp:
* dfg/DFGToFTLDeferredCompilationCallback.cpp:
* dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
* dfg/DFGTypeCheckHoistingPhase.cpp:
* dfg/DFGUnificationPhase.cpp:
* dfg/DFGUseKind.cpp:
* dfg/DFGValidate.cpp:
* dfg/DFGValueSource.cpp:
* dfg/DFGVariableAccessDataDump.cpp:
* dfg/DFGVariableEvent.cpp:
* dfg/DFGVariableEventStream.cpp:
* dfg/DFGVirtualRegisterAllocationPhase.cpp:
* dfg/DFGWatchpointCollectionPhase.cpp:
* dfg/DFGWorklist.cpp:
* heap/JITStubRoutineSet.cpp:
* jit/GCAwareJITStubRoutine.cpp:
* jit/JIT.cpp:
* jit/JITDisassembler.cpp:
* jit/JITOperations.cpp:
* jit/JITStubRoutine.cpp:
* jit/JITStubs.cpp:
* jit/TempRegisterSet.cpp:

2014-02-16 Filip Pizlo <fpizlo@apple.com>

FTL OSR exit shouldn't make X86-specific assumptions
https://bugs.webkit.org/show_bug.cgi?id=128890

Reviewed by Mark Hahnenberg.

Mostly this is about not using push/pop, but instead using the more abstract pushToSave() and popToRestore() while reflecting on the stack alignment.

* assembler/MacroAssembler.h:
(JSC::MacroAssembler::pushToSaveImmediateWithoutTouchingRegisters):
(JSC::MacroAssembler::pushToSaveByteOffset):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
(JSC::MacroAssemblerARM64::pushToSaveByteOffset):
* ftl/FTLExitThunkGenerator.cpp:
(JSC::FTL::ExitThunkGenerator::emitThunk):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLThunks.cpp:
(JSC::FTL::osrExitGenerationThunkGenerator):

2014-02-17 Filip Pizlo <fpizlo@apple.com>

Unreviewed, make this test pass without DFG. It was assuming that you always have DFG
and that it would always tier-up to the DFG - both wrong assumptions.

* tests/stress/tricky-array-bounds-checks.js:
(foo):

2014-02-17 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>

Fix the CLoop build after r163760
https://bugs.webkit.org/show_bug.cgi?id=128900

Reviewed by Csaba Osztrogonác.

* llint/LLIntThunks.cpp:

2014-02-17 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>

CLoop buildfix after r164207
https://bugs.webkit.org/show_bug.cgi?id=128899

Reviewed by Csaba Osztrogonác.

* dfg/DFGCommon.h:
(JSC::DFG::shouldShowDisassembly):

2014-02-16 Filip Pizlo <fpizlo@apple.com>

Unreviewed, 32-bit build fix.

* assembler/MacroAssembler.h:
(JSC::MacroAssembler::lshiftPtr):

2014-02-15 Filip Pizlo <fpizlo@apple.com>

FTL should inline polymorphic heap accesses
https://bugs.webkit.org/show_bug.cgi?id=128795

Reviewed by Oliver Hunt.

We now inline GetByIds that we know are pure but polymorphic. They manifest in DFG IR
as MultiGetByOffset, and in LLVM IR as a switch with a basic block for each kind of
read.

2% speed-up on Octane mostly due to an 18% speed-up on deltablue.

* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecode/ExitingJITType.cpp: Added.
(WTF::printInternal):
* bytecode/ExitingJITType.h:
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt):
(JSC::GetByIdStatus::computeForChain):
(JSC::GetByIdStatus::computeForStubInfo):
(JSC::GetByIdStatus::computeFor):
(JSC::GetByIdStatus::dump):
* bytecode/GetByIdStatus.h:
(JSC::GetByIdStatus::GetByIdStatus):
(JSC::GetByIdStatus::numVariants):
(JSC::GetByIdStatus::variants):
(JSC::GetByIdStatus::at):
(JSC::GetByIdStatus::operator[]):
* bytecode/GetByIdVariant.cpp: Added.
(JSC::GetByIdVariant::dump):
(JSC::GetByIdVariant::dumpInContext):
* bytecode/GetByIdVariant.h: Added.
(JSC::GetByIdVariant::GetByIdVariant):
(JSC::GetByIdVariant::isSet):
(JSC::GetByIdVariant::operator!):
(JSC::GetByIdVariant::structureSet):
(JSC::GetByIdVariant::chain):
(JSC::GetByIdVariant::specificValue):
(JSC::GetByIdVariant::offset):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::emitPrototypeChecks):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::getByOffsetLoadElimination):
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGCommon.h:
(JSC::DFG::verboseCompilationEnabled):
(JSC::DFG::logCompilationChanges):
(JSC::DFG::shouldShowDisassembly):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::convertToConstant):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToGetByOffset):
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasMultiGetByOffsetData):
(JSC::DFG::Node::multiGetByOffsetData):
* dfg/DFGNodeType.h:
* dfg/DFGPhase.h:
(JSC::DFG::Phase::graph):
(JSC::DFG::runAndLog):
* dfg/DFGPlan.cpp:
(JSC::DFG::dumpAndVerifyGraph):
(JSC::DFG::Plan::compileInThread):
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLCompile.cpp:
(JSC::FTL::fixFunctionBasedOnStackMaps):
(JSC::FTL::compile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
* ftl/FTLState.h:
(JSC::FTL::verboseCompilationEnabled):
(JSC::FTL::showDisassembly):
* jsc.cpp:
(GlobalObject::finishCreation):
(functionEffectful42):
* runtime/IntendedStructureChain.cpp:
(JSC::IntendedStructureChain::dump):
(JSC::IntendedStructureChain::dumpInContext):
* runtime/IntendedStructureChain.h:
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
* runtime/Options.h:
* tests/stress/fold-multi-get-by-offset-to-get-by-offset-with-watchpoint.js: Added.
(foo):
(bar):
* tests/stress/fold-multi-get-by-offset-to-get-by-offset.js: Added.
(foo):
(bar):
* tests/stress/multi-get-by-offset-proto-and-self.js: Added.
(foo):
(Foo):

2014-02-16 Filip Pizlo <fpizlo@apple.com>

DFG::prepareOSREntry should be nice to the stack
https://bugs.webkit.org/show_bug.cgi?id=128883

Reviewed by Oliver Hunt.

Previously OSR entry had some FIXME's and some really badly commented-out code for
clearing stack entries to help GC. It also did some permutations on a stack frame
above us, in such a way that it wasn't obvious that we wouldn't clobber our own
stack frame. This function also crashed in ASan.

It just seems like there was too much badness to the whole idea of prepareOSREntry
directly editing the stack. So, I changed it to create a stack frame in a scratch
buffer on the side and then have some assembly code just copy it into place. This
works fine, fixes a FIXME, possibly fixes some stack clobbering, and might help us
make more progress with ASan.

* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSREntry.h:
* dfg/DFGThunks.cpp:
(JSC::DFG::osrEntryThunkGenerator):
* dfg/DFGThunks.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emitSlow_op_loop_hint):
* jit/JITOperations.cpp:

2014-02-15 Filip Pizlo <fpizlo@apple.com>

Vector with inline capacity should work with non-PODs
https://bugs.webkit.org/show_bug.cgi?id=128864

Reviewed by Michael Saboff.

Deques no longer have inline capacity because it was broken, and we didn't need it
here anyway.

* dfg/DFGWorklist.h:

2014-02-15 Filip Pizlo <fpizlo@apple.com>

Unreviewed, roll out r164166.

This broke three unique tests:

** The following JSC stress test failures have been introduced:
regress/script-tests/variadic-closure-call.js.default-ftl
regress/script-tests/variadic-closure-call.js.ftl-no-cjit-validate
regress/script-tests/variadic-closure-call.js.ftl-no-cjit-osr-validation
regress/script-tests/variadic-closure-call.js.ftl-eager
regress/script-tests/variadic-closure-call.js.ftl-eager-no-cjit
regress/script-tests/variadic-closure-call.js.ftl-eager-no-cjit-osr-validation
jsc-layout-tests.yaml/js/script-tests/unmatching-argument-count.js.layout-ftl-eager-no-cjit
regress/script-tests/direct-arguments-getbyval.js.ftl-eager-no-cjit
regress/script-tests/direct-arguments-getbyval.js.ftl-eager-no-cjit-osr-validation

* bytecode/PolymorphicAccessStructureList.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
* tests/stress/ftl-getbyval-arguments.js:

2014-02-15 Matthew Mirman <mmirman@apple.com>

Added GetMyArgumentByVal to FTL
https://bugs.webkit.org/show_bug.cgi?id=128850

Reviewed by Filip Pizlo.

* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
* tests/stress/ftl-getbyval-arguments.js: Added.
(foo):

2014-02-15 peavo@outlook.com <peavo@outlook.com>

[Win] LLINT is not working.
https://bugs.webkit.org/show_bug.cgi?id=128115

Reviewed by Mark Lam.

This patch will generate assembly code with Intel syntax, which can be processed by the Microsoft assembler (MASM).
By creating an asm file instead of a header file with inline assembly, we can support 64-bit.
Only 32-bit compilation has been tested, not 64-bit.
The aim of this patch is to get LLINT up and running on Windows.

* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added new files, and generated asm file.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
* LLIntAssembly/build-LLIntAssembly.sh: Generate dummy asm file in case we're using C backend.
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFor): Compile fix when DFG is disabled.
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFor): Ditto.
* bytecode/GetByIdStatus.h: Ditto.
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFor): Ditto.
* bytecode/PutByIdStatus.h: Ditto.
* llint/LLIntData.cpp:
(JSC::LLInt::initialize): Compile fix.
* llint/LLIntSlowPaths.h: Added llint_crash function.
* llint/LLIntSlowPaths.cpp: Ditto.
* llint/LowLevelInterpreter.cpp: Disable code for Windows.
* llint/LowLevelInterpreter.asm: Remove instruction which generates incorrect assembly code on Windows (MOV 0xbbadbeef, register), call llint_crash instead.
Make local labels visible to MASM on Windows.
* llint/LowLevelInterpreter32_64.asm: Make local labels visible to MASM on Windows.
* offlineasm/asm.rb: Generate asm file with Intel assembly syntax.
* offlineasm/settings.rb: Ditto.
* offlineasm/x86.rb: Ditto.

2014-02-14 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: CRASH when debugger closes while paused and remote inspecting a JSContext
https://bugs.webkit.org/show_bug.cgi?id=127757

Reviewed by Timothy Hatcher.

The problem was that the lifetime of the InspectorController and all agents
was tied to the remote inspector session. So, if a remote inspector was
disconnected while in the nested run loop, everything would get torn
down and when execution continued out of the nested runloop we would be
back in the original call stack of destroyed objects.

This patch changes the lifetime of the InspectorController and agents to
the JSGlobalObject. This way the agents are always alive, just the
frontend and backend channels are destroyed and recreated each remote
inspector session. This matches the agent lifetime for WebCore agents.
We can also later take advantage of the agents being alive before
and between inspector debug sessions to stash exception messages to
pass on to a debugger if a debugger is connected later.

* inspector/JSGlobalObjectInspectorController.h:
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
Cleaner initialization of agents. Easier to follow.

(Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
Move InjectedScript disconnection only once the global object is destroyed.
This way if a developer has attached once and included an injected script,
we will keep it around with any state it might want to remember until
the global object is destroyed.

(Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
Disconnect agents and injected scripts when the global object is destroyed.

* inspector/InjectedScriptManager.cpp:
(Inspector::InjectedScriptManager::disconnect):
Now that the injected script manager is reused between remote
inspector sessions, don't clear the pointer on disconnect calls.
We now only call this once when the global object is getting
destroyed anyways so it doesn't matter. But if we wanted to call
disconnect multiple times, e.g. once per session, we could.

* inspector/ScriptDebugServer.cpp:
(Inspector::ScriptDebugServer::dispatchFunctionToListeners):
If the only listener was removed during the nested runloop, then when
we dispatch an event after the nested runloop the listener list will
be empty. Instead of asserting, just pass by an empty list.

* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::inspectorController):
Tie the inspector controller lifetime to the JSGlobalObject.

* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::~JSGlobalObject):
(JSC::JSGlobalObject::init):
Create the inspector controller, and eagerly signal teardown
in destruction.

* runtime/JSGlobalObjectDebuggable.h:
* runtime/JSGlobalObjectDebuggable.cpp:
(JSC::JSGlobalObjectDebuggable::connect):
(JSC::JSGlobalObjectDebuggable::disconnect):
(JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
Simplify by using the inspector controller on JSGlobalObject.

2014-02-14 Mark Hahnenberg <mhahnenberg@apple.com>

-[JSManagedValue value] needs to be protected by the API lock
https://bugs.webkit.org/show_bug.cgi?id=128857

Reviewed by Mark Lam.

* API/APICast.h:
(toRef): Added an ASSERT so that we can detect these sorts of errors earlier. On 32-bit, toRef
can allocate objects so we need to be holding the lock.
* API/APIShims.h: Removed outdated comments.
* API/JSManagedValue.mm: Added RefPtr<JSLock> to JSManagedValue.
(-[JSManagedValue initWithValue:]): Initialize the m_lock field.
(-[JSManagedValue value]): Lock the JSLock, check the VM*, return nil if invalid, take the APIEntryShim otherwise.
* runtime/JSLock.cpp: Bug fix in JSLock. We were assuming that the VM was always non-null in JSLock::lock.
(JSC::JSLock::lock):

2014-02-14 Oliver Hunt <oliver@apple.com>

Implement a few more Array prototype functions in JS
https://bugs.webkit.org/show_bug.cgi?id=128788

Reviewed by Gavin Barraclough.

Remove a pile of awful C++, and rewrite in simple JS.

Needed to make a few other changes to get fully builtins
behavior to more accurately match a host function's.

* builtins/Array.prototype.js:
(every):
(forEach):
(filter):
(map):
(some):
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::BuiltinExecutables):
(JSC::BuiltinExecutables::createBuiltinExecutable):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitPutByVal):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitExpressionInfo):
* interpreter/Interpreter.cpp:
(JSC::GetStackTraceFunctor::operator()):
* parser/Nodes.h:
(JSC::FunctionBodyNode::overrideName):
* profiler/LegacyProfiler.cpp:
(JSC::createCallIdentifierFromFunctionImp):
* runtime/ArrayPrototype.cpp:
* runtime/JSFunction.cpp:
(JSC::JSFunction::deleteProperty):
* runtime/JSFunction.h:

2014-02-14 Mark Hahnenberg <mhahnenberg@apple.com>

ASSERT(isValidAllocation(bytes)) when ObjC API creates custom errors
https://bugs.webkit.org/show_bug.cgi?id=128840

Reviewed by Joseph Pecoraro.

We need to add APIEntryShims around places where we allocate errors in JSC.
Also converted some of the createTypeError call sites to use ASCIILiteral.

* API/JSValue.mm:
(valueToArray):
(valueToDictionary):
* API/ObjCCallbackFunction.mm:
(JSC::objCCallbackFunctionCallAsConstructor):
(JSC::ObjCCallbackFunctionImpl::call):
* API/tests/testapi.mm:

2014-02-14 Mark Hahnenberg <mhahnenberg@apple.com>

Baseline JIT should have a fast path to bypass the write barrier on op_enter
https://bugs.webkit.org/show_bug.cgi?id=128832

Reviewed by Filip Pizlo.

* jit/JIT.h: Removed some random commented out functions.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_enter):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitWriteBarrier):

2014-02-14 Filip Pizlo <fpizlo@apple.com>

Don't optimize variadic closure calls
https://bugs.webkit.org/show_bug.cgi?id=128835

Reviewed by Gavin Barraclough.

Read the check that had been in JITStubs.cpp, back in the day. This code came
from the DFG and the DFG didn't need these checks.

* jit/JITOperations.cpp:

2014-02-14 David Kilzer <ddkilzer@apple.com>

[ASan] Disable JSStack::sanitizeStack() to avoid false-positive stack-buffer-overflow errors
<http://webkit.org/b/128819>

Reviewed by Filip Pizlo.

* interpreter/JSStack.cpp:
(JSC::JSStack::sanitizeStack): When building with the clang
address sanitizer, don't sanitize the stack since it will
trigger false-positive stack-buffer-overflow errors. Disabling
this only results in a performance penalty, not a correctness
penalty.

2014-02-14 Andres Gomez <agomez@igalia.com>

Cleaning the JSStaticScopeObject files left behind after renaming their objects to JSNameScope
https://bugs.webkit.org/show_bug.cgi?id=127595

Reviewed by Mario Sanchez Prada.

JSStaticScopeObject was renamed to JSNameScope and removed long
ago but the files were left behind empty and the CMake compilation
in need of its existence. Now, we are definitely getting rid of
them.

* CMakeLists.txt:
* runtime/JSStaticScopeObject.cpp: Removed.
* runtime/JSStaticScopeObject.h: Removed.

2014-02-13 Filip Pizlo <fpizlo@apple.com>

Kill some of the last vestiges of the C++ interpreter's PICs
https://bugs.webkit.org/show_bug.cgi?id=128796

Reviewed by Michael Saboff.

* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::printGetByIdOp):
(JSC::CodeBlock::printGetByIdCacheStatus):
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/Opcode.h:
(JSC::padOpcodeName):
* bytecode/PolymorphicAccessStructureList.h:
(JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::PolymorphicStubInfo):
(JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
(JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
(JSC::PolymorphicAccessStructureList::visitWeak):
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::deref):
(JSC::StructureStubInfo::visitWeakReferences):
* bytecode/StructureStubInfo.h:
(JSC::isGetByIdAccess):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/Repatch.cpp:
(JSC::getPolymorphicStructureList):
(JSC::tryBuildGetByIDList):
* llint/LowLevelInterpreter.asm:

2014-02-13 Mark Lam <mark.lam@apple.com>

The JSContainerConvertor and ObjcContainerConvertor need to protect JSValueRefs. Part 2.
<https://webkit.org/b/128764>

Reviewed by Mark Hahnenberg.

toJS() is the wrong cast function to use. We need to use toJSForGC() instead.
Also we need to acquire the JSLock to prevent concurrent accesses to the
Strong handle list.

* API/JSValue.mm:
(JSContainerConvertor::add):
(containerValueToObject):
(ObjcContainerConvertor::add):
(objectToValue):

2014-02-13 Mark Hahnenberg <mhahnenberg@apple.com>

JSManagedValue::dealloc modifies NSMapTable while iterating it
https://bugs.webkit.org/show_bug.cgi?id=128713

Reviewed by Geoffrey Garen.

Having to write a test for this revealed a bug in how addManagedReference:withOwner:
actually notifies JSManagedValues of new owners.

* API/JSManagedValue.mm:
(-[JSManagedValue dealloc]):
* API/JSVirtualMachine.mm:
(-[JSVirtualMachine addManagedReference:withOwner:]):
(-[JSVirtualMachine removeManagedReference:withOwner:]):
* API/tests/testapi.mm:
(testObjectiveCAPI):

2014-02-13 Filip Pizlo <fpizlo@apple.com>

Unreviewed, fix build.

* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):

2014-02-13 Ryosuke Niwa <rniwa@webkit.org>

Speculative Release build fix after r164077.

* API/JSValue.mm:

2014-02-13 Mark Lam <mark.lam@apple.com>

The JSContainerConvertor and ObjcContainerConvertor need to protect JSValueRefs.
<https://webkit.org/b/128764>

Reviewed by Mark Hahnenberg.

Added a vector of Strong<Unknown> references in the 2 containers, and append
the newly created JSValues to those vectors. This will keep all those JS objects
alive for the duration of the conversion.

* API/JSValue.mm:
(JSContainerConvertor::add):
(ObjcContainerConvertor::add):

2014-02-13 Matthew Mirman <mmirman@apple.com>

Added GetMyArgumentsLength to FTL
https://bugs.webkit.org/show_bug.cgi?id=128758

Reviewed by Filip Pizlo.

* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
* tests/stress/ftl-getmyargumentslength.js: Added.
(foo):

2014-02-13 Filip Pizlo <fpizlo@apple.com>

Unreviewed, roll out http://trac.webkit.org/changeset/164066.

It broke tests and it was just plain wrong.

* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt):
(JSC::GetByIdStatus::computeForStubInfo):
* runtime/Structure.h:
(JSC::Structure::takesSlowPathInDFGForImpureProperty):

2014-02-13 Ryuan Choi <ryuan.choi@samsung.com>

Unreviewed build fix.

Fixed typo.

* dfg/DFGIntegerCheckCombiningPhase.cpp:
(JSC::DFG::IntegerCheckCombiningPhase::run):

2014-02-13 Michael Saboff <msaboff@apple.com>

Change FTL stack check to use VM's stackLimit
https://bugs.webkit.org/show_bug.cgi?id=128561

Reviewed by Filip Pizlo.

Changes FTL function entry to check the call frame register against the FTL
specific stack limit (VM::m_ftlStackLimit) and throw an exception if the
stack limit has been exceeded. Updated the exception handling code to have
a second entry that will unroll the current frame to the caller, since that
is where the exception should be processed.

* ftl/FTLCompile.cpp:
(JSC::FTL::fixFunctionBasedOnStackMaps):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::lower):
* ftl/FTLState.h:
* runtime/VM.h:
(JSC::VM::addressOfFTLStackLimit):

17552014-02-13 Filip Pizlo <fpizlo@apple.com>
1756
1757 GetByIdStatus shouldn't call takesSlowPathInDFGForImpureProperty() for self accesses, and calling that method should never assert about anything
1758 https://bugs.webkit.org/show_bug.cgi?id=128772
1759
1760 Reviewed by Mark Hahnenberg.
1761
1762 * bytecode/GetByIdStatus.cpp:
1763 (JSC::GetByIdStatus::computeFromLLInt):
1764 (JSC::GetByIdStatus::computeForStubInfo):
1765 * runtime/Structure.h:
1766 (JSC::Structure::takesSlowPathInDFGForImpureProperty):
1767
17682014-02-13 Mark Hahnenberg <mhahnenberg@apple.com>
1769
1770 Add some RELEASE_ASSERTs to catch JSLock bugs earlier
1771 https://bugs.webkit.org/show_bug.cgi?id=128762
1772
1773 Reviewed by Mark Lam.
1774
1775 * interpreter/Interpreter.cpp:
1776 (JSC::Interpreter::execute):
1777 * runtime/JSLock.cpp:
1778 (JSC::JSLock::DropAllLocks::DropAllLocks):
1779
17802014-02-12 Filip Pizlo <fpizlo@apple.com>
1781
1782 Hoist and combine array bounds checks
1783 https://bugs.webkit.org/show_bug.cgi?id=125433
1784
1785 Reviewed by Mark Hahnenberg.
1786
1787 This adds a phase for reasoning about overflow checks and array bounds checks. It's
1788 block-local, and removes both overflow checks and bounds checks in one go.
1789
1790 This also improves reasoning about commutative operations, and CSE between
1791 CheckOverflow and Unchecked arithmetic.
1792
1793 This strangely uncovered a DFG backend bug where we were trying to extract an int32
1794 from a constant even when that constant was just simply a number. I fixed that bug.
1795
1796 * CMakeLists.txt:
1797 * GNUmakefile.list.am:
1798 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1799 * JavaScriptCore.xcodeproj/project.pbxproj:
1800 * dfg/DFGAbstractInterpreterInlines.h:
1801 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1802 * dfg/DFGAbstractValue.cpp:
1803 (JSC::DFG::AbstractValue::set):
1804 * dfg/DFGArgumentsSimplificationPhase.cpp:
1805 (JSC::DFG::ArgumentsSimplificationPhase::run):
1806 * dfg/DFGArithMode.h:
1807 (JSC::DFG::subsumes):
1808 * dfg/DFGByteCodeParser.cpp:
1809 (JSC::DFG::ByteCodeParser::handleIntrinsic):
1810 * dfg/DFGCSEPhase.cpp:
1811 (JSC::DFG::CSEPhase::pureCSE):
1812 (JSC::DFG::CSEPhase::int32ToDoubleCSE):
1813 (JSC::DFG::CSEPhase::performNodeCSE):
1814 * dfg/DFGClobberize.h:
1815 (JSC::DFG::clobberize):
1816 * dfg/DFGEdge.cpp:
1817 (JSC::DFG::Edge::dump):
1818 * dfg/DFGEdge.h:
1819 (JSC::DFG::Edge::sanitized):
1820 (JSC::DFG::Edge::hash):
1821 * dfg/DFGFixupPhase.cpp:
1822 (JSC::DFG::FixupPhase::fixupNode):
1823 * dfg/DFGGraph.h:
1824 (JSC::DFG::Graph::valueOfInt32Constant):
1825 * dfg/DFGInsertionSet.h:
1826 (JSC::DFG::InsertionSet::insertConstant):
1827 * dfg/DFGIntegerCheckCombiningPhase.cpp: Added.
1828 (JSC::DFG::IntegerCheckCombiningPhase::IntegerCheckCombiningPhase):
1829 (JSC::DFG::IntegerCheckCombiningPhase::run):
1830 (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1831 (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
1832 (JSC::DFG::IntegerCheckCombiningPhase::isValid):
1833 (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
1834 (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
1835 (JSC::DFG::performIntegerCheckCombining):
1836 * dfg/DFGIntegerCheckCombiningPhase.h: Added.
1837 * dfg/DFGNode.h:
1838 (JSC::DFG::Node::willHaveCodeGenOrOSR):
1839 * dfg/DFGNodeType.h:
1840 * dfg/DFGPlan.cpp:
1841 (JSC::DFG::Plan::compileInThreadImpl):
1842 * dfg/DFGPredictionPropagationPhase.cpp:
1843 (JSC::DFG::PredictionPropagationPhase::propagate):
1844 * dfg/DFGSafeToExecute.h:
1845 (JSC::DFG::safeToExecute):
1846 * dfg/DFGSpeculativeJIT.cpp:
1847 (JSC::DFG::SpeculativeJIT::compileAdd):
1848 * dfg/DFGSpeculativeJIT32_64.cpp:
1849 (JSC::DFG::SpeculativeJIT::compile):
1850 * dfg/DFGSpeculativeJIT64.cpp:
1851 (JSC::DFG::SpeculativeJIT::compile):
1852 * dfg/DFGStrengthReductionPhase.cpp:
1853 (JSC::DFG::StrengthReductionPhase::handleNode):
1854 (JSC::DFG::StrengthReductionPhase::handleCommutativity):
1855 * dfg/DFGTypeCheckHoistingPhase.cpp:
1856 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1857 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1858 * ftl/FTLCapabilities.cpp:
1859 (JSC::FTL::canCompile):
1860 * ftl/FTLLowerDFGToLLVM.cpp:
1861 (JSC::FTL::LowerDFGToLLVM::compileNode):
1862 * jsc.cpp:
1863 (GlobalObject::finishCreation):
1864 (functionFalse):
1865 * runtime/Identifier.h:
1866 * runtime/Intrinsic.h:
1867 * runtime/JSObject.h:
1868 * tests/stress/get-by-id-untyped.js: Added.
1869 (foo):
1870 * tests/stress/inverted-additive-subsumption.js: Added.
1871 (foo):
1872 * tests/stress/redundant-add-overflow-checks.js: Added.
1873 (foo):
1874 * tests/stress/redundant-array-bounds-checks-addition-skip-first.js: Added.
1875 (foo):
1876 (arraycmp):
1877 * tests/stress/redundant-array-bounds-checks-addition.js: Added.
1878 (foo):
1879 (arraycmp):
1880 * tests/stress/redundant-array-bounds-checks-unchecked-addition.js: Added.
1881 (foo):
1882 (arraycmp):
1883 * tests/stress/redundant-array-bounds-checks.js: Added.
1884 (foo):
1885 (arraycmp):
1886 * tests/stress/tricky-array-bounds-checks.js: Added.
1887 (foo):
1888 (arraycmp):
1889
18902014-02-13 Filip Pizlo <fpizlo@apple.com>
1891
1892 FTL should be OK with __compact_unwind in a data section
1893 https://bugs.webkit.org/show_bug.cgi?id=128756
1894
1895 Reviewed by Mark Hahnenberg.
1896
1897 * ftl/FTLCompile.cpp:
1898 (JSC::FTL::mmAllocateCodeSection):
1899 (JSC::FTL::mmAllocateDataSection):
1900
19012014-02-13 Michael Saboff <msaboff@apple.com>
1902
1903 CStack Branch: VM::currentReturnThunkPC appears to be unused and should be removed
1904 https://bugs.webkit.org/show_bug.cgi?id=127205
1905
1906 Reviewed by Geoffrey Garen.
1907
1908 Removed ununsed references to VM::currentReturnThunkPC.
1909
1910 * jit/ThunkGenerators.cpp:
1911 (JSC::arityFixup):
1912 * runtime/VM.h:
1913
19142014-02-13 Tamas Gergely <tgergely.u-szeged@partner.samsung.com>
1915
1916 Code cleanup: remove gcc<4.7 guards.
1917 https://bugs.webkit.org/show_bug.cgi?id=128729
1918
1919 Reviewed by Anders Carlsson.
1920
1921 Remove GCC_VERSION_AT_LEAST guards when it checks for pre-4.7 versions,
1922 as WK does not compile with earlier gcc versions.
1923
1924 * assembler/MIPSAssembler.h:
1925 (JSC::MIPSAssembler::cacheFlush):
1926 * interpreter/StackVisitor.cpp:
1927 (JSC::printif):
1928
19292014-02-12 Mark Lam <mark.lam@apple.com>
1930
1931 No need to save reservedZoneSize when dropping the JSLock.
1932 <https://webkit.org/b/128719>
1933
1934 Reviewed by Geoffrey Garen.
1935
1936 The reservedZoneSize does not change due to the VM being run on a different
1937 thread. Hence, there is no need to save and restore its value. Instead of
1938 calling updateReservedZoneSize() to update the stack limit, we now call
1939 setStackPointerAtVMEntry() to do the job. setStackPointerAtVMEntry()
1940 will update the stackPointerAtVMEntry and delegate to updateStackLimit() to
1941 update the stack limit based on the new stackPointerAtVMEntry.
1942
1943 * runtime/ErrorHandlingScope.cpp:
1944 (JSC::ErrorHandlingScope::ErrorHandlingScope):
1945 (JSC::ErrorHandlingScope::~ErrorHandlingScope):
1946 - Previously, we initialize stackPointerAtVMEntry in VMEntryScope. This
1947 means that the stackPointerAtVMEntry may not be initialize when we
1948 instantiate the ErrorHandlingScope. And so, we needed to initialize the
1949 stackPointerAtVMEntry in the ErrorHandlingScope constructor if it's not
1950 already initialized.
1951
1952 Now that we initialize the stackPointerAtVMEntry when we lock the VM JSLock,
1953 we are guaranteed that it will be initialized by the time we instantiate
1954 the ErrorHandlingScope. Hence, we can change the ErrorHandlingScope code
1955 to just assert that the stackPointerAtVMEntry is initialized instead.
1956
1957 * runtime/InitializeThreading.cpp:
1958 (JSC::initializeThreading):
1959 - We no longer need to save the reservedZoneSize. Remove the related code.
1960
1961 * runtime/JSLock.cpp:
1962 (JSC::JSLock::lock):
1963 - When we grab the JSLock mutex for the first time, there is no reason why
1964 the stackPointerAtVMEntry should be initialized. By definition, grabbing
1965 the lock for the first time equates to entering the VM for the first time.
1966 Hence, we can just assert that stackPointerAtVMEntry is uninitialized,
1967 and initialize it unconditionally.
1968
1969 The only exception to this is if we're locking to regrab the JSLock in
1970 grabAllLocks(), but grabAllLocks() will take care of restoring the
1971 stackPointerAtVMEntry in that case after lock() returns. stackPointerAtVMEntry
1972 should still be 0 when we've just locked the JSLock. So, the above assertion
1973 always holds true.
1974
1975 Note: VM::setStackPointerAtVMEntry() will take care of calling
1976 VM::updateStackLimit() based on the new stackPointerAtVMEntry.
1977
1978 - There is no need to save the reservedZoneSize. The reservedZoneSize is
1979 set to Options::reservedZoneSize() when the VM is initialized. Thereafter,
1980 the ErrorHandlingScope will change it to Options::errorModeReservedZoneSize()
1981 when we're handling an error, and it will restore it afterwards. There is
1982 no other reason we should be changing the reservedZoneSize. Hence, we can
1983 remove the unnecessary code to save it here.
1984
1985 (JSC::JSLock::unlock):
1986 - Similarly, when the lockCount reaches 0 in unlock(), it is synonymous with
1987 exiting the VM. Hence, we should just clear the stackPointerAtVMEntry and
1988 update the stackLimit. Exiting the VM should have no effect on the VM
1989 reservedZoneSize. Hence, we can remove the unnecessary code to "restore" it.
1990
1991 (JSC::JSLock::dropAllLocks):
1992 - When dropping locks, we do not need to save the reservedZoneSize because
1993 the reservedZoneSize should remain the same regardless of which thread
1994 we are executing JS on. Hence, we can remove the unnecessary code to save
1995 the reservedZoneSize here.
1996
1997 (JSC::JSLock::grabAllLocks):
1998 - When re-grabbing locks, restoring the stackPointerAtVMEntry via
1999 VM::setStackPointerAtVMEntry() will take care of updating the stack limit.
2000 As explained above, there's no need to save the reservedZoneSize. Hence,
2001 there's no need to "restore" it here.
2002
2003 * runtime/VM.cpp:
2004 (JSC::VM::VM):
2005 (JSC::VM::setStackPointerAtVMEntry):
2006 - Sets the stackPointerAtVMEntry and delegates to updateStackLimit() to update
2007 the stack limit based on the new stackPointerAtVMEntry.
2008 (JSC::VM::updateStackLimit):
2009 * runtime/VM.h:
2010 (JSC::VM::stackPointerAtVMEntry):
2011 - Renamed stackPointerAtVMEntry to m_stackPointerAtVMEntry and made it private.
2012 Added a stackPointerAtVMEntry() function to read the value.
2013
20142014-02-12 Mark Hahnenberg <mhahnenberg@apple.com>
2015
2016 DelayedReleaseScope in MarkedAllocator::tryAllocateHelper is wrong
2017 https://bugs.webkit.org/show_bug.cgi?id=128641
2018
2019 Reviewed by Michael Saboff.
2020
2021 We were improperly handling the case where the DelayedReleaseScope
2022 in tryAllocateHelper would cause us to drop the API lock, allowing
2023 another thread to sneak in and allocate a new block after we had already
2024 concluded that there were no more blocks to allocate out of.
2025
2026 The fix is to call tryAllocateHelper in a loop until we know for sure
2027 that this did not happen.
2028
2029 There was also a race condition with the DelayedReleaseScope in addBlock.
2030 We would add the block to the MarkedBlock's list, sweep it, and then return,
2031 causing us to drop the API lock momentarily. Another thread could then
2032 grab the lock, and allocate out of the new block to the point where the
2033 free list was empty. Then we would return to the original thread, who thinks
2034 it's impossible to not allocate successfully at this point.
2035 Instead we should just let tryAllocate do all the hard work with correctly
2036 sweeping and getting a valid result.
2037
2038 There was another race condition in didFinishIterating. We would call resumeAllocating,
2039 which would create a DelayedReleaseScope. The DelayedReleaseScope would then release
2040 API lock before we set m_isIterating back to false, which would potentially confuse
2041 other threads.
2042
2043 * heap/MarkedAllocator.cpp:
2044 (JSC::MarkedAllocator::tryAllocateHelper):
2045 (JSC::MarkedAllocator::tryPopFreeList):
2046 (JSC::MarkedAllocator::tryAllocate):
2047 (JSC::MarkedAllocator::addBlock):
2048 * heap/MarkedAllocator.h:
2049
20502014-02-12 Brian Burg <bburg@apple.com>
2051
2052 Web Replay: capture and replay nondeterminism of Date.now() and Math.random()
2053 https://bugs.webkit.org/show_bug.cgi?id=128633
2054
2055 Reviewed by Filip Pizlo.
2056
2057 Upstream the only two sources of script-visible nondeterminism in JavaScriptCore.
2058
2059 The random seed for WeakRandom is memoized when the owning JSGlobalObject is
2060 constructed. It is deterministically initialized during replay before any
2061 scripts execute with the global object.
2062
2063 The implementations of `Date.now()` and `new Date()` eventually obtain the
2064 current time from jsCurrentTime(). When capturing, we save return values of
2065 jsCurrentTime() into the recording. When replaying, we use memoized values from
2066 the recording instead of obtaining values from the platform-specific currentTime()
2067 implementation. No other code calls jsCurrentTime().
2068
2069 * DerivedSources.make: Add rules to make JSReplayInputs.h from JSInputs.json.
2070 * JavaScriptCore.xcodeproj/project.pbxproj:
2071 * replay/JSInputs.json: Added. Includes specifications for replay inputs
2072 "GetCurrentTime" and "SetRandomSeed". Tests will be added for both input
2073 cases once sufficient replay machinery has been added.
2074
2075 * replay/NondeterministicInput.h: NondeterministicInput should not have
2076 been marked 'final'.
2077
2078 * runtime/DateConstructor.cpp:
2079 (JSC::deterministicCurrentTime): Added. Load or store the current time depending
2080 on what kind of InputCursor is attached to the JSGlobalObject.
2081
2082 (JSC::constructDate): Use deterministicCurrentTime().
2083 (JSC::dateNow): Use deterministicCurrentTime().
2084 * runtime/JSGlobalObject.cpp:
2085 (JSC::JSGlobalObject::setInputCursor): When setting a non-empty input cursor,
2086 immediately store or load the "SetRandomSeed" input and initialize WeakRandom's
2087 random seed with it. The input cursor (and thus random seed) must be set before
2088 any scripts are evaluated with this JSGlobalObject.
2089
2090 * runtime/WeakRandom.h:
2091 (JSC::WeakRandom::WeakRandom): Add JSGlobalObject as a friend class.
2092 (JSC::WeakRandom::initializeSeed): Extract the seed initialization into a
2093 separate method so it can be called outside of the JSGlobalObject constructor.
2094
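An added illustration of the capture/replay scheme the entry above describes (not JavaScriptCore's own code; CaptureCursor, ReplayCursor, WeakRandomLike, deterministicCurrentTime and attachInputCursor are hypothetical names): a cursor that memoizes the current time and the random seed while capturing, serves them back while replaying, and detects a replayed run that diverges from the recording.

```javascript
// Added example, not JavaScriptCore's own code: a minimal capture/replay cursor
// in the spirit of the "GetCurrentTime" and "SetRandomSeed" inputs described
// above. All names here (CaptureCursor, ReplayCursor, WeakRandomLike,
// deterministicCurrentTime, attachInputCursor) are hypothetical.

// Capturing: every nondeterministic value the script observes is appended to
// the recording, in the order it was observed.
class CaptureCursor {
  constructor() { this.recording = []; }
  isCapturing() { return true; }
  store(type, value) { this.recording.push({ type, value }); return value; }
}

// Replaying: values come from the recording; the platform is never asked.
// A type mismatch means the replayed run diverged from the captured one.
class ReplayCursor {
  constructor(recording) { this.recording = recording; this.position = 0; }
  isCapturing() { return false; }
  load(type) {
    const input = this.recording[this.position++];
    if (!input || input.type !== type) {
      const got = input ? input.type : 'end of recording';
      throw new Error(`replay divergence: expected ${type}, got ${got}`);
    }
    return input.value;
  }
}

// Stand-in for jsCurrentTime()/deterministicCurrentTime(): store the platform
// time when capturing, use the memoized value when replaying.
function deterministicCurrentTime(cursor, platformCurrentTime) {
  if (cursor.isCapturing()) return cursor.store('GetCurrentTime', platformCurrentTime());
  return cursor.load('GetCurrentTime');
}

// xorshift32, standing in for WeakRandom: the same seed yields the same sequence.
class WeakRandomLike {
  constructor() { this.state = 1; }
  initializeSeed(seed) { this.state = (seed >>> 0) || 1; }
  getUint32() {
    let x = this.state;
    x ^= x << 13; x >>>= 0;
    x ^= x >>> 17;
    x ^= x << 5; x >>>= 0;
    this.state = x;
    return x;
  }
}

// Mirrors setInputCursor(): the seed input is stored or loaded as soon as the
// cursor is attached, before any script can run against the global object.
function attachInputCursor(globalObject, cursor, platformSeed) {
  const seed = cursor.isCapturing()
    ? cursor.store('SetRandomSeed', platformSeed())
    : cursor.load('SetRandomSeed');
  globalObject.weakRandom.initializeSeed(seed);
  globalObject.cursor = cursor;
}

// A script that observes time and randomness a few times; returns what it saw.
function runScript(globalObject, platformCurrentTime) {
  const seen = [];
  for (let i = 0; i < 3; i++) {
    seen.push(deterministicCurrentTime(globalObject.cursor, platformCurrentTime));
    seen.push(globalObject.weakRandom.getUint32());
  }
  return seen;
}

// Capture a run against constructed platform sources, then replay it against
// sources that throw if consulted: the replay must see exactly the same values.
function captureThenReplay() {
  let fakeClock = 1392249600000; // constructed: ms since epoch, +17 ms per read
  const captureGlobal = { weakRandom: new WeakRandomLike(), cursor: null };
  const capture = new CaptureCursor();
  attachInputCursor(captureGlobal, capture, () => 0xdeadbeef); // constructed seed
  const captured = runScript(captureGlobal, () => (fakeClock += 17));

  const refuse = (what) => () => { throw new Error(`${what} consulted during replay`); };
  const replayGlobal = { weakRandom: new WeakRandomLike(), cursor: null };
  attachInputCursor(replayGlobal, new ReplayCursor(capture.recording), refuse('platform seed'));
  const replayed = runScript(replayGlobal, refuse('platform clock'));
  return { captured, replayed, recording: capture.recording };
}
```
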
2014-02-12 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: Cleanup JavaScriptCore/inspector
        https://bugs.webkit.org/show_bug.cgi?id=128662

        Reviewed by Timothy Hatcher.

        Now that the code has settled, do a cleanup pass.

        * inspector/ContentSearchUtilities.cpp:
        * inspector/InspectorValues.cpp:
        (Inspector::InspectorValue::asObject):
        (Inspector::InspectorValue::asArray):
        (Inspector::InspectorValue::parseJSON):
        (Inspector::InspectorObjectBase::getObject):
        (Inspector::InspectorObjectBase::getArray):
        (Inspector::InspectorObjectBase::get):
        * inspector/ScriptCallStackFactory.cpp:
        * inspector/ScriptDebugServer.cpp:
        * inspector/agents/JSGlobalObjectConsoleAgent.h:

2014-02-12 Ryosuke Niwa <rniwa@webkit.org>

        Windows build fix attempt after r163960.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-02-12 Michael Saboff <msaboff@apple.com>

        Adjust VM::stackLimit based on the size of the largest FTL stack produced
        https://bugs.webkit.org/show_bug.cgi?id=128562

        Reviewed by Mark Lam.

        Added VM::m_largestFTLStackSize to track the largest stack size of an FTL compiled
        function. Added VM::m_ftlStackLimit for FTL functions' stack limit. Renamed
        VM::updateStackLimitWithReservedZoneSize to VM::updateReservedZoneSize. Renamed
        VM::setStackLimit to VM::updateStackLimit and changed it to do the updating of the
        stack limits, including taking into account m_largestFTLStackSize.

        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * runtime/ErrorHandlingScope.cpp:
        (JSC::ErrorHandlingScope::ErrorHandlingScope):
        (JSC::ErrorHandlingScope::~ErrorHandlingScope):
        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::grabAllLocks):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateReservedZoneSize):
        (JSC::VM::updateStackLimit):
        (JSC::VM::updateFTLLargestStackSize):
        * runtime/VM.h:

2014-02-11 Oliver Hunt <oliver@apple.com>

        Make it possible to implement JS builtins in JS
        https://bugs.webkit.org/show_bug.cgi?id=127887

        Reviewed by Michael Saboff.

        This patch makes it possible to write builtin functions in JS.
        The bindings, generators, and definitions are all created automatically
        based on js files in the builtins/ directory. This patch includes one
        such case: Array.prototype.js with an implementation of every().

        There's a lot of refactoring to make it possible for CommonIdentifiers
        to include the output of the generated files (DerivedSources/JSCBuiltins.{h,cpp})
        without breaking the offset extractor. The result of this refactoring
        is that CommonIdentifiers, and a few other miscellaneous headers now
        need to be included directly as they were formerly captured through other
        paths.

        In addition this adds a flag to the Lookup table's hashentry to indicate
        that a static function is actually backed by JS. There is then a lot of
        logic to thread the special nature of the function to where it matters.
        This allows toString(), .caller, etc to mimic the behaviour of a host
        function.

        Notes on writing builtins:
        - Each function is compiled independently of the others, and those
          implementations cannot currently capture all global properties (as
          that could be potentially unsafe). If a function does capture a
          global we will deliberately crash.
        - For those "global" properties that we do want access to, we use
          the @ prefix, e.g. Object(this) becomes @Object(this). The @ identifiers
          are private names, and behave just like regular properties, only
          without the risk of adulteration. Again, in the @Object case, we
          explicitly duplicate the ObjectConstructor reference on the GlobalObject
          so that we have guaranteed access to the original version of the
          constructor.
        - call, apply, eval, and Function are all rejected identifiers, again
          to prevent anything from accidentally using an adulterated object.
          Instead @call and @apply are available, and happily they completely
          drop the neq_ptr instruction as they're defined as always being the
          original call/apply functions.

        These restrictions are just intended to make it harder to accidentally
        make changes that are incorrect (for instance calling whatever has been
        assigned to global.Object, instead of the original constructor function).
        However, making a mistake like this should result in a purely semantic
        error as fundamentally these functions are treated as though they were
        regular JS code in the host global, and have no more privileges than
        any other JS.

        The initial proof of concept is Array.prototype.every, this shows a 65%
        performance improvement, and that improvement is significantly hurt by
        our poor optimisation of op_in.

        As this is such a limited function, we have not yet exported all symbols
        that we could possibly need, but as we implement more, the likelihood
        of encountering missing features will reduce.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        (JSC::JSCallbackObject<Parent>::put):
        (JSC::JSCallbackObject<Parent>::deleteProperty):
        (JSC::JSCallbackObject<Parent>::getStaticValue):
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/Array.prototype.js:
        (every):
        * builtins/BuiltinExecutables.cpp: Added.
        (JSC::BuiltinExecutables::BuiltinExecutables):
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/BuiltinExecutables.h:
        (JSC::BuiltinExecutables::create):
        * builtins/BuiltinNames.h: Added.
        (JSC::BuiltinNames::BuiltinNames):
        (JSC::BuiltinNames::getPrivateName):
        (JSC::BuiltinNames::getPublicName):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::ExecutableInfo::ExecutableInfo):
        (JSC::UnlinkedFunctionExecutable::create):
        (JSC::UnlinkedFunctionExecutable::toStrictness):
        (JSC::UnlinkedFunctionExecutable::isBuiltinFunction):
        (JSC::UnlinkedCodeBlock::isBuiltinFunction):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::isBuiltinFunction):
        (JSC::BytecodeGenerator::makeFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * create_hash_table:
        * generate-js-builtins: Added.
        (getCopyright):
        (getFunctions):
        (generateCode):
        (mangleName):
        (FunctionExecutable):
        (Identifier):
        (JSGlobalObject):
        (SourceCode):
        (UnlinkedFunctionExecutable):
        (VM):
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::isSafeBuiltinIdentifier):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        (JSC::Lexer<T>::lex):
        * parser/Lexer.h:
        (JSC::isSafeIdentifier):
        (JSC::Lexer<T>::lexExpectIdentifier):
        * parser/Nodes.cpp:
        (JSC::ProgramNode::setClosedVariables):
        * parser/Nodes.h:
        (JSC::ScopeNode::capturedVariables):
        (JSC::ScopeNode::setClosedVariables):
        (JSC::ProgramNode::closedVariables):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::didFinishParsing):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):
        * parser/Parser.h:
        (JSC::Scope::getUsedVariables):
        (JSC::Parser::closedVariables):
        (JSC::parse):
        * parser/ParserModes.h:
        * parser/ParserTokens.h:
        * runtime/ArrayPrototype.cpp:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        (JSC::CommonIdentifiers::~CommonIdentifiers):
        (JSC::CommonIdentifiers::getPrivateName):
        (JSC::CommonIdentifiers::getPublicName):
        * runtime/CommonIdentifiers.h:
        (JSC::CommonIdentifiers::builtinNames):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/Executable.h:
        (JSC::EvalExecutable::executableInfo):
        (JSC::ProgramExecutable::executableInfo):
        (JSC::FunctionExecutable::isBuiltinFunction):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::symbolTablePut):
        (JSC::JSActivation::symbolTablePutWithAttributes):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::createBuiltinFunction):
        (JSC::JSFunction::calculatedDisplayName):
        (JSC::JSFunction::sourceCode):
        (JSC::JSFunction::isHostOrBuiltinFunction):
        (JSC::JSFunction::isBuiltinFunction):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::nativeFunction):
        (JSC::JSFunction::nativeConstructor):
        (JSC::isHostFunction):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::objectConstructor):
        (JSC::JSGlobalObject::symbolTableHasProperty):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::putDirectBuiltinFunction):
        * runtime/JSObject.h:
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashEntry::builtinGenerator):
        (JSC::HashEntry::propertyGetter):
        (JSC::HashEntry::propertyPutter):
        (JSC::HashTable::entry):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticValueSlot):
        (JSC::putEntry):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NativeErrorConstructor.h:
        * runtime/PropertySlot.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::builtinExecutables):

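An added example of the adulterated-global problem the notes above describe (not the Array.prototype.js from this patch; naiveEvery, pinnedEvery, withTamperedGlobals and compareUnderTampering are hypothetical names): a userland every() that resolves Object and call through the live global, beside one that pins the originals at definition time, which is what the @Object and @call private names do for builtins.

```javascript
// Added example, not the Array.prototype.js builtin from the patch: two userland
// every() implementations showing why a builtin written in JS must pin the
// original Object constructor and call/apply (the @Object and @call private
// names described above). Names (naiveEvery, pinnedEvery, withTamperedGlobals,
// compareUnderTampering) are hypothetical.

// Resolves Object and Function.prototype.call through the live global every
// time it runs, so it inherits whatever any earlier script assigned there.
function naiveEvery(array, callback, thisArg) {
  const object = Object(array);
  const length = object.length >>> 0;
  for (let i = 0; i < length; i++) {
    if (!(i in object)) continue; // holes are skipped, as the spec requires
    if (!callback.call(thisArg, object[i], i, object)) return false;
  }
  return true;
}

// Captures the originals once, at definition time, before untrusted script can
// run. Later reassignment of globalThis.Object or Function.prototype.call
// cannot reach into this closure.
const pinnedEvery = (() => {
  const OriginalObject = Object;
  // uncurriedCall(fn, thisArg, ...args) behaves as fn.call(thisArg, ...args),
  // using the original call even if Function.prototype.call is replaced later.
  const uncurriedCall = Function.prototype.call.bind(Function.prototype.call);
  return function every(array, callback, thisArg) {
    const object = OriginalObject(array);
    const length = object.length >>> 0;
    for (let i = 0; i < length; i++) {
      if (!(i in object)) continue;
      if (!uncurriedCall(callback, thisArg, object[i], i, object)) return false;
    }
    return true;
  };
})();

// Runs fn while the global Object and Function.prototype.call are replaced by
// constructed adulterated versions, then restores them. This stands in for the
// "whatever has been assigned to global.Object" situation the entry describes.
function withTamperedGlobals(fn) {
  const savedObject = globalThis.Object;
  const savedCall = Function.prototype.call;
  globalThis.Object = function AdulteratedObject() { return { length: 0 }; };
  Function.prototype.call = function adulteratedCall() { return true; };
  try {
    return fn();
  } finally {
    globalThis.Object = savedObject;
    Function.prototype.call = savedCall;
  }
}

// Compares both implementations on the same input, with and without tampering.
// Under tampering the naive version silently reports true for any input.
function compareUnderTampering(array, callback) {
  const clean = { naive: naiveEvery(array, callback), pinned: pinnedEvery(array, callback) };
  const tampered = withTamperedGlobals(() => ({
    naive: naiveEvery(array, callback),
    pinned: pinnedEvery(array, callback),
  }));
  return { clean, tampered };
}
```
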
2014-02-11 Brent Fulgham <bfulgham@apple.com>

        Remove some unintended copies in ranged for loops
        https://bugs.webkit.org/show_bug.cgi?id=128644

        Reviewed by Anders Carlsson.

        * inspector/InjectedScriptHost.cpp:
        (Inspector::InjectedScriptHost::clearAllWrappers): Avoid creating/destroying
        a std::pair<> and pointer each loop iteration.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser): Avoid copying object containing a string
        each loop iteration.

2014-02-11 Ryosuke Niwa <rniwa@webkit.org>

        Debug build fix after r163946.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):

2014-02-11 Filip Pizlo <fpizlo@apple.com>

        Inserting a node with a codeOrigin "like" another node should copy both the codeOrigin and codeOriginForExitTarget
        https://bugs.webkit.org/show_bug.cgi?id=128635

        Reviewed by Michael Saboff.

        Originally nodes just had a codeOrigin. But then we started doing code motion, and we
        needed to separate the codeOrigin that designated where to exit from the codeOrigin
        that designated everything else. The "everything else" is actually pretty important:
        it includes profiling, exception handling, and the actual semantics of the node. For
        example some nodes use the origin's global object in some way.

        This all sort of worked except for one quirk: the facilities for creating nodes all
        assumed that there really was only one origin. LICM would work around this by setting
        the codeOriginForExitTarget manually. But, that means that:

        - If we did hoist a node twice, then the second time around, we would forget the node's
          original exit target.

        - If we did an insertNode() to insert a node before a hoisted node, the inserted node
          would have the wrong exit target.

        Most of the time, if we copy the code origin, we actually want to copy both origins.
        So, this patch introduces the notion of a NodeOrigin which has two CodeOrigins: a
        forExit code origin that says where to exit, and a semantic code origin for everything
        else.

        This also (annoyingly?) means that we are always more explicit about which code origin
        we refer to. That means that a lot of "node->codeOrigin" expressions had to change to
        "node->origin.semantic". This was partly a ploy on my part to ensure that this
        refactoring was complete: to get the code to compile I really had to audit all uses of
        CodeOrigin. If, in the future, we find that "node->origin.semantic" is too cumbersome
        then we can reintroduce the Node::codeOrigin field. For now I kinda like it though.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::booleanResult):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
        (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
        (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::originalArrayStructure):
        (JSC::DFG::ArrayMode::alreadyChecked):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::convertToJump):
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        (JSC::DFG::CFGSimplificationPhase::jettisonBlock):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
        (JSC::DFG::CPSRethreadingPhase::addPhi):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        (JSC::DFG::CPSRethreadingPhase::propagatePhis):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::notifyCompilingStructureTransition):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::fixupBlock):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::createDumpList):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::createToString):
        (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
        (JSC::DFG::FixupPhase::convertStringAddUse):
        (JSC::DFG::FixupPhase::fixupToPrimitive):
        (JSC::DFG::FixupPhase::fixupToString):
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        (JSC::DFG::FixupPhase::fixEdge):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
        (JSC::DFG::FixupPhase::convertToGetArrayLength):
        (JSC::DFG::FixupPhase::prependGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
        (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::amountOfNodeWhiteSpace):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::hasExitSite):
        (JSC::DFG::Graph::valueProfileFor):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        (JSC::DFG::InvalidationPointInjectionPhase::handle):
        (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
2512 * dfg/DFGNode.h:
2513 (JSC::DFG::Node::Node):
2514 (JSC::DFG::Node::isStronglyProvedConstantIn):
2515 * dfg/DFGNodeOrigin.h: Added.
2516 (JSC::DFG::NodeOrigin::NodeOrigin):
2517 (JSC::DFG::NodeOrigin::isSet):
2518 * dfg/DFGOSREntrypointCreationPhase.cpp:
2519 (JSC::DFG::OSREntrypointCreationPhase::run):
2520 * dfg/DFGResurrectionForValidationPhase.cpp:
2521 (JSC::DFG::ResurrectionForValidationPhase::run):
2522 * dfg/DFGSSAConversionPhase.cpp:
2523 (JSC::DFG::SSAConversionPhase::run):
2524 * dfg/DFGSSALoweringPhase.cpp:
2525 (JSC::DFG::SSALoweringPhase::handleNode):
2526 (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
2527 * dfg/DFGSpeculativeJIT.cpp:
2528 (JSC::DFG::SpeculativeJIT::compileIn):
2529 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2530 (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2531 (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2532 * dfg/DFGSpeculativeJIT.h:
2533 (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
2534 (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
2535 (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
2536 (JSC::DFG::SpeculativeJIT::appendCallSetResult):
2537 (JSC::DFG::SpeculativeJIT::appendCall):
2538 (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
2539 * dfg/DFGSpeculativeJIT32_64.cpp:
2540 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
2541 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
2542 (JSC::DFG::SpeculativeJIT::emitCall):
2543 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2544 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2545 (JSC::DFG::SpeculativeJIT::compile):
2546 * dfg/DFGSpeculativeJIT64.cpp:
2547 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
2548 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
2549 (JSC::DFG::SpeculativeJIT::emitCall):
2550 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2551 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2552 (JSC::DFG::SpeculativeJIT::compile):
2553 * dfg/DFGStrengthReductionPhase.cpp:
2554 (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
2555 (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray):
2556 * dfg/DFGTierUpCheckInjectionPhase.cpp:
2557 (JSC::DFG::TierUpCheckInjectionPhase::run):
2558 * dfg/DFGTypeCheckHoistingPhase.cpp:
2559 (JSC::DFG::TypeCheckHoistingPhase::run):
2560 * dfg/DFGValidate.cpp:
2561 (JSC::DFG::Validate::validateSSA):
2562 * dfg/DFGWatchpointCollectionPhase.cpp:
2563 (JSC::DFG::WatchpointCollectionPhase::handle):
2564 (JSC::DFG::WatchpointCollectionPhase::handleEdge):
2565 (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
2566 (JSC::DFG::WatchpointCollectionPhase::globalObject):
2567 * ftl/FTLJSCall.cpp:
2568 (JSC::FTL::JSCall::link):
2569 * ftl/FTLLink.cpp:
2570 (JSC::FTL::link):
2571 * ftl/FTLLowerDFGToLLVM.cpp:
2572 (JSC::FTL::LowerDFGToLLVM::compileNode):
2573 (JSC::FTL::LowerDFGToLLVM::compileToThis):
2574 (JSC::FTL::LowerDFGToLLVM::compilePutById):
2575 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2576 (JSC::FTL::LowerDFGToLLVM::compileNewArray):
2577 (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
2578 (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
2579 (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
2580 (JSC::FTL::LowerDFGToLLVM::compileGetMyScope):
2581 (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
2582 (JSC::FTL::LowerDFGToLLVM::getById):
2583 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
2584 (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructure):
2585 (JSC::FTL::LowerDFGToLLVM::masqueradesAsUndefinedWatchpointIsStillValid):
2586 (JSC::FTL::LowerDFGToLLVM::callPreflight):
2587
2588 2014-02-11 Filip Pizlo <fpizlo@apple.com>
2589
2590 Fix assertions and incorrect codegen for CompareEq(ObjectOrOther:, Object:)
2591 https://bugs.webkit.org/show_bug.cgi?id=128648
2592
2593 Reviewed by Mark Lam.
2594
2595 I did CompareEq(Object:, ObjectOrOther:) correctly but the flipped version wrong.
2596 That's what I get for running tests in release mode. It's hard to write a test for
2597 the incorrect codegen; that's kind of why the assertions are there.
2598
2599 * ftl/FTLLowerDFGToLLVM.cpp:
2600 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2601
2602 2014-02-11 Filip Pizlo <fpizlo@apple.com>
2603
2604 Unreviewed, trivial change to silence FTL assertions
2605
2606 Normally, lowJSValue() should only be used for UntypedUse only. Here we are using it
2607 on ObjectOrOtherUse because we execute the speculation ourselves. The way you're
2608 supposed to do this is by passing ManualOperandSpeculation to tell lowJSValue() not
2609 to assert.
2610
2611 * ftl/FTLLowerDFGToLLVM.cpp:
2612 (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
2613
2614 2014-02-11 Filip Pizlo <fpizlo@apple.com>
2615
2616 Use LLVM's dead store elimination
2617 https://bugs.webkit.org/show_bug.cgi?id=128638
2618
2619 Reviewed by Mark Hahnenberg.
2620
2621 DFG's store elimination was being run too soon for comfort on the FTL path. It's
2622 really only sound when run after all other optimizations. Remove it from the FTL
2623 path.
2624
2625 Enable LLVM store elimination. It's both easier to reason about and more
2626 comprehensive.
2627
2628 * dfg/DFGPlan.cpp:
2629 (JSC::DFG::Plan::compileInThreadImpl):
2630 * ftl/FTLCompile.cpp:
2631 (JSC::FTL::compile):
2632
2633 2014-02-11 Brian Burg <bburg@apple.com>
2634
2635 Web Replay: upstream replay input code generator and EncodedValue class
2636 https://bugs.webkit.org/show_bug.cgi?id=128215
2637
2638 Reviewed by Joseph Pecoraro.
2639
2640 Add the replay inputs code generator. Most features of the input generator are
2641 exercised by included generator regression tests, which produce useful but
2642 non-compilable test replay inputs.
2643
2644 Add EncodedValue, the main replay input serialization class that encodes and
2645 decodes inputs and their data between C++ types and the JSON-based replay recording
2646 format. EncodedValue uses EncodingTraits specializations for type-specific encoding.
2647 Relative to other WebKit marshalling mechanisms, EncodedValue is key/value based.
2648 EncodedValue uses InspectorValue subclasses as its backing data structure.
2649
2650 Add some missing numerical conversions to InspectorValue.
2651
2652 * JavaScriptCore.xcodeproj/project.pbxproj:
2653 * inspector/InspectorValues.cpp:
2654 (Inspector::InspectorValue::asNumber):
2655 (Inspector::InspectorBasicValue::asNumber):
2656 * inspector/InspectorValues.h:
2657 * replay/EncodedValue.cpp: Added.
2658 (JSC::EncodedValue::asObject):
2659 (JSC::EncodedValue::asArray):
2660 (JSC::ScalarEncodingTraits<bool>::encodeValue):
2661 (JSC::ScalarEncodingTraits<double>::encodeValue):
2662 (JSC::ScalarEncodingTraits<float>::encodeValue):
2663 (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
2664 (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
2665 (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
2666 (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
2667 (JSC::long>::encodeValue):
2668 (JSC::EncodedValue::convertTo<bool>):
2669 (JSC::EncodedValue::convertTo<double>):
2670 (JSC::EncodedValue::convertTo<float>):
2671 (JSC::EncodedValue::convertTo<int32_t>):
2672 (JSC::EncodedValue::convertTo<int64_t>):
2673 (JSC::EncodedValue::convertTo<uint32_t>):
2674 (JSC::EncodedValue::convertTo<uint64_t>):
2675 (JSC::long>):
2676 (JSC::EncodedValue::convertTo<String>):
2677 (JSC::EncodedValue::put<EncodedValue>):
2678 (JSC::EncodedValue::append<EncodedValue>):
2679 (JSC::EncodedValue::get<EncodedValue>):
2680 * replay/EncodedValue.h: Added.
2681 (JSC::EncodedValue::EncodedValue):
2682 (JSC::EncodedValue::createObject):
2683 (JSC::EncodedValue::createArray):
2684 (JSC::EncodedValue::createString):
2685 (JSC::EncodedValue::~EncodedValue):
2686 (JSC::ScalarEncodingTraits::decodeValue):
2687 (JSC::EncodingTraits<String>::encodeValue):
2688 (JSC::EncodedValue::put):
2689 (JSC::EncodedValue::append):
2690 (JSC::EncodedValue::get):
2691 * replay/scripts/CodeGeneratorReplayInputs.py: Added.
2692 (ParseException):
2693 (TypecheckException):
2694 (Framework):
2695 (Framework.__init__):
2696 (Framework.setting):
2697 (Framework.fromString):
2698 (Frameworks):
2699 (InputQueue):
2700 (InputQueue.__init__):
2701 (InputQueue.setting):
2702 (InputQueue.fromString):
2703 (InputQueues):
2704 (Input):
2705 (Input.__init__):
2706 (Input.setting):
2707 (InputMember):
2708 (InputMember.__init__):
2709 (InputMember.has_flag):
2710 (TypeMode):
2711 (TypeMode.__init__):
2712 (TypeMode.fromString):
2713 (TypeModes):
2714 (Type):
2715 (Type.__init__):
2716 (Type.__eq__):
2717 (Type.__hash__):
2718 (Type.has_flag):
2719 (Type.is_struct):
2720 (Type.is_enum):
2721 (Type.is_enum_class):
2722 (Type.declaration_kind):
2723 (Type.qualified_prefix):
2724 (Type.qualified_prefix.is):
2725 (Type.type_name):
2726 (Type.storage_type):
2727 (Type.borrow_type):
2728 (Type.argument_type):
2729 (check_properties):
2730 (VectorType):
2731 (VectorType.__init__):
2732 (VectorType.has_flag):
2733 (VectorType.is_struct):
2734 (VectorType.is_enum):
2735 (VectorType.is_enum_class):
2736 (VectorType.qualified_prefix):
2737 (VectorType.type_name):
2738 (VectorType.argument_type):
2739 (InputsModel):
2740 (InputsModel.__init__):
2741 (InputsModel.enum_types):
2742 (InputsModel.get_type_for_member):
2743 (InputsModel.parse_toplevel):
2744 (InputsModel.parse_type_with_framework_name):
2745 (InputsModel.parse_input):
2746 (InputsModel.typecheck):
2747 (InputsModel.typecheck_type):
2748 (InputsModel.typecheck_input):
2749 (InputsModel.typecheck_input_member):
2750 (IncrementalFileWriter):
2751 (IncrementalFileWriter.__init__):
2752 (IncrementalFileWriter.write):
2753 (IncrementalFileWriter.close):
2754 (lcfirst):
2755 (wrap_with_guard):
2756 (Generator):
2757 (Generator.__init__):
2758 (Generator.setting):
2759 (Generator.output_filename):
2760 (Generator.write_output_files):
2761 (Generator.generate_header):
2762 (Generator.generate_implementation):
2763 (Generator.generate_license):
2764 (Generator.generate_includes):
2765 (Generator.generate_includes.declaration):
2766 (Generator.generate_includes.declaration.is):
2767 (Generator.generate_type_forward_declarations):
2768 (Generator.generate_type_forward_declarations.is):
2769 (Generator.generate_class_declaration):
2770 (Generator.generate_input_constructor_declaration):
2771 (Generator.generate_input_destructor_declaration):
2772 (Generator.generate_input_member_getter):
2773 (Generator.generate_input_member_declaration):
2774 (Generator.generate_input_member_tuples):
2775 (Generator.qualified_input_name):
2776 (Generator.generate_input_trait_declaration):
2777 (Generator.generate_enum_trait_declaration):
2778 (Generator.generate_for_each_macro):
2779 (Generator.generate_class_implementation):
2780 (Generator.generate_enum_trait_implementation):
2781 (Generator.generate_enum_trait_implementation.is):
2782 (Generator.generate_input_trait_implementation):
2783 (Generator.generate_input_encode_implementation):
2784 (Generator.generate_input_decode_implementation):
2785 (Generator.generate_constructor_initializer_list):
2786 (Generator.generate_constructor_formals_list):
2787 (Generator.generate_member_borrow_expression):
2788 (Generator.generate_member_move_expression):
2789 (Generator.generate_constructor_arguments_list):
2790 (generate_from_specification):
2791 * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Added.
2792 (Templates):
2793 * replay/scripts/tests/expected/JSInputs.json-TestReplayInputs.cpp: Added.
2794 * replay/scripts/tests/expected/JSInputs.json-TestReplayInputs.h: Added.
2795 * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Added.
2796 * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Added.
2797 * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Added.
2798 * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Added.
2799 * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Added.
2800 * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Added.
2801 * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Added.
2802 * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Added.
2803 * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Added.
2804 * replay/scripts/tests/expected/fail-on-no-inputs.json-error: Added.
2805 * replay/scripts/tests/expected/fail-on-no-types.json-error: Added.
2806 * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Added.
2807 * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Added.
2808 * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Added.
2809 * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Added.
2810 * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Added.
2811 * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Added.
2812 * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Added.
2813 * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-error: Added.
2814 * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Added.
2815 * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Added.
2816 * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Added.
2817 * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Added.
2818 * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Added.
2819 * replay/scripts/tests/expected/generate-inputs-with-flags.json-error: Added.
2820 * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Added.
2821 * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Added.
2822 * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Added.
2823 * replay/scripts/tests/fail-on-duplicate-input-names.json: Added.
2824 * replay/scripts/tests/fail-on-duplicate-type-names.json: Added.
2825 * replay/scripts/tests/fail-on-enum-type-missing-values.json: Added.
2826 * replay/scripts/tests/fail-on-missing-input-member-name.json: Added.
2827 * replay/scripts/tests/fail-on-missing-input-name.json: Added.
2828 * replay/scripts/tests/fail-on-missing-input-queue.json: Added.
2829 * replay/scripts/tests/fail-on-missing-type-mode.json: Added.
2830 * replay/scripts/tests/fail-on-missing-type-name.json: Added.
2831 * replay/scripts/tests/fail-on-no-inputs.json: Added.
2832 * replay/scripts/tests/fail-on-no-types.json: Added.
2833 * replay/scripts/tests/fail-on-unknown-input-queue.json: Added.
2834 * replay/scripts/tests/fail-on-unknown-member-type.json: Added.
2835 * replay/scripts/tests/fail-on-unknown-type-mode.json: Added.
2836 * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Added.
2837 * replay/scripts/tests/generate-enum-encoding-helpers.json: Added.
2838 * replay/scripts/tests/generate-event-loop-shape-types.json: Added.
2839 * replay/scripts/tests/generate-input-with-guard.json: Added.
2840 * replay/scripts/tests/generate-input-with-vector-members.json: Added.
2841 * replay/scripts/tests/generate-inputs-with-flags.json: Added.
2842 * replay/scripts/tests/generate-memoized-type-modes.json: Added.
2843
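The entry above describes EncodedValue as a key/value container that encodes and decodes C++ values through per-type EncodingTraits specializations, backed by JSON-style values. The block below is an added illustration of that design and is not the project's EncodedValue or InspectorValue code: the `Scalar` variant stands in for the backing store, the type names `EncodingTraits`, `IntegerEncodingTraits`, `EncodedValue`, `roundTripKeyEvent` and the constructed key-event fields are all assumptions made for the example. The point a practitioner would want on top of the description is in the integer traits: a recording is JSON, so integers travel as doubles, and a decoder that accepts a replay file from outside must refuse non-integral or out-of-range numbers rather than truncate them.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>
#include <map>
#include <optional>
#include <string>
#include <utility>
#include <variant>

// JSON-like scalar standing in for the InspectorValue backing store (assumption).
using Scalar = std::variant<bool, double, std::string>;

// Per-type encoding rules in the spirit of the entry's EncodingTraits: each
// specialization says how a C++ value maps onto the JSON scalar and how it is
// decoded back, with decode refusing anything that does not fit.
template<typename T> struct EncodingTraits;

template<> struct EncodingTraits<bool> {
    static Scalar encode(bool b) { return b; }
    static std::optional<bool> decode(const Scalar& s)
    {
        if (const bool* p = std::get_if<bool>(&s))
            return *p;
        return std::nullopt;
    }
};

template<> struct EncodingTraits<double> {
    static Scalar encode(double d) { return d; }
    static std::optional<double> decode(const Scalar& s)
    {
        if (const double* p = std::get_if<double>(&s))
            return *p;
        return std::nullopt;
    }
};

template<> struct EncodingTraits<std::string> {
    static Scalar encode(const std::string& str) { return str; }
    static std::optional<std::string> decode(const Scalar& s)
    {
        if (const std::string* p = std::get_if<std::string>(&s))
            return *p;
        return std::nullopt;
    }
};

// JSON numbers are doubles, so integers round-trip through double. A recording
// that has been edited or crafted can carry 1e10 or 2.5 where an int32 was
// written; decode must reject those instead of silently truncating. Kept to
// 32-bit types, which a double represents exactly.
template<typename Int> struct IntegerEncodingTraits {
    static Scalar encode(Int v) { return static_cast<double>(v); }
    static std::optional<Int> decode(const Scalar& s)
    {
        const double* d = std::get_if<double>(&s);
        if (!d || !std::isfinite(*d) || std::floor(*d) != *d)
            return std::nullopt;
        if (*d < static_cast<double>(std::numeric_limits<Int>::min())
            || *d > static_cast<double>(std::numeric_limits<Int>::max()))
            return std::nullopt;
        return static_cast<Int>(*d);
    }
};
template<> struct EncodingTraits<int32_t> : IntegerEncodingTraits<int32_t> {};
template<> struct EncodingTraits<uint32_t> : IntegerEncodingTraits<uint32_t> {};

// Key/value container: put() encodes through the traits, get() decodes and
// reports a missing or ill-typed field as an empty optional.
class EncodedValue {
public:
    template<typename T> void put(const std::string& key, const T& value)
    {
        m_fields[key] = EncodingTraits<T>::encode(value);
    }
    template<typename T> std::optional<T> get(const std::string& key) const
    {
        auto it = m_fields.find(key);
        if (it == m_fields.end())
            return std::nullopt;
        return EncodingTraits<T>::decode(it->second);
    }
    // Stores a raw scalar, as a reader of an external JSON recording would.
    void putRaw(const std::string& key, Scalar scalar) { m_fields[key] = std::move(scalar); }
private:
    std::map<std::string, Scalar> m_fields;
};

struct RoundTripResult {
    bool fieldsRoundTrip;
    bool oversizedRejected;
    bool fractionalRejected;
    bool wrongTypeRejected;
};

// Encodes a constructed key-event input, decodes it back, then feeds in the
// kinds of values a tampered recording could contain.
RoundTripResult roundTripKeyEvent()
{
    EncodedValue input;
    input.put<int32_t>("keyCode", 65);
    input.put<bool>("shiftKey", true);
    input.put<std::string>("text", "A");

    RoundTripResult r{};
    r.fieldsRoundTrip = input.get<int32_t>("keyCode") == 65
        && input.get<bool>("shiftKey") == true
        && input.get<std::string>("text") == std::string("A");

    input.putRaw("keyCode", 4294967296.0);          // 2^32: does not fit int32
    r.oversizedRejected = !input.get<int32_t>("keyCode").has_value();
    input.putRaw("keyCode", 2.5);                   // not integral
    r.fractionalRejected = !input.get<int32_t>("keyCode").has_value();
    input.putRaw("shiftKey", std::string("true"));  // string where a bool was expected
    r.wrongTypeRejected = !input.get<bool>("shiftKey").has_value();
    return r;
}
```

Splitting the rules into traits keeps every type's range check in one place, so adding a new input member type means adding one specialization rather than touching each generated decode routine.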
2844 2014-02-11 Joseph Pecoraro <pecoraro@apple.com>
2845
2846 Add Availability Macros to new JSC APIs
2847 https://bugs.webkit.org/show_bug.cgi?id=128615
2848
2849 Reviewed by Mark Rowe.
2850
2851 * API/JSContext.h:
2852 * API/JSContextRef.h:
2853
2854 2014-02-11 Filip Pizlo <fpizlo@apple.com>
2855
2856 FTL should support CompareEq(ObjectOrOther:, Object:)
2857 https://bugs.webkit.org/show_bug.cgi?id=127752
2858
2859 Reviewed by Oliver Hunt.
2860
2861 Also introduce some helpers for reasoning about nullness and truthiness.
2862
2863 * ftl/FTLCapabilities.cpp:
2864 (JSC::FTL::canCompile):
2865 * ftl/FTLLowerDFGToLLVM.cpp:
2866 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
2867 (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
2868 (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
2869 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
2870 (JSC::FTL::LowerDFGToLLVM::isNotNully):
2871 (JSC::FTL::LowerDFGToLLVM::isNully):
2872 (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
2873 * tests/stress/compare-eq-object-or-other-to-object.js: Added.
2874 (foo):
2875 (test):
2876 * tests/stress/compare-eq-object-to-object-or-other.js: Added.
2877 (foo):
2878 (test):
2879
2880 2014-02-11 Mark Hahnenberg <mhahnenberg@apple.com>
2881
2882 32-bit LLInt writeBarrierOnGlobalObject is wrong
2883 https://bugs.webkit.org/show_bug.cgi?id=128556
2884
2885 Reviewed by Geoffrey Garen.
2886
2887 * llint/LowLevelInterpreter32_64.asm:
2888 * llint/LowLevelInterpreter64.asm: Also fixed the value check on 64-bit.
2889
2890 2014-02-11 Gabor Rapcsanyi <rgabor@webkit.org>
2891
2892 LLInt typo error after r139004.
2893 https://bugs.webkit.org/show_bug.cgi?id=128592
2894
2895 Reviewed by Michael Saboff.
2896
2897 * offlineasm/arm.rb: change immediate to register in the condition
2898
2899 2014-02-10 Filip Pizlo <fpizlo@apple.com>
2900
2901 LICM should gracefully handle unprofiled code
2902 https://bugs.webkit.org/show_bug.cgi?id=127848
2903
2904 Reviewed by Mark Hahnenberg.
2905
2906 * dfg/DFGLICMPhase.cpp:
2907 (JSC::DFG::LICMPhase::run):
2908
2909 2014-02-11 Mark Hahnenberg <mhahnenberg@apple.com>
2910
2911 Obj-C API: JSExport doesn't work for methods that contain protocols in their type signature
2912 https://bugs.webkit.org/show_bug.cgi?id=128540
2913
2914 Reviewed by Oliver Hunt.
2915
2916 The bug is in parseObjCType in ObjcRuntimeExtras.h. When we see an '@' in the
2917 type signature of a method, we assume that what follows the '@' is a class name,
2918 so we call objc_getClass, and if that returns nil then we give up on the method
2919 and don't export it.
2920
2921 This assumption doesn't work in the case of id<Protocol> because it's the name
2922 of the protocol that follows the '@', not the name of a class. We should have
2923 another fallback case for protocol names.
2924
2925 There's another case that also doesn't work, and that's the case of a named class
2926 with a specified prototype in a method signature (e.g. NSObject<MyProtocol>).
2927 There the substring of the type signature that represents the class is "NSObject<MyProtocol>",
2928 which will also cause objc_getClass to return nil.
2929
2930 * API/ObjcRuntimeExtras.h:
2931 (parseObjCType):
2932 * API/tests/DateTests.mm: Also fixed an issue I noticed where we don't use an autorelease pool
2933 for the DateTests.
2934 * API/tests/JSExportTests.h: Added.
2935 * API/tests/JSExportTests.mm: Added.
2936 (-[TruthTeller returnTrue]):
2937 (-[ExportMethodWithIdProtocol methodWithIdProtocol:]):
2938 (-[ExportMethodWithClassProtocol methodWithClassProtocol:]):
2939 (+[JSExportTests exportInstanceMethodWithIdProtocolTest]):
2940 (+[JSExportTests exportInstanceMethodWithClassProtocolTest]):
2941 (runJSExportTests):
2942 * API/tests/testapi.mm:
2943 * JavaScriptCore.xcodeproj/project.pbxproj:
2944
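The entry above explains the failure: after an '@' in a method type encoding the parser treats whatever follows as a class name, so `id<Protocol>` (where a protocol name follows) and `NSObject<MyProtocol>` (where the class substring carries a protocol list) both make the class lookup return nil and the method is silently left out of the export. The block below is an added example that is not the project's parseObjCType and not its actual fix: it assumes the extended encoding layout `@"Name"`, `@"<Proto>"` and `@"Name<Proto1><Proto2>"` (the form the entry's `NSObject<MyProtocol>` substring implies; a comma-separated list inside one pair of brackets is also accepted), and it replaces `objc_getClass`/`objc_getProtocol` with `std::function` lookups over a constructed set of known names so it runs without the Objective-C runtime. `ObjCObjectType`, `parseObjectType`, `exportableBeforeFix`, `exportableAfterFix` and `wouldExport` are names chosen for the example.

```cpp
#include <cstddef>
#include <functional>
#include <string>
#include <vector>

// One '@' object type from a method type encoding, split into the pieces that
// have to be looked up separately.
struct ObjCObjectType {
    std::string className;              // empty for a bare id or id<Protocol>
    std::vector<std::string> protocols; // names found inside <...>
};

// Stands in for objc_getClass / objc_getProtocol (assumption: we only need yes/no).
using NameLookup = std::function<bool(const std::string&)>;

static std::string trim(const std::string& s)
{
    size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos)
        return "";
    size_t e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

// Parses an object type starting at enc[pos] == '@'. Accepts the plain form
// ('@' alone, meaning id) and the quoted forms @"Name", @"<Proto>" and
// @"Name<Proto1><Proto2>" (assumed layout). On success pos is advanced past
// the type; returns false on a malformed encoding.
bool parseObjectType(const std::string& enc, size_t& pos, ObjCObjectType& out)
{
    out = ObjCObjectType();
    if (pos >= enc.size() || enc[pos] != '@')
        return false;
    ++pos;
    if (pos >= enc.size() || enc[pos] != '"')
        return true;                            // plain id: nothing to look up

    size_t close = enc.find('"', pos + 1);
    if (close == std::string::npos)
        return false;                           // unterminated name
    std::string quoted = enc.substr(pos + 1, close - pos - 1);
    pos = close + 1;

    size_t lt = quoted.find('<');
    out.className = trim(quoted.substr(0, lt)); // "" when the name starts with '<'
    while (lt != std::string::npos) {
        size_t gt = quoted.find('>', lt);
        if (gt == std::string::npos)
            return false;                       // unbalanced '<'
        std::string inner = quoted.substr(lt + 1, gt - lt - 1);
        size_t start = 0;
        while (start <= inner.size()) {
            size_t comma = inner.find(',', start);
            std::string name = trim(inner.substr(start,
                comma == std::string::npos ? std::string::npos : comma - start));
            if (!name.empty())
                out.protocols.push_back(name);
            if (comma == std::string::npos)
                break;
            start = comma + 1;
        }
        lt = quoted.find('<', gt);
    }
    return true;
}

// The pre-fix rule from the entry: the whole quoted name is handed to the class
// lookup, so "<MyProtocol>" and "NSObject<MyProtocol>" fail and the method is
// dropped from the export.
bool exportableBeforeFix(const std::string& enc, const NameLookup& classExists)
{
    size_t open = enc.find('"');
    if (open == std::string::npos)
        return true;                            // bare id
    size_t close = enc.find('"', open + 1);
    if (close == std::string::npos)
        return false;
    return classExists(enc.substr(open + 1, close - open - 1));
}

// One way to handle both cases the entry describes: check the class part (if
// any) as a class and every bracketed name as a protocol. Illustrative only.
bool exportableAfterFix(const ObjCObjectType& t, const NameLookup& classExists,
    const NameLookup& protocolExists)
{
    if (!t.className.empty() && !classExists(t.className))
        return false;
    for (const std::string& p : t.protocols) {
        if (!protocolExists(p))
            return false;
    }
    return true;
}

// Constructed stand-in for the runtime's registered classes and protocols.
static bool knownClass(const std::string& n) { return n == "NSObject" || n == "NSString"; }
static bool knownProtocol(const std::string& n) { return n == "MyProtocol"; }

// Whether a method whose argument has this encoding would be exported.
bool wouldExport(const std::string& enc, bool withFix)
{
    if (!withFix)
        return exportableBeforeFix(enc, knownClass);
    size_t pos = 0;
    ObjCObjectType t;
    if (!parseObjectType(enc, pos, t))
        return false;
    return exportableAfterFix(t, knownClass, knownProtocol);
}
```

Failing closed on an unknown name is the right default here: an exporter that guessed and exported a method with an unresolved type would hand script a selector whose argument types it cannot marshal.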
2945 2014-02-10 Michael Saboff <msaboff@apple.com>
2946
2947 Re-enable ARM Thumb2 disassembler
2948 https://bugs.webkit.org/show_bug.cgi?id=128577
2949
2950 Reviewed by Filip Pizlo.
2951
2952 Changed signature of tryToDisassemble() to match updates.
2953 Fixed typo in disassembler.
2954
2955 * disassembler/ARMv7/ARMv7DOpcode.cpp:
2956 * disassembler/ARMv7Disassembler.cpp:
2957 (JSC::tryToDisassemble):
2958
2959 2014-02-10 Mark Lam <mark.lam@apple.com>
2960
2961 Removing limitation on JSLock's lockDropDepth.
2962 <https://webkit.org/b/128570>
2963
2964 Reviewed by Geoffrey Garen.
2965
2966 Now that we've switched to using the C stack, we no longer need to limit
2967 the JSLock::lockDropDepth to 2.
2968
2969 For C loop builds which still use the separate JSStack, the JSLock will
2970 enforce ordering for re-grabbing the lock after dropping it. Re-grabbing
2971 must occur in the reverse order of the dropping of the locks.
2972
2973 Ordering is achieved by JSLock::dropAllLocks() stashing away the
2974 JSLock::m_lockDropDepth in its DropAllLocks instance's m_dropDepth
2975 before unlocking the lock. Subsequently, JSLock::grabAllLocks() will
2976 ensure that JSLock::m_lockDropDepth equals its DropAllLocks instance's
2977 m_dropDepth before allowing the lock to be re-grabbed. Otherwise, it
2978 will yield execution and retry again later.
2979
2980 Note: because JSLock::m_lockDropDepth is protected by the JSLock's
2981 mutex, grabAllLocks() will optimistically lock the JSLock before doing
2982 the check on m_lockDropDepth. If the check fails, it will unlock the
2983 JSLock, yield, and then relock it again later before retrying the check.
2984 This ensures that m_lockDropDepth remains under the protection of the
2985 JSLock's mutex.
2986
2987 * runtime/JSLock.cpp:
2988 (JSC::JSLock::dropAllLocks):
2989 (JSC::JSLock::grabAllLocks):
2990 (JSC::JSLock::DropAllLocks::DropAllLocks):
2991 (JSC::JSLock::DropAllLocks::~DropAllLocks):
2992 * runtime/JSLock.h:
2993 (JSC::JSLock::DropAllLocks::setDropDepth):
2994 (JSC::JSLock::DropAllLocks::dropDepth):
2995
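The entry above describes how re-grabbing is ordered: dropAllLocks() stashes the drop depth in its DropAllLocks instance, grabAllLocks() takes the mutex optimistically, compares the stashed depth with the current one under that mutex, and on mismatch releases, yields and retries. The block below is an added model of that protocol, not JavaScriptCore's JSLock: it keeps only the mutex and the depth counter (the real class also tracks a recursive lock count and the owning thread), exposes the single optimistic attempt as `tryGrabAllLocks` so the refusal can be observed without spinning, and drives two nested drops on one thread in `demonstrateReverseOrderRegrab`. The bump-then-stash order and the names `tryGrabAllLocks`, `OrderingOutcome` and `demonstrateReverseOrderRegrab` are assumptions made for the example. The security-relevant property it shows is that an earlier dropper cannot get the VM lock back while a later dropper is still out, so two callers never both believe they own the VM.

```cpp
#include <mutex>
#include <thread>

// Model of the drop/re-grab ordering described in the entry (not the real JSLock).
class JSLock {
public:
    // Stands in for JSLock::DropAllLocks: remembers the depth at which the
    // lock was dropped so the matching re-grab can be recognised.
    class DropAllLocks {
    public:
        void setDropDepth(unsigned depth) { m_dropDepth = depth; }
        unsigned dropDepth() const { return m_dropDepth; }
    private:
        unsigned m_dropDepth = 0;
    };

    void lock() { m_mutex.lock(); }
    void unlock() { m_mutex.unlock(); }
    unsigned lockDropDepth() const { return m_lockDropDepth; }

    // Must be called while holding the lock. The depth is bumped under the
    // mutex and stashed in the dropper before the mutex is released.
    void dropAllLocks(DropAllLocks& dropper)
    {
        ++m_lockDropDepth;
        dropper.setDropDepth(m_lockDropDepth);
        unlock();
    }

    // One optimistic attempt: take the mutex, then compare depths under it.
    // A dropper may only re-grab if it was the most recent one to drop, i.e.
    // its stashed depth equals the current depth. On mismatch the mutex is
    // released again and false is returned so the caller can yield and retry.
    bool tryGrabAllLocks(DropAllLocks& dropper)
    {
        lock();
        if (m_lockDropDepth != dropper.dropDepth()) {
            unlock();
            return false;
        }
        --m_lockDropDepth;
        return true;
    }

    // The retry loop the entry describes: yield between attempts.
    void grabAllLocks(DropAllLocks& dropper)
    {
        while (!tryGrabAllLocks(dropper))
            std::this_thread::yield();
    }

private:
    std::mutex m_mutex;
    unsigned m_lockDropDepth = 0;   // only read or written while m_mutex is held
};

struct OrderingOutcome {
    bool outerRefusedWhileInnerDropped;
    bool innerRegrabbed;
    bool outerRegrabbedAfterwards;
    unsigned finalDepth;
};

// Plays out two nested drops on one thread: the VM drops the lock to call out
// (outer), the callee re-enters the VM and drops again (inner). The earlier
// dropper must not get the lock back until the later one has.
OrderingOutcome demonstrateReverseOrderRegrab()
{
    JSLock jsLock;
    JSLock::DropAllLocks outer, inner;
    OrderingOutcome o{};

    jsLock.lock();               // thread is inside the VM
    jsLock.dropAllLocks(outer);  // depth 1, mutex released
    jsLock.lock();               // re-entered through a callback
    jsLock.dropAllLocks(inner);  // depth 2, mutex released

    o.outerRefusedWhileInnerDropped = !jsLock.tryGrabAllLocks(outer); // 1 != 2: refused
    o.innerRegrabbed = jsLock.tryGrabAllLocks(inner);                 // 2 == 2: depth -> 1
    jsLock.unlock();                                                  // callback returns
    o.outerRegrabbedAfterwards = jsLock.tryGrabAllLocks(outer);       // 1 == 1: depth -> 0
    o.finalDepth = jsLock.lockDropDepth();
    jsLock.unlock();
    return o;
}
```

With real threads the refused attempt would sit in `grabAllLocks` yielding until the inner dropper has re-grabbed and released; the single-thread walk-through above makes the same decision visible without a second thread.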
2996 2014-02-10 Filip Pizlo <fpizlo@apple.com>
2997
2998 FTL should support ToThis
2999 https://bugs.webkit.org/show_bug.cgi?id=127751
3000
3001 Reviewed by Oliver Hunt.
3002
3003 * ftl/FTLCapabilities.cpp:
3004 (JSC::FTL::canCompile):
3005 * ftl/FTLIntrinsicRepository.h:
3006 * ftl/FTLLowerDFGToLLVM.cpp:
3007 (JSC::FTL::LowerDFGToLLVM::compileNode):
3008 (JSC::FTL::LowerDFGToLLVM::compileToThis):
3009 * tests/stress/to-this-polymorphic.js: Added.
3010 (foo):
3011
3012 2014-02-10 Filip Pizlo <fpizlo@apple.com>
3013
3014 Rename Operations.h to JSCInlines.h
3015 https://bugs.webkit.org/show_bug.cgi?id=128543
3016
3017 Rubber stamped by Geoffrey Garen.
3018
3019 Well, what this actually does is it splits Operations.h into a real Operations.h that
3020 actually contains "operations", and JSCInlines.h, which serves the role of being an
3021 inlines umbrella.
3022
3023 * API/JSBase.cpp:
3024 * API/JSCTestRunnerUtils.cpp:
3025 * API/JSCallbackConstructor.cpp:
3026 * API/JSCallbackFunction.cpp:
3027 * API/JSCallbackObject.cpp:
3028 * API/JSClassRef.cpp:
3029 * API/JSContext.mm:
3030 * API/JSContextRef.cpp:
3031 * API/JSManagedValue.mm:
3032 * API/JSObjectRef.cpp:
3033 * API/JSScriptRef.cpp:
3034 * API/JSValue.mm:
3035 * API/JSValueRef.cpp:
3036 * API/JSWeakObjectMapRefPrivate.cpp:
3037 * API/JSWrapperMap.mm:
3038 * GNUmakefile.list.am:
3039 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3040 * JavaScriptCore.xcodeproj/project.pbxproj:
3041 * assembler/LinkBuffer.cpp:
3042 * bindings/ScriptFunctionCall.cpp:
3043 * bindings/ScriptObject.cpp:
3044 * bytecode/ArrayAllocationProfile.cpp:
3045 * bytecode/ArrayProfile.cpp:
3046 * bytecode/BytecodeBasicBlock.cpp:
3047 * bytecode/CallLinkInfo.cpp:
3048 * bytecode/CallLinkStatus.cpp:
3049 * bytecode/CodeBlock.cpp:
3050 * bytecode/CodeBlockJettisoningWatchpoint.cpp:
3051 * bytecode/CodeOrigin.cpp:
3052 * bytecode/ExecutionCounter.cpp:
3053 * bytecode/GetByIdStatus.cpp:
3054 * bytecode/LazyOperandValueProfile.cpp:
3055 * bytecode/MethodOfGettingAValueProfile.cpp:
3056 * bytecode/PreciseJumpTargets.cpp:
3057 * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
3058 * bytecode/PutByIdStatus.cpp:
3059 * bytecode/SamplingTool.cpp:
3060 * bytecode/SpecialPointer.cpp:
3061 * bytecode/SpeculatedType.cpp:
3062 * bytecode/StructureStubClearingWatchpoint.cpp:
3063 * bytecode/UnlinkedCodeBlock.cpp:
3064 * bytecode/ValueRecovery.cpp:
3065 * bytecompiler/BytecodeGenerator.cpp:
3066 * bytecompiler/NodesCodegen.cpp:
3067 * debugger/Debugger.cpp:
3068 * debugger/DebuggerActivation.cpp:
3069 * debugger/DebuggerCallFrame.cpp:
3070 * dfg/DFGAbstractHeap.cpp:
3071 * dfg/DFGAbstractValue.cpp:
3072 * dfg/DFGArgumentsSimplificationPhase.cpp:
3073 * dfg/DFGArithMode.cpp:
3074 * dfg/DFGArrayMode.cpp:
3075 * dfg/DFGAtTailAbstractState.cpp:
3076 * dfg/DFGAvailability.cpp:
3077 * dfg/DFGBackwardsPropagationPhase.cpp:
3078 * dfg/DFGBasicBlock.cpp:
3079 * dfg/DFGBinarySwitch.cpp:
3080 * dfg/DFGBlockInsertionSet.cpp:
3081 * dfg/DFGByteCodeParser.cpp:
3082 * dfg/DFGCFAPhase.cpp:
3083 * dfg/DFGCFGSimplificationPhase.cpp:
3084 * dfg/DFGCPSRethreadingPhase.cpp:
3085 * dfg/DFGCSEPhase.cpp:
3086 * dfg/DFGCapabilities.cpp:
3087 * dfg/DFGClobberSet.cpp:
3088 * dfg/DFGClobberize.cpp:
3089 * dfg/DFGCommon.cpp:
3090 * dfg/DFGCommonData.cpp:
3091 * dfg/DFGCompilationKey.cpp:
3092 * dfg/DFGCompilationMode.cpp:
3093 * dfg/DFGConstantFoldingPhase.cpp:
3094 * dfg/DFGCriticalEdgeBreakingPhase.cpp:
3095 * dfg/DFGDCEPhase.cpp:
3096 * dfg/DFGDesiredIdentifiers.cpp:
3097 * dfg/DFGDesiredStructureChains.cpp:
3098 * dfg/DFGDesiredTransitions.cpp:
3099 * dfg/DFGDesiredWatchpoints.cpp:
3100 * dfg/DFGDesiredWeakReferences.cpp:
3101 * dfg/DFGDesiredWriteBarriers.cpp:
3102 * dfg/DFGDisassembler.cpp:
3103 * dfg/DFGDominators.cpp:
3104 * dfg/DFGDriver.cpp:
3105 * dfg/DFGEdge.cpp:
3106 * dfg/DFGFailedFinalizer.cpp:
3107 * dfg/DFGFinalizer.cpp:
3108 * dfg/DFGFixupPhase.cpp:
3109 * dfg/DFGFlushFormat.cpp:
3110 * dfg/DFGFlushLivenessAnalysisPhase.cpp:
3111 * dfg/DFGFlushedAt.cpp:
3112 * dfg/DFGGraph.cpp:
3113 * dfg/DFGGraphSafepoint.cpp:
3114 * dfg/DFGInPlaceAbstractState.cpp:
3115 * dfg/DFGInvalidationPointInjectionPhase.cpp:
3116 * dfg/DFGJITCode.cpp:
3117 * dfg/DFGJITCompiler.cpp:
3118 * dfg/DFGJITFinalizer.cpp:
3119 * dfg/DFGJumpReplacement.cpp:
3120 * dfg/DFGLICMPhase.cpp:
3121 * dfg/DFGLazyJSValue.cpp:
3122 * dfg/DFGLivenessAnalysisPhase.cpp:
3123 * dfg/DFGLongLivedState.cpp:
3124 * dfg/DFGLoopPreHeaderCreationPhase.cpp:
3125 * dfg/DFGMinifiedNode.cpp:
3126 * dfg/DFGNaturalLoops.cpp:
3127 * dfg/DFGNode.cpp:
3128 * dfg/DFGNodeFlags.cpp:
3129 * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3130 * dfg/DFGOSREntry.cpp:
3131 * dfg/DFGOSREntrypointCreationPhase.cpp:
3132 * dfg/DFGOSRExit.cpp:
3133 * dfg/DFGOSRExitBase.cpp:
3134 * dfg/DFGOSRExitCompiler.cpp:
3135 * dfg/DFGOSRExitCompiler32_64.cpp:
3136 * dfg/DFGOSRExitCompiler64.cpp:
3137 * dfg/DFGOSRExitCompilerCommon.cpp:
3138 * dfg/DFGOSRExitJumpPlaceholder.cpp:
3139 * dfg/DFGOSRExitPreparation.cpp:
3140 * dfg/DFGOperations.cpp:
3141 * dfg/DFGPhase.cpp:
3142 * dfg/DFGPlan.cpp:
3143 * dfg/DFGPredictionInjectionPhase.cpp:
3144 * dfg/DFGPredictionPropagationPhase.cpp:
3145 * dfg/DFGResurrectionForValidationPhase.cpp:
3146 * dfg/DFGSSAConversionPhase.cpp:
3147 * dfg/DFGSSALoweringPhase.cpp:
3148 * dfg/DFGSafepoint.cpp:
3149 * dfg/DFGSpeculativeJIT.cpp:
3150 * dfg/DFGSpeculativeJIT32_64.cpp:
3151 * dfg/DFGSpeculativeJIT64.cpp:
3152 * dfg/DFGStackLayoutPhase.cpp:
3153 * dfg/DFGStoreBarrierElisionPhase.cpp:
3154 * dfg/DFGStrengthReductionPhase.cpp:
3155 * dfg/DFGThreadData.cpp:
3156 * dfg/DFGThunks.cpp:
3157 * dfg/DFGTierUpCheckInjectionPhase.cpp:
3158 * dfg/DFGToFTLDeferredCompilationCallback.cpp:
3159 * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
3160 * dfg/DFGTypeCheckHoistingPhase.cpp:
3161 * dfg/DFGUnificationPhase.cpp:
3162 * dfg/DFGUseKind.cpp:
3163 * dfg/DFGValidate.cpp:
3164 * dfg/DFGValueSource.cpp:
3165 * dfg/DFGVariableAccessDataDump.cpp:
3166 * dfg/DFGVariableEvent.cpp:
3167 * dfg/DFGVariableEventStream.cpp:
3168 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
3169 * dfg/DFGWatchpointCollectionPhase.cpp:
3170 * dfg/DFGWorklist.cpp:
3171 * ftl/FTLAbstractHeap.cpp:
3172 * ftl/FTLAbstractHeapRepository.cpp:
3173 * ftl/FTLExitValue.cpp:
3174 * ftl/FTLLink.cpp:
3175 * ftl/FTLLowerDFGToLLVM.cpp:
3176 * ftl/FTLOSREntry.cpp:
3177 * ftl/FTLOSRExit.cpp:
3178 * ftl/FTLOSRExitCompiler.cpp:
3179 * ftl/FTLSlowPathCall.cpp:
3180 * heap/BlockAllocator.cpp:
3181 * heap/CodeBlockSet.cpp:
3182 * heap/ConservativeRoots.cpp:
3183 * heap/CopiedSpace.cpp:
3184 * heap/CopyVisitor.cpp:
3185 * heap/DeferGC.cpp:
3186 * heap/GCThread.cpp:
3187 * heap/GCThreadSharedData.cpp:
3188 * heap/HandleSet.cpp:
3189 * heap/HandleStack.cpp:
3190 * heap/Heap.cpp:
3191 * heap/HeapStatistics.cpp:
3192 * heap/HeapTimer.cpp:
3193 * heap/IncrementalSweeper.cpp:
3194 * heap/JITStubRoutineSet.cpp:
3195 * heap/MachineStackMarker.cpp:
3196 * heap/MarkStack.cpp:
3197 * heap/MarkedAllocator.cpp:
3198 * heap/MarkedBlock.cpp:
3199 * heap/MarkedSpace.cpp:
3200 * heap/SlotVisitor.cpp:
3201 * heap/SuperRegion.cpp:
3202 * heap/Weak.cpp:
3203 * heap/WeakBlock.cpp:
3204 * heap/WeakHandleOwner.cpp:
3205 * heap/WeakSet.cpp:
3206 * heap/WriteBarrierBuffer.cpp:
3207 * heap/WriteBarrierSupport.cpp:
3208 * inspector/InjectedScript.cpp:
3209 * inspector/InjectedScriptBase.cpp:
3210 * inspector/JSGlobalObjectScriptDebugServer.cpp:
3211 * inspector/JSInjectedScriptHost.cpp:
3212 * inspector/ScriptArguments.cpp:
3213 * inspector/ScriptCallStackFactory.cpp:
3214 * interpreter/AbstractPC.cpp:
3215 * interpreter/CallFrame.cpp:
3216 * interpreter/Interpreter.cpp:
3217 * interpreter/JSStack.cpp:
3218 * interpreter/ProtoCallFrame.cpp:
3219 * interpreter/StackVisitor.cpp:
3220 * interpreter/VMInspector.cpp:
3221 * jit/ArityCheckFailReturnThunks.cpp:
3222 * jit/AssemblyHelpers.cpp:
3223 * jit/ClosureCallStubRoutine.cpp:
3224 * jit/ExecutableAllocator.cpp:
3225 * jit/ExecutableAllocatorFixedVMPool.cpp:
3226 * jit/GCAwareJITStubRoutine.cpp:
3227 * jit/HostCallReturnValue.cpp:
3228 * jit/JIT.cpp:
3229 * jit/JITArithmetic.cpp:
3230 * jit/JITArithmetic32_64.cpp:
3231 * jit/JITCall.cpp:
3232 * jit/JITCall32_64.cpp:
3233 * jit/JITCode.cpp:
3234 * jit/JITDisassembler.cpp:
3235 * jit/JITExceptions.cpp:
3236 * jit/JITInlineCacheGenerator.cpp:
3237 * jit/JITInlines.h:
3238 * jit/JITOperations.cpp:
3239 * jit/JITOperationsMSVC64.cpp:
3240 * jit/JITStubRoutine.cpp:
3241 * jit/JITStubs.cpp:
3242 * jit/JITThunks.cpp:
3243 * jit/JITToDFGDeferredCompilationCallback.cpp:
3244 * jit/RegisterPreservationWrapperGenerator.cpp:
3245 * jit/RegisterSet.cpp:
3246 * jit/Repatch.cpp:
3247 * jit/TempRegisterSet.cpp:
3248 * jit/ThunkGenerators.cpp:
3249 * jsc.cpp:
3250 * llint/LLIntExceptions.cpp:
3251 * llint/LLIntSlowPaths.cpp:
3252 * llint/LowLevelInterpreter.cpp:
3253 * parser/Lexer.cpp:
3254 * parser/Nodes.cpp:
3255 * parser/Parser.cpp:
3256 * parser/ParserArena.cpp:
3257 * parser/SourceCode.cpp:
3258 * parser/SourceProvider.cpp:
3259 * parser/SourceProviderCache.cpp:
3260 * profiler/LegacyProfiler.cpp:
3261 * profiler/ProfileGenerator.cpp:
3262 * profiler/ProfilerBytecode.cpp:
3263 * profiler/ProfilerBytecodeSequence.cpp:
3264 * profiler/ProfilerBytecodes.cpp:
3265 * profiler/ProfilerCompilation.cpp:
3266 * profiler/ProfilerCompiledBytecode.cpp:
3267 * profiler/ProfilerDatabase.cpp:
3268 * profiler/ProfilerOSRExit.cpp:
3269 * profiler/ProfilerOSRExitSite.cpp:
3270 * profiler/ProfilerOrigin.cpp:
3271 * profiler/ProfilerOriginStack.cpp:
3272 * profiler/ProfilerProfiledBytecodes.cpp:
3273 * runtime/ArgList.cpp:
3274 * runtime/Arguments.cpp:
3275 * runtime/ArgumentsIteratorPrototype.cpp:
3276 * runtime/ArrayBuffer.cpp:
3277 * runtime/ArrayBufferNeuteringWatchpoint.cpp:
3278 * runtime/ArrayConstructor.cpp:
3279 * runtime/ArrayPrototype.cpp:
3280 * runtime/BooleanConstructor.cpp:
3281 * runtime/BooleanObject.cpp:
3282 * runtime/BooleanPrototype.cpp:
3283 * runtime/CallData.cpp:
3284 * runtime/CodeCache.cpp:
3285 * runtime/CommonSlowPaths.cpp:
3286 * runtime/CommonSlowPathsExceptions.cpp:
3287 * runtime/Completion.cpp:
3288 * runtime/ConstructData.cpp:
3289 * runtime/DateConstructor.cpp:
3290 * runtime/DateInstance.cpp:
3291 * runtime/DatePrototype.cpp:
3292 * runtime/Error.cpp:
3293 * runtime/ErrorConstructor.cpp:
3294 * runtime/ErrorInstance.cpp:
3295 * runtime/ErrorPrototype.cpp:
3296 * runtime/ExceptionHelpers.cpp:
3297 * runtime/Executable.cpp:
3298 * runtime/FunctionConstructor.cpp:
3299 * runtime/FunctionPrototype.cpp:
3300 * runtime/GetterSetter.cpp:
3301 * runtime/Identifier.cpp:
3302 * runtime/IntendedStructureChain.cpp:
3303 * runtime/InternalFunction.cpp:
3304 * runtime/JSActivation.cpp:
3305 * runtime/JSArgumentsIterator.cpp:
3306 * runtime/JSArray.cpp:
3307 * runtime/JSArrayBuffer.cpp:
3308 * runtime/JSArrayBufferConstructor.cpp:
3309 * runtime/JSArrayBufferPrototype.cpp:
3310 * runtime/JSArrayBufferView.cpp:
3311 * runtime/JSBoundFunction.cpp:
3312 * runtime/JSCInlines.h: Copied from Source/JavaScriptCore/runtime/Operations.h.
3313 * runtime/JSCell.cpp:
3314 * runtime/JSDataView.cpp:
3315 * runtime/JSDataViewPrototype.cpp:
3316 * runtime/JSDateMath.cpp:
3317 * runtime/JSFunction.cpp:
3318 * runtime/JSGlobalObject.cpp:
3319 * runtime/JSGlobalObjectFunctions.cpp:
3320 * runtime/JSLock.cpp:
3321 * runtime/JSNameScope.cpp:
3322 * runtime/JSNotAnObject.cpp:
3323 * runtime/JSONObject.cpp:
3324 * runtime/JSObject.cpp:
3325 * runtime/JSPropertyNameIterator.cpp:
3326 * runtime/JSPropertyNameIterator.h:
3327 * runtime/JSProxy.cpp:
3328 * runtime/JSScope.cpp:
3329 * runtime/JSSegmentedVariableObject.cpp:
3330 * runtime/JSString.cpp:
3331 * runtime/JSStringJoiner.cpp:
3332 * runtime/JSSymbolTableObject.cpp:
3333 * runtime/JSTypedArrayConstructors.cpp:
3334 * runtime/JSTypedArrayPrototypes.cpp:
3335 * runtime/JSTypedArrays.cpp:
3336 * runtime/JSVariableObject.cpp:
3337 * runtime/JSWithScope.cpp:
3338 * runtime/JSWrapperObject.cpp:
3339 * runtime/LiteralParser.cpp:
3340 * runtime/Lookup.cpp:
3341 * runtime/MathObject.cpp:
3342 * runtime/NameConstructor.cpp:
3343 * runtime/NameInstance.cpp:
3344 * runtime/NamePrototype.cpp:
3345 * runtime/NativeErrorConstructor.cpp:
3346 * runtime/NativeErrorPrototype.cpp:
3347 * runtime/NumberConstructor.cpp:
3348 * runtime/NumberObject.cpp:
3349 * runtime/NumberPrototype.cpp:
3350 * runtime/ObjectConstructor.cpp:
3351 * runtime/ObjectPrototype.cpp:
3352 * runtime/Operations.cpp:
3353 * runtime/Operations.h:
3354 * runtime/PropertyDescriptor.cpp:
3355 * runtime/PrototypeMap.cpp:
3356 * runtime/RegExp.cpp:
3357 * runtime/RegExpCache.cpp:
3358 * runtime/RegExpCachedResult.cpp:
3359 * runtime/RegExpConstructor.cpp:
3360 * runtime/RegExpMatchesArray.cpp:
3361 * runtime/RegExpObject.cpp:
3362 * runtime/RegExpPrototype.cpp:
3363 * runtime/SimpleTypedArrayController.cpp:
3364 * runtime/SmallStrings.cpp:
3365 * runtime/SparseArrayValueMap.cpp:
3366 * runtime/StrictEvalActivation.cpp:
3367 * runtime/StringConstructor.cpp:
3368 * runtime/StringObject.cpp:
3369 * runtime/StringPrototype.cpp:
3370 * runtime/StringRecursionChecker.cpp:
3371 * runtime/Structure.cpp:
3372 * runtime/StructureChain.cpp:
3373 * runtime/StructureRareData.cpp:
3374 * runtime/SymbolTable.cpp:
3375 * runtime/TestRunnerUtils.cpp:
3376 * runtime/VM.cpp:
3377 * testRegExp.cpp:
3378
3379 2014-02-10 Matthew Mirman <mmirman@apple.com>
3380
3381 Removes the inline assert from SpeculativeJIT's ReallocatePropertyStorage
3382 https://bugs.webkit.org/show_bug.cgi?id=128566
3383
3384 Reviewed by Filip Pizlo.
3385
3386 * dfg/DFGSpeculativeJIT.cpp:
3387 (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3388
3389 2014-02-10 Filip Pizlo <fpizlo@apple.com>
3390
3391 Rename getRecordMap to computeRecordMap.
3392
3393 Rubber stamped by Michael Saboff.
3394
3395 "get" is such a weird prefix. It implies a getter. We don't prefix our getters with
3396 anything in WebKit. Also, this isn't a getter. It actually does work to transform
3397 the stackmaps into a hashmap. So, computeRecordMap is a much better name.
3398
3399 * ftl/FTLCompile.cpp:
3400 (JSC::FTL::compile):
3401 * ftl/FTLJITFinalizer.cpp:
3402 (JSC::FTL::JITFinalizer::finalizeFunction):
3403 * ftl/FTLStackMaps.cpp:
3404 (JSC::FTL::StackMaps::computeRecordMap):
3405 * ftl/FTLStackMaps.h:
3406
3407 2014-02-10 Matthew Mirman <mmirman@apple.com>
3408
3409 ReallocatePropertyStorage in FTL
3410 https://bugs.webkit.org/show_bug.cgi?id=128352
3411
3412 Reviewed by Filip Pizlo.
3413
3414 * ftl/FTLCapabilities.cpp:
3415 (JSC::FTL::canCompile):
3416 * ftl/FTLIntrinsicRepository.h:
3417 * ftl/FTLLowerDFGToLLVM.cpp:
3418 (JSC::FTL::LowerDFGToLLVM::compileNode):
3419 (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
3420 * tests/stress/ftl-reallocatepropertystorage.js: Added.
3421 (foo):
3422
3423 2014-02-10 Michael Saboff <msaboff@apple.com>
3424
3425 Fail FTL compilation if the required stack is too big
3426 https://bugs.webkit.org/show_bug.cgi?id=128560
3427
3428 Reviewed by Filip Pizlo.
3429
3430 Added StackSize struct to FTLStackMaps and populated it. Added and updated
3431 related dump functions. Use the stack size found at the end of the compilation
3432 to compare against the value of a new option, llvmMaxStackSize. We fail the
3433 compile if the function's stack size is greater than llvmMaxStackSize.
3434
3435 * dfg/DFGPlan.cpp:
3436 (JSC::DFG::Plan::compileInThreadImpl):
3437 * ftl/FTLStackMaps.cpp:
3438 (JSC::FTL::StackMaps::StackSize::parse):
3439 (JSC::FTL::StackMaps::StackSize::dump):
3440 (JSC::FTL::StackMaps::parse):
3441 (JSC::FTL::StackMaps::dump):
3442 (JSC::FTL::StackMaps::dumpMultiline):
3443 (JSC::FTL::StackMaps::getStackSize):
3444 * ftl/FTLStackMaps.h:
3445 * runtime/Options.h:
3446
3447 2014-02-10 Mark Lam <mark.lam@apple.com>
3448
3449 Change JSLock::dropAllLocks() and friends to use lock() and unlock().
3450 <https://webkit.org/b/128451>
3451
3452 Reviewed by Geoffrey Garen.
3453
3454 Currently, JSLock's dropAllLocks(), dropAllLocksUnconditionally(), and
3455 grabAllLocks() implement locking / unlocking by duplicating the code from
3456 lock() and unlock(). Instead, they should just call lock() and unlock().
3457
3458 * runtime/JSLock.cpp:
3459 (JSC::JSLock::lock):
3460 (JSC::JSLock::unlock):
3461 - Modified lock() and unlock() into a version that takes an entry count
3462 to lock / unlock. The previous lock() and unlock() now call these
3463 new versions with an entry count of 1.
3464
3465 (JSC::JSLock::dropAllLocks):
3466 (JSC::JSLock::dropAllLocksUnconditionally):
3467 (JSC::JSLock::grabAllLocks):
3468 - Delegate to unlock() and lock() instead of duplicating the lock / unlock
3469 code.
3470 - There are some differences with calling lock() instead of duplicating its
3471 code in grabAllLocks(), i.e. lock() does the following additional work:
3472
3473 1. lock() does a re-entry check that is not needed by grabAllLocks().
3474 However, this is effectively a no-op since we never own the JSLock
3475 before calling grabAllLocks().
3476
3477 2. set VM stackPointerAtVMEntry.
3478 3. update VM stackLimit and reservedZoneSize.
3479 4. set VM lastStackTop.
3480 These 3 steps are just busy work which are also effectively no-ops
3481 because immediately after lock() returns, grabAllLocks() will write
3482 over those values with their saved versions in the threadData.
3483
3484 * runtime/JSLock.h:
3485
3486 2014-02-10 Anders Carlsson <andersca@apple.com>
3487
3488 Try to fix the Windows build.
3489
3490 * heap/UnconditionalFinalizer.h:
3491 * runtime/SymbolTable.h:
3492
3493 2014-02-10 Andreas Kling <akling@apple.com>
3494
3495 Make the Identifier::add() family return PassRef<StringImpl>.
3496 <https://webkit.org/b/128542>
3497
3498 This knocks one branch off of creating an Identifier from another
3499 string source.
3500
3501 Reviewed by Oliver Hunt.
3502
3503 * runtime/Identifier.cpp:
3504 (JSC::Identifier::add):
3505 (JSC::Identifier::add8):
3506 (JSC::Identifier::addSlowCase):
3507 * runtime/Identifier.h:
3508 (JSC::Identifier::add):
3509 * runtime/Lookup.cpp:
3510 (JSC::HashTable::createTable):
3511
3512 2014-02-09 Mark Lam <mark.lam@apple.com>
3513
3514 Remove unnecessary spinLock in JSLock.
3515 <https://webkit.org/b/128450>
3516
3517 Reviewed by Filip Pizlo.
3518
3519 The JSLock's mutex already provides protection for write access to
3520 JSLock's internal state. The only JSLock state that needs to be read
3521 from any thread including threads that don't own the JSLock is
3522 m_ownerThread, which is used in currentThreadIsHoldingLock() to do an
3523 ownership test on the lock.
3524
3525 It is safe for other threads to read from m_ownerThread because they
3526 only need to know whether its value matches their own thread id
3527 (provided by WTF::currentThread()).
3528
3529 Here are the scenarios for how the ownership test can go:
3530
3531 1. The JSLock has just been initialized and is not owned by any thread.
3532
3533 In this case, m_ownerThread will be 0 and will not match any thread's
3534 thread id. The checking thread will know that it needs to lock the
3535 JSLock before using the VM.
3536
3537 2. The JSLock was previously locked, but now is unlocked.
3538
3539 When we unlock it in JSLock::unlock(), the owner thread clears
3540 m_ownerThread to 0. Hence, this case is the same as (1) above.
3541
3542 3. The JSLock is locked by Thread A. Thread B is checking ownership.
3543
3544 In this case, m_ownerThread will contain Thread A's thread id.
3545 Thread B will see that the thread id does not match its own and will
3546 proceed to block on the JSLock's mutex to wait for its turn to use
3547 the VM.
3548
3549 With Weak Memory Ordering architectures, Thread A's thread id may
3550 not get written out to memory before Thread B inspects m_ownerThread.
3551 However, though Thread B may not see Thread A's thread id in
3552 m_ownerThread, it will see 0 which is the last value written to it
3553 before the JSLock mutex was unlocked. The mutex unlock would have
3554 executed a memory fence which would have flushed the 0 to
3555 m_ownerThread in memory. Hence, Thread B will know that it does not
3556 own the lock.
3557
3558 Apart from removing the unneeded spin lock code, I also changed the
3559 JSLock code to use currentThreadIsHoldingLock() and setOwnerThread()
3560 instead of accessing m_ownerThread directly.
3561
3562 * runtime/JSLock.cpp:
3563 (JSC::JSLock::JSLock):
3564
3565 (JSC::JSLock::lock):
3566 - Removed spinLock but left the indentation as is to keep the diff to a
3567 minimum for better readability. Will unindent in a subsequent patch.
3568
3569 (JSC::JSLock::unlock):
3570 - Before unlocking the mutex, clear m_ownerThread to indicate that the
3571 lock is no longer owned.
3572
3573 (JSC::JSLock::currentThreadIsHoldingLock):
3574 - Removed the check of m_lockCount for determining ownership. Checking
3575 m_ownerThread is sufficient.
3576
3577 (JSC::JSLock::dropAllLocks):
3578 (JSC::JSLock::dropAllLocksUnconditionally):
3579 - Renamed local locksToDrop to the better name droppedLockCount.
3580 - Clear m_ownerThread since we're unlocking the JSLock.
3581
3582 (JSC::JSLock::grabAllLocks):
3583 - Removed unneeded lock ownership test for lock re-entry case because
3584 grabAllLocks() is never used to re-enter a locked JSLock.
3585
3586 (JSC::JSLock::DropAllLocks::DropAllLocks):
3587 (JSC::JSLock::DropAllLocks::~DropAllLocks):
3588
3589 * runtime/JSLock.h:
3590 (JSC::JSLock::setOwnerThread):
3591
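A model of the JSLock behaviour described in this entry and in the dropAllLocks()/grabAllLocks() entry above, added here as example code (not JavaScriptCore's own). Method names follow the ChangeLog; the ModelJSLock class layout and the scenario helpers are assumptions, and the owner id is kept in a std::atomic so the read by a non-owning thread is well-defined C++ rather than relying on the mutex fence alone.

```cpp
// Added example modelled on the JSLock ChangeLog entries; not JavaScriptCore code.
#include <atomic>
#include <cstdio>
#include <mutex>
#include <thread>

class ModelJSLock {
public:
    // The only field read by threads that do NOT hold the mutex. The ChangeLog
    // relies on the mutex unlock fence for visibility; the model uses an atomic
    // (assumption) so the same reasoning is free of data races in C++.
    bool currentThreadIsHoldingLock() const
    {
        return m_ownerThread.load(std::memory_order_acquire) == std::this_thread::get_id();
    }

    // lock(entryCount): re-entry check first; only the first entry takes the mutex.
    void lock(unsigned lockCount = 1)
    {
        if (currentThreadIsHoldingLock()) {
            m_lockCount += lockCount;
            return;
        }
        m_mutex.lock();
        setOwnerThread(std::this_thread::get_id());
        m_lockCount = lockCount;
    }

    // unlock(unlockCount): clear the owner BEFORE releasing the mutex, so a
    // checking thread never observes a stale owner id behind an unlocked mutex.
    void unlock(unsigned unlockCount = 1)
    {
        if (!currentThreadIsHoldingLock() || unlockCount > m_lockCount)
            return; // not ours or over-unlocked; a real implementation would assert
        m_lockCount -= unlockCount;
        if (!m_lockCount) {
            setOwnerThread(std::thread::id());
            m_mutex.unlock();
        }
    }

    // Give up every entry at once and report how many were held (droppedLockCount),
    // delegating to unlock() instead of duplicating its code.
    unsigned dropAllLocks()
    {
        if (!currentThreadIsHoldingLock())
            return 0;
        unsigned droppedLockCount = m_lockCount;
        unlock(droppedLockCount);
        return droppedLockCount;
    }

    // Re-acquire with the saved count via lock(). The caller never owns the lock
    // here, so lock()'s re-entry check is the no-op the ChangeLog describes.
    void grabAllLocks(unsigned droppedLockCount)
    {
        if (droppedLockCount)
            lock(droppedLockCount);
    }

    unsigned lockCount() const { return m_lockCount; }

private:
    void setOwnerThread(std::thread::id id) { m_ownerThread.store(id, std::memory_order_release); }

    std::mutex m_mutex;
    std::atomic<std::thread::id> m_ownerThread { std::thread::id() };
    unsigned m_lockCount { 0 };
};

// Scenario (1) from the entry: a freshly initialised lock is owned by no thread.
bool freshLockIsUnowned()
{
    ModelJSLock lock;
    return !lock.currentThreadIsHoldingLock();
}

struct OwnershipTrace {
    bool heldAfterReentry, heldAfterDrop, heldAfterGrab, heldAfterFullUnlock;
    unsigned countAfterReentry, dropped, countAfterGrab;
};

// One thread: lock -> lock -> dropAllLocks -> grabAllLocks -> unlock -> unlock.
OwnershipTrace runReentrancyScenario()
{
    ModelJSLock lock;
    OwnershipTrace t {};
    lock.lock();
    lock.lock();
    t.heldAfterReentry = lock.currentThreadIsHoldingLock();
    t.countAfterReentry = lock.lockCount();
    t.dropped = lock.dropAllLocks();
    t.heldAfterDrop = lock.currentThreadIsHoldingLock();
    lock.grabAllLocks(t.dropped);
    t.heldAfterGrab = lock.currentThreadIsHoldingLock();
    t.countAfterGrab = lock.lockCount();
    lock.unlock();
    lock.unlock();
    t.heldAfterFullUnlock = lock.currentThreadIsHoldingLock();
    return t;
}

int main()
{
    // Scenario (3): Thread A holds the lock; Thread B's ownership test must fail.
    ModelJSLock lock;
    lock.lock();
    bool otherThreadSawOwnership = true;
    std::thread b([&] { otherThreadSawOwnership = lock.currentThreadIsHoldingLock(); });
    b.join();
    lock.unlock();
    OwnershipTrace t = runReentrancyScenario();
    std::printf("other thread sees ownership: %s; dropped %u entries; held after grab: %s\n",
        otherThreadSawOwnership ? "yes" : "no", t.dropped, t.heldAfterGrab ? "yes" : "no");
    return 0;
}
```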
3592 2014-02-10 Filip Pizlo <fpizlo@apple.com>
3593
3594 Unreviewed, roll out http://trac.webkit.org/changeset/163796
3595
3596 The change was not justified in any way and it has a net negative effect on the code.
3597
3598 * dfg/DFGAbstractInterpreter.h:
3599 * dfg/DFGAbstractValue.h:
3600 * dfg/DFGAdjacencyList.h:
3601 * dfg/DFGArgumentPosition.h:
3602 * dfg/DFGArgumentsSimplificationPhase.cpp:
3603 * dfg/DFGArrayMode.cpp:
3604 * dfg/DFGArrayifySlowPathGenerator.h:
3605 * dfg/DFGAtTailAbstractState.h:
3606 * dfg/DFGAvailability.h:
3607 * dfg/DFGBackwardsPropagationPhase.cpp:
3608 * dfg/DFGBasicBlock.h:
3609 * dfg/DFGBasicBlockInlines.h:
3610 * dfg/DFGByteCodeParser.cpp:
3611 * dfg/DFGCFAPhase.cpp:
3612 * dfg/DFGCFGSimplificationPhase.cpp:
3613 * dfg/DFGCPSRethreadingPhase.cpp:
3614 * dfg/DFGCSEPhase.cpp:
3615 * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
3616 * dfg/DFGCapabilities.cpp:
3617 * dfg/DFGCapabilities.h:
3618 * dfg/DFGClobberize.h:
3619 * dfg/DFGCommonData.cpp:
3620 * dfg/DFGConstantFoldingPhase.cpp:
3621 * dfg/DFGCriticalEdgeBreakingPhase.cpp:
3622 * dfg/DFGDCEPhase.cpp:
3623 * dfg/DFGDominators.h:
3624 * dfg/DFGDriver.cpp:
3625 * dfg/DFGDriver.h:
3626 * dfg/DFGFixupPhase.cpp:
3627 * dfg/DFGFlushLivenessAnalysisPhase.cpp:
3628 * dfg/DFGGenerationInfo.h:
3629 * dfg/DFGGraph.cpp:
3630 * dfg/DFGGraph.h:
3631 * dfg/DFGInPlaceAbstractState.cpp:
3632 * dfg/DFGInPlaceAbstractState.h:
3633 * dfg/DFGInlineCacheWrapperInlines.h:
3634 * dfg/DFGInvalidationPointInjectionPhase.cpp:
3635 * dfg/DFGJITCode.h:
3636 * dfg/DFGJITCompiler.cpp:
3637 * dfg/DFGJITCompiler.h:
3638 * dfg/DFGJITFinalizer.cpp:
3639 * dfg/DFGJITFinalizer.h:
3640 * dfg/DFGLICMPhase.cpp:
3641 * dfg/DFGLivenessAnalysisPhase.cpp:
3642 * dfg/DFGLoopPreHeaderCreationPhase.cpp:
3643 * dfg/DFGMinifiedNode.h:
3644 * dfg/DFGNaturalLoops.h:
3645 * dfg/DFGNode.cpp:
3646 * dfg/DFGNode.h:
3647 * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3648 * dfg/DFGOSREntry.cpp:
3649 * dfg/DFGOSREntrypointCreationPhase.cpp:
3650 * dfg/DFGOSRExit.cpp:
3651 * dfg/DFGOSRExit.h:
3652 * dfg/DFGOSRExitBase.cpp:
3653 * dfg/DFGOSRExitCompilationInfo.h:
3654 * dfg/DFGOSRExitCompiler.cpp:
3655 * dfg/DFGOSRExitCompiler32_64.cpp:
3656 * dfg/DFGOSRExitCompiler64.cpp:
3657 * dfg/DFGOSRExitJumpPlaceholder.cpp:
3658 * dfg/DFGOperations.cpp:
3659 * dfg/DFGPhase.h:
3660 * dfg/DFGPlan.h:
3661 * dfg/DFGPredictionInjectionPhase.cpp:
3662 * dfg/DFGPredictionPropagationPhase.cpp:
3663 * dfg/DFGResurrectionForValidationPhase.cpp:
3664 * dfg/DFGSSAConversionPhase.cpp:
3665 * dfg/DFGSSALoweringPhase.cpp:
3666 * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
3667 * dfg/DFGSlowPathGenerator.h:
3668 * dfg/DFGSpeculativeJIT.cpp:
3669 * dfg/DFGSpeculativeJIT.h:
3670 * dfg/DFGSpeculativeJIT32_64.cpp:
3671 * dfg/DFGSpeculativeJIT64.cpp:
3672 * dfg/DFGStackLayoutPhase.cpp:
3673 * dfg/DFGStoreBarrierElisionPhase.cpp:
3674 * dfg/DFGStrengthReductionPhase.cpp:
3675 * dfg/DFGThunks.cpp:
3676 * dfg/DFGTierUpCheckInjectionPhase.cpp:
3677 * dfg/DFGTypeCheckHoistingPhase.cpp:
3678 * dfg/DFGUnificationPhase.cpp:
3679 * dfg/DFGValidate.h:
3680 * dfg/DFGValueSource.h:
3681 * dfg/DFGVariableAccessData.h:
3682 * dfg/DFGVariableAccessDataDump.cpp:
3683 * dfg/DFGVariableEvent.h:
3684 * dfg/DFGVariableEventStream.h:
3685 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
3686 * dfg/DFGWatchpointCollectionPhase.cpp:
3687 * dfg/DFGWorklist.cpp:
3688
3689 2014-02-10 Peter Molnar <pmolnar.u-szeged@partner.samsung.com>
3690
3691 Remove extra includes from DFG
3692 https://bugs.webkit.org/show_bug.cgi?id=126983
3693
3694 Reviewed by Andreas Kling.
3695
3696 * dfg/DFGAbstractInterpreter.h:
3697 * dfg/DFGAbstractValue.h:
3698 * dfg/DFGAdjacencyList.h:
3699 * dfg/DFGArgumentPosition.h:
3700 * dfg/DFGArgumentsSimplificationPhase.cpp:
3701 * dfg/DFGArrayMode.cpp:
3702 * dfg/DFGArrayifySlowPathGenerator.h:
3703 * dfg/DFGAtTailAbstractState.h:
3704 * dfg/DFGAvailability.h:
3705 * dfg/DFGBackwardsPropagationPhase.cpp:
3706 * dfg/DFGBasicBlock.h:
3707 * dfg/DFGBasicBlockInlines.h:
3708 * dfg/DFGByteCodeParser.cpp:
3709 * dfg/DFGCFAPhase.cpp:
3710 * dfg/DFGCFGSimplificationPhase.cpp:
3711 * dfg/DFGCPSRethreadingPhase.cpp:
3712 * dfg/DFGCSEPhase.cpp:
3713 * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
3714 * dfg/DFGCapabilities.cpp:
3715 * dfg/DFGCapabilities.h:
3716 * dfg/DFGClobberize.h:
3717 * dfg/DFGCommonData.cpp:
3718 * dfg/DFGConstantFoldingPhase.cpp:
3719 * dfg/DFGCriticalEdgeBreakingPhase.cpp:
3720 * dfg/DFGDCEPhase.cpp:
3721 * dfg/DFGDominators.h:
3722 * dfg/DFGDriver.cpp:
3723 * dfg/DFGDriver.h:
3724 * dfg/DFGFixupPhase.cpp:
3725 * dfg/DFGFlushLivenessAnalysisPhase.cpp:
3726 * dfg/DFGGenerationInfo.h:
3727 * dfg/DFGGraph.cpp:
3728 * dfg/DFGGraph.h:
3729 * dfg/DFGInPlaceAbstractState.cpp:
3730 * dfg/DFGInPlaceAbstractState.h:
3731 * dfg/DFGInlineCacheWrapperInlines.h:
3732 * dfg/DFGInvalidationPointInjectionPhase.cpp:
3733 * dfg/DFGJITCode.h:
3734 * dfg/DFGJITCompiler.cpp:
3735 * dfg/DFGJITCompiler.h:
3736 * dfg/DFGJITFinalizer.cpp:
3737 * dfg/DFGJITFinalizer.h:
3738 * dfg/DFGLICMPhase.cpp:
3739 * dfg/DFGLivenessAnalysisPhase.cpp:
3740 * dfg/DFGLoopPreHeaderCreationPhase.cpp:
3741 * dfg/DFGMinifiedNode.h:
3742 * dfg/DFGNaturalLoops.h:
3743 * dfg/DFGNode.cpp:
3744 * dfg/DFGNode.h:
3745 * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
3746 * dfg/DFGOSREntry.cpp:
3747 * dfg/DFGOSREntrypointCreationPhase.cpp:
3748 * dfg/DFGOSRExit.cpp:
3749 * dfg/DFGOSRExit.h:
3750 * dfg/DFGOSRExitBase.cpp:
3751 * dfg/DFGOSRExitCompilationInfo.h:
3752 * dfg/DFGOSRExitCompiler.cpp:
3753 * dfg/DFGOSRExitCompiler32_64.cpp:
3754 * dfg/DFGOSRExitCompiler64.cpp:
3755 * dfg/DFGOSRExitJumpPlaceholder.cpp:
3756 * dfg/DFGOperations.cpp:
3757 * dfg/DFGPhase.h:
3758 * dfg/DFGPlan.h:
3759 * dfg/DFGPredictionInjectionPhase.cpp:
3760 * dfg/DFGPredictionPropagationPhase.cpp:
3761 * dfg/DFGResurrectionForValidationPhase.cpp:
3762 * dfg/DFGSSAConversionPhase.cpp:
3763 * dfg/DFGSSALoweringPhase.cpp:
3764 * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
3765 * dfg/DFGSlowPathGenerator.h:
3766 * dfg/DFGSpeculativeJIT.cpp:
3767 * dfg/DFGSpeculativeJIT.h:
3768 * dfg/DFGSpeculativeJIT32_64.cpp:
3769 * dfg/DFGSpeculativeJIT64.cpp:
3770 * dfg/DFGStackLayoutPhase.cpp:
3771 * dfg/DFGStoreBarrierElisionPhase.cpp:
3772 * dfg/DFGStrengthReductionPhase.cpp:
3773 * dfg/DFGThunks.cpp:
3774 * dfg/DFGTierUpCheckInjectionPhase.cpp:
3775 * dfg/DFGTypeCheckHoistingPhase.cpp:
3776 * dfg/DFGUnificationPhase.cpp:
3777 * dfg/DFGValidate.h:
3778 * dfg/DFGValueSource.h:
3779 * dfg/DFGVariableAccessData.h:
3780 * dfg/DFGVariableAccessDataDump.cpp:
3781 * dfg/DFGVariableEvent.h:
3782 * dfg/DFGVariableEventStream.h:
3783 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
3784 * dfg/DFGWatchpointCollectionPhase.cpp:
3785 * dfg/DFGWorklist.cpp:
3786
3787 2014-02-10 Filip Pizlo <fpizlo@apple.com>
3788
3789 JSC environment variables should override other mechanisms for setting options
3790 https://bugs.webkit.org/show_bug.cgi?id=128511
3791
3792 Reviewed by Geoffrey Garen.
3793
3794 * runtime/Options.cpp:
3795 (JSC::Options::setOption):
3796 * runtime/Options.h:
3797
3798 2014-02-10 Darin Adler <darin@apple.com>
3799
3800 Stop using String::deprecatedCharacters to call WTF::Collator
3801 https://bugs.webkit.org/show_bug.cgi?id=128517
3802
3803 Reviewed by Alexey Proskuryakov.
3804
3805 * runtime/StringPrototype.cpp:
3806 (JSC::stringProtoFuncLocaleCompare): Use the default constructor for Collator, which now
3807 gives the default locale collation rules. Use the new arguments for Collator::collate, which
3808 are now StringView. These two changes together eliminate the need for a separate helper function.
3809
3810 2014-02-10 Filip Pizlo <fpizlo@apple.com>
3811
3812 <1/100 probability FTL failure: v8-v6/v8-deltablue.js.ftl-eager: Exception: TypeError: undefined is not an object (evaluating 'c.isInput')
3813 https://bugs.webkit.org/show_bug.cgi?id=128278
3814
3815 Reviewed by Mark Hahnenberg.
3816
3817 Fix another FTL flake due to bytecode liveness corner cases. Hopefully it's the last
3818 one.
3819
3820 * dfg/DFGByteCodeParser.cpp:
3821 (JSC::DFG::ByteCodeParser::parseBlock): Make sure that inside a constructor, the 'this' result is always set. This makes it easier to unify the treatment of 'this' for OSR exit: we just say that it's always live.
3822 * dfg/DFGGraph.cpp:
3823 (JSC::DFG::Graph::isLiveInBytecode): Assume that 'this' is live. We were already sort of doing this for calls because the callsite would claim it to be live. But we didn't do it for constructors. It's true that *at the callsite* 'this' won't be live, but inside the inlined constructor, it almost certainly will be.
3824 * dfg/DFGTierUpCheckInjectionPhase.cpp:
3825 (JSC::DFG::TierUpCheckInjectionPhase::run): I just noticed this benign bug. We should only return 'true' if we actually injected checks.
3826 * ftl/FTLOSRExitCompiler.cpp:
3827 (JSC::FTL::compileStub): Make it easier to just dump disassembly for FTL OSR exits.
3828 * runtime/Options.h: Ditto.
3829 * tests/stress/inlined-constructor-this-liveness.js: Added.
3830 (Foo):
3831 (foo):
3832 * tests/stress/inlined-function-this-liveness.js: Added.
3833 (bar):
3834 (foo):
3835
3836 2014-02-10 Filip Pizlo <fpizlo@apple.com>
3837
3838 Actually register those DFG::Safepoints
3839 https://bugs.webkit.org/show_bug.cgi?id=128521
3840
3841 Reviewed by Mark Hahnenberg.
3842
3843 No test because GC + thread + JIT = ???.
3844
3845 * dfg/DFGSafepoint.cpp:
3846 (JSC::DFG::Safepoint::~Safepoint):
3847 (JSC::DFG::Safepoint::begin):
3848
3849 2014-02-10 Peter Molnar <pmolnar.u-szeged@partner.samsung.com>
3850
3851 Fix EFL build with INSPECTOR disabled
3852 https://bugs.webkit.org/show_bug.cgi?id=125064
3853
3854 Reviewed by Csaba Osztrogonác.
3855
3856 * inspector/InjectedScriptManager.h:
3857 * inspector/ScriptDebugServer.cpp:
3858 * inspector/agents/InspectorAgent.h:
3859 * inspector/scripts/CodeGeneratorInspectorStrings.py:
3860 (Inspector):
3861
3862 2014-02-09 Filip Pizlo <fpizlo@apple.com>
3863
3864 GC blocks on FTL and then badness
3865 https://bugs.webkit.org/show_bug.cgi?id=128291
3866
3867 Reviewed by Oliver Hunt.
3868
3869 Introduce the notion of a DFG::Safepoint, which allows you to unlock the rightToRun
3870 mutex for your JIT thread, while supplying the GC with all of the information it would
3871 need to scan you at that moment in time. The default way of using this is
3872 DFG::GraphSafepoint, where you just supply the Graph. There's a lot of machinery in
3873 this patch just to make the Graph scannable.
3874
3875 We then use DFG::GraphSafepoint in just two places for now: (1) while initializing LLVM
3876 and (2) while invoking LLVM's optimizer and backend.
3877
3878 This is a 30% speed-up on Octane/typescript and a 10% speed-up on Octane/gbemu. 2-3%
3879 speed-up overall on Octane.
3880
3881 * CMakeLists.txt:
3882 * GNUmakefile.list.am:
3883 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3884 * JavaScriptCore.xcodeproj/project.pbxproj:
3885 * dfg/DFGDriver.cpp:
3886 (JSC::DFG::compileImpl):
3887 * dfg/DFGGraph.cpp:
3888 (JSC::DFG::Graph::visitChildren):
3889 * dfg/DFGGraph.h:
3890 * dfg/DFGGraphSafepoint.cpp: Added.
3891 (JSC::DFG::GraphSafepoint::GraphSafepoint):
3892 (JSC::DFG::GraphSafepoint::~GraphSafepoint):
3893 * dfg/DFGGraphSafepoint.h: Added.
3894 * dfg/DFGOperations.h:
3895 * dfg/DFGPlan.cpp:
3896 (JSC::DFG::Plan::compileInThread):
3897 (JSC::DFG::Plan::compileInThreadImpl):
3898 * dfg/DFGPlan.h:
3899 * dfg/DFGSafepoint.cpp: Added.
3900 (JSC::DFG::Safepoint::Safepoint):
3901 (JSC::DFG::Safepoint::~Safepoint):
3902 (JSC::DFG::Safepoint::add):
3903 (JSC::DFG::Safepoint::begin):
3904 (JSC::DFG::Safepoint::visitChildren):
3905 * dfg/DFGSafepoint.h: Added.
3906 * dfg/DFGScannable.h: Added.
3907 (JSC::DFG::Scannable::Scannable):
3908 (JSC::DFG::Scannable::~Scannable):
3909 * dfg/DFGThreadData.cpp: Added.
3910 (JSC::DFG::ThreadData::ThreadData):
3911 (JSC::DFG::ThreadData::~ThreadData):
3912 * dfg/DFGThreadData.h: Added.
3913 * dfg/DFGWorklist.cpp:
3914 (JSC::DFG::Worklist::finishCreation):
3915 (JSC::DFG::Worklist::visitChildren):
3916 (JSC::DFG::Worklist::runThread):
3917 * dfg/DFGWorklist.h:
3918 * ftl/FTLCompile.cpp:
3919 (JSC::FTL::compile):
3920 * heap/SlotVisitor.h:
3921 * heap/SlotVisitorInlines.h:
3922 (JSC::SlotVisitor::appendUnbarrieredReadOnlyPointer):
3923 (JSC::SlotVisitor::appendUnbarrieredReadOnlyValue):
3924
3925 2014-02-09 Filip Pizlo <fpizlo@apple.com>
3926
3927 Never include *Inlines.h files in interface headers, and never include *Inlines.h when you could include Operations.h instead
3928 https://bugs.webkit.org/show_bug.cgi?id=128505
3929
3930 Reviewed by Mark Hahnenberg and Oliver Hunt.
3931
3932 * API/JSContextRef.cpp:
3933 * assembler/LinkBuffer.cpp:
3934 * bytecode/ArrayProfile.cpp:
3935 * bytecode/BytecodeBasicBlock.cpp:
3936 * bytecode/BytecodeLivenessAnalysisInlines.h:
3937 * bytecode/CallLinkInfo.cpp:
3938 * bytecode/CodeBlock.cpp:
3939 * bytecode/CodeBlock.h:
3940 * bytecode/CodeBlockJettisoningWatchpoint.cpp:
3941 * bytecode/ExecutionCounter.cpp:
3942 * bytecode/MethodOfGettingAValueProfile.cpp:
3943 * bytecode/PreciseJumpTargets.cpp:
3944 * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
3945 * bytecode/SamplingTool.cpp:
3946 * bytecode/SpecialPointer.cpp:
3947 * bytecode/StructureStubClearingWatchpoint.cpp:
3948 * debugger/DebuggerCallFrame.cpp:
3949 * dfg/DFGAbstractHeap.cpp:
3950 * dfg/DFGAbstractValue.cpp:
3951 * dfg/DFGArgumentsSimplificationPhase.cpp:
3952 * dfg/DFGArithMode.cpp:
3953 * dfg/DFGArrayMode.cpp:
3954 * dfg/DFGAtTailAbstractState.cpp:
3955 * dfg/DFGAvailability.cpp:
3956 * dfg/DFGBackwardsPropagationPhase.cpp:
3957 * dfg/DFGBasicBlock.cpp:
3958 * dfg/DFGBinarySwitch.cpp:
3959 * dfg/DFGBlockInsertionSet.cpp:
3960 * dfg/DFGByteCodeParser.cpp:
3961 * dfg/DFGCFAPhase.cpp:
3962 * dfg/DFGCFGSimplificationPhase.cpp:
3963 * dfg/DFGCPSRethreadingPhase.cpp:
3964 * dfg/DFGCSEPhase.cpp:
3965 * dfg/DFGCapabilities.cpp:
3966 * dfg/DFGClobberSet.cpp:
3967 * dfg/DFGClobberize.cpp:
3968 * dfg/DFGCommon.cpp:
3969 * dfg/DFGCommonData.cpp:
3970 * dfg/DFGCompilationKey.cpp:
3971 * dfg/DFGCompilationMode.cpp:
3972 * dfg/DFGConstantFoldingPhase.cpp:
3973 * dfg/DFGCriticalEdgeBreakingPhase.cpp:
3974 * dfg/DFGDCEPhase.cpp:
3975 * dfg/DFGDesiredIdentifiers.cpp:
3976 * dfg/DFGDesiredStructureChains.cpp:
3977 * dfg/DFGDesiredTransitions.cpp:
3978 * dfg/DFGDesiredWatchpoints.cpp:
3979 * dfg/DFGDisassembler.cpp:
3980 * dfg/DFGDisassembler.h:
3981 * dfg/DFGDominators.cpp:
3982 * dfg/DFGEdge.cpp:
3983 * dfg/DFGFailedFinalizer.cpp:
3984 * dfg/DFGFinalizer.cpp:
3985 * dfg/DFGFixupPhase.cpp:
3986 * dfg/DFGFlushFormat.cpp:
3987 * dfg/DFGFlushLivenessAnalysisPhase.cpp:
3988 * dfg/DFGFlushedAt.cpp:
3989 * dfg/DFGGraph.cpp:
3990 * dfg/DFGInPlaceAbstractState.cpp:
3991 * dfg/DFGInvalidationPointInjectionPhase.cpp:
3992 * dfg/DFGJITCode.cpp:
3993 * dfg/DFGJITCompiler.cpp:
3994 * dfg/DFGJITCompiler.h:
3995 * dfg/DFGJITFinalizer.cpp:
3996 * dfg/DFGJumpReplacement.cpp:
3997 * dfg/DFGLICMPhase.cpp:
3998 * dfg/DFGLazyJSValue.cpp:
3999 * dfg/DFGLivenessAnalysisPhase.cpp:
4000 * dfg/DFGLongLivedState.cpp:
4001 * dfg/DFGLoopPreHeaderCreationPhase.cpp:
4002 * dfg/DFGMinifiedNode.cpp:
4003 * dfg/DFGNaturalLoops.cpp:
4004 * dfg/DFGNode.cpp:
4005 * dfg/DFGNodeFlags.cpp:
4006 * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
4007 * dfg/DFGOSREntry.cpp:
4008 * dfg/DFGOSREntrypointCreationPhase.cpp:
4009 * dfg/DFGOSRExit.cpp:
4010 * dfg/DFGOSRExitBase.cpp:
4011 * dfg/DFGOSRExitCompiler.cpp:
4012 * dfg/DFGOSRExitCompiler32_64.cpp:
4013 * dfg/DFGOSRExitCompiler64.cpp:
4014 * dfg/DFGOSRExitCompilerCommon.cpp:
4015 * dfg/DFGOSRExitJumpPlaceholder.cpp:
4016 * dfg/DFGOSRExitPreparation.cpp:
4017 * dfg/DFGOperations.cpp:
4018 * dfg/DFGOperations.h:
4019 * dfg/DFGPhase.cpp:
4020 * dfg/DFGPlan.cpp:
4021 * dfg/DFGPredictionInjectionPhase.cpp:
4022 * dfg/DFGPredictionPropagationPhase.cpp:
4023 * dfg/DFGResurrectionForValidationPhase.cpp:
4024 * dfg/DFGSSAConversionPhase.cpp:
4025 * dfg/DFGSSALoweringPhase.cpp:
4026 * dfg/DFGSpeculativeJIT.cpp:
4027 * dfg/DFGSpeculativeJIT32_64.cpp:
4028 * dfg/DFGSpeculativeJIT64.cpp:
4029 * dfg/DFGStackLayoutPhase.cpp:
4030 * dfg/DFGStoreBarrierElisionPhase.cpp:
4031 * dfg/DFGStrengthReductionPhase.cpp:
4032 * dfg/DFGThunks.cpp:
4033 * dfg/DFGTierUpCheckInjectionPhase.cpp:
4034 * dfg/DFGToFTLDeferredCompilationCallback.cpp:
4035 * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
4036 * dfg/DFGTypeCheckHoistingPhase.cpp:
4037 * dfg/DFGUnificationPhase.cpp:
4038 * dfg/DFGUseKind.cpp:
4039 * dfg/DFGValidate.cpp:
4040 * dfg/DFGValueSource.cpp:
4041 * dfg/DFGVariableAccessDataDump.cpp:
4042 * dfg/DFGVariableEvent.cpp:
4043 * dfg/DFGVariableEventStream.cpp:
4044 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
4045 * dfg/DFGWatchpointCollectionPhase.cpp:
4046 * dfg/DFGWorklist.cpp:
4047 * disassembler/Disassembler.cpp:
4048 * ftl/FTLLink.cpp:
4049 * ftl/FTLOSRExitCompiler.cpp:
4050 * ftl/FTLSlowPathCall.cpp:
4051 * ftl/FTLThunks.cpp:
4052 (JSC::FTL::slowPathCallThunkGenerator):
        * heap/BlockAllocator.cpp:
        * heap/CodeBlockSet.cpp:
        * heap/ConservativeRoots.cpp:
        * heap/DeferGC.cpp:
        * heap/GCThread.cpp:
        * heap/GCThreadSharedData.cpp:
        * heap/HeapTimer.cpp:
        * heap/IncrementalSweeper.cpp:
        * heap/JITStubRoutineSet.cpp:
        * heap/MachineStackMarker.cpp:
        * heap/MarkStack.cpp:
        * heap/MarkedAllocator.cpp:
        * heap/MarkedSpace.cpp:
        * heap/SuperRegion.cpp:
        * heap/Weak.cpp:
        * heap/WeakHandleOwner.cpp:
        * heap/WeakSet.cpp:
        * heap/WriteBarrierBuffer.cpp:
        * heap/WriteBarrierSupport.cpp:
        * inspector/ScriptCallStackFactory.cpp:
        * interpreter/AbstractPC.cpp:
        * interpreter/JSStack.cpp:
        * interpreter/ProtoCallFrame.cpp:
        * interpreter/VMInspector.cpp:
        * jit/ArityCheckFailReturnThunks.cpp:
        * jit/AssemblyHelpers.cpp:
        * jit/ExecutableAllocator.cpp:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        * jit/GCAwareJITStubRoutine.cpp:
        * jit/HostCallReturnValue.cpp:
        * jit/JITDisassembler.cpp:
        * jit/JITDisassembler.h:
        * jit/JITExceptions.cpp:
        * jit/JITInlines.h:
        * jit/JITOperations.cpp:
        * jit/JITOperationsMSVC64.cpp:
        * jit/JITStubRoutine.cpp:
        * jit/JITStubs.cpp:
        * jit/JITToDFGDeferredCompilationCallback.cpp:
        * jit/RegisterPreservationWrapperGenerator.cpp:
        * jit/RegisterSet.cpp:
        * jit/Repatch.cpp:
        * jit/TempRegisterSet.cpp:
        * jsc.cpp:
        * parser/Lexer.cpp:
        * parser/Parser.cpp:
        * parser/ParserArena.cpp:
        * parser/SourceCode.cpp:
        * parser/SourceProvider.cpp:
        * parser/SourceProviderCache.cpp:
        * profiler/ProfileGenerator.cpp:
        * runtime/Arguments.cpp:
        * runtime/ArgumentsIteratorPrototype.cpp:
        * runtime/CommonSlowPathsExceptions.cpp:
        * runtime/JSArgumentsIterator.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/Operations.h:
        * runtime/VM.cpp:

2014-02-09 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, don't mark isHostFunction() inline in the header file because that really confuses EFL.

        * runtime/JSFunction.h:

2014-02-09 Anders Carlsson <andersca@apple.com>

        Add WTF_MAKE_FAST_ALLOCATED to more classes
        https://bugs.webkit.org/show_bug.cgi?id=128506

        Reviewed by Andreas Kling.

        * bytecode/UnlinkedInstructionStream.h:
        * runtime/SymbolTable.h:
        * runtime/WriteBarrier.h:

2014-02-09 Mark Hahnenberg <mhahnenberg@apple.com>

        Objective-C API NSDate conversion is off by 1000x (ms vs s)
        https://bugs.webkit.org/show_bug.cgi?id=128386

        Reviewed by Michael Saboff.

        * API/JSValue.mm:
        (valueToObjectWithoutCopy):
        (valueToDate):
        (objectToValueWithoutCopy):
        * API/tests/DateTests.h: Added.
        * API/tests/DateTests.mm: Added.
        (+[DateTests NSDateToJSDateTest]):
        (+[DateTests JSDateToNSDateTest]):
        (+[DateTests roundTripThroughJSDateTest]):
        (+[DateTests roundTripThroughObjCDateTest]):
        * API/tests/testapi.mm:
        (checkResult):
        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-09 Andreas Kling <akling@apple.com>

        Pass VM instead of ExecState to JSCell::fastGetOwnProperty().
        <https://webkit.org/b/128497>

        Knocks off a couple of instructions.

        Reviewed by Anders Carlsson.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):

2014-02-09 Anders Carlsson <andersca@apple.com>

        Convert some JSC code over to std::mutex
        https://bugs.webkit.org/show_bug.cgi?id=128500

        Reviewed by Dan Bernstein.

        * API/JSVirtualMachine.mm:
        (wrapperCacheMutex):
        (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
        (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
        * heap/GCThreadSharedData.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::mergeOpaqueRoots):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::containsOpaqueRootTriState):
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::registerDebuggable):
        (Inspector::RemoteInspector::unregisterDebuggable):
        (Inspector::RemoteInspector::updateDebuggable):
        (Inspector::RemoteInspector::sendMessageToRemoteFrontend):
        (Inspector::RemoteInspector::start):
        (Inspector::RemoteInspector::stop):
        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        (Inspector::RemoteInspector::pushListingSoon):
        (Inspector::RemoteInspector::receivedIndicateMessage):
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::close):
        (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::DemandExecutableAllocator):
        (JSC::DemandExecutableAllocator::~DemandExecutableAllocator):
        (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators):
        (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors):
        (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators):
        (JSC::DemandExecutableAllocator::allocatorsMutex):

2014-02-09 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r163737.
        http://trac.webkit.org/changeset/163737
        https://bugs.webkit.org/show_bug.cgi?id=128491

        Caused 8+ tests to fail on Mavericks and Mountain Lion bots
        (Requested by rniwa on #webkit).

        * runtime/JSString.h:
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsString):
        (JSC::jsSubstring8):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::SmallStringsStorage):
        (JSC::SmallStrings::SmallStrings):

2014-02-08 Anders Carlsson <andersca@apple.com>

        Simplify single character substrings in JSC
        https://bugs.webkit.org/show_bug.cgi?id=128483

        Reviewed by Andreas Kling.

        With the recent work to make StringImpl occupy less space, it is actually more
        efficient to allocate a single character string than it is to use createSubstringSharingImpl!

        * runtime/JSString.h:
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsString):
        (JSC::jsSubstring8):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::SmallStringsStorage):
        (JSC::SmallStrings::SmallStrings):

2014-02-08 Mark Hahnenberg <mhahnenberg@apple.com>

        Baseline JIT uses the wrong version of checkMarkWord in emitWriteBarrier
        https://bugs.webkit.org/show_bug.cgi?id=128474

        Reviewed by Michael Saboff.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier):

2014-02-08 Mark Lam <mark.lam@apple.com>

        Rename a field and some variables in JSLock to better describe what they contain.
        <https://webkit.org/b/128475>

        Reviewed by Oliver Hunt.

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        (JSC::JSLock::grabAllLocks):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:

2014-02-08 Anders Carlsson <andersca@apple.com>

        Stop using getCharactersWithUpconvert in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=128457

        Reviewed by Andreas Kling.

        Change substituteBackreferencesSlow to take StringViews and use a StringBuilder instead of upconverting
        if the source or replacement strings are 16-bit.

        * runtime/StringPrototype.cpp:
        (JSC::substituteBackreferencesSlow):
        (JSC::substituteBackreferences):

2014-02-08 Mark Rowe <mrowe@apple.com>

        <https://webkit.org/b/128452> Don't duplicate the list of input files for postprocess-headers.sh

        Reviewed by Dan Bernstein.

        * postprocess-headers.sh: Pull the list of headers to process out of the environment.

2014-02-08 Mark Rowe <mrowe@apple.com>

        Fix the iOS build.

        * API/WebKitAvailability.h: Skip the workarounds specific to OS X when we're building for iOS.

2014-02-07 Mark Rowe <mrowe@apple.com>

        <https://webkit.org/b/128448> Fix use of availability macros on recently-added APIs

        Reviewed by Dan Bernstein.

        * API/JSContext.h: Remove some #ifs.
        * API/JSManagedValue.h: Ditto.
        * API/WebKitAvailability.h: #define the macros that availability macros mentioning
        newer OS X versions would expand to when building on older OS versions.
        * JavaScriptCore.xcodeproj/project.pbxproj: Call the new postprocess-headers.sh.
        * postprocess-headers.sh: Extracted from the Xcode project. Updated to remove content
        from headers based on the __MAC_OS_X_VERSION_MIN_REQUIRED macro, and to
        process WebKitAvailability.h.

2014-02-07 Mark Lam <mark.lam@apple.com>

        JSLock should not "restore" VM stack values if it did not re-grab locks.
        <https://webkit.org/b/128447>

        Reviewed by Geoffrey Garen.

        In the existing code, if DropAllLocks is instantiated with DontAlwaysDropLocks
        in a thread that does not own the JSLock, then a bug will manifest where:

        1. The DropAllLocks constructor will save the VM's stackPointerAtEntry,
        lastStackTop, and reservedZoneSize even though it will not drop the JSLock.
        2. The DropAllLocks destructor will restore those 3 values to the VM even
        though the JSLock will not grab its internal lock.

        The former only causes busy work but does not impact correctness. The latter
        however, will corrupt those 3 VM values which belong to the thread that
        actually owns the JSLock.

        The fix is to only save the values when the JSLock will actually drop its
        internal lock, and only restore the values if it did re-grab the internal lock.

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        (JSC::JSLock::grabAllLocks):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        - Moved the saving of VM stack values to dropAllLocks() and
          dropAllLocksUnconditionally().
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        - Moved the restoring of VM stack values to grabAllLocks().

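The failure mode in the JSLock entry above, replayed as an added example that is not JavaScriptCore's own code: a constructed VM stand-in holding the three fields the entry names, thread identity simulated with explicit ids so the interleaving is deterministic, and a `fixed` flag that switches the guard between the save/restore policy the entry describes as buggy and the corrected one.

```cpp
#include <cstddef>
#include <cstdint>

// Constructed stand-in for the three JSC::VM fields the entry names.
struct VM {
    std::uintptr_t stackPointerAtVMEntry = 0;
    std::uintptr_t lastStackTop = 0;
    std::size_t reservedZoneSize = 0;
};

using ThreadId = int;   // simulated thread identity (assumption of this example)

class JSLock {
public:
    explicit JSLock(VM& vm) : m_vm(vm) {}

    void lock(ThreadId tid) { m_owner = tid; }
    void unlock() { m_owner = kNoOwner; }
    bool isHeldBy(ThreadId tid) const { return m_owner == tid; }

    // Corrected policy: save the VM values only when this call really releases
    // the lock, and report whether it did so the guard knows whether to re-grab.
    bool dropAllLocks(ThreadId tid, VM& saved) {
        if (!isHeldBy(tid))
            return false;
        saved = m_vm;
        m_vm = VM{};          // nothing is inside the VM while the lock is dropped
        unlock();
        return true;
    }

    // Corrected policy: restoring happens only as part of actually re-grabbing.
    void grabAllLocks(ThreadId tid, const VM& saved) {
        lock(tid);
        m_vm = saved;
    }

private:
    static constexpr ThreadId kNoOwner = -1;
    VM& m_vm;
    ThreadId m_owner = kNoOwner;
};

// RAII guard with DontAlwaysDropLocks semantics: it drops the lock only if the
// constructing thread owns it. fixed == false reproduces the described bug.
class DropAllLocks {
public:
    DropAllLocks(JSLock& lock, VM& vm, ThreadId tid, bool fixed)
        : m_lock(lock), m_vm(vm), m_tid(tid), m_fixed(fixed) {
        if (m_fixed) {
            m_dropped = m_lock.dropAllLocks(m_tid, m_saved);
        } else {
            m_saved = m_vm;                       // bug 1: saved even when not dropping
            m_dropped = m_lock.isHeldBy(m_tid);
            if (m_dropped)
                m_lock.unlock();
        }
    }
    ~DropAllLocks() {
        if (m_fixed) {
            if (m_dropped)
                m_lock.grabAllLocks(m_tid, m_saved);
        } else {
            if (m_dropped)
                m_lock.lock(m_tid);
            m_vm = m_saved;                       // bug 2: restored even when not re-grabbed
        }
    }

private:
    JSLock& m_lock;
    VM& m_vm;
    ThreadId m_tid;
    bool m_fixed;
    bool m_dropped = false;
    VM m_saved;
};

// Interleaving from the entry: thread A owns the lock and is inside the VM;
// thread B instantiates DropAllLocks without owning it; A then re-enters the
// VM with a new stack pointer; B's guard is destroyed. Returns what A sees.
std::uintptr_t replayNonOwnerGuard(bool fixed) {
    const ThreadId A = 1, B = 2;
    VM vm;
    JSLock lock(vm);
    lock.lock(A);
    vm.stackPointerAtVMEntry = 0x1000;        // A's first entry
    {
        DropAllLocks guard(lock, vm, B, fixed);   // B does not own the lock
        vm.stackPointerAtVMEntry = 0x2000;    // A re-enters with a new value
    }                                         // B's guard destructs here
    return vm.stackPointerAtVMEntry;          // buggy: 0x1000, fixed: 0x2000
}

// The owning thread dropping and re-grabbing round-trips under both policies.
std::uintptr_t replayOwnerGuard(bool fixed) {
    const ThreadId A = 1;
    VM vm;
    JSLock lock(vm);
    lock.lock(A);
    vm.stackPointerAtVMEntry = 0x1000;
    {
        DropAllLocks guard(lock, vm, A, fixed);
    }
    return vm.stackPointerAtVMEntry;          // 0x1000 either way
}
```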
2014-02-07 Filip Pizlo <fpizlo@apple.com>

        Don't throw away code if there is code on the worklists
        https://bugs.webkit.org/show_bug.cgi?id=128443

        Reviewed by Joseph Pecoraro.

        If we throw away compiled code and there is code currently being JITed then the JIT
        will get confused after it resumes: it will see a code block that had claimed to belong
        to an executable except that it doesn't belong to any executables anymore.

        * dfg/DFGWorklist.h:
        (JSC::DFG::Worklist::isActive):
        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode):

2014-02-07 Filip Pizlo <fpizlo@apple.com>

        GC should safepoint the DFG worklist in a smarter way rather than just waiting for everything to complete
        https://bugs.webkit.org/show_bug.cgi?id=128297

        Reviewed by Oliver Hunt.

        This makes DFG worklist threads have a rightToRun lock that gives them the ability to
        be safepointed by the GC in much the same way as you'd expect from a fully
        multithreaded VM.

        The idea is that the worklist threads' roots are the DFG::Plan. They only touch those
        roots when holding the rightToRun lock. They currently grab that lock to run the
        compiler, but relinquish it when accessing - and waiting on - the worklist.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlockSet::mark):
        * dfg/DFGCompilationKey.cpp:
        (JSC::DFG::CompilationKey::visitChildren):
        * dfg/DFGCompilationKey.h:
        * dfg/DFGDesiredStructureChains.cpp:
        (JSC::DFG::DesiredStructureChains::visitChildren):
        * dfg/DFGDesiredStructureChains.h:
        * dfg/DFGDesiredTransitions.cpp:
        (JSC::DFG::DesiredTransition::visitChildren):
        (JSC::DFG::DesiredTransitions::visitChildren):
        * dfg/DFGDesiredTransitions.h:
        * dfg/DFGDesiredWeakReferences.cpp:
        (JSC::DFG::DesiredWeakReferences::visitChildren):
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGDesiredWriteBarriers.cpp:
        (JSC::DFG::DesiredWriteBarrier::visitChildren):
        (JSC::DFG::DesiredWriteBarriers::visitChildren):
        * dfg/DFGDesiredWriteBarriers.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::visitChildren):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::~Worklist):
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::suspendAllThreads):
        (JSC::DFG::Worklist::resumeAllThreads):
        (JSC::DFG::Worklist::visitChildren):
        (JSC::DFG::Worklist::runThread):
        (JSC::DFG::Worklist::threadFunction):
        * dfg/DFGWorklist.h:
        (JSC::DFG::numberOfWorklists):
        (JSC::DFG::worklistForIndexOrNull):
        * heap/CodeBlockSet.h:
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        * runtime/IntendedStructureChain.cpp:
        (JSC::IntendedStructureChain::visitChildren):
        * runtime/IntendedStructureChain.h:
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        (JSC::VM::prepareToDiscardCode):

2014-02-07 Mark Lam <mark.lam@apple.com>

        Unify JSLock implementation for iOS and non-iOS ports.
        <https://webkit.org/b/128409>

        Reviewed by Michael Saboff.

        The iOS and non-iOS implementations of dropAllLocks(),
        dropAllLocksUnconditionally(), and grabAllLocks() effectively do the
        same work. The main difference is that the iOS implementation acquires
        the JSLock spin lock in the DropAllLocks class while the other ports
        acquire it when they call JSLock::lock() and unlock().

        The other difference is that the iOS implementation will only increment
        m_locksDropDepth if it actually drops locks, whereas other ports will
        increment it unconditionally. Analogously, iOS decrements the depth only
        when needed while other ports will decrement it unconditionally when
        re-grabbing locks.

        We can unify the 2 implementations by having both use the iOS
        implementation for a start.

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        (JSC::JSLock::grabAllLocks):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):

2014-02-06 Filip Pizlo <fpizlo@apple.com>

        More FTL build scaffolding
        https://bugs.webkit.org/show_bug.cgi?id=128330

        Reviewed by Geoffrey Garen.

        * Configurations/FeatureDefines.xcconfig:
        * llvm/library/LLVMAnchor.cpp:

2014-02-07 Mark Lam <mark.lam@apple.com>

        iOS port needs to clear VM::stackPointerAtVMEntry when it drops locks.
        <https://webkit.org/b/128424>

        Reviewed by Geoffrey Garen.

        The iOS code path for dropping locks differs from the non-iOS code path
        in that it (iOS) does not clear m_vm->stackPointerAtVMEntry nor reset the
        VM stack limit. This is now fixed by copying that snippet from
        JSLock::unlock().

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):

2014-02-07 Mark Lam <mark.lam@apple.com>

        Removed superfluous JSLock::entryStackPointer field.
        <https://webkit.org/b/128413>

        Reviewed by Geoffrey Garen.

        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        * runtime/JSLock.h:

2014-02-07 Mark Lam <mark.lam@apple.com>

        Revert workaround committed in http://trac.webkit.org/r163595.
        <https://webkit.org/b/128408>

        Reviewed by Geoffrey Garen.

        Now that we have fixed the bugs in JSLock's stack limit adjustments
        in https://bugs.webkit.org/show_bug.cgi?id=128406, we can revert the
        workaround in r163595.

        * API/JSContextRef.cpp:
        (JSContextGroupCreate):
        (JSGlobalContextCreateInGroup):
        * API/tests/testapi.js:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateStackLimitWithReservedZoneSize):
        * runtime/VM.h:

2014-02-07 Mark Lam <mark.lam@apple.com>

        Fix bug in stack limit adjustments in JSLock.
        <https://webkit.org/b/128406>

        Reviewed by Geoffrey Garen.

        1. JSLock::unlock() was only clearing the VM::stackPointerAtEntry when
        m_vm->stackPointerAtVMEntry == entryStackPointer. FYI,
        entryStackPointer is a field in JSLock.

        When DropAllLocks::~DropAllLocks() will call JSLock::grabAllLocks()
        to relock the JSLock, JSLock::grabAllLocks() will set a new
        entryStackPointer value. Thereafter, DropAllLocks::~DropAllLocks() will
        restore the saved VM::stackPointerAtEntry, which will now differ from
        the JSLock's entryStackPointer value.

        It turns out that when m_vm->stackPointerAtVMEntry was initialized,
        it was set to whatever value entryStackPointer is set to. At no time
        do we ever expect the 2 values to differ. The only time it differs is
        when this bug manifests.

        The fix is to remove the entryStackPointer field in JSLock and its uses
        altogether.

        2. DropAllLocks was unconditionally clearing VM::stackPointerAtEntry in
        its constructor instead of letting JSLock::unlock() do the clearing.

        However, DropAllLocks will not actually drop locks if it isn't required
        to (e.g. when alwaysDropLocks is DontAlwaysDropLocks), and when we've
        already dropped locks once (i.e. JSLock::m_lockDropDepth is not 0).

        We should not have cleared VM::stackPointerAtEntry here if we don't
        actually drop the locks.

        * runtime/JSLock.cpp:
        (JSC::JSLock::unlock):
        (JSC::JSLock::DropAllLocks::DropAllLocks):

2014-02-07 Joseph Pecoraro <pecoraro@apple.com>

        [iOS] Eliminate race between XPC connection queue and Notification queue
        https://bugs.webkit.org/show_bug.cgi?id=128384

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        Create the queue to use for RemoteInspector xpc connection
        management and the connection itself.

        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        Use the passed in queue instead of creating one for itself.

2014-02-07 Oliver Hunt <oliver@apple.com>

        REGRESSION (r160628): LLint does not appear to handle impure get own property properly
        https://bugs.webkit.org/show_bug.cgi?id=127943

        Reviewed by Filip Pizlo.

        Make sure the LLINT doesn't attempt to cache property
        access on structures with impureGetOwnPropertySlot set.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2014-02-06 Michael Saboff <msaboff@apple.com>

        Workaround REGRESSION(r163195-r163227): Crash beneath NSErrorUserInfoFromJSException when installing AppleInternal.mpkg
        https://bugs.webkit.org/show_bug.cgi?id=128347

        Reviewed by Geoffrey Garen.

        Added a flag to VM class called m_ignoreStackLimit that disables stack limit checks.
        We set this flag in JSContextGroupCreate() and JSGlobalContextCreateInGroup().

        Disabled stack overflow tests in testapi.js since it uses these paths.

        This patch will be reverted as part of a comprehensive solution to the problem.

        * API/JSContextRef.cpp:
        (JSContextGroupCreate):
        (JSGlobalContextCreateInGroup):
        * API/tests/testapi.js:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateStackLimitWithReservedZoneSize):
        * runtime/VM.h:
        (JSC::VM::ignoreStackLimit):

2014-02-06 Mark Hahnenberg <mhahnenberg@apple.com>

        +[JSContext currentCallee] should return the currently executing JS function
        https://bugs.webkit.org/show_bug.cgi?id=122621

        Reviewed by Geoffrey Garen.

        It would be useful if there was a +[JSContext currentObject] API which was
        callable from ObjC API callbacks. Its purpose would be to allow convenient
        access to the JSValue wrapper for the currently-executing block callback.

        * API/JSContext.h:
        * API/JSContext.mm:
        (+[JSContext currentCallee]):
        (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
        * API/JSContextInternal.h:
        * API/ObjCCallbackFunction.mm:
        (JSC::objCCallbackFunctionCallAsFunction):
        (JSC::objCCallbackFunctionCallAsConstructor):
        * API/tests/testapi.mm:

2014-02-06 Mark Hahnenberg <mhahnenberg@apple.com>

        Fix iOS builds after r163574

        * API/JSManagedValue.h:

2014-02-06 Mark Hahnenberg <mhahnenberg@apple.com>

        Heap::writeBarrier shouldn't be static
        https://bugs.webkit.org/show_bug.cgi?id=127807

        Reviewed by Geoffrey Garen.

        Currently it looks up the Heap in which to fire the write barrier by using
        the cell passed to it. Almost every call site already has a reference to the
        VM or the Heap itself. It seems wasteful to look it up all over again.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopyWriteBarrier.h:
        (JSC::CopyWriteBarrier::set):
        * heap/Heap.cpp:
        (JSC::Heap::writeBarrier):
        * heap/Heap.h:
        (JSC::Heap::writeBarrier):
        * jit/JITOperations.cpp:
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrierBase::set):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_write_barrier_slow):
        * runtime/Arguments.h:
        * runtime/JSWeakMap.cpp:
        * runtime/MapData.cpp:
        (JSC::MapData::ensureSpaceForAppend):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::PropertyTable):
        * runtime/Structure.h:
        * runtime/WriteBarrier.h:
        * runtime/WriteBarrierInlines.h: Added.

2014-02-06 Mark Hahnenberg <mhahnenberg@apple.com>

        JSManagedValue should automatically call removeManagedReference:withOwner: upon dealloc
        https://bugs.webkit.org/show_bug.cgi?id=124053

        Reviewed by Geoffrey Garen.

        * API/JSManagedValue.h:
        * API/JSManagedValue.mm:
        (+[JSManagedValue managedValueWithValue:andOwner:]):
        (-[JSManagedValue initWithValue:]):
        (-[JSManagedValue dealloc]):
        (-[JSManagedValue didAddOwner:]):
        (-[JSManagedValue didRemoveOwner:]):
        * API/JSManagedValueInternal.h: Added.
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine addManagedReference:withOwner:]):
        (-[JSVirtualMachine removeManagedReference:withOwner:]):
        * API/WebKitAvailability.h:
        * API/tests/testapi.mm:
        (-[TextXYZ click]):
        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-06 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: Add Console support to JSContext Inspection
        https://bugs.webkit.org/show_bug.cgi?id=127941

        Reviewed by Geoffrey Garen.

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add new files.

        * inspector/agents/InspectorConsoleAgent.cpp: Renamed from Source/WebCore/inspector/InspectorConsoleAgent.cpp.
        * inspector/agents/InspectorConsoleAgent.h: Added.
        New agent moved from WebCore. Rename a method to work in JS only context.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        Instantiate ConsoleAgent.

        * inspector/agents/JSGlobalObjectConsoleAgent.h: Copied from Source/WebCore/inspector/PageInjectedScriptHost.h.
        * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Copied from Source/WebCore/inspector/PageInjectedScriptHost.h.
        (Inspector::JSGlobalObjectConsoleAgent::JSGlobalObjectConsoleAgent):
        (Inspector::JSGlobalObjectConsoleAgent::setMonitoringXHREnabled):
        (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode):
        (Inspector::JSGlobalObjectConsoleAgent::addInspectedHeapObject):
        JSGlobalObject implementation.

        * inspector/agents/JSGlobalObjectDebuggerAgent.h:
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::JSGlobalObjectDebuggerAgent):
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
        Use ConsoleAgent to report logs.

        * inspector/ConsoleMessage.cpp: Renamed from Source/WebCore/inspector/ConsoleMessage.cpp.
        * inspector/ConsoleMessage.h: Renamed from Source/WebCore/inspector/ConsoleMessage.h.
        * inspector/ConsoleTypes.h: Copied from Source/WebCore/inspector/ConsoleAPITypes.h.
        * inspector/IdentifiersFactory.cpp: Renamed from Source/WebCore/inspector/IdentifiersFactory.cpp.
        * inspector/IdentifiersFactory.h: Renamed from Source/WebCore/inspector/IdentifiersFactory.h.
        * inspector/ScriptArguments.cpp: Renamed from Source/WebCore/inspector/ScriptArguments.cpp.
        * inspector/ScriptArguments.h: Renamed from Source/WebCore/inspector/ScriptArguments.h.
        * inspector/ScriptCallFrame.cpp: Renamed from Source/WebCore/inspector/ScriptCallFrame.cpp.
        * inspector/ScriptCallFrame.h: Renamed from Source/WebCore/inspector/ScriptCallFrame.h.
        * inspector/ScriptCallStack.cpp: Renamed from Source/WebCore/inspector/ScriptCallStack.cpp.
        * inspector/ScriptCallStack.h: Renamed from Source/WebCore/inspector/ScriptCallStack.h.
        * inspector/ScriptCallStackFactory.cpp: Renamed from Source/WebCore/bindings/js/ScriptCallStackFactory.cpp.
        * inspector/ScriptCallStackFactory.h: Renamed from Source/WebCore/bindings/js/ScriptCallStackFactory.h.
        * inspector/protocol/Console.json: Renamed from Source/WebCore/inspector/protocol/Console.json.
        * inspector/scripts/generate-combined-inspector-json.py:

2014-02-06 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r163542.
        http://trac.webkit.org/changeset/163542
        https://bugs.webkit.org/show_bug.cgi?id=128324

        Caused many assertion failures (Requested by ap on #webkit).

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopyWriteBarrier.h:
        (JSC::CopyWriteBarrier::set):
        * heap/Heap.cpp:
        (JSC::Heap::writeBarrier):
        * heap/Heap.h:
        (JSC::Heap::writeBarrier):
        * jit/JITOperations.cpp:
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrierBase::set):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_write_barrier_slow):
        * runtime/Arguments.h:
        * runtime/JSWeakMap.cpp:
        * runtime/MapData.cpp:
        (JSC::MapData::ensureSpaceForAppend):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::PropertyTable):
        * runtime/Structure.h:
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::set):
        (JSC::WriteBarrierBase::setMayBeNull):
        (JSC::WriteBarrierBase::setEarlyValue):
        (JSC::WriteBarrierBase<Unknown>::set):
        * runtime/WriteBarrierInlines.h: Removed.

2014-02-06 Oliver Hunt <oliver@apple.com>

        Make 32bit pass the correct this value to custom getters
        https://bugs.webkit.org/show_bug.cgi?id=128313

        Reviewed by Mark Lam.

        Now that the custom getter calling convention uses a single register
        for the slot base we can easily pass the correct |thisValue| instead
        of simply relying on the thisValue not being relevant to existing
        custom getters. This also means that 32bit can call custom getters
        directly.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/Repatch.cpp:
        (JSC::generateProtoChainAccessStub):
        (JSC::tryBuildGetByIDList):

2014-02-05 Mark Hahnenberg <mhahnenberg@apple.com>

        Heap::writeBarrier shouldn't be static
        https://bugs.webkit.org/show_bug.cgi?id=127807

        Reviewed by Geoffrey Garen.

        Currently it looks up the Heap in which to fire the write barrier by using
        the cell passed to it. Almost every call site already has a reference to the
        VM or the Heap itself. It seems wasteful to look it up all over again.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopyWriteBarrier.h:
        (JSC::CopyWriteBarrier::set):
        * heap/Heap.cpp:
        (JSC::Heap::writeBarrier):
        * heap/Heap.h:
        (JSC::Heap::writeBarrier):
        * jit/JITOperations.cpp:
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrierBase::set):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_write_barrier_slow):
        * runtime/Arguments.h:
        * runtime/JSWeakMap.cpp:
        * runtime/MapData.cpp:
        (JSC::MapData::ensureSpaceForAppend):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::PropertyTable):
        * runtime/Structure.h:
        * runtime/WriteBarrier.h:
        * runtime/WriteBarrierInlines.h: Added.

2014-02-04 Filip Pizlo <fpizlo@apple.com>

        Make FTL OSR entry something we only try after we've already compiled the function with the FTL and it still got stuck in a loop after that without ever returning like a sensible function oughta have
        https://bugs.webkit.org/show_bug.cgi?id=128234

        Reviewed by Geoffrey Garen.

        Use DFG::JITCode::osrEntryRetry as a counter to decide when to invoke OSR entry. That
        comes into play only after we've done a replacement compile.

        This appears to still give us a speed-up on the kinds of things that OSR entry is good
        for, while also eliminating pointless OSR entry compilations on other things.

        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::JITCode):
        * dfg/DFGJITCode.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
        * runtime/Options.h:

2014-02-04 Filip Pizlo <fpizlo@apple.com>

        Don't speculate on ToThis if we already know that arg0 has a questionable record with structure checks
        https://bugs.webkit.org/show_bug.cgi?id=128229

        Reviewed by Geoffrey Garen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2014-02-05 Mark Hahnenberg <mhahnenberg@apple.com>

        Handling of opaque roots is wrong in EdenCollections
        https://bugs.webkit.org/show_bug.cgi?id=128210

        Reviewed by Oliver Hunt.

        The set of opaque roots is always cleared during each collection. We should instead persist
        the set of opaque roots across EdenCollections and only clear it at the beginning of FullCollections.

        Also added a couple of custom objects to the jsc shell that allow us to test this.

        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::reset):
        (JSC::GCThreadSharedData::didStartMarking):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        (JSC::Heap::setShouldDoFullCollection):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::didStartMarking):
        (JSC::SlotVisitor::reset):
        * heap/SlotVisitor.h:
        * jsc.cpp:
        (WTF::Element::Element):
        (WTF::Element::root):
        (WTF::Element::setRoot):
        (WTF::Element::create):
        (WTF::Element::createStructure):
        (WTF::ElementHandleOwner::isReachableFromOpaqueRoots):
        (WTF::Root::Root):
        (WTF::Root::element):
        (WTF::Root::setElement):
        (WTF::Root::create):
        (WTF::Root::createStructure):
        (WTF::Root::visitChildren):
        (WTF::Element::handleOwner):
        (WTF::Element::finishCreation):
        (GlobalObject::finishCreation):
        (functionCreateRoot):
        (functionCreateElement):
        (functionGetElement):
        (functionSetElementRoot):
        (functionGCAndSweep):
        (functionFullGC):
        (functionEdenGC):

2014-02-05 Anders Carlsson <andersca@apple.com>

        Remove unused functions.

        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        * runtime/RegExpObject.cpp:

2014-02-05 Oliver Hunt <oliver@apple.com>

        Change custom getter signature to make the base reference an object pointer
        https://bugs.webkit.org/show_bug.cgi?id=128279

        Reviewed by Geoffrey Garen.

        Make custom getters take a JSObject* instead of EncodedJSValue as the base
        reference. This allows us to drop one pointer from the JSVALUE32_64 calling
        convention.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::generateProtoChainAccessStub):
        (JSC::tryBuildGetByIDList):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::argumentsGetter):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::lengthGetter):
        (JSC::JSFunction::nameGetter):
        * runtime/JSFunction.h:
        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue):
        * runtime/NumberConstructor.cpp:
        (JSC::numberConstructorNaNValue):
        (JSC::numberConstructorNegInfinity):
        (JSC::numberConstructorPosInfinity):
        (JSC::numberConstructorMaxValue):
        (JSC::numberConstructorMinValue):
        * runtime/PropertySlot.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::regExpConstructorDollar1):
        (JSC::regExpConstructorDollar2):
        (JSC::regExpConstructorDollar3):
        (JSC::regExpConstructorDollar4):
        (JSC::regExpConstructorDollar5):
        (JSC::regExpConstructorDollar6):
        (JSC::regExpConstructorDollar7):
        (JSC::regExpConstructorDollar8):
        (JSC::regExpConstructorDollar9):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        * runtime/RegExpObject.cpp:
        (JSC::regExpObjectGlobal):
        (JSC::regExpObjectIgnoreCase):
        (JSC::regExpObjectMultiline):
        (JSC::regExpObjectSource):

2014-02-05 Andreas Kling <akling@apple.com>

        Remove ENABLE(DIRECTORY_UPLOAD).
        <https://webkit.org/b/128275>

        Rubber-stamped by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2014-02-05 Filip Pizlo <fpizlo@apple.com>

        Rename useExperimentalFTL to useFTLJIT.

        Rubber stamped by Mark Hahnenberg.

4998 * dfg/DFGTierUpCheckInjectionPhase.cpp:
4999 (JSC::DFG::TierUpCheckInjectionPhase::run):
5000 * runtime/Options.h:
5001
50022014-02-05 Brian Burg <bburg@apple.com>
5003
5004 Web Inspector: add probe manager and model objects to the frontend
5005 https://bugs.webkit.org/show_bug.cgi?id=127117
5006
5007 Reviewed by Timothy Hatcher.
5008
5009 The inspector frontend now assigns breakpoint action identifiers,
5010 rather than the backend. Remove return values containing breakpoint
5011 identifiers, and remove tracking and assignment of action identifiers.
5012
5013 * inspector/ScriptDebugListener.h:
5014 * inspector/ScriptDebugServer.cpp:
5015 (Inspector::ScriptDebugServer::evaluateBreakpointAction):
5016 (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
5017 Pass BreakpointAction by reference rather than just the action identifier.
5018
5019 * inspector/ScriptDebugServer.h:
5020 * inspector/agents/InspectorDebuggerAgent.cpp:
5021 (Inspector::objectGroupForBreakpointAction):
5022 (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
5023 (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
5024 (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
5025 (Inspector::InspectorDebuggerAgent::setBreakpoint):
5026 (Inspector::InspectorDebuggerAgent::removeBreakpoint):
5027 (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
5028 * inspector/agents/InspectorDebuggerAgent.h:
5029 * inspector/protocol/Debugger.json: Revert change to setBreakpoint return values. Add optional identifier to breakpoint actions.
5030
50312014-02-05 Filip Pizlo <fpizlo@apple.com>
5032
5033 JSC on Mac should pull LLVM from prefix=/usr/local/LLVMForJavaScriptCore and not /usr/local
5034 https://bugs.webkit.org/show_bug.cgi?id=128269
5035
5036 Reviewed by Mark Hahnenberg.
5037
5038 * Configurations/Base.xcconfig:
5039 * Configurations/LLVMForJSC.xcconfig:
5040
50412014-02-05 Mark Hahnenberg <mhahnenberg@apple.com>
5042
5043 Fix 32-bit builds after r163471
5044
5045 * dfg/DFGOSRExitCompilerCommon.cpp:
5046
50472014-02-05 Mark Hahnenberg <mhahnenberg@apple.com>
5048
5049 Can no longer run OctaneV2 in browser, crashes in speculationFromCell
5050 https://bugs.webkit.org/show_bug.cgi?id=128266
5051
5052 Reviewed by Filip Pizlo.
5053
5054 Move the OSR exit write barriers into OSRExitCompilerCommon. Also reorganize some
5055 of the code to be in more appropriate places.
5056
5057 * dfg/DFGOSRExitCompiler32_64.cpp:
5058 (JSC::DFG::OSRExitCompiler::compileExit):
5059 * dfg/DFGOSRExitCompiler64.cpp:
5060 (JSC::DFG::OSRExitCompiler::compileExit):
5061 * dfg/DFGOSRExitCompilerCommon.cpp:
5062 (JSC::DFG::osrWriteBarrier):
5063 (JSC::DFG::adjustAndJumpToTarget):
5064 * dfg/DFGSpeculativeJIT.cpp:
5065 * dfg/DFGSpeculativeJIT.h:
5066 * jit/AssemblyHelpers.h:
5067 (JSC::AssemblyHelpers::genericWriteBarrier):
5068
50692014-02-05 Mark Hahnenberg <mhahnenberg@apple.com>
5070
5071 Malloc called beneath MachineThreads::gatherFromOtherThread(), while forbidden
5072 https://bugs.webkit.org/show_bug.cgi?id=128202
5073
5074 Reviewed by Geoffrey Garen.
5075
5076 This patch uses the new GCSegmentedArray to replace the Vector that was used
5077 to record the set of currently executing CodeBlocks during the conservative
5078 stack scan. This is primarily to avoid the possibility of the Vector resizing
5079 while FastMalloc is forbidden.
5080
5081 * heap/BlockAllocator.h:
5082 * heap/CodeBlockSet.cpp:
5083 (JSC::CodeBlockSet::CodeBlockSet):
5084 (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
5085 * heap/CodeBlockSet.h:
5086 * heap/GCSegmentedArray.h:
5087 (JSC::GCSegmentedArray::begin):
5088 (JSC::GCSegmentedArray::end):
5089 (JSC::GCSegmentedArrayIterator::GCSegmentedArrayIterator):
5090 (JSC::GCSegmentedArrayIterator::get):
5091 (JSC::GCSegmentedArrayIterator::operator*):
5092 (JSC::GCSegmentedArrayIterator::operator->):
5093 (JSC::GCSegmentedArrayIterator::operator==):
5094 (JSC::GCSegmentedArrayIterator::operator!=):
5095 (JSC::GCSegmentedArrayIterator::operator++):
5096 * heap/Heap.cpp:
5097 (JSC::Heap::Heap):
5098
50992014-02-05 Wojciech Bielawski <w.bielawski@samsung.com>
5100
5101 XMLHttpRequest performs too many copies for ArrayBuffer results
5102 https://bugs.webkit.org/show_bug.cgi?id=117458
5103
5104 Reviewed by Alexey Proskuryakov.
5105
5106 Based on blink change: https://chromium.googlesource.com/chromium/blink/+/bed266aa5a43f7c080c87e527bd35e2b80ecc7b7
5107
5108 Add SharedBuffer::createArrayBuffer() and use it to create XMLHttpRequest's response in ArrayBuffer
5109 This cuts
5110 - two memsets (in ArrayBuffer::create and SharedBuffer::m_buffer::resize)
5111 - one copy (SharedBuffer::m_buffer to ArrayBufferContents::m_data)
5112 - one allocation (SharedBuffer::m_buffer)
5113
5114 * runtime/ArrayBuffer.h:
5115
51162014-02-05 Csaba Osztrogonác <ossy@webkit.org>
5117
5118 Remove ENABLE(SVG) guards
5119 https://bugs.webkit.org/show_bug.cgi?id=127991
5120
5121 Reviewed by Sam Weinig.
5122
5123 * Configurations/FeatureDefines.xcconfig:
5124
51252014-02-05 Zan Dobersek <zdobersek@igalia.com>
5126
5127 Remove CLASS_IF_GCC workarounds
5128 https://bugs.webkit.org/show_bug.cgi?id=128207
5129
5130 Reviewed by Anders Carlsson.
5131
5132 Remove the CLASS_IF_GCC macro that was defined to 'class' when using the GCC compiler.
5133 The macro was then used in class friendship declarations for templated classes to avoid
5134 corner-case compiler failures on both GCC pre-4.7 and MSVC pre-2013. The problematic
5135 versions of both compilers are no longer supported, so this macro is good to go.
5136
5137 * heap/HeapBlock.h:
5138 * heap/Region.h:
5139
51402014-02-04 Mark Lam <mark.lam@apple.com>
5141
5142 The stack limit computation does not work for Windows.
5143 <https://webkit.org/b/128226>
5144
5145 Reviewed by Geoffrey Garen.
5146
5147 * llint/LowLevelInterpreter.cpp:
5148 (JSC::CLoopRegister::CLoopRegister):
5149 (JSC::CLoop::execute):
5150 - Suppressed some compiler warnings for the C loop build.
5151 * runtime/VM.cpp:
5152 (JSC::VM::updateStackLimitWithReservedZoneSize):
5153 - Use the new StackBounds::recursionLimit() to compute the stack limit
5154 the right way.
5155
51562014-02-04 Andreas Kling <akling@apple.com>
5157
5158 Remove <iframe seamless> support.
5159 <https://webkit.org/b/128213>
5160
5161 Rubber-stamped by Antti Koivisto.
5162
5163 * Configurations/FeatureDefines.xcconfig:
5164
51652014-02-04 Mark Lam <mark.lam@apple.com>
5166
5167 DFG::operationTypeOf() needs to set the VM::topCallFrame.
5168 <https://webkit.org/b/128228>
5169
5170 Reviewed by Mark Hahnenberg.
5171
5172 * dfg/DFGOperations.cpp:
5173 - operationTypeOf() can end up calling into WebCore which may in turn
5174 call back to JSC, and need a valid VM::topCallFrame. So, we need to
5175 set the value of VM::topCallFrame at the top of operationTypeOf().
5176
51772014-02-04 Mark Hahnenberg <mhahnenberg@apple.com>
5178
5179 Fix !ENABLE(JIT) builds after r163418
5180
5181 * bytecode/CodeBlock.cpp:
5182 (JSC::CodeBlock::reoptimizationRetryCounter): Return 0 if there's no way for us to reoptimize.
5183
51842014-02-04 Mark Hahnenberg <mhahnenberg@apple.com>
5185
5186 Reduce boilerplate in BlockAllocator.h
5187 https://bugs.webkit.org/show_bug.cgi?id=128222
5188
5189 Reviewed by Filip Pizlo.
5190
5191 There are a lot of template specializations for the various types of HeapBlocks
5192 in BlockAllocator.h. We could reduce the spew by using a macro.
5193
5194 * heap/BlockAllocator.h:
5195
51962014-02-04 Filip Pizlo <fpizlo@apple.com>
5197
5198 DFG PutByVal on typed arrays should detect OutOfBounds sooner
5199 https://bugs.webkit.org/show_bug.cgi?id=128162
5200
5201 Reviewed by Mark Hahnenberg.
5202
5203 Just wire the m_outOfBounds flag in ArrayProfile into the OutOfBounds speculation in
5204 DFG::ArrayMode for typed arrays.
5205
5206 Also make it possible to have tests for convergence.
5207
5208 Also turn one of the LayoutTests/js/dfg- tests into a stress test because it
5209 was relying on a specific number of recompiles. Stress tests instead take
5210 the approach of just running for a while. That's more robust.
5211
5212 * bytecode/CodeBlock.h:
5213 * dfg/DFGArrayMode.cpp:
5214 (JSC::DFG::ArrayMode::fromObserved):
5215 (JSC::DFG::ArrayMode::refine):
5216 * dfg/DFGArrayMode.h:
5217 (JSC::DFG::ArrayMode::withSpeculationFromProfile):
5218 (JSC::DFG::ArrayMode::withProfile):
5219 * ftl/FTLLowerDFGToLLVM.cpp:
5220 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
5221 * jit/JITPropertyAccess.cpp:
5222 (JSC::JIT::emitIntTypedArrayPutByVal):
5223 (JSC::JIT::emitFloatTypedArrayPutByVal):
5224 * jsc.cpp:
5225 (GlobalObject::finishCreation):
5226 (functionReoptimizationRetryCount):
5227 * runtime/TestRunnerUtils.cpp:
5228 (JSC::getExecutableForFunction):
5229 (JSC::getSomeBaselineCodeBlockForFunction):
5230 (JSC::numberOfDFGCompiles):
5231 (JSC::setNeverInline):
5232 * runtime/TestRunnerUtils.h:
5233 * tests/stress/float32-repeat-out-of-bounds.js: Added.
5234 (foo):
5235 * tests/stress/int8-repeat-out-of-bounds.js: Added.
5236 (foo):
5237 * tests/stress/string-out-of-bounds-negative-proto-value.js: Added.
5238 (foo):
5239
52402014-02-04 Mark Hahnenberg <mhahnenberg@apple.com>
5241
5242 Refactor MarkStackArray to allow more than JSCells to be stored
5243 https://bugs.webkit.org/show_bug.cgi?id=128203
5244
5245 Reviewed by Geoffrey Garen.
5246
5247 This patch refactors MarkStackArray into a separate template class named GCSegmentedArray.
5248 This class allows subclassing to add functionality that only MarkStackArray wants.
5249 Since it uses the JSC BlockAllocator instead of FastMalloc, this class can be used during
5250 conservative stack scanning, which disallows using FastMalloc.
5251
5252 * GNUmakefile.list.am:
5253 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
5254 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
5255 * JavaScriptCore.xcodeproj/project.pbxproj:
5256 * heap/BlockAllocator.h:
5257 * heap/GCSegmentedArray.h: Added.
5258 (JSC::GCArraySegment::GCArraySegment):
5259 (JSC::GCArraySegment::data):
5260 * heap/GCSegmentedArrayInlines.h: Added.
5261 (JSC::GCSegmentedArray<T>::GCSegmentedArray):
5262 (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
5263 (JSC::GCSegmentedArray<T>::clear):
5264 (JSC::GCSegmentedArray<T>::expand):
5265 (JSC::GCSegmentedArray<T>::refill):
5266 (JSC::GCSegmentedArray<T>::fillVector):
5267 (JSC::GCArraySegment<T>::create):
5268 (JSC::GCSegmentedArray<T>::postIncTop):
5269 (JSC::GCSegmentedArray<T>::preDecTop):
5270 (JSC::GCSegmentedArray<T>::setTopForFullSegment):
5271 (JSC::GCSegmentedArray<T>::setTopForEmptySegment):
5272 (JSC::GCSegmentedArray<T>::top):
5273 (JSC::GCSegmentedArray<T>::validatePrevious):
5274 (JSC::GCSegmentedArray<T>::append):
5275 (JSC::GCSegmentedArray<T>::canRemoveLast):
5276 (JSC::GCSegmentedArray<T>::removeLast):
5277 (JSC::GCSegmentedArray<T>::isEmpty):
5278 (JSC::GCSegmentedArray<T>::size):
5279 * heap/MarkStack.cpp:
5280 (JSC::MarkStackArray::MarkStackArray):
5281 (JSC::MarkStackArray::~MarkStackArray):
5282 (JSC::MarkStackArray::donateSomeCellsTo):
5283 (JSC::MarkStackArray::stealSomeCellsFrom):
5284 * heap/MarkStack.h:
5285 * heap/MarkStackInlines.h:
5286
52872014-02-04 Anders Carlsson <andersca@apple.com>
5288
5289 Rename the substring sharing StringImpl::create variants to better indicate what they do
5290 https://bugs.webkit.org/show_bug.cgi?id=128214
5291
5292 Reviewed by Geoffrey Garen.
5293
5294 * runtime/JSString.h:
5295 (JSC::jsSingleCharacterSubstring):
5296 (JSC::jsSubstring8):
5297 (JSC::jsSubstring):
5298 * runtime/SmallStrings.cpp:
5299 (JSC::SmallStringsStorage::SmallStringsStorage):
5300 * runtime/StringPrototype.cpp:
5301 (JSC::jsSpliceSubstrings):
5302 (JSC::jsSpliceSubstringsWithSeparators):
5303 (JSC::replaceUsingStringSearch):
5304
53052014-02-04 Anders Carlsson <andersca@apple.com>
5306
5307 Rename StringImpl::getCharacters to StringImpl::characters
5308 https://bugs.webkit.org/show_bug.cgi?id=128205
5309
5310 Reviewed by Antti Koivisto.
5311
5312 Update for WTF changes.
5313
5314 * runtime/JSStringJoiner.cpp:
5315 (JSC::joinStrings):
5316 * runtime/StringPrototype.cpp:
5317 (JSC::splitStringByOneCharacterImpl):
5318
53192014-02-04 Mark Hahnenberg <mhahnenberg@apple.com>
5320
5321 Fix a mismatch of uint64_t and size_t on 32-bit platforms.
5322
5323 * ftl/FTLDWARFDebugLineInfo.h:
5324
53252014-01-21 Mark Hahnenberg <mhahnenberg@apple.com>
5326
5327 JSC needs to be able to parse DWARF debug_line info
5328 https://bugs.webkit.org/show_bug.cgi?id=127394
5329
5330 Reviewed by Geoffrey Garen.
5331
5332 If we want to encode IR maps in the DWARF debug line info metadata generated by LLVM,
5333 we'll need to know how to decode the .debug_line DWARF section. This patch implements
5334 an interpreter for the .debug_line DWARF section in accordance with the version 3 spec
5335 published at http://www.dwarfstd.org.
5336
5337 * JavaScriptCore.xcodeproj/project.pbxproj:
5338 * ftl/FTLDWARFDebugLineInfo.cpp: Added.
5339 (JSC::FTL::DebugLineInterpreter::DebugLineInterpreter):
5340 (JSC::FTL::read):
5341 (JSC::FTL::DebugLineInterpreter::parseULEB128):
5342 (JSC::FTL::DebugLineInterpreter::parseSLEB128):
5343 (JSC::FTL::DebugLineInterpreter::run):
5344 (JSC::FTL::DebugLineInterpreter::parsePrologue):
5345 (JSC::FTL::DebugLineInterpreter::parseIncludeDirectories):
5346 (JSC::FTL::DebugLineInterpreter::parseFileEntries):
5347 (JSC::FTL::DebugLineInterpreter::parseFileEntry):
5348 (JSC::FTL::DebugLineInterpreter::interpretStatementProgram):
5349 (JSC::FTL::DebugLineInterpreter::interpretOpcode):
5350 (JSC::FTL::DebugLineInterpreter::printLineInfo):
5351 (JSC::FTL::DebugLineInterpreter::resetInterpreterState):
5352 * ftl/FTLDWARFDebugLineInfo.h: Added.
5353 (JSC::FTL::DebugLineInterpreter::Prologue::Prologue):
5354 * ftl/FTLValueRange.cpp: Random build fix for !ENABLE(FTL_JIT).
5355
53562014-02-04 Anders Carlsson <andersca@apple.com>
5357
5358 Rename String::getCharacters to String::characters
5359 https://bugs.webkit.org/show_bug.cgi?id=128196
5360
5361 Reviewed by Andreas Kling.
5362
5363 Update for WTF::String changes.
5364
5365 * yarr/YarrParser.h:
5366 (JSC::Yarr::Parser::Parser):
5367
53682014-02-04 Mark Hahnenberg <mhahnenberg@apple.com>
5369
5370 JSC needs to be able to parse DWARF debug_line info
5371 https://bugs.webkit.org/show_bug.cgi?id=127394
5372
5373 Reviewed by Geoffrey Garen.
5374
5375 If we want to encode IR maps in the DWARF debug line info metadata generated by LLVM,
5376 we'll need to know how to decode the .debug_line DWARF section. This patch implements
5377 an interpreter for the .debug_line DWARF section in accordance with the version 3 spec
5378 published at http://www.dwarfstd.org.
5379
5380 * CMakeLists.txt:
5381 * GNUmakefile.list.am:
5382 * JavaScriptCore.xcodeproj/project.pbxproj:
5383 * ftl/FTLDWARFDebugLineInfo.cpp: Added.
5384 (JSC::FTL::DebugLineInterpreter::DebugLineInterpreter):
5385 (JSC::FTL::read):
5386 (JSC::FTL::DebugLineInterpreter::parseULEB128):
5387 (JSC::FTL::DebugLineInterpreter::parseSLEB128):
5388 (JSC::FTL::DebugLineInterpreter::run):
5389 (JSC::FTL::DebugLineInterpreter::parsePrologue):
5390 (JSC::FTL::DebugLineInterpreter::parseIncludeDirectories):
5391 (JSC::FTL::DebugLineInterpreter::parseFileEntries):
5392 (JSC::FTL::DebugLineInterpreter::parseFileEntry):
5393 (JSC::FTL::DebugLineInterpreter::interpretStatementProgram):
5394 (JSC::FTL::DebugLineInterpreter::interpretOpcode):
5395 (JSC::FTL::DebugLineInterpreter::printLineInfo):
5396 (JSC::FTL::DebugLineInterpreter::resetInterpreterState):
5397 * ftl/FTLDWARFDebugLineInfo.h: Added.
5398 (JSC::FTL::DebugLineInterpreter::Prologue::Prologue):
5399
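        The two DWARF debug_line entries above (2014-01-21 and 2014-02-04) describe an interpreter
        that walks untrusted bytes: LEB128 operands and a line-number state machine. The block below
        is an added illustration, not JSC's FTLDWARFDebugLineInfo code: a bounds-checked ULEB128/SLEB128
        decoder (rejecting truncated input and encodings wider than 64 bits) and a minimal DWARF v3
        line-program interpreter covering DW_LNS_copy, DW_LNS_advance_pc, DW_LNS_advance_line,
        special opcodes and DW_LNE_end_sequence. The prologue constants (opcode_base 13, line_base -5,
        line_range 14, minimum_instruction_length 1), the sample program and every name here
        (Decoder, LineRow, runLineProgram, demoRows) are assumptions for the example.

```cpp
// Added example (not JSC's FTLDWARFDebugLineInfo code): bounds-checked LEB128
// decoding plus a minimal DWARF v3 .debug_line state machine. The prologue
// constants, the opcode subset and all names here are assumed.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

struct LineRow { uint64_t address; int64_t line; };

class Decoder {
public:
    Decoder(const uint8_t* data, size_t size) : m_data(data), m_size(size) {}
    bool atEnd() const { return m_pos >= m_size; }

    std::optional<uint8_t> readU8() {
        if (atEnd()) return std::nullopt;                  // truncated input
        return m_data[m_pos++];
    }

    // Unsigned LEB128: 7 payload bits per byte, 0x80 marks continuation.
    // Rejects truncation and encodings that do not fit in 64 bits.
    std::optional<uint64_t> readULEB128() {
        uint64_t result = 0;
        for (unsigned shift = 0;; shift += 7) {
            auto byte = readU8();
            if (!byte || shift >= 64) return std::nullopt;
            uint64_t payload = *byte & 0x7f;
            if (shift == 63 && payload > 1) return std::nullopt; // overflow
            result |= payload << shift;
            if (!(*byte & 0x80)) return result;
        }
    }

    // Signed LEB128: same framing, then sign-extend from bit 6 of the last byte.
    std::optional<int64_t> readSLEB128() {
        uint64_t result = 0;
        unsigned shift = 0;
        uint8_t byte = 0;
        do {
            auto b = readU8();
            if (!b || shift >= 64) return std::nullopt;
            byte = *b;
            result |= uint64_t(byte & 0x7f) << shift;
            shift += 7;
        } while (byte & 0x80);
        if (shift < 64 && (byte & 0x40)) result |= ~uint64_t(0) << shift;
        return int64_t(result);
    }

private:
    const uint8_t* m_data;
    size_t m_size;
    size_t m_pos = 0;
};

// Header fields a real interpreter reads from the .debug_line prologue;
// assumed constants here (typical values) for the constructed program below.
constexpr uint8_t kOpcodeBase = 13, kLineRange = 14, kMinInstLength = 1;
constexpr int8_t kLineBase = -5;
enum : uint8_t { DW_LNS_copy = 1, DW_LNS_advance_pc = 2, DW_LNS_advance_line = 3 };
enum : uint8_t { DW_LNE_end_sequence = 1 };

// Runs a line-number program and returns the emitted rows, or nullopt when
// the stream is truncated, overflows, or uses an opcode this subset lacks.
std::optional<std::vector<LineRow>> runLineProgram(const std::vector<uint8_t>& program) {
    Decoder d(program.data(), program.size());
    std::vector<LineRow> rows;
    uint64_t address = 0;
    int64_t line = 1;                                       // DWARF initial state
    while (!d.atEnd()) {
        uint8_t opcode = *d.readU8();
        if (opcode >= kOpcodeBase) {                        // special opcode
            uint8_t adjusted = opcode - kOpcodeBase;
            address += uint64_t(adjusted / kLineRange) * kMinInstLength;
            line += int64_t(kLineBase) + adjusted % kLineRange;
            rows.push_back({ address, line });
        } else if (opcode == 0) {                           // extended opcode
            auto len = d.readULEB128();
            auto sub = d.readU8();
            if (!len || !sub || *len < 1) return std::nullopt;
            if (*sub == DW_LNE_end_sequence) {
                rows.push_back({ address, line });
                address = 0; line = 1;
            } else {
                for (uint64_t i = 1; i < *len; ++i)         // skip unknown operands
                    if (!d.readU8()) return std::nullopt;
            }
        } else if (opcode == DW_LNS_copy) {
            rows.push_back({ address, line });
        } else if (opcode == DW_LNS_advance_pc) {
            auto v = d.readULEB128();
            if (!v) return std::nullopt;
            address += *v * kMinInstLength;
        } else if (opcode == DW_LNS_advance_line) {
            auto v = d.readSLEB128();
            if (!v) return std::nullopt;
            line += *v;
        } else {
            return std::nullopt;                            // unsupported opcode
        }
    }
    return rows;
}

std::optional<uint64_t> decodeULEB128(const std::vector<uint8_t>& b) { return Decoder(b.data(), b.size()).readULEB128(); }
std::optional<int64_t> decodeSLEB128(const std::vector<uint8_t>& b) { return Decoder(b.data(), b.size()).readSLEB128(); }

// Constructed program (not from any real object file).
std::vector<LineRow> demoRows() {
    return runLineProgram({ DW_LNS_advance_pc, 0x10,         // address = 0x10
                            DW_LNS_advance_line, 0x02,       // line = 3
                            DW_LNS_copy,                     // row (0x10, 3)
                            0x2f,                            // special: adjusted 34 -> row (0x12, 4)
                            0x00, 0x01, DW_LNE_end_sequence  // row (0x12, 4), then reset
                          }).value_or(std::vector<LineRow>{});
}
```

        The point for a reviewer of such a parser is that every operand read can fail: the LEB128
        readers bound the shift so a long run of continuation bytes cannot shift past the 64-bit
        accumulator, and the program loop propagates a failed read instead of continuing with a
        default value.
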
2014-02-04 Mark Hahnenberg <mhahnenberg@apple.com>

        ASSERT in speculateMachineInt on 32-bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=128155

        Reviewed by Filip Pizlo.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2014-02-04 Mark Hahnenberg <mhahnenberg@apple.com>

        GC timer should always do a FullCollection
        https://bugs.webkit.org/show_bug.cgi?id=128186

        Reviewed by Michael Saboff.

        Right now the GC timer does whatever type of collection the next collection
        would have been, which is almost always an EdenCollection. It then thinks
        that it has done all of the work it was supposed to do and never schedules
        another GC. Ideally we'd like to have some heuristics for the timer that
        would schedule both EdenCollections and FullCollections, but the easiest
        fix for now is to always do FullCollections since that will at least be
        a non-regression.

        * heap/Heap.h:
        (JSC::Heap::gcTimerDidFire):
        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::doWork):

2014-02-03 Filip Pizlo <fpizlo@apple.com>

        Lift the FTL tier-up threshold from 25000 to 100000
        https://bugs.webkit.org/show_bug.cgi?id=128158

        Rubber stamped by Michael Saboff.

        * runtime/Options.h:

2014-02-03 Mark Hahnenberg <mhahnenberg@apple.com>

        LLInt: Regex for pseudo-instructions is too big
        https://bugs.webkit.org/show_bug.cgi?id=128148

        Reviewed by Mark Lam.

        * offlineasm/instructions.rb:
        * offlineasm/parser.rb:

2014-02-03 Brian Burg <bburg@apple.com>

        Web Replay: upstream base input classes and the input cursor interface
        https://bugs.webkit.org/show_bug.cgi?id=128110

        Reviewed by Joseph Pecoraro.

        Add the base class for all replay inputs. Add InputTraits, a trait that
        provides an input's queue, type, and encode/decode methods statically so
        that they can be used within templated helper functions in InputCursor and
        EncodedValue.

        Add the InputCursor base class which mediates the saving and fetching of
        replay inputs from a replay recording by instrumented nondeterministic code.

        Add a dummy cursor implementation. This allows us to return a cursor reference
        to clients even if no capturing or replaying is happening.

        Add the ability to set an InputCursor instance on a JSGlobalObject. This
        is the means for connecting a replay recording to a script context.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * replay/EmptyInputCursor.h: Added.
        (JSC::EmptyInputCursor::~EmptyInputCursor):
        (JSC::EmptyInputCursor::create):
        (JSC::EmptyInputCursor::EmptyInputCursor):
        * replay/InputCursor.h: Added.
        (JSC::InputCursor::InputCursor):
        (JSC::InputCursor::~InputCursor):
        (JSC::InputCursor::appendInput):
        (JSC::InputCursor::fetchInput):
        * replay/NondeterministicInput.h: Added.
        (JSC::NondeterministicInputBase::NondeterministicInputBase):
        (JSC::NondeterministicInputBase::~NondeterministicInputBase):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::setInputCursor):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::inputCursor):

2014-02-03 Mark Hahnenberg <mhahnenberg@apple.com>

        Fix the cloop due to GenGC
        https://bugs.webkit.org/show_bug.cgi?id=128137

        Reviewed by Geoffrey Garen.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_write_barrier_slow):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoopRegister::operator JSCell*):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/cloop.rb:
        * offlineasm/instructions.rb:

2014-02-03 Michael Saboff <msaboff@apple.com>

        REGRESSION (r163011-r163031): Web Inspector: Latest nightly crashes when showing the Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=127901

        Reviewed by Geoffrey Garen.

        Set VM::topCallFrame before making calls to possible C++ code in
        generateProtoChainAccessStub() and tryBuildGetByIDList().

        * jit/Repatch.cpp:
        (JSC::generateProtoChainAccessStub):
        (JSC::tryBuildGetByIDList):

2014-02-03 Andreas Kling <akling@apple.com>

        Keep only captured symbols in CodeBlock symbol tables.
        <https://webkit.org/b/128050>

        Discard all uncaptured symbols at the end of codegen since only
        the captured ones will be used after that point.

        ~2MB progression on Membuster OSUS.

        Reviewed by Geoffrey Garen.

        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::setSymbolTable):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):

2014-02-03 Mark Hahnenberg <mhahnenberg@apple.com>

        Fix the LLInt C loop

        Rubber stamped by Mark Lam.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_write_barrier_slow):
        * llint/LLIntSlowPaths.h:

2014-02-03 Dean Jackson <dino@apple.com>

        Feature flag for shape-inside
        https://bugs.webkit.org/show_bug.cgi?id=128001

        Reviewed by Simon Fraser.

        Add CSS_SHAPE_INSIDE flag.

        * Configurations/FeatureDefines.xcconfig:

2014-02-03 Oliver Hunt <oliver@apple.com>

        Deconstructed parameters aren't being placed in the correct scope
        https://bugs.webkit.org/show_bug.cgi?id=128126

        Reviewed by Antti Koivisto.

        Make sure we declare the bound parameter names as variables when
        we reparse. In the BytecodeGenerator we now also directly ensure
        that bound parameters are placed in the symbol table of the function
        we're currently compiling. We then delay binding until just before
        we start codegen for the body of the function so that we can ensure
        the function has completely initialised all scope details.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::createBindingPattern):

2014-02-03 Alexey Proskuryakov <ap@apple.com>

        Update JS whitespace definition for changes in Unicode 6.3
        https://bugs.webkit.org/show_bug.cgi?id=127450

        Reviewed by Oliver Hunt.

        * parser/Lexer.h: (JSC::Lexer<UChar>::isWhiteSpace): Part 2 of the fix, update lexer too.

2014-02-03 Matthew Mirman <mmirman@apple.com>

        Added GetTypedArrayByteOffset to FTL
        https://bugs.webkit.org/show_bug.cgi?id=127589

        Reviewed by Filip Pizlo.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
        * tests/stress/ftl-gettypedarrayoffset-simple.js: Added.
        (foo):
        * tests/stress/ftl-gettypedarrayoffset-wasteful.js: Added.
        (foo):

2014-02-03 Mark Lam <mark.lam@apple.com>

        Debugger created JSActivations should account for CodeBlock::framePointerOffsetToGetActivationRegisters().
        <https://webkit.org/b/128112>

        Reviewed by Geoffrey Garen.

        Currently, when the DebuggerCallFrame creates the JSActivation object
        for a frame, it does not account for the framePointerOffsetToGetActivationRegisters()
        offset that needs to be added for DFG frames.

        Instead of special casing the fix in DebuggerCallFrame::scope(), we fix
        this by adding CodeBlock::framePointerOffsetToGetActivationRegisters() to
        callFrame->registers() in the JSActivation::create() method that does not
        explicitly take a Register*. This ensures that JSActivation::create() will
        always do the right thing instead of only being a special case for the
        LLINT and baselineJIT.

        Apart from the DebuggerCallFrame, this create() function is only called by
        slow paths in the LLINT and baselineJIT. Hence, it is not performance
        critical.

        * runtime/JSActivation.h:
        (JSC::JSActivation::create):

2014-01-31 Geoffrey Garen <ggaren@apple.com>

        Simplified name scope creation for function expressions
        https://bugs.webkit.org/show_bug.cgi?id=128031

        Reviewed by Mark Lam.

        3X speedup on js/regress/script-tests/function-with-eval.js.

        We used to emit bytecode to push a name into local scope every
        time a function that needed such a name executed. Now, we push the name
        into scope once on the function object, and leave it there.

        This is faster, and it also reduces the number of variable resolution
        modes you have to worry about when thinking about bytecode and the
        debugger.

        This patch is slightly complicated by the fact that we don't know if
        a function needs a name scope until we parse its body. So, there's some
        glue code in here to delay filling in a function's scope until we parse
        its body for the first time.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::functionMode): Renamed
        functionNameIsInScopeToggle to functionMode.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator): No need to emit convert_this
        when debugging. The debugger will perform the conversion as needed.

        (JSC::BytecodeGenerator::resolveCallee):
        (JSC::BytecodeGenerator::addCallee): Simplified this code by removing
        the "my function needs a name scope, but didn't allocate one" mode.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall): Pass a scope slot through to
        CodeBlock generation, so we can add a function name scope if the parsed
        function body requires one.

        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall): Ditto.

        * parser/NodeConstructors.h:
        (JSC::FuncExprNode::FuncExprNode):
        (JSC::FuncDeclNode::FuncDeclNode):
        * parser/Nodes.cpp:
        (JSC::FunctionBodyNode::finishParsing):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::functionMode): Updated for rename.

        * parser/ParserModes.h:
        (JSC::functionNameIsInScope):
        (JSC::functionNameScopeIsDynamic): Helper functions for reasoning about
        how crazy JavaScript language semantics are.

        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        (JSC::attemptFastSort): Updated for interface changes above.

        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        (JSC::FunctionExecutable::FunctionExecutable):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::prepareForExecution):
        (JSC::FunctionExecutable::functionMode):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::addNameScopeIfNeeded):
        * runtime/JSFunction.h:
        * runtime/JSNameScope.h:
        (JSC::JSNameScope::create):
        (JSC::JSNameScope::JSNameScope): Added machinery for pushing a function
        name scope onto a function when we first discover that it's needed.

2014-01-25 Darin Adler <darin@apple.com>

        Stop using Unicode.h
        https://bugs.webkit.org/show_bug.cgi?id=127633

        Reviewed by Anders Carlsson.

        * parser/Lexer.h:
        * runtime/JSGlobalObjectFunctions.h:
        * yarr/YarrCanonicalizeUCS2.h:
        * yarr/YarrInterpreter.h:
        * yarr/YarrParser.h:
        * yarr/YarrPattern.h:
        Removed includes of <wtf/unicode/Unicode.h>, adding includes of
        ICU headers and <wtf/text/LChar.h> as needed to replace it.

2014-02-03 Dan Bernstein <mitz@apple.com>

        Correctly address Darin’s review comment on the last change.

        * runtime/Watchdog.h: Changed an OS(DARWIN) guard around formerly PLATFORM(MAC)-only member
        variables to the equivalent OS(DARWIN) && !PLATFORM(EFL) && !PLATFORM(GTK).

2014-02-03 Dan Bernstein <mitz@apple.com>

        Stop using PLATFORM(MAC) in JavaScriptCore except where it means “OS X but not iOS”
        https://bugs.webkit.org/show_bug.cgi?id=128098

        Reviewed by Darin Adler.

        * API/JSValueRef.cpp:
        (JSValueUnprotect): Added an explicit !PLATFORM(IOS) in guards for the Evernote workaround,
        which is only needed on OS X.

        * API/tests/testapi.c:
        (main): Changed PLATFORM(MAC) || PLATFORM(IOS) guards to OS(DARWIN), because they were
        surrounding tests for code that is itself guarded by OS(DARWIN).

        * runtime/Watchdog.h: Changed PLATFORM(MAC) to OS(DARWIN).

        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::begin): Changed PLATFORM(MAC) to
        OS(DARWIN) && !PLATFORM(EFL) && !PLATFORM(GTK).
        (JSC::CodeProfiling::end): Ditto.

2014-02-02 Mark Lam <mark.lam@apple.com>

        Repatch code is passing the wrong args to lookupExceptionHandler.
        <https://webkit.org/b/128085>

        Reviewed by Oliver Hunt.

        lookupExceptionHandler() is expecting 2 args: VM*, ExecState*.
        The repatch code was only passing an ExecState*. A crash ensues.
        This is now fixed.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/Repatch.cpp:
        (JSC::generateProtoChainAccessStub):

2014-02-01 Filip Pizlo <fpizlo@apple.com>

        JSC profiler's stub info profiling support should work again
        https://bugs.webkit.org/show_bug.cgi?id=128057

        Reviewed by Mark Lam.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus): We want to know if the cache was ever reset by GC, since the DFG uses this information.
        (JSC::CodeBlock::printLocationAndOp): This shouldn't have been inline.
        (JSC::CodeBlock::printLocationOpAndRegisterOperand): Ditto.
        (JSC::CodeBlock::dumpBytecode): Dump the profiling field, and make sure that the caller can pass a StubInfoMap, which is necessary for dumping StructureStubInfo profiling.
        * bytecode/CodeBlock.h: Out-of-line some methods and add the StubInfoMap parameter.
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence): Create a StubInfoMap before dumping bytecodes.

2014-02-01 Filip Pizlo <fpizlo@apple.com>

        JSC profiler should show reasons for jettison
        https://bugs.webkit.org/show_bug.cgi?id=128047

        Reviewed by Geoffrey Garen.

        Henceforth if you want to jettison a CodeBlock, you gotta tell the Profiler why you did
        it. This makes figuring out convergence issues - where some code seems to take a long
        time to get into the top tier compiler - a lot easier.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::addBreakpoint):
        (JSC::CodeBlock::setSteppingMode):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::Compilation):
        (JSC::Profiler::Compilation::toJS):
        * profiler/ProfilerCompilation.h:
        (JSC::Profiler::Compilation::setJettisonReason):
        * profiler/ProfilerJettisonReason.cpp: Added.
        (WTF::printInternal):
        * profiler/ProfilerJettisonReason.h: Added.
        * runtime/CommonIdentifiers.h:
        * runtime/VM.cpp:
5827 (JSC::SetEnabledProfilerFunctor::operator()):
5828
58292014-02-01 Mark Lam <mark.lam@apple.com>
5830
5831 Saying "jitType() == JITCode::DFGJIT" is almost never correct.
5832 <http://webkit.org/b/128045>
5833
5834 Reviewed by Filip Pizlo.
5835
5836 JITCode::isOptimizingJIT(jitType()) is the right way to say it.
5837
5838 * bytecode/CodeBlock.cpp:
5839 (JSC::CodeBlock::addBreakpoint):
5840 (JSC::CodeBlock::setSteppingMode):
5841 * runtime/VM.cpp:
5842 (JSC::SetEnabledProfilerFunctor::operator()):
5843
58442014-02-01 Michael Saboff <msaboff@apple.com>
5845
5846 REGRESSION (r163027?): CrashTracer: [USER] com.apple.WebKit.WebContent.Development at com.apple.JavaScriptCore: JSC::ArrayProfile::computeUpdatedPrediction + 4
5847 https://bugs.webkit.org/show_bug.cgi?id=128037
5848
5849 Reviewed by Mark Lam.
5850
5851 op_call_varargs ops now needs an ArrayProfile since DFG inlines these since
5852 change set r162739.
5853
5854 * bytecode/CodeBlock.cpp:
5855 (JSC::CodeBlock::CodeBlock):
5856 * bytecompiler/BytecodeGenerator.cpp:
5857 (JSC::BytecodeGenerator::emitCallVarargs):
5858
58592014-01-31 Mark Lam <mark.lam@apple.com>
5860
5861 Gardening: fix build breakage.
5862
5863 Not reviewed.
5864
5865 * interpreter/CallFrame.h:
5866
58672014-01-31 Mark Lam <mark.lam@apple.com>
5868
5869 Gardening: Fix a merge problem to unbreak bots.
5870
5871 Not reviewed.
5872
5873 * bytecompiler/BytecodeGenerator.cpp:
5874 (JSC::BytecodeGenerator::BytecodeGenerator):
5875
58762014-01-31 Oliver Hunt <oliver@apple.com>
5877
5878 Rollout r163195 and related patches
5879
5880 * API/JSCallbackObjectFunctions.h:
5881 (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
5882 (JSC::JSCallbackObject<Parent>::put):
5883 (JSC::JSCallbackObject<Parent>::deleteProperty):
5884 (JSC::JSCallbackObject<Parent>::getStaticValue):
5885 (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
5886 (JSC::JSCallbackObject<Parent>::callbackGetter):
5887 * CMakeLists.txt:
5888 * DerivedSources.make:
5889 * GNUmakefile.am:
5890 * GNUmakefile.list.am:
5891 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
5892 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
5893 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
5894 * JavaScriptCore.vcxproj/copy-files.cmd:
5895 * JavaScriptCore.xcodeproj/project.pbxproj:
5896 * builtins/Array.prototype.js: Removed.
5897 * builtins/BuiltinExecutables.cpp: Removed.
5898 * builtins/BuiltinExecutables.h: Removed.
5899 * bytecode/CodeBlock.cpp:
5900 (JSC::CodeBlock::CodeBlock):
5901 * bytecode/CodeBlock.h:
5902 * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
5903 * bytecode/UnlinkedCodeBlock.cpp:
5904 (JSC::generateFunctionCodeBlock):
5905 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
5906 (JSC::UnlinkedFunctionExecutable::codeBlockFor):
5907 (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
5908 * bytecode/UnlinkedCodeBlock.h:
5909 (JSC::ExecutableInfo::ExecutableInfo):
5910 (JSC::UnlinkedFunctionExecutable::create):
5911 * bytecompiler/BytecodeGenerator.cpp:
5912 (JSC::BytecodeGenerator::BytecodeGenerator):
5913 * bytecompiler/BytecodeGenerator.h:
5914 (JSC::BytecodeGenerator::makeFunction):
5915 * bytecompiler/NodesCodegen.cpp:
5916 (JSC::CallFunctionCallDotNode::emitBytecode):
5917 (JSC::ApplyFunctionCallDotNode::emitBytecode):
5918 * create_hash_table:
5919 * dfg/DFGDominators.cpp:
5920 * dfg/DFGJITCode.cpp:
5921 * dfg/DFGOperations.cpp:
5922 * generate-js-builtins: Removed.
5923 * interpreter/CachedCall.h:
5924 (JSC::CachedCall::CachedCall):
5925 * interpreter/Interpreter.cpp:
5926 * interpreter/ProtoCallFrame.cpp:
5927 * jit/JITOpcodes.cpp:
5928 * jit/JITOpcodes32_64.cpp:
5929 * jit/JITOperations.cpp:
5930 * jit/JITPropertyAccess.cpp:
5931 * jit/JITPropertyAccess32_64.cpp:
5932 * jsc.cpp:
5933 * llint/LLIntOffsetsExtractor.cpp:
5934 * llint/LLIntSlowPaths.cpp:
5935 * parser/ASTBuilder.h:
5936 (JSC::ASTBuilder::makeFunctionCallNode):
5937 * parser/Lexer.cpp:
5938 (JSC::Lexer<T>::Lexer):
5939 (JSC::Lexer<LChar>::parseIdentifier):
5940 (JSC::Lexer<UChar>::parseIdentifier):
5941 (JSC::Lexer<T>::lex):
5942 * parser/Lexer.h:
5943 (JSC::Lexer<T>::lexExpectIdentifier):
5944 * parser/Nodes.cpp:
5945 * parser/Nodes.h:
5946 * parser/Parser.cpp:
5947 (JSC::Parser<LexerType>::Parser):
5948 (JSC::Parser<LexerType>::parseInner):
5949 (JSC::Parser<LexerType>::didFinishParsing):
5950 (JSC::Parser<LexerType>::printUnexpectedTokenText):
5951 * parser/Parser.h:
5952 (JSC::parse):
5953 * parser/ParserModes.h:
5954 * parser/ParserTokens.h:
5955 * runtime/Arguments.h:
5956 * runtime/ArgumentsIteratorPrototype.cpp:
5957 * runtime/ArrayPrototype.cpp:
5958 (JSC::arrayProtoFuncEvery):
5959 * runtime/CodeCache.cpp:
5960 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
5961 * runtime/CommonIdentifiers.cpp:
5962 (JSC::CommonIdentifiers::CommonIdentifiers):
5963 * runtime/CommonIdentifiers.h:
5964 * runtime/CommonSlowPaths.cpp:
5965 * runtime/CommonSlowPathsExceptions.cpp:
5966 * runtime/ExceptionHelpers.cpp:
5967 (JSC::createUndefinedVariableError):
5968 * runtime/Executable.h:
5969 (JSC::EvalExecutable::executableInfo):
5970 (JSC::ProgramExecutable::executableInfo):
5971 (JSC::isHostFunction):
5972 * runtime/FunctionPrototype.cpp:
5973 (JSC::functionProtoFuncToString):
5974 * runtime/JSActivation.cpp:
5975 (JSC::JSActivation::symbolTableGet):
5976 (JSC::JSActivation::symbolTablePut):
5977 (JSC::JSActivation::symbolTablePutWithAttributes):
5978 * runtime/JSArgumentsIterator.cpp:
5979 * runtime/JSArray.cpp:
5980 * runtime/JSArrayIterator.cpp:
5981 * runtime/JSCJSValue.cpp:
5982 * runtime/JSCellInlines.h:
5983 * runtime/JSFunction.cpp:
5984 (JSC::JSFunction::calculatedDisplayName):
5985 (JSC::JSFunction::sourceCode):
5986 (JSC::JSFunction::callerGetter):
5987 (JSC::JSFunction::getOwnPropertySlot):
5988 (JSC::JSFunction::getOwnNonIndexPropertyNames):
5989 (JSC::JSFunction::put):
5990 (JSC::JSFunction::defineOwnProperty):
5991 * runtime/JSFunction.h:
5992 * runtime/JSFunctionInlines.h:
5993 (JSC::JSFunction::nativeFunction):
5994 (JSC::JSFunction::nativeConstructor):
5995 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
5996 * runtime/JSGenericTypedArrayViewInlines.h:
5997 * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
5998 * runtime/JSGlobalObject.cpp:
5999 (JSC::JSGlobalObject::reset):
6000 (JSC::JSGlobalObject::visitChildren):
6001 * runtime/JSGlobalObject.h:
6002 (JSC::JSGlobalObject::symbolTableHasProperty):
6003 * runtime/JSObject.cpp:
6004 (JSC::getClassPropertyNames):
6005 (JSC::JSObject::reifyStaticFunctionsForDelete):
6006 * runtime/JSObject.h:
6007 * runtime/JSPromiseConstructor.cpp:
6008 * runtime/JSPromiseDeferred.cpp:
6009 * runtime/JSPromisePrototype.cpp:
6010 * runtime/JSPromiseReaction.h:
6011 * runtime/JSPropertyNameIterator.cpp:
6012 * runtime/JSPropertyNameIterator.h:
6013 * runtime/JSString.h:
6014 (JSC::JSString::getStringPropertySlot):
6015 (JSC::inlineJSValueNotStringtoString):
6016 (JSC::JSValue::toWTFStringInline):
6017 * runtime/JSStringInlines.h: Removed.
6018 * runtime/JSSymbolTableObject.cpp:
6019 (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
6020 * runtime/JSSymbolTableObject.h:
6021 (JSC::symbolTableGet):
6022 (JSC::symbolTablePut):
6023 (JSC::symbolTablePutWithAttributes):
6024 * runtime/Lookup.cpp:
6025 (JSC::setUpStaticFunctionSlot):
6026 * runtime/Lookup.h:
6027 (JSC::HashEntry::propertyGetter):
6028 (JSC::HashEntry::propertyPutter):
6029 (JSC::HashTable::entry):
6030 (JSC::getStaticPropertySlot):
6031 (JSC::getStaticValueSlot):
6032 (JSC::putEntry):
6033 * runtime/NativeErrorConstructor.cpp:
6034 * runtime/NativeErrorConstructor.h:
6035 (JSC::NativeErrorConstructor::finishCreation):
6036 * runtime/PropertySlot.h:
6037 * runtime/RegExpConstructor.cpp:
6038 * runtime/RegExpPrototype.cpp:
6039 * runtime/SetConstructor.cpp:
6040 * runtime/StringObject.cpp:
6041 * runtime/Structure.cpp:
6042 * runtime/VM.cpp:
6043 (JSC::VM::VM):
6044 * runtime/VM.h:
6045
60462014-01-31 Filip Pizlo <fpizlo@apple.com>
6047
6048 DFG->FTL tier-up shouldn't assume that LoopHints stay at the tops of loops
6049 https://bugs.webkit.org/show_bug.cgi?id=128030
6050
6051 Reviewed by Oliver Hunt.
6052
6053 Remove a bogus assertion. The only thing that matters is that the LoopHint had at one
6054 point in time been at the top of a loop header, and that it is now at the top of a
6055 basic block. But the basic block that it's at the top of now doesn't have to be the
6056 same as the loop header that it once was the top of.
6057
6058 * dfg/DFGTierUpCheckInjectionPhase.cpp:
6059 (JSC::DFG::TierUpCheckInjectionPhase::run):
6060 * tests/stress/tier-up-in-loop-with-cfg-simplification.js: Added.
6061 (foo):
6062
60632014-01-31 Mark Lam <mark.lam@apple.com>
6064
6065 Avoid eagerly creating the JSActivation when the debugger is attached.
6066 <https://webkit.org/b/127910>
6067
6068 Reviewed by Oliver Hunt.
6069
6070 Octane scores for this patch:
6071 baseline w/o WebInspector: 11621
6072 patched w/o WebInspector: 11801
6073 baseline w/ WebInspector: 3295
6074 patched w/ WebInspector: 7070 2.1x improvement
6075
6076 1. Because debugger can potentially create a closure from any call frame,
6077 we need every function to allocate an activation register and check for
6078 the need to tear off the activation (if needed) on return.
6079
6080 However, we do not need to eagerly create the activation object.
6081 This patch implements the optimization to defer creation of the
6082 activation object until we actually need it i.e. when:
6083
6084 1. We encounter a "eval", "with", or "catch" statement.
6085 2. We've paused in the debugger, and called DebuggerCallFrame::scope().
6086
6087 2. The UnlinkedCodeBlock provides a needsFullScopeChain flag that is used
6088 to indicate whether the linked CodeBlock will need an activation
6089 object or not. Under normal circumstances, needsFullScopeChain and
6090 needsActivation are synonymous. However, with a debugger attached, we
6091 want the CodeBlock to always allocate an activationRegister even if
6092 it does not need a "full scope chain".
6093
6094 Hence, we apply the following definitions to the "flags":
6095
6096 1. UnlinkedCodeBlock::needsFullScopeChain() - this flag indicates that
6097 the parser discovered JS artifacts (e.g. use of "eval", "with", etc.)
6098 that requires an activation.
6099
6100 BytecodeGenerator's destinationForAssignResult() and leftHandSideNeedsCopy()
6101 checks needsFullScopeChain().
6102
6103 2. UnlinkedCodeBlock::hasActivationRegister() - this flag indicates that
6104 an activation register was created for the UnlinkedCodeBlock either
6105 because it needsFullScopeChain() or because the debugger is attached.
6106
6107 3. CodeBlock::needsActivation() reflects UnlinkedCodeBlock's
6108 hasActivationRegister().
6109
6110 3. Introduced BytecodeGenerator::emitPushFunctionNameScope() and
6111 BytecodeGenerator::emitPushCatchScope() because the JSNameScope
6112 pushed for a function name cannot be popped unlike the JSNameScope
6113 pushed for a "catch". Hence, we have 2 functions to handle the 2 cases
6114 differently.
6115
6116 4. Removed DebuggerCallFrame::evaluateWithCallFrame() and require that all
6117 debugger evaluations go through the DebuggerCallFrame::evaluate(). This
6118 ensures that debugger evaluations require a DebuggerCallFrame.
6119
6120 DebuggerCallFrame::evaluateWithCallFrame() was used previously because
6121 we didn't want to instantiate a DebuggerCallFrame on every debug hook
6122 callback. However, we now only call the debug hooks when needed, and
6123 this no longer poses a performance problem.
6124
6125 In addition, when the debug hook does an eval to test a breakpoint
6126 condition, it is incorrect to evaluate it without a DebuggerCallFrame
6127 anyway.
6128
6129 5. Added some utility functions to the CallFrame to make it easier to work
6130 with the activation register in the frame (if present). These utility
6131 functions should only be called if the CodeBlock::needsActivation() is
6132 true (which indicates the presence of the activation register). The
6133 utlity functions are:
6134
6135 1. CallFrame::hasActivation()
6136 - checks if the frame's activation object has been created.
6137
6138 2. CallFrame::activation()
6139 - returns the frame's activation object.
6140
6141 3. CallFrame::uncheckedActivation()
6142 - returns the JSValue in the frame's activation register. May be null.
6143
6144 4. CallFrame::setActivation()
6145 - sets the frame's activation object.
6146
6147 * bytecode/CodeBlock.cpp:
6148 (JSC::CodeBlock::dumpBytecode):
6149 - added symbollic dumping of ResolveMode and ResolveType values for some
6150 bytecodes.
6151 (JSC::CodeBlock::CodeBlock):
6152 * bytecode/CodeBlock.h:
6153 (JSC::CodeBlock::activationRegister):
6154 (JSC::CodeBlock::uncheckedActivationRegister):
6155 (JSC::CodeBlock::needsActivation):
6156 * bytecode/UnlinkedCodeBlock.h:
6157 (JSC::UnlinkedCodeBlock::needsFullScopeChain):
6158 (JSC::UnlinkedCodeBlock::hasActivationRegister):
6159 * bytecompiler/BytecodeGenerator.cpp:
6160 (JSC::BytecodeGenerator::BytecodeGenerator):
6161 (JSC::BytecodeGenerator::resolveCallee):
6162 (JSC::BytecodeGenerator::createActivationIfNecessary):
6163 (JSC::BytecodeGenerator::emitCallEval):
6164 (JSC::BytecodeGenerator::emitReturn):
6165 (JSC::BytecodeGenerator::emitPushWithScope):
6166 (JSC::BytecodeGenerator::emitPushFunctionNameScope):
6167 (JSC::BytecodeGenerator::emitPushCatchScope):
6168 * bytecompiler/BytecodeGenerator.h:
6169 * bytecompiler/NodesCodegen.cpp:
6170 (JSC::TryNode::emitBytecode):
6171 * debugger/Debugger.cpp:
6172 (JSC::Debugger::hasBreakpoint):
6173 (JSC::Debugger::pauseIfNeeded):
6174 * debugger/DebuggerCallFrame.cpp:
6175 (JSC::DebuggerCallFrame::scope):
6176 (JSC::DebuggerCallFrame::evaluate):
6177 * debugger/DebuggerCallFrame.h:
6178 * dfg/DFGByteCodeParser.cpp:
6179 (JSC::DFG::ByteCodeParser::parseCodeBlock):
6180 * dfg/DFGGraph.h:
6181 - Removed an unused function DFGGraph::needsActivation().
6182 * interpreter/CallFrame.cpp:
6183 (JSC::CallFrame::activation):
6184 (JSC::CallFrame::setActivation):
6185 * interpreter/CallFrame.h:
6186 (JSC::ExecState::hasActivation):
6187 (JSC::ExecState::registers):
6188 * interpreter/CallFrameInlines.h:
6189 (JSC::CallFrame::uncheckedActivation):
6190 * interpreter/Interpreter.cpp:
6191 (JSC::unwindCallFrame):
6192 (JSC::Interpreter::unwind):
6193 * jit/JITOperations.cpp:
6194 * llint/LLIntSlowPaths.cpp:
6195 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
6196 * runtime/CommonSlowPaths.cpp:
6197 (JSC::SLOW_PATH_DECL):
6198
6199 * runtime/JSScope.cpp:
6200 * runtime/JSScope.h:
6201 (JSC::resolveModeName):
6202 (JSC::resolveTypeName):
6203 - utility functions for decoding names of the ResolveMode and ResolveType.
6204 These are used in CodeBlock::dumpBytecode().
6205
62062014-01-31 Michael Saboff <msaboff@apple.com>
6207
6208 REGRESSION: Crash in sanitizeStackForVMImpl when scrolling @ lifehacker.com.au
6209 https://bugs.webkit.org/show_bug.cgi?id=128017
6210
6211 Reviewed by Filip Pizlo.
6212
6213 Moved the setting and saving of VM::stackPointerAtVMEntry and the corresponding stack limit
6214 to JSLock and JSLock::DropAllLocks. The saved data is now stored in per-thread in
6215 WTFThreadData.
6216
6217 * runtime/InitializeThreading.cpp:
6218 (JSC::initializeThreading):
6219 * runtime/JSLock.cpp:
6220 (JSC::JSLock::lock):
6221 (JSC::JSLock::unlock):
6222 (JSC::JSLock::DropAllLocks::DropAllLocks):
6223 (JSC::JSLock::DropAllLocks::~DropAllLocks):
6224 * runtime/JSLock.h:
6225 * runtime/VMEntryScope.cpp:
6226 (JSC::VMEntryScope::VMEntryScope):
6227 (JSC::VMEntryScope::~VMEntryScope):
6228 * runtime/VMEntryScope.h:
6229
62302014-01-31 Mark Lam <mark.lam@apple.com>
6231
6232 Don't need a JSNameScope for the callee name just for the debugger.
6233 <https://webkit.org/b/128024>
6234
6235 Reviewed by Geoffrey Garen.
6236
6237 Currently, in the bytecode for a function, we push a JSNamedScope for
6238 the name of the function when a debugger is attached. The name scope for
6239 the function name is only needed for evals which can redefine the name
6240 to resolve to something else, and can later delete the redefined name
6241 which should revert the resolution of the name to the original function.
6242 The debugger does not need this feature because it declares all new vars
6243 in a temporary nested scope. Hence, we can remove the presence of the
6244 debugger as a criteria for pushing the JSNameScope.
6245
6246 * bytecompiler/BytecodeGenerator.cpp:
6247 (JSC::BytecodeGenerator::resolveCallee):
6248 (JSC::BytecodeGenerator::addCallee):
6249
62502014-01-31 Filip Pizlo <fpizlo@apple.com>
6251
6252 Unreviewed, build fix.
6253
6254 * ftl/FTLOSREntry.cpp:
6255
62562014-01-31 Oliver Hunt <oliver@apple.com>
6257
6258 Fix windows
6259
6260 * generate-js-builtins:
6261
62622014-01-31 Oliver Hunt <oliver@apple.com>
6263
6264 Fix 32bit.
6265
6266 * jit/JITPropertyAccess32_64.cpp:
6267
62682014-01-31 Mark Lam <mark.lam@apple.com>
6269
6270 Add options to force debugger / profiler bytecode generation.
6271 <https://webkit.org/b/128014>
6272
6273 Reviewed by Oliver Hunt.
6274
6275 Add Options::forceDebuggerBytecodeGeneration() and
6276 Options::forceProfilerBytecodeGeneration(). These options make it more
6277 convenient to do correctness testing when debugger / profiler bytecodes
6278 are generated.
6279
6280 These options are disabled by default.
6281
6282 * bytecompiler/BytecodeGenerator.cpp:
6283 (JSC::BytecodeGenerator::BytecodeGenerator):
6284 * runtime/Options.h:
6285
62862014-01-29 Oliver Hunt <oliver@apple.com>
6287
6288 Make it possible to implement JS builtins in JS
6289 https://bugs.webkit.org/show_bug.cgi?id=127887
6290
6291 Reviewed by Michael Saboff.
6292
6293 This patch makes it possible to write builtin functions in JS.
6294 The bindings, generators, and definitions are all created automatically
6295 based on js files in the builtins/ directory. This patch includes one
6296 such case: Array.prototype.js with an implementation of every().
6297
6298 There's a lot of refactoring to make it possible for CommonIdentifiers
6299 to include the output of the generated files (DerivedSources/JSCBuiltins.{h,cpp})
6300 without breaking the offset extractor. The result of this refactoring
6301 is that CommonIdentifiers, and a few other miscellaneous headers now
6302 need to be included directly as they were formerly captured through other
6303 paths.
6304
6305 In addition this adds a flag to the Lookup table's hashentry to indicate
6306 that a static function is actually backed by JS. There is then a lot of
6307 logic to thread the special nature of the functon to where it matters.
6308 This allows toString(), .caller, etc to mimic the behaviour of a host
6309 function.
6310
6311 Notes on writing builtins:
6312 - Each function is compiled independently of the others, and those
6313 implementations cannot currently capture all global properties (as
6314 that could be potentially unsafe). If a function does capture a
6315 global we will deliberately crash.
6316 - For those "global" properties that we do want access to, we use
6317 the @ prefix, e.g. Object(this) becomes @Object(this). The @ identifiers
6318 are private names, and behave just like regular properties, only
6319 without the risk of adulteration. Again, in the @Object case, we
6320 explicitly duplicate the ObjectConstructor reference on the GlobalObject
6321 so that we have guaranteed access to the original version of the
6322 constructor.
6323 - call, apply, eval, and Function are all rejected identifiers, again
6324 to prevent anything from accidentally using an adulterated object.
6325 Instead @call and @apply are available, and happily they completely
6326 drop the neq_ptr instruction as they're defined as always being the
6327 original call/apply functions.
6328
6329 These restrictions are just intended to make it harder to accidentally
6330 make changes that are incorrect (for instance calling whatever has been
6331 assigned to global.Object, instead of the original constructor function).
6332 However, making a mistake like this should result in a purely semantic
6333 error as fundamentally these functions are treated as though they were
6334 regular JS code in the host global, and have no more privileges than
6335 any other JS.
6336
6337 The initial proof of concept is Array.prototype.every, this shows a 65%
6338 performance improvement, and that improvement is significantly hurt by
6339 our poor optimisation of op_in.
6340
6341 As this is such a limited function, we have not yet exported all symbols
6342 that we could possibly need, but as we implement more, the likelihood
6343 of encountering missing features will reduce.
6344
6345 This did require breaking out a JSStringInlines header, and required
6346 fixing a few objects that were trying to using PropertyName::publicName
6347 rather than PropertyName::uid.
6348
6349 * API/JSCallbackObjectFunctions.h:
6350 (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
6351 (JSC::JSCallbackObject<Parent>::put):
6352 (JSC::JSCallbackObject<Parent>::deleteProperty):
6353 (JSC::JSCallbackObject<Parent>::getStaticValue):
6354 (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
6355 (JSC::JSCallbackObject<Parent>::callbackGetter):
6356 * CMakeLists.txt:
6357 * DerivedSources.make:
6358 * GNUmakefile.list.am:
6359 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
6360 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
6361 * JavaScriptCore.xcodeproj/project.pbxproj:
6362 * builtins/Array.prototype.js:
6363 (every):
6364 * builtins/BuiltinExecutables.cpp: Added.
6365 (JSC::BuiltinExecutables::BuiltinExecutables):
6366 (JSC::BuiltinExecutables::createBuiltinExecutable):
6367 * builtins/BuiltinExecutables.h:
6368 (JSC::BuiltinExecutables::create):
6369 * bytecode/CodeBlock.cpp:
6370 (JSC::CodeBlock::CodeBlock):
6371 * bytecode/CodeBlock.h:
6372 * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
6373 * bytecode/UnlinkedCodeBlock.cpp:
6374 (JSC::generateFunctionCodeBlock):
6375 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
6376 (JSC::UnlinkedFunctionExecutable::codeBlockFor):
6377 (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
6378 * bytecode/UnlinkedCodeBlock.h:
6379 (JSC::ExecutableInfo::ExecutableInfo):
6380 (JSC::UnlinkedFunctionExecutable::create):
6381 (JSC::UnlinkedFunctionExecutable::toStrictness):
6382 (JSC::UnlinkedFunctionExecutable::isBuiltinFunction):
6383 (JSC::UnlinkedCodeBlock::isBuiltinFunction):
6384 * bytecompiler/BytecodeGenerator.cpp:
6385 (JSC::BytecodeGenerator::BytecodeGenerator):
6386 * bytecompiler/BytecodeGenerator.h:
6387 (JSC::BytecodeGenerator::isBuiltinFunction):
6388 (JSC::BytecodeGenerator::makeFunction):
6389 * bytecompiler/NodesCodegen.cpp:
6390 (JSC::CallFunctionCallDotNode::emitBytecode):
6391 (JSC::ApplyFunctionCallDotNode::emitBytecode):
6392 * create_hash_table:
6393 * dfg/DFGOperations.cpp:
6394 * generate-js-builtins: Added.
6395 (getCopyright):
6396 (getFunctions):
6397 (generateCode):
6398 (mangleName):
6399 (FunctionExecutable):
6400 (Identifier):
6401 (JSGlobalObject):
6402 (SourceCode):
6403 (UnlinkedFunctionExecutable):
6404 (VM):
6405 * interpreter/Interpreter.cpp:
6406 * interpreter/ProtoCallFrame.cpp:
6407 * jit/JITOpcodes.cpp:
6408 * jit/JITOpcodes32_64.cpp:
6409 * jit/JITOperations.cpp:
6410 * jit/JITPropertyAccess.cpp:
6411 * jit/JITPropertyAccess32_64.cpp:
6412 * jsc.cpp:
6413 * llint/LLIntSlowPaths.cpp:
6414 * parser/ASTBuilder.h:
6415 (JSC::ASTBuilder::makeFunctionCallNode):
6416 * parser/Lexer.cpp:
6417 (JSC::Lexer<T>::Lexer):
6418 (JSC::isSafeIdentifier):
6419 (JSC::Lexer<LChar>::parseIdentifier):
6420 (JSC::Lexer<UChar>::parseIdentifier):
6421 (JSC::Lexer<T>::lex):
6422 * parser/Lexer.h:
6423 (JSC::isSafeIdentifier):
6424 (JSC::Lexer<T>::lexExpectIdentifier):
6425 * parser/Nodes.cpp:
6426 (JSC::ProgramNode::setClosedVariables):
6427 * parser/Nodes.h:
6428 (JSC::ScopeNode::capturedVariables):
6429 (JSC::ScopeNode::setClosedVariables):
6430 (JSC::ProgramNode::closedVariables):
6431 * parser/Parser.cpp:
6432 (JSC::Parser<LexerType>::Parser):
6433 (JSC::Parser<LexerType>::parseInner):
6434 (JSC::Parser<LexerType>::didFinishParsing):
6435 (JSC::Parser<LexerType>::printUnexpectedTokenText):
6436 * parser/Parser.h:
6437 (JSC::Scope::getUsedVariables):
6438 (JSC::Parser::closedVariables):
6439 (JSC::parse):
6440 * parser/ParserModes.h:
6441 * parser/ParserTokens.h:
6442 * runtime/ArgList.cpp:
6443 * runtime/Arguments.cpp:
6444 * runtime/Arguments.h:
6445 * runtime/ArgumentsIteratorConstructor.cpp:
6446 * runtime/ArgumentsIteratorPrototype.cpp:
6447 * runtime/ArrayPrototype.cpp:
6448 * runtime/CodeCache.cpp:
6449 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
6450 * runtime/CommonIdentifiers.cpp:
6451 (JSC::CommonIdentifiers::CommonIdentifiers):
6452 (JSC::CommonIdentifiers::getPrivateName):
6453 (JSC::CommonIdentifiers::getPublicName):
6454 * runtime/CommonIdentifiers.h:
6455 * runtime/CommonSlowPaths.cpp:
6456 * runtime/CommonSlowPathsExceptions.cpp:
6457 * runtime/ExceptionHelpers.cpp:
6458 (JSC::createUndefinedVariableError):
6459 * runtime/Executable.h:
6460 (JSC::EvalExecutable::executableInfo):
6461 (JSC::ProgramExecutable::executableInfo):
6462 (JSC::FunctionExecutable::isBuiltinFunction):
6463 * runtime/FunctionPrototype.cpp:
6464 (JSC::functionProtoFuncToString):
6465 * runtime/JSActivation.cpp:
6466 (JSC::JSActivation::symbolTableGet):
6467 (JSC::JSActivation::symbolTablePut):
6468 (JSC::JSActivation::symbolTablePutWithAttributes):
6469 * runtime/JSArgumentsIterator.cpp:
6470 * runtime/JSArray.cpp:
6471 * runtime/JSArrayIterator.cpp:
6472 * runtime/JSCJSValue.cpp:
6473 * runtime/JSCellInlines.h:
6474 * runtime/JSFunction.cpp:
6475 (JSC::JSFunction::createBuiltinFunction):
6476 (JSC::JSFunction::calculatedDisplayName):
6477 (JSC::JSFunction::sourceCode):
6478 (JSC::JSFunction::isHostOrBuiltinFunction):
6479 (JSC::JSFunction::isBuiltinFunction):
6480 (JSC::JSFunction::callerGetter):
6481 (JSC::JSFunction::getOwnPropertySlot):
6482 (JSC::JSFunction::getOwnNonIndexPropertyNames):
6483 (JSC::JSFunction::put):
6484 (JSC::JSFunction::defineOwnProperty):
6485 * runtime/JSFunction.h:
6486 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
6487 * runtime/JSGenericTypedArrayViewInlines.h:
6488 * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
6489 * runtime/JSGlobalObject.cpp:
6490 (JSC::JSGlobalObject::reset):
6491 (JSC::JSGlobalObject::visitChildren):
6492 * runtime/JSGlobalObject.h:
6493 (JSC::JSGlobalObject::objectConstructor):
6494 (JSC::JSGlobalObject::symbolTableHasProperty):
6495 * runtime/JSObject.cpp:
6496 (JSC::getClassPropertyNames):
6497 (JSC::JSObject::reifyStaticFunctionsForDelete):
6498 (JSC::JSObject::putDirectBuiltinFunction):
6499 * runtime/JSObject.h:
6500 * runtime/JSPropertyNameIterator.cpp:
6501 * runtime/JSPropertyNameIterator.h:
6502 * runtime/JSString.h:
6503 * runtime/JSStringInlines.h: Added.
6504 (JSC::JSString::getStringPropertySlot):
6505 (JSC::inlineJSValueNotStringtoString):
6506 (JSC::JSValue::toWTFStringInline):
6507 * runtime/JSSymbolTableObject.cpp:
6508 (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
6509 Don't report private names.
6510 * runtime/JSSymbolTableObject.h:
6511 (JSC::symbolTableGet):
6512 (JSC::symbolTablePut):
6513 (JSC::symbolTablePutWithAttributes):
6514 * runtime/Lookup.cpp:
6515 (JSC::setUpStaticFunctionSlot):
6516 * runtime/Lookup.h:
6517 (JSC::HashEntry::builtinGenerator):
6518 (JSC::HashEntry::propertyGetter):
6519 (JSC::HashEntry::propertyPutter):
6520 (JSC::HashTable::entry):
6521 (JSC::getStaticPropertySlot):
6522 (JSC::getStaticValueSlot):
6523 (JSC::putEntry):
6524 * runtime/NativeErrorConstructor.cpp:
6525 (JSC::NativeErrorConstructor::finishCreation):
6526 * runtime/NativeErrorConstructor.h:
6527 * runtime/PropertySlot.h:
6528 * runtime/RegExpPrototype.cpp:
6529 * runtime/SetConstructor.cpp:
6530 * runtime/StringObject.cpp:
6531 * runtime/Structure.cpp:
6532 * runtime/VM.cpp:
6533 (JSC::VM::VM):
6534 * runtime/VM.h:
6535 (JSC::VM::builtinExecutables):
6536
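The builtin-writing notes in the entry above explain why a builtin implemented in JS must reach the original constructor through the @Object private name (and original call/apply through @call/@apply) rather than through the global. The following is an added example, not JavaScriptCore code: a constructed every() that resolves the global Object at call time is subverted by a constructed script that reassigns it, while a version that captured the original at definition time keeps the correct result. naiveEvery, hardenedEvery, runUnderHijackedGlobal and the hijacking script are names and inputs chosen here.

```javascript
// Added example, not JavaScriptCore code. Demonstrates the hazard the
// ChangeLog entry guards against: a self-hosted builtin that looks up a
// global such as Object on every call runs whatever a page script has
// assigned there. Capturing the original once, at definition time, plays
// the role that the @Object / @call private names play inside JSC.

// Captured before any page script runs; hardenedEvery uses only these.
const OriginalObject = Object;

// Constructed "builtin": every() written against the bare global name, so
// `Object` is resolved through the global object each time it is called.
function naiveEvery(array, predicate) {
    const O = Object(array);          // late-bound lookup of the global
    const len = O.length >>> 0;
    for (let i = 0; i < len; i++) {
        // predicate.call goes through the overridable Function.prototype.call
        if (i in O && !predicate.call(undefined, O[i], i, O))
            return false;
    }
    return true;
}

// Same algorithm, bound to the captured original. Reflect.apply invokes the
// predicate without reading the (overridable) Function.prototype.call
// property, which is what JSC's @call guarantees for builtins.
function hardenedEvery(array, predicate) {
    const O = OriginalObject(array);
    const len = O.length >>> 0;
    for (let i = 0; i < len; i++) {
        if (i in O && !Reflect.apply(predicate, undefined, [O[i], i, O]))
            return false;
    }
    return true;
}

// Runs both builtins while a constructed hostile script has replaced the
// global Object with one that returns an empty object: the late-bound
// builtin then sees length 0 and reports that every element passed, even
// though -3 fails the predicate. The original global is restored whatever
// happens, so nothing after this call is affected.
function runUnderHijackedGlobal() {
    const input = [1, 2, -3];                 // constructed input
    const isPositive = (x) => x > 0;          // -3 should make every() false
    const savedObject = globalThis.Object;
    globalThis.Object = function HijackedObject() { return {}; };
    try {
        return {
            naive: naiveEvery(input, isPositive),       // true (wrong)
            hardened: hardenedEvery(input, isPositive), // false (correct)
        };
    } finally {
        globalThis.Object = savedObject;
    }
}
```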
2014-01-31  Gabor Rapcsanyi  <rgabor@webkit.org>

        Fix the ARM Thumb2 build after jsCStack branch merge
        https://bugs.webkit.org/show_bug.cgi?id=127903

        Reviewed by Michael Saboff.

        SP register cannot be used as a destination register of SUB or ADD on Thumb mode.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:

2014-01-31  Julien Brianceau  <jbriance@cisco.com>

        [arm] Add missing pushPair/popPair implementations in MacroAssemblerARM.h
        https://bugs.webkit.org/show_bug.cgi?id=127904

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::popPair):
        (JSC::MacroAssemblerARM::pushPair):

2014-01-30  Martin Robinson  <mrobinson@igalia.com>

        [GTK] [CMake] Add support for building against GTK+ 2
        https://bugs.webkit.org/show_bug.cgi?id=127959

        Reviewed by Anders Carlsson.

        * PlatformGTK.cmake: Use the new API version variable and don't use GTK3 directly.

2014-01-30  Andreas Kling  <akling@apple.com>

        CodeBlock's cloned SymbolTables only need the captured names.
        <https://webkit.org/b/127978>

        Renamed SymbolTable::clone() to SymbolTable::cloneCapturedNames()
        and made it skip over any symbols that aren't captured, since those
        won't be needed after codegen.

        This is a first step towards getting rid of redundant symbol tables.

        Reviewed by Geoffrey Garen.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::cloneCapturedNames):
        * runtime/SymbolTable.h:

2014-01-28  Timothy Hatcher  <timothy@apple.com>

        Add column number and call timing support to LegacyProfiler.

        https://bugs.webkit.org/show_bug.cgi?id=127764

        Reviewed by Joseph Pecoraro.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * profiler/CallIdentifier.h:
        (JSC::CallIdentifier::CallIdentifier):
        (JSC::CallIdentifier::functionName):
        (JSC::CallIdentifier::url):
        (JSC::CallIdentifier::lineNumber):
        (JSC::CallIdentifier::columnNumber):
        (JSC::CallIdentifier::operator==):
        (JSC::CallIdentifier::operator!=):
        (JSC::CallIdentifier::Hash::hash):
        (WTF::HashTraits<JSC::CallIdentifier>::constructDeletedValue):
        (WTF::HashTraits<JSC::CallIdentifier>::isDeletedValue):
        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::willExecute):
        (JSC::LegacyProfiler::didExecute):
        (JSC::LegacyProfiler::exceptionUnwind):
        (JSC::LegacyProfiler::createCallIdentifier):
        (JSC::createCallIdentifierFromFunctionImp):
        * profiler/LegacyProfiler.h:
        * profiler/Profile.cpp:
        (JSC::Profile::Profile):
        * profiler/Profile.h:
        (JSC::Profile::uid):
        (JSC::Profile::idleTime):
        (JSC::Profile::setIdleTime):
        * profiler/ProfileGenerator.cpp:
        (JSC::AddParentForConsoleStartFunctor::operator()):
        (JSC::ProfileGenerator::addParentForConsoleStart):
        (JSC::ProfileGenerator::willExecute):
        (JSC::ProfileGenerator::didExecute):
        (JSC::ProfileGenerator::stopProfiling):
        (JSC::ProfileGenerator::removeProfileStart):
        (JSC::ProfileGenerator::removeProfileEnd):
        * profiler/ProfileNode.cpp:
        (JSC::ProfileNode::ProfileNode):
        (JSC::ProfileNode::stopProfiling):
        (JSC::ProfileNode::endAndRecordCall):
        (JSC::ProfileNode::startTimer):
        (JSC::ProfileNode::debugPrintData):
        * profiler/ProfileNode.h:
        (JSC::ProfileNode::Call::Call):
        (JSC::ProfileNode::Call::startTime):
        (JSC::ProfileNode::Call::setStartTime):
        (JSC::ProfileNode::Call::totalTime):
        (JSC::ProfileNode::Call::setTotalTime):
        (JSC::ProfileNode::id):
        (JSC::ProfileNode::functionName):
        (JSC::ProfileNode::url):
        (JSC::ProfileNode::lineNumber):
6646 (JSC::ProfileNode::columnNumber):
6647 (JSC::ProfileNode::calls):
6648 (JSC::ProfileNode::lastCall):
6649 (JSC::ProfileNode::numberOfCalls):
6650
66512014-01-26 Timothy Hatcher <timothy@apple.com>
6652
6653 Include profile with FunctionCall and EvaluateScript Timeline records.
6654
6655 https://bugs.webkit.org/show_bug.cgi?id=127663
6656
6657 Reviewed by Joseph Pecoraro.
6658
6659 * inspector/InjectedScriptBase.cpp:
6660 (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
6661 * inspector/InspectorEnvironment.h:
6662 * inspector/JSGlobalObjectInspectorController.h:
6663
66642014-01-29 Filip Pizlo <fpizlo@apple.com>
6665
6666 FTL should support GetById(Untyped:)
6667 https://bugs.webkit.org/show_bug.cgi?id=127750
6668
6669 Reviewed by Oliver Hunt.
6670
6671 This was supposed to be easy. Indeed, the actual GetById UntypedUse case was easy. But
6672 then it expanded coverage by a lot and I got to deal with three bugs. So, this has
6673 some additional changes:
6674
6675 Also make it safe for LLVM to duplicate calls to patchpoints and stackmaps. Previously
6676 we incorrectly assumed that if we emitted a patchpoint, then there would only be one
6677 copy of that patchpoint (with that ID) in the resulting machine code and in the
6678 stackmaps section. That's obviously a bad assumption - LLVM is allowed to do anything
6679 it wants so long as the outcome of executing the code has a semantically equivalent
6680 meaning to the IR we gave it, and duplicating code is trivially OK under this rule. We
6681 should be OK with it, too. The solution is to add Vectors in a bunch of places that
6682 previously just thought they only had one value. For example, an InlineCacheDescriptor
6683 now has a Vector of generators - one generator for each copy that LLVM stamped out.
6684 Normally there will only be one copy, of course - since duplication is usually
6685 unprofitable. But, if LLVM decides that copying would be groovy then we will no longer
6686 barf.
6687
6688 Also fix SSA conversion. It turns out that we mishandled the case where a block had
6689 multiple Phi functions for the same local. If any of those CPS Phis fail to trivialize
6690 in the Aycock-Horspool fixpoint, we need to insert an SSA Phi. Previously, it was
6691 assuming that so long as the head CPS Phi was trivial, we could forego SSA Phi
6692 insertion. That's wrong if the head CPS Phi trivialized but ended up pointing to a
6693 non-trivial CPS Phi in the same block. This madness with trees of Phis occurs because
6694 we try to save on compile times: no Phi ever has more than three children even if the
6695 block has more than three predecessors; we just build out a tree of Phis to satisfy
6696 all predecessors. So weird.
6697
6698 And finally, fix DFG->FTL OSR entry's reconstruction of 'this' in a constructor. That
6699 reconstruction code, JITCode::reconstruct(), had a work-around for the case where we
6700 were entering into a constructor at the prologue. In that case, 'this' is definitely
6701 unavailable. But the OSR code does reconstructions at LoopHints, which aren't at the
6702 prologue, and so 'this' should totally be available.
6703
6704 * dfg/DFGGraph.cpp:
6705 (JSC::DFG::Graph::dump):
6706 * dfg/DFGJITCode.cpp:
6707 (JSC::DFG::JITCode::reconstruct):
6708 * dfg/DFGNode.h:
6709 (JSC::DFG::Node::tryGetVariableAccessData):
6710 * dfg/DFGSSAConversionPhase.cpp:
6711 (JSC::DFG::SSAConversionPhase::run):
6712 * ftl/FTLCapabilities.cpp:
6713 (JSC::FTL::canCompile):
6714 * ftl/FTLCompile.cpp:
6715 (JSC::FTL::generateICFastPath):
6716 (JSC::FTL::fixFunctionBasedOnStackMaps):
6717 * ftl/FTLInlineCacheDescriptor.h:
6718 * ftl/FTLJITFinalizer.cpp:
6719 (JSC::FTL::JITFinalizer::codeSize):
6720 * ftl/FTLJSCall.cpp:
6721 (JSC::FTL::JSCall::JSCall):
6722 * ftl/FTLJSCall.h:
6723 * ftl/FTLLowerDFGToLLVM.cpp:
6724 (JSC::FTL::LowerDFGToLLVM::compileGetById):
6725 (JSC::FTL::LowerDFGToLLVM::getById):
6726 * ftl/FTLOSREntry.cpp:
6727 (JSC::FTL::prepareOSREntry):
6728 * ftl/FTLStackMaps.cpp:
6729 (JSC::FTL::StackMaps::getRecordMap):
6730 * ftl/FTLStackMaps.h:
6731 * tests/stress/get-by-id-untyped.js: Added.
6732 (foo):
6733
67342014-01-30 Geoffrey Garen <ggaren@apple.com>
6735
6736 Part 2: REGRESSION: JavascriptCore crash during OS Installation (due to
6737 Heap::m_operationInProgress ASSERT vs DelayedReleaseScope)
6738 https://bugs.webkit.org/show_bug.cgi?id=127950
6739
6740 Reviewed by Mark Hahnenberg.
6741
6742 Scope the APICallbackShim to make sure that we re-acquire the lock
6743 before putting the heap back into the "unsafe to allocate" state.
6744 Otherwise, the heap will seem to be in the "unsafe to allocate" state
6745 during any GC that happens before we re-acquire the lock.
6746
6747 No regression test because threads.
6748
6749 * heap/DelayedReleaseScope.h:
6750 (JSC::DelayedReleaseScope::~DelayedReleaseScope):
6751
67522014-01-30 Filip Pizlo <fpizlo@apple.com>
6753
6754 Update FTL StackMaps parser to stackSize change
6755 https://bugs.webkit.org/show_bug.cgi?id=127933
6756
6757 Reviewed by Oliver Hunt.
6758
6759 * ftl/FTLStackMaps.cpp:
6760 (JSC::FTL::StackMaps::parse):
6761
67622014-01-30 Zan Dobersek <zdobersek@igalia.com>
6763
6764 [GTK] Only disable -ftree-dce optimization when compiling with GCC
6765 https://bugs.webkit.org/show_bug.cgi?id=127911
6766
6767 Reviewed by Carlos Garcia Campos.
6768
6769 * GNUmakefile.am: Only disable the -ftree-dce optimization when using the GCC compiler.
6770 Some Clang versions/configurations don't support the flag.
6771
67722014-01-30 Zan Dobersek <zdobersek@igalia.com>
6773
6774 [GTK] Disable optimizations for JSC that turned out malignant after jsCStack branch merge
6775 https://bugs.webkit.org/show_bug.cgi?id=127909
6776
6777 Reviewed by Carlos Garcia Campos.
6778
6779 * GNUmakefile.am: Disable the -fomit-frame-pointer optimization to achieve proper register usage
6780 in operationCallEval. Disable the -ftree-dce optimization since it is causing additional failures
6781 when using GCC 4.8, possibly due to a bug in the compiler itself.
6782
67832014-01-29 Csaba Osztrogonác <ossy@webkit.org>
6784
6785 Remove ENABLE(JAVASCRIPT_DEBUGGER) leftovers
6786 https://bugs.webkit.org/show_bug.cgi?id=127845
6787
6788 Reviewed by Joseph Pecoraro.
6789
6790 * Configurations/FeatureDefines.xcconfig:
6791
67922014-01-29 Joseph Pecoraro <pecoraro@apple.com>
6793
6794 Web Inspector: Play Breakpoint Sound in Frontend
6795 https://bugs.webkit.org/show_bug.cgi?id=127885
6796
6797 Reviewed by Timothy Hatcher.
6798
6799 * inspector/ScriptDebugListener.h:
6800 * inspector/ScriptDebugServer.cpp:
6801 (Inspector::ScriptDebugServer::evaluateBreakpointAction):
6802 (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
6803 * inspector/ScriptDebugServer.h:
6804 Pass the breakpoint action identifier through when the
6805 sound breakpoint action is triggered.
6806
6807 * inspector/protocol/Debugger.json:
6808 New "playBreakpointActionSound" event when a "sound" breakpoint action triggers.
6809
6810 * inspector/agents/InspectorDebuggerAgent.h:
6811 * inspector/agents/InspectorDebuggerAgent.cpp:
6812 (Inspector::InspectorDebuggerAgent::breakpointActionSound):
6813 Send the new event so the frontend can handle it.
6814
68152014-01-29 Filip Pizlo <fpizlo@apple.com>
6816
6817 Merge final changesets from the jsCStack branch (r162969, r162975, r162992, r163004, r163069).
6818
6819 2014-01-29 Filip Pizlo <fpizlo@apple.com>
6820
6821 DFG ArrayPop double array mishandles the NaN hole installation
6822 https://bugs.webkit.org/show_bug.cgi?id=127813
6823
6824 Reviewed by Mark Rowe.
6825
6826 Our object model for arrays inferred double dictates that we use quiet NaN (QNaN) to
6827 mark holes. Holes, in this context, are any entries in the allocated array buffer
6828 (i.e. from index 0 up to the vectorLength) that don't currently hold a value. Popping
6829 creates a hole, since it deletes the value at publicLength - 1.
6830
6831 But, because of some sloppy copy-and-paste, we were storing (int64_t)0 when creating
6832 the hole, instead of storing QNaN. That's likely because for other kinds of arrays,
6833 64-bit zero is the hole marker, instead of QNaN.
6834
6835 The attached test case illustrates the problem. In the LLInt and Baseline JIT, the
6836 result returned from foo() is "1.5,2.5,,4.5", since array.pop() removes 3.5 and
6837 replaces it with a hole and then the assignment "array[3] = 4.5" creates an element
6838 just beyond that hole. But, once we tier-up to the DFG, the result previously became
6839 "1.5,2.5,0,4.5", which is wrong. The 0 appeared because the IEEE double
6840 interpretation of 64-bit zero is simply zero.
6841
6842 This patch fixes that problem. Now the DFG agrees with the other engines.
6843
6844 This patch also fixes style. For some reason that copy-pasted code wasn't even
6845 indented correctly.
6846
6847 * dfg/DFGSpeculativeJIT64.cpp:
6848 (JSC::DFG::SpeculativeJIT::compile):
6849 * tests/stress/array-pop-double-hole.js: Added.
6850 (foo):
6851
6852 2014-01-28 Filip Pizlo <fpizlo@apple.com>
6853
6854 FTL should support ArrayPush
6855 https://bugs.webkit.org/show_bug.cgi?id=127748
6856
6857 Not reviewed, remove some debug code.
6858
6859 * ftl/FTLLowerDFGToLLVM.cpp:
6860 (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
6861
6862 2014-01-27 Filip Pizlo <fpizlo@apple.com>
6863
6864 FTL should support ArrayPush
6865 https://bugs.webkit.org/show_bug.cgi?id=127748
6866
6867 Reviewed by Oliver Hunt.
6868
6869 * ftl/FTLAbstractHeapRepository.h:
6870 (JSC::FTL::AbstractHeapRepository::forArrayType):
6871 * ftl/FTLCapabilities.cpp:
6872 (JSC::FTL::canCompile):
6873 * ftl/FTLIntrinsicRepository.h:
6874 * ftl/FTLLowerDFGToLLVM.cpp:
6875 (JSC::FTL::LowerDFGToLLVM::compileNode):
6876 (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
6877 * tests/stress/array-push-contiguous.js: Added.
6878 (foo):
6879 * tests/stress/array-push-double.js: Added.
6880 (foo):
6881
6882 2014-01-28 Filip Pizlo <fpizlo@apple.com>
6883
6884 FTL should support ArrayPop
6885 https://bugs.webkit.org/show_bug.cgi?id=127749
6886
6887 Reviewed by Geoffrey Garen.
6888
6889 * ftl/FTLCapabilities.cpp:
6890 (JSC::FTL::canCompile):
6891 * ftl/FTLIntrinsicRepository.h:
6892 * ftl/FTLLowerDFGToLLVM.cpp:
6893 (JSC::FTL::LowerDFGToLLVM::compileNode):
6894 (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
6895 (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
6896 * tests/stress/array-pop-contiguous.js: Added.
6897 (foo):
6898 * tests/stress/array-pop-double.js: Added.
6899 (foo):
6900 * tests/stress/array-pop-int32.js: Added.
6901 (foo):
6902
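The hole-marker mismatch from the ArrayPop double-array entry above, reproduced as an added C++ model that is not JSC's JSArray code: the DoubleArray type, its pop and put, the quiet-NaN bit pattern used as the hole marker, and the simplified join formatting are this example's assumptions, and foo() mirrors the entry's test case with the buggy and the fixed pop side by side.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <initializer_list>
#include <string>
#include <vector>

// Model of a double-inferred array (this example's own, not JSC's JSArray): 'storage'
// is the allocated buffer (vectorLength slots); publicLength is the length JavaScript sees.
struct DoubleArray {
    std::vector<double> storage;
    size_t publicLength = 0;
};

static double bitsToDouble(uint64_t bits)
{
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

// Assumed hole marker for double arrays: a quiet-NaN bit pattern. Other array kinds use
// 64-bit zero as their hole marker, which is the sentinel the copy-pasted pop reused.
static const uint64_t kQuietNaNBits = 0x7ff8000000000000ULL;
static double holeMarker() { return bitsToDouble(kQuietNaNBits); }
static bool isHole(double d) { return std::isnan(d); }

static DoubleArray makeArray(std::initializer_list<double> values)
{
    DoubleArray a;
    a.storage.assign(values.begin(), values.end());
    a.publicLength = a.storage.size();
    return a;
}

// Pop the last element and leave a hole behind. The buggy variant writes (int64_t)0 into
// the vacated slot, which reinterprets as the double 0.0; the fixed one writes QNaN.
static double pop(DoubleArray& a, bool buggy)
{
    if (!a.publicLength)
        return holeMarker();
    double v = a.storage[--a.publicLength];
    a.storage[a.publicLength] = buggy ? bitsToDouble(0) : holeMarker();
    return v;
}

// array[index] = value; growing the buffer fills the new slots with holes.
static void put(DoubleArray& a, size_t index, double value)
{
    if (index >= a.storage.size())
        a.storage.resize(index + 1, holeMarker());
    a.storage[index] = value;
    if (index >= a.publicLength)
        a.publicLength = index + 1;
}

// Array.prototype.join for this model: holes contribute an empty string, and integral
// doubles print without a fraction, as in JavaScript.
static std::string join(const DoubleArray& a)
{
    std::string out;
    for (size_t i = 0; i < a.publicLength; ++i) {
        if (i)
            out += ',';
        double d = a.storage[i];
        if (isHole(d))
            continue;
        char buf[32];
        if (d == std::floor(d))
            std::snprintf(buf, sizeof buf, "%.0f", d);
        else
            std::snprintf(buf, sizeof buf, "%g", d);
        out += buf;
    }
    return out;
}

// The entry's scenario: build [1.5, 2.5, 3.5], pop, then store array[3] = 4.5. With the
// fixed pop the result is "1.5,2.5,,4.5"; with the buggy pop it is "1.5,2.5,0,4.5".
static std::string foo(bool useBuggyPop)
{
    DoubleArray array = makeArray({ 1.5, 2.5, 3.5 });
    pop(array, useBuggyPop);
    put(array, 3, 4.5);
    return join(array);
}
```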
2014-01-29  Filip Pizlo  <fpizlo@apple.com>

        DFG::ByteCodeParser::m_dfgCodeBlock is sometimes uninitialized
        <rdar://problem/15939032>

        Reviewed by Dan Bernstein.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):

2014-01-29  Geoffrey Garen  <ggaren@apple.com>

        50% time on Dromaeo Selector * benchmark spent allocating oversized backing stores (but not in Chrome)
        https://bugs.webkit.org/show_bug.cgi?id=127879

        Reviewed by Gavin Barraclough.

        Let's not dynamically resize an array whose size is statically known,
        mmmkay?

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncConcat): Use nullptr to disambiguate vs the numeric
        argument.

        (JSC::arrayProtoFuncSlice): The fix.

        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap): Use nullptr.

2014-01-29  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Run JSC Inspector EventLoop in a custom run loop mode to prevent default observers from running
        https://bugs.webkit.org/show_bug.cgi?id=127865

        Reviewed by Geoffrey Garen.

        When hitting a breakpoint in a JSContext Inspector we want to entirely
        pause the process and all access to the JSContext and only move forward
        based on debugger commands. Having the nested run loop run in a default
        mode allowed NSTimers scheduled on the thread to regularly run and
        evaluate code in the JSContext. Using a custom run loop mode gets us
        a bit closer to locking down the context. This doesn't handle scenarios
        where background threads also access the JSContext, but it handles the
        most common scenario.

        * inspector/EventLoop.cpp:
        (Inspector::EventLoop::cycle):

2014-01-29  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Deadlock hitting breakpoint while inspecting JSContext
        https://bugs.webkit.org/show_bug.cgi?id=127864

        Reviewed by Geoffrey Garen.

        Temporarily drop the lock while we run the nested runloop.

        * inspector/JSGlobalObjectScriptDebugServer.cpp:
        (Inspector::JSGlobalObjectScriptDebugServer::runEventLoopWhilePaused):

2014-01-28  Oliver Hunt  <oliver@apple.com>

        Make DOM attributes appear to be faux accessor properties
        https://bugs.webkit.org/show_bug.cgi?id=127797

        Reviewed by Michael Saboff.

        Add a flag so we can identify which properties should have the old
        custom property semantics vs. the new faux accessors. Update the
        inspector protocol accordingly.

        These faux accessors produce descriptors with "get" and "set"
        properties, but both values are undefined so can't be used
        directly. A few custom properties actually require their
        existing magical behaviour, so we now have a flag to
        distinguish the expected output.

        * inspector/InjectedScriptSource.js:
        (.):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setCustomDescriptor):
        * runtime/PropertyDescriptor.h:
        * runtime/PropertySlot.h:

2014-01-29  Beth Dakin  <bdakin@apple.com>

        Build fix.

        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        * llint/LowLevelInterpreter.cpp:

2014-01-29  Dan Bernstein  <mitz@apple.com>

        Build fix.

        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Added a newline at the end of the
        file.

2014-01-28  Michael Saboff  <msaboff@apple.com>

        Merge the jsCStack branch
        https://bugs.webkit.org/show_bug.cgi?id=127763

        Reviewed by Mark Hahnenberg.

        Changes from http://svn.webkit.org/repository/webkit/branches/jsCStack
        up to changeset 162958.

2014-01-29  Csaba Osztrogonác  <ossy@webkit.org>

        Remove ENABLE(JAVASCRIPT_DEBUGGER) guards
        https://bugs.webkit.org/show_bug.cgi?id=127840

        Reviewed by Mark Lam.

        * inspector/scripts/CodeGeneratorInspector.py:

2014-01-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r162987.
        http://trac.webkit.org/changeset/162987
        https://bugs.webkit.org/show_bug.cgi?id=127825

        Broke Mountain Lion build (Requested by andersca on #webkit).

        * inspector/InjectedScriptSource.js:
        (.):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/PropertyDescriptor.cpp:
        * runtime/PropertyDescriptor.h:
        * runtime/PropertySlot.h:

2014-01-28  Oliver Hunt  <oliver@apple.com>

        Make DOM attributes appear to be faux accessor properties
        https://bugs.webkit.org/show_bug.cgi?id=127797

        Reviewed by Michael Saboff.

        Add a flag so we can identify which properties should have the old
        custom property semantics vs. the new faux accessors. Update the
        inspector protocol accordingly.

        These faux accessors produce descriptors with "get" and "set"
        properties, but both values are undefined so can't be used
        directly. A few custom properties actually require their
        existing magical behaviour, so we now have a flag to
        distinguish the expected output.

        * inspector/InjectedScriptSource.js:
        (.):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setCustomDescriptor):
        * runtime/PropertyDescriptor.h:
        * runtime/PropertySlot.h:

2014-01-28  Mark Lam  <mark.lam@apple.com>

        Remove some unneeded debugger code.
        https://bugs.webkit.org/show_bug.cgi?id=127805.

        Reviewed by Oliver Hunt.

        JSC will now always support the debugger. Hence, the #if ENABLE(JAVASCRIPT_DEBUGGER)
        checks can be removed.

        DebuggerCallFrame::callFrame() is also unused and will be removed.

        * debugger/Breakpoint.h:
        * debugger/Debugger.cpp:
        * debugger/DebuggerCallFrame.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::wrapCallFrames):
        * inspector/InjectedScript.h:
        * inspector/JSGlobalObjectScriptDebugServer.cpp:
        * inspector/JSGlobalObjectScriptDebugServer.h:
        * inspector/JSJavaScriptCallFrame.cpp:
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * inspector/JSJavaScriptCallFramePrototype.h:
        * inspector/JavaScriptCallFrame.cpp:
        * inspector/JavaScriptCallFrame.h:
        * inspector/ScriptDebugListener.h:
        * inspector/ScriptDebugServer.cpp:
        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
        (Inspector::setPauseOnExceptionsState):
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getProperties):
        * inspector/agents/InspectorRuntimeAgent.h:

2014-01-28  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION: JavaScriptCore crash during OS Installation (due to
        Heap::m_operationInProgress ASSERT vs DelayedReleaseScope)
        https://bugs.webkit.org/show_bug.cgi?id=127793

        Reviewed by Mark Hahnenberg.

        This was a mistaken ASSERT.

        * API/tests/testapi.mm:
        (-[EvilAllocationObject doEvilThingsWithContext:]): Added a test to verify
        that GC from a DelayedReleaseScope doesn't crash.

        * heap/DelayedReleaseScope.h:
        (JSC::DelayedReleaseScope::~DelayedReleaseScope): Our contract is that
        it is valid to do anything while running a DelayedReleaseScope -dealloc
        method, so the Heap must be ready for new allocations and collections.

        Change the Heap's operationInProgress value to NoOperation while running
        -dealloc methods, so that it doesn't ASSERT in the face of new allocations
        and collections.

        * heap/Heap.h: Made DelayedReleaseScope a friend because exposing a setter
        for m_operationInProgress seemed like the worse of the two options for
        encapsulation: we don't really want arbitrary clients to set the Heap's
        m_operationInProgress.

2014-01-28  Mark Lam  <mark.lam@apple.com>

        Jettison DFG code when neither breakpoints nor the profiler are active.
        <https://webkit.org/b/127766>

        Reviewed by Geoffrey Garen.

        We need to jettison the DFG CodeBlocks under the following circumstances:
        1. When adding breakpoints to a CodeBlock, jettison it if it is a DFG CodeBlock.
        2. When enabling stepping mode in a CodeBlock, jettison it if it is a DFG CodeBlock.
        3. When setting the enabled profiler in the VM, we need to jettison all DFG
           CodeBlocks.

        Instead of emitting speculation checks, the DFG code will now treat Breakpoint,
        ProfileWillCall, and ProfileDidCall as no-ops similar to a Phantom node. We
        still need to track these nodes so that they match the corresponding opcodes
        in the baseline JIT when we jettison and OSR exit. Without them, we would OSR
        exit to the wrong location in the baseline JIT code.

        In DFGDriver's compileImpl() and DFGPlan's finalizeWithoutNotifyingCallback()
        we fail the compilation effort with a CompilationInvalidated result. This allows
        the DFG compiler to re-attempt the compilation of the function after some time
        if it is hot. The CompilationInvalidated result is supposed to cause the DFG
        to exercise an exponential back off before re-attempting compilation again
        (see runtime/CompilationResult.h).

        This patch improves the Octane score from ~2950 to ~3067.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::addBreakpoint):
        (JSC::CodeBlock::setSteppingMode):
        * bytecode/CodeBlock.h:
        * debugger/Debugger.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::startProfiling):
        (JSC::LegacyProfiler::stopProfiling):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::SetEnabledProfilerFunctor::operator()):
        (JSC::VM::setEnabledProfiler):
        * runtime/VM.h:
        (JSC::VM::enabledProfiler):

2014-01-27  Joseph Pecoraro  <pecoraro@apple.com>

        -[JSContext evaluateScript:] calls JSEvaluateScript with startingLineNumber 0, later interpreted as a oneBasedInt
        https://bugs.webkit.org/show_bug.cgi?id=127648

        Reviewed by Geoffrey Garen.

        The actual bug being fixed here is that the line number for
        scripts evaluated via the JSC APIs is now sane. However,
        there is no good infrastructure in place right now to test that.

        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.mm:
        (testObjectiveCAPI):
        Add tests for exception line numbers and handling of bad
        startingLineNumbers in public APIs. These tests were already
        passing; I just added them to make sure they are not regressed
        in the future.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSBase.h:
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        * API/JSObjectRef.h:
        * API/JSScriptRef.cpp:
        * API/JSScriptRefPrivate.h:
        * API/JSStringRef.h:
        - Clarify documentation that startingLineNumber is 1 based and clamped.
        - Add clamping in the implementation to put sane values into JSC::SourceProvider.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::didParseSource):
        Remove the FIXME now that the SourceProvider is giving us expected values.

2014-01-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: CRASH when debugger closes remote inspecting JSContext
        https://bugs.webkit.org/show_bug.cgi?id=127738

        Reviewed by Timothy Hatcher.

        RemoteInspectorXPCConnection could be accessed in a background dispatch
        queue, while being deallocated on the main thread when a connection
        was suddenly terminated.

        Make RemoteInspectorXPCConnection a ThreadSafeRefCounted object. Always
        keep the connection object ref'd until the main thread calls close()
        and removes its reference. At that point we can close the connection,
        queue, and deref safely on the background queue.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        For simplicity, RemoteInspectorXPCConnections don't have any threading
        primitives to prevent client callbacks after they are closed. RemoteInspector
        does, so it just ignores possible callbacks from connections it no longer
        cares about.

        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::~RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::close):
        Keep the connection alive as long as the queue it can be used on
        is alive. Clean up everything on the queue when close() is called.

        (Inspector::RemoteInspectorXPCConnection::handleEvent):
        Checking if closed here is not thread safe so it is meaningless.
        Remove the check.

        (Inspector::RemoteInspectorXPCConnection::sendMessage):
        Bail based on the m_closed state.

2014-01-27  Joseph Pecoraro  <pecoraro@apple.com>

        JavaScriptCore: Enable -Wimplicit-fallthrough and add FALLTHROUGH annotation where needed
        https://bugs.webkit.org/show_bug.cgi?id=127647

        Reviewed by Anders Carlsson.

        Explicitly annotate switch case fallthroughs in JavaScriptCore and
        enable warnings for unannotated fallthroughs.

        * dfg/DFGArithMode.h:
        (doesOverflow):
        Only insert FALLTHROUGH in release builds. In debug builds, the
        FALLTHROUGH would be unreachable (due to the ASSERT_NOT_REACHED)
        and would throw a warning.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        Due to the templatized nature of this function, a fallthrough
        in one of the template expansions would be unreachable. Disable
        the warning for this function.

        * Configurations/Base.xcconfig:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validateCPS):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::lex):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::parseProperty):
        * runtime/JSArray.cpp:
        (JSC::JSArray::push):
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        * runtime/JSObject.h:
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parse):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::backtrackParenthesesOnceBegin):
        (JSC::Yarr::Interpreter::backtrackParenthesesOnceEnd):
        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter):
        (JSC::Yarr::Parser::CharacterClassParserDelegate::atomBuiltInCharacterClass):
        (JSC::Yarr::Parser::parseEscape):
        (JSC::Yarr::Parser::parseTokens):

2014-01-27  Andy Estes  <aestes@apple.com>

        Scrub WebKit API headers of WTF macros
        https://bugs.webkit.org/show_bug.cgi?id=127706

        Reviewed by David Kilzer.

        * Configurations/FeatureDefines.xcconfig: Added ENABLE_INSPECTOR.

2014-01-27  Mark Lam  <mark.lam@apple.com>

        Remove unused CodeBlock::createActivation().
        <https://webkit.org/b/127686>

        Reviewed by Filip Pizlo.

        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:

2014-01-26  Andreas Kling  <akling@apple.com>

        JSC: Pack unlinked instructions harder.
        <https://webkit.org/b/127660>

        Store UnlinkedCodeBlock's instructions in a variable-length stream
        to reduce memory usage. Compression rate ends up around 60-61%.

        The format is very simple. Every instruction starts with a 1 byte
        opcode. It's followed by an opcode-dependent number of argument
        values, each encoded separately for maximum packing. There are
        7 packed value formats:

            5-bit positive integer
            5-bit negative integer
            13-bit positive integer
            13-bit positive integer
            5-bit constant register index
            13-bit constant register index
            32-bit value (fallback)

        27.5 MB progression on Membuster3. (~2% of total memory.)

        Reviewed by Filip Pizlo.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/UnlinkedInstructionStream.h: Added.
        (JSC::UnlinkedInstructionStream::count):
        (JSC::UnlinkedInstructionStream::Reader::atEnd):
        * bytecode/UnlinkedInstructionStream.cpp: Added.
        (JSC::UnlinkedInstructionStream::Reader::Reader):
        (JSC::UnlinkedInstructionStream::Reader::read8):
        (JSC::UnlinkedInstructionStream::Reader::read32):
        (JSC::UnlinkedInstructionStream::Reader::next):
        (JSC::append8):
        (JSC::append32):
        (JSC::UnlinkedInstructionStream::UnlinkedInstructionStream):
        (JSC::UnlinkedInstructionStream::unpackForDebugging):
        * bytecompiler/BytecodeGenerator.cpp:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
        (JSC::dumpLineColumnEntry):
        (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
        (JSC::UnlinkedCodeBlock::setInstructions):
        (JSC::UnlinkedCodeBlock::instructions):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::BytecodeGenerator::generate):

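An added C++ sketch of the packed instruction stream the entry above describes; it is not JSC's UnlinkedInstructionStream. The 3-bit tag layout, the constant-register base kFirstConstantRegisterIndex, and the hypothetical opcodes with their operand counts are this example's assumptions; it packs each operand in the tightest of the 7 formats, reads the stream back using the opcode's operand count, and checks the round trip.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Assumed tag layout (this example's own, not JSC's): a packed value starts with a byte
// whose top 3 bits select one of the 7 formats. 5-bit formats keep the payload in the low
// 5 bits of that byte, 13-bit formats use those 5 bits plus one more byte, and the 32-bit
// fallback is followed by 4 big-endian bytes.
enum PackedValueType : uint8_t { Positive5Bit = 0, Negative5Bit, Positive13Bit, Negative13Bit,
    ConstantRegister5Bit, ConstantRegister13Bit, Full32Bit };

// Assumed base of the constant-register index range (placeholder, not JSC's value).
static const int32_t kFirstConstantRegisterIndex = 0x40000000;

// Hypothetical opcodes with assumed operand counts: the count belongs to the opcode,
// which is what tells the reader how many packed values follow the opcode byte.
enum Opcode : uint8_t { op_mov = 0, op_add, op_jmp, op_ret };
static size_t operandCount(uint8_t opcode) { return opcode == op_add ? 3 : opcode == op_mov ? 2 : 1; }

struct Instruction {
    uint8_t opcode;
    std::vector<int32_t> operands;
    bool operator==(const Instruction& other) const { return opcode == other.opcode && operands == other.operands; }
};
typedef std::vector<uint8_t> Bytes;

// Choose the tightest format that can hold one operand.
static void packValue(Bytes& out, int32_t value)
{
    auto emit5 = [&](PackedValueType type, uint32_t payload) { out.push_back(uint8_t(type << 5) | uint8_t(payload & 0x1f)); };
    auto emit13 = [&](PackedValueType type, uint32_t payload) { emit5(type, payload >> 8); out.push_back(uint8_t(payload & 0xff)); };
    int64_t constantIndex = int64_t(value) - kFirstConstantRegisterIndex;
    if (value >= 0 && value <= 0x1f) emit5(Positive5Bit, value);
    else if (value < 0 && value >= -0x1f) emit5(Negative5Bit, -value);
    else if (value >= 0 && value <= 0x1fff) emit13(Positive13Bit, value);
    else if (value < 0 && value >= -0x1fff) emit13(Negative13Bit, -value);
    else if (constantIndex >= 0 && constantIndex <= 0x1f) emit5(ConstantRegister5Bit, uint32_t(constantIndex));
    else if (constantIndex >= 0 && constantIndex <= 0x1fff) emit13(ConstantRegister13Bit, uint32_t(constantIndex));
    else {
        emit5(Full32Bit, 0); // the tag byte carries no payload; the next 4 bytes do
        for (int shift = 24; shift >= 0; shift -= 8)
            out.push_back(uint8_t(uint32_t(value) >> shift));
    }
}

// Reading past the end yields 0 instead of indexing out of bounds.
static uint8_t read8(const Bytes& bytes, size_t& position) { return position < bytes.size() ? bytes[position++] : 0; }

static int32_t readValue(const Bytes& bytes, size_t& position)
{
    uint8_t first = read8(bytes, position);
    int32_t low5 = first & 0x1f;
    switch (first >> 5) {
    case Positive5Bit: return low5;
    case Negative5Bit: return -low5;
    case Positive13Bit: return (low5 << 8) | read8(bytes, position);
    case Negative13Bit: return -((low5 << 8) | read8(bytes, position));
    case ConstantRegister5Bit: return kFirstConstantRegisterIndex + low5;
    case ConstantRegister13Bit: return kFirstConstantRegisterIndex + ((low5 << 8) | read8(bytes, position));
    }
    uint32_t full = 0; // Full32Bit
    for (int i = 0; i < 4; ++i)
        full = (full << 8) | read8(bytes, position);
    return int32_t(full);
}

// Stream layout: one opcode byte, then that opcode's operands, each packed separately.
static Bytes pack(const std::vector<Instruction>& instructions)
{
    Bytes out;
    for (const Instruction& insn : instructions) {
        out.push_back(insn.opcode);
        for (int32_t operand : insn.operands)
            packValue(out, operand);
    }
    return out;
}

static std::vector<Instruction> unpack(const Bytes& bytes)
{
    std::vector<Instruction> result;
    for (size_t position = 0; position < bytes.size();) {
        Instruction insn { read8(bytes, position), { } };
        for (size_t i = 0, n = operandCount(insn.opcode); i < n; ++i)
            insn.operands.push_back(readValue(bytes, position));
        result.push_back(insn);
    }
    return result;
}

// Constructed sample covering every format: locals (negative), small and large
// immediates, constant registers, and a value only the 32-bit fallback can hold.
// It packs to 21 bytes, against 56 if every slot were a 32-bit word.
static std::vector<Instruction> sampleProgram()
{
    return { { op_mov, { -3, kFirstConstantRegisterIndex + 1 } }, { op_add, { -4, -3, 4096 } },
        { op_jmp, { -2000 } }, { op_mov, { -5, kFirstConstantRegisterIndex + 70 } }, { op_ret, { 0x12345678 } } };
}

static bool roundTrips(const std::vector<Instruction>& instructions) { return unpack(pack(instructions)) == instructions; }
```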
2014-01-26 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: Move InspectorDebuggerAgent into JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=127629

        Rubber-stamped by Sam Weinig.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        - Add new files to the build.
        - Also, since non-REMOTE_INSPECTOR ports cannot yet connect to a
          JSGlobalObject for inspection, remove those files as they don't
          need to be built.

        * inspector/EventLoop.cpp: Added.
        (Inspector::EventLoop::cycle):
        * inspector/EventLoop.h: Added.
        (Inspector::EventLoop::EventLoop):
        (Inspector::EventLoop::ended):
        Add a JavaScriptCore version of EventLoop. This is currently only
        used by the Mac port for JSGlobalObject remote inspection. Keep
        the WebCore/platform version alive because for the Mac port it does
        slightly different things involving AppKit.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        Create DebuggerAgent and hook up ScriptDebugServer where needed.

        * inspector/JSGlobalObjectScriptDebugServer.cpp: Added.
        (Inspector::JSGlobalObjectScriptDebugServer::JSGlobalObjectScriptDebugServer):
        (Inspector::JSGlobalObjectScriptDebugServer::addListener):
        (Inspector::JSGlobalObjectScriptDebugServer::removeListener):
        (Inspector::JSGlobalObjectScriptDebugServer::recompileAllJSFunctions):
        (Inspector::JSGlobalObjectScriptDebugServer::runEventLoopWhilePaused):
        * inspector/JSGlobalObjectScriptDebugServer.h: Added.
        Simple implementation of ScriptDebugServer with a JSGlobalObject.

        * inspector/agents/InspectorDebuggerAgent.cpp: Renamed from Source/WebCore/inspector/InspectorDebuggerAgent.cpp.
        * inspector/agents/InspectorDebuggerAgent.h: Renamed from Source/WebCore/inspector/InspectorDebuggerAgent.h.
        Copied from WebCore. A few methods need to be made virtual so that Web implementations
        can override and extend the functionality. E.g. sourceMapURLForScript and enable/disable.

        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: Added.
        * inspector/agents/JSGlobalObjectDebuggerAgent.h: Added.
        (Inspector::JSGlobalObjectDebuggerAgent::JSGlobalObjectDebuggerAgent):
        (Inspector::JSGlobalObjectDebuggerAgent::startListeningScriptDebugServer):
        (Inspector::JSGlobalObjectDebuggerAgent::stopListeningScriptDebugServer):
        (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
        Simple implementation of DebuggerAgent with a JSGlobalObject.

2014-01-25 Mark Lam <mark.lam@apple.com>

        Gardening: fix build breakage from previous commit.

        Not reviewed.

        * profiler/ProfileNode.cpp:
        (JSC::ProfileNode::debugPrintData):
        - Removed obsolete references to "visible" timers.

2014-01-25 Timothy Hatcher <timothy@apple.com>

        Remove dead code from the JSC profiler.

        https://bugs.webkit.org/show_bug.cgi?id=127643

        Reviewed by Mark Lam.

        * profiler/Profile.cpp:
        * profiler/Profile.h:
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::stopProfiling):
        * profiler/ProfileNode.cpp:
        (JSC::ProfileNode::ProfileNode):
        (JSC::ProfileNode::stopProfiling):
        (JSC::ProfileNode::endAndRecordCall):
        (JSC::ProfileNode::debugPrintData):
        (JSC::ProfileNode::debugPrintDataSampleStyle):
        * profiler/ProfileNode.h:
        (JSC::ProfileNode::totalTime):
        (JSC::ProfileNode::setTotalTime):
        (JSC::ProfileNode::selfTime):
        (JSC::ProfileNode::setSelfTime):
        (JSC::ProfileNode::totalPercent):
        (JSC::ProfileNode::selfPercent):
        Remove support for things like focus and exclude. The Inspector does those in JS now.

2014-01-25 Sam Weinig <sam@webkit.org>

        Remove unused support for DRAGGABLE_REGION
        https://bugs.webkit.org/show_bug.cgi?id=127642

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2014-01-25 Darin Adler <darin@apple.com>

        Try to fix Mac build.

        * runtime/DatePrototype.cpp: Put the include of <unicode/udat.h> inside
        a conditional since we don't have that header in our Mac build configuration.

2014-01-25 Darin Adler <darin@apple.com>

        Call deprecatedCharacters instead of characters at more call sites
        https://bugs.webkit.org/show_bug.cgi?id=127631

        Reviewed by Sam Weinig.

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString):
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::~OpaqueJSString):
        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue):
        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::createSearchRegexSource):
        * inspector/InspectorValues.cpp:
        * runtime/Identifier.h:
        (JSC::Identifier::deprecatedCharacters):
        * runtime/JSStringBuilder.h:
        (JSC::JSStringBuilder::append):
        Use the new name.

2014-01-25 Darin Adler <darin@apple.com>

        Get rid of ICU_UNICODE and WCHAR_UNICODE remnants
        https://bugs.webkit.org/show_bug.cgi?id=127623

        Reviewed by Anders Carlsson.

        * runtime/DatePrototype.cpp: Removed USE(ICU_UNICODE) checks, since that's always true now.

2014-01-25 Darin Adler <darin@apple.com>

        [Mac] Rewrite locale-specific date formatting code to remove strange string creation
        https://bugs.webkit.org/show_bug.cgi?id=127624

        Reviewed by Anders Carlsson.

        * runtime/DatePrototype.cpp:
        (JSC::formatLocaleDate): Use some smart pointers and conversion operators we already
        have to do the formatting in a more straightforward way.

2014-01-25 Anders Carlsson <andersca@apple.com>

        Remove atomicIncrement/atomicDecrement
        https://bugs.webkit.org/show_bug.cgi?id=127625

        Reviewed by Andreas Kling.

        Replace atomicIncrement/atomicDecrement with std::atomic.

        * bytecode/Watchpoint.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::Database):
        (JSC::Profiler::Database::addDatabaseToAtExit):

2014-01-24 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: Move InspectorRuntimeAgent into JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=127605

        Reviewed by Timothy Hatcher.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add new files to the build.

        * inspector/agents/InspectorRuntimeAgent.h: Renamed from Source/WebCore/inspector/InspectorRuntimeAgent.h.
        * inspector/agents/InspectorRuntimeAgent.cpp: Renamed from Source/WebCore/inspector/InspectorRuntimeAgent.cpp.
        (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
        (Inspector::InspectorRuntimeAgent::parse):
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getProperties):
        - Move the agent into JavaScriptCore.
        - Modernize and clean up.
        - Make globalVM a pure virtual function for subclasses to implement.

        * inspector/agents/JSGlobalObjectRuntimeAgent.h: Added.
        * inspector/agents/JSGlobalObjectRuntimeAgent.cpp: Added.
        (Inspector::JSGlobalObjectRuntimeAgent::JSGlobalObjectRuntimeAgent):
        (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend):
        (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
        (Inspector::JSGlobalObjectRuntimeAgent::globalVM):
        (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
        Straightforward JSGlobalObject implementation.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        Add a runtime agent when inspecting a JSContext!

2014-01-23 Joseph Pecoraro <pecoraro@apple.com>

        Move JavaScriptCallFrame and ScriptDebugServer into JavaScriptCore for inspector
        https://bugs.webkit.org/show_bug.cgi?id=127543

        Reviewed by Geoffrey Garen.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add new files.

        * inspector/ScriptDebugListener.h:
        Extract WebCore knowledge from ScriptDebugServer. This will
        eventually be made to work outside of WebCore.

        * inspector/ScriptDebugServer.h: Renamed from Source/WebCore/bindings/js/ScriptDebugServer.h.
        * inspector/ScriptDebugServer.cpp: Renamed from Source/WebCore/bindings/js/ScriptDebugServer.cpp.
        (Inspector::ScriptDebugServer::evaluateBreakpointAction):
        (Inspector::ScriptDebugServer::dispatchDidPause):
        (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
        (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
        (Inspector::ScriptDebugServer::sourceParsed):
        (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
        (Inspector::ScriptDebugServer::handlePause):
        Modernize code, and call the new ScriptDebugListener callbacks where appropriate.

        * inspector/JSJavaScriptCallFrame.cpp: Renamed from Source/WebCore/bindings/js/JSJavaScriptCallFrameCustom.cpp.
        (Inspector::JSJavaScriptCallFrame::JSJavaScriptCallFrame):
        (Inspector::JSJavaScriptCallFrame::finishCreation):
        (Inspector::JSJavaScriptCallFrame::createPrototype):
        (Inspector::JSJavaScriptCallFrame::destroy):
        (Inspector::JSJavaScriptCallFrame::releaseImpl):
        (Inspector::JSJavaScriptCallFrame::~JSJavaScriptCallFrame):
        (Inspector::JSJavaScriptCallFrame::evaluate):
        (Inspector::JSJavaScriptCallFrame::scopeType):
        (Inspector::JSJavaScriptCallFrame::caller):
        (Inspector::JSJavaScriptCallFrame::sourceID):
        (Inspector::JSJavaScriptCallFrame::line):
        (Inspector::JSJavaScriptCallFrame::column):
        (Inspector::JSJavaScriptCallFrame::functionName):
        (Inspector::JSJavaScriptCallFrame::scopeChain):
        (Inspector::JSJavaScriptCallFrame::thisObject):
        (Inspector::JSJavaScriptCallFrame::type):
        (Inspector::toJS):
        (Inspector::toJSJavaScriptCallFrame):
        * inspector/JSJavaScriptCallFrame.h: Added.
        (Inspector::JSJavaScriptCallFrame::createStructure):
        (Inspector::JSJavaScriptCallFrame::create):
        (Inspector::JSJavaScriptCallFrame::impl):
        * inspector/JSJavaScriptCallFramePrototype.cpp: Added.
        (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
        (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluate):
        (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeType):
        (Inspector::jsJavaScriptCallFrameAttributeCaller):
        (Inspector::jsJavaScriptCallFrameAttributeSourceID):
        (Inspector::jsJavaScriptCallFrameAttributeLine):
        (Inspector::jsJavaScriptCallFrameAttributeColumn):
        (Inspector::jsJavaScriptCallFrameAttributeFunctionName):
        (Inspector::jsJavaScriptCallFrameAttributeScopeChain):
        (Inspector::jsJavaScriptCallFrameAttributeThisObject):
        (Inspector::jsJavaScriptCallFrameAttributeType):
        (Inspector::jsJavaScriptCallFrameConstantGLOBAL_SCOPE):
        (Inspector::jsJavaScriptCallFrameConstantLOCAL_SCOPE):
        (Inspector::jsJavaScriptCallFrameConstantWITH_SCOPE):
        (Inspector::jsJavaScriptCallFrameConstantCLOSURE_SCOPE):
        (Inspector::jsJavaScriptCallFrameConstantCATCH_SCOPE):
        * inspector/JSJavaScriptCallFramePrototype.h: Added.
        (Inspector::JSJavaScriptCallFramePrototype::create):
        (Inspector::JSJavaScriptCallFramePrototype::createStructure):
        (Inspector::JSJavaScriptCallFramePrototype::JSJavaScriptCallFramePrototype):
        * inspector/JavaScriptCallFrame.cpp: Renamed from Source/WebCore/bindings/js/JavaScriptCallFrame.cpp.
        (Inspector::JavaScriptCallFrame::caller):
        * inspector/JavaScriptCallFrame.h: Renamed from Source/WebCore/bindings/js/JavaScriptCallFrame.h.
        Port of JavaScriptCallFrame.idl to a set of native JS classes.

2014-01-24 Mark Lam <mark.lam@apple.com>

        DebuggerCallFrame::evaluateWithCallFrame() should not execute a null executable.
        <https://webkit.org/b/127600>

        Reviewed by Oliver Hunt.

        In DebuggerCallFrame::evaluateWithCallFrame(), if the script string that
        is passed in is bad, it will fail to create an Executable i.e.
        EvalExecutable::create() returns a null pointer. However,
        DebuggerCallFrame::evaluateWithCallFrame() was just clearing the
        exception and proceeded to execute the null pointer as an Executable.
        A crash ensues.

        Now, if an exception is detected while creating the Executable, we
        abort instead.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluateWithCallFrame):

2014-01-24 Oliver Hunt <oliver@apple.com>

        Put functions need to take a base object and a this value, and perform type checks on |this|
        https://bugs.webkit.org/show_bug.cgi?id=127594

        Reviewed by Geoffrey Garen.

        Change the signature for static setter functions, and update uses.

        * create_hash_table:
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::setRegExpConstructorInput):
        (JSC::setRegExpConstructorMultiline):

2014-01-24 Oliver Hunt <oliver@apple.com>

        Generic JSObject::put should handle static properties in the classinfo hierarchy
        https://bugs.webkit.org/show_bug.cgi?id=127523

        Reviewed by Geoffrey Garen.

        This patch makes JSObject::put correctly call static setters
        defined by the ClassInfo.

        To make this not clobber performance, the ClassInfo HashTable
        now includes a flag to indicate that it contains setters. This
        required updating the lut generator so that it tracked (and emitted)
        this.

        The rest of the change was making a number of the methods take
        a VM rather than an ExecState*, so that Structure could set the
        getter/setter flags during construction (if necessary).

        This also means most objects do not need to perform a lookupPut
        manually anymore, so most custom ::put's are no longer needed.
        DOMWindow is the only exception as it has interesting security
        related semantics.

        * create_hash_table:
        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable):
        (JSC::ExecState::arrayPrototypeTable):
        (JSC::ExecState::booleanPrototypeTable):
        (JSC::ExecState::dataViewTable):
        (JSC::ExecState::dateTable):
        (JSC::ExecState::dateConstructorTable):
        (JSC::ExecState::errorPrototypeTable):
        (JSC::ExecState::globalObjectTable):
        (JSC::ExecState::jsonTable):
        (JSC::ExecState::numberConstructorTable):
        (JSC::ExecState::numberPrototypeTable):
        (JSC::ExecState::objectConstructorTable):
        (JSC::ExecState::privateNamePrototypeTable):
        (JSC::ExecState::regExpTable):
        (JSC::ExecState::regExpConstructorTable):
        (JSC::ExecState::regExpPrototypeTable):
        (JSC::ExecState::stringConstructorTable):
        (JSC::ExecState::promisePrototypeTable):
        (JSC::ExecState::promiseConstructorTable):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getOwnPropertySlot):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlot):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::propHashTable):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlot):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlot):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertySlot):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getOwnPropertySlot):
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::getOwnPropertySlot):
        * runtime/Lookup.h:
        (JSC::HashTable::copy):
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::getOwnPropertySlot):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlot):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlot):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        (JSC::RegExpObject::put):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlot):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlot):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::freezeTransition):
        (JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):

2014-01-24 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r162713.
        http://trac.webkit.org/changeset/162713
        https://bugs.webkit.org/show_bug.cgi?id=127593

        broke media/network-no-source-const-shadow (Requested by
        thorton on #webkit).

        * create_hash_table:
        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable):
        (JSC::ExecState::arrayPrototypeTable):
        (JSC::ExecState::booleanPrototypeTable):
        (JSC::ExecState::dataViewTable):
        (JSC::ExecState::dateTable):
        (JSC::ExecState::dateConstructorTable):
        (JSC::ExecState::errorPrototypeTable):
        (JSC::ExecState::globalObjectTable):
        (JSC::ExecState::jsonTable):
        (JSC::ExecState::numberConstructorTable):
        (JSC::ExecState::numberPrototypeTable):
        (JSC::ExecState::objectConstructorTable):
        (JSC::ExecState::privateNamePrototypeTable):
        (JSC::ExecState::regExpTable):
        (JSC::ExecState::regExpConstructorTable):
        (JSC::ExecState::regExpPrototypeTable):
        (JSC::ExecState::stringConstructorTable):
        (JSC::ExecState::promisePrototypeTable):
        (JSC::ExecState::promiseConstructorTable):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getOwnPropertySlot):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlot):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::propHashTable):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlot):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlot):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertySlot):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getOwnPropertySlot):
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::getOwnPropertySlot):
        * runtime/Lookup.h:
        (JSC::HashTable::copy):
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::getOwnPropertySlot):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        (JSC::NumberConstructor::put):
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlot):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlot):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        (JSC::RegExpConstructor::put):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        (JSC::RegExpObject::put):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlot):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlot):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::freezeTransition):

2014-01-24 Mark Lam <mark.lam@apple.com>

        ASSERT(!m_markedSpace.m_currentDelayedReleaseScope) reloading page in inspector.
        <https://webkit.org/b/127582>

        Reviewed by Mark Hahnenberg.

        1. We should not enter a HeapIterationScope when we iterate the CodeBlocks.
           Apparently, iterating the CodeBlocks does not count as heap iteration.

        2. If we're detaching the debugger due to the JSGlobalObject destructing,
           then we don't need to clear the debugger requests in the associated
           CodeBlocks. The JSGlobalObject destructing would mean that those
           CodeBlocks would be destructing too, and it may not be safe to access
           them anyway at this point.

        The assertion failure is because we had entered a HeapIterationScope
        while the JSGlobalObject is destructing, which in turn means that GC
        sweeping is in progress. It's not legal to iterate the heap while the GC
        is sweeping. Once we fixed the above 2 issues, we will no longer have
        the conditions that manifest this assertion failure.

        * debugger/Debugger.cpp:
        (JSC::Debugger::detach):
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::toggleBreakpoint):
        (JSC::Debugger::clearBreakpoints):
        (JSC::Debugger::clearDebuggerRequests):
        * debugger/Debugger.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::~JSGlobalObject):

2014-01-24 Brent Fulgham <bfulgham@apple.com>

        [Win] Convert some NMake files to MSBuild project files
        https://bugs.webkit.org/show_bug.cgi?id=127579

        Reviewed by Tim Horton.

        * JavaScriptCore.vcxproj/JavaScriptCore.make: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCore.proj: Added.

2014-01-24 Mark Lam <mark.lam@apple.com>

        Fixed a bad assertion in CodeBlock::removeBreakpoint().
        <https://webkit.org/b/127581>

        Reviewed by Joseph Pecoraro.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::removeBreakpoint):

2014-01-24 Joseph Pecoraro <pecoraro@apple.com>

        fast/profiler tests ASSERTing after moving recompileAllJSFunctions off a timer
        https://bugs.webkit.org/show_bug.cgi?id=127566

        Reviewed by Oliver Hunt.

        Make the VM handle recompilation as soon as possible after it is requested.

        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        When in a JavaScript stack, mark for recompilation when possible.

        * runtime/VMEntryScope.h:
        (JSC::VMEntryScope::setRecompilationNeeded):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::~VMEntryScope):
        Handle recompilation when the top VMEntryScope is popped.
        Pass the needs recompilation flag up the stack if needed.

2014-01-24 Oliver Hunt <oliver@apple.com>

        Generic JSObject::put should handle static properties in the classinfo hierarchy
        https://bugs.webkit.org/show_bug.cgi?id=127523

        Reviewed by Geoffrey Garen.

        This patch makes JSObject::put correctly call static setters
        defined by the ClassInfo.

        To make this not clobber performance, the ClassInfo HashTable
        now includes a flag to indicate that it contains setters. This
        required updating the lut generator so that it tracked (and emitted)
        this.

        The rest of the change was making a number of the methods take
        a VM rather than an ExecState*, so that Structure could set the
        getter/setter flags during construction (if necessary).

        This also means most objects do not need to perform a lookupPut
        manually anymore, so most custom ::put's are no longer needed.
        DOMWindow is the only exception as it has interesting security
        related semantics.

        * create_hash_table:
        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable):
        (JSC::ExecState::arrayPrototypeTable):
        (JSC::ExecState::booleanPrototypeTable):
        (JSC::ExecState::dataViewTable):
        (JSC::ExecState::dateTable):
        (JSC::ExecState::dateConstructorTable):
        (JSC::ExecState::errorPrototypeTable):
        (JSC::ExecState::globalObjectTable):
        (JSC::ExecState::jsonTable):
        (JSC::ExecState::numberConstructorTable):
        (JSC::ExecState::numberPrototypeTable):
        (JSC::ExecState::objectConstructorTable):
        (JSC::ExecState::privateNamePrototypeTable):
        (JSC::ExecState::regExpTable):
        (JSC::ExecState::regExpConstructorTable):
        (JSC::ExecState::regExpPrototypeTable):
        (JSC::ExecState::stringConstructorTable):
        (JSC::ExecState::promisePrototypeTable):
        (JSC::ExecState::promiseConstructorTable):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getOwnPropertySlot):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlot):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::propHashTable):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlot):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlot):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertySlot):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getOwnPropertySlot):
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::getOwnPropertySlot):
        * runtime/Lookup.h:
        (JSC::HashTable::copy):
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::getOwnPropertySlot):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlot):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlot):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        (JSC::RegExpObject::put):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlot):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlot):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::freezeTransition):
        (JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):

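Both entries titled "Generic JSObject::put should handle static properties in the classinfo hierarchy" (this original landing and the re-landing earlier in the log, after the roll-out in between) describe the same mechanism: a per-ClassInfo static table carries a precomputed "has setters or read-only entries" flag so a generic put can walk the class hierarchy cheaply and still let static setters intercept writes. The C++ below is an added example, not JavaScriptCore's Lookup.h or JSObject::put; every type and property name in it is invented for the demo.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>

// Added example, not JavaScriptCore's Lookup.h / JSObject::put. It models the
// ChangeLog's idea: each ClassInfo has a static property table whose
// "has setter or read-only entry" flag is computed once (what the lut
// generator would emit), so a generic put() only searches tables that can
// actually intercept a write. All names below are invented.
namespace demo {

struct Object;
using StaticSetter = bool (*)(Object&, int32_t);

struct StaticEntry {
    const char* name;
    StaticSetter setter; // nullptr for plain data/function entries
    bool readOnly;       // a write is silently ignored
};

struct StaticTable {
    const StaticEntry* entries;
    size_t count;
    bool hasSetterOrReadOnly; // the flag the generator would emit

    static constexpr bool computeFlag(const StaticEntry* e, size_t n)
    {
        for (size_t i = 0; i < n; ++i)
            if (e[i].setter || e[i].readOnly) return true;
        return false;
    }
    const StaticEntry* find(const std::string& key) const
    {
        for (size_t i = 0; i < count; ++i)
            if (key == entries[i].name) return &entries[i];
        return nullptr;
    }
};

struct ClassInfo {
    const char* className;
    const ClassInfo* parent;
    const StaticTable* table; // may be null
};

struct Object {
    const ClassInfo* classInfo;
    std::map<std::string, int32_t> ownProperties;
    int32_t lastIndex = 0; // backing store for the static setter below
};

// Generic put: a static setter or read-only entry anywhere up the ClassInfo
// chain wins over creating an own property, so subclasses no longer need a
// hand-written ::put to get this right.
bool put(Object& object, const std::string& name, int32_t value)
{
    for (const ClassInfo* info = object.classInfo; info; info = info->parent) {
        if (!info->table || !info->table->hasSetterOrReadOnly)
            continue; // cheap skip: nothing in this table can intercept a write
        const StaticEntry* entry = info->table->find(name);
        if (!entry)
            continue;
        if (entry->readOnly)
            return false;
        if (entry->setter)
            return entry->setter(object, value);
    }
    object.ownProperties[name] = value;
    return true;
}

// --- sample hierarchy, constructed for this demo ---
static bool setLastIndex(Object& object, int32_t value)
{
    object.lastIndex = value < 0 ? 0 : value; // a setter may validate its input
    return true;
}

static constexpr StaticEntry regExpEntries[] = {
    { "lastIndex", setLastIndex, false },
    { "source", nullptr, true },
};
static constexpr StaticTable regExpTable = {
    regExpEntries, 2, StaticTable::computeFlag(regExpEntries, 2)
};
static constexpr StaticEntry plainEntries[] = { { "toString", nullptr, false } };
static constexpr StaticTable plainTable = {
    plainEntries, 1, StaticTable::computeFlag(plainEntries, 1)
};

constexpr ClassInfo objectInfo = { "Object", nullptr, &plainTable };
constexpr ClassInfo regExpInfo = { "RegExp", &objectInfo, &regExpTable };
constexpr ClassInfo subclassInfo = { "MyRegExp", &regExpInfo, nullptr }; // no table of its own

} // namespace demo
```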
2014-01-24 Mark Lam <mark.lam@apple.com>

        Skip op_profiler callbacks if !VM::m_enabledProfiler.
        https://bugs.webkit.org/show_bug.cgi?id=127567.

        Reviewed by Geoffrey Garen.

        The profiler may not be always active (recording). When it's not active
        (as in VM::m_enabledProfiler is null), then we might as well skip the
        op_profiler callbacks. The callbacks themselves were already previously
        gated by a VM::enabledProfiler() check. So, this change does not change
        any profiler behavior.

        For the DFG, we'll turn the op_profiler handling into speculation checks
        and OSR exit to the baseline JIT if the profiler becomes active.

        This brings the Octane score up to ~3000 from ~2840.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGNodeType.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_will_call):
        (JSC::JIT::emit_op_profile_did_call):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_will_call):
        (JSC::JIT::emit_op_profile_did_call):
        * llint/LowLevelInterpreter.asm:
        * runtime/VM.h:
        (JSC::VM::enabledProfilerAddress):

2014-01-24 Mark Lam <mark.lam@apple.com>

        Removing the need for Debugger* and m_shouldPause op_debug check.
        <https://webkit.org/b/127532>

        Reviewed by Geoffrey Garen.

        This patch replaces the checking of the Debugger::m_shouldPause flag
        with a procedure to set a SteppingMode flag on all CodeBlocks under
        the management of the debugger. This simplifies the op_debug checking
        logic in all the execution engines.

        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasDebuggerRequests):
        (JSC::CodeBlock::debuggerRequestsAddress):
        (JSC::CodeBlock::setSteppingMode):
        (JSC::CodeBlock::clearDebuggerRequests):
        - CodeBlock::m_debuggerRequests is a union of m_numBreakpoints and the
          new m_steppingMode. The debugger can add/remove breakpoints to the
          CodeBlock as well as set the stepping mode. By having
          m_debuggerRequests as a union of the 2 bit fields, the op_debug code
          can now check if any of the 2 requests made on the CodeBlock is still
          in effect just by testing a single int.

        * debugger/Debugger.cpp:
        (JSC::Debugger::Debugger):
        (JSC::Debugger::detach):
        - This was a bug from before where I forgot to clear the CodeBlock
          breakpoints before detaching. We now take care of it by clearing all
          debugger requests made to the CodeBlock.

        (JSC::Debugger::SetSteppingModeFunctor::SetSteppingModeFunctor):
        (JSC::Debugger::SetSteppingModeFunctor::operator()):
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::ClearCodeBlockDebuggerRequestsFunctor):
        (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator()):
        (JSC::Debugger::clearBreakpoints):

        (JSC::Debugger::ClearDebuggerRequestsFunctor::ClearDebuggerRequestsFunctor):
        (JSC::Debugger::ClearDebuggerRequestsFunctor::operator()):
        (JSC::Debugger::clearDebuggerRequests):
        - We need a distinct clearDebuggerRequests() from clearBreakpoints()
          because:
          1. When we detach a globalObject, we only want to clear the debugger
             requests in CodeBlocks from that global.
          2. Clearing the debugger requests in the CodeBlocks is not the same
             as clearing the breakpoints. The breakpoints are still in effect
             for the next time a globalObject is attached, or for other
             globalObjects that are still attached.

        (JSC::Debugger::setPauseOnNextStatement):
        (JSC::Debugger::breakProgram):
        (JSC::Debugger::stepIntoStatement):
        (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
        (JSC::Debugger::pauseIfNeeded):
        (JSC::Debugger::exception):
        (JSC::Debugger::willExecuteProgram):
        (JSC::Debugger::didReachBreakpoint):
        * debugger/Debugger.h:
        - We're always going to support the debugger. So, there's no longer
          a need to check ENABLE(JAVASCRIPT_DEBUGGER). Removed the unneeded code.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::debug):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_debug):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_debug):
        * llint/LowLevelInterpreter.asm:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::setDebugger):

81812014-01-24 Michael Saboff <msaboff@apple.com>
8182
8183 ARM Offline assembler temporary register allocator has duplicate register when building fat binaries
8184 https://bugs.webkit.org/show_bug.cgi?id=127545
8185
8186 Reviewed by Mark Lam.
8187
8188 Eliminate the conditional addition of r11/r7 from getModifiedListARMCommon as the
8189 .concat will add the new register to ARM_EXTRA_GPRS. If getModifiedListARMCommon is
8190 invoked a second time, there will be a second r11 or r7, which messes things up.
8191 Instead, r6 was added to ARM_EXTRA_GPRS. r6 is currently an unused register.
8192
8193 * offlineasm/arm.rb:
8194
81952014-01-23 Joseph Pecoraro <pecoraro@apple.com>
8196
8197 Move ContentSearchUtils, ScriptBreakpoint, and ScriptDebugListener into JavaScriptCore for inspector
8198 https://bugs.webkit.org/show_bug.cgi?id=127537
8199
8200 Reviewed by Timothy Hatcher.
8201
8202 * CMakeLists.txt:
8203 * GNUmakefile.list.am:
8204 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
8205 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
8206 * JavaScriptCore.xcodeproj/project.pbxproj:
8207 * inspector/ContentSearchUtilities.cpp: Renamed from Source/WebCore/inspector/ContentSearchUtils.cpp.
8208 (Inspector::ContentSearchUtilities::createSearchRegexSource):
8209 (Inspector::ContentSearchUtilities::sizetExtractor):
8210 (Inspector::ContentSearchUtilities::textPositionFromOffset):
8211 (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines):
8212 (Inspector::ContentSearchUtilities::lineEndings):
8213 (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
8214 (Inspector::ContentSearchUtilities::createSearchRegex):
8215 (Inspector::ContentSearchUtilities::countRegularExpressionMatches):
8216 (Inspector::ContentSearchUtilities::searchInTextByLines):
8217 (Inspector::ContentSearchUtilities::scriptCommentPattern):
8218 (Inspector::ContentSearchUtilities::stylesheetCommentPattern):
8219 (Inspector::ContentSearchUtilities::findMagicComment):
8220 (Inspector::ContentSearchUtilities::findScriptSourceURL):
8221 (Inspector::ContentSearchUtilities::findScriptSourceMapURL):
8222 (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
8223 * inspector/ContentSearchUtilities.h: Renamed from Source/WebCore/inspector/ContentSearchUtils.h.
8224 * inspector/ScriptBreakpoint.h: Renamed from Source/WebCore/inspector/ScriptBreakpoint.h.
8225 (Inspector::ScriptBreakpointAction::ScriptBreakpointAction):
8226 (Inspector::ScriptBreakpoint::ScriptBreakpoint):
8227 * inspector/ScriptDebugListener.h: Renamed from Source/WebCore/inspector/ScriptDebugListener.h.
8228 (Inspector::ScriptDebugListener::Script::Script):
8229 (Inspector::ScriptDebugListener::~ScriptDebugListener):
8230 * runtime/RegExp.cpp:
8231 (JSC::RegExp::match):
8232
82332014-01-23 Joseph Pecoraro <pecoraro@apple.com>
8234
8235 Move RegularExpression into JavaScriptCore for inspector
8236 https://bugs.webkit.org/show_bug.cgi?id=127526
8237
8238 Reviewed by Geoffrey Garen.
8239
8240 Move RegularExpression into JavaScriptCore/yarr so it can
8241 be used later on by JavaScriptCore/inspector. Convert to
8242 the JSC::Yarr namespace.
8243
8244 * CMakeLists.txt:
8245 * GNUmakefile.list.am:
8246 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
8247 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
8248 * JavaScriptCore.xcodeproj/project.pbxproj:
8249 * yarr/RegularExpression.cpp: Renamed from Source/WebCore/platform/text/RegularExpression.cpp.
8250 (JSC::Yarr::RegularExpression::Private::create):
8251 (JSC::Yarr::RegularExpression::Private::Private):
8252 (JSC::Yarr::RegularExpression::Private::compile):
8253 (JSC::Yarr::RegularExpression::RegularExpression):
8254 (JSC::Yarr::RegularExpression::~RegularExpression):
8255 (JSC::Yarr::RegularExpression::operator=):
8256 (JSC::Yarr::RegularExpression::match):
8257 (JSC::Yarr::RegularExpression::searchRev):
8258 (JSC::Yarr::RegularExpression::matchedLength):
8259 (JSC::Yarr::replace):
8260 (JSC::Yarr::RegularExpression::isValid):
8261 * yarr/RegularExpression.h: Renamed from Source/WebCore/platform/text/RegularExpression.h.
8262
82632014-01-23 Joseph Pecoraro <pecoraro@apple.com>
8264
8265 Web Inspector: Remove recompileAllJSFunctions timer in ScriptDebugServer
8266 https://bugs.webkit.org/show_bug.cgi?id=127409
8267
8268 Reviewed by Geoffrey Garen.
8269
8270 * inspector/InspectorAgentBase.h:
8271 When disconnecting agents, provide an InspectorDisconnectReason for
8272 the disconnection. It could be that an inspector frontend is just
8273 disconnecting or that the inspected object is going away entirely
8274 and we can avoid doing some work.
8275
8276 * runtime/JSGlobalObjectDebuggable.h:
8277 * runtime/JSGlobalObjectDebuggable.cpp:
8278 (JSC::JSGlobalObjectDebuggable::~JSGlobalObjectDebuggable):
8279 (JSC::JSGlobalObjectDebuggable::disconnect):
8280 (JSC::JSGlobalObjectDebuggable::disconnectInternal):
8281 Pass different reasons for the different disconnects.
8282
8283 * inspector/InspectorAgentRegistry.cpp:
8284 (Inspector::InspectorAgentRegistry::willDestroyFrontendAndBackend):
8285 * inspector/InspectorAgentRegistry.h:
8286 * inspector/JSGlobalObjectInspectorController.cpp:
8287 (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
8288 * inspector/JSGlobalObjectInspectorController.h:
8289 * inspector/agents/InspectorAgent.cpp:
8290 (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
8291 * inspector/agents/InspectorAgent.h:
8292 Pass InspectorDisconnectReason around where needed.
8293
82942014-01-23 Mark Lam <mark.lam@apple.com>
8295
8296 Enable DFG for the Debugger and Profiler.
8297 <https://webkit.org/b/122847>
8298
8299 Reviewed by Geoffrey Garen.
8300
8301 In this patch, we implement DFG op_debug as a series of 3 checks:
8302 1. Check if the debugger pointer is non-null. This is needed in case
8303 the debugger has been detached but the DFG code is still running
8304 on the stack.
8305 2. Check if Debugger::m_shouldPause is true.
8306 3. Check if CodeBlock::m_numBreakpoints is non-zero.
8307
8308 These are the same 3 checks done in the LLINT and baselineJIT. But unlike
8309 the LLINT and baselineJIT, these DFG checks are implemented as
8310 speculationChecks. If the check fails, we OSR exit to the baselineJIT and
8311 let it do the work of servicing the op_debug callback.
8312
8313 Stepping through code in the debugger would work the same way. The top
8314 function being debugged has to be a LLINT or baselineJIT function because
8315 we would have OSR exited if there is a breakpoint in that function. When
8316 we step out of that function to its caller, we expect that the caller will
8317 call back to the debugger at the next op_debug. If the caller function is
8318 a DFG function, the op_debug site will fail its speculation check on
8319 Debugger::m_shouldPause and deopt into a baselineJIT function. Execution
8320 continues from there as usual, and the debugger gets its callback.
8321
8322 For the profiler, op_profile_will_call and op_profile_did_call are
8323 implemented as simple runtime calls to service the profiler.
8324
8325 With this patch, Octane performance with the WebInspector open jumps from
8326 ~2000 to ~2500 (25% progression).
8327
8328 * bytecode/CodeBlock.h:
8329 (JSC::CodeBlock::numBreakpointsAddress):
8330 * bytecode/ExitKind.cpp:
8331 (JSC::exitKindToString):
8332 * bytecode/ExitKind.h:
8333 * debugger/Debugger.cpp:
8334 (JSC::Debugger::toggleBreakpoint):
8335 - removed an obsolete assertion. The debugger can now handle DFG
8336 CodeBlocks too.
8337 * debugger/Debugger.h:
8338 * dfg/DFGAbstractInterpreterInlines.h:
8339 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
8340 * dfg/DFGByteCodeParser.cpp:
8341 (JSC::DFG::ByteCodeParser::parseBlock):
8342 * dfg/DFGCapabilities.cpp:
8343 (JSC::DFG::capabilityLevel):
8344 * dfg/DFGClobberize.h:
8345 (JSC::DFG::clobberize):
8346 * dfg/DFGFixupPhase.cpp:
8347 (JSC::DFG::FixupPhase::fixupNode):
8348 * dfg/DFGNodeType.h:
8349 * dfg/DFGPredictionPropagationPhase.cpp:
8350 (JSC::DFG::PredictionPropagationPhase::propagate):
8351 * dfg/DFGSafeToExecute.h:
8352 (JSC::DFG::safeToExecute):
8353 * dfg/DFGSpeculativeJIT.h:
8354 (JSC::DFG::SpeculativeJIT::callOperation):
8355 * dfg/DFGSpeculativeJIT32_64.cpp:
8356 (JSC::DFG::SpeculativeJIT::compile):
8357 * dfg/DFGSpeculativeJIT64.cpp:
8358 (JSC::DFG::SpeculativeJIT::compile):
8359 * runtime/JSGlobalObject.h:
8360 (JSC::JSGlobalObject::debuggerAddress):
8361
83622014-01-23 Max Vujovic <mvujovic@adobe.com>
8363
8364 Remove CSS Custom Filters code and tests
8365 https://bugs.webkit.org/show_bug.cgi?id=127382
8366
8367 Reviewed by Simon Fraser.
8368
8369 * Configurations/FeatureDefines.xcconfig:
8370
83712014-01-22 Brent Fulgham <bfulgham@apple.com>
8372
8373 [Win] Update project and solution files for 64-bit builds.
8374 https://bugs.webkit.org/show_bug.cgi?id=127457
8375
8376 Reviewed by Eric Carlson.
8377
8378 * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Add 64-bit target.
8379 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Update for VS2013
8380 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Add missing
8381 file from project view.
8382 * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Update for VS2013
8383 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Ditto
8384 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Ditto
8385
83862014-01-22 Mark Lam <mark.lam@apple.com>
8387
8388 Poor man's fast breakpoints for a 2.3x debugger speedup.
8389 <https://webkit.org/b/122836>
8390
8391 Reviewed by Geoffrey Garen.
8392
8393 Previously we gained back some performance (run at baseline JIT speeds)
8394 when the WebInspector is opened provided no breakpoints are set. This
8395 was achieved by simply skipping all op_debug callbacks to the debugger
8396 if no breakpoints are set. If any breakpoints are set, the debugger will
8397 set an m_needsOpDebugCallbacks flag which causes the callbacks to be
8398 called, and we don't get the baseline JIT speeds anymore.
8399
8400 With this patch, we will now track the number of breakpoints set in the
8401 CodeBlock that they are set in. The LLINT and baseline JIT code will
8402 check CodeBlock::m_numBreakpoints to determine if the op_debug callbacks
8403 need to be called. With this, we will only enable op_debug callbacks for
8404 CodeBlocks that need it, i.e. those with breakpoints set in them.
8405
8406 Debugger::m_needsOpDebugCallbacks is now obsoleted. The LLINT and baseline
8407 JIT code still needs to check Debugger::m_shouldPause to determine if the
8408 debugger is in stepping mode and hence, needs op_debug callbacks enabled
8409 for everything until the debugger "continues" the run and exit stepping
8410 mode.
8411
8412 Also in this patch, I fixed a regression in DOM breakpoints which relies on
8413 Debugger::breakProgram() to pause the debugger.
8414
8415 * bytecode/CodeBlock.cpp:
8416 (JSC::CodeBlock::dumpBytecode):
8417 - Missed accounting for op_debug's new hasBreakpointFlag operand here when
8418 it was added.
8419 (JSC::CodeBlock::CodeBlock):
8420 (JSC::CodeBlock::hasOpDebugForLineAndColumn):
8421 - This is needed in Debugger::toggleBreakpoint() to determine if a
8422 breakpoint falls within a CodeBlock or not. Simply checking the bounds
8423 of the CodeBlock is insufficient. For example, let's say we have the
8424 following JS code:
8425
8426 // begin global scope
8427 function f1() {
8428 function f2() {
8429 ... // set breakpoint here.
8430 }
8431 }
8432 // end global scope
8433
8434 Using the CodeBlock bounds alone, the breakpoint above will appear
8435 to be in the global program CodeBlock, and the CodeBlocks for function
8436 f1() and f2(). With CodeBlock::hasOpDebugForLineAndColumn() we can
8437 rule out the global program CodeBlock and f1(), and only apply the
8438 breakpoint to f2() where it belongs.
8439
8440 CodeBlock::hasOpDebugForLineAndColumn() works by iterating over all
8441 the opcodes in the CodeBlock to look for op_debug's. For each op_debug,
8442 it calls CodeBlock::expressionRangeForBytecodeOffset() to do a binary
8443 search to get the line and column info for that op_debug. This is a
8444 N * log(N) algorithm. However, a quick hands on test using the
8445 WebInspector (with this patch applied) to exercise setting, breaking
8446 on, and clearing breakpoints, as well as stepping through some code
8447 shows no noticeable degradation of the user experience compared to the
8448 baseline without this patch.
8449
8450 * bytecode/CodeBlock.h:
8451 (JSC::CodeBlock::numBreakpoints):
8452 (JSC::CodeBlock::numBreakpointsOffset):
8453 (JSC::CodeBlock::addBreakpoint):
8454 (JSC::CodeBlock::removeBreakpoint):
8455 (JSC::CodeBlock::clearAllBreakpoints):
8456 * debugger/Breakpoint.h:
8457 - defined Breakpoint::unspecifiedColumn so that we can explicitly indicate
8458 when the WebInspector was setting a line breakpoint and did not provide
8459 a column value. CodeBlock::hasOpDebugForLineAndColumn() needs this
8460 information in order to loosen its matching criteria for op_debug
8461 bytecodes for the specified breakpoint line and column values provided
8462 by the debugger.
8463
8464 Previously, we just hijacked a 0 value column as an unspecified column.
8465 However, the WebInspector operates on 0-based ints for column values.
8466 Hence, 0 should be a valid column value and should not be hijacked to
8467 mean an unspecified column.
8468
8469 * debugger/Debugger.cpp:
8470 (JSC::Debugger::Debugger):
8471 - added tracking of the VM that the debugger is used with. This is
8472 needed by Debugger::breakProgram().
8473
8474 The VM pointer is attained from the first JSGlobalObject that the debugger
8475 attaches to. When the debugger detaches from the last JSGlobalObject, it
8476 will nullify its VM pointer to allow a new one to be set on the next
8477 attach.
8478
8479 We were always only using each debugger instance with one VM. This change
8480 makes it explicit with an assert to ensure that all globalObjects that
8481 the debugger attaches to belong to the same VM.
8482
8483 (JSC::Debugger::attach):
8484 (JSC::Debugger::detach):
8485 (JSC::Debugger::setShouldPause):
8486
8487 (JSC::Debugger::registerCodeBlock):
8488 (JSC::Debugger::unregisterCodeBlock):
8489 - registerCodeBlock() is responsible for applying pre-existing breakpoints
8490 to new CodeBlocks being installed. Similarly, unregisterCodeBlock()
8491 clears the breakpoints.
8492
8493 (JSC::Debugger::toggleBreakpoint):
8494 - This is the workhorse function that checks if a breakpoint falls within
8495 a CodeBlock or not. If it does, then it can either enable or disable
8496 said breakpoint in the CodeBlock. In the current implementation,
8497 enabling/disabling the breakpoint simply means incrementing/decrementing
8498 the CodeBlock's m_numBreakpoints.
8499
8500 (JSC::Debugger::applyBreakpoints):
8501
8502 (JSC::Debugger::ToggleBreakpointFunctor::ToggleBreakpointFunctor):
8503 (JSC::Debugger::ToggleBreakpointFunctor::operator()):
8504 (JSC::Debugger::toggleBreakpoint):
8505 - Iterates all relevant CodeBlocks and applies the specified breakpoint
8506 if appropriate. This is called when a new breakpoint is being defined
8507 by the WebInspector and needs to be applied to an already installed
8508 CodeBlock.
8509
8510 (JSC::Debugger::setBreakpoint):
8511 (JSC::Debugger::removeBreakpoint):
8512 (JSC::Debugger::hasBreakpoint):
8513 (JSC::Debugger::ClearBreakpointsFunctor::ClearBreakpointsFunctor):
8514 (JSC::Debugger::ClearBreakpointsFunctor::operator()):
8515 (JSC::Debugger::clearBreakpoints):
8516
8517 (JSC::Debugger::breakProgram):
8518 - Fixed a regression that broke DOM breakpoints. The issue is that with
8519 the skipping of op_debug callbacks, we don't always have an updated
8520 m_currentCallFrame. Normally, m_currentCallFrame is provided as arg
8521 in the op_debug callback. In this case, we can get the CallFrame* from
8522 m_vm->topCallFrame.
8523
8524 (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
8525 (JSC::Debugger::pauseIfNeeded):
8526 (JSC::Debugger::willExecuteProgram):
8527 * debugger/Debugger.h:
8528 (JSC::Debugger::Debugger):
8529 (JSC::Debugger::shouldPause):
8530
8531 * heap/CodeBlockSet.h:
8532 (JSC::CodeBlockSet::iterate):
8533 * heap/Heap.h:
8534 (JSC::Heap::forEachCodeBlock):
8535 - Added utility to iterate all CodeBlocks in the heap / VM.
8536
8537 * interpreter/Interpreter.cpp:
8538 (JSC::Interpreter::debug):
8539
8540 * jit/JITOpcodes.cpp:
8541 (JSC::JIT::emit_op_debug):
8542 * jit/JITOpcodes32_64.cpp:
8543 (JSC::JIT::emit_op_debug):
8544 * llint/LowLevelInterpreter.asm:
8545 - These now check CodeBlock::m_numBreakpoints and Debugger::m_shouldPause
8546 instead of Debugger::m_needsOpDebugCallbacks.
8547
8548 * runtime/Executable.cpp:
8549 (JSC::ScriptExecutable::installCode):
8550
85512014-01-22 Myles C. Maxfield <mmaxfield@apple.com>
8552
8553 Remove CSS3_TEXT_DECORATION define
8554 https://bugs.webkit.org/show_bug.cgi?id=127333
8555
8556 This is required for unprefixing the text-decoration-* CSS properties.
8557
8558 Reviewed by Simon Fraser.
8559
8560 * Configurations/FeatureDefines.xcconfig:
8561
85622014-01-22 Alexey Proskuryakov <ap@apple.com>
8563
8564 Update JS whitespace definition for changes in Unicode 6.3
8565 https://bugs.webkit.org/show_bug.cgi?id=127450
8566 <rdar://15863457>
8567
8568 Reviewed by Oliver Hunt.
8569
8570 Covered by existing tests when running against a Unicode back-end that supports
8571 Unicode 6.3 or higher.
8572
8573 * runtime/JSGlobalObjectFunctions.cpp: (JSC::isStrWhiteSpace): Explicitly allow
8574 U+180E MONGOLIAN VOWEL SEPARATOR, because we need to keep recognizing all characters
8575 that used to be whitespace.
8576
85772014-01-21 Mark Hahnenberg <mhahnenberg@apple.com>
8578
8579 Registers used in writeBarrierOnOperand can cause clobbering on some platforms
8580 https://bugs.webkit.org/show_bug.cgi?id=127357
8581
8582 Reviewed by Filip Pizlo.
8583
8584 Some platforms use t0 and t1 for their first two arguments, so using those to load the
8585 cell for the write barrier is a bad idea because it will get clobbered.
8586
8587 * llint/LowLevelInterpreter32_64.asm:
8588 * llint/LowLevelInterpreter64.asm:
8589
85902014-01-21 Mark Rowe <mrowe@apple.com>
8591
8592 Mac production build fix.
8593
8594 Move the shell script build phase to copy jsc into JavaScriptCore.framework
8595 out of the jsc target and into the All target so that it's not run during
8596 production builds. Xcode appears to the parent directories of paths referenced
8597 in the Output Files of the build phase, which leads to problems when the
8598 SYMROOT for the JavaScriptCore framework and the jsc executables are later merged.
8599
8600 I've also fixed the path to the Resources folder in the script while I'm here.
8601 On iOS the framework bundle is shallow so the correct destination is Resources/
8602 rather than Versions/A/Resources. This is handled by tweaking the
8603 JAVASCRIPTCORE_RESOURCES_DIR configuration setting to be relative rather than
8604 a complete path so we can reuse it in the script. The references in JSC.xcconfig
8605 and ToolExecutable.xcconfig are updated to prepend JAVASCRIPTCORE_FRAMEWORKS_DIR
8606 to preserve their former values.
8607
8608 * Configurations/Base.xcconfig:
8609 * Configurations/JSC.xcconfig:
8610 * Configurations/ToolExecutable.xcconfig:
8611 * JavaScriptCore.xcodeproj/project.pbxproj:
8612
86132014-01-19 Andreas Kling <akling@apple.com>
8614
8615 JSC Parser: Shrink BindingNode.
8616 <https://webkit.org/b/127253>
8617
8618 The "divot" and "end" source locations are always identical for
8619 BindingNodes, so store only "start" and "end" instead.
8620
8621 1.19 MB progression on Membuster3.
8622
8623 Reviewed by Geoff Garen.
8624
8625 * bytecompiler/NodesCodegen.cpp:
8626 (JSC::BindingNode::bindValue):
8627 * parser/ASTBuilder.h:
8628 (JSC::ASTBuilder::createBindingLocation):
8629 * parser/NodeConstructors.h:
8630 (JSC::BindingNode::create):
8631 (JSC::BindingNode::BindingNode):
8632 * parser/Nodes.h:
8633 (JSC::BindingNode::divotStart):
8634 (JSC::BindingNode::divotEnd):
8635 * parser/Parser.cpp:
8636 (JSC::Parser<LexerType>::createBindingPattern):
8637 * parser/SyntaxChecker.h:
8638 (JSC::SyntaxChecker::operatorStackPop):
8639
86402014-01-20 Filip Pizlo <fpizlo@apple.com>
8641
8642 op_captured_mov and op_new_captured_func in UnlinkedCodeBlocks should use the IdentifierMap instead of the strings directly
8643 https://bugs.webkit.org/show_bug.cgi?id=127311
8644 <rdar://problem/15853958>
8645
8646 Reviewed by Andreas Kling.
8647
8648 This makes UnlinkedCodeBlocks use 32-bit instruction streams again.
8649
8650 * bytecode/CodeBlock.cpp:
8651 (JSC::CodeBlock::CodeBlock):
8652 * bytecode/UnlinkedCodeBlock.h:
8653 (JSC::UnlinkedInstruction::UnlinkedInstruction):
8654 * bytecompiler/BytecodeGenerator.cpp:
8655 (JSC::BytecodeGenerator::addVar):
8656 (JSC::BytecodeGenerator::emitInitLazyRegister):
8657 (JSC::BytecodeGenerator::createArgumentsIfNecessary):
8658 * bytecompiler/BytecodeGenerator.h:
8659 (JSC::BytecodeGenerator::watchableVariable):
8660 (JSC::BytecodeGenerator::hasWatchableVariable):
8661
86622014-01-20 Mark Lam <mark.lam@apple.com>
8663
8664 Removing CodeBlock::opDebugBytecodeOffsetForLineAndColumn() and friends.
8665 <https://webkit.org/b/127321>
8666
8667 Reviewed by Geoffrey Garen.
8668
8669 We're changing plans and will be going with CodeBlock level breakpoints
8670 instead of bytecode level breakpoints. As a result, we no longer need
8671 the services of CodeBlock::opDebugBytecodeOffsetForLineAndColumn() (and
8672 friends). This patch will remove that unused code.
8673
8674 * GNUmakefile.list.am:
8675 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
8676 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
8677 * JavaScriptCore.xcodeproj/project.pbxproj:
8678 * bytecode/CodeBlock.cpp:
8679 * bytecode/CodeBlock.h:
8680 * bytecode/LineColumnInfo.h: Removed.
8681 * bytecode/UnlinkedCodeBlock.cpp:
8682 (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo):
8683 * bytecode/UnlinkedCodeBlock.h:
8684
86852014-01-20 Mark Hahnenberg <mhahnenberg@apple.com>
8686
8687 CodeBlockSet::traceMarked doesn't need to visit the ownerExecutable
8688 https://bugs.webkit.org/show_bug.cgi?id=127301
8689
8690 Reviewed by Oliver Hunt.
8691
8692 We used to just call CodeBlock::visitAggregate, but now we call visitChildren
8693 on the ownerExecutable, which is unnecessary.
8694
8695 * heap/CodeBlockSet.cpp:
8696 (JSC::CodeBlockSet::traceMarked):
8697
86982014-01-20 Anders Carlsson <andersca@apple.com>
8699
8700 Fix build.
8701
8702 * heap/BlockAllocator.h:
8703
87042014-01-20 Anders Carlsson <andersca@apple.com>
8705
8706 Stop using ThreadCondition in BlockAllocator
8707 https://bugs.webkit.org/show_bug.cgi?id=126313
8708
8709 Reviewed by Sam Weinig.
8710
8711 * heap/BlockAllocator.cpp:
8712 (JSC::BlockAllocator::~BlockAllocator):
8713 (JSC::BlockAllocator::waitForDuration):
8714 (JSC::BlockAllocator::blockFreeingThreadMain):
8715 * heap/BlockAllocator.h:
8716 (JSC::BlockAllocator::deallocate):
8717
87182014-01-19 Anders Carlsson <andersca@apple.com>
8719
8720 Convert GCThreadSharedData over to STL threading primitives
8721 https://bugs.webkit.org/show_bug.cgi?id=127256
8722
8723 Reviewed by Andreas Kling.
8724
8725 * heap/GCThread.cpp:
8726 (JSC::GCThread::waitForNextPhase):
8727 (JSC::GCThread::gcThreadMain):
8728 * heap/GCThreadSharedData.cpp:
8729 (JSC::GCThreadSharedData::GCThreadSharedData):
8730 (JSC::GCThreadSharedData::~GCThreadSharedData):
8731 (JSC::GCThreadSharedData::startNextPhase):
8732 (JSC::GCThreadSharedData::endCurrentPhase):
8733 (JSC::GCThreadSharedData::didStartMarking):
8734 (JSC::GCThreadSharedData::didFinishMarking):
8735 * heap/GCThreadSharedData.h:
8736 * heap/SlotVisitor.cpp:
8737 (JSC::SlotVisitor::donateKnownParallel):
8738 (JSC::SlotVisitor::drainFromShared):
8739
87402014-01-18 Andreas Kling <akling@apple.com>
8741
8742 CodeBlock: Size m_callLinkInfos and m_byValInfos to fit earlier.
8743 <https://webkit.org/b/127239>
8744
8745 Reviewed by Anders Carlsson.
8746
8747 * bytecode/CodeBlock.h:
8748 (JSC::CodeBlock::setNumberOfByValInfos):
8749 (JSC::CodeBlock::setNumberOfCallLinkInfos):
8750
8751 Use resizeToFit() instead of grow() for these vectors, since
8752 we know the final size here.
8753
8754 * bytecode/CodeBlock.cpp:
8755 (JSC::CodeBlock::shrinkToFit):
8756
8757 No need to shrink here anymore. We were not even shrinking
8758 m_byValInfo before!
8759
87602014-01-18 Andreas Kling <akling@apple.com>
8761
8762 CodeBlock: Size m_function{Exprs,Decls} to fit from creation.
8763 <https://webkit.org/b/127238>
8764
8765 Reviewed by Anders Carlsson.
8766
8767 * bytecode/CodeBlock.cpp:
8768 (JSC::CodeBlock::CodeBlock):
8769
8770 Use resizeToFit() instead of grow() for m_functionExprs and
8771 m_functionDecls since we know they will never change size.
8772
8773 (JSC::CodeBlock::shrinkToFit):
8774
8775 No need to shrink them here anymore.
8776
87772014-01-18 Andreas Kling <akling@apple.com>
8778
8779 Remove unused CodeBlock::m_additionalIdentifiers member.
8780 <https://webkit.org/b/127237>
8781
8782 Reviewed by Anders Carlsson.
8783
8784 * bytecode/CodeBlock.h:
8785 * bytecode/CodeBlock.cpp:
8786 (JSC::CodeBlock::CodeBlock):
8787 (JSC::CodeBlock::shrinkToFit):
8788
8789 Remove m_additionalIdentifiers, nothing uses it.
8790
87912014-01-18 Andreas Kling <akling@apple.com>
8792
8793 Remove two unused CodeBlock functions.
8794 <https://webkit.org/b/127235>
8795
8796 Kill copyPostParseDataFrom() and copyPostParseDataFromAlternative()
8797 since they are not used.
8798
8799 Reviewed by Anders Carlsson.
8800
8801 * bytecode/CodeBlock.cpp:
8802 * bytecode/CodeBlock.h:
8803
88042014-01-18 Andreas Kling <akling@apple.com>
8805
8806 CodeBlock: Size m_exceptionHandlers to fit from creation.
8807 <https://webkit.org/b/127234>
8808
8809 Avoid allocation churn for CodeBlock::m_exceptionHandlers.
8810
8811 Reviewed by Anders Carlsson.
8812
8813 * bytecode/CodeBlock.h:
8814
8815 Removed unused CodeBlock::allocateHandlers() function.
8816
8817 * bytecode/CodeBlock.cpp:
8818 (JSC::CodeBlock::CodeBlock):
8819
8820 Use resizeToFit() instead of grow() for m_exceptionHandlers
8821 since we know it's never going to change size.
8822
8823 (JSC::CodeBlock::shrinkToFit):
8824
8825 No need to shrink m_exceptionHandlers here since it's already
8826 the perfect size.
8827
88282014-01-18 Mark Lam <mark.lam@apple.com>
8829
8830 Add a hasBreakpointFlag arg to the op_debug bytecode.
8831 https://bugs.webkit.org/show_bug.cgi?id=127230.
8832
8833 Reviewed by Geoffrey Garen.
8834
8835 This is in anticipation of upcoming changes to support bytecode level
8836 breakpoints. This patch adds the flag to the op_debug bytecode and
8837 initializes it, but does not use it yet.
8838
8839 * bytecode/Opcode.h:
8840 (JSC::padOpcodeName):
8841 * bytecompiler/BytecodeGenerator.cpp:
8842 (JSC::BytecodeGenerator::emitDebugHook):
8843 * llint/LowLevelInterpreter.asm:
8844
88452014-01-18 Alberto Garcia <berto@igalia.com>
8846
8847 JavaScriptCore uses PLATFORM(MAC) when it means OS(DARWIN)
8848 https://bugs.webkit.org/show_bug.cgi?id=99683
8849
8850 Reviewed by Anders Carlsson.
8851
8852 * jit/ThunkGenerators.cpp:
8853 * tools/CodeProfile.cpp:
8854 (JSC::symbolName):
8855 (JSC::CodeProfile::sample):
8856
88572014-01-18 Anders Carlsson <andersca@apple.com>
8858
8859 Remove ENABLE_THREADED_HTML_PARSER defines everywhere
8860 https://bugs.webkit.org/show_bug.cgi?id=127225
8861
8862 Reviewed by Andreas Kling.
8863
8864 This concludes the removal of over 8.8 million lines of threaded parser code.
8865
8866 * Configurations/FeatureDefines.xcconfig:
8867
88682014-01-18 Mark Lam <mark.lam@apple.com>
8869
8870 Adding UnlinkedCodeBlock::opDebugBytecodeOffsetForLineAndColumn().
8871 https://bugs.webkit.org/show_bug.cgi?id=127127.
8872
8873 Reviewed by Geoffrey Garen.
8874
8875 In order to implement bytecode level breakpoints, we need a mechanism
8876 for computing the best fit op_debug bytecode offset for any valid given
8877 line and column value in the source. The "best fit" op_debug bytecode
8878 in this case is defined below in the comment for
8879 UnlinkedCodeBlock::opDebugBytecodeOffsetForLineAndColumn().
8880
8881 * GNUmakefile.list.am:
8882 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
8883 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
8884 * JavaScriptCore.xcodeproj/project.pbxproj:
8885 * bytecode/CodeBlock.cpp:
8886 (JSC::CodeBlock::opDebugBytecodeOffsetForLineAndColumn):
8887 - Convert the line and column to unlinked line and column values and
8888 pass them to UnlinkedCodeBlock::opDebugBytecodeOffsetForLineAndColumn()
8889 to do the real work.
8890
8891 * bytecode/CodeBlock.h:
8892 * bytecode/LineColumnInfo.h: Added.
8893 (JSC::LineColumnInfo::operator <):
8894 (JSC::LineColumnInfo::LineColumnPair::LineColumnPair):
8895 (JSC::LineColumnInfo::operator ==):
8896 (JSC::LineColumnInfo::operator !=):
8897 (JSC::LineColumnInfo::operator <=):
8898 (JSC::LineColumnInfo::operator >):
8899 (JSC::LineColumnInfo::operator >=):
8900 * bytecode/LineInfo.h: Removed.
8901
8902 * bytecode/UnlinkedCodeBlock.cpp:
8903 (JSC::UnlinkedCodeBlock::decodeExpressionRangeLineAndColumn):
8904 - Factored this out of expressionRangeForBytecodeOffset() so that it can
8905 be called from multiple places.
8906 (JSC::dumpLineColumnEntry):
8907 (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo):
8908 (JSC::UnlinkedCodeBlock::dumpOpDebugLineColumnInfoList):
8909 - Some dumpers for debugging use only.
8910 (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
8911 (JSC::UnlinkedCodeBlock::opDebugBytecodeOffsetForLineAndColumn):
8912 - Finds the earliest op_debug bytecode whose line and column matches the
8913 specified line and column values. If an exact match is not found, then
8914 finds the nearest op_debug bytecode that precedes the specified line
8915 and column values. If there is more than one op_debug at that preceding
8916 line and column value, then the earliest of those op_debug bytecodes will
8917 be selected. The offset of the selected bytecode will be returned.
8918
8919 We want the earliest one because when we have multiple op_debug bytecodes
8920 that map to a given line and column, a debugger user would expect to break
8921 on the first one and step through the rest thereafter if needed.
8922
8923 (JSC::compareLineColumnInfo):
8924 (JSC::UnlinkedCodeBlock::opDebugLineColumnInfoList):
8925 - Creates the sorted opDebugLineColumnInfoList on demand. This list is
8926 stored in the UnlinkedCodeBlock's rareData.
8927 * bytecode/UnlinkedCodeBlock.h:
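
The "best fit" op_debug lookup described in this entry, as an added illustration that is not JSC's own LineColumnInfo or UnlinkedCodeBlock code (the struct and function names and the sample positions are made up here). It sorts the op_debug positions by (line, column, bytecode offset) and then uses two binary searches: one to find the nearest position at or before the request, one to step back to the earliest op_debug at that position.

```cpp
#include <algorithm>
#include <cstdio>
#include <vector>

// Hypothetical model of one op_debug bytecode's source position
// (illustration only, not JSC's LineColumnInfo).
struct OpDebugLineColumn {
    unsigned line;
    unsigned column;
    unsigned bytecodeOffset;
};

// A (line, column) key used when searching the sorted list.
struct LineColumn {
    unsigned line;
    unsigned column;
};

// Returned when no op_debug lies at or before the requested position.
static const unsigned notFound = ~0u;

static bool keyLess(LineColumn a, LineColumn b)
{
    return a.line < b.line || (a.line == b.line && a.column < b.column);
}

static LineColumn keyOf(const OpDebugLineColumn& entry)
{
    return { entry.line, entry.column };
}

// Models the sorted opDebugLineColumnInfoList built on demand: ordered by
// (line, column) and, within one position, by bytecode offset, so the earliest
// op_debug at a position always comes first.
static std::vector<OpDebugLineColumn> sortedOpDebugList(std::vector<OpDebugLineColumn> entries)
{
    std::sort(entries.begin(), entries.end(),
        [](const OpDebugLineColumn& a, const OpDebugLineColumn& b) {
            if (keyLess(keyOf(a), keyOf(b)))
                return true;
            if (keyLess(keyOf(b), keyOf(a)))
                return false;
            return a.bytecodeOffset < b.bytecodeOffset;
        });
    return entries;
}

// Finds the earliest op_debug at exactly (line, column); failing that, the
// earliest op_debug at the nearest preceding position. Two binary searches over
// the sorted list, so each lookup is O(log N).
static unsigned opDebugBytecodeOffsetForLineAndColumn(
    const std::vector<OpDebugLineColumn>& sorted, unsigned line, unsigned column)
{
    LineColumn target = { line, column };
    // First entry strictly after the requested position.
    auto after = std::upper_bound(sorted.begin(), sorted.end(), target,
        [](LineColumn value, const OpDebugLineColumn& entry) { return keyLess(value, keyOf(entry)); });
    if (after == sorted.begin())
        return notFound; // Nothing at or before the requested position.

    // The entry just before 'after' sits at the target position when an exact
    // match exists, otherwise at the nearest preceding position.
    LineColumn chosen = keyOf(*(after - 1));
    // Step back to the first op_debug sharing that position (the earliest one).
    auto first = std::lower_bound(sorted.begin(), after, chosen,
        [](const OpDebugLineColumn& entry, LineColumn value) { return keyLess(keyOf(entry), value); });
    return first->bytecodeOffset;
}

// Constructed sample: op_debug positions as a small script might produce them,
// deliberately out of order and with two op_debug at line 2, column 4.
static std::vector<OpDebugLineColumn> sampleOpDebugList()
{
    return sortedOpDebugList({
        { 3, 4, 20 },
        { 2, 4, 12 },
        { 1, 0, 0 },
        { 5, 8, 33 },
        { 2, 4, 7 },
    });
}

int main()
{
    std::vector<OpDebugLineColumn> list = sampleOpDebugList();
    unsigned queries[][2] = { { 2, 4 }, { 4, 0 }, { 2, 3 }, { 5, 100 }, { 0, 0 } };
    for (auto& q : queries) {
        unsigned offset = opDebugBytecodeOffsetForLineAndColumn(list, q[0], q[1]);
        if (offset == notFound)
            std::printf("line %u column %u -> no op_debug at or before this position\n", q[0], q[1]);
        else
            std::printf("line %u column %u -> op_debug at bytecode offset %u\n", q[0], q[1], offset);
    }
    return 0;
}
```

With the sample above, a breakpoint at line 2, column 4 resolves to offset 7 (the earlier of the two op_debug at that position) and one at line 4, column 0 falls back to the op_debug at line 3, column 4.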
8928
89292014-01-18 Zan Dobersek <zdobersek@igalia.com>
8930
8931 Inspector scripts are not compatible with Python v3
8932 https://bugs.webkit.org/show_bug.cgi?id=127128
8933
8934 Reviewed by Benjamin Poulain.
8935
8936 * inspector/scripts/generate-combined-inspector-json.py: Turn print statements into print function calls.
8937 * inspector/scripts/jsmin.py: Try importing the StringIO class from the StringIO module (which will work for
8938 Python v2) or, on import error, import the class from the io module (which will work for Python v3).
8939
89402014-01-17 Anders Carlsson <andersca@apple.com>
8941
8942 String::is8Bit() crashes if m_impl is null, handle this.
8943
8944 * API/OpaqueJSString.h:
8945 (OpaqueJSString::OpaqueJSString):
8946
89472014-01-17 Anders Carlsson <andersca@apple.com>
8948
8949 Try to fix the Windows build.
8950
8951 * API/OpaqueJSString.cpp:
8952 (OpaqueJSString::~OpaqueJSString):
8953 (OpaqueJSString::characters):
8954 * API/OpaqueJSString.h:
8955 (OpaqueJSString::OpaqueJSString):
8956
89572014-01-17 Anders Carlsson <andersca@apple.com>
8958
8959 Get rid of OpaqueJSString::deprecatedCharacters()
8960 https://bugs.webkit.org/show_bug.cgi?id=127161
8961
8962 Reviewed by Sam Weinig.
8963
8964 Handle OpaqueJSString::m_string being either 8-bit or 16-bit and add extra
8965 code paths for the 8-bit cases.
8966
8967 Unfortunately, JSStringGetCharactersPtr is still expected to return a 16-bit character pointer.
8968 Handle this by storing a separate 16-bit string and initializing it on demand when JSStringGetCharactersPtr
8969 is called and the backing string is 8-bit.
8970
8971 This has the nice side effect of making JSStringGetCharactersPtr thread-safe when it wasn't before.
8972 (In theory, someone could have a JSStringRef backed by an 8-bit string and call JSStringGetCharactersPtr on it
8973 causing an unsafe upconversion to a 16-bit string).
8974
8975 * API/JSStringRef.cpp:
8976 (JSStringGetCharactersPtr):
8977 Call OpaqueJSString::characters.
8978
8979 (JSStringGetUTF8CString):
8980 Add a code path that handles 8-bit strings.
8981
8982 (JSStringIsEqual):
8983 Call OpaqueJSString::equal.
8984
8985 * API/JSStringRefCF.cpp:
8986 (JSStringCreateWithCFString):
8987 Reformat the code to use an early return instead of putting most of the code inside the body of an if statement.
8988
8989 (JSStringCopyCFString):
8990 Create an 8-bit CFStringRef if possible.
8991
8992 * API/OpaqueJSString.cpp:
8993 (OpaqueJSString::create):
8994 Use nullptr.
8995
8996 (OpaqueJSString::~OpaqueJSString):
8997 Free m_characters.
8998
8999 (OpaqueJSString::characters):
9000 Do the up-conversion and store the result in m_characters.
9001
9002 (OpaqueJSString::equal):
9003 New helper function.
9004
9005 * API/OpaqueJSString.h:
9006 (OpaqueJSString::is8Bit):
9007 New function that returns whether a string is 8-bit or not.
9008
9009 (OpaqueJSString::characters8):
9010 (OpaqueJSString::characters16):
9011 Add getters.
9012
2014-01-17  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>

        Remove workaround for compilers not supporting deleted functions
        https://bugs.webkit.org/show_bug.cgi?id=127166

        Reviewed by Andreas Kling.

        * inspector/InspectorAgentRegistry.h:

2014-01-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r162185, r162186, and r162187.
        http://trac.webkit.org/changeset/162185
        http://trac.webkit.org/changeset/162186
        http://trac.webkit.org/changeset/162187
        https://bugs.webkit.org/show_bug.cgi?id=127164

        Broke JSStringCreateWithCharactersNoCopy, as evidenced by a
        JSC API test (Requested by ap on #webkit).

        * API/JSStringRef.cpp:
        (JSStringGetCharactersPtr):
        (JSStringGetUTF8CString):
        (JSStringIsEqual):
        * API/JSStringRefCF.cpp:
        (JSStringCreateWithCFString):
        (JSStringCopyCFString):
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::create):
        (OpaqueJSString::identifier):
        * API/OpaqueJSString.h:
        (OpaqueJSString::create):
        (OpaqueJSString::characters):
        (OpaqueJSString::deprecatedCharacters):
        (OpaqueJSString::OpaqueJSString):

2014-01-16  Anders Carlsson  <andersca@apple.com>

        Export OpaqueJSString destructor.

        * API/OpaqueJSString.h:

2014-01-16  Anders Carlsson  <andersca@apple.com>

        Build fix.

        * API/OpaqueJSString.h:

2014-01-16  Anders Carlsson  <andersca@apple.com>

        Get rid of OpaqueJSString::deprecatedCharacters()
        https://bugs.webkit.org/show_bug.cgi?id=127161

        Reviewed by Sam Weinig.

        Handle OpaqueJSString::m_string being either 8-bit or 16-bit and add extra
        code paths for the 8-bit cases.

        Unfortunately, JSStringGetCharactersPtr is still expected to return a 16-bit character pointer.
        Handle this by storing a separate 16-bit string and initializing it on demand when JSStringGetCharactersPtr
        is called. This has the nice side effect of making JSStringGetCharactersPtr thread-safe when it wasn't before.
        (In theory, someone could have a JSStringRef backed by an 8-bit string and call JSStringGetCharactersPtr on it
        causing an unsafe upconversion to a 16-bit string).

        * API/JSStringRef.cpp:
        (JSStringGetCharactersPtr):
        Call OpaqueJSString::characters.

        (JSStringGetUTF8CString):
        Add a code path that handles 8-bit strings.

        (JSStringIsEqual):
        Call OpaqueJSString::equal.

        * API/JSStringRefCF.cpp:
        (JSStringCreateWithCFString):
        Reformat the code to use an early return instead of putting most of the code inside the body of an if statement.

        (JSStringCopyCFString):
        Create an 8-bit CFStringRef if possible.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::create):
        Use nullptr.

        (OpaqueJSString::~OpaqueJSString):
        Free m_characters.

        (OpaqueJSString::characters):
        Do the up-conversion and store the result in m_characters.

        (OpaqueJSString::equal):
        New helper function.

        * API/OpaqueJSString.h:
        (OpaqueJSString::is8Bit):
        New function that returns whether a string is 8-bit or not.

        (OpaqueJSString::characters8):
        (OpaqueJSString::characters16):
        Add getters.
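The on-demand up-conversion that this entry (and its identical re-landing dated 2014-01-17 above) describes, as an added C++ example rather than OpaqueJSString's own code: a string backed by either Latin-1 (8-bit) or UTF-16 (16-bit) hands out a 16-bit pointer on request, builds the 16-bit copy at most once, and publishes it with an atomic compare-exchange so that two threads racing on the same string never see a half-built buffer and the losing thread frees its own copy instead of leaking it. LazyString, its members and sampleStringsBehave are this example's assumptions; the sample strings are constructed.

```cpp
// Added example, not WebKit's OpaqueJSString: a string backed by Latin-1 (8-bit)
// or UTF-16 (16-bit) that hands out a 16-bit pointer on request, building the
// 16-bit copy at most once and publishing it with an atomic compare-exchange.
#include <atomic>
#include <cstddef>
#include <string>
#include <utility>

class LazyString {
public:
    explicit LazyString(std::string latin1) : m_is8Bit(true), m_latin1(std::move(latin1)) { }
    explicit LazyString(std::u16string utf16) : m_is8Bit(false), m_utf16(std::move(utf16)) { }
    ~LazyString() { delete[] m_characters.load(); }
    LazyString(const LazyString&) = delete;
    LazyString& operator=(const LazyString&) = delete;

    bool is8Bit() const { return m_is8Bit; }
    size_t length() const { return m_is8Bit ? m_latin1.size() : m_utf16.size(); }
    const unsigned char* characters8() const
    {
        return m_is8Bit ? reinterpret_cast<const unsigned char*>(m_latin1.data()) : nullptr;
    }
    const char16_t* characters16() const { return m_is8Bit ? nullptr : m_utf16.data(); }

    // Always returns a 16-bit, NUL-terminated buffer. For an 8-bit-backed string
    // the buffer is built on first use; if two threads race, exactly one buffer
    // is published and the loser frees its own copy, so no caller ever observes
    // a partially filled buffer and no copy leaks.
    const char16_t* characters()
    {
        if (!m_is8Bit)
            return m_utf16.c_str();
        char16_t* existing = m_characters.load(std::memory_order_acquire);
        if (existing)
            return existing;
        size_t n = m_latin1.size();
        char16_t* fresh = new char16_t[n + 1];
        for (size_t i = 0; i < n; ++i)
            fresh[i] = static_cast<unsigned char>(m_latin1[i]); // Latin-1 code points map 1:1 into UTF-16
        fresh[n] = 0;
        char16_t* expected = nullptr;
        if (m_characters.compare_exchange_strong(expected, fresh, std::memory_order_acq_rel))
            return fresh;
        delete[] fresh; // another thread published first; use its buffer
        return expected;
    }

    // Content equality that does not depend on how either side is stored and
    // does not force an up-conversion.
    bool equal(const LazyString& other) const
    {
        size_t n = length();
        if (n != other.length())
            return false;
        for (size_t i = 0; i < n; ++i)
            if (unitAt(i) != other.unitAt(i))
                return false;
        return true;
    }

private:
    char16_t unitAt(size_t i) const
    {
        return m_is8Bit ? static_cast<char16_t>(static_cast<unsigned char>(m_latin1[i])) : m_utf16[i];
    }

    bool m_is8Bit;
    std::string m_latin1;
    std::u16string m_utf16;
    std::atomic<char16_t*> m_characters { nullptr };
};

// Constructed check: an 8-bit "abc" and a 16-bit u"abc" compare equal, the
// up-converted buffer is built once and reused, and its contents are right.
bool sampleStringsBehave()
{
    LazyString narrow { std::string("abc") };
    LazyString wide { std::u16string(u"abc") };
    LazyString other { std::string("abd") };
    const char16_t* first = narrow.characters();
    bool stable = narrow.characters() == first;
    bool contents = first[0] == u'a' && first[1] == u'b' && first[2] == u'c' && first[3] == 0;
    return narrow.is8Bit() && !wide.is8Bit() && stable && contents
        && narrow.equal(wide) && wide.equal(narrow) && !narrow.equal(other);
}
```

The buffer is owned by the string and freed in its destructor, mirroring the "Free m_characters" step listed above; a caller that keeps the returned pointer past the string's lifetime is the remaining hazard, and it is the same one any borrowed-pointer API carries.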

2014-01-16  Anders Carlsson  <andersca@apple.com>

        Change all uses of FINAL to final now that all our compilers support it
        https://bugs.webkit.org/show_bug.cgi?id=127142

        Reviewed by Benjamin Poulain.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/agents/InspectorAgent.h:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/scripts/CodeGeneratorInspector.py:
        (Generator.go):
        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSPromiseReaction.cpp:

2014-01-16  Oliver Hunt  <oliver@apple.com>

        throwing an objc object (or general binding object) triggers an assertion
        https://bugs.webkit.org/show_bug.cgi?id=127146

        Reviewed by Alexey Proskuryakov.

        This is simply a bogus assertion as we can't guarantee a bindings object
        won't intercept assignment to .stack.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwind):

2014-01-16  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>

        Remove workaround for compilers not supporting explicit override control
        https://bugs.webkit.org/show_bug.cgi?id=127111

        Reviewed by Anders Carlsson.

        Now that all compilers support explicit override control, this workaround can be removed.

        * API/JSAPIWrapperObject.mm:
        * API/JSCallbackObject.h:
        * API/JSManagedValue.mm:
        * API/JSScriptRef.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h:
        * bytecode/StructureStubClearingWatchpoint.h:
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGJITCode.h:
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
        * dfg/DFGSlowPathGenerator.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        * heap/Heap.h:
        * heap/IncrementalSweeper.h:
        * heap/SuperRegion.h:
        * inspector/InspectorValues.h:
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/agents/InspectorAgent.h:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/scripts/CodeGeneratorInspector.py:
        (Generator.go):
        * jit/ClosureCallStubRoutine.h:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        * jit/GCAwareJITStubRoutine.h:
        * jit/JITCode.h:
        * jit/JITToDFGDeferredCompilationCallback.h:
        * parser/Nodes.h:
        * parser/SourceProvider.h:
        * runtime/DataView.h:
        * runtime/GCActivityCallback.h:
        * runtime/GenericTypedArrayView.h:
        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSPromiseReaction.cpp:
        * runtime/RegExpCache.h:
        * runtime/SimpleTypedArrayController.h:
        * runtime/SymbolTable.h:
        * runtime/WeakMapData.h:

2014-01-15  Joseph Pecoraro  <pecoraro@apple.com>

        [iOS] Clean up REMOTE_INSPECTOR code in OpenSource after the iOS merge
        https://bugs.webkit.org/show_bug.cgi?id=127069

        Reviewed by Timothy Hatcher.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        Export XPCConnection because it is needed by RemoteInspector.h.

        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::startDisabled):
        (Inspector::RemoteInspector::shared):
        Allow RemoteInspector singleton to start disabled.

2014-01-15  Brian Burg  <bburg@apple.com>

        Web Inspector: capture probe samples on the backend
        https://bugs.webkit.org/show_bug.cgi?id=126668

        Reviewed by Joseph Pecoraro.

        Add the 'probe' breakpoint action to the protocol. Change the setBreakpoint
        commands to return a list of assigned breakpoint action identifiers.
        Add a type for breakpoint action identifiers. Add an event for sending
        captured probe samples to the inspector frontend.

        * inspector/protocol/Debugger.json:

2014-01-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        Copying should be generational
        https://bugs.webkit.org/show_bug.cgi?id=126555

        Reviewed by Geoffrey Garen.

        This patch adds support for copying to our generational collector. Eden collections
        always trigger copying. Full collections use our normal fragmentation-based heuristics.

        The way this works is that the CopiedSpace now has the notion of an old generation set of CopiedBlocks
        and a new generation of CopiedBlocks. During each mutator cycle new CopiedSpace allocations reside
        in the new generation. When a collection occurs, those blocks are moved to the old generation.

        One key thing to remember is that both new and old generation objects in the MarkedSpace can
        refer to old or new generation allocations in CopiedSpace. This is why we must fire write barriers
        when assigning to an old (MarkedSpace) object's Butterfly.

        * heap/CopiedAllocator.h:
        (JSC::CopiedAllocator::tryAllocateDuringCopying):
        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::CopiedBlock):
        (JSC::CopiedBlock::didEvacuateBytes):
        (JSC::CopiedBlock::isOld):
        (JSC::CopiedBlock::didPromote):
        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::reportLiveBytes):
        (JSC::CopiedBlock::reportLiveBytesDuringCopying):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::CopiedSpace):
        (JSC::CopiedSpace::~CopiedSpace):
        (JSC::CopiedSpace::init):
        (JSC::CopiedSpace::tryAllocateOversize):
        (JSC::CopiedSpace::tryReallocateOversize):
        (JSC::CopiedSpace::doneFillingBlock):
        (JSC::CopiedSpace::didStartFullCollection):
        (JSC::CopiedSpace::doneCopying):
        (JSC::CopiedSpace::size):
        (JSC::CopiedSpace::capacity):
        (JSC::CopiedSpace::isPagedOut):
        * heap/CopiedSpace.h:
        (JSC::CopiedSpace::CopiedGeneration::CopiedGeneration):
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::contains):
        (JSC::CopiedSpace::recycleEvacuatedBlock):
        (JSC::CopiedSpace::allocateBlock):
        (JSC::CopiedSpace::startedCopying):
        * heap/CopyVisitor.cpp:
        (JSC::CopyVisitor::copyFromShared):
        * heap/CopyVisitorInlines.h:
        (JSC::CopyVisitor::allocateNewSpace):
        (JSC::CopyVisitor::allocateNewSpaceSlow):
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::didStartCopying):
        * heap/Heap.cpp:
        (JSC::Heap::copyBackingStores):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater):
        * heap/TinyBloomFilter.h:
        (JSC::TinyBloomFilter::add):
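A toy model of the generational scheme that this entry and the "Marking should be generational" entry later in this log describe, added here as a C++ example and not JavaScriptCore's collector: objects carry a sticky mark bit that only a full collection clears, an Eden collection traces only from the roots and from the remembered set, and the write barrier puts an already-marked (old) owner into the remembered set when a reference is stored into it. The helper youngSurvivesEden(false) shows the failure mode the barrier exists to prevent: an old-to-new edge created after the last collection goes unseen, a reachable object is freed, and the old object is left holding a dangling reference. ToyHeap, Obj and the helper names are this example's own, and the scenarios are constructed.

```cpp
// Added example, not JavaScriptCore's collector: sticky mark bits, a remembered
// set fed by a write barrier, and Eden versus Full collections on a toy heap.
#include <cstddef>
#include <memory>
#include <vector>

struct Obj {
    bool marked = false;      // sticky mark bit: survives Eden collections, cleared only by a Full collection
    bool remembered = false;  // queued for rescanning by the next Eden collection
    std::vector<Obj*> refs;   // outgoing references (the object's slots)
};

class ToyHeap {
public:
    enum class Kind { Eden, Full };

    Obj* allocate()
    {
        m_objects.push_back(std::unique_ptr<Obj>(new Obj));
        return m_objects.back().get();
    }
    void addRoot(Obj* o) { m_roots.push_back(o); }

    // Store `value` into a slot of `owner`. The barrier records an already-marked
    // (old) owner so the next Eden collection rescans its slots; without it, an
    // old->new edge created after the last collection is invisible to that collection.
    void store(Obj* owner, Obj* value, bool useBarrier)
    {
        owner->refs.push_back(value);
        if (useBarrier && owner->marked && !owner->remembered) {
            owner->remembered = true;
            m_rememberedSet.push_back(owner);
        }
    }

    // Runs one collection and returns the number of objects freed.
    size_t collect(Kind kind)
    {
        if (kind == Kind::Full) {
            for (auto& o : m_objects)
                o->marked = false;          // everything must be re-proven live
            for (Obj* owner : m_rememberedSet)
                owner->remembered = false;  // a Full collection re-traces all slots anyway
            m_rememberedSet.clear();
        }
        // Eden: remembered owners are old and stay marked; only their slots are rescanned.
        for (Obj* owner : m_rememberedSet) {
            owner->remembered = false;
            for (Obj* child : owner->refs)
                visit(child);
        }
        m_rememberedSet.clear();
        for (Obj* root : m_roots)
            visit(root);
        drain();
        return sweep();
    }

    bool isLive(const Obj* o) const
    {
        for (auto& p : m_objects)
            if (p.get() == o)
                return true;
        return false;
    }

private:
    void visit(Obj* o)
    {
        if (o->marked)
            return;  // old, or already seen this cycle: its slots are covered by the barrier
        o->marked = true;
        m_worklist.push_back(o);
    }
    void drain()
    {
        while (!m_worklist.empty()) {
            Obj* o = m_worklist.back();
            m_worklist.pop_back();
            for (Obj* child : o->refs)
                visit(child);
        }
    }
    size_t sweep()
    {
        size_t freed = 0;
        std::vector<std::unique_ptr<Obj>> survivors;
        for (auto& p : m_objects) {
            if (p->marked)
                survivors.push_back(std::move(p));
            else
                ++freed;
        }
        m_objects.swap(survivors);
        return freed;
    }

    std::vector<std::unique_ptr<Obj>> m_objects;
    std::vector<Obj*> m_roots;
    std::vector<Obj*> m_rememberedSet;
    std::vector<Obj*> m_worklist;
};

// Constructed scenario: an old, rooted object gains a reference to a young object
// after a Full collection, then an Eden collection runs. The young object is
// reachable, so it must survive; it does only if the barrier fired.
bool youngSurvivesEden(bool useBarrier)
{
    ToyHeap heap;
    Obj* old = heap.allocate();
    heap.addRoot(old);
    heap.collect(ToyHeap::Kind::Full);   // old now carries a sticky mark
    Obj* young = heap.allocate();
    heap.store(old, young, useBarrier);  // old -> young edge
    heap.collect(ToyHeap::Kind::Eden);
    return heap.isLive(young);
}

// Constructed scenario: a sticky mark keeps an unreachable old object alive through
// an Eden collection; the next Full collection clears the marks and frees it.
bool fullCollectionFreesUnreachableOld()
{
    ToyHeap heap;
    Obj* root = heap.allocate();
    Obj* old = heap.allocate();
    heap.addRoot(root);
    heap.store(root, old, true);
    heap.collect(ToyHeap::Kind::Full);   // both marked
    root->refs.clear();                  // drop root -> old
    size_t freedByEden = heap.collect(ToyHeap::Kind::Eden);
    size_t freedByFull = heap.collect(ToyHeap::Kind::Full);
    return freedByEden == 0 && freedByFull == 1 && !heap.isLive(old);
}
```

In youngSurvivesEden(false) the only thing that touches the freed object afterwards is the address comparison inside isLive; in a real collector the old object's slot would still be dereferenced by the mutator, which is the use-after-free that a missed barrier produces.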

2014-01-14  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED: !hasError() in JSC::Parser<LexerType>::createSavePoint().
        https://bugs.webkit.org/show_bug.cgi?id=126990.

        Reviewed by Geoffrey Garen.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseConstDeclarationList):
        - We were missing an error check after attempting to parse an initializer
        expression. This is now fixed.

2014-01-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: For Remote Inspection link WebProcess's to their parent UIProcess
        https://bugs.webkit.org/show_bug.cgi?id=126995

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::listingForDebuggable):
        For each WebView, list the parent process. Listing the parent per WebView
        was already supported back when we supported processes that could host WebViews
        for multiple applications.

        * inspector/remote/RemoteInspectorConstants.h:
        Add a separate key for the bundle identifier, separate from application identifier.

        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::info):
        * inspector/remote/RemoteInspectorDebuggable.h:
        (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
        (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess):
        If a RemoteInspectorDebuggable has a non-zero parent process identifier,
        it is a proxy for the parent process.

2014-01-14  Brian J. Burg  <burg@cs.washington.edu>

        Add ENABLE(WEB_REPLAY) feature flag to the build system
        https://bugs.webkit.org/show_bug.cgi?id=126949

        Reviewed by Joseph Pecoraro.

        * Configurations/FeatureDefines.xcconfig:

2014-01-14  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>

        [EFL] FTL buildfix, add missing includes
        https://bugs.webkit.org/show_bug.cgi?id=126641

        Reviewed by Csaba Osztrogonác.

        * ftl/FTLOSREntry.cpp:
        * ftl/FTLOSRExitCompiler.cpp:

2014-01-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: RemoteInspector::updateDebuggable may miss a push
        https://bugs.webkit.org/show_bug.cgi?id=126965

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::updateDebuggable):
        Always push an update. If a debuggable went from allowed to
        not allowed, we would have missed pushing an update.

2014-01-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        Performance regression on dromaeo due to generational marking
        https://bugs.webkit.org/show_bug.cgi?id=126901

        Reviewed by Oliver Hunt.

        We were seeing some performance regression with ENABLE_GGC == 0, so this patch
        ifdefs out more things to get rid of the additional overhead.

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::writeBarrier):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::clearMarks):
        (JSC::MarkedBlock::clearMarksWithCollectionType):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::resetAllocators):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::didAllocateInBlock):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::internalAppend):
        (JSC::SlotVisitor::reportExtraMemoryUsage):

2014-01-13  Brian Burg  <bburg@apple.com>

        Web Inspector: protocol generator should support integer-typed declarations
        https://bugs.webkit.org/show_bug.cgi?id=126828

        Reviewed by Joseph Pecoraro.

        Add new binding classes for parameter/ad-hoc and normal integer type declarations.

        * inspector/scripts/CodeGeneratorInspector.py:
        (TypeBindings.create_type_declaration_):
        (TypeBindings.create_type_declaration_.PlainInteger):
        (TypeBindings.create_type_declaration_.PlainInteger.resolve_inner):
        (TypeBindings.create_type_declaration_.PlainInteger.request_user_runtime_cast):
        (TypeBindings.create_type_declaration_.PlainInteger.request_internal_runtime_cast):
        (TypeBindings.create_type_declaration_.PlainInteger.get_code_generator):
        (TypeBindings.create_type_declaration_.PlainInteger.get_validator_call_text):
        (TypeBindings.create_type_declaration_.PlainInteger.reduce_to_raw_type):
        (TypeBindings.create_type_declaration_.PlainInteger.get_type_model):
        (TypeBindings.create_type_declaration_.PlainInteger.get_setter_value_expression_pattern):
        (TypeBindings.create_type_declaration_.PlainInteger.get_array_item_c_type_text):
        (TypeBindings.create_type_declaration_.TypedefInteger):
        (TypeBindings.create_type_declaration_.TypedefInteger.resolve_inner):
        (TypeBindings.create_type_declaration_.TypedefInteger.request_user_runtime_cast):
        (TypeBindings.create_type_declaration_.TypedefInteger.request_internal_runtime_cast):
        (TypeBindings.create_type_declaration_.TypedefInteger.get_code_generator):
        (TypeBindings.create_type_declaration_.TypedefInteger.get_code_generator.CodeGenerator):
        (TypeBindings.create_type_declaration_.TypedefInteger.get_code_generator.CodeGenerator.generate_type_builder):
        (TypeBindings.create_type_declaration_.TypedefInteger.get_code_generator.CodeGenerator.generate_type_builder.int):
        (TypeBindings.create_type_declaration_.TypedefInteger.get_code_generator.CodeGenerator.register_use):
        (TypeBindings.create_type_declaration_.TypedefInteger.get_code_generator.CodeGenerator.get_generate_pass_id):
        (TypeBindings.create_type_declaration_.TypedefInteger.get_validator_call_text):
        (TypeBindings.create_type_declaration_.TypedefInteger.reduce_to_raw_type):
        (TypeBindings.create_type_declaration_.TypedefInteger.get_type_model):
        (TypeBindings.create_type_declaration_.TypedefInteger.get_setter_value_expression_pattern):
        (TypeBindings.create_type_declaration_.TypedefInteger.get_array_item_c_type_text):

2014-01-13  Zalan Bujtas  <zalan@apple.com>

        Enable SUBPIXEL_LAYOUT on Mac
        <https://webkit.org/b/126283>

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2014-01-13  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed. Changes in r161686 are exposing a bug in GCC where the global .cfi_startproc directive
        is not inserted early enough into the generated assembler code when building in debug mode, causing
        compilation failures on ports using the GCC compilers. To work around the problem, only utilize the
        OFFLINE_ASM_* macros that use .cfi_ directives when compiling with Clang.

        * llint/LowLevelInterpreter.cpp:

2014-01-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r161840.
        http://trac.webkit.org/changeset/161840
        https://bugs.webkit.org/show_bug.cgi?id=126870

        Caused jsscore and layout test failures (Requested by smfr on
        #webkit).

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString):
        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue):
        * inspector/InspectorValues.cpp:
        * runtime/DatePrototype.cpp:
        (JSC::formatLocaleDate):
        * runtime/Identifier.h:
        (JSC::Identifier::characters):
        * runtime/JSStringBuilder.h:
        (JSC::JSStringBuilder::append):

2014-01-12  Darin Adler  <darin@apple.com>

        Add deprecatedCharacters as a synonym for characters and convert most call sites
        https://bugs.webkit.org/show_bug.cgi?id=126858

        Reviewed by Anders Carlsson.

        * API/JSStringRef.cpp:
        (JSStringGetCharactersPtr):
        (JSStringGetUTF8CString):
        (JSStringIsEqual):
        * API/JSStringRefCF.cpp:
        (JSStringCopyCFString):
        * API/OpaqueJSString.h:
        (OpaqueJSString::characters):
        (OpaqueJSString::deprecatedCharacters):
        (OpaqueJSString::length):
        (OpaqueJSString::OpaqueJSString):
        * inspector/InspectorValues.cpp:
        (Inspector::InspectorValue::parseJSON):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::parseInt):
        * runtime/StringPrototype.cpp:
        (JSC::localeCompare):
        (JSC::stringProtoFuncFontsize):
        (JSC::stringProtoFuncLink):
        Use deprecatedCharacters instead of characters.

2014-01-12  Darin Adler  <darin@apple.com>

        Reduce use of String::characters
        https://bugs.webkit.org/show_bug.cgi?id=126854

        Reviewed by Sam Weinig.

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString): Use characters16 instead of characters for 16-bit case.
        Had to remove length check because an empty string could be either 8 bit or 16 bit.
        Don't need a null string check before calling is8Bit because JSStringRef can't hold
        a null string.

        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue): Use the existing string here instead of creating
        a new one by calling characters and length on the old string. I think this may be
        left over from when string types were not the same in JavaScriptCore and WebCore.
        Also rewrite the property names loop to use modern for syntax and fewer locals.

        * inspector/InspectorValues.cpp:
        (Inspector::escapeChar): Changed to use appendLiteral instead of hard-coding string
        lengths. Moved handling of "<" and ">" in here instead of at the call site.
        (Inspector::doubleQuoteString): Simplify the code so there is no use of characters
        and length. This is still an inefficient way of doing this job and could use a rethink.

        * runtime/DatePrototype.cpp:
        (JSC::formatLocaleDate): Use RetainPtr, createCFString, and the conversion from
        CFStringRef to WTF::String to remove a lot of unneeded code.

        * runtime/Identifier.h: Removed unneeded Identifier::characters function.

        * runtime/JSStringBuilder.h:
        (JSC::JSStringBuilder::append): Use characters16 instead of characters function here,
        since we have already checked is8Bit above.

2014-01-12  Andy Estes  <aestes@apple.com>

        [iOS] Enable the JSC Objective-C API

        Rubber-stamped by Simon Fraser.

        * API/JSBase.h:

2014-01-12  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.am: Add inline-and-minify-stylesheets-and-scripts.py
        to EXTRA_DIST and fix InjectedScriptSource.h generation rule.
        * GNUmakefile.list.am: Move InjectedScriptSource.h to
        built_nosources to make sure it's not disted.

2014-01-11  Anders Carlsson  <andersca@apple.com>

        Try again to fix the build.

        * inspector/InspectorAgentRegistry.cpp:
        * inspector/InspectorAgentRegistry.h:

2014-01-11  Anders Carlsson  <andersca@apple.com>

        Try to prevent the Vector copy constructor from being instantiated.

        * inspector/InspectorAgentRegistry.cpp:
        (Inspector::InspectorAgentRegistry::InspectorAgentRegistry):
        * inspector/InspectorAgentRegistry.h:

2014-01-11  Anders Carlsson  <andersca@apple.com>

        Try something else.

        * inspector/InspectorAgentRegistry.cpp:
        (Inspector::InspectorAgentRegistry::~InspectorAgentRegistry):
        * inspector/InspectorAgentRegistry.h:

2014-01-11  Dean Jackson  <dino@apple.com>

        [JSC] Revise typed array implementations to match ECMAScript and WebGL Specification
        https://bugs.webkit.org/show_bug.cgi?id=126754

        Reviewed by Filip Pizlo.

        The ECMAScript specification forbids calling the typed array
        constructors without using "new". Change the call data to return
        none so we throw an exception in these cases.

        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):

2014-01-11  Anders Carlsson  <andersca@apple.com>

        Try to fix the build by introducing a constructor.

        * inspector/InspectorAgentRegistry.cpp:
        (Inspector::InspectorAgentRegistry::InspectorAgentRegistry):
        * inspector/InspectorAgentRegistry.h:

2014-01-11  Anders Carlsson  <andersca@apple.com>

        * inspector/InspectorAgentRegistry.h:

        Remove an unused function.

2014-01-11  Anders Carlsson  <andersca@apple.com>

        InspectorAgentRegistry should use std::unique_ptr
        https://bugs.webkit.org/show_bug.cgi?id=126826

        Reviewed by Sam Weinig.

        * inspector/InspectorAgentRegistry.cpp:
        (Inspector::InspectorAgentRegistry::append):
        * inspector/InspectorAgentRegistry.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        * inspector/agents/InspectorAgent.h:

2014-01-10  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Push InspectorAgent down into JSC, give JSC an InspectorController
        https://bugs.webkit.org/show_bug.cgi?id=126763

        Reviewed by Timothy Hatcher.

        Introduce JSGlobalObjectInspectorController. This is the InspectorController
        for a JSContext. It is created by the JSGlobalObject Remote Inspector Debuggable
        when a remote frontend connects, and is destroyed when the remote frontend
        disconnects or the JSGlobalObject is destroyed.

        * inspector/JSGlobalObjectInspectorController.h: Added.
        * inspector/JSGlobalObjectInspectorController.cpp: Added.
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::~JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
        (Inspector::JSGlobalObjectInspectorController::dispatchMessageFromFrontend):
        (Inspector::JSGlobalObjectInspectorController::functionCallHandler):
        (Inspector::JSGlobalObjectInspectorController::evaluateHandler):
        Create/destroy agents, create/destroy dispatches, implement InspectorEnvironment.

        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::~JSGlobalObjectDebuggable):
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::disconnect):
        (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
        Forward actions to the InspectorController object.

        * inspector/agents/InspectorAgent.h: Renamed from Source/WebCore/inspector/InspectorAgent.h.
        * inspector/agents/InspectorAgent.cpp: Renamed from Source/WebCore/inspector/InspectorAgent.cpp.
        (Inspector::InspectorAgent::InspectorAgent):
        (Inspector::InspectorAgent::~InspectorAgent):
        (Inspector::InspectorAgent::didCreateFrontendAndBackend):
        (Inspector::InspectorAgent::inspect):
        (Inspector::InspectorAgent::evaluateForTestInFrontend):
        Implement InspectorAgent in JavaScriptCore in namespace Inspector.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * CMakeLists.txt:
        * ChangeLog:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        Add files and new inspector/agents subdirectory.

2014-01-10  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r161702.
        http://trac.webkit.org/changeset/161702
        https://bugs.webkit.org/show_bug.cgi?id=126803

        Broke multiple tests (Requested by ap on #webkit).

        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):

2014-01-10  David Kilzer  <ddkilzer@apple.com>

        Clean up architectures in xcconfig files
        <http://webkit.org/b/126794>

        Reviewed by Andy Estes.

        * Configurations/Base.xcconfig:
        * Configurations/JavaScriptCore.xcconfig: Remove armv6, ppc.
        * Configurations/ToolExecutable.xcconfig: Sort.
        - Add new arch.

2014-01-10  Dean Jackson  <dino@apple.com>

        [JSC] Revise typed array implementations to match ECMAScript and WebGL Specification
        https://bugs.webkit.org/show_bug.cgi?id=126754

        Reviewed by Filip Pizlo.

        The ECMAScript specification forbids calling the typed array
        constructors without using "new". Change the call data to return
        none so we throw an exception in these cases.

        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):

2014-01-10  Benjamin Poulain  <bpoulain@apple.com>

        Remove the BlackBerry port from trunk
        https://bugs.webkit.org/show_bug.cgi?id=126715

        Reviewed by Anders Carlsson.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::cacheFlush):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::replaceWithJump):
        (JSC::ARMv7Assembler::maxJumpReplacementSize):
        (JSC::ARMv7Assembler::cacheFlush):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
        * heap/MachineStackMarker.cpp:
        (JSC::getPlatformThreadRegisters):
        (JSC::otherThreadStackPointer):
        (JSC::freePlatformThreadRegisters):
        * jit/ExecutableAllocator.h:

2014-01-10  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unimplemented or static ScriptDebugServer features
        https://bugs.webkit.org/show_bug.cgi?id=126784

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Debugger.json:

2014-01-10  Michael Saboff  <msaboff@apple.com>

        REGRESSION(C stack work): stack traces no longer work in CrashTracer, lldb, and other tools
        https://bugs.webkit.org/show_bug.cgi?id=126764

        Reviewed by Geoffrey Garen.

        Updated callToJavaScript and callToNativeFunction to properly replicate the caller's
        return PC and frame pointer in the sentinel frame. For X86-64, added .cfi_
        directives to create eh_frame info for all LLInt symbols so that the various
        unwinding code understands that we are using a separate JS stack referenced
        by BP and at what offsets in that frame the prior PC (register 16) and prior
        BP (register 6) can be found. These two changes are sufficient for stack tracing
        to work for Mac OSX.

        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter64.asm:

2014-01-10  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>

        [EFL][JSC] Enable udis86 disassembler on efl.
        https://bugs.webkit.org/show_bug.cgi?id=125502

        Reviewed by Michael Saboff.

        Enable udis86 disassembler on efl and fix build warnings.

        * CMakeLists.txt:
        Add udis86 disassembler source files.
        * disassembler/udis86/udis86_decode.c:
        (decode_modrm_rm):
        Build warning fixes.
        * disassembler/udis86/udis86_syn-att.c:
        (gen_operand):
        Build warning fixes.
        * disassembler/udis86/udis86_syn-intel.c:
        (gen_operand):
        Build warning fixes.
        * disassembler/udis86/udis86_types.h:
        Correct FMT64 for uint64_t.

2014-01-09  Benjamin Poulain  <bpoulain@apple.com>

        Remove the BlackBerry files outside WebCore
        https://bugs.webkit.org/show_bug.cgi?id=126715

        Reviewed by Anders Carlsson.

        * PlatformBlackBerry.cmake: Removed.
        * runtime/GCActivityCallbackBlackBerry.cpp: Removed.
        * shell/PlatformBlackBerry.cmake: Removed.

2014-01-10  Geoffrey Garen  <ggaren@apple.com>

        Removed Blackberry #ifdefs and platform code from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=126757

        Reviewed by Sam Weinig.

        * PlatformBlackBerry.cmake: Removed.
        * heap/HeapTimer.cpp:
        * heap/HeapTimer.h:
        * heap/IncrementalSweeper.cpp:
        * heap/IncrementalSweeper.h:
        * jsc.cpp:
        (main):
        * runtime/GCActivityCallbackBlackBerry.cpp: Removed.
        * runtime/MemoryStatistics.cpp:
        (JSC::globalMemoryStatistics):

97872014-01-07 Mark Hahnenberg <mhahnenberg@apple.com>
9788
9789 Marking should be generational
9790 https://bugs.webkit.org/show_bug.cgi?id=126552
9791
9792 Reviewed by Geoffrey Garen.
9793
9794 Re-marking the same objects over and over is a waste of effort. This patch implements
9795 the sticky mark bit algorithm (along with our already-present write barriers) to reduce
9796 overhead during garbage collection caused by rescanning objects.
9797
9798 There are now two collection modes, EdenCollection and FullCollection. EdenCollections
9799 only visit new objects or objects that were added to the remembered set by a write barrier.
9800 FullCollections are normal collections that visit all objects regardless of their
9801 generation.
9802
9803 In this patch EdenCollections do not do anything in CopiedSpace. This will be fixed in
9804 https://bugs.webkit.org/show_bug.cgi?id=126555.
9805
9806 * bytecode/CodeBlock.cpp:
9807 (JSC::CodeBlock::visitAggregate):
9808 * bytecode/CodeBlock.h:
9809 (JSC::CodeBlockSet::mark):
9810 * dfg/DFGOperations.cpp:
9811 * heap/CodeBlockSet.cpp:
9812 (JSC::CodeBlockSet::add):
9813 (JSC::CodeBlockSet::traceMarked):
9814 (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
9815 * heap/CodeBlockSet.h:
9816 * heap/CopiedBlockInlines.h:
9817 (JSC::CopiedBlock::reportLiveBytes):
9818 * heap/CopiedSpace.cpp:
9819 (JSC::CopiedSpace::didStartFullCollection):
9820 * heap/CopiedSpace.h:
9821 (JSC::CopiedSpace::heap):
9822 * heap/Heap.cpp:
9823 (JSC::Heap::Heap):
9824 (JSC::Heap::didAbandon):
9825 (JSC::Heap::markRoots):
9826 (JSC::Heap::copyBackingStores):
9827 (JSC::Heap::addToRememberedSet):
9828 (JSC::Heap::collectAllGarbage):
9829 (JSC::Heap::collect):
9830 (JSC::Heap::didAllocate):
9831 (JSC::Heap::writeBarrier):
9832 * heap/Heap.h:
9833 (JSC::Heap::isInRememberedSet):
9834 (JSC::Heap::operationInProgress):
9835 (JSC::Heap::shouldCollect):
9836 (JSC::Heap::isCollecting):
9837 (JSC::Heap::isWriteBarrierEnabled):
9838 (JSC::Heap::writeBarrier):
9839 * heap/HeapOperation.h:
9840 * heap/MarkStack.cpp:
9841 (JSC::MarkStackArray::~MarkStackArray):
9842 (JSC::MarkStackArray::clear):
9843 (JSC::MarkStackArray::fillVector):
9844 * heap/MarkStack.h:
9845 * heap/MarkedAllocator.cpp:
9846 (JSC::isListPagedOut):
9847 (JSC::MarkedAllocator::isPagedOut):
9848 (JSC::MarkedAllocator::tryAllocateHelper):
9849 (JSC::MarkedAllocator::addBlock):
9850 (JSC::MarkedAllocator::removeBlock):
9851 (JSC::MarkedAllocator::reset):
9852 * heap/MarkedAllocator.h:
9853 (JSC::MarkedAllocator::MarkedAllocator):
9854 * heap/MarkedBlock.cpp:
9855 (JSC::MarkedBlock::clearMarks):
9856 (JSC::MarkedBlock::clearRememberedSet):
9857 (JSC::MarkedBlock::clearMarksWithCollectionType):
9858 (JSC::MarkedBlock::lastChanceToFinalize):
9859 * heap/MarkedBlock.h: Changed atomSize to 16 bytes because we have no objects smaller
9860 than 16 bytes. This is also to pay for the additional Bitmap for the remembered set.
9861 (JSC::MarkedBlock::didConsumeEmptyFreeList):
9862 (JSC::MarkedBlock::setRemembered):
9863 (JSC::MarkedBlock::clearRemembered):
9864 (JSC::MarkedBlock::atomicClearRemembered):
9865 (JSC::MarkedBlock::isRemembered):
9866 * heap/MarkedSpace.cpp:
9867 (JSC::MarkedSpace::~MarkedSpace):
9868 (JSC::MarkedSpace::resetAllocators):
9869 (JSC::MarkedSpace::visitWeakSets):
9870 (JSC::MarkedSpace::reapWeakSets):
9871 (JSC::VerifyMarked::operator()):
9872 (JSC::MarkedSpace::clearMarks):
9873 * heap/MarkedSpace.h:
9874 (JSC::ClearMarks::operator()):
9875 (JSC::ClearRememberedSet::operator()):
9876 (JSC::MarkedSpace::didAllocateInBlock):
9877 (JSC::MarkedSpace::clearRememberedSet):
9878 * heap/SlotVisitor.cpp:
9879 (JSC::SlotVisitor::~SlotVisitor):
9880 (JSC::SlotVisitor::clearMarkStack):
9881 * heap/SlotVisitor.h:
9882 (JSC::SlotVisitor::markStack):
9883 (JSC::SlotVisitor::sharedData):
9884 * heap/SlotVisitorInlines.h:
9885 (JSC::SlotVisitor::internalAppend):
9886 (JSC::SlotVisitor::unconditionallyAppend):
9887 (JSC::SlotVisitor::copyLater):
9888 (JSC::SlotVisitor::reportExtraMemoryUsage):
9889 (JSC::SlotVisitor::heap):
9890 * jit/Repatch.cpp:
9891 * runtime/JSGenericTypedArrayViewInlines.h:
9892 (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
9893 * runtime/JSPropertyNameIterator.h:
9894 (JSC::StructureRareData::setEnumerationCache):
9895 * runtime/JSString.cpp:
9896 (JSC::JSString::visitChildren):
9897 * runtime/StructureRareDataInlines.h:
9898 (JSC::StructureRareData::setPreviousID):
9899 (JSC::StructureRareData::setObjectToStringValue):
9900 * runtime/WeakMapData.cpp:
9901 (JSC::WeakMapData::visitChildren):
9902
99032014-01-09 Joseph Pecoraro <pecoraro@apple.com>
9904
9905 Unreviewed Windows build fix for r161563.
9906
9907 Copy all scripts, some may not be .py.
9908
9909 * JavaScriptCore.vcxproj/copy-files.cmd:
9910
99112014-01-09 Filip Pizlo <fpizlo@apple.com>
9912
9913 AI for CreateArguments should pass through non-SpecEmpty input values
9914 https://bugs.webkit.org/show_bug.cgi?id=126709
9915
9916 Reviewed by Mark Hahnenberg.
9917
9918 * dfg/DFGAbstractInterpreterInlines.h:
9919 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
9920 * tests/stress/use-arguments-as-object-pointer.js: Added.
9921 (foo):
9922
99232014-01-09 Mark Hahnenberg <mhahnenberg@apple.com>
9924
9925 Constructors for Objective-C classes do not work properly with instanceof
9926 https://bugs.webkit.org/show_bug.cgi?id=126670
9927
9928 Reviewed by Oliver Hunt.
9929
9930 This bug is due to the fact that the JS constructors created for Objective-C classes via the JSC
9931 API inherit from JSCallbackObject, which overrides hasInstance with its own customHasInstance.
9932 JSCallbackObject::customHasInstance only checks the JSClassRefs for hasInstance callbacks.
9933 If it doesn't find any callbacks, it returns false.
9934
9935 This patch adds a hasInstance callback to constructors created for Objective-C wrapper classes.
9936
9937 * API/JSWrapperMap.mm:
9938 (constructorHasInstance):
9939 (constructorWithCustomBrand):
9940 (allocateConstructorForCustomClass):
9941 * API/tests/testapi.mm:
9942
2014-01-09 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: Move InjectedScript classes into JavaScriptCore
https://bugs.webkit.org/show_bug.cgi?id=126598

Reviewed by Timothy Hatcher.

Part 5: Move InjectedScript classes into JavaScriptCore

There are pieces of logic that WebCore wants to hook into in the InjectedScript
execution (e.g. for CommandLineAPIModule and InspectorInstrumentation). Create
hooks for those in a base class called InspectorEnvironment. For now, the
InspectorControllers (Page, JSGlobalObject, Worker) will be the InspectorEnvironments
and provide answers to its hooks.

* inspector/InspectorEnvironment.h: Added.
New hooks needed by WebCore in various places. Mostly stubbed in JavaScriptCore.

* inspector/InjectedScript.cpp: Renamed from Source/WebCore/inspector/InjectedScript.cpp.
* inspector/InjectedScript.h: Added.
* inspector/InjectedScriptBase.cpp: Renamed from Source/WebCore/inspector/InjectedScriptBase.cpp.
* inspector/InjectedScriptBase.h: Renamed from Source/WebCore/inspector/InjectedScriptBase.h.
* inspector/InjectedScriptModule.cpp: Renamed from Source/WebCore/inspector/InjectedScriptModule.cpp.
* inspector/InjectedScriptModule.h: Renamed from Source/WebCore/inspector/InjectedScriptModule.h.
Clean up the style of these files (nullptr, formatting, whitespace, etc).
Use the InspectorEnvironment's call/evaluate function for ScriptFunctionCalls and checking access.

* inspector/InjectedScriptManager.cpp: Renamed from Source/WebCore/inspector/InjectedScriptManager.cpp.
* inspector/InjectedScriptManager.h: Renamed from Source/WebCore/inspector/InjectedScriptManager.h.
Take an InspectorEnvironment with multiple hooks, instead of a single hook function.

* inspector/InjectedScriptHost.cpp: Added.
* inspector/InjectedScriptHost.h: Added.
* inspector/JSInjectedScriptHost.cpp: Renamed from Source/WebCore/bindings/js/JSInjectedScriptHostCustom.cpp.
* inspector/JSInjectedScriptHost.h: Added.
* inspector/JSInjectedScriptHostPrototype.cpp: Added.
* inspector/JSInjectedScriptHostPrototype.h: Added.
Implementation of InjectedScriptHost which is passed into the script (InjectedScriptSource.js)
that we inject into the page. This is mostly copied from the original autogenerated code,
then simplified and cleaned up. InjectedScriptHost can be subclassed to provide specialized
implementations of isHTMLAllCollection and type for Web/DOM types unknown to a pure JS context.


Part 4: Move all inspector scripts into JavaScriptCore and update generators.

For OS X be sure to export the scripts as if they are private headers.

* GNUmakefile.am:
* JavaScriptCore.xcodeproj/project.pbxproj:
* inspector/scripts/cssmin.py: Renamed from Source/WebCore/inspector/Scripts/cssmin.py.
* inspector/scripts/inline-and-minify-stylesheets-and-scripts.py: Renamed from Source/WebCore/inspector/Scripts/inline-and-minify-stylesheets-and-scripts.py.
* inspector/scripts/jsmin.py: Renamed from Source/WebCore/inspector/Scripts/jsmin.py.
* inspector/scripts/xxd.pl: Renamed from Source/WebCore/inspector/xxd.pl.


Part 3: Update CodeGeneratorInspector to avoid inlining virtual destructors.

This avoids build errors about duplicate exported virtual inlined methods when they
are included from multiple places. Just put empty destructors in the
implementation file instead of inlined.

* inspector/scripts/CodeGeneratorInspector.py:
(Generator):
(Generator.go):
* inspector/scripts/CodeGeneratorInspectorStrings.py:


Part 2: Move InjectedScriptSource and generation into JavaScriptCore.

Move InjectedScriptSource.js and derived sources generation.

* CMakeLists.txt:
* DerivedSources.make:
* GNUmakefile.am:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* inspector/InjectedScriptSource.js: Renamed from Source/WebCore/inspector/InjectedScriptSource.js.

2014-01-09 Balazs Kilvady <kilvadyb@homejinni.com>

Regression: failing RegExp tests on 32 bit architectures.
https://bugs.webkit.org/show_bug.cgi?id=126699

Reviewed by Michael Saboff.

Fix setRegExpConstructor functions for 32 bit architectures.

* runtime/RegExpConstructor.cpp:
(JSC::setRegExpConstructorInput):
(JSC::setRegExpConstructorMultiline):

2014-01-09 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r161540.
http://trac.webkit.org/changeset/161540
https://bugs.webkit.org/show_bug.cgi?id=126704

Caused assertion failures on multiple tests (Requested by ap
on #webkit).

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::visitAggregate):
* bytecode/CodeBlock.h:
(JSC::CodeBlockSet::mark):
* dfg/DFGOperations.cpp:
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::add):
(JSC::CodeBlockSet::traceMarked):
* heap/CodeBlockSet.h:
* heap/CopiedBlockInlines.h:
(JSC::CopiedBlock::reportLiveBytes):
* heap/CopiedSpace.cpp:
* heap/CopiedSpace.h:
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::didAbandon):
(JSC::Heap::markRoots):
(JSC::Heap::copyBackingStores):
(JSC::Heap::collectAllGarbage):
(JSC::Heap::collect):
(JSC::Heap::didAllocate):
* heap/Heap.h:
(JSC::Heap::shouldCollect):
(JSC::Heap::isCollecting):
(JSC::Heap::isWriteBarrierEnabled):
(JSC::Heap::writeBarrier):
* heap/HeapOperation.h:
* heap/MarkStack.cpp:
(JSC::MarkStackArray::~MarkStackArray):
* heap/MarkStack.h:
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::isPagedOut):
(JSC::MarkedAllocator::tryAllocateHelper):
(JSC::MarkedAllocator::addBlock):
(JSC::MarkedAllocator::removeBlock):
* heap/MarkedAllocator.h:
(JSC::MarkedAllocator::MarkedAllocator):
(JSC::MarkedAllocator::reset):
* heap/MarkedBlock.cpp:
* heap/MarkedBlock.h:
(JSC::MarkedBlock::lastChanceToFinalize):
(JSC::MarkedBlock::didConsumeEmptyFreeList):
(JSC::MarkedBlock::clearMarks):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::~MarkedSpace):
(JSC::MarkedSpace::resetAllocators):
(JSC::MarkedSpace::visitWeakSets):
(JSC::MarkedSpace::reapWeakSets):
* heap/MarkedSpace.h:
(JSC::ClearMarks::operator()):
(JSC::MarkedSpace::clearMarks):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::~SlotVisitor):
* heap/SlotVisitor.h:
(JSC::SlotVisitor::sharedData):
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::internalAppend):
(JSC::SlotVisitor::copyLater):
(JSC::SlotVisitor::reportExtraMemoryUsage):
* jit/Repatch.cpp:
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
* runtime/JSPropertyNameIterator.h:
(JSC::StructureRareData::setEnumerationCache):
* runtime/JSString.cpp:
(JSC::JSString::visitChildren):
* runtime/StructureRareDataInlines.h:
(JSC::StructureRareData::setPreviousID):
(JSC::StructureRareData::setObjectToStringValue):
* runtime/WeakMapData.cpp:
(JSC::WeakMapData::visitChildren):

2014-01-09 Andreas Kling <akling@apple.com>

Shrink WatchpointSet.
<https://webkit.org/b/126694>

Reorder the members of WatchpointSet, shrinking it by 8 bytes.
767 kB progression on Membuster3.

Reviewed by Antti Koivisto.

* bytecode/Watchpoint.h:

2014-01-08 Mark Hahnenberg <mhahnenberg@apple.com>

Reverting accidental GC logging

* heap/Heap.cpp:

2014-01-07 Mark Hahnenberg <mhahnenberg@apple.com>

Marking should be generational
https://bugs.webkit.org/show_bug.cgi?id=126552

Reviewed by Geoffrey Garen.

Re-marking the same objects over and over is a waste of effort. This patch implements
the sticky mark bit algorithm (along with our already-present write barriers) to reduce
overhead during garbage collection caused by rescanning objects.

There are now two collection modes, EdenCollection and FullCollection. EdenCollections
only visit new objects or objects that were added to the remembered set by a write barrier.
FullCollections are normal collections that visit all objects regardless of their
generation.

In this patch EdenCollections do not do anything in CopiedSpace. This will be fixed in
https://bugs.webkit.org/show_bug.cgi?id=126555.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::visitAggregate):
* bytecode/CodeBlock.h:
(JSC::CodeBlockSet::mark):
* dfg/DFGOperations.cpp:
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::add):
(JSC::CodeBlockSet::traceMarked):
(JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
* heap/CodeBlockSet.h:
* heap/CopiedBlockInlines.h:
(JSC::CopiedBlock::reportLiveBytes):
* heap/CopiedSpace.cpp:
(JSC::CopiedSpace::didStartFullCollection):
* heap/CopiedSpace.h:
(JSC::CopiedSpace::heap):
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::didAbandon):
(JSC::Heap::markRoots):
(JSC::Heap::copyBackingStores):
(JSC::Heap::addToRememberedSet):
(JSC::Heap::collectAllGarbage):
(JSC::Heap::collect):
(JSC::Heap::didAllocate):
(JSC::Heap::writeBarrier):
* heap/Heap.h:
(JSC::Heap::isInRememberedSet):
(JSC::Heap::operationInProgress):
(JSC::Heap::shouldCollect):
(JSC::Heap::isCollecting):
(JSC::Heap::isWriteBarrierEnabled):
(JSC::Heap::writeBarrier):
* heap/HeapOperation.h:
* heap/MarkStack.cpp:
(JSC::MarkStackArray::~MarkStackArray):
(JSC::MarkStackArray::clear):
(JSC::MarkStackArray::fillVector):
* heap/MarkStack.h:
* heap/MarkedAllocator.cpp:
(JSC::isListPagedOut):
(JSC::MarkedAllocator::isPagedOut):
(JSC::MarkedAllocator::tryAllocateHelper):
(JSC::MarkedAllocator::addBlock):
(JSC::MarkedAllocator::removeBlock):
(JSC::MarkedAllocator::reset):
* heap/MarkedAllocator.h:
(JSC::MarkedAllocator::MarkedAllocator):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::clearMarks):
(JSC::MarkedBlock::clearRememberedSet):
(JSC::MarkedBlock::clearMarksWithCollectionType):
(JSC::MarkedBlock::lastChanceToFinalize):
* heap/MarkedBlock.h: Changed atomSize to 16 bytes because we have no objects smaller
than 16 bytes. This is also to pay for the additional Bitmap for the remembered set.
(JSC::MarkedBlock::didConsumeEmptyFreeList):
(JSC::MarkedBlock::setRemembered):
(JSC::MarkedBlock::clearRemembered):
(JSC::MarkedBlock::atomicClearRemembered):
(JSC::MarkedBlock::isRemembered):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::~MarkedSpace):
(JSC::MarkedSpace::resetAllocators):
(JSC::MarkedSpace::visitWeakSets):
(JSC::MarkedSpace::reapWeakSets):
(JSC::VerifyMarked::operator()):
(JSC::MarkedSpace::clearMarks):
* heap/MarkedSpace.h:
(JSC::ClearMarks::operator()):
(JSC::ClearRememberedSet::operator()):
(JSC::MarkedSpace::didAllocateInBlock):
(JSC::MarkedSpace::clearRememberedSet):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::~SlotVisitor):
(JSC::SlotVisitor::clearMarkStack):
* heap/SlotVisitor.h:
(JSC::SlotVisitor::markStack):
(JSC::SlotVisitor::sharedData):
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::internalAppend):
(JSC::SlotVisitor::unconditionallyAppend):
(JSC::SlotVisitor::copyLater):
(JSC::SlotVisitor::reportExtraMemoryUsage):
(JSC::SlotVisitor::heap):
* jit/Repatch.cpp:
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
* runtime/JSPropertyNameIterator.h:
(JSC::StructureRareData::setEnumerationCache):
* runtime/JSString.cpp:
(JSC::JSString::visitChildren):
* runtime/StructureRareDataInlines.h:
(JSC::StructureRareData::setPreviousID):
(JSC::StructureRareData::setObjectToStringValue):
* runtime/WeakMapData.cpp:
(JSC::WeakMapData::visitChildren):

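The sticky-mark-bit scheme described in the two "Marking should be generational" entries above, as an added C++ model that is not JSC code: a cell keeps its mark across EdenCollections, the write barrier records an already-marked cell that gains an edge in a remembered set, and an EdenCollection traces only unmarked cells reachable from roots or from remembered cells, while a FullCollection clears every mark and re-traces everything. All names here (Cell, Heap, Stats, runScenario) and the scenario are constructed for the illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>

// Constructed model of a heap cell (not JSC's MarkedBlock): sticky mark bit, remembered bit, edges.
struct Cell {
    bool marked = false;     // sticky: kept across EdenCollections, reset only by a FullCollection
    bool remembered = false; // set by the write barrier when an already-marked cell gains an edge
    std::vector<Cell*> edges;
};

enum class CollectionType { Eden, Full };

struct Stats {
    std::size_t visited; // cells the marker traced in this collection
    std::size_t freed;   // cells swept afterwards
    std::size_t live;    // cells still allocated afterwards
};

class Heap {
public:
    Cell* allocate() {
        cells_.push_back(std::make_unique<Cell>());
        return cells_.back().get();
    }
    void addRoot(Cell* c) { roots_.push_back(c); }

    // Write barrier on every pointer store. EdenCollections skip old (marked) cells,
    // so an edge an old owner gains would go unseen unless the owner is remembered.
    void store(Cell* owner, Cell* value) {
        owner->edges.push_back(value);
        if (owner->marked && !owner->remembered) {
            owner->remembered = true;
            rememberedSet_.push_back(owner);
        }
    }

    Stats collect(CollectionType type) {
        std::vector<Cell*> work;
        std::size_t visited = 0;
        auto visit = [&](Cell* c) {
            if (c->marked) return; // sticky bit: an already-marked cell is never re-traced here
            c->marked = true;
            ++visited;
            work.push_back(c);
        };
        if (type == CollectionType::Full) {
            for (auto& c : cells_) c->marked = false; // a FullCollection re-traces everything
        } else {
            // EdenCollection: remembered old cells act as extra roots. Only their
            // edges are traced, because the cells themselves are still marked.
            for (Cell* old : rememberedSet_)
                for (Cell* child : old->edges) visit(child);
        }
        for (Cell* r : roots_) visit(r);
        while (!work.empty()) {
            Cell* c = work.back(); work.pop_back();
            for (Cell* child : c->edges) visit(child);
        }
        // Both modes drain the remembered set: its edges were traced (Eden) or everything was (Full).
        for (Cell* old : rememberedSet_) old->remembered = false;
        rememberedSet_.clear();
        std::size_t before = cells_.size();
        cells_.erase(std::remove_if(cells_.begin(), cells_.end(),
                                    [](const std::unique_ptr<Cell>& c) { return !c->marked; }),
                     cells_.end());
        return Stats{visited, before - cells_.size(), cells_.size()};
    }

private:
    std::vector<std::unique_ptr<Cell>> cells_;
    std::vector<Cell*> roots_;
    std::vector<Cell*> rememberedSet_;
};

// Constructed scenario: Full, then mutations exercising the barrier, then Eden and Full.
std::vector<Stats> runScenario() {
    Heap heap;
    Cell* root = heap.allocate();
    heap.addRoot(root);
    Cell* a = heap.allocate();
    Cell* b = heap.allocate();
    heap.store(root, a);
    heap.store(root, b);
    std::vector<Stats> out;
    out.push_back(heap.collect(CollectionType::Full)); // traces root, a, b; frees nothing
    root->edges.pop_back();     // drop root -> b: b is garbage now but keeps its sticky mark
    Cell* n1 = heap.allocate();
    heap.allocate();            // a new cell nothing ever references
    Cell* n3 = heap.allocate();
    heap.store(a, n1);          // a is old: the barrier puts it in the remembered set
    heap.store(n1, n3);         // n1 is new and unmarked: no barrier work needed
    // Eden traces only n1 and n3 and frees the unreferenced new cell; b survives (sticky mark).
    out.push_back(heap.collect(CollectionType::Eden));
    out.push_back(heap.collect(CollectionType::Full)); // traces root, a, n1, n3; frees b
    return out;
}
```

The second collection shows both sides of the trade-off the entry describes: the EdenCollection traces two cells instead of five, but the dead old cell b is only reclaimed by the following FullCollection.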
2014-01-08 Sam Weinig <sam@webkit.org>

[JS] Should be able to create a promise by calling the Promise constructor as a function
https://bugs.webkit.org/show_bug.cgi?id=126561

Reviewed by Geoffrey Garen.

* runtime/JSPromiseConstructor.cpp:
(JSC::JSPromiseConstructor::getCallData):
Add support for calling the Promise constructor as a function (e.g. var p = Promise(...), note
the missing "new").

2014-01-08 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>

[EFL] Make FTL buildable
https://bugs.webkit.org/show_bug.cgi?id=125777

Reviewed by Csaba Osztrogonác.

* CMakeLists.txt:
* ftl/FTLOSREntry.cpp:
* ftl/FTLOSRExitCompiler.cpp:
* llvm/library/config_llvm.h:

2014-01-08 Zan Dobersek <zdobersek@igalia.com>

[Automake] Scripts for generated build targets do not necessarily produce their output
https://bugs.webkit.org/show_bug.cgi?id=126378

Reviewed by Carlos Garcia Campos.

* GNUmakefile.am: Touch the build targets that are generated through helper scripts that don't
assure the output is generated every time the script is invoked, most commonly due to unchanged
input. This assures the build targets are up-to-date and can't be older than their dependencies,
which would result in constant regeneration at every build.

2014-01-07 Filip Pizlo <fpizlo@apple.com>

DFG fixup phase should be responsible for inserting ValueToInt32's as needed and it should use Phantom to keep the original values alive in case of OSR exit
https://bugs.webkit.org/show_bug.cgi?id=126600

Reviewed by Michael Saboff.

This fixes an embarrassing OSR exit liveness bug. It also simplifies the code. We were
already using FixupPhase as the place where conversion nodes get inserted. ValueToInt32
was the only exception to that rule, and that was one of the reasons why we had this bug.

Henceforth ValueToInt32 is only inserted by FixupPhase, and only when it is necessary:
we have a BitOp that will want a ToInt32 conversion and the operand is not predicted to
already be an int32. If FixupPhase inserts any ValueToInt32's then the BitOp will no
longer appear to use the original operand, which will make OSR exit think that the
original operand is dead. We work around this the way we always do: insert a Phantom on
the original operands right after the BitOp. This ensures that any OSR exit in any of the
ValueToInt32's or in the BitOp itself will have values for the original inputs.

* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsic):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixIntEdge):
(JSC::DFG::FixupPhase::fixBinaryIntEdges):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* tests/stress/bit-op-value-to-int32-input-liveness.js: Added.
(foo):

2014-01-07 Mark Hahnenberg <mhahnenberg@apple.com>

Repatch write barrier slow path call doesn't align the stack in the presence of saved registers
https://bugs.webkit.org/show_bug.cgi?id=126093

Reviewed by Geoffrey Garen.

* jit/Repatch.cpp: Reworked the stack alignment code for calling out to C code on the write barrier slow path.
We need to properly account for the number of reused registers that were saved to the stack, so we have to
pass the ScratchRegisterAllocator around.
(JSC::storeToWriteBarrierBuffer):
(JSC::writeBarrier):
(JSC::emitPutReplaceStub):
(JSC::emitPutTransitionStub):
* jit/ScratchRegisterAllocator.h: Previously the ScratchRegisterAllocator only knew whether or not it had
reused registers, but not how many. In order to correctly align the stack for calls to C slow paths for
the write barriers in inline caches we need to know how the stack is aligned. So now ScratchRegisterAllocator
tracks how many registers it has reused.
(JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
(JSC::ScratchRegisterAllocator::allocateScratch):
(JSC::ScratchRegisterAllocator::didReuseRegisters):
(JSC::ScratchRegisterAllocator::numberOfReusedRegisters):
(JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
(JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
* llint/LowLevelInterpreter64.asm: Random typo fix.

2014-01-07 Mark Lam <mark.lam@apple.com>

r161364 caused JSC tests regression on non-DFG builds (e.g. C Loop and Windows).
https://bugs.webkit.org/show_bug.cgi?id=126589.

Reviewed by Filip Pizlo.

After the removal of ENABLE(VALUE_PROFILER), the LLINT is now expecting the
relevant opcode operands to point to ValueProfiler data structures and will
write profiling data into them. Hence, we need to allocate these data
structures even though the profiling data won't be used in non-DFG builds.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):

2014-01-07 Filip Pizlo <fpizlo@apple.com>

ASSERT in compileArithNegate on pdfjs
https://bugs.webkit.org/show_bug.cgi?id=126584

Reviewed by Mark Hahnenberg.

Check negative zero when we should check it, not when we shouldn't check it. :-/

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithNegate):

2014-01-07 Gabor Rapcsanyi <rgabor@webkit.org>

pushFinallyContext saves wrong m_labelScopes size
https://bugs.webkit.org/show_bug.cgi?id=124529

Remove free label scopes before saving finally context.

Reviewed by Geoffrey Garen.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::pushFinallyContext):

2014-01-06 Mark Hahnenberg <mhahnenberg@apple.com>

Heap::collect shouldn't be responsible for sweeping
https://bugs.webkit.org/show_bug.cgi?id=126556

Reviewed by Geoffrey Garen.

Sweeping happens at an awkward time during collection due to the fact that destructors can
cause arbitrary reentry into the VM. This patch separates collecting and sweeping, and delays
sweeping until after collection has completely finished.

* heap/Heap.cpp:
(JSC::Heap::collectAllGarbage):
(JSC::Heap::collect):
(JSC::Heap::collectIfNecessaryOrDefer):
* heap/Heap.h:
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::sweep):
* runtime/GCActivityCallback.cpp:
(JSC::DefaultGCActivityCallback::doWork):

2014-01-07 Mark Rowe <mrowe@apple.com>

<https://webkit.org/b/126567> Remove the legacy WebKit availability macros

They're no longer used.

Reviewed by Ryosuke Niwa.

* API/WebKitAvailability.h:

2014-01-07 Filip Pizlo <fpizlo@apple.com>

SetLocal for a FlushedArguments should not claim that the dataFormat is DataFormatJS
https://bugs.webkit.org/show_bug.cgi?id=126563

Reviewed by Gavin Barraclough.

This was a rookie arguments simplification mistake: the SetLocal needs to record the fact
that although it set JSValue(), OSR should think it set Arguments. DataFormatArguments
conveys this, and dataFormatFor(FlushFormat) will do the right thing.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* tests/stress/phantom-arguments-set-local-then-exit-in-same-block.js: Added.
(foo):

2014-01-06 Filip Pizlo <fpizlo@apple.com>

Make the different flavors of integer arithmetic more explicit, and don't rely on (possibly stale) results of the backwards propagator to decide integer arithmetic semantics
https://bugs.webkit.org/show_bug.cgi?id=125519

Reviewed by Geoffrey Garen.

Adds the Arith::Mode enum to arithmetic nodes, which makes it explicit what sorts of
checks and overflows the node should do. Previously this would be deduced from
backwards analysis results.

This also makes "unchecked" variants really mean that you want the int32 wrapped
result, so ArithIMul is now done in terms of ArithMul(Unchecked). That means that the
constant folder needs to compute exactly the result implied by ArithMode, instead of
just folding the double result.

* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArithMode.cpp: Added.
(WTF::printInternal):
* dfg/DFGArithMode.h: Added.
(JSC::DFG::doesOverflow):
(JSC::DFG::shouldCheckOverflow):
(JSC::DFG::shouldCheckNegativeZero):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::pureCSE):
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGNode.h:
(JSC::DFG::Node::Node):
(JSC::DFG::Node::hasArithMode):
(JSC::DFG::Node::arithMode):
(JSC::DFG::Node::setArithMode):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
(JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
(JSC::DFG::SpeculativeJIT::compileAdd):
(JSC::DFG::SpeculativeJIT::compileArithSub):
(JSC::DFG::SpeculativeJIT::compileArithNegate):
(JSC::DFG::SpeculativeJIT::compileArithMul):
(JSC::DFG::SpeculativeJIT::compileArithDiv):
(JSC::DFG::SpeculativeJIT::compileArithMod):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileAddSub):
(JSC::FTL::LowerDFGToLLVM::compileArithMul):
(JSC::FTL::LowerDFGToLLVM::compileArithDivMod):
(JSC::FTL::LowerDFGToLLVM::compileArithNegate):
(JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):

2014-01-06 Mark Hahnenberg <mhahnenberg@apple.com>

Add write barriers to the LLInt
https://bugs.webkit.org/show_bug.cgi?id=126527

Reviewed by Filip Pizlo.

This patch takes a similar approach to how write barriers work in the baseline JIT.
We execute the write barrier at the beginning of the opcode so we don't have to
worry about saving and restoring live registers across write barrier slow path calls
to C code.

* llint/LLIntOfflineAsmConfig.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::llint_write_barrier_slow):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm64.rb:
* offlineasm/instructions.rb:
* offlineasm/x86.rb:

2014-01-05 Sam Weinig <sam@webkit.org>

[JS] Implement Promise.all()
https://bugs.webkit.org/show_bug.cgi?id=126510

Reviewed by Gavin Barraclough.

Add Promise.all() implementation and factor out performing resolves and rejects
on deferreds to share a bit of code. Also moves the abruptRejection helper to
JSPromiseDeferred so it can be used in JSPromiseFunctions.

* runtime/CommonIdentifiers.h:
* runtime/JSPromiseConstructor.cpp:
(JSC::JSPromiseConstructorFuncCast):
(JSC::JSPromiseConstructorFuncResolve):
(JSC::JSPromiseConstructorFuncReject):
(JSC::JSPromiseConstructorFuncAll):
* runtime/JSPromiseDeferred.cpp:
(JSC::updateDeferredFromPotentialThenable):
(JSC::performDeferredResolve):
(JSC::performDeferredReject):
(JSC::abruptRejection):
* runtime/JSPromiseDeferred.h:
* runtime/JSPromiseFunctions.cpp:
(JSC::promiseAllCountdownFunction):
(JSC::createPromiseAllCountdownFunction):
* runtime/JSPromiseFunctions.h:
* runtime/JSPromiseReaction.cpp:
(JSC::ExecutePromiseReactionMicrotask::run):

2014-01-06 Filip Pizlo <fpizlo@apple.com>

Get rid of ENABLE(VALUE_PROFILER). It's on all the time now.

Rubber stamped by Mark Hahnenberg.

* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFor):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpValueProfiling):
(JSC::CodeBlock::dumpArrayProfiling):
(JSC::CodeBlock::dumpRareCaseProfile):
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::setNumParameters):
(JSC::CodeBlock::shrinkToFit):
(JSC::CodeBlock::shouldOptimizeNow):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::valueProfileForBytecodeOffset):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForChain):
(JSC::GetByIdStatus::computeFor):
* bytecode/LazyOperandValueProfile.cpp:
* bytecode/LazyOperandValueProfile.h:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFor):
* bytecode/ValueProfile.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::newArrayProfile):
(JSC::BytecodeGenerator::newArrayAllocationProfile):
(JSC::BytecodeGenerator::emitProfiledOpcode):
* jit/GPRInfo.h:
* jit/JIT.cpp:
(JSC::JIT::JIT):
(JSC::JIT::privateCompileSlowCases):
(JSC::JIT::privateCompile):
* jit/JIT.h:
* jit/JITArithmetic.cpp:
(JSC::JIT::compileBinaryArithOp):
(JSC::JIT::emit_op_mul):
(JSC::JIT::emit_op_div):
* jit/JITArithmetic32_64.cpp:
(JSC::JIT::emitBinaryDoubleOp):
(JSC::JIT::emit_op_mul):
(JSC::JIT::emitSlow_op_mul):
(JSC::JIT::emit_op_div):
* jit/JITCall.cpp:
(JSC::JIT::emitPutCallResult):
* jit/JITCall32_64.cpp:
(JSC::JIT::emitPutCallResult):
* jit/JITInlines.h:
(JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
(JSC::JIT::emitValueProfilingSite):
(JSC::JIT::emitArrayProfilingSiteForBytecodeIndex):
10605 (JSC::JIT::emitArrayProfileStoreToHoleSpecialCase):
10606 (JSC::JIT::emitArrayProfileOutOfBoundsSpecialCase):
10607 (JSC::arrayProfileSaw):
10608 (JSC::JIT::chooseArrayMode):
10609 * jit/JITOpcodes.cpp:
10610 (JSC::JIT::emit_op_get_argument_by_val):
10611 * jit/JITOpcodes32_64.cpp:
10612 (JSC::JIT::emit_op_get_argument_by_val):
10613 * jit/JITPropertyAccess.cpp:
10614 (JSC::JIT::emit_op_get_by_val):
10615 (JSC::JIT::emitSlow_op_get_by_val):
10616 (JSC::JIT::emit_op_get_by_id):
10617 (JSC::JIT::emit_op_get_from_scope):
10618 * jit/JITPropertyAccess32_64.cpp:
10619 (JSC::JIT::emit_op_get_by_val):
10620 (JSC::JIT::emitSlow_op_get_by_val):
10621 (JSC::JIT::emit_op_get_by_id):
10622 (JSC::JIT::emit_op_get_from_scope):
10623 * llint/LLIntOfflineAsmConfig.h:
10624 * llint/LLIntSlowPaths.cpp:
10625 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
10626 * llint/LowLevelInterpreter.asm:
10627 * llint/LowLevelInterpreter32_64.asm:
10628 * llint/LowLevelInterpreter64.asm:
10629 * profiler/ProfilerBytecodeSequence.cpp:
10630 (JSC::Profiler::BytecodeSequence::BytecodeSequence):
10631 * runtime/CommonSlowPaths.cpp:
10632
106332014-01-06 Filip Pizlo <fpizlo@apple.com>
10634
10635 LLInt shouldn't check for ENABLE(JIT).
10636
10637 Rubber stamped by Mark Hahnenberg.
10638
10639 * llint/LLIntCommon.h:
10640 * llint/LLIntOfflineAsmConfig.h:
10641 * llint/LLIntSlowPaths.cpp:
10642 (JSC::LLInt::entryOSR):
10643 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
10644 * llint/LowLevelInterpreter.asm:
10645
106462014-01-06 Filip Pizlo <fpizlo@apple.com>
10647
10648 LLInt shouldnt check for ENABLE(JAVASCRIPT_DEBUGGER).
10649
10650 Rubber stamped by Mark Hahnenberg.
10651
10652 * debugger/Debugger.h:
10653 (JSC::Debugger::Debugger):
10654 * llint/LLIntOfflineAsmConfig.h:
10655 * llint/LowLevelInterpreter.asm:
10656
106572014-01-05 Sam Weinig <sam@webkit.org>
10658
10659 [JS] Implement Promise.race()
10660 https://bugs.webkit.org/show_bug.cgi?id=126506
10661
10662 Reviewed by Oliver Hunt.
10663
10664 * runtime/CommonIdentifiers.h:
10665 Add identifier for "cast".
10666
10667 * runtime/JSPromiseConstructor.cpp:
10668 (JSC::abruptRejection):
10669 Helper for the RejectIfAbrupt abstract operation.
10670
10671 (JSC::JSPromiseConstructorFuncRace):
10672 Add implementation of Promise.race()
10673
106742014-01-05 Martin Robinson <mrobinson@igalia.com>
10675
10676 [GTK] [CMake] Ensure that the autotools build and the CMake install the same files
10677 https://bugs.webkit.org/show_bug.cgi?id=116379
10678
10679 Reviewed by Gustavo Noronha Silva.
10680
10681 * PlatformGTK.cmake: Install API headers, gir files, and the pkg-config file.
10682
106832014-01-04 Yusuke Suzuki <utatane.tea@gmail.com>
10684
10685 Use Compiler macros instead of raw "final" and "override"
10686 https://bugs.webkit.org/show_bug.cgi?id=126490
10687
10688 Reviewed by Sam Weinig.
10689
10690 * runtime/JSPromiseReaction.cpp:
10691
106922014-01-04 Martin Robinson <mrobinson@igalia.com>
10693
10694 [GTK] [CMake] Improve the way we locate gobject-introspection
10695 https://bugs.webkit.org/show_bug.cgi?id=126452
10696
10697 Reviewed by Philippe Normand.
10698
10699 * PlatformGTK.cmake: Use the new introspection variables.
10700
107012014-01-04 Zan Dobersek <zdobersek@igalia.com>
10702
10703 Explicitly use the std:: nested name specifier when using std::pair, std::make_pair
10704 https://bugs.webkit.org/show_bug.cgi?id=126439
10705
10706 Reviewed by Andreas Kling.
10707
10708 Instead of relying on std::pair and std::make_pair symbols being present in the current scope
10709 through the pair and make_pair symbols, the std:: specifier should be used explicitly.
10710
10711 * bytecode/Opcode.cpp:
10712 (JSC::compareOpcodePairIndices):
10713 (JSC::OpcodeStats::~OpcodeStats):
10714 * bytecompiler/BytecodeGenerator.cpp:
10715 (JSC::BytecodeGenerator::BytecodeGenerator):
10716 * parser/ASTBuilder.h:
10717 (JSC::ASTBuilder::makeBinaryNode):
10718 * parser/Parser.cpp:
10719 (JSC::Parser<LexerType>::parseIfStatement):
10720 * runtime/Structure.cpp:
10721 (JSC::StructureTransitionTable::contains):
10722 (JSC::StructureTransitionTable::get):
10723 (JSC::StructureTransitionTable::add):
10724
107252014-01-03 David Farler <dfarler@apple.com>
10726
10727 [super dealloc] missing in Source/JavaScriptCore/API/tests/testapi.mm, fails to build with -Werror,-Wobjc-missing-super-calls
10728 https://bugs.webkit.org/show_bug.cgi?id=126454
10729
10730 Reviewed by Geoffrey Garen.
10731
10732 * API/tests/testapi.mm:
10733 (-[TextXYZ dealloc]):
10734 add [super dealloc]
10735 (-[EvilAllocationObject dealloc]):
10736 add [super dealloc]
10737
107382014-01-02 Carlos Garcia Campos <cgarcia@igalia.com>
10739
10740 REGRESSION(r160304): [GTK] Disable libtool fast install
10741 https://bugs.webkit.org/show_bug.cgi?id=126381
10742
10743 Reviewed by Martin Robinson.
10744
10745 Remove -no-fast-install ld flag since fast install is now disabled
10746 globally.
10747
10748 * GNUmakefile.am:
10749
107502014-01-02 Sam Weinig <sam@webkit.org>
10751
10752 Update Promises to the https://github.com/domenic/promises-unwrapping spec
10753 https://bugs.webkit.org/show_bug.cgi?id=120954
10754
10755 Reviewed by Filip Pizlo.
10756
10757 Update Promises to the revised spec. Notable changes:
10758 - JSPromiseResolver is gone.
10759 - TaskContext has been renamed Microtask and now has a virtual run() function.
10760 - Instead of using custom InternalFunction subclasses, JSFunctions are used
10761 with PrivateName properties for internal slots.
10762
10763 * CMakeLists.txt:
10764 * DerivedSources.make:
10765 * GNUmakefile.list.am:
10766 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
10767 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
10768 * JavaScriptCore.xcodeproj/project.pbxproj:
10769 * interpreter/CallFrame.h:
10770 (JSC::ExecState::promiseConstructorTable):
10771 * runtime/CommonIdentifiers.cpp:
10772 (JSC::CommonIdentifiers::CommonIdentifiers):
10773 * runtime/CommonIdentifiers.h:
10774 * runtime/JSGlobalObject.cpp:
10775 (JSC::JSGlobalObject::reset):
10776 (JSC::JSGlobalObject::visitChildren):
10777 (JSC::JSGlobalObject::queueMicrotask):
10778 * runtime/JSGlobalObject.h:
10779 (JSC::JSGlobalObject::promiseConstructor):
10780 (JSC::JSGlobalObject::promisePrototype):
10781 (JSC::JSGlobalObject::promiseStructure):
10782 * runtime/JSPromise.cpp:
10783 (JSC::JSPromise::create):
10784 (JSC::JSPromise::JSPromise):
10785 (JSC::JSPromise::finishCreation):
10786 (JSC::JSPromise::visitChildren):
10787 (JSC::JSPromise::reject):
10788 (JSC::JSPromise::resolve):
10789 (JSC::JSPromise::appendResolveReaction):
10790 (JSC::JSPromise::appendRejectReaction):
10791 (JSC::triggerPromiseReactions):
10792 * runtime/JSPromise.h:
10793 (JSC::JSPromise::status):
10794 (JSC::JSPromise::result):
10795 (JSC::JSPromise::constructor):
10796 * runtime/JSPromiseCallback.cpp: Removed.
10797 * runtime/JSPromiseCallback.h: Removed.
10798 * runtime/JSPromiseConstructor.cpp:
10799 (JSC::constructPromise):
10800 (JSC::JSPromiseConstructor::getCallData):
10801 (JSC::JSPromiseConstructorFuncCast):
10802 (JSC::JSPromiseConstructorFuncResolve):
10803 (JSC::JSPromiseConstructorFuncReject):
10804 * runtime/JSPromiseConstructor.h:
10805 * runtime/JSPromiseDeferred.cpp: Added.
10806 (JSC::JSPromiseDeferred::create):
10807 (JSC::JSPromiseDeferred::JSPromiseDeferred):
10808 (JSC::JSPromiseDeferred::finishCreation):
10809 (JSC::JSPromiseDeferred::visitChildren):
10810 (JSC::createJSPromiseDeferredFromConstructor):
10811 (JSC::updateDeferredFromPotentialThenable):
10812 * runtime/JSPromiseDeferred.h: Added.
10813 (JSC::JSPromiseDeferred::createStructure):
10814 (JSC::JSPromiseDeferred::promise):
10815 (JSC::JSPromiseDeferred::resolve):
10816 (JSC::JSPromiseDeferred::reject):
10817 * runtime/JSPromiseFunctions.cpp: Added.
10818 (JSC::deferredConstructionFunction):
10819 (JSC::createDeferredConstructionFunction):
10820 (JSC::identifyFunction):
10821 (JSC::createIdentifyFunction):
10822 (JSC::promiseAllCountdownFunction):
10823 (JSC::createPromiseAllCountdownFunction):
10824 (JSC::promiseResolutionHandlerFunction):
10825 (JSC::createPromiseResolutionHandlerFunction):
10826 (JSC::rejectPromiseFunction):
10827 (JSC::createRejectPromiseFunction):
10828 (JSC::resolvePromiseFunction):
10829 (JSC::createResolvePromiseFunction):
10830 (JSC::throwerFunction):
10831 (JSC::createThrowerFunction):
10832 * runtime/JSPromiseFunctions.h: Added.
10833 * runtime/JSPromisePrototype.cpp:
10834 (JSC::JSPromisePrototypeFuncThen):
10835 (JSC::JSPromisePrototypeFuncCatch):
10836 * runtime/JSPromiseReaction.cpp: Added.
10837 (JSC::createExecutePromiseReactionMicroTask):
10838 (JSC::ExecutePromiseReactionMicroTask::run):
10839 (JSC::JSPromiseReaction::create):
10840 (JSC::JSPromiseReaction::JSPromiseReaction):
10841 (JSC::JSPromiseReaction::finishCreation):
10842 (JSC::JSPromiseReaction::visitChildren):
10843 * runtime/JSPromiseReaction.h: Added.
10844 (JSC::JSPromiseReaction::createStructure):
10845 (JSC::JSPromiseReaction::deferred):
10846 (JSC::JSPromiseReaction::handler):
10847 * runtime/JSPromiseResolver.cpp: Removed.
10848 * runtime/JSPromiseResolver.h: Removed.
10849 * runtime/JSPromiseResolverConstructor.cpp: Removed.
10850 * runtime/JSPromiseResolverConstructor.h: Removed.
10851 * runtime/JSPromiseResolverPrototype.cpp: Removed.
10852 * runtime/JSPromiseResolverPrototype.h: Removed.
10853 * runtime/Microtask.h: Added.
10854 * runtime/VM.cpp:
10855 (JSC::VM::VM):
10856 (JSC::VM::~VM):
10857 * runtime/VM.h:
10858
108592014-01-02 Mark Hahnenberg <mhahnenberg@apple.com>
10860
10861 Add support for StoreBarrier and friends to the FTL
10862 https://bugs.webkit.org/show_bug.cgi?id=126040
10863
10864 Reviewed by Filip Pizlo.
10865
10866 * ftl/FTLAbstractHeapRepository.h:
10867 * ftl/FTLCapabilities.cpp:
10868 (JSC::FTL::canCompile):
10869 * ftl/FTLIntrinsicRepository.h:
10870 * ftl/FTLLowerDFGToLLVM.cpp:
10871 (JSC::FTL::LowerDFGToLLVM::compileNode):
10872 (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
10873 (JSC::FTL::LowerDFGToLLVM::compileConditionalStoreBarrier):
10874 (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
10875 (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
10876 (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
10877 * heap/Heap.cpp:
10878 (JSC::Heap::Heap):
10879 * heap/Heap.h:
10880 (JSC::Heap::writeBarrierBuffer):
10881
108822014-01-02 Mark Hahnenberg <mhahnenberg@apple.com>
10883
10884 Storing new CopiedSpace memory into a JSObject should fire a write barrier
10885 https://bugs.webkit.org/show_bug.cgi?id=126025
10886
10887 Reviewed by Filip Pizlo.
10888
10889 Technically this is creating a pointer between a (potentially) old generation object and a young
10890 generation chunk of memory, thus there needs to be a barrier.
10891
10892 * JavaScriptCore.xcodeproj/project.pbxproj:
10893 * dfg/DFGOperations.cpp:
10894 * heap/CopyWriteBarrier.h: Added. This class functions similarly to the WriteBarrier class. It
10895 acts as a proxy for pointers to CopiedSpace. Assignments to the field cause a write barrier to
10896 fire for the object that is the owner of the CopiedSpace memory. This is to ensure during nursery
10897 collections that objects with new backing stores are visited, even if they are old generation objects.
10898 (JSC::CopyWriteBarrier::CopyWriteBarrier):
10899 (JSC::CopyWriteBarrier::operator!):
10900 (JSC::CopyWriteBarrier::operator UnspecifiedBoolType*):
10901 (JSC::CopyWriteBarrier::get):
10902 (JSC::CopyWriteBarrier::operator*):
10903 (JSC::CopyWriteBarrier::operator->):
10904 (JSC::CopyWriteBarrier::set):
10905 (JSC::CopyWriteBarrier::setWithoutWriteBarrier):
10906 (JSC::CopyWriteBarrier::clear):
10907 * heap/Heap.h:
10908 * runtime/JSArray.cpp:
10909 (JSC::JSArray::unshiftCountSlowCase):
10910 (JSC::JSArray::shiftCountWithArrayStorage):
10911 (JSC::JSArray::unshiftCountWithArrayStorage):
10912 * runtime/JSCell.h:
10913 (JSC::JSCell::unvalidatedStructure):
10914 * runtime/JSGenericTypedArrayViewInlines.h:
10915 (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
10916 * runtime/JSObject.cpp:
10917 (JSC::JSObject::copyButterfly):
10918 (JSC::JSObject::getOwnPropertySlotByIndex):
10919 (JSC::JSObject::putByIndex):
10920 (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
10921 (JSC::JSObject::createInitialIndexedStorage):
10922 (JSC::JSObject::createArrayStorage):
10923 (JSC::JSObject::deletePropertyByIndex):
10924 (JSC::JSObject::getOwnPropertyNames):
10925 (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
10926 (JSC::JSObject::countElements):
10927 (JSC::JSObject::increaseVectorLength):
10928 (JSC::JSObject::ensureLengthSlow):
10929 * runtime/JSObject.h:
10930 (JSC::JSObject::butterfly):
10931 (JSC::JSObject::setStructureAndButterfly):
10932 (JSC::JSObject::setButterflyWithoutChangingStructure):
10933 (JSC::JSObject::JSObject):
10934 (JSC::JSObject::putDirectInternal):
10935 (JSC::JSObject::putDirectWithoutTransition):
10936 * runtime/MapData.cpp:
10937 (JSC::MapData::ensureSpaceForAppend):
10938 * runtime/Structure.cpp:
10939 (JSC::Structure::materializePropertyMap):
10940
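The two barrier entries above ("Add write barriers to the LLInt" and this CopyWriteBarrier change) both rest on the same generational invariant: an old-generation object that is made to point at young memory must be recorded, because an eden collection only scans young objects and the remembered set. The following is an added example, not JSC code and not part of this ChangeLog: a toy generational heap in C++ whose names (ToyHeap, Cell, Backing, rememberedSet, storeChild, storeBacking) are this example's own. It lets each store run with or without the barrier so the consequence of omitting it is visible: the collector frees a young backing store (or young child cell) that an old object still points to, which in a real engine is a use-after-free in the heap.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <set>
#include <vector>

// Out-of-line storage standing in for a CopiedSpace backing store (a butterfly).
struct Backing {
    std::vector<int> slots;
    bool old = false;    // survived an earlier collection
    bool marked = false; // reached during the current collection
};

// A cell in marked space. markByte == 1: old (survived a collection); 0: young.
struct Cell {
    unsigned char markByte = 0;
    Cell* child = nullptr;      // pointer into marked space
    Backing* backing = nullptr; // pointer into copied space
};

struct ToyHeap {
    std::vector<std::unique_ptr<Cell>> cells;
    std::vector<std::unique_ptr<Backing>> backings;
    std::vector<Cell*> roots;
    std::set<Cell*> rememberedSet; // plays the role of the write barrier buffer

    Cell* allocateCell() {
        cells.emplace_back(new Cell());
        return cells.back().get();
    }
    Backing* allocateBacking(std::size_t n) {
        backings.emplace_back(new Backing());
        backings.back()->slots.assign(n, 0);
        return backings.back().get();
    }

    // The barrier fires on the owner of the slot, not on the value stored: an old
    // owner that now points at young memory must be rescanned by the next eden
    // collection, so it is recorded in the remembered set.
    void writeBarrier(Cell* owner) {
        if (owner->markByte)
            rememberedSet.insert(owner);
    }

    // Two store kinds, mirroring WriteBarrier (cell to cell) and CopyWriteBarrier
    // (cell to backing store). The barrier runs before the store, as the LLInt does.
    void storeChild(Cell* owner, Cell* value, bool useBarrier) {
        if (useBarrier) writeBarrier(owner);
        owner->child = value;
    }
    void storeBacking(Cell* owner, Backing* value, bool useBarrier) {
        if (useBarrier) writeBarrier(owner);
        owner->backing = value;
    }

    // Eden collection: old cells are assumed live and, unless remembered, assumed
    // to point only at old memory, so they are neither scanned nor swept.
    void edenCollect() {
        std::set<Cell*> visited;
        std::vector<Cell*> work(roots.begin(), roots.end());
        work.insert(work.end(), rememberedSet.begin(), rememberedSet.end());
        while (!work.empty()) {
            Cell* c = work.back();
            work.pop_back();
            if (!c || !visited.insert(c).second)
                continue;
            if (c->markByte && !rememberedSet.count(c))
                continue; // the generational assumption the barrier keeps true
            if (c->backing)
                c->backing->marked = true;
            work.push_back(c->child);
        }
        // Sweep young cells and young backing stores that were not reached.
        cells.erase(std::remove_if(cells.begin(), cells.end(),
            [&](const std::unique_ptr<Cell>& p) { return !p->markByte && !visited.count(p.get()); }),
            cells.end());
        backings.erase(std::remove_if(backings.begin(), backings.end(),
            [](const std::unique_ptr<Backing>& p) { return !p->old && !p->marked; }),
            backings.end());
        // Survivors are promoted; the remembered set starts empty again.
        for (auto& p : cells) p->markByte = 1;
        for (auto& p : backings) { p->old = true; p->marked = false; }
        rememberedSet.clear();
    }
};

// Allocate a root and promote it to the old generation by surviving one collection.
static Cell* makeOldRoot(ToyHeap& heap) {
    Cell* obj = heap.allocateCell();
    heap.roots.push_back(obj);
    heap.edenCollect();
    return obj; // obj->markByte is now 1
}

// An old object receives a new backing store (the situation of bug 126025). Returns
// how many backing stores remain allocated afterwards: 1 if it survived, 0 if the
// collector freed it while the old object still points at it.
std::size_t backingsAfterEdenCollection(bool useBarrier) {
    ToyHeap heap;
    Cell* obj = makeOldRoot(heap);
    heap.storeBacking(obj, heap.allocateBacking(4), useBarrier);
    heap.edenCollect();
    return heap.backings.size();
}

// An old object receives a pointer to a young cell. Returns the number of live
// cells afterwards: 2 if the young child survived, 1 if only the old root did.
std::size_t cellsAfterEdenCollection(bool useBarrier) {
    ToyHeap heap;
    Cell* obj = makeOldRoot(heap);
    heap.storeChild(obj, heap.allocateCell(), useBarrier);
    heap.edenCollect();
    return heap.cells.size();
}
```

With `useBarrier` true both scenarios keep the young memory alive (one backing store, two cells); with it false the eden collection never scans the old owner, so the young backing store or child is swept while still referenced. That is the dangling pointer the CopyWriteBarrier entry prevents, and the reason the barrier keys on the owner's mark byte rather than on the value being stored.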
2013-12-23 Oliver Hunt <oliver@apple.com>

Refactor PutPropertySlot to be aware of custom properties
https://bugs.webkit.org/show_bug.cgi?id=126187

Reviewed by Antti Koivisto.

Refactor PutPropertySlot, making the constructor take the thisValue
used as a target. This results in a wide range of boilerplate changes
to pass the new parameter.

* API/JSObjectRef.cpp:
(JSObjectSetProperty):
* dfg/DFGOperations.cpp:
(JSC::DFG::operationPutByValInternal):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/Arguments.cpp:
(JSC::Arguments::putByIndex):
* runtime/ArrayPrototype.cpp:
(JSC::putProperty):
(JSC::arrayProtoFuncPush):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitiveByIndex):
* runtime/JSCell.cpp:
(JSC::JSCell::putByIndex):
* runtime/JSFunction.cpp:
(JSC::JSFunction::put):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
* runtime/JSONObject.cpp:
(JSC::Walker::walk):
* runtime/JSObject.cpp:
(JSC::JSObject::putByIndex):
(JSC::JSObject::putDirectNonIndexAccessor):
(JSC::JSObject::deleteProperty):
* runtime/JSObject.h:
(JSC::JSObject::putDirect):
* runtime/Lookup.h:
(JSC::putEntry):
(JSC::lookupPut):
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::PutPropertySlot):
(JSC::PutPropertySlot::setCustomProperty):
(JSC::PutPropertySlot::thisValue):
(JSC::PutPropertySlot::isCacheable):

2014-01-01 Filip Pizlo <fpizlo@apple.com>

Rationalize DFG DCE
https://bugs.webkit.org/show_bug.cgi?id=125523

Reviewed by Mark Hahnenberg.

Adds the ability to DCE more things. It's now the case that if a node is completely
pure, we clear NodeMustGenerate and the node becomes a DCE candidate.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::cleanVariables):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::clobbersWorld):
* dfg/DFGNodeType.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileAdd):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileValueAdd):

2014-01-02 Benjamin Poulain <benjamin@webkit.org>

Attempt to fix the build of WebCore's code generator on CMake based system
https://bugs.webkit.org/show_bug.cgi?id=126271

Reviewed by Sam Weinig.

* CMakeLists.txt:

2013-12-30 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r161157, r161158, r161160, r161161,
r161163, and r161165.
http://trac.webkit.org/changeset/161157
http://trac.webkit.org/changeset/161158
http://trac.webkit.org/changeset/161160
http://trac.webkit.org/changeset/161161
http://trac.webkit.org/changeset/161163
http://trac.webkit.org/changeset/161165
https://bugs.webkit.org/show_bug.cgi?id=126332

Broke WebKit2 on Mountain Lion (Requested by ap on #webkit).

* heap/BlockAllocator.cpp:
(JSC::BlockAllocator::~BlockAllocator):
(JSC::BlockAllocator::waitForRelativeTimeWhileHoldingLock):
(JSC::BlockAllocator::waitForRelativeTime):
(JSC::BlockAllocator::blockFreeingThreadMain):
* heap/BlockAllocator.h:
(JSC::BlockAllocator::deallocate):

2013-12-30 Anders Carlsson <andersca@apple.com>

Fix build.

* heap/BlockAllocator.h:

2013-12-30 Anders Carlsson <andersca@apple.com>

Stop using ThreadCondition in BlockAllocator
https://bugs.webkit.org/show_bug.cgi?id=126313

Reviewed by Sam Weinig.

* heap/BlockAllocator.cpp:
(JSC::BlockAllocator::~BlockAllocator):
(JSC::BlockAllocator::waitForDuration):
(JSC::BlockAllocator::blockFreeingThreadMain):
* heap/BlockAllocator.h:
(JSC::BlockAllocator::deallocate):

2013-12-30 Anders Carlsson <andersca@apple.com>

Stop using ThreadCondition in jsc.cpp
https://bugs.webkit.org/show_bug.cgi?id=126311

Reviewed by Sam Weinig.

* jsc.cpp:
(timeoutThreadMain):
(main):

2013-12-30 Anders Carlsson <andersca@apple.com>

Replace WTF::ThreadingOnce with std::call_once
https://bugs.webkit.org/show_bug.cgi?id=126215

Reviewed by Sam Weinig.

* dfg/DFGWorklist.cpp:
(JSC::DFG::globalWorklist):
* runtime/InitializeThreading.cpp:
(JSC::initializeThreading):

2013-12-30 Martin Robinson <mrobinson@igalia.com>

[CMake] [GTK] Add support for GObject introspection
https://bugs.webkit.org/show_bug.cgi?id=126162

Reviewed by Daniel Bates.

* PlatformGTK.cmake: Add the GIR targets.

2013-12-28 Filip Pizlo <fpizlo@apple.com>

Get rid of DFG forward exiting
https://bugs.webkit.org/show_bug.cgi?id=125531

Reviewed by Oliver Hunt.

This finally gets rid of forward exiting. Forward exiting was always a fragile concept
since it involved the compiler trying to figure out how to "roll forward" the
execution from some DFG node to the next bytecode index. It was always easy to find
counterexamples where it broke, and it has always served as an obstacle to adding
compiler improvements - the latest being http://webkit.org/b/125523, which tried to
make DCE work for more things.

This change finishes the work of removing forward exiting. A lot of forward exiting
was already removed in some other bugs, but SetLocal still did forward exits. SetLocal
is in many ways the hardest to remove, since the forward exiting of SetLocal also
implied that any conversion nodes inserted before the SetLocal would then also be
marked as forward-exiting. Hence SetLocal's forward-exiting made a bunch of other
things also forward-exiting, and this was always a source of weirdo bugs.

SetLocal must be able to exit in case it performs a hoisted type speculation. Nodes
inserted just before SetLocal must also be able to exit - for example type check
hoisting may insert a CheckStructure, or fixup phase may insert something like
Int32ToDouble. But if any of those nodes tried to backward exit, then this could lead
to the reexecution of a side-effecting operation, for example:

a: Call(...)
b: SetLocal(@a, r1)

For a long time it seemed like SetLocal *had* to exit forward because of this. But
this change side-steps the problem by changing the ByteCodeParser to always emit a
kind of "two-phase commit" for stores to local variables. Now when the ByteCodeParser
wishes to store to a local, it first emits a MovHint and then enqueues a SetLocal.
The SetLocal isn't actually emitted until the beginning of the next bytecode
instruction (with the exception of op_enter and op_ret, which emit theirs immediately
since it's always safe to reexecute those bytecode instructions and since deferring
SetLocals would be weird there - op_enter has many SetLocals and op_ret is a set
followed by a jump in case of inlining, so we'd have to emit the SetLocal "after" the
jump and that would be awkward). This means that the above IR snippet would look
something like:

a: Call(..., bc#42)
b: MovHint(@a, r1, bc#42)
c: SetLocal(@a, r1, bc#47)

Where the SetLocal exits "backwards" but appears at the beginning of the next bytecode
instruction. This means that by the time we get to that SetLocal, the OSR exit
analysis already knows that r1 is associated with @a, and it means that the SetLocal
or anything hoisted above it can exit backwards as normal.

This change also means that the "forward rewiring" can be killed. Previously, we might
have inserted a conversion node on SetLocal and then the SetLocal died (i.e. turned
into a MovHint) and the conversion node either died completely or had its lifetime
truncated to be less than the actual value's bytecode lifetime. This no longer happens
since conversion nodes are only inserted at SetLocals.

More precisely, this change introduces two laws that we were basically already
following anyway:

1) A MovHint's child should never be changed except if all other uses of that child
are also replaced. Specifically, this prohibits insertion of conversion nodes at
MovHints.

2) Anytime any child is replaced with something else, and all other uses aren't also
replaced, we must insert a Phantom use of the original child.

This is a slight compile-time regression but has no effect on code-gen. It unlocks a
bunch of optimization opportunities so I think it's worth it.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpAssumingJITType):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::instructionCount):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):
* dfg/DFGArrayifySlowPathGenerator.h:
(JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::setDirect):
(JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
(JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::eliminate):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGCommon.h:
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::run):
(JSC::DFG::DCEPhase::fixupBlock):
(JSC::DFG::DCEPhase::cleanVariables):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixEdge):
(JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::run):
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGMinifiedNode.cpp:
(JSC::DFG::MinifiedNode::fromNode):
* dfg/DFGMinifiedNode.h:
(JSC::DFG::belongsInMinifiedGraph):
(JSC::DFG::MinifiedNode::constantNumber):
(JSC::DFG::MinifiedNode::weakConstant):
* dfg/DFGNode.cpp:
(JSC::DFG::Node::hasVariableAccessData):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToPhantom):
(JSC::DFG::Node::convertToPhantomUnchecked):
(JSC::DFG::Node::convertToIdentity):
(JSC::DFG::Node::containsMovHint):
(JSC::DFG::Node::hasUnlinkedLocal):
(JSC::DFG::Node::willHaveCodeGenOrOSR):
* dfg/DFGNodeFlags.cpp:
(JSC::DFG::dumpNodeFlags):
* dfg/DFGNodeFlags.h:
* dfg/DFGNodeType.h:
* dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
(JSC::DFG::OSRAvailabilityAnalysisPhase::run):
* dfg/DFGOSREntrypointCreationPhase.cpp:
(JSC::DFG::OSREntrypointCreationPhase::run):
* dfg/DFGOSRExit.cpp:
* dfg/DFGOSRExit.h:
* dfg/DFGOSRExitBase.cpp:
* dfg/DFGOSRExitBase.h:
(JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
(JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculationCheck):
(JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
(JSC::DFG::SpeculativeJIT::typeCheck):
(JSC::DFG::SpeculativeJIT::compileMovHint):
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
(JSC::DFG::SpeculativeJIT::checkArgumentTypes):
(JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
(JSC::DFG::SpeculativeJIT::needsTypeCheck):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::run):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validateCPS):
* dfg/DFGVariableAccessData.h:
(JSC::DFG::VariableAccessData::VariableAccessData):
* dfg/DFGVariableEventStream.cpp:
(JSC::DFG::VariableEventStream::reconstruct):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileGetArgument):
(JSC::FTL::LowerDFGToLLVM::compileSetLocal):
(JSC::FTL::LowerDFGToLLVM::compileMovHint):
(JSC::FTL::LowerDFGToLLVM::compileZombieHint):
(JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::typeCheck):
(JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
(JSC::FTL::LowerDFGToLLVM::appendOSRExit):
(JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
* ftl/FTLOSRExit.cpp:
* ftl/FTLOSRExit.h:
* tests/stress/dead-int32-to-double.js: Added.
(foo):
* tests/stress/dead-uint32-to-number.js: Added.
(foo):

2013-12-25 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r161033 and r161074.
http://trac.webkit.org/changeset/161033
http://trac.webkit.org/changeset/161074
https://bugs.webkit.org/show_bug.cgi?id=126240

Oliver says that a rollout would be better (Requested by ap on
#webkit).

* API/JSObjectRef.cpp:
(JSObjectSetProperty):
* dfg/DFGOperations.cpp:
(JSC::DFG::operationPutByValInternal):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/Arguments.cpp:
(JSC::Arguments::putByIndex):
* runtime/ArrayPrototype.cpp:
(JSC::putProperty):
(JSC::arrayProtoFuncPush):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitiveByIndex):
* runtime/JSCell.cpp:
(JSC::JSCell::putByIndex):
* runtime/JSFunction.cpp:
(JSC::JSFunction::put):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
* runtime/JSONObject.cpp:
(JSC::Walker::walk):
* runtime/JSObject.cpp:
(JSC::JSObject::putByIndex):
(JSC::JSObject::putDirectNonIndexAccessor):
(JSC::JSObject::deleteProperty):
* runtime/JSObject.h:
(JSC::JSObject::putDirect):
* runtime/Lookup.h:
(JSC::putEntry):
(JSC::lookupPut):
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::PutPropertySlot):
(JSC::PutPropertySlot::setNewProperty):
(JSC::PutPropertySlot::isCacheable):

2013-12-25 Filip Pizlo <fpizlo@apple.com>

DFG PhantomArguments shouldn't rely on a dead Phi graph
https://bugs.webkit.org/show_bug.cgi?id=126218

Reviewed by Oliver Hunt.

This change dramatically rationalizes our handling of PhantomArguments (i.e.
speculative elision of arguments object allocation).

It's now the case that if we decide that we can elide arguments allocation, we just
turn the arguments-creating node into a PhantomArguments and mark all locals that
it's stored to as being arguments aliases. Being an arguments alias and being a
PhantomArguments means basically the same thing: in DFG execution you have the empty
value, on OSR exit an arguments object is allocated in your place, and all operations
that use the value now just refer directly to the actual arguments in the call frame
header (or the arguments we know that we passed to the call, in case of inlining).

This means that we no longer have arguments simplification creating a dead Phi graph
that then has to be interpreted by the OSR exit logic. That sort of never made any
sense.

This means that PhantomArguments now has a clear story in SSA: basically SSA just
gets rid of the "locals" but everything else is the same.

Finally, this means that we can more easily get rid of forward exiting. As I was
working on the code to get rid of forward exiting, I realized that I'd have to
carefully preserve the special meanings of MovHint and SetLocal in the case of
PhantomArguments. It was really bizarre: even the semantics of MovHint were tied to
our specific treatment of PhantomArguments. After this change this is no longer the
case.

One of the really cool things about this change is that arguments reification now
just becomes a special kind of FlushFormat. This further unifies things: it means
that a MovHint(PhantomArguments) and a SetLocal(PhantomArguments) both have the same
meaning, since both of them dictate that the way we recover the local on exit is by
reifying arguments. Previously, the SetLocal(PhantomArguments) case needed some
special handling to accomplish this.

A downside of this approach is that we will now emit code to store the empty value
into aliased arguments variables, and we will even emit code to load that empty value
11384 as well. As far as I can tell this doesn't cost anything, since PhantomArguments are
11385 most profitable in cases where it allows us to simplify control flow and kill the
11386 arguments locals entirely. Of course, this isn't an issue in SSA form since SSA form
11387 also eliminates the locals.
11388
11389 * dfg/DFGArgumentsSimplificationPhase.cpp:
11390 (JSC::DFG::ArgumentsSimplificationPhase::run):
11391 (JSC::DFG::ArgumentsSimplificationPhase::detypeArgumentsReferencingPhantomChild):
11392 * dfg/DFGFlushFormat.cpp:
11393 (WTF::printInternal):
11394 * dfg/DFGFlushFormat.h:
11395 (JSC::DFG::resultFor):
11396 (JSC::DFG::useKindFor):
11397 (JSC::DFG::dataFormatFor):
11398 * dfg/DFGSpeculativeJIT.cpp:
11399 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
11400 * dfg/DFGSpeculativeJIT32_64.cpp:
11401 (JSC::DFG::SpeculativeJIT::compile):
11402 * dfg/DFGSpeculativeJIT64.cpp:
11403 (JSC::DFG::SpeculativeJIT::compile):
11404 * dfg/DFGValueSource.h:
11405 (JSC::DFG::ValueSource::ValueSource):
11406 (JSC::DFG::ValueSource::forFlushFormat):
11407 * dfg/DFGVariableAccessData.h:
11408 (JSC::DFG::VariableAccessData::flushFormat):
11409 * ftl/FTLLowerDFGToLLVM.cpp:
11410 (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
11411
2013-12-23 Oliver Hunt <oliver@apple.com>

Refactor PutPropertySlot to be aware of custom properties
https://bugs.webkit.org/show_bug.cgi?id=126187

Reviewed by msaboff.

Refactor PutPropertySlot, making the constructor take the thisValue
used as a target. This results in a wide range of boilerplate changes
to pass the new parameter.

* API/JSObjectRef.cpp:
(JSObjectSetProperty):
* dfg/DFGOperations.cpp:
(JSC::DFG::operationPutByValInternal):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/Arguments.cpp:
(JSC::Arguments::putByIndex):
* runtime/ArrayPrototype.cpp:
(JSC::putProperty):
(JSC::arrayProtoFuncPush):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitiveByIndex):
* runtime/JSCell.cpp:
(JSC::JSCell::putByIndex):
* runtime/JSFunction.cpp:
(JSC::JSFunction::put):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
* runtime/JSONObject.cpp:
(JSC::Walker::walk):
* runtime/JSObject.cpp:
(JSC::JSObject::putByIndex):
(JSC::JSObject::putDirectNonIndexAccessor):
(JSC::JSObject::deleteProperty):
* runtime/JSObject.h:
(JSC::JSObject::putDirect):
* runtime/Lookup.h:
(JSC::putEntry):
(JSC::lookupPut):
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::PutPropertySlot):
(JSC::PutPropertySlot::setCustomProperty):
(JSC::PutPropertySlot::thisValue):
(JSC::PutPropertySlot::isCacheable):

2013-12-23 Benjamin Poulain <benjamin@webkit.org>

Add class matching to the Selector Code Generator
https://bugs.webkit.org/show_bug.cgi?id=126176

Reviewed by Antti Koivisto and Oliver Hunt.

Add test and branch based on BaseIndex addressing for x86_64.
Fast loops are needed to compete with clang on tight loops.

* assembler/MacroAssembler.h:
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::branch64):
(JSC::MacroAssemblerX86_64::branchPtr):
* assembler/X86Assembler.h:
(JSC::X86Assembler::cmpq_rm):

2013-12-23 Oliver Hunt <oliver@apple.com>

Update custom setter implementations to perform type checks
https://bugs.webkit.org/show_bug.cgi?id=126171

Reviewed by Daniel Bates.

Modify the setter function signature to take encoded values
as we're changing the setter usage everywhere anyway.

* runtime/Lookup.h:
(JSC::putEntry):

2013-12-23 Lucas Forschler <lforschler@apple.com>

<rdar://problem/15682948> Update copyright strings

Reviewed by Dan Bernstein.

* Info.plist:
* JavaScriptCore.vcxproj/JavaScriptCore.resources/Info.plist:

2013-12-23 Zan Dobersek <zdobersek@igalia.com>

[GTK] Clean up compiler optimization flags for libWTF, libJSC
https://bugs.webkit.org/show_bug.cgi?id=126157

Reviewed by Gustavo Noronha Silva.

* GNUmakefile.am: Remove the -fstrict-aliasing and -O3 compiler flags for libWTF.la. -O3 gets
overridden by -O2 that's listed in CXXFLAGS (or -O0 in case of debug builds) and -fstrict-aliasing
is enabled when -O2 is used (and shouldn't be enabled in debug builds anyway).

2013-12-22 Martin Robinson <mrobinson@igalia.com>

[CMake] Fix typo from r160812
https://bugs.webkit.org/show_bug.cgi?id=126145

Reviewed by Gustavo Noronha Silva.

* CMakeLists.txt: Fix typo when detecting the type of library.

2013-12-22 Martin Robinson <mrobinson@igalia.com>

[GTK][CMake] libtool-compatible soversion calculation
https://bugs.webkit.org/show_bug.cgi?id=125511

Reviewed by Gustavo Noronha Silva.

* CMakeLists.txt: Use the POPULATE_LIBRARY_VERSION macro and the
library-specific version information.

2013-12-23 Gustavo Noronha Silva <gns@gnome.org>

[GTK] [CMake] Generate pkg-config files
https://bugs.webkit.org/show_bug.cgi?id=125685

Reviewed by Martin Robinson.

* PlatformGTK.cmake: Added. Generate javascriptcoregtk-3.0.pc.

2013-12-22 Benjamin Poulain <benjamin@webkit.org>

Create a skeleton for CSS Selector code generation
https://bugs.webkit.org/show_bug.cgi?id=126044

Reviewed by Antti Koivisto and Gavin Barraclough.

* assembler/LinkBuffer.h:
Add a new owner UID for code compiled for CSS.
Export the symbols needed to link code from WebCore.

2013-12-19 Mark Hahnenberg <mhahnenberg@apple.com>

Clean up DFG write barriers
https://bugs.webkit.org/show_bug.cgi?id=126047

Reviewed by Filip Pizlo.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): Use the register allocator to
determine which registers need saving instead of saving every single one of them.
(JSC::DFG::SpeculativeJIT::osrWriteBarrier): We don't need to save live register state
because the write barriers during OSR execute when there are no live registers. Also we
don't need to use pushes to pad the stack pointer for pokes on x86; we can just use an add.
(JSC::DFG::SpeculativeJIT::writeBarrier):
* dfg/DFGSpeculativeJIT.h:
* jit/Repatch.cpp:
(JSC::emitPutReplaceStub):
(JSC::emitPutTransitionStub):
* runtime/VM.h: Get rid of writeBarrierRegisterBuffer since it's no longer used.

2013-12-20 Balazs Kilvady <kilvadyb@homejinni.com>

[MIPS] Missing MacroAssemblerMIPS::branchTest8(ResultCondition, BaseIndex, TrustedImm32)
https://bugs.webkit.org/show_bug.cgi?id=126062

Reviewed by Mark Hahnenberg.

* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::branchTest8):

2013-12-20 Julien Brianceau <jbriance@cisco.com>

[sh4] Add missing implementation in MacroAssembler to fix build.
https://bugs.webkit.org/show_bug.cgi?id=126063

Reviewed by Mark Hahnenberg.

* assembler/MacroAssemblerSH4.h:
(JSC::MacroAssemblerSH4::branchTest8):

2013-12-20 Julien Brianceau <jbriance@cisco.com>

[arm] Add missing implementation in MacroAssembler to fix CPU(ARM_TRADITIONAL) build.
https://bugs.webkit.org/show_bug.cgi?id=126064

Reviewed by Mark Hahnenberg.

* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::branchTest8):

2013-12-19 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: Add InspectorFrontendHost.debuggableType to let the frontend know its backend is JavaScript or Web
https://bugs.webkit.org/show_bug.cgi?id=126016

Reviewed by Timothy Hatcher.

* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::listingForDebuggable):
* inspector/remote/RemoteInspectorConstants.h:
Include a debuggable type identifier in the debuggable listing,
so the remote frontend can know if it is debugging a Web Page
or JS Context.

2013-12-19 Benjamin Poulain <benjamin@webkit.org>

Add a utility class to simplify generating function calls
https://bugs.webkit.org/show_bug.cgi?id=125972

Reviewed by Geoffrey Garen.

Split branchTest32 in two functions: test32AndSetFlags and branchOnFlags.
This is done to allow code where the flags are set, multiple operations that
do not modify the flags occur, then the flags are used.

This is used for function calls to test the return value while discarding the
return register.

* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::test32AndSetFlags):
(JSC::MacroAssemblerX86Common::branchOnFlags):
(JSC::MacroAssemblerX86Common::branchTest32):

2013-12-19 Mark Hahnenberg <mhahnenberg@apple.com>

Put write barriers in the right places in the baseline JIT
https://bugs.webkit.org/show_bug.cgi?id=125975

Reviewed by Filip Pizlo.

* jit/JIT.cpp:
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITInlines.h:
(JSC::JIT::callOperation):
(JSC::JIT::emitArrayProfilingSite):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_enter):
(JSC::JIT::emitSlow_op_enter):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_enter):
(JSC::JIT::emitSlow_op_enter):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitArrayStoragePutByVal):
(JSC::JIT::emit_op_put_by_id):
(JSC::JIT::emitPutGlobalProperty):
(JSC::JIT::emitPutGlobalVar):
(JSC::JIT::emitPutClosureVar):
(JSC::JIT::emit_op_init_global_const):
(JSC::JIT::checkMarkWord):
(JSC::JIT::emitWriteBarrier):
(JSC::JIT::privateCompilePutByVal):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitArrayStoragePutByVal):
(JSC::JIT::emit_op_put_by_id):
(JSC::JIT::emitSlow_op_put_by_id):
(JSC::JIT::emitPutGlobalProperty):
(JSC::JIT::emitPutGlobalVar):
(JSC::JIT::emitPutClosureVar):
(JSC::JIT::emit_op_init_global_const):
* jit/Repatch.cpp:
(JSC::emitPutReplaceStub):
(JSC::emitPutTransitionStub):
(JSC::repatchPutByID):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:

2013-12-19 Brent Fulgham <bfulgham@apple.com>

Implement ArrayBuffer.isView
https://bugs.webkit.org/show_bug.cgi?id=126004

Reviewed by Filip Pizlo.

Test coverage in webgl/1.0.2/resources/webgl_test_files/conformance/typedarrays/array-unit-tests.html

* runtime/JSArrayBufferConstructor.cpp:
(JSC::JSArrayBufferConstructor::finishCreation): Add 'isView' to object constructor.
(JSC::arrayBufferFuncIsView): New method.

2013-12-19 Mark Lam <mark.lam@apple.com>

Fix broken C loop LLINT build.
https://bugs.webkit.org/show_bug.cgi?id=126024.

Reviewed by Oliver Hunt.

* runtime/VM.h:

2013-12-18 Mark Hahnenberg <mhahnenberg@apple.com>

DelayedReleaseScope is in the wrong place
https://bugs.webkit.org/show_bug.cgi?id=125876

Reviewed by Geoffrey Garen.

The DelayedReleaseScope needs to be around the free list sweeping in MarkedAllocator::tryAllocateHelper.
This location gives us a good safe point between getting ready to allocate (i.e. identifying a non-empty
free list) and doing the actual allocation (popping the free list).

* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::tryAllocateHelper):
(JSC::MarkedAllocator::allocateSlowCase):
(JSC::MarkedAllocator::addBlock):
* runtime/JSCellInlines.h:
(JSC::allocateCell):

2013-12-18 Gustavo Noronha Silva <gns@gnome.org>

[GTK][CMake] make libjavascriptcoregtk a public shared library again
https://bugs.webkit.org/show_bug.cgi?id=125512

Reviewed by Martin Robinson.

* CMakeLists.txt: use target type instead of SHARED_CORE to decide whether
JavaScriptCore is a shared library, since it's always shared for GTK+ regardless
of SHARED_CORE.

2013-12-18 Benjamin Poulain <benjamin@webkit.org>

Add a simple stack abstraction for x86_64
https://bugs.webkit.org/show_bug.cgi?id=125908

Reviewed by Geoffrey Garen.

* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::addPtrNoFlags):
Add an explicit abstraction for the "lea" instruction. This is needed
by the experimental JIT to have add and subtract without changing the flags.

This is useful for function calls to test the return value, restore the registers,
then branch on the flags from the return value.

2013-12-18 Mark Hahnenberg <mhahnenberg@apple.com>

DFG should have a separate StoreBarrier node
https://bugs.webkit.org/show_bug.cgi?id=125530

Reviewed by Filip Pizlo.

This is in preparation for GenGC. We use a separate StoreBarrier node instead of making them implicitly
part of other nodes so that it's easier to run analyses on them, e.g. for the StoreBarrierElisionPhase.
They are inserted during the fixup phase. Initially they do not generate any code.

* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractHeap.h:
* dfg/DFGAbstractInterpreter.h:
(JSC::DFG::AbstractInterpreter::isKnownNotCell):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberizeForAllocation):
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants): Whenever we insert new nodes that require StoreBarriers,
we have to add those new StoreBarriers too. It's important to note that AllocatePropertyStorage and
ReallocatePropertyStorage nodes require their StoreBarriers to come after them since they allocate first,
which could cause a GC, and then store the resulting buffer into their JSCell, which requires the barrier.
If we ever require that write barriers occur before stores, we'll have to split these nodes into
AllocatePropertyStorage + StoreBarrier + PutPropertyStorage.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::insertStoreBarrier):
* dfg/DFGNode.h:
(JSC::DFG::Node::isStoreBarrier):
* dfg/DFGNodeType.h:
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileStoreBarrier):
(JSC::DFG::SpeculativeJIT::genericWriteBarrier): The fast path write barrier check. It loads the
byte that contains the mark bit of the object.
(JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): If the fast path check fails we try to store the
cell in the WriteBarrierBuffer so as to avoid frequently flushing all registers in order to make a C call.
(JSC::DFG::SpeculativeJIT::writeBarrier):
(JSC::DFG::SpeculativeJIT::osrWriteBarrier): More barebones version of the write barrier to be executed
during an OSR exit into baseline code. We must do this so that the baseline JIT object and array profiles
are properly cleared during GC.
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::writeBarrier):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::writeBarrier):
* dfg/DFGStoreBarrierElisionPhase.cpp: Added. New DFG phase that does block-local elision of redundant
StoreBarriers. Every time a StoreBarrier on a particular object is executed, a bit is set indicating that
that object doesn't need any more StoreBarriers.
(JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
(JSC::DFG::StoreBarrierElisionPhase::couldCauseGC): Nodes that could cause a GC reset the bits for all of the
objects known in the current block.
(JSC::DFG::StoreBarrierElisionPhase::allocatesFreshObject): A node that creates a new object automatically
sets the bit for that object since if a GC occurred as the result of that object's allocation then that
object would not need a barrier since it would be guaranteed to be a young generation object until the
next GC point.
(JSC::DFG::StoreBarrierElisionPhase::noticeFreshObject):
(JSC::DFG::StoreBarrierElisionPhase::getBaseOfStore):
(JSC::DFG::StoreBarrierElisionPhase::shouldBeElided):
(JSC::DFG::StoreBarrierElisionPhase::elideBarrier):
(JSC::DFG::StoreBarrierElisionPhase::handleNode):
(JSC::DFG::StoreBarrierElisionPhase::handleBlock):
(JSC::DFG::StoreBarrierElisionPhase::run):
(JSC::DFG::performStoreBarrierElision):
* dfg/DFGStoreBarrierElisionPhase.h: Added.
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::flushWriteBarrierBuffer):
* heap/Heap.h:
(JSC::Heap::writeBarrier):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::offsetOfMarks):
* heap/WriteBarrierBuffer.cpp: Added. The WriteBarrierBuffer buffers a set of JSCells that are awaiting
a pending WriteBarrier. This buffer is used by the DFG to avoid the overhead of calling out to C repeatedly
to invoke a write barrier on a single JSCell. Instead the DFG has inline code to fill the WriteBarrier buffer
until it's full, and then to call out to C to flush it. The WriteBarrierBuffer will also be flushed prior to
each EdenCollection.
(JSC::WriteBarrierBuffer::WriteBarrierBuffer):
(JSC::WriteBarrierBuffer::~WriteBarrierBuffer):
(JSC::WriteBarrierBuffer::flush):
(JSC::WriteBarrierBuffer::reset):
(JSC::WriteBarrierBuffer::add):
* heap/WriteBarrierBuffer.h: Added.
(JSC::WriteBarrierBuffer::currentIndexOffset):
(JSC::WriteBarrierBuffer::capacityOffset):
(JSC::WriteBarrierBuffer::bufferOffset):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* runtime/VM.h:

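The block-local StoreBarrier elision described in the entry above, as an added example over a toy node list (not JavaScriptCore's own code): NodeKind, Node and the numeric object ids are hypothetical stand-ins for the DFG's real node types; the set of ids plays the role of the per-object bits.

```cpp
#include <cstddef>
#include <iostream>
#include <set>
#include <vector>

// Added example, not JSC code: a toy model of the block-local StoreBarrier
// elision described in the entry above. NodeKind is a hypothetical stand-in
// for the DFG's NodeType; only what the pass cares about is modelled.
enum class NodeKind {
    NewObject,     // allocates a fresh object (young until the next GC point)
    StoreBarrier,  // barrier on `base`, emitted by fixup before a store into it
    PutByOffset,   // the store itself: no GC, no change to the barrier bits
    Call           // could cause a GC: every known-safe object becomes unsafe
};

struct Node {
    NodeKind kind;
    int base;     // id of the object allocated or stored into (-1: none)
    bool elided;  // set by the pass when the barrier is redundant
};

static bool couldCauseGC(const Node& n) { return n.kind == NodeKind::Call; }
static bool allocatesFreshObject(const Node& n) { return n.kind == NodeKind::NewObject; }

// Walk one basic block. `barrierFree` holds the objects whose
// "no more barriers needed" bit is set. Returns how many StoreBarriers were elided.
std::size_t elideStoreBarriersInBlock(std::vector<Node>& block)
{
    std::set<int> barrierFree;
    std::size_t elided = 0;
    for (Node& node : block) {
        if (couldCauseGC(node)) {
            barrierFree.clear();            // a GC may have aged every object
            continue;
        }
        if (allocatesFreshObject(node)) {
            barrierFree.insert(node.base);  // fresh object: young even if its allocation GCed
            continue;
        }
        if (node.kind != NodeKind::StoreBarrier)
            continue;
        if (barrierFree.count(node.base)) {
            node.elided = true;             // an earlier barrier already covers this base
            ++elided;
        } else {
            barrierFree.insert(node.base);  // first barrier on this base since the last GC point
        }
    }
    return elided;
}

// Constructed sample block (hypothetical object ids): object 1 is allocated
// in the block, object 2 flows in from outside, and a call sits in the middle.
std::vector<Node> sampleBlock()
{
    return {
        { NodeKind::NewObject,    1, false },  // bit(1) set
        { NodeKind::StoreBarrier, 1, false },  // elided: object 1 is fresh
        { NodeKind::PutByOffset,  1, false },
        { NodeKind::StoreBarrier, 2, false },  // kept: first barrier on 2, sets bit(2)
        { NodeKind::PutByOffset,  2, false },
        { NodeKind::StoreBarrier, 2, false },  // elided: bit(2) already set
        { NodeKind::Call,        -1, false },  // GC point: all bits reset
        { NodeKind::StoreBarrier, 1, false },  // kept: bit(1) was reset by the call
        { NodeKind::StoreBarrier, 1, false },  // elided
    };
}

// Run the pass over the sample and report which nodes were elided, by index.
std::vector<bool> sampleElidedMask()
{
    std::vector<Node> block = sampleBlock();
    elideStoreBarriersInBlock(block);
    std::vector<bool> mask;
    for (const Node& n : block)
        mask.push_back(n.elided);
    return mask;
}

std::size_t sampleElidedCount()
{
    std::vector<Node> block = sampleBlock();
    return elideStoreBarriersInBlock(block);
}

int main()
{
    std::vector<bool> mask = sampleElidedMask();
    for (std::size_t i = 0; i < mask.size(); ++i)
        std::cout << "node " << i << (mask[i] ? ": barrier elided\n" : ": kept\n");
    std::cout << sampleElidedCount() << " of 5 barriers elided\n";  // 3 of 5
    return 0;
}
```
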
2013-12-18 Carlos Garcia Campos <cgarcia@igalia.com>

Unreviewed. Fix make distcheck.

* GNUmakefile.am:

2013-12-17 Julien Brianceau <jbriance@cisco.com>

Fix armv7 and sh4 builds.
https://bugs.webkit.org/show_bug.cgi?id=125848

Reviewed by Csaba Osztrogonác.

* assembler/ARMv7Assembler.h: Include limits.h for INT_MIN.
* assembler/SH4Assembler.h: Include limits.h for INT_MIN.

2013-12-16 Oliver Hunt <oliver@apple.com>

Avoid indirect function calls for custom getters
https://bugs.webkit.org/show_bug.cgi?id=125821

Reviewed by Mark Hahnenberg.

Rather than invoking a helper function to perform an indirect call
through a function pointer, just have the JIT call the function directly.

Unfortunately this only works in JSVALUE64 at the moment as there
is not an obvious way to pass two EncodedJSValues uniformly over
the various affected JITs.

* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArguments):
* jit/Repatch.cpp:
(JSC::generateProtoChainAccessStub):
(JSC::tryBuildGetByIDList):

2013-12-16 Joseph Pecoraro <pecoraro@apple.com>

Fix some whitespace issues in inspector code
https://bugs.webkit.org/show_bug.cgi?id=125814

Reviewed by Darin Adler.

* inspector/protocol/Debugger.json:
* inspector/protocol/Runtime.json:
* inspector/scripts/CodeGeneratorInspector.py:
(Generator.process_command):

2013-12-16 Mark Hahnenberg <mhahnenberg@apple.com>

Add some missing functions to MacroAssembler
https://bugs.webkit.org/show_bug.cgi?id=125809

Reviewed by Oliver Hunt.

* assembler/AbstractMacroAssembler.h:
* assembler/AssemblerBuffer.h:
* assembler/LinkBuffer.cpp:
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::storePtr):
(JSC::MacroAssembler::andPtr):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::and64):
(JSC::MacroAssemblerARM64::branchTest8):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::branchTest8):
* assembler/X86Assembler.h:

2013-12-16 Brent Fulgham <bfulgham@apple.com>

[Win] Remove dead code after conversion to VS2013
https://bugs.webkit.org/show_bug.cgi?id=125795

Reviewed by Darin Adler.

* API/tests/testapi.c: Remove local nan implementation

2013-12-16 Oliver Hunt <oliver@apple.com>

Cache getters and custom accessors on the prototype chain
https://bugs.webkit.org/show_bug.cgi?id=125602

Reviewed by Michael Saboff.

Support caching of custom getters and accessors on the prototype chain.
This is relatively trivial and just requires a little work compared to
the direct access mode as we're under more register pressure.

* bytecode/StructureStubInfo.h:
Removed the unused initGetByIdProto as it was confusing to still have it present.
* jit/Repatch.cpp:
(JSC::generateProtoChainAccessStub):
(JSC::tryCacheGetByID):
(JSC::tryBuildGetByIDList):

2013-12-16 Mark Lam <mark.lam@apple.com>

Change slow path result to take a void* instead of an ExecState*.
https://bugs.webkit.org/show_bug.cgi?id=125802.

Reviewed by Filip Pizlo.

This is in preparation for C Stack OSR entry work that is coming soon.
In the OSR entry case, we'll be returning a topOfFrame pointer value
instead of the ExecState*.

* offlineasm/cloop.rb:
* runtime/CommonSlowPaths.h:
(JSC::encodeResult):
(JSC::decodeResult):

2013-12-16 Alex Christensen <achristensen@webkit.org>

Fixed Win64 build on VS2013.
https://bugs.webkit.org/show_bug.cgi?id=125753

Reviewed by Brent Fulgham.

* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
* JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
* JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
* JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
* JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
* JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
Added correct PlatformToolset for 64-bit builds.

2013-12-16 Peter Szanka <h868064@stud.u-szeged.hu>

Delete RVCT related code parts.
https://bugs.webkit.org/show_bug.cgi?id=125626

Reviewed by Darin Adler.

* assembler/ARMAssembler.cpp:
* assembler/ARMAssembler.h:
(JSC::ARMAssembler::cacheFlush):
* assembler/MacroAssemblerARM.cpp:
(JSC::isVFPPresent):
* jit/JITStubsARM.h:
* jit/JITStubsARMv7.h:

2013-12-15 Ryosuke Niwa <rniwa@webkit.org>

REGRESSION: 2x regression on Dromaeo DOM query tests
https://bugs.webkit.org/show_bug.cgi?id=125377

Reviewed by Filip Pizlo.

The bug was caused by JSC not JIT'ing property access on "document" due to its type info having
the HasImpureGetOwnPropertySlot flag.

Fixed the bug by adding a new type info flag, NewImpurePropertyFiresWatchpoints, which allows the baseline
JIT to generate byte code for accessing properties on an object with named properties (a.k.a.
custom name getter) in DOM. When a new named property appears on the object, the VM is notified via
VM::addImpureProperty and fires StructureStubClearingWatchpoint added during the repatch.

* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt): Take the slow path if we have any object with impure
properties in the prototype chain.
(JSC::GetByIdStatus::computeForChain): Ditto.

* jit/Repatch.cpp:
(JSC::repatchByIdSelfAccess): Throw away the byte code when a new impure property is added on any
object in the prototype chain via StructureStubClearingWatchpoint.
(JSC::generateProtoChainAccessStub): Ditto.
(JSC::tryCacheGetByID):
(JSC::tryBuildGetByIDList):
(JSC::tryRepatchIn): Ditto.

* runtime/JSTypeInfo.h: Added NewImpurePropertyFiresWatchpoints.
(JSC::TypeInfo::newImpurePropertyFiresWatchpoints): Added.

* runtime/Operations.h:
(JSC::normalizePrototypeChainForChainAccess): Don't exit early if the VM will be notified of a new
impure property even if the object had impure properties.

* runtime/Structure.h:
(JSC::Structure::takesSlowPathInDFGForImpureProperty): Added. Wraps hasImpureGetOwnPropertySlot and
asserts that newImpurePropertyFiresWatchpoints is true whenever hasImpureGetOwnPropertySlot is true.

* runtime/VM.cpp:
(JSC::VM::registerWatchpointForImpureProperty): Added.
(JSC::VM::addImpureProperty): Added. HTMLDocument calls it to notify JSC of a new impure property.

* runtime/VM.h:

120512013-12-15 Andy Estes <aestes@apple.com>
12052
12053 [iOS] Upstream changes to FeatureDefines.xcconfig
12054 https://bugs.webkit.org/show_bug.cgi?id=125742
12055
12056 Reviewed by Dan Bernstein.
12057
12058 * Configurations/FeatureDefines.xcconfig:
12059
120602013-12-14 Filip Pizlo <fpizlo@apple.com>
12061
12062 FTL should *really* know when things are flushed
12063 https://bugs.webkit.org/show_bug.cgi?id=125747
12064
12065 Reviewed by Sam Weinig.
12066
12067 Fix more codegen badness. This makes V8v7's crypto am3() function run faster in the FTL
12068 than in DFG. This means that even if we just compile those functions in V8v7 that don't
12069 make calls, the FTL gives us a 2% speed-up over the DFG. That's pretty good considering
12070 that we have still more optimizations to fix and we can make calls work.
12071
12072 * dfg/DFGSSAConversionPhase.cpp:
12073 (JSC::DFG::SSAConversionPhase::run):
12074 * ftl/FTLCompile.cpp:
12075 (JSC::FTL::fixFunctionBasedOnStackMaps):
12076
120772013-12-14 Andy Estes <aestes@apple.com>
12078
12079 Unify FeatureDefines.xcconfig
12080 https://bugs.webkit.org/show_bug.cgi?id=125741
12081
12082 Rubber-stamped by Dan Bernstein.
12083
12084 * Configurations/FeatureDefines.xcconfig: Enable ENABLE_MEDIA_SOURCE.
12085
120862013-12-14 Mark Rowe <mrowe@apple.com>
12087
12088 Build fix after r160557.
12089
12090 r160557 added the first generated header to JavaScriptCore that needs to be installed in to
12091 the framework wrapper. Sadly JavaScriptCore's Derived Sources target was not set to generate
12092 headers when invoked as part of the installhdrs action. This resulted in the build failing
12093 due to Xcode being unable to find the header file to install. The fix for this is to configure
12094 the Derived Sources target to use JavaScriptCore.xcconfig, which sets INSTALLHDRS_SCRIPT_PHASE
12095 to YES and allows Xcode to generate derived sources during the installhdrs action.
12096
12097 Enabling INSTALLHDRS_SCRIPT_PHASE required tweaking the Generate Derived Sources script build
12098 phase to skip running code related to offlineasm that depends on JSCLLIntOffsetExtractor
12099 having been compiled, which isn't the case at installhdrs time.
12100
12101 * JavaScriptCore.xcodeproj/project.pbxproj:
12102
121032013-12-13 Joseph Pecoraro <pecoraro@apple.com>
12104
12105 Some Set and Map prototype functions have incorrect function lengths
12106 https://bugs.webkit.org/show_bug.cgi?id=125732
12107
12108 Reviewed by Oliver Hunt.
12109
12110 * runtime/MapPrototype.cpp:
12111 (JSC::MapPrototype::finishCreation):
12112 * runtime/SetPrototype.cpp:
12113 (JSC::SetPrototype::finishCreation):
12114
2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Move Inspector and Debugger protocol domains into JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=125707

        Reviewed by Timothy Hatcher.

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.am:
        * inspector/protocol/Debugger.json: Renamed from Source/WebCore/inspector/protocol/Debugger.json.
        * inspector/protocol/GenericTypes.json: Added.
        * inspector/protocol/InspectorDomain.json: Renamed from Source/WebCore/inspector/protocol/InspectorDomain.json.
        Add new files to inspector generation.

        * inspector/scripts/CodeGeneratorInspector.py:
        (Generator.go):
        Only build TypeBuilder output if the domain only has types. Avoid
        backend/frontend dispatchers and backend commands.

        (TypeBindings.create_type_declaration_.EnumBinding.get_setter_value_expression_pattern):
        (format_setter_value_expression):
        (Generator.process_command):
        (Generator.generate_send_method):
        * inspector/scripts/CodeGeneratorInspectorStrings.py:
        Export and name the get{JS,Web}EnumConstant function.

2013-12-11  Filip Pizlo  <fpizlo@apple.com>

        Get rid of forward exit on UInt32ToNumber by adding an op_unsigned bytecode instruction
        https://bugs.webkit.org/show_bug.cgi?id=125553

        Reviewed by Oliver Hunt.

        UInt32ToNumber was a super complicated node because it had to do a speculation, but it
        would do it after we already had computed the urshift. It couldn't just jump back to the
        beginning of the urshift because the inputs to the urshift weren't necessarily live
        anymore. We couldn't jump forward to the beginning of the next instruction because the
        result of the urshift was not yet unsigned-converted.

        For a while we solved this by forward-exiting in UInt32ToNumber. But that's really
        gross and I want to get rid of all forward exits. They cause a lot of bugs.

        We could also have turned UInt32ToNumber to a backwards exit by forcing the inputs to
        the urshift to be live. I figure that this might be a bit too extreme.

        So, I just created a new place that we can exit to: I split op_urshift into op_urshift
        followed by op_unsigned. op_unsigned is an "unsigned cast" along the lines of what
        UInt32ToNumber does. This allows me to get rid of all of the nastiness in the DFG for
        forward exiting in UInt32ToNumber.

        This patch enables massive code carnage in the DFG and FTL, and brings us closer to
        eliminating one of the DFG's most confusing concepts. On the flipside, it does make the
        bytecode slightly more complex (one new instruction). This is a profitable trade. We
        want the DFG and FTL to trend towards simplicity, since they are both currently too
        complicated.

        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/ValueRecovery.cpp:
        (JSC::ValueRecovery::dumpInContext):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::gpr):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitBytecode):
        (JSC::emitReadModifyAssignment):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
        (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild1):
        (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild2):
        * ftl/FTLFormattedValue.h:
        (JSC::FTL::int32Value):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
        * ftl/FTLValueFormat.cpp:
        (JSC::FTL::reboxAccordingToFormat):
        (WTF::printInternal):
        * ftl/FTLValueFormat.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_urshift):
        (JSC::JIT::emitSlow_op_urshift):
        (JSC::JIT::emit_op_unsigned):
        (JSC::JIT::emitSlow_op_unsigned):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitRightShift):
        (JSC::JIT::emitRightShiftSlowCase):
        (JSC::JIT::emit_op_unsigned):
        (JSC::JIT::emitSlow_op_unsigned):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:

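The op_urshift / op_unsigned split described in the entry above, modelled as an added example (this is not JavaScriptCore's code): a toy `opURShift` that yields the raw uint32 the entry talks about, which is not yet a valid int32 value because its top bit may be set, and a toy `opUnsigned` that performs the "unsigned cast", taking the int32 fast path when the value fits and producing a double otherwise. The `ToyValue` struct and all function names are assumptions for illustration.

```cpp
#include <climits>
#include <cstdint>

// Minimal stand-in for a boxed JS number: either an int32 or a double.
// (Assumed for illustration; not JSC's JSValue.)
struct ToyValue {
    bool isInt32;
    int32_t int32Value;
    double doubleValue;
};

// op_urshift: both operands have already been ToInt32'd. The result is the
// raw uint32 of `lhs >>> rhs`; its top bit may be set, so it is not yet a
// valid int32 value. This is the intermediate state the old UInt32ToNumber
// node had to speculate on after the shift had already been computed.
uint32_t opURShift(int32_t lhs, int32_t rhs) {
    // ECMAScript masks the shift count to its low 5 bits.
    return static_cast<uint32_t>(lhs) >> (static_cast<uint32_t>(rhs) & 31u);
}

// op_unsigned: the "unsigned cast". Fast path: the raw value fits in an
// int32, so it is boxed as one. Slow path: the top bit is set, so the only
// correct representation is a double. In a speculating compiler the slow
// path is where an int32 speculation fails; with the split, the exit can
// resume at op_unsigned with the raw uint32 as its input, so neither the
// urshift inputs nor a forward exit are needed.
ToyValue opUnsigned(uint32_t raw, bool* tookSlowPath) {
    if (raw <= static_cast<uint32_t>(INT32_MAX)) {
        *tookSlowPath = false;
        return ToyValue{true, static_cast<int32_t>(raw), 0.0};
    }
    *tookSlowPath = true;
    return ToyValue{false, 0, static_cast<double>(raw)};
}

// `lhs >>> rhs` evaluated as the two-instruction sequence.
ToyValue evalURShift(int32_t lhs, int32_t rhs, bool* tookSlowPath) {
    return opUnsigned(opURShift(lhs, rhs), tookSlowPath);
}

// Numeric result regardless of representation (for checking the semantics).
double urshiftAsNumber(int32_t lhs, int32_t rhs) {
    bool slow = false;
    ToyValue v = evalURShift(lhs, rhs, &slow);
    return v.isInt32 ? static_cast<double>(v.int32Value) : v.doubleValue;
}

// Whether the unsigned cast had to leave the int32 fast path.
bool urshiftTookSlowPath(int32_t lhs, int32_t rhs) {
    bool slow = false;
    evalURShift(lhs, rhs, &slow);
    return slow;
}
```

`-1 >>> 0` is the case that motivates the cast: the raw result is 0xFFFFFFFF, which no int32 can hold, while `-1 >>> 1` yields 0x7FFFFFFF and stays on the int32 path.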
2013-12-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        LLInt should not conditionally branch to labels outside of its function
        https://bugs.webkit.org/show_bug.cgi?id=125713

        Reviewed by Geoffrey Garen.

        Conditional branches are insufficient for jumping to out-of-function labels.
        The fix is to use an unconditional jmp to the label combined with a conditional branch around the jmp.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>

        [GTK] Remove Warnings in building about duplicate INSPECTOR variables
        https://bugs.webkit.org/show_bug.cgi?id=125710

        Reviewed by Tim Horton.

        * GNUmakefile.am:

2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>

        Cleanup CodeGeneratorInspectorStrings a bit
        https://bugs.webkit.org/show_bug.cgi?id=125705

        Reviewed by Timothy Hatcher.

        * inspector/scripts/CodeGeneratorInspectorStrings.py:
        Use ${foo} variable syntax and add an ASCIILiteral.

2013-12-13  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix after r160563

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Missed the Debug
        target in my last patch.

2013-12-13  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix after r160548

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Specify
        that we are using the vs12_xp target for Makefile-based projects.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: Ditto.
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Ditto.

2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>

        Make inspector folder groups smarter in JavaScriptCore.xcodeproj
        https://bugs.webkit.org/show_bug.cgi?id=125663

        Reviewed by Darin Adler.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Add Inspector Code Generation to JavaScriptCore for Runtime Domain
        https://bugs.webkit.org/show_bug.cgi?id=125595

        Reviewed by Timothy Hatcher.

        - Move CodeGeneration scripts from WebCore into JavaScriptCore/inspector/scripts
        - For ports that build WebKit frameworks separately, export the scripts as PrivateHeaders
        - Update CodeGeneratorInspector.py in a few ways:
          - output dynamic filenames, so JavaScriptCore generates InspectorJSFoo.* and WebCore generates InspectorWebFoo.*
          - take in more than one protocol JSON file. The first contains domains to generate, the others are dependencies
            that are generated elsewhere that we can depend on for Types.
        - Add DerivedSources build step to generate the Inspector Interfaces

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add scripts and code generation.

        * inspector/protocol/Runtime.json: Renamed from Source/WebCore/inspector/protocol/Runtime.json.
        Move protocol file into JavaScriptCore so its types will be generated in JavaScriptCore.

        * inspector/scripts/CodeGeneratorInspector.py: Renamed from Source/WebCore/inspector/CodeGeneratorInspector.py.
        Updates to the script as listed above.

        * inspector/scripts/CodeGeneratorInspectorStrings.py: Renamed from Source/WebCore/inspector/CodeGeneratorInspectorStrings.py.
        * inspector/scripts/generate-combined-inspector-json.py: Renamed from Source/WebCore/inspector/Scripts/generate-combined-inspector-json.py.
        Moved from WebCore into JavaScriptCore for code generation.

2013-12-13  Peter Szanka  <h868064@stud.u-szeged.hu>

        Delete INTEL C compiler related code parts.
        https://bugs.webkit.org/show_bug.cgi?id=125625

        Reviewed by Darin Adler.

        * jsc.cpp:
        * testRegExp.cpp:

2013-12-13  Brent Fulgham  <bfulgham@apple.com>

        [Win] Switch WebKit solution to Visual Studio 2013
        https://bugs.webkit.org/show_bug.cgi?id=125192

        Reviewed by Anders Carlsson.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Update for VS2013
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
        Ditto
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Ditto
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Ditto
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Ditto

2013-12-12  Joseph Pecoraro  <pecoraro@apple.com>

        Add a few more ASCIILiterals
        https://bugs.webkit.org/show_bug.cgi?id=125662

        Reviewed by Darin Adler.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::InspectorBackendDispatcher::dispatch):

2013-12-12  Joseph Pecoraro  <pecoraro@apple.com>

        Test new JSContext name APIs
        https://bugs.webkit.org/show_bug.cgi?id=125607

        Reviewed by Darin Adler.

        * API/JSContext.h:
        * API/JSContextRef.h:
        Fix whitespace issues.

        * API/tests/testapi.c:
        (globalContextNameTest):
        (main):
        * API/tests/testapi.mm:
        Add tests for JSContext set/get name APIs.

2013-12-11  Filip Pizlo  <fpizlo@apple.com>

        ARM64: Hang running pdfjs test, suspect DFG generated code for "in"
        https://bugs.webkit.org/show_bug.cgi?id=124727
        <rdar://problem/15566923>

        Reviewed by Michael Saboff.

        Get rid of In's hackish use of StructureStubInfo. Previously it was using hotPathBegin,
        and it was the only IC that used that field, which was wasteful. Moreover, it used it
        to store two separate locations: the label for patching the jump and the label right
        after the jump. The code was relying on those two being the same label, which is true
        on X86 and some other platforms, but it isn't true on ARM64.

        This gets rid of hotPathBegin and makes In express those two locations as offsets from
        the callReturnLocation, which is analogous to what the other ICs do.

        This fixes a bug where any successful In patching would result in a trivially infinite
        loop - and hence a hang - on ARM64.

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::InRecord::InRecord):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::finalize):
        * jit/Repatch.cpp:
        (JSC::replaceWithJump):
        (JSC::patchJumpToGetByIdStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        (JSC::resetIn):

2013-12-11  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Push More Inspector Required Classes Down into JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=125324

        Reviewed by Timothy Hatcher.

        * CMakeLists.txt:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bindings/ScriptFunctionCall.cpp: Renamed from Source/WebCore/bindings/js/ScriptFunctionCall.cpp.
        * bindings/ScriptFunctionCall.h: Renamed from Source/WebCore/bindings/js/ScriptFunctionCall.h.
        * bindings/ScriptObject.cpp: Copied from Source/WebCore/inspector/WorkerConsoleAgent.cpp.
        * bindings/ScriptObject.h: Renamed from Source/WebCore/inspector/InspectorBaseAgent.h.
        * bindings/ScriptValue.cpp: Renamed from Source/WebCore/bindings/js/ScriptValue.cpp.
        * bindings/ScriptValue.h: Renamed from Source/WebCore/bindings/js/ScriptValue.h.
        * inspector/InspectorAgentBase.h: Copied from Source/WebCore/inspector/InspectorAgentRegistry.h.
        * inspector/InspectorAgentRegistry.cpp: Renamed from Source/WebCore/inspector/InspectorAgentRegistry.cpp.
        * inspector/InspectorBackendDispatcher.h: Renamed from Source/WebCore/inspector/InspectorBackendDispatcher.h.
        (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher):
        (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher):
        * inspector/InspectorValues.cpp: Renamed from Source/WebCore/inspector/InspectorValues.cpp.
        * inspector/InspectorValues.h: Renamed from Source/WebCore/inspector/InspectorValues.h.

2013-12-11  Laszlo Vidacs  <lac@inf.u-szeged.hu>

        Store SHA1 hash in std::array
        https://bugs.webkit.org/show_bug.cgi?id=125446

        Reviewed by Darin Adler.

        Change Vector to std::array and use typedef.

        * bytecode/CodeBlockHash.cpp:
        (JSC::CodeBlockHash::CodeBlockHash):

2013-12-11  Mark Rowe  <mrowe@apple.com>

        <https://webkit.org/b/125141> Modernize the JavaScriptCore API headers
        <rdar://problem/15540121>

        This consists of three main changes:
        1) Converting the return type of initializer methods to instancetype.
        2) Declaring properties rather than getters and setters.
        3) Tagging C API methods with information about their memory management semantics.

        Changing the declarations from getters and setters to properties also required
        updating the headerdoc in a number of places.

        Reviewed by Anders Carlsson.

        * API/JSContext.h:
        * API/JSContext.mm:
        * API/JSManagedValue.h:
        * API/JSManagedValue.mm:
        * API/JSStringRefCF.h:
        * API/JSValue.h:
        * API/JSVirtualMachine.h:
        * API/JSVirtualMachine.mm:

2013-12-11  Mark Rowe  <mrowe@apple.com>

        <https://webkit.org/b/125559> Move JavaScriptCore off the legacy WebKit availability macros

        The legacy WebKit availability macros are verbose, confusing, and provide no benefit over
        using the system availability macros directly. The original vision was that they'd serve
        a cross-platform purpose but that never came to be.

        Map from WebKit version to OS X version based on the mapping in WebKitAvailability.h.
        All iOS versions are specified as 7.0 as that is when the JavaScriptCore C API was made
        public.

        Part of <rdar://problem/15512304>.

        Reviewed by Anders Carlsson.

        * API/JSBasePrivate.h:
        * API/JSContextRef.h:
        * API/JSContextRefPrivate.h:
        * API/JSObjectRef.h:
        * API/JSValueRef.h:

2013-12-10  Filip Pizlo  <fpizlo@apple.com>

        Get rid of forward exit on DoubleAsInt32
        https://bugs.webkit.org/show_bug.cgi?id=125552

        Reviewed by Oliver Hunt.

        The forward exit was just there so that we wouldn't have to keep the inputs alive up to
        the DoubleAsInt32. That's dumb. Forward exits are a complicated piece of machinery and
        we shouldn't have it just for a bit of liveness micro-optimization.

        Also add a bunch of machinery to test this case on X86.

        * assembler/AbstractMacroAssembler.h:
        (JSC::optimizeForARMv7s):
        (JSC::optimizeForARM64):
        (JSC::optimizeForX86):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
        * runtime/Options.h:
        * tests/stress/double-as-int32.js: Added.
        (foo):
        (test):

2013-12-10  Filip Pizlo  <fpizlo@apple.com>

        Simplify CSE's treatment of NodeRelevantToOSR
        https://bugs.webkit.org/show_bug.cgi?id=125538

        Reviewed by Oliver Hunt.

        Make the NodeRelevantToOSR thing obvious: if there is any MovHint on a node then the
        node is relevant to OSR.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::run):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):

2013-12-10  Filip Pizlo  <fpizlo@apple.com>

        Get rid of forward exit in GetByVal on Uint32Array
        https://bugs.webkit.org/show_bug.cgi?id=125543

        Reviewed by Oliver Hunt.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):

2013-12-10  Balazs Kilvady  <kilvadyb@homejinni.com>

        [MIPS] Redundant instructions in code generated from offlineasm.
        https://bugs.webkit.org/show_bug.cgi?id=125528

        Reviewed by Michael Saboff.

        Optimize lowering of offlineasm BaseIndex Addresses.

        * offlineasm/mips.rb:

2013-12-10  Oliver Hunt  <oliver@apple.com>

        Reduce the mass templatizing of the JS parser
        https://bugs.webkit.org/show_bug.cgi?id=125535

        Reviewed by Michael Saboff.

        The various caches we have now have removed the need for many of
        the template vs. regular parameters. This patch converts those
        template parameters to regular parameters and updates the call
        sites. This reduces the code size of the parser by around 15%.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createProperty):
        * parser/Parser.cpp:
        (JSC::::parseInner):
        (JSC::::parseSourceElements):
        (JSC::::parseVarDeclarationList):
        (JSC::::createBindingPattern):
        (JSC::::tryParseDeconstructionPatternExpression):
        (JSC::::parseDeconstructionPattern):
        (JSC::::parseSwitchClauses):
        (JSC::::parseSwitchDefaultClause):
        (JSC::::parseBlockStatement):
        (JSC::::parseFormalParameters):
        (JSC::::parseFunctionInfo):
        (JSC::::parseFunctionDeclaration):
        (JSC::::parseProperty):
        (JSC::::parseObjectLiteral):
        (JSC::::parseStrictObjectLiteral):
        (JSC::::parseMemberExpression):
        * parser/Parser.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createProperty):
        (JSC::SyntaxChecker::createGetterOrSetterProperty):

2013-12-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        ASSERT !heap.vm()->isInitializingObject() when finishing DFG compilation at beginning of GC
        https://bugs.webkit.org/show_bug.cgi?id=125472

        Reviewed by Geoff Garen.

        This patch makes it look like it's okay to allocate so that the DFG plan finalization stuff
        can do what it needs to do. We already expected that we might do allocation during plan
        finalization and we increased the deferral depth to handle this, but we need to fix this other
        ASSERT stuff too.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * heap/Heap.h:
        * heap/RecursiveAllocationScope.h: Added.
        (JSC::RecursiveAllocationScope::RecursiveAllocationScope):
        (JSC::RecursiveAllocationScope::~RecursiveAllocationScope):
        * runtime/VM.h:

2013-12-09  Filip Pizlo  <fpizlo@apple.com>

        Impose and enforce some basic rules of sanity for where Phi functions are allowed to occur and where their (optional) corresponding MovHints can be
        https://bugs.webkit.org/show_bug.cgi?id=125480

        Reviewed by Geoffrey Garen.

        Previously, if you wanted to insert some speculation right after where a value was
        produced, you'd get super confused if that value was produced by a Phi node. You can't
        necessarily insert speculations after a Phi node because Phi nodes appear in this
        special sequence of Phis and MovHints that establish the OSR exit state for a block.
        So, you'd probably want to search for the next place where it's safe to insert things.
        We already do this "search for beginning of next bytecode instruction" search by
        looking at the next node that has a different CodeOrigin. But this would be hard for a
        Phi because those Phis and MovHints have basically random CodeOrigins and they can all
        have different CodeOrigins.

        This change imposes some sanity for this situation:

        - Phis must have unset CodeOrigins.

        - In each basic block, all nodes that have unset CodeOrigins must come before all nodes
          that have set CodeOrigins.

        This all ends up working out just great because prior to this change we didn't have a
        use for unset CodeOrigins. I think it's appropriate to make "unset CodeOrigin" mean
        that we're in the prologue of a basic block.

        It's interesting what this means for block merging, which we don't yet do in SSA.
        Consider merging the edge A->B. One possibility is that the block merger is now
        required to clean up Phi/Upsilons, and reascribe the MovHints to have the CodeOrigin of
        A's block terminal. But an answer that might be better is that the originless
        nodes at the top of B are just given the origin of the terminal and we keep the
        Phis. That would require changing the above rules. We'll see how it goes, and what we
        end up picking...

        Overall, this special-things-at-the-top rule is analogous to what other SSA-based
        compilers do. For example, LLVM has rules mandating that Phis appear at the top of a
        block.

        * bytecode/CodeOrigin.cpp:
        (JSC::CodeOrigin::dump):
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::OSRExitBase):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        (JSC::DFG::Validate::validateSSA):

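The two block-prologue rules from the entry above, as an added example (this is not the project's DFGValidate code): a toy node list with an "unset CodeOrigin" flag, a checker for both rules, and the insertion-point search the rules make simple. For a prologue node the safe place to insert is the end of the prologue; for any other node it is the first later node whose CodeOrigin differs, which is the existing "beginning of next bytecode instruction" search the entry mentions. `ToyNode`, `NodeKind` and all function names are assumptions for illustration, and the sample blocks are constructed.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Toy DFG node carrying only what the two rules need. (Assumed names; this
// is not the project's Node or CodeOrigin type.)
enum class NodeKind { Phi, MovHint, Other };

struct ToyNode {
    NodeKind kind;
    bool hasCodeOrigin;     // false == "unset CodeOrigin"
    unsigned bytecodeIndex; // meaningful only when hasCodeOrigin is true
};

// Checks both rules over one basic block:
//   1. Phis must have unset CodeOrigins.
//   2. All originless nodes come before all nodes with a CodeOrigin.
// Returns an empty string on success, else a description of the first violation.
std::string validatePrologueRules(const std::vector<ToyNode>& block) {
    bool seenSetOrigin = false;
    for (std::size_t i = 0; i < block.size(); ++i) {
        const ToyNode& node = block[i];
        if (node.kind == NodeKind::Phi && node.hasCodeOrigin)
            return "node " + std::to_string(i) + ": Phi with a set CodeOrigin";
        if (node.hasCodeOrigin)
            seenSetOrigin = true;
        else if (seenSetOrigin)
            return "node " + std::to_string(i) + ": originless node after the prologue";
    }
    return "";
}

// Index of the first node with a set CodeOrigin, i.e. where the prologue ends
// (block.size() if the whole block is prologue).
std::size_t prologueEnd(const std::vector<ToyNode>& block) {
    std::size_t i = 0;
    while (i < block.size() && !block[i].hasCodeOrigin)
        ++i;
    return i;
}

// First index at which something may be inserted "after" the value produced
// at `producer`: the end of the prologue for an originless (Phi/MovHint)
// node, otherwise the start of the next bytecode instruction, found by
// scanning for the next node with a different CodeOrigin.
// Assumes the block already passes validatePrologueRules.
std::size_t insertionPointAfter(const std::vector<ToyNode>& block, std::size_t producer) {
    if (!block[producer].hasCodeOrigin)
        return prologueEnd(block);
    unsigned origin = block[producer].bytecodeIndex;
    std::size_t i = producer + 1;
    while (i < block.size() && block[i].hasCodeOrigin && block[i].bytecodeIndex == origin)
        ++i;
    return i;
}

// Constructed sample: a valid block with a two-node prologue, then nodes
// from bytecode 3 and bytecode 5.
std::vector<ToyNode> sampleBlock() {
    return {
        {NodeKind::Phi,     false, 0},
        {NodeKind::MovHint, false, 0},
        {NodeKind::Other,   true,  3},
        {NodeKind::Other,   true,  3},
        {NodeKind::Other,   true,  5},
    };
}

// Constructed violations: a Phi carrying a CodeOrigin (rule 1), and an
// originless MovHint after a node with a CodeOrigin (rule 2).
std::vector<ToyNode> phiWithOriginBlock() {
    return {{NodeKind::Phi, true, 7}};
}

std::vector<ToyNode> lateMovHintBlock() {
    return {{NodeKind::Other, true, 3}, {NodeKind::MovHint, false, 0}};
}
```

With the rules in force, the insertion point for anything produced in the prologue is a single index (the first node with a set CodeOrigin), which is what makes the "unset CodeOrigin means prologue" convention useful.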
2013-12-08  Filip Pizlo  <fpizlo@apple.com>

        Reveal array bounds checks in DFG IR
        https://bugs.webkit.org/show_bug.cgi?id=125253

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        In SSA mode, this reveals array bounds checks and the load of array length in DFG IR,
        making this a candidate for LICM.

        This also fixes a long-standing performance bug where the JSObject slow paths would
        always create contiguous storage, rather than type-specialized storage, when doing a
        "storage creating" storage, like:

            var o = {};
            o[0] = 42;

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        (JSC::exitKindIsCountable):
        * bytecode/ExitKind.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::permitsBoundsCheckLowering):
        (JSC::DFG::ArrayMode::permitsBoundsCheckLowering):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::lengthNeedsStorage):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSSALoweringPhase.cpp: Added.
        (JSC::DFG::SSALoweringPhase::SSALoweringPhase):
        (JSC::DFG::SSALoweringPhase::run):
        (JSC::DFG::SSALoweringPhase::handleNode):
        (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
        (JSC::DFG::performSSALowering):
        * dfg/DFGSSALoweringPhase.h: Added.
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCheckInBounds):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
        * runtime/JSObject.cpp:
        (JSC::JSObject::convertUndecidedForValue):
        (JSC::JSObject::createInitialForValueAndSet):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        * runtime/JSObject.h:
        * tests/stress/float32array-out-of-bounds.js: Added.
        (make):
        (foo):
        (test):
        * tests/stress/int32-object-out-of-bounds.js: Added.
        (make):
        (foo):
        (test):
        * tests/stress/int32-out-of-bounds.js: Added.
        (foo):
        (test):

2013-12-09  Sam Weinig  <sam@webkit.org>

        Replace use of WTF::FixedArray with std::array
        https://bugs.webkit.org/show_bug.cgi?id=125475

        Reviewed by Anders Carlsson.

        * bytecode/CodeBlockHash.cpp:
        (JSC::CodeBlockHash::dump):
        * bytecode/Opcode.cpp:
        (JSC::OpcodeStats::~OpcodeStats):
        * dfg/DFGCSEPhase.cpp:
        * ftl/FTLAbstractHeap.h:
        * heap/MarkedSpace.h:
        * parser/ParserArena.h:
        * runtime/CodeCache.h:
        * runtime/DateInstanceCache.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:
        * runtime/JSString.h:
        * runtime/LiteralParser.h:
        * runtime/NumericStrings.h:
        * runtime/RegExpCache.h:
        * runtime/SmallStrings.h:

2013-12-09  Joseph Pecoraro  <pecoraro@apple.com>

        Remove miscellaneous unnecessary build statements
        https://bugs.webkit.org/show_bug.cgi?id=125466

        Reviewed by Darin Adler.

        * DerivedSources.make:
        * JavaScriptCore.vcxproj/build-generated-files.sh:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * make-generated-sources.sh:

2013-12-08  Filip Pizlo  <fpizlo@apple.com>

        CSE should work in SSA
        https://bugs.webkit.org/show_bug.cgi?id=125430

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::run):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2013-12-09  Joseph Pecoraro  <pecoraro@apple.com>

        Remove docs/make-bytecode-docs.pl
        https://bugs.webkit.org/show_bug.cgi?id=125462

        This script is very old and no longer outputs useful data since the
        op code definitions have moved from Interpreter.cpp.

        Reviewed by Darin Adler.

        * DerivedSources.make:
        * docs/make-bytecode-docs.pl: Removed.

2013-12-09  Julien Brianceau  <jbriance@cisco.com>

        Fix sh4 LLINT build.
        https://bugs.webkit.org/show_bug.cgi?id=125454

        Reviewed by Michael Saboff.

        In LLINT, the sh4 backend implementation didn't properly handle conditional jumps using
        a LabelReference instance. This patch fixes it through the sh4LowerMisplacedLabels phase.
        Also, to avoid the need of a 4th temporary gpr, this phase is triggered later in
        getModifiedListSH4.

        * offlineasm/sh4.rb:

2013-12-08  Filip Pizlo  <fpizlo@apple.com>

        Add the notion of ConstantStoragePointer to DFG IR
        https://bugs.webkit.org/show_bug.cgi?id=125395

        Reviewed by Oliver Hunt.

        This pushes more typed array folding into StrengthReductionPhase, and enables CSE on
        storage pointers. Previously, you might have separate nodes for the same storage
        pointer and this would cause some bad register pressure in the DFG. Note that this
        was really a theoretical problem and not, to my knowledge, a practical one - so this
        patch is basically just a clean-up.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::constantStoragePointerCSE):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToConstantStoragePointer):
        (JSC::DFG::Node::hasStoragePointer):
        (JSC::DFG::Node::storagePointer):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileConstantStoragePointer):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant):
        (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileConstantStoragePointer):
        (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):

2013-12-08  Filip Pizlo  <fpizlo@apple.com>

        FTL should support UntypedUse versions of Compare nodes
        https://bugs.webkit.org/show_bug.cgi?id=125426

        Reviewed by Oliver Hunt.

        This adds UntypedUse versions of all comparisons except CompareStrictEq, which is
        sufficiently different that I thought I'd do it in another patch.

        This also extends our ability to abstract over comparison kind and removes a bunch of
        copy-paste code.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
        (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
        (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
        (JSC::FTL::LowerDFGToLLVM::compare):
        (JSC::FTL::LowerDFGToLLVM::nonSpeculativeCompare):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::icmp):
        (JSC::FTL::Output::equal):
        (JSC::FTL::Output::notEqual):
        (JSC::FTL::Output::above):
        (JSC::FTL::Output::aboveOrEqual):
        (JSC::FTL::Output::below):
        (JSC::FTL::Output::belowOrEqual):
        (JSC::FTL::Output::greaterThan):
        (JSC::FTL::Output::greaterThanOrEqual):
        (JSC::FTL::Output::lessThan):
        (JSC::FTL::Output::lessThanOrEqual):
        (JSC::FTL::Output::fcmp):
        (JSC::FTL::Output::doubleEqual):
        (JSC::FTL::Output::doubleNotEqualOrUnordered):
        (JSC::FTL::Output::doubleLessThan):
        (JSC::FTL::Output::doubleLessThanOrEqual):
        (JSC::FTL::Output::doubleGreaterThan):
        (JSC::FTL::Output::doubleGreaterThanOrEqual):
        (JSC::FTL::Output::doubleEqualOrUnordered):
        (JSC::FTL::Output::doubleNotEqual):
        (JSC::FTL::Output::doubleLessThanOrUnordered):
        (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered):
        (JSC::FTL::Output::doubleGreaterThanOrUnordered):
        (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered):
        * tests/stress/untyped-equality.js: Added.
        (foo):
        * tests/stress/untyped-less-than.js: Added.
12949 (foo):
12950
12951 2013-12-07 Filip Pizlo <fpizlo@apple.com>
12952
12953 Fold typedArray.length if typedArray is constant
12954 https://bugs.webkit.org/show_bug.cgi?id=125252
12955
12956 Reviewed by Sam Weinig.
12957
12958 This was meant to be easy. The problem is that there was no good place for putting
12959 the folding of typedArray.length to a constant. You can't quite do it in the
12960 bytecode parser because at that point you don't yet know if typedArray is really
12961 a typed array. You can't do it as part of constant folding because the folder
12962 assumes that it can opportunistically forward-flow a constant value without changing
12963 the IR; this doesn't work since we need to first change the IR to register a
12964 desired watchpoint and only after that can we introduce that constant. We could have
12965 done it in Fixup but that would have been awkward since Fixup's code for turning a
12966 GetById of "length" into GetArrayLength is already somewhat complex. We could have
12967 done it in CSE but CSE is already fairly gnarly and will probably get rewritten.
12968
12969 So I introduced a new phase, called StrengthReduction. This phase should have any
12970 transformations that don't require CFA or CSE and that it would be weird to put into
12971 those other phases.
12972
12973 I also took the opportunity to refactor some of the other folding code.
12974
12975 This also adds a test, but the test couldn't quite be a LayoutTests/js/regress so I
12976 introduced the notion of JavaScriptCore/tests/stress.
12977
12978 The goal of this patch isn't really to improve performance or anything like that.
12979 It adds an optimization for completeness, and in doing so it unlocks a bunch of new
12980 possibilities. The one that I'm most excited about is revealing array length checks
12981 in DFG IR, which will allow for array bounds check hoisting and elimination.
12982
12983 * CMakeLists.txt:
12984 * GNUmakefile.list.am:
12985 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
12986 * JavaScriptCore.xcodeproj/project.pbxproj:
12987 * dfg/DFGAbstractInterpreterInlines.h:
12988 (JSC::DFG::::executeEffects):
12989 * dfg/DFGClobberize.h:
12990 (JSC::DFG::clobberize):
12991 * dfg/DFGFixupPhase.cpp:
12992 (JSC::DFG::FixupPhase::fixupNode):
12993 * dfg/DFGGraph.cpp:
12994 (JSC::DFG::Graph::tryGetFoldableView):
12995 (JSC::DFG::Graph::tryGetFoldableViewForChild1):
12996 * dfg/DFGGraph.h:
12997 * dfg/DFGNode.h:
12998 (JSC::DFG::Node::hasTypedArray):
12999 (JSC::DFG::Node::typedArray):
13000 * dfg/DFGNodeType.h:
13001 * dfg/DFGPlan.cpp:
13002 (JSC::DFG::Plan::compileInThreadImpl):
13003 * dfg/DFGPredictionPropagationPhase.cpp:
13004 (JSC::DFG::PredictionPropagationPhase::propagate):
13005 * dfg/DFGSafeToExecute.h:
13006 (JSC::DFG::safeToExecute):
13007 * dfg/DFGSpeculativeJIT.cpp:
13008 (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
13009 (JSC::DFG::SpeculativeJIT::compileConstantIndexedPropertyStorage):
13010 * dfg/DFGSpeculativeJIT32_64.cpp:
13011 (JSC::DFG::SpeculativeJIT::compile):
13012 * dfg/DFGSpeculativeJIT64.cpp:
13013 (JSC::DFG::SpeculativeJIT::compile):
13014 * dfg/DFGStrengthReductionPhase.cpp: Added.
13015 (JSC::DFG::StrengthReductionPhase::StrengthReductionPhase):
13016 (JSC::DFG::StrengthReductionPhase::run):
13017 (JSC::DFG::StrengthReductionPhase::handleNode):
13018 (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant):
13019 (JSC::DFG::performStrengthReduction):
13020 * dfg/DFGStrengthReductionPhase.h: Added.
13021 * dfg/DFGWatchpointCollectionPhase.cpp:
13022 (JSC::DFG::WatchpointCollectionPhase::handle):
13023 * ftl/FTLCapabilities.cpp:
13024 (JSC::FTL::canCompile):
13025 * ftl/FTLLowerDFGToLLVM.cpp:
13026 (JSC::FTL::LowerDFGToLLVM::compileNode):
13027 (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
13028 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
13029 (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
13030 * jsc.cpp:
13031 (GlobalObject::finishCreation):
13032 (functionTransferArrayBuffer):
13033 * runtime/ArrayBufferView.h:
13034 * tests/stress: Added.
13035 * tests/stress/fold-typed-array-properties.js: Added.
13036 (foo):
13037
13038 2013-12-07 peavo@outlook.com <peavo@outlook.com>
13039
13040 [Win][64-bit] Hitting breakpoint assembler instruction in callToJavaScript.
13041 https://bugs.webkit.org/show_bug.cgi?id=125382
13042
13043 Reviewed by Michael Saboff.
13044
13045 The WinCairo results from run-javascriptcore-tests are the same as the WinCairo 32-bit results, when removing these breakpoints.
13046
13047 * jit/JITStubsMSVC64.asm: Remove breakpoint instructions.
13048
13049 2013-12-06 Filip Pizlo <fpizlo@apple.com>
13050
13051 FTL should support all of Branch/LogicalNot
13052 https://bugs.webkit.org/show_bug.cgi?id=125370
13053
13054 Reviewed by Mark Hahnenberg.
13055
13056 * ftl/FTLCapabilities.cpp:
13057 (JSC::FTL::canCompile):
13058 * ftl/FTLIntrinsicRepository.h:
13059 * ftl/FTLLowerDFGToLLVM.cpp:
13060 (JSC::FTL::LowerDFGToLLVM::boolify):
13061
13062 2013-12-06 Roger Fong <roger_fong@apple.com> and Brent Fulgham <bfulgham@apple.com>
13063
13064 [Win] Support compiling with VS2013
13065 https://bugs.webkit.org/show_bug.cgi?id=125353
13066
13067 Reviewed by Anders Carlsson.
13068
13069 * API/tests/testapi.c: Use C99 defines if available.
13070 * jit/JITOperations.cpp: Don't attempt to define C linkage when
13071 returning a C++ object.
13072
13073 2013-12-06 Filip Pizlo <fpizlo@apple.com>
13074
13075 FTL should support generic ByVal accesses
13076 https://bugs.webkit.org/show_bug.cgi?id=125368
13077
13078 Reviewed by Mark Hahnenberg.
13079
13080 * dfg/DFGGraph.h:
13081 (JSC::DFG::Graph::isStrictModeFor):
13082 (JSC::DFG::Graph::ecmaModeFor):
13083 * ftl/FTLCapabilities.cpp:
13084 (JSC::FTL::canCompile):
13085 * ftl/FTLIntrinsicRepository.h:
13086 * ftl/FTLLowerDFGToLLVM.cpp:
13087 (JSC::FTL::LowerDFGToLLVM::compileNode):
13088 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
13089 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
13090
13091 2013-12-06 Filip Pizlo <fpizlo@apple.com>
13092
13093 FTL should support hole/OOB array accesses
13094 https://bugs.webkit.org/show_bug.cgi?id=118077
13095
13096 Reviewed by Oliver Hunt and Mark Hahnenberg.
13097
13098 * ftl/FTLCapabilities.cpp:
13099 (JSC::FTL::canCompile):
13100 * ftl/FTLIntrinsicRepository.h:
13101 * ftl/FTLLowerDFGToLLVM.cpp:
13102 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
13103 (JSC::FTL::LowerDFGToLLVM::baseIndex):
13104
13105 2013-12-06 Michael Saboff <msaboff@apple.com>
13106
13107 Split sizing of VarArgs frames from loading arguments for the frame
13108 https://bugs.webkit.org/show_bug.cgi?id=125331
13109
13110 Reviewed by Filip Pizlo.
13111
13112 Split loadVarargs into sizeAndAllocFrameForVarargs() and loadVarargs() in
13113 preparation for moving onto the C stack. sizeAndAllocFrameForVarargs() will
13114 compute the size of the callee frame and allocate it, while loadVarargs()
13115 actually loads the argument values.
13116
13117 As part of moving onto the C stack, sizeAndAllocFrameForVarargs() will be
13118 changed to a function that just computes the size. The caller will use that
13119 size to allocate the new frame on the stack before calling loadVarargs() and
13120 actually making the call.
13121
13122 * interpreter/Interpreter.cpp:
13123 (JSC::sizeAndAllocFrameForVarargs):
13124 (JSC::loadVarargs):
13125 * interpreter/Interpreter.h:
13126 * jit/JIT.h:
13127 * jit/JITCall.cpp:
13128 (JSC::JIT::compileLoadVarargs):
13129 * jit/JITCall32_64.cpp:
13130 (JSC::JIT::compileLoadVarargs):
13131 * jit/JITInlines.h:
13132 (JSC::JIT::callOperation):
13133 * jit/JITOperations.cpp:
13134 * jit/JITOperations.h:
13135 * llint/LLIntSlowPaths.cpp:
13136 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
13137 * llint/LLIntSlowPaths.h:
13138 * llint/LowLevelInterpreter.asm:
13139 * llint/LowLevelInterpreter32_64.asm:
13140 * llint/LowLevelInterpreter64.asm:
13141 * runtime/VM.h:
13142
13143 2013-12-06 Filip Pizlo <fpizlo@apple.com>
13144
13145 FTL should support all of ValueToInt32
13146 https://bugs.webkit.org/show_bug.cgi?id=125283
13147
13148 Reviewed by Mark Hahnenberg.
13149
13150 * ftl/FTLCapabilities.cpp:
13151 (JSC::FTL::canCompile):
13152 * ftl/FTLLowerDFGToLLVM.cpp:
13153 (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
13154 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
13155 (JSC::FTL::LowerDFGToLLVM::lowCell):
13156 (JSC::FTL::LowerDFGToLLVM::isCell):
13157
13158 2013-12-06 Filip Pizlo <fpizlo@apple.com>
13159
13160 FTL shouldn't have a doubleToUInt32 path
13161 https://bugs.webkit.org/show_bug.cgi?id=125360
13162
13163 Reviewed by Mark Hahnenberg.
13164
13165 This code existed because I incorrectly thought it was necessary. It's now basically
13166 dead.
13167
13168 * ftl/FTLLowerDFGToLLVM.cpp:
13169 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
13170
13171 2013-12-06 Laszlo Vidacs <lac@inf.u-szeged.hu>
13172
13173 Define SHA1 hash size in SHA1.h and use it at various places.
13174 https://bugs.webkit.org/show_bug.cgi?id=125345
13175
13176 Reviewed by Darin Adler.
13177
13178 Use SHA1::hashSize instead of local variables.
13179
13180 * bytecode/CodeBlockHash.cpp:
13181 (JSC::CodeBlockHash::CodeBlockHash): use SHA1::hashSize
13182
13183 2013-12-05 Michael Saboff <msaboff@apple.com>
13184
13185 REGRESSION(r160213): Crash in js/dom/JSON-parse.html
13186 https://bugs.webkit.org/show_bug.cgi?id=125335
13187
13188 Reviewed by Mark Lam.
13189
13190 Changed _llint_op_catch to materialize the VM via the scope chain instead of
13191 the CodeBlock. CallFrames always have a scope chain, but may have a null CodeBlock.
13192
13193 * llint/LowLevelInterpreter32_64.asm:
13194 (_llint_op_catch):
13195 * llint/LowLevelInterpreter64.asm:
13196 (_llint_op_catch):
13197
13198 2013-12-05 Michael Saboff <msaboff@apple.com>
13199
13200 JSC: Simplify interface between throw and catch handler
13201 https://bugs.webkit.org/show_bug.cgi?id=125328
13202
13203 Reviewed by Geoffrey Garen.
13204
13205 Simplified the throw - catch interface. The throw side is only responsible for
13206 jumping to the appropriate op_catch handler or returnFromJavaScript for uncaught
13207 exceptions. The handler uses the exception values like VM.callFrameForThrow
13208 as appropriate and no longer relies on the throw side putting anything in
13209 registers.
13210
13211 * jit/CCallHelpers.h:
13212 (JSC::CCallHelpers::jumpToExceptionHandler):
13213 * jit/JITOpcodes.cpp:
13214 (JSC::JIT::emit_op_catch):
13215 * jit/JITOpcodes32_64.cpp:
13216 (JSC::JIT::emit_op_catch):
13217 * llint/LowLevelInterpreter32_64.asm:
13218 (_llint_op_catch):
13219 (_llint_throw_from_slow_path_trampoline):
13220 * llint/LowLevelInterpreter64.asm:
13221 (_llint_op_catch):
13222 (_llint_throw_from_slow_path_trampoline):
13223
13224 2013-12-04 Oliver Hunt <oliver@apple.com>
13225
13226 Refactor static getter function prototype to include thisValue in addition to the base object
13227 https://bugs.webkit.org/show_bug.cgi?id=124461
13228
13229 Reviewed by Geoffrey Garen.
13230
13231 Add thisValue parameter to static getter prototype, and switch
13232 from JSValue to EncodedJSValue for parameters and return value.
13233
13234 Currently none of the static getters use the thisValue, but
13235 separating out the refactoring will prevent future changes
13236 from getting lost in the noise of refactoring. This means
13237 that this patch does not result in any change in behaviour.
13238
13239 * API/JSCallbackObject.h:
13240 * API/JSCallbackObjectFunctions.h:
13241 (JSC::::asCallbackObject):
13242 (JSC::::staticFunctionGetter):
13243 (JSC::::callbackGetter):
13244 * jit/JITOperations.cpp:
13245 * runtime/JSActivation.cpp:
13246 (JSC::JSActivation::argumentsGetter):
13247 * runtime/JSActivation.h:
13248 * runtime/JSFunction.cpp:
13249 (JSC::JSFunction::argumentsGetter):
13250 (JSC::JSFunction::callerGetter):
13251 (JSC::JSFunction::lengthGetter):
13252 (JSC::JSFunction::nameGetter):
13253 * runtime/JSFunction.h:
13254 * runtime/JSObject.h:
13255 (JSC::PropertySlot::getValue):
13256 * runtime/NumberConstructor.cpp:
13257 (JSC::numberConstructorNaNValue):
13258 (JSC::numberConstructorNegInfinity):
13259 (JSC::numberConstructorPosInfinity):
13260 (JSC::numberConstructorMaxValue):
13261 (JSC::numberConstructorMinValue):
13262 * runtime/PropertySlot.h:
13263 * runtime/RegExpConstructor.cpp:
13264 (JSC::asRegExpConstructor):
13265 (JSC::regExpConstructorDollar1):
13266 (JSC::regExpConstructorDollar2):
13267 (JSC::regExpConstructorDollar3):
13268 (JSC::regExpConstructorDollar4):
13269 (JSC::regExpConstructorDollar5):
13270 (JSC::regExpConstructorDollar6):
13271 (JSC::regExpConstructorDollar7):
13272 (JSC::regExpConstructorDollar8):
13273 (JSC::regExpConstructorDollar9):
13274 (JSC::regExpConstructorInput):
13275 (JSC::regExpConstructorMultiline):
13276 (JSC::regExpConstructorLastMatch):
13277 (JSC::regExpConstructorLastParen):
13278 (JSC::regExpConstructorLeftContext):
13279 (JSC::regExpConstructorRightContext):
13280 * runtime/RegExpObject.cpp:
13281 (JSC::asRegExpObject):
13282 (JSC::regExpObjectGlobal):
13283 (JSC::regExpObjectIgnoreCase):
13284 (JSC::regExpObjectMultiline):
13285 (JSC::regExpObjectSource):
13286
13287 2013-12-04 Filip Pizlo <fpizlo@apple.com>
13288
13289 FTL should use cvttsd2si directly for double-to-int32 conversions
13290 https://bugs.webkit.org/show_bug.cgi?id=125275
13291
13292 Reviewed by Michael Saboff.
13293
13294 Wow. This was an ordeal. Using cvttsd2si was actually easy, but I learned, and
13295 sometimes even fixed, some interesting things:
13296
13297 - The llvm.x86.sse2.cvttsd2si intrinsic can actually result in LLVM emitting a
13298 vcvttsd2si. I guess the intrinsic doesn't actually imply the instruction.
13299
13300 - That whole thing about branchTruncateDoubleToUint32? Yeah we don't need that. It's
13301 better to use branchTruncateDoubleToInt32 instead. It has the right semantics for
13302 all of its callers (err, its one-and-only caller), and it's more likely to take
13303 fast path. This patch kills branchTruncateDoubleToUint32.
13304
13305 - "a[i] = v; v = a[i]". Does this change v? OK, assume that 'a[i]' is a pure-ish
13306 operation - like an array access with 'i' being an integer index and we're not
13307 having a bad time. Now does this change v? CSE assumes that it doesn't. That's
13308 wrong. If 'a' is a typed array - the most sensible and pure kind of array - then
13309 this can be a truncating cast. For example 'v' could be a double and 'a' could be
13310 an integer array.
13311
13312 - "v1 = a[i]; v2 = a[i]". Is v1 === v2 assuming that 'a[i]' is pure-ish? The answer
13313 is no. You could have a different arrayMode in each access. I know this sounds
13314 weird, but with concurrent JIT that might happen.
13315
13316 This patch adds tests for all of this stuff, except for the first issue (it's weird
13317 but probably doesn't matter) and the last issue (it's too much of a freakshow).
13318
13319 * assembler/MacroAssemblerARM64.h:
13320 * assembler/MacroAssemblerARMv7.h:
13321 * assembler/MacroAssemblerX86Common.h:
13322 * dfg/DFGCSEPhase.cpp:
13323 (JSC::DFG::CSEPhase::getByValLoadElimination):
13324 (JSC::DFG::CSEPhase::performNodeCSE):
13325 * dfg/DFGSpeculativeJIT.cpp:
13326 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
13327 * ftl/FTLAbbreviations.h:
13328 (JSC::FTL::vectorType):
13329 (JSC::FTL::getUndef):
13330 (JSC::FTL::buildInsertElement):
13331 * ftl/FTLIntrinsicRepository.h:
13332 * ftl/FTLLowerDFGToLLVM.cpp:
13333 (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
13334 (JSC::FTL::LowerDFGToLLVM::doubleToUInt32):
13335 (JSC::FTL::LowerDFGToLLVM::sensibleDoubleToInt32):
13336 * ftl/FTLOutput.h:
13337 (JSC::FTL::Output::insertElement):
13338 (JSC::FTL::Output::hasSensibleDoubleToInt):
13339 (JSC::FTL::Output::sensibleDoubleToInt):
13340
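Added example (not part of this ChangeLog and not JavaScriptCore code): the entry above notes that CSE wrongly treated "a[i] = v; v = a[i]" as leaving v unchanged. At the JavaScript level the reason is that a typed-array store is a converting cast (ToInt32, ToUint8Clamp, Math.fround and so on), so the reload can legitimately differ from the stored value. The functions, the constructed inputs and their names below are mine; the behaviour they exercise is ordinary ECMAScript typed-array semantics that any engine, including the DFG and FTL, must preserve.

```javascript
// Added example: why a load-after-store on a typed array must not be
// forwarded from the stored value. Not part of the WebKit ChangeLog.

// Store v into index i of a fresh typed array of the given constructor and
// reload it. The return value is what a correct engine must produce for the
// second read of a[i]; it is NOT always equal to v.
function storeThenReload(TypedArrayCtor, v) {
  const a = new TypedArrayCtor(4);
  const i = 1;
  a[i] = v;      // converting store: ToInt32 / ToUint8Clamp / fround / ...
  return a[i];   // reload; may differ from v
}

// True when the store/reload round trip preserves v exactly. Object.is is
// used so that NaN compares equal to itself and -0 is distinguished from +0.
function isStoreReloadIdentity(TypedArrayCtor, v) {
  return Object.is(storeThenReload(TypedArrayCtor, v), v);
}

// Constructed inputs. Each entry is [array kind, stored value]; the function
// returns only the ones where forwarding v across the store would be wrong,
// together with the value actually read back.
function conversionsThatChangeValue() {
  const cases = [
    [Int32Array, 3.7],          // fractional part dropped -> 3
    [Int32Array, 2 ** 31],      // ToInt32 wraps -> -2147483648
    [Int32Array, NaN],          // ToInt32(NaN) -> 0
    [Int32Array, -0],           // integer arrays cannot hold -0 -> +0
    [Uint8Array, 256],          // modulo 2^8 -> 0
    [Uint8ClampedArray, 300],   // clamped -> 255
    [Float32Array, 0.1],        // rounded to single precision
    [Float64Array, NaN],        // preserved: a double array stores NaN as-is
    [Float64Array, 3.7],        // preserved
  ];
  return cases
    .filter(([ctor, v]) => !isStoreReloadIdentity(ctor, v))
    .map(([ctor, v]) => ({
      kind: ctor.name,
      stored: v,
      readBack: storeThenReload(ctor, v),
    }));
}
```

Only the two Float64Array cases survive the round trip; the seven others are exactly the situations in which a CSE that treated the reload as equal to the stored value would produce wrong results. The -0 case is worth noting separately: it is lost even though the value is "an integer", so a forwarding rule keyed on the stored value's type alone is still unsound.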
13341 2013-12-05 Commit Queue <commit-queue@webkit.org>
13342
13343 Unreviewed, rolling out r160133.
13344 http://trac.webkit.org/changeset/160133
13345 https://bugs.webkit.org/show_bug.cgi?id=125325
13346
13347 broke bindings tests on all the bots (Requested by thorton on
13348 #webkit).
13349
13350 * API/JSCallbackObject.h:
13351 * API/JSCallbackObjectFunctions.h:
13352 (JSC::::staticFunctionGetter):
13353 (JSC::::callbackGetter):
13354 * jit/JITOperations.cpp:
13355 * runtime/JSActivation.cpp:
13356 (JSC::JSActivation::argumentsGetter):
13357 * runtime/JSActivation.h:
13358 * runtime/JSFunction.cpp:
13359 (JSC::JSFunction::argumentsGetter):
13360 (JSC::JSFunction::callerGetter):
13361 (JSC::JSFunction::lengthGetter):
13362 (JSC::JSFunction::nameGetter):
13363 * runtime/JSFunction.h:
13364 * runtime/JSObject.h:
13365 (JSC::PropertySlot::getValue):
13366 * runtime/NumberConstructor.cpp:
13367 (JSC::numberConstructorNaNValue):
13368 (JSC::numberConstructorNegInfinity):
13369 (JSC::numberConstructorPosInfinity):
13370 (JSC::numberConstructorMaxValue):
13371 (JSC::numberConstructorMinValue):
13372 * runtime/PropertySlot.h:
13373 * runtime/RegExpConstructor.cpp:
13374 (JSC::regExpConstructorDollar1):
13375 (JSC::regExpConstructorDollar2):
13376 (JSC::regExpConstructorDollar3):
13377 (JSC::regExpConstructorDollar4):
13378 (JSC::regExpConstructorDollar5):
13379 (JSC::regExpConstructorDollar6):
13380 (JSC::regExpConstructorDollar7):
13381 (JSC::regExpConstructorDollar8):
13382 (JSC::regExpConstructorDollar9):
13383 (JSC::regExpConstructorInput):
13384 (JSC::regExpConstructorMultiline):
13385 (JSC::regExpConstructorLastMatch):
13386 (JSC::regExpConstructorLastParen):
13387 (JSC::regExpConstructorLeftContext):
13388 (JSC::regExpConstructorRightContext):
13389 * runtime/RegExpObject.cpp:
13390 (JSC::regExpObjectGlobal):
13391 (JSC::regExpObjectIgnoreCase):
13392 (JSC::regExpObjectMultiline):
13393 (JSC::regExpObjectSource):
13394
13395 2013-12-05 Mark Lam <mark.lam@apple.com>
13396
13397 Make the C Loop LLINT work with callToJavaScript.
13398 https://bugs.webkit.org/show_bug.cgi?id=125294.
13399
13400 Reviewed by Michael Saboff.
13401
13402 1. Changed the C Loop LLINT to dispatch to an Executable via its JITCode
13403 instance which is consistent with how the ASM LLINT works.
13404 2. Changed CLoop::execute() to take an Opcode instead of an OpcodeID.
13405 This makes it play nice with the use of JITCode for dispatching.
13406 3. Introduce a callToJavaScript and callToNativeFunction for the C Loop
13407 LLINT. These will call JSStack::pushFrame() and popFrame() to setup
13408 and teardown the CallFrame.
13409 4. Also introduced a C Loop returnFromJavaScript which is just a
13410 replacement for ctiOpThrowNotCaught which had the same function.
13411 5. Remove a lot of #if ENABLE(LLINT_C_LOOP) code now that the dispatch
13412 mechanism is consistent.
13413
13414 This patch has been tested with both configurations of COMPUTED_GOTOs
13415 on and off.
13416
13417 * interpreter/CachedCall.h:
13418 (JSC::CachedCall::CachedCall):
13419 (JSC::CachedCall::call):
13420 (JSC::CachedCall::setArgument):
13421 * interpreter/CallFrameClosure.h:
13422 (JSC::CallFrameClosure::setThis):
13423 (JSC::CallFrameClosure::setArgument):
13424 (JSC::CallFrameClosure::resetCallFrame):
13425 * interpreter/Interpreter.cpp:
13426 (JSC::Interpreter::execute):
13427 (JSC::Interpreter::executeCall):
13428 (JSC::Interpreter::executeConstruct):
13429 (JSC::Interpreter::prepareForRepeatCall):
13430 * interpreter/Interpreter.h:
13431 * interpreter/JSStack.h:
13432 * interpreter/JSStackInlines.h:
13433 (JSC::JSStack::pushFrame):
13434 * interpreter/ProtoCallFrame.h:
13435 (JSC::ProtoCallFrame::scope):
13436 (JSC::ProtoCallFrame::callee):
13437 (JSC::ProtoCallFrame::thisValue):
13438 (JSC::ProtoCallFrame::argument):
13439 (JSC::ProtoCallFrame::setArgument):
13440 * jit/JITCode.cpp:
13441 (JSC::JITCode::execute):
13442 * jit/JITCode.h:
13443 * jit/JITExceptions.cpp:
13444 (JSC::genericUnwind):
13445 * llint/LLIntCLoop.cpp:
13446 (JSC::LLInt::CLoop::initialize):
13447 * llint/LLIntCLoop.h:
13448 * llint/LLIntEntrypoint.cpp:
13449 (JSC::LLInt::setFunctionEntrypoint):
13450 (JSC::LLInt::setEvalEntrypoint):
13451 (JSC::LLInt::setProgramEntrypoint):
13452 - Inverted the check for vm.canUseJIT(). This allows the JIT case to be
13453 #if'd out nicely when building the C Loop LLINT.
13454 * llint/LLIntOpcode.h:
13455 * llint/LLIntThunks.cpp:
13456 (JSC::doCallToJavaScript):
13457 (JSC::executeJS):
13458 (JSC::callToJavaScript):
13459 (JSC::executeNative):
13460 (JSC::callToNativeFunction):
13461 * llint/LLIntThunks.h:
13462 * llint/LowLevelInterpreter.cpp:
13463 (JSC::CLoop::execute):
13464 * runtime/Executable.h:
13465 (JSC::ExecutableBase::offsetOfNumParametersFor):
13466 (JSC::ExecutableBase::hostCodeEntryFor):
13467 (JSC::ExecutableBase::jsCodeEntryFor):
13468 (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor):
13469 (JSC::NativeExecutable::create):
13470 (JSC::NativeExecutable::finishCreation):
13471 (JSC::ProgramExecutable::generatedJITCode):
13472 * runtime/JSArray.cpp:
13473 (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
13474 * runtime/StringPrototype.cpp:
13475 (JSC::replaceUsingRegExpSearch):
13476 * runtime/VM.cpp:
13477 (JSC::VM::getHostFunction):
13478
13479 2013-12-05 Laszlo Vidacs <lac@inf.u-szeged.hu>
13480
13481 Fix JavaScriptCore build if cloop is enabled after r160094
13482 https://bugs.webkit.org/show_bug.cgi?id=125292
13483
13484 Reviewed by Michael Saboff.
13485
13486 Move ProtoCallFrame outside the JIT guard.
13487
13488 * jit/JITCode.h:
13489
13490 2013-12-04 Filip Pizlo <fpizlo@apple.com>
13491
13492 Fold constant typed arrays
13493 https://bugs.webkit.org/show_bug.cgi?id=125205
13494
13495 Reviewed by Oliver Hunt and Mark Hahnenberg.
13496
13497 If by some other mechanism we have a typed array access on a compile-time constant
13498 typed array pointer, then fold:
13499
13500 - Array bounds checks. Specifically, fold the load of length.
13501
13502 - Loading the vector.
13503
13504 This needs to install a watchpoint on the array itself because of the possibility of
13505 neutering. Neutering is ridiculous. We do this without bloating the size of
13506 ArrayBuffer or JSArrayBufferView in the common case (i.e. the case where you
13507 allocated an array that didn't end up becoming a compile-time constant). To install
13508 the watchpoint, we slowDownAndWasteMemory and then create an incoming reference to
13509 the ArrayBuffer, where that incoming reference is from a watchpoint object. The
13510 ArrayBuffer already knows about such incoming references and can fire the
13511 watchpoints that way.
13512
13513 * CMakeLists.txt:
13514 * GNUmakefile.list.am:
13515 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
13516 * JavaScriptCore.xcodeproj/project.pbxproj:
13517 * dfg/DFGDesiredWatchpoints.cpp:
13518 (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
13519 (JSC::DFG::DesiredWatchpoints::addLazily):
13520 * dfg/DFGDesiredWatchpoints.h:
13521 (JSC::DFG::GenericSetAdaptor::add):
13522 (JSC::DFG::GenericSetAdaptor::hasBeenInvalidated):
13523 (JSC::DFG::ArrayBufferViewWatchpointAdaptor::hasBeenInvalidated):
13524 (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
13525 (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
13526 (JSC::DFG::GenericDesiredWatchpoints::isStillValid):
13527 (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState):
13528 (JSC::DFG::DesiredWatchpoints::isStillValid):
13529 (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState):
13530 (JSC::DFG::DesiredWatchpoints::isValidOrMixed):
13531 * dfg/DFGGraph.cpp:
13532 (JSC::DFG::Graph::tryGetFoldableView):
13533 * dfg/DFGGraph.h:
13534 * dfg/DFGSpeculativeJIT.cpp:
13535 (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
13536 (JSC::DFG::SpeculativeJIT::emitTypedArrayBoundsCheck):
13537 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
13538 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
13539 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
13540 (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
13541 (JSC::DFG::SpeculativeJIT::compileConstantIndexedPropertyStorage):
13542 (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
13543 * dfg/DFGSpeculativeJIT.h:
13544 * dfg/DFGWatchpointCollectionPhase.cpp:
13545 (JSC::DFG::WatchpointCollectionPhase::handle):
13546 (JSC::DFG::WatchpointCollectionPhase::addLazily):
13547 * ftl/FTLLowerDFGToLLVM.cpp:
13548 (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
13549 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
13550 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
13551 (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
13552 * runtime/ArrayBuffer.cpp:
13553 (JSC::ArrayBuffer::transfer):
13554 * runtime/ArrayBufferNeuteringWatchpoint.cpp: Added.
13555 (JSC::ArrayBufferNeuteringWatchpoint::ArrayBufferNeuteringWatchpoint):
13556 (JSC::ArrayBufferNeuteringWatchpoint::~ArrayBufferNeuteringWatchpoint):
13557 (JSC::ArrayBufferNeuteringWatchpoint::finishCreation):
13558 (JSC::ArrayBufferNeuteringWatchpoint::destroy):
13559 (JSC::ArrayBufferNeuteringWatchpoint::create):
13560 (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
13561 * runtime/ArrayBufferNeuteringWatchpoint.h: Added.
13562 (JSC::ArrayBufferNeuteringWatchpoint::set):
13563 * runtime/VM.cpp:
13564 (JSC::VM::VM):
13565 * runtime/VM.h:
13566
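Added example (not part of this ChangeLog and not JavaScriptCore code): the entry above folds a constant typed array's length and vector pointer and therefore installs a watchpoint against neutering. The script below shows, at the JavaScript level, what that watchpoint guards against: once the underlying ArrayBuffer is transferred, the view reports length 0 and its elements are gone, so a length baked in at compile time no longer bounds the real storage. The function names are mine, and the script assumes a runtime that exposes structuredClone with a transfer list (Node.js 17 or later, or a browser); the ChangeLog itself describes the engine-side watchpoint, not this script.

```javascript
// Added example: why a compile-time constant typed-array length must be
// invalidated when the buffer is neutered. Not part of the WebKit ChangeLog.

// Detach ("neuter", in the ChangeLog's vocabulary) buf by transferring it.
// The clone is discarded; only the side effect on buf matters here.
// Assumption: structuredClone with a transfer list is available.
function neuter(buf) {
  if (typeof structuredClone !== 'function') {
    throw new Error('this example assumes structuredClone with a transfer list');
  }
  structuredClone(buf, { transfer: [buf] });
  return buf;
}

// Models the JIT's situation: snapshot view.length as if it were a constant,
// neuter the buffer, and report what a bounds check built on that snapshot
// would believe versus what the view actually holds afterwards.
function foldedLengthAfterNeuter() {
  const buf = new ArrayBuffer(16);
  const view = new Int32Array(buf);
  const foldedLength = view.length;        // 4: the value a compiler would bake in
  neuter(buf);
  return {
    foldedLength,                          // still 4 in the compiled code
    actualLength: view.length,             // 0 once the buffer is detached
    bufferByteLength: buf.byteLength,      // 0 once the buffer is detached
    readInsideFoldedBounds: view[2],       // undefined: index 2 < 4 but the storage is gone
    foldedBoundsStillValid: foldedLength === view.length,
  };
}
```

A compiled access that trusted foldedLength would skip the bounds check for index 2 and read from storage the buffer no longer owns; the watchpoint the entry describes exists so that neutering (ArrayBuffer::transfer in the file list) jettisons such code before it can run again.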
13567 2013-12-04 Commit Queue <commit-queue@webkit.org>
13568
13569 Unreviewed, rolling out r160116.
13570 http://trac.webkit.org/changeset/160116
13571 https://bugs.webkit.org/show_bug.cgi?id=125264
13572
13573 Change doesn't work as intended. See bug comments for details.
13574 (Requested by bfulgham on #webkit).
13575
13576 * runtime/InitializeThreading.cpp:
13577 (JSC::initializeThreading):
13578
13579 2013-12-04 Oliver Hunt <oliver@apple.com>
13580
13581 Refactor static getter function prototype to include thisValue in addition to the base object
13582 https://bugs.webkit.org/show_bug.cgi?id=124461
13583
13584 Reviewed by Geoffrey Garen.
13585
13586 Add thisValue parameter to static getter prototype, and switch
13587 from JSValue to EncodedJSValue for parameters and return value.
13588
13589 Currently none of the static getters use the thisValue, but
13590 separating out the refactoring will prevent future changes
13591 from getting lost in the noise of refactoring. This means
13592 that this patch does not result in any change in behaviour.
13593
13594 * API/JSCallbackObject.h:
13595 * API/JSCallbackObjectFunctions.h:
13596 (JSC::::asCallbackObject):
13597 (JSC::::staticFunctionGetter):
13598 (JSC::::callbackGetter):
13599 * jit/JITOperations.cpp:
13600 * runtime/JSActivation.cpp:
13601 (JSC::JSActivation::argumentsGetter):
13602 * runtime/JSActivation.h:
13603 * runtime/JSFunction.cpp:
13604 (JSC::JSFunction::argumentsGetter):
13605 (JSC::JSFunction::callerGetter):
13606 (JSC::JSFunction::lengthGetter):
13607 (JSC::JSFunction::nameGetter):
13608 * runtime/JSFunction.h:
13609 * runtime/JSObject.h:
13610 (JSC::PropertySlot::getValue):
13611 * runtime/NumberConstructor.cpp:
13612 (JSC::numberConstructorNaNValue):
13613 (JSC::numberConstructorNegInfinity):
13614 (JSC::numberConstructorPosInfinity):
13615 (JSC::numberConstructorMaxValue):
13616 (JSC::numberConstructorMinValue):
13617 * runtime/PropertySlot.h:
13618 * runtime/RegExpConstructor.cpp:
13619 (JSC::asRegExpConstructor):
13620 (JSC::regExpConstructorDollar1):
13621 (JSC::regExpConstructorDollar2):
13622 (JSC::regExpConstructorDollar3):
13623 (JSC::regExpConstructorDollar4):
13624 (JSC::regExpConstructorDollar5):
13625 (JSC::regExpConstructorDollar6):
13626 (JSC::regExpConstructorDollar7):
13627 (JSC::regExpConstructorDollar8):
13628 (JSC::regExpConstructorDollar9):
13629 (JSC::regExpConstructorInput):
13630 (JSC::regExpConstructorMultiline):
13631 (JSC::regExpConstructorLastMatch):
13632 (JSC::regExpConstructorLastParen):
13633 (JSC::regExpConstructorLeftContext):
13634 (JSC::regExpConstructorRightContext):
13635 * runtime/RegExpObject.cpp:
13636 (JSC::asRegExpObject):
13637 (JSC::regExpObjectGlobal):
13638 (JSC::regExpObjectIgnoreCase):
13639 (JSC::regExpObjectMultiline):
13640 (JSC::regExpObjectSource):
13641
13642 2013-12-04 Daniel Bates <dabates@apple.com>
13643
13644 [iOS] Enable Objective-C ARC when building JSC tools for iOS simulator
13645 https://bugs.webkit.org/show_bug.cgi?id=125170
13646
13647 Reviewed by Geoffrey Garen.
13648
13649 * API/tests/testapi.mm:
13650 * Configurations/ToolExecutable.xcconfig:
13651
13652 2013-12-04 peavo@outlook.com <peavo@outlook.com>
13653
13654 Use ThreadingOnce class to encapsulate pthread_once functionality.
13655 https://bugs.webkit.org/show_bug.cgi?id=125228
13656
13657 Reviewed by Brent Fulgham.
13658
13659 * runtime/InitializeThreading.cpp:
13660 (JSC::initializeThreading):
13661
13662 2013-12-04 Mark Lam <mark.lam@apple.com>
13663
13664 Remove unneeded semicolons.
13665 https://bugs.webkit.org/show_bug.cgi?id=125083.
13666
13667 Rubber-stamped by Filip Pizlo.
13668
13669 * debugger/Debugger.h:
13670 (JSC::Debugger::detach):
13671 (JSC::Debugger::sourceParsed):
13672 (JSC::Debugger::exception):
13673 (JSC::Debugger::atStatement):
13674 (JSC::Debugger::callEvent):
13675 (JSC::Debugger::returnEvent):
13676 (JSC::Debugger::willExecuteProgram):
13677 (JSC::Debugger::didExecuteProgram):
13678 (JSC::Debugger::didReachBreakpoint):
13679
13680 2013-12-04 Andy Estes <aestes@apple.com>
13681
13682 [iOS] Build projects with $(ARCHS_STANDARD_32_64_BIT)
13683 https://bugs.webkit.org/show_bug.cgi?id=125236
13684
13685 Reviewed by Sam Weinig.
13686
13687 $(ARCHS_STANDARD_32_64_BIT) is what we want for both device and simulator builds.
13688
13689 * Configurations/DebugRelease.xcconfig:
13690
13691 2013-12-03 Filip Pizlo <fpizlo@apple.com>
13692
13693 Infer constant closure variables
13694 https://bugs.webkit.org/show_bug.cgi?id=124630
13695
13696 Reviewed by Geoffrey Garen.
13697
13698 Captured variables that are assigned once (not counting op_enter's Undefined
13699 initialization) and that are contained within a function that has thus far only been
13700 entered once are now constant folded. It's pretty awesome.
13701
13702 This involves a watchpoint on the assignment to variables and a watchpoint on entry
13703 into the function. The former is reused from global variable constant inference and the
13704 latter is reused from one-time closure inference.
13705
13706 * GNUmakefile.list.am:
13707 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
13708 * JavaScriptCore.xcodeproj/project.pbxproj:
13709 * bytecode/CodeBlock.cpp:
13710 (JSC::CodeBlock::dumpBytecode):
13711 (JSC::CodeBlock::CodeBlock):
13712 * bytecode/Instruction.h:
13713 (JSC::Instruction::Instruction):
13714 * bytecode/Opcode.h:
13715 (JSC::padOpcodeName):
13716 * bytecode/UnlinkedCodeBlock.h:
13717 (JSC::UnlinkedInstruction::UnlinkedInstruction):
13718 * bytecode/VariableWatchpointSet.h:
13719 (JSC::VariableWatchpointSet::invalidate):
13720 * bytecode/Watchpoint.h:
13721 (JSC::WatchpointSet::invalidate):
13722 * bytecompiler/BytecodeGenerator.cpp:
13723 (JSC::BytecodeGenerator::addVar):
13724 (JSC::BytecodeGenerator::BytecodeGenerator):
13725 (JSC::BytecodeGenerator::emitInitLazyRegister):
13726 (JSC::BytecodeGenerator::emitMove):
13727 (JSC::BytecodeGenerator::emitNewFunctionInternal):
13728 (JSC::BytecodeGenerator::createArgumentsIfNecessary):
13729 * bytecompiler/BytecodeGenerator.h:
13730 (JSC::BytecodeGenerator::addVar):
13731 (JSC::BytecodeGenerator::watchableVariable):
13732 * dfg/DFGByteCodeParser.cpp:
13733 (JSC::DFG::ByteCodeParser::getLocal):
13734 (JSC::DFG::ByteCodeParser::inferredConstant):
13735 (JSC::DFG::ByteCodeParser::parseBlock):
13736 (JSC::DFG::ByteCodeParser::parse):
13737 * dfg/DFGGraph.cpp:
13738 (JSC::DFG::Graph::tryGetActivation):
13739 (JSC::DFG::Graph::tryGetRegisters):
13740 * dfg/DFGGraph.h:
13741 * jit/JIT.cpp:
13742 (JSC::JIT::privateCompileMainPass):
13743 (JSC::JIT::privateCompileSlowCases):
13744 * jit/JIT.h:
13745 * jit/JITOpcodes.cpp:
13746 (JSC::JIT::emit_op_mov):
13747 (JSC::JIT::emit_op_captured_mov):
13748 (JSC::JIT::emit_op_new_captured_func):
13749 (JSC::JIT::emitSlow_op_captured_mov):
13750 * jit/JITOpcodes32_64.cpp:
13751 (JSC::JIT::emit_op_mov):
13752 (JSC::JIT::emit_op_captured_mov):
13753 * llint/LowLevelInterpreter32_64.asm:
13754 * llint/LowLevelInterpreter64.asm:
13755 * runtime/CommonSlowPaths.cpp:
13756 (JSC::SLOW_PATH_DECL):
13757 * runtime/CommonSlowPaths.h:
13758 * runtime/ConstantMode.h: Added.
13759 * runtime/JSGlobalObject.h:
13760 * runtime/JSScope.cpp:
13761 (JSC::abstractAccess):
13762 * runtime/SymbolTable.cpp:
13763 (JSC::SymbolTableEntry::prepareToWatch):
13764
2013-12-04  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed project file gardening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Remove deleted files from project.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Put files in proper directory
        folders to match the directory structure of the source code.

2013-12-04  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed Windows Build Fix attempt after r160099.

        * JavaScriptCore.vcxproj/copy-files.cmd:

2013-12-04  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION (r160094): Fix lots of crashes for sh4 architecture.
        https://bugs.webkit.org/show_bug.cgi?id=125227

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter32_64.asm: Do not use t4 and t5 as they match a0 and a1.
        * offlineasm/registers.rb: Add t7, t8 and t9 in register list for sh4 port.
        * offlineasm/sh4.rb: Rearrange RegisterID list and add the missing ones.

2013-12-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Push Remote Inspector debugging connection management into JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=124613

        Reviewed by Timothy Hatcher.

        Move the ENABLE(REMOTE_INSPECTOR) remote debugger connection management
        into JavaScriptCore (originally from WebKit/mac). Include enhancements:

          * allow for different types of remote debuggable targets,
            eventually at least a JSContext, WebView, WKView.
          * allow debuggables to be registered and debugged on any thread. Unlike
            WebViews, JSContexts may be run entirely off of the main thread.
          * move the remote connection (XPC connection) itself off of the main thread,
            it doesn't need to be on the main thread.

        Make JSContext @class and JavaScriptCore::JSContextRef
        "JavaScript" Remote Debuggables.

        * inspector/remote/RemoteInspectorDebuggable.h: Added.
        * inspector/remote/RemoteInspectorDebuggable.cpp: Added.
        (Inspector::RemoteInspectorDebuggable::RemoteInspectorDebuggable):
        (Inspector::RemoteInspectorDebuggable::~RemoteInspectorDebuggable):
        (Inspector::RemoteInspectorDebuggable::init):
        (Inspector::RemoteInspectorDebuggable::update):
        (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
        (Inspector::RemoteInspectorDebuggable::info):
        RemoteInspectorDebuggable defines a debuggable target. As long as
        something creates a debuggable and is set to allow remote inspection
        it will be listed in remote debuggers. For the different types of
        debuggables (JavaScript and Web) there is different basic information
        that may be listed.

        * inspector/InspectorFrontendChannel.h: Added.
        (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel):
        The only thing a debuggable needs for remote debugging is an
        InspectorFrontendChannel, a way to send messages to a remote frontend.
        This class provides that method, and is vended to the
        RemoteInspectorDebuggable when a remote connection is set up.

        * inspector/remote/RemoteInspector.h: Added.
        * inspector/remote/RemoteInspector.mm: Added.
        Singleton, created at least when the first Debuggable is created.
        This class manages the list of debuggables, any connection to a
        remote debugger proxy (XPC service "com.apple.webinspector").

        (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable):
        (Inspector::RemoteInspector::shared):
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::nextAvailableIdentifier):
        (Inspector::RemoteInspector::registerDebuggable):
        (Inspector::RemoteInspector::unregisterDebuggable):
        (Inspector::RemoteInspector::updateDebuggable):
        Debuggable management. When debuggables are added, removed, or updated
        we stash a copy of the debuggable information and push an update to
        debuggers. Stashing a copy of the information in the RemoteInspector
        is a thread safe way to avoid walking over all debuggables to gather
        the information when it is needed.

        (Inspector::RemoteInspector::start):
        (Inspector::RemoteInspector::stop):
        Runtime API to enable / disable the feature.

        (Inspector::RemoteInspector::listingForDebuggable):
        (Inspector::RemoteInspector::pushListingNow):
        (Inspector::RemoteInspector::pushListingSoon):
        Pushing a listing to remote debuggers.

        (Inspector::RemoteInspector::sendMessageToRemoteFrontend):
        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        (Inspector::RemoteInspector::xpcConnectionUnhandledMessage):
        XPC setup, send, and receive handling.

        (Inspector::RemoteInspector::updateHasActiveDebugSession):
        Applications being debugged may want to know when a debug
        session is active. This provides that notification.

        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::RemoteInspector::receivedDataMessage):
        (Inspector::RemoteInspector::receivedDidCloseMessage):
        (Inspector::RemoteInspector::receivedGetListingMessage):
        (Inspector::RemoteInspector::receivedIndicateMessage):
        (Inspector::RemoteInspector::receivedConnectionDiedMessage):
        Dispatching incoming remote debugging protocol messages.
        These are wrapping above the inspector protocol messages.

        * inspector/remote/RemoteInspectorConstants.h: Added.
        Protocol messages and dictionary keys inside the messages.

        (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
        * inspector/remote/RemoteInspectorDebuggableConnection.h: Added.
        * inspector/remote/RemoteInspectorDebuggableConnection.mm: Added.
        This is a connection between the RemoteInspector singleton and a RemoteInspectorDebuggable.

        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
        Allow for dispatching messages on JavaScript debuggables on a dispatch_queue
        instead of the main queue.

        (Inspector::RemoteInspectorDebuggableConnection::destination):
        (Inspector::RemoteInspectorDebuggableConnection::connectionIdentifier):
        Needed in the remote debugging protocol to identify the remote debugger.

        (Inspector::RemoteInspectorDebuggableConnection::dispatchSyncOnDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::close):
        (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
        (Inspector::RemoteInspectorDebuggableConnection::sendMessageToFrontend):
        The connection is a thin channel between the two sides that can be closed
        from either side, so there is some logic around multi-threaded access.

        * inspector/remote/RemoteInspectorXPCConnection.h: Added.
        (Inspector::RemoteInspectorXPCConnection::Client::~Client):
        * inspector/remote/RemoteInspectorXPCConnection.mm: Added.
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::~RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::close):
        (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
        (Inspector::RemoteInspectorXPCConnection::handleEvent):
        (Inspector::RemoteInspectorXPCConnection::sendMessage):
        This is a connection between the RemoteInspector singleton and an XPC service
        named "com.apple.webinspector". This handles serialization of the dictionary
        messages to and from the service. The receiving is done on a non-main queue.

        * API/JSContext.h:
        * API/JSContext.mm:
        (-[JSContext name]):
        (-[JSContext setName:]):
        ObjC API to enable/disable JSContext remote inspection and give a name.

        * API/JSContextRef.h:
        * API/JSContextRef.cpp:
        (JSGlobalContextGetName):
        (JSGlobalContextSetName):
        C API to give a JSContext a name.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::setName):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::name):
        Shared handling of the APIs above.

        * runtime/JSGlobalObjectDebuggable.cpp: Added.
        (JSC::JSGlobalObjectDebuggable::JSGlobalObjectDebuggable):
        (JSC::JSGlobalObjectDebuggable::name):
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::disconnect):
        (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
        * runtime/JSGlobalObjectDebuggable.h: Added.
        Stub for the actual remote debugging implementation. We will push
        down the appropriate WebCore/inspector pieces suitable for debugging
        just a JavaScript context.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        Update build files.

2013-12-04  Michael Saboff  <msaboff@apple.com>

        Move the setting up of callee's callFrame from pushFrame to callToJavaScript thunk
        https://bugs.webkit.org/show_bug.cgi?id=123999

        Reviewed by Filip Pizlo.

        Changed LLInt and/or JIT enabled ports to allocate the stack frame in the
        callToJavaScript stub. Added an additional stub, callToNativeFunction that
        allocates a stack frame in a similar way for calling native entry points
        that take a single ExecState* argument. These stubs are implemented
        using common macros in LowLevelInterpreter{32_64,64}.asm. There are also
        Windows X86 and X86-64 versions in the corresponding JitStubsXX.h.
        The stubs allocate and create a sentinel frame, then create the callee's
        frame, populating the header and arguments from the passed in ProtoCallFrame*.
        It is assumed that the caller of either stub does a check for enough stack space
        via JSStack::entryCheck().

        For ports using the C-Loop interpreter, the prior method for allocating stack
        frame and invoking functions is used, namely with JSStack::pushFrame() and
        ::popFrame().

        Made spelling changes "sentinal" -> "sentinel".

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        (JSC::CachedCall::setThis):
        (JSC::CachedCall::setArgument):
        * interpreter/CallFrameClosure.h:
        (JSC::CallFrameClosure::resetCallFrame):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * interpreter/Interpreter.h:
        * interpreter/JSStack.h:
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::entryCheck):
        (JSC::JSStack::pushFrame):
        (JSC::JSStack::popFrame):
        * interpreter/ProtoCallFrame.cpp: Added.
        (JSC::ProtoCallFrame::init):
        * interpreter/ProtoCallFrame.h: Added.
        (JSC::ProtoCallFrame::codeBlock):
        (JSC::ProtoCallFrame::setCodeBlock):
        (JSC::ProtoCallFrame::setScope):
        (JSC::ProtoCallFrame::setCallee):
        (JSC::ProtoCallFrame::argumentCountIncludingThis):
        (JSC::ProtoCallFrame::argumentCount):
        (JSC::ProtoCallFrame::setArgumentCountIncludingThis):
        (JSC::ProtoCallFrame::setPaddedArgsCount):
        (JSC::ProtoCallFrame::clearCurrentVPC):
        (JSC::ProtoCallFrame::setThisValue):
        (JSC::ProtoCallFrame::setArgument):
        * jit/JITCode.cpp:
        (JSC::JITCode::execute):
        * jit/JITCode.h:
        * jit/JITOperations.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsX86.h:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArgList.h:
        (JSC::ArgList::data):
        * runtime/JSArray.cpp:
        (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):

2013-12-04  László Langó  <lango@inf.u-szeged.hu>

        Remove stdio.h from JSC files.
        https://bugs.webkit.org/show_bug.cgi?id=125220

        Reviewed by Michael Saboff.

        * interpreter/VMInspector.cpp:
        * jit/JITArithmetic.cpp:
        * jit/JITArithmetic32_64.cpp:
        * jit/JITCall.cpp:
        * jit/JITCall32_64.cpp:
        * jit/JITPropertyAccess.cpp:
        * jit/JITPropertyAccess32_64.cpp:
        * runtime/Completion.cpp:
        * runtime/IndexingType.cpp:
        * runtime/Lookup.h:
        * runtime/Operations.cpp:
        * runtime/Options.cpp:
        * runtime/RegExp.cpp:

2013-12-04  László Langó  <lango@inf.u-szeged.hu>

        Avoid to add zero offset in BaseIndex.
        https://bugs.webkit.org/show_bug.cgi?id=125215

        Reviewed by Michael Saboff.

        When using cloop do not generate offset additions for BaseIndex if the offset is zero.

        * offlineasm/cloop.rb:

2013-12-04  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>

        Fix !ENABLE(JAVASCRIPT_DEBUGGER) build.
        https://bugs.webkit.org/show_bug.cgi?id=125083

        Reviewed by Mark Lam.

        * debugger/Debugger.cpp:
        * debugger/Debugger.h:
        (JSC::Debugger::Debugger):
        (JSC::Debugger::needsOpDebugCallbacks):
        (JSC::Debugger::needsExceptionCallbacks):
        (JSC::Debugger::detach):
        (JSC::Debugger::sourceParsed):
        (JSC::Debugger::exception):
        (JSC::Debugger::atStatement):
        (JSC::Debugger::callEvent):
        (JSC::Debugger::returnEvent):
        (JSC::Debugger::willExecuteProgram):
        (JSC::Debugger::didExecuteProgram):
        (JSC::Debugger::didReachBreakpoint):
        * debugger/DebuggerPrimitives.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_debug):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_debug):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:

2013-12-03  Mark Lam  <mark.lam@apple.com>

        testapi test crashes on Windows in WTF::Vector<wchar_t,64,WTF::UnsafeVectorOverflow>::size().
        https://bugs.webkit.org/show_bug.cgi?id=121972.

        Reviewed by Brent Fulgham.

        * interpreter/JSStack.cpp:
        (JSC::JSStack::~JSStack):
          - Reverting the change from r160004 since it's better to fix OSAllocatorWin
            to be consistent with OSAllocatorPosix.

2013-12-03  Mark Lam  <mark.lam@apple.com>

        Fix LLINT_C_LOOP build for Win64.
        https://bugs.webkit.org/show_bug.cgi?id=125186.

        Reviewed by Michael Saboff.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * jit/JITOperationsMSVC64.cpp: Added.
        (JSC::getHostCallReturnValueWithExecState):
          - Win64 will build JITStubMSVC64.asm even when !ENABLE(JIT). This results
            in a linkage error due to a missing getHostCallReturnValueWithExecState().
            So, we add a stub getHostCallReturnValueWithExecState() here to satisfy
            that linkage. This function will never be called.
            The alternative to providing such a stub is to make the MSVC project
            recognize if the JIT is enabled or not, and exclude JITStubMSVC64.asm
            if it's not enabled. We don't currently set ENABLE(JIT) via the MSVC
            project and the work to do that is too much trouble for what we're trying
            to achieve here. So, we're opting for this simpler workaround instead.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
          - Don't build callToJavaScript if we're building the C loop. Otherwise,
            the C loop won't build if !ENABLE(COMPUTE_GOTO_OPCODES).

2013-12-03  Michael Saboff  <msaboff@apple.com>

        ARM64: Crash in JIT code due to improper reuse of cached memory temp register
        https://bugs.webkit.org/show_bug.cgi?id=125181

        Reviewed by Geoffrey Garen.

        Changed load8() and load() to invalidate the memory temp CachedTempRegister when the
        destination of an absolute load is the memory temp register since the source address
        is also the memory temp register. Changed branch{8,32,64} of an AbsoluteAddress with
        a register to use the dataTempRegister as the destination of the absolute load to
        reduce the chance that we need to invalidate the memory temp register cache.
        In the process, found and fixed an outright bug in branch8() where we'd load into
        the data temp register and then compare and branch on the memory temp register.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load8):
        (JSC::MacroAssemblerARM64::branch32):
        (JSC::MacroAssemblerARM64::branch64):
        (JSC::MacroAssemblerARM64::branch8):
        (JSC::MacroAssemblerARM64::load):

2013-12-03  Michael Saboff  <msaboff@apple.com>

        jit/JITArithmetic.cpp doesn't build for non-X86 ports
        https://bugs.webkit.org/show_bug.cgi?id=125185

        Rubber stamped by Mark Hahnenberg.

        Removed unused declarations and related UNUSED_PARAM().

        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_mod):

2013-12-03  Filip Pizlo  <fpizlo@apple.com>

        ObjectAllocationProfile is racy and the DFG should be cool with that
        https://bugs.webkit.org/show_bug.cgi?id=125172
        <rdar://problem/15233487>

        Reviewed by Mark Hahnenberg.

        We would previously sometimes get a null Structure because checking if the profile is non-null and loading
        the structure from it were two separate operations.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::setFuturePossibleStructure):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * runtime/JSFunction.h:
        (JSC::JSFunction::allocationProfile):
        (JSC::JSFunction::allocationStructure):

2013-12-03  peavo@outlook.com  <peavo@outlook.com>

        testapi test crashes on Windows in WTF::Vector<wchar_t,64,WTF::UnsafeVectorOverflow>::size()
        https://bugs.webkit.org/show_bug.cgi?id=121972

        Reviewed by Michael Saboff.

        The reason for the crash is that the wrong memory block is decommitted.
        This can happen if no memory has been committed in the reserved block before the JSStack object is destroyed.
        In the JSStack destructor, the pointer to decommit then points to the end of the block (or the start of the next), and the decommit size is zero.
        If there is a block just after the block we are trying to decommit, this block will be decommitted, since Windows will decommit the whole block,
        if the decommit size is zero (see VirtualFree). When somebody tries to read/write to this block later, we crash.

        * interpreter/JSStack.cpp:
        (JSC::JSStack::~JSStack): Don't decommit memory if nothing has been committed.

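Added illustration (not JavaScriptCore code, and not part of this ChangeLog) of the lifetime bug the entry above describes: a downward-growing stack reservation whose commit boundary starts at the top of the region, so a destructor that decommits the range [commitEnd, end-of-reservation) computes a zero-length range at the very end of the block when nothing was ever committed. JSC's JSStack does this through WTF::PageReservation (VirtualAlloc/VirtualFree on Windows); this model uses POSIX mmap/mprotect instead, and the names StackReservation, reserveStack, growStack, decommitStack, releaseStack and selfCheck are this example's own. The length check in decommitStack is the shape of the fix the entry lands in JSC::JSStack::~JSStack.

```cpp
#include <cstddef>
#include <cstdint>
#include <sys/mman.h>
#include <unistd.h>

// Constructed model of a JSStack-style reservation; not JavaScriptCore code.
// JSC reserves a region and commits pages downward as the stack grows. Here
// the whole region is mapped PROT_NONE ("reserved") and pages are made
// read/write ("committed") from the top down.
struct StackReservation {
    char* base = nullptr;       // lowest address of the reservation
    size_t size = 0;            // reservation size, a page multiple
    char* commitEnd = nullptr;  // lowest committed address; base + size when nothing is committed
};

static size_t pageSize() { return static_cast<size_t>(sysconf(_SC_PAGESIZE)); }

bool reserveStack(StackReservation& s, size_t bytes)
{
    const size_t ps = pageSize();
    bytes = (bytes + ps - 1) / ps * ps;
    void* p = mmap(nullptr, bytes, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return false;
    s.base = static_cast<char*>(p);
    s.size = bytes;
    s.commitEnd = s.base + bytes;   // downward-growing stack: nothing committed yet
    return true;
}

// Commit pages so that every address in [newEnd, commitEnd) becomes usable.
bool growStack(StackReservation& s, char* newEnd)
{
    const size_t ps = pageSize();
    char* aligned = reinterpret_cast<char*>(reinterpret_cast<uintptr_t>(newEnd) & ~static_cast<uintptr_t>(ps - 1));
    if (aligned < s.base || aligned >= s.commitEnd)
        return false;   // outside the reservation, or already committed
    if (mprotect(aligned, static_cast<size_t>(s.commitEnd - aligned), PROT_READ | PROT_WRITE) != 0)
        return false;
    s.commitEnd = aligned;
    return true;
}

// Returns the number of bytes decommitted. When nothing was ever committed,
// commitEnd already sits at the end of the reservation and the length is zero;
// that address is the first byte of whatever mapping follows, and the entry
// above explains that VirtualFree treats a zero size as "the whole block".
// The guard below is the fix: never hand a zero-length range to the
// decommit primitive.
size_t decommitStack(StackReservation& s)
{
    char* high = s.base + s.size;
    const size_t len = static_cast<size_t>(high - s.commitEnd);
    if (len == 0)
        return 0;
    // POSIX stand-in for decommit: replace the range with fresh PROT_NONE pages.
    mmap(s.commitEnd, len, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    s.commitEnd = high;
    return len;
}

void releaseStack(StackReservation& s)
{
    if (!s.base)
        return;
    decommitStack(s);
    munmap(s.base, s.size);
    s = StackReservation();
}

// Walks the scenario from the entry: returns 0 on success, else the failing step.
int selfCheck()
{
    StackReservation s;
    if (!reserveStack(s, 16 * pageSize())) return 1;
    if (decommitStack(s) != 0) return 2;                  // nothing committed: must be a no-op
    if (!growStack(s, s.base + s.size - 16)) return 3;    // commit only the top page
    if (s.commitEnd != s.base + s.size - pageSize()) return 4;
    s.commitEnd[0] = 'x';                                  // the page is writable now
    if (decommitStack(s) != pageSize()) return 5;
    if (s.commitEnd != s.base + s.size) return 6;
    releaseStack(s);
    return 0;
}
```

selfCheck() shows the two cases side by side: a fresh reservation where the destructor path must do nothing, and a reservation with one committed page where exactly that page is handed back.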
2013-12-03  László Langó  <lango@inf.u-szeged.hu>

        Guard JIT include.
        https://bugs.webkit.org/show_bug.cgi?id=125063

        Reviewed by Filip Pizlo.

        * llint/LLIntThunks.cpp:

2013-12-03  Julien Brianceau  <jbriance@cisco.com>

        Merge mips and arm/sh4 paths in nativeForGenerator and privateCompileCTINativeCall functions.
        https://bugs.webkit.org/show_bug.cgi?id=125067

        Reviewed by Michael Saboff.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):

2013-12-02  Mark Lam  <mark.lam@apple.com>

        Build failure when disabling JIT, YARR_JIT, and ASSEMBLER.
        https://bugs.webkit.org/show_bug.cgi?id=123809.

        Reviewed by Geoffrey Garen.

        Also fixed build when disabling the DISASSEMBLER.
        Added some needed #if's and some comments.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDisassembler.h:
        (JSC::DFG::Disassembler::Disassembler):
        (JSC::DFG::Disassembler::setStartOfCode):
        (JSC::DFG::Disassembler::setForBlockIndex):
        (JSC::DFG::Disassembler::setForNode):
        (JSC::DFG::Disassembler::setEndOfMainPath):
        (JSC::DFG::Disassembler::setEndOfCode):
        (JSC::DFG::Disassembler::dump):
        (JSC::DFG::Disassembler::reportToProfiler):
        * disassembler/Disassembler.cpp:
        * disassembler/X86Disassembler.cpp:
        * jit/FPRInfo.h:
        * jit/GPRInfo.h:
        * jit/JITDisassembler.cpp:
        * jit/JITDisassembler.h:
        (JSC::JITDisassembler::JITDisassembler):
        (JSC::JITDisassembler::setStartOfCode):
        (JSC::JITDisassembler::setForBytecodeMainPath):
        (JSC::JITDisassembler::setForBytecodeSlowPath):
        (JSC::JITDisassembler::setEndOfSlowPath):
        (JSC::JITDisassembler::setEndOfCode):
        (JSC::JITDisassembler::dump):
        (JSC::JITDisassembler::reportToProfiler):

2013-12-02  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT calls to CommonSlowPaths shouldn't restore the last result
        https://bugs.webkit.org/show_bug.cgi?id=125107

        Reviewed by Mark Hahnenberg.

        Just killing dead code.

        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_negate):
        (JSC::JIT::emitSlow_op_lshift):
        (JSC::JIT::emitSlow_op_rshift):
        (JSC::JIT::emitSlow_op_urshift):
        (JSC::JIT::emitSlow_op_bitand):
        (JSC::JIT::emitSlow_op_inc):
        (JSC::JIT::emitSlow_op_dec):
        (JSC::JIT::emitSlow_op_mod):
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::compileBinaryArithOpSlowCase):
        (JSC::JIT::emitSlow_op_div):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSlow_op_negate):
        (JSC::JIT::emitSlow_op_lshift):
        (JSC::JIT::emitRightShiftSlowCase):
        (JSC::JIT::emitSlow_op_bitand):
        (JSC::JIT::emitSlow_op_bitor):
        (JSC::JIT::emitSlow_op_bitxor):
        (JSC::JIT::emitSlow_op_inc):
        (JSC::JIT::emitSlow_op_dec):
        (JSC::JIT::emitSlow_op_add):
        (JSC::JIT::emitSlow_op_sub):
        (JSC::JIT::emitSlow_op_mul):
        (JSC::JIT::emitSlow_op_div):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_strcat):
        (JSC::JIT::emitSlow_op_get_callee):
        (JSC::JIT::emitSlow_op_create_this):
        (JSC::JIT::emitSlow_op_to_this):
        (JSC::JIT::emitSlow_op_to_primitive):
        (JSC::JIT::emitSlow_op_not):
        (JSC::JIT::emitSlow_op_bitxor):
        (JSC::JIT::emitSlow_op_bitor):
        (JSC::JIT::emitSlow_op_stricteq):
        (JSC::JIT::emitSlow_op_nstricteq):
        (JSC::JIT::emitSlow_op_to_number):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_to_primitive):
        (JSC::JIT::emitSlow_op_not):
        (JSC::JIT::emitSlow_op_stricteq):
        (JSC::JIT::emitSlow_op_nstricteq):
        (JSC::JIT::emitSlow_op_to_number):
        (JSC::JIT::emitSlow_op_get_callee):
        (JSC::JIT::emitSlow_op_create_this):
        (JSC::JIT::emitSlow_op_to_this):

2013-12-01  Filip Pizlo  <fpizlo@apple.com>

        Stores to local captured variables should be intercepted
        https://bugs.webkit.org/show_bug.cgi?id=124883

        Reviewed by Mark Hahnenberg.

        Previously, in bytecode, you could assign to a captured variable just as you would
        assign to any other kind of variable. This complicates closure variable constant
        inference because we don't have any place where we can intercept stores to captured
        variables in the LLInt.

        This patch institutes a policy that only certain instructions can store to captured
        variables. If you interpret those instructions and you are required to notifyWrite()
        then you need to check if the relevant variable is captured. Those instructions are
        tracked in CodeBlock.cpp's VerifyCapturedDef. The main one is simply op_captured_mov.
        In the future, we'll probably modify those instructions to have a pointer directly to
        the VariableWatchpointSet; but for now we just introduce the captured instructions as
        placeholders.

        In order to validate that the placeholders are inserted correctly, this patch improves
        the CodeBlock validation to be able to inspect every def in the bytecode. To do that,
        this patch refactors the liveness analysis' use/def calculator to be reusable; it now
        takes a functor for each use or def.

        In the process of refactoring the liveness analysis, I noticed that op_enter was
        claiming to def all callee registers. That's wrong; it only defs the non-temporary
        variables. Making that change revealed preexisting bugs in the liveness analysis, since
        now the validator would pick up cases where the bytecode claimed to use a temporary and
        the def calculator never noticed the definition (or the converse - where the bytecode
        was actually not using a temporary but the liveness analysis thought that it was a
        use). This patch fixes a few of those bugs.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::stepOverInstruction):
        * bytecode/BytecodeUseDef.h: Added.
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::isCaptured):
        (JSC::CodeBlock::validate):
        * bytecode/CodeBlock.h:
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::resolveCallee):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::isCaptured):
        (JSC::BytecodeGenerator::local):
        (JSC::BytecodeGenerator::constLocal):
        (JSC::BytecodeGenerator::emitNewFunction):
        (JSC::BytecodeGenerator::emitLazyNewFunction):
        (JSC::BytecodeGenerator::emitNewFunctionInternal):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::Local::Local):
        (JSC::Local::isCaptured):
        (JSC::Local::captureMode):
        (JSC::BytecodeGenerator::captureMode):
        (JSC::BytecodeGenerator::emitNode):
        (JSC::BytecodeGenerator::pushOptimisedForIn):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::ForInNode::emitBytecode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/SymbolTable.h:
        (JSC::SymbolTable::isCaptured):

2013-12-02  Filip Pizlo  <fpizlo@apple.com>

        Instead of watchpointing activation allocation, we should watchpoint entry into functions that have captured variables
        https://bugs.webkit.org/show_bug.cgi?id=125052

        Reviewed by Mark Hahnenberg.

        This makes us watch function entry rather than activation creation. We only incur the
        costs of doing so for functions that have captured variables, and only on the first two
        entries into the function. This means that closure variable constant inference will
        naturally work even for local uses of the captured variable, like:

        (function(){
            var blah = 42;
            ... // stuff
            function () { ... blah /* we can fold this to 42 */ }
            ... blah // we can also fold this to 42.
        })();

        Previously, only the nested use would have been foldable.

        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::touch):
        (JSC::InlineWatchpointSet::touch):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasSymbolTable):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_touch_entry):
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::SymbolTable):
        * runtime/SymbolTable.h:

14478 2013-12-02 Nick Diego Yamane <nick.yamane@openbossa.org>
14479
14480 [JSC] Get rid of some unused parameters in LLIntSlowPaths.cpp macros
14481 https://bugs.webkit.org/show_bug.cgi?id=125075
14482
14483 Reviewed by Michael Saboff.
14484
14485 * llint/LLIntSlowPaths.cpp:
14486 (JSC::LLInt::handleHostCall): added UNUSED_PARAM(pc).
14487 (JSC::LLInt::setUpCall): Doesn't pass 'pc' to LLINT_CALL macros.
14488 (JSC::LLInt::LLINT_SLOW_PATH_DECL): Ditto.
14489
14490 2013-12-02 László Langó <lango@inf.u-szeged.hu>
14491
14492 Remove stdio.h from JSC files.
14493 https://bugs.webkit.org/show_bug.cgi?id=125066
14494
14495 Reviewed by Michael Saboff.
14496
14497 Remove stdio.h where it does not need to be included.
14498
14499 * bytecode/CodeBlock.cpp:
14500 * bytecode/StructureSet.h:
14501 * profiler/LegacyProfiler.cpp:
14502 * profiler/Profile.cpp:
14503 * profiler/ProfileNode.cpp:
14504 * yarr/YarrInterpreter.cpp:
14505
14506 2013-12-02 László Langó <lango@inf.u-szeged.hu>
14507
14508 Unused include files when building without JIT.
14509 https://bugs.webkit.org/show_bug.cgi?id=125062
14510
14511 Reviewed by Michael Saboff.
14512
14513 We should organize the includes, and guard JIT methods
14514 in ValueRecovery.
14515
14516 * bytecode/ValueRecovery.cpp: Guard include files.
14517 * bytecode/ValueRecovery.h: Guard JIT methods.
14518
14519 2013-12-02 Balazs Kilvady <kilvadyb@homejinni.com>
14520
14521 [MIPS] Small stack frame causes regressions.
14522 https://bugs.webkit.org/show_bug.cgi?id=124945
14523
14524 Reviewed by Michael Saboff.
14525
14526 Fix stack space for LLInt on MIPS.
14527
14528 * llint/LowLevelInterpreter32_64.asm:
14529
14530 2013-12-02 Brian J. Burg <burg@cs.washington.edu>
14531
14532 jsc: implement a native readFile function
14533 https://bugs.webkit.org/show_bug.cgi?id=125059
14534
14535 Reviewed by Filip Pizlo.
14536
14537 This adds a native readFile() function to jsc, used to slurp
14538 an entire file into a JavaScript string.
14539
14540 * jsc.cpp:
14541 (GlobalObject::finishCreation): Add readFile() to globals.
14542 (functionReadFile): Added.
14543
14544 2013-12-02 László Langó <lango@inf.u-szeged.hu>
14545
14546 JSC does not build if OPCODE_STATS is enabled.
14547 https://bugs.webkit.org/show_bug.cgi?id=125011
14548
14549 Reviewed by Filip Pizlo.
14550
14551 * bytecode/Opcode.cpp:
14552
14553 2013-11-29 Filip Pizlo <fpizlo@apple.com>
14554
14555 Finally remove those DFG_ENABLE things
14556 https://bugs.webkit.org/show_bug.cgi?id=125025
14557
14558 Rubber stamped by Sam Weinig.
14559
14560 This removes a bunch of unused and untested insanity.
14561
14562 * bytecode/CodeBlock.cpp:
14563 (JSC::CodeBlock::tallyFrequentExitSites):
14564 * dfg/DFGArgumentsSimplificationPhase.cpp:
14565 (JSC::DFG::ArgumentsSimplificationPhase::run):
14566 * dfg/DFGByteCodeParser.cpp:
14567 (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
14568 (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
14569 (JSC::DFG::ByteCodeParser::makeSafe):
14570 (JSC::DFG::ByteCodeParser::makeDivSafe):
14571 (JSC::DFG::ByteCodeParser::handleCall):
14572 (JSC::DFG::ByteCodeParser::handleInlining):
14573 (JSC::DFG::ByteCodeParser::parseBlock):
14574 (JSC::DFG::ByteCodeParser::linkBlock):
14575 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
14576 (JSC::DFG::ByteCodeParser::parseCodeBlock):
14577 (JSC::DFG::ByteCodeParser::parse):
14578 (JSC::DFG::parse):
14579 * dfg/DFGCFGSimplificationPhase.cpp:
14580 (JSC::DFG::CFGSimplificationPhase::run):
14581 (JSC::DFG::CFGSimplificationPhase::convertToJump):
14582 (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors):
14583 * dfg/DFGCSEPhase.cpp:
14584 (JSC::DFG::CSEPhase::endIndexForPureCSE):
14585 (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
14586 (JSC::DFG::CSEPhase::setReplacement):
14587 (JSC::DFG::CSEPhase::eliminate):
14588 (JSC::DFG::CSEPhase::performNodeCSE):
14589 * dfg/DFGCommon.h:
14590 (JSC::DFG::verboseCompilationEnabled):
14591 (JSC::DFG::logCompilationChanges):
14592 (JSC::DFG::shouldDumpGraphAtEachPhase):
14593 * dfg/DFGConstantFoldingPhase.cpp:
14594 (JSC::DFG::ConstantFoldingPhase::foldConstants):
14595 * dfg/DFGFixupPhase.cpp:
14596 (JSC::DFG::FixupPhase::fixupNode):
14597 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
14598 * dfg/DFGInPlaceAbstractState.cpp:
14599 (JSC::DFG::InPlaceAbstractState::initialize):
14600 (JSC::DFG::InPlaceAbstractState::endBasicBlock):
14601 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
14602 (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
14603 * dfg/DFGJITCompiler.cpp:
14604 (JSC::DFG::JITCompiler::compileBody):
14605 (JSC::DFG::JITCompiler::link):
14606 * dfg/DFGOSRExitCompiler.cpp:
14607 * dfg/DFGOSRExitCompiler32_64.cpp:
14608 (JSC::DFG::OSRExitCompiler::compileExit):
14609 * dfg/DFGOSRExitCompiler64.cpp:
14610 (JSC::DFG::OSRExitCompiler::compileExit):
14611 * dfg/DFGOSRExitCompilerCommon.cpp:
14612 (JSC::DFG::adjustAndJumpToTarget):
14613 * dfg/DFGPredictionInjectionPhase.cpp:
14614 (JSC::DFG::PredictionInjectionPhase::run):
14615 * dfg/DFGPredictionPropagationPhase.cpp:
14616 (JSC::DFG::PredictionPropagationPhase::run):
14617 (JSC::DFG::PredictionPropagationPhase::propagate):
14618 (JSC::DFG::PredictionPropagationPhase::propagateForward):
14619 (JSC::DFG::PredictionPropagationPhase::propagateBackward):
14620 (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
14621 * dfg/DFGScoreBoard.h:
14622 (JSC::DFG::ScoreBoard::use):
14623 * dfg/DFGSlowPathGenerator.h:
14624 (JSC::DFG::SlowPathGenerator::generate):
14625 * dfg/DFGSpeculativeJIT.cpp:
14626 (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
14627 (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
14628 (JSC::DFG::SpeculativeJIT::dump):
14629 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
14630 (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
14631 * dfg/DFGSpeculativeJIT.h:
14632 * dfg/DFGSpeculativeJIT32_64.cpp:
14633 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
14634 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
14635 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
14636 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
14637 (JSC::DFG::SpeculativeJIT::compile):
14638 * dfg/DFGSpeculativeJIT64.cpp:
14639 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
14640 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
14641 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
14642 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
14643 (JSC::DFG::SpeculativeJIT::compile):
14644 * dfg/DFGVariableEventStream.cpp:
14645 (JSC::DFG::VariableEventStream::reconstruct):
14646 * dfg/DFGVariableEventStream.h:
14647 (JSC::DFG::VariableEventStream::appendAndLog):
14648 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
14649 (JSC::DFG::VirtualRegisterAllocationPhase::run):
14650 * jit/JIT.cpp:
14651 (JSC::JIT::privateCompile):
14652
14653 2013-11-29 Filip Pizlo <fpizlo@apple.com>
14654
14655 FTL IC should nop-fill to make up the difference between the actual IC size and the requested patchpoint size
14656 https://bugs.webkit.org/show_bug.cgi?id=124960
14657
14658 Reviewed by Sam Weinig.
14659
14660 * assembler/LinkBuffer.h:
14661 (JSC::LinkBuffer::size):
14662 * assembler/X86Assembler.h:
14663 (JSC::X86Assembler::fillNops):
14664 * dfg/DFGDisassembler.cpp:
14665 (JSC::DFG::Disassembler::dumpHeader):
14666 * ftl/FTLCompile.cpp:
14667 (JSC::FTL::generateICFastPath):
14668 * jit/JITDisassembler.cpp:
14669 (JSC::JITDisassembler::dumpHeader):
14670
14671 2013-11-29 Julien Brianceau <jbriance@cisco.com>
14672
14673 Use moveDoubleToInts in SpecializedThunkJIT::returnDouble for non-X86 JSVALUE32_64 ports.
14674 https://bugs.webkit.org/show_bug.cgi?id=124936
14675
14676 Reviewed by Zoltan Herczeg.
14677
14678 The moveDoubleToInts implementations in ARM, MIPS and SH4 macro assemblers do not clobber
14679 src FPRegister and are likely to be more efficient than the current generic implementation
14680 using the stack.
14681
14682 * jit/SpecializedThunkJIT.h:
14683 (JSC::SpecializedThunkJIT::returnDouble):
14684
14685 2013-11-29 Julien Brianceau <jbriance@cisco.com>
14686
14687 Merge arm and sh4 paths in nativeForGenerator and privateCompileCTINativeCall functions.
14688 https://bugs.webkit.org/show_bug.cgi?id=124892
14689
14690 Reviewed by Zoltan Herczeg.
14691
14692 * assembler/MacroAssemblerSH4.h:
14693 (JSC::MacroAssemblerSH4::call): Pick a scratch register instead of getting it as a
14694 parameter. The sh4 port was the only one to have this call(Address, RegisterID) prototype.
14695 * jit/JITOpcodes32_64.cpp:
14696 (JSC::JIT::privateCompileCTINativeCall): Use argumentGPRx and merge arm and sh4 paths.
14697 * jit/ThunkGenerators.cpp:
14698 (JSC::nativeForGenerator): Use argumentGPRx and merge arm and sh4 paths.
14699
14700 2013-11-28 Nadav Rotem <nrotem@apple.com>
14701
14702 Revert the X86 assembler peephole changes
14703 https://bugs.webkit.org/show_bug.cgi?id=124988
14704
14705 Reviewed by Csaba Osztrogonác.
14706
14707 * assembler/MacroAssemblerX86.h:
14708 (JSC::MacroAssemblerX86::add32):
14709 (JSC::MacroAssemblerX86::add64):
14710 (JSC::MacroAssemblerX86::or32):
14711 * assembler/MacroAssemblerX86Common.h:
14712 (JSC::MacroAssemblerX86Common::add32):
14713 (JSC::MacroAssemblerX86Common::or32):
14714 (JSC::MacroAssemblerX86Common::branchAdd32):
14715 * assembler/MacroAssemblerX86_64.h:
14716 (JSC::MacroAssemblerX86_64::add32):
14717 (JSC::MacroAssemblerX86_64::or32):
14718 (JSC::MacroAssemblerX86_64::add64):
14719 (JSC::MacroAssemblerX86_64::or64):
14720 (JSC::MacroAssemblerX86_64::xor64):
14721
14722 2013-11-28 Antti Koivisto <antti@apple.com>
14723
14724 Remove feature: CSS variables
14725 https://bugs.webkit.org/show_bug.cgi?id=114119
14726
14727 Reviewed by Andreas Kling.
14728
14729 * Configurations/FeatureDefines.xcconfig:
14730
14731 2013-11-28 Peter Gal <galpeter@inf.u-szeged.hu>
14732
14733 Typo fix after r159834 to fix 32 bit builds.
14734
14735 Reviewed by Csaba Osztrogonác.
14736
14737 * dfg/DFGSpeculativeJIT32_64.cpp:
14738 (JSC::DFG::SpeculativeJIT::compile):
14739
14740 2013-11-27 Nadav Rotem <nrotem@apple.com>
14741
14742 Add a bunch of early exits and local optimizations to the x86 assembler.
14743 https://bugs.webkit.org/show_bug.cgi?id=124904
14744
14745 Reviewed by Filip Pizlo.
14746
14747 * assembler/MacroAssemblerX86.h:
14748 (JSC::MacroAssemblerX86::add32):
14749 (JSC::MacroAssemblerX86::add64):
14750 (JSC::MacroAssemblerX86::or32):
14751 * assembler/MacroAssemblerX86Common.h:
14752 (JSC::MacroAssemblerX86Common::add32):
14753 (JSC::MacroAssemblerX86Common::or32):
14754 * assembler/MacroAssemblerX86_64.h:
14755 (JSC::MacroAssemblerX86_64::add32):
14756 (JSC::MacroAssemblerX86_64::or32):
14757 (JSC::MacroAssemblerX86_64::add64):
14758 (JSC::MacroAssemblerX86_64::or64):
14759 (JSC::MacroAssemblerX86_64::xor64):
14760
14761 2013-11-27 Filip Pizlo <fpizlo@apple.com>
14762
14763 Infer one-time scopes
14764 https://bugs.webkit.org/show_bug.cgi?id=124812
14765
14766 Reviewed by Oliver Hunt.
14767
14768 This detects JSActivations that are created only once. The JSActivation pointer is then
14769 baked into the machine code.
14770
14771 This takes advantage of the one-time scope inference to reduce the number of
14772 indirections needed to get to a closure variable in cases where the scope is only
14773 allocated once. This isn't really a speed-up since in the common case the total number
14774 of instruction bytes needed to load the scope from the stack is about equal to the
14775 number of instruction bytes needed to materialize the absolute address of a scoped
14776 variable. But, this is a necessary prerequisite to
14777 https://bugs.webkit.org/show_bug.cgi?id=124630, so it's probably a good idea anyway.
14778
14779 * bytecode/CodeBlock.cpp:
14780 (JSC::CodeBlock::dumpBytecode):
14781 (JSC::CodeBlock::CodeBlock):
14782 (JSC::CodeBlock::finalizeUnconditionally):
14783 * bytecode/Instruction.h:
14784 * bytecode/Opcode.h:
14785 (JSC::padOpcodeName):
14786 * bytecode/Watchpoint.h:
14787 (JSC::WatchpointSet::notifyWrite):
14788 (JSC::InlineWatchpointSet::notifyWrite):
14789 * bytecompiler/BytecodeGenerator.cpp:
14790 (JSC::BytecodeGenerator::emitResolveScope):
14791 * dfg/DFGAbstractInterpreterInlines.h:
14792 (JSC::DFG::::executeEffects):
14793 * dfg/DFGByteCodeParser.cpp:
14794 (JSC::DFG::ByteCodeParser::parseBlock):
14795 * dfg/DFGCSEPhase.cpp:
14796 (JSC::DFG::CSEPhase::scopedVarLoadElimination):
14797 (JSC::DFG::CSEPhase::scopedVarStoreElimination):
14798 (JSC::DFG::CSEPhase::getLocalLoadElimination):
14799 (JSC::DFG::CSEPhase::setLocalStoreElimination):
14800 * dfg/DFGClobberize.h:
14801 (JSC::DFG::clobberize):
14802 * dfg/DFGFixupPhase.cpp:
14803 (JSC::DFG::FixupPhase::fixupNode):
14804 * dfg/DFGGraph.cpp:
14805 (JSC::DFG::Graph::tryGetRegisters):
14806 * dfg/DFGGraph.h:
14807 * dfg/DFGNode.h:
14808 (JSC::DFG::Node::varNumber):
14809 (JSC::DFG::Node::hasSymbolTable):
14810 (JSC::DFG::Node::symbolTable):
14811 * dfg/DFGNodeType.h:
14812 * dfg/DFGPredictionPropagationPhase.cpp:
14813 (JSC::DFG::PredictionPropagationPhase::propagate):
14814 * dfg/DFGSafeToExecute.h:
14815 (JSC::DFG::safeToExecute):
14816 * dfg/DFGSpeculativeJIT32_64.cpp:
14817 (JSC::DFG::SpeculativeJIT::compile):
14818 * dfg/DFGSpeculativeJIT64.cpp:
14819 (JSC::DFG::SpeculativeJIT::compile):
14820 * dfg/DFGWatchpointCollectionPhase.cpp:
14821 (JSC::DFG::WatchpointCollectionPhase::handle):
14822 * ftl/FTLCapabilities.cpp:
14823 (JSC::FTL::canCompile):
14824 * ftl/FTLLowerDFGToLLVM.cpp:
14825 (JSC::FTL::LowerDFGToLLVM::compileNode):
14826 (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
14827 * llint/LowLevelInterpreter32_64.asm:
14828 * llint/LowLevelInterpreter64.asm:
14829 * runtime/JSActivation.h:
14830 (JSC::JSActivation::create):
14831 * runtime/JSScope.cpp:
14832 (JSC::abstractAccess):
14833 (JSC::JSScope::abstractResolve):
14834 * runtime/JSScope.h:
14835 (JSC::ResolveOp::ResolveOp):
14836 * runtime/JSVariableObject.h:
14837 (JSC::JSVariableObject::registers):
14838 * runtime/SymbolTable.cpp:
14839 (JSC::SymbolTable::SymbolTable):
14840 * runtime/SymbolTable.h:
14841
14842 2013-11-27 Filip Pizlo <fpizlo@apple.com>
14843
14844 Finally fix some obvious Bartlett bugs
14845 https://bugs.webkit.org/show_bug.cgi?id=124951
14846
14847 Reviewed by Mark Hahnenberg.
14848
14849 Sanitize the stack (i.e. zero parts of it known to be dead) at three key points:
14850
14851 - GC.
14852
14853 - At beginning of OSR entry.
14854
14855 - Just as we finish preparing OSR entry. This clears those slots on the stack that
14856 could have been live in baseline but that are known to be dead in DFG.
14857
14858 This is as much as a 2x speed-up on splay if you run it in certain modes, and run it
14859 for a long enough interval. It appears to fix all instances of the dreaded exponential
14860 heap growth that splay gets into when some stale pointer stays around.
14861
14862 This doesn't have much of an effect on real-world programs. This bug has only ever
14863 manifested in splay and for that reason we thus far opted against fixing it. But splay
14864 is, for what it's worth, the premier GC stress test in JavaScript - so making sure we
14865 can run it without pathologies - even when you tweak its configuration - is probably
14866 fairly important.
14867
14868 * dfg/DFGJITCompiler.h:
14869 (JSC::DFG::JITCompiler::noticeOSREntry):
14870 * dfg/DFGOSREntry.cpp:
14871 (JSC::DFG::prepareOSREntry):
14872 * dfg/DFGOSREntry.h:
14873 * heap/Heap.cpp:
14874 (JSC::Heap::markRoots):
14875 * interpreter/JSStack.cpp:
14876 (JSC::JSStack::JSStack):
14877 (JSC::JSStack::sanitizeStack):
14878 * interpreter/JSStack.h:
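
The retention problem this entry fixes, as an added C++ model that is not JavaScriptCore code: a conservative marker cannot tell a live slot from a dead one, so a stale pointer left in a dead frame slot keeps its object (and everything reachable from it) alive until the slot happens to be overwritten. The names below (ToyHeap, Frame, sanitizeDeadSlots, staleSlotRetainsCell) are assumptions for this example, not JSC's real types; the liveness vector stands in for what the DFG knows at OSR entry.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Added example, not JavaScriptCore code. ToyHeap, Frame and sanitizeDeadSlots
// are names invented for this illustration.

struct Cell { std::uint64_t payload = 0; };  // stand-in for a heap object

// Minimal heap with one mark bit per cell. The marker is conservative in the
// Bartlett sense: any scanned word equal to a cell's address is treated as a
// pointer to it, because the scanner cannot know whether the slot is live.
class ToyHeap {
public:
    Cell* allocate() {
        m_cells.push_back(std::make_unique<Cell>());
        m_marked.push_back(false);
        return m_cells.back().get();
    }
    void conservativeMark(const std::vector<std::uintptr_t>& words) {
        std::fill(m_marked.begin(), m_marked.end(), false);
        for (std::uintptr_t w : words)
            for (std::size_t i = 0; i < m_cells.size(); ++i)
                if (w == reinterpret_cast<std::uintptr_t>(m_cells[i].get()))
                    m_marked[i] = true;
    }
    bool isMarked(const Cell* c) const {
        for (std::size_t i = 0; i < m_cells.size(); ++i)
            if (m_cells[i].get() == c)
                return m_marked[i];
        return false;
    }
private:
    std::vector<std::unique_ptr<Cell>> m_cells;
    std::vector<bool> m_marked;
};

// The register slots of one frame, as raw words the marker will scan.
using Frame = std::vector<std::uintptr_t>;

// Analogue of the OSR-entry sanitization described above: zero every slot the
// optimizing compiler knows is dead, so a stale pointer left there by baseline
// code no longer looks like a root to the conservative scan.
void sanitizeDeadSlots(Frame& frame, const std::vector<bool>& liveInOptimizedCode) {
    for (std::size_t i = 0; i < frame.size(); ++i)
        if (!liveInOptimizedCode[i])
            frame[i] = 0;
}

// Scenario: slot 0 is live, slot 1 held a cell pointer in baseline code but is
// dead in DFG. Returns whether the stale cell survives the next conservative GC.
bool staleSlotRetainsCell(bool sanitizeBeforeGC) {
    ToyHeap heap;
    Cell* live = heap.allocate();
    Cell* stale = heap.allocate();
    Frame frame = {
        reinterpret_cast<std::uintptr_t>(live),
        reinterpret_cast<std::uintptr_t>(stale),
        0,
    };
    const std::vector<bool> liveness = { true, false, false };
    if (sanitizeBeforeGC)
        sanitizeDeadSlots(frame, liveness);
    heap.conservativeMark(frame);
    return heap.isMarked(stale);
}

// Sanitization must never touch a live slot: its object stays marked.
bool liveSlotSurvivesSanitize() {
    ToyHeap heap;
    Cell* live = heap.allocate();
    Frame frame = { reinterpret_cast<std::uintptr_t>(live), 0 };
    const std::vector<bool> liveness = { true, false };
    sanitizeDeadSlots(frame, liveness);
    heap.conservativeMark(frame);
    return heap.isMarked(live);
}

int main() {
    bool retainedWithoutFix = staleSlotRetainsCell(false);  // true: the stale retention
    bool retainedWithFix = staleSlotRetainsCell(true);      // false: slot was zeroed
    return (retainedWithoutFix && !retainedWithFix && liveSlotSurvivesSanitize()) ? 0 : 1;
}
```

In the toy the retained object is a single cell; in a real heap the stale slot can anchor an arbitrarily large subgraph, which is the mechanism behind the unbounded growth the entry describes. Zeroing only slots that are provably dead is what keeps the fix safe: a sanitizer that guessed at liveness would turn a leak into a use-after-free.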
14879
14880 2013-11-26 Filip Pizlo <fpizlo@apple.com>
14881
14882 Do bytecode validation as part of testing
14883 https://bugs.webkit.org/show_bug.cgi?id=124913
14884
14885 Reviewed by Oliver Hunt.
14886
14887 Also fix some small bugs in the bytecode liveness analysis that I found by doing
14888 this validation thingy.
14889
14890 * bytecode/BytecodeLivenessAnalysis.cpp:
14891 (JSC::isValidRegisterForLiveness):
14892 (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
14893 * bytecode/CodeBlock.cpp:
14894 (JSC::CodeBlock::validate):
14895 (JSC::CodeBlock::beginValidationDidFail):
14896 (JSC::CodeBlock::endValidationDidFail):
14897 * bytecode/CodeBlock.h:
14898 * runtime/Executable.cpp:
14899 (JSC::ScriptExecutable::prepareForExecutionImpl):
14900 * runtime/Options.h:
14901
14902 2013-11-27 Andreas Kling <akling@apple.com>
14903
14904 Structure::m_staticFunctionReified should be a single bit.
14905 <https://webkit.org/b/124912>
14906
14907 Shave 8 bytes off of JSC::Structure by jamming m_staticFunctionReified
14908 into the bitfield just above.
14909
14910 Reviewed by Antti Koivisto.
14911
14912 2013-11-27 Andreas Kling <akling@apple.com>
14913
14914 JSActivation constructor should use NotNull placement new.
14915 <https://webkit.org/b/124909>
14916
14917 Knock a null check outta the storage initialization loop.
14918
14919 Reviewed by Antti Koivisto.
14920
14921 2013-11-26 Filip Pizlo <fpizlo@apple.com>
14922
14923 Restructure global variable constant inference so that it could work for any kind of symbol table variable
14924 https://bugs.webkit.org/show_bug.cgi?id=124760
14925
14926 Reviewed by Oliver Hunt.
14927
14928 This changes the way global variable constant inference works so that it can be reused
14929 for closure variable constant inference. Some of the premises that originally motivated
14930 this patch are somewhat wrong, but it led to some simplifications anyway and I suspect
14931 that we'll be able to fix those premises in the future. The main point of this patch is
14932 to make it easy to reuse global variable constant inference for closure variable
14933 constant inference, and this will be possible provided we can also either (a) infer
14934 one-shot closures (easy) or (b) infer closure variables that are always assigned prior
14935 to first use.
14936
14937 One of the things that this patch is meant to enable is constant inference for closure
14938 variables that may be part of a multi-shot closure. Closure variables may be
14939 instantiated multiple times, like:
14940
14941 function foo() {
14942     var WIDTH = 45;
14943     function bar() {
14944         ... use WIDTH ...
14945     }
14946     ...
14947 }
14948
14949 Even if foo() is called many times and WIDTH is assigned to multiple times, that
14950 doesn't change the fact that it's a constant. The goal of closure variable constant
14951 inference is to catch any case where a closure variable has been assigned at least once
14952 and its value has never changed. This patch doesn't implement that, but it does change
14953 global variable constant inference to have most of the powers needed to do that. Note
14954 that most likely we will use this functionality only to implement constant inference
14955 for one-shot closures, but the resulting machinery is still simpler than what we had
14956 before.
14957
14958 This involves three changes:
14959
14960 - The watchpoint object now contains the inferred value. This involves creating a
14961 new kind of watchpoint set, the VariableWatchpointSet. We will reuse this object
14962 for closure variables.
14963
14964 - Writing to a variable that is watchpointed still involves these three states that
14965 we proceed through monotonically (Uninitialized->Initialized->Invalidated) but
14966 now, the Initialized->Invalidated state transition only happens if we change the
14967 variable's value, rather than store to the variable. Repeatedly storing the same
14968 value won't change the variable's state.
14969
14970 - On 64-bit systems (the only systems on which we do concurrent JIT), you no longer
14971 need fancy fencing to get a consistent view of the watchpoint in the JIT. The
14972 state of the VariableWatchpointSet for the purposes of constant folding is
14973 entirely encapsulated in the VariableWatchpointSet::m_inferredValue. If that is
14974 JSValue() then you cannot fold (either because the set is uninitialized or
14975 because it's invalidated - doesn't matter which); on the other hand if the value
14976 is anything other than JSValue() then you can fold, and that's the value you fold
14977 to. Simple!
14978
14979 This also changes the way that DFG IR deals with variable watchpoints. It's now
14980 oblivious to global variables. You install a watchpoint using VariableWatchpoint and
14981 you notify write using NotifyWrite. Easy!
14982
14983 Note that this will require some more tweaks because of the fact that op_enter will
14984 store Undefined into every captured variable. Hence it won't even work for one-shot
14985 closures. One-shot closures are easily fixed by introducing another state (so we'll
14986 have Uninitialized->Undefined->Initialized->Invalidated). Multi-shot closures will
14987 require static analysis. One-shot closures are clearly a higher priority.
14988
14989 * GNUmakefile.list.am:
14990 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
14991 * JavaScriptCore.xcodeproj/project.pbxproj:
14992 * bytecode/Instruction.h:
14993 * bytecode/VariableWatchpointSet.h: Added.
14994 (JSC::VariableWatchpointSet::VariableWatchpointSet):
14995 (JSC::VariableWatchpointSet::~VariableWatchpointSet):
14996 (JSC::VariableWatchpointSet::inferredValue):
14997 (JSC::VariableWatchpointSet::notifyWrite):
14998 (JSC::VariableWatchpointSet::invalidate):
14999 (JSC::VariableWatchpointSet::finalizeUnconditionally):
15000 (JSC::VariableWatchpointSet::addressOfInferredValue):
15001 * bytecode/Watchpoint.h:
15002 * dfg/DFGAbstractInterpreterInlines.h:
15003 (JSC::DFG::::executeEffects):
15004 * dfg/DFGByteCodeParser.cpp:
15005 (JSC::DFG::ByteCodeParser::parseBlock):
15006 * dfg/DFGCSEPhase.cpp:
15007 (JSC::DFG::CSEPhase::performNodeCSE):
15008 * dfg/DFGClobberize.h:
15009 (JSC::DFG::clobberize):
15010 * dfg/DFGFixupPhase.cpp:
15011 (JSC::DFG::FixupPhase::fixupNode):
15012 * dfg/DFGNode.h:
15013 (JSC::DFG::Node::hasRegisterPointer):
15014 (JSC::DFG::Node::hasVariableWatchpointSet):
15015 (JSC::DFG::Node::variableWatchpointSet):
15016 * dfg/DFGNodeType.h:
15017 * dfg/DFGOperations.cpp:
15018 * dfg/DFGOperations.h:
15019 * dfg/DFGPredictionPropagationPhase.cpp:
15020 (JSC::DFG::PredictionPropagationPhase::propagate):
15021 * dfg/DFGSafeToExecute.h:
15022 (JSC::DFG::safeToExecute):
15023 * dfg/DFGSpeculativeJIT.cpp:
15024 (JSC::DFG::SpeculativeJIT::compileArithMod):
15025 * dfg/DFGSpeculativeJIT.h:
15026 (JSC::DFG::SpeculativeJIT::callOperation):
15027 * dfg/DFGSpeculativeJIT32_64.cpp:
15028 (JSC::DFG::SpeculativeJIT::compile):
15029 * dfg/DFGSpeculativeJIT64.cpp:
15030 (JSC::DFG::SpeculativeJIT::compile):
15031 * dfg/DFGWatchpointCollectionPhase.cpp:
15032 (JSC::DFG::WatchpointCollectionPhase::handle):
15033 * ftl/FTLCapabilities.cpp:
15034 (JSC::FTL::canCompile):
15035 * ftl/FTLLowerDFGToLLVM.cpp:
15036 (JSC::FTL::LowerDFGToLLVM::compileNode):
15037 (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
15038 * jit/JIT.h:
15039 * jit/JITOperations.h:
15040 * jit/JITPropertyAccess.cpp:
15041 (JSC::JIT::emitNotifyWrite):
15042 (JSC::JIT::emitPutGlobalVar):
15043 * jit/JITPropertyAccess32_64.cpp:
15044 (JSC::JIT::emitNotifyWrite):
15045 (JSC::JIT::emitPutGlobalVar):
15046 * llint/LowLevelInterpreter32_64.asm:
15047 * llint/LowLevelInterpreter64.asm:
15048 * runtime/JSGlobalObject.cpp:
15049 (JSC::JSGlobalObject::addGlobalVar):
15050 (JSC::JSGlobalObject::addFunction):
15051 * runtime/JSGlobalObject.h:
15052 * runtime/JSScope.h:
15053 (JSC::ResolveOp::ResolveOp):
15054 * runtime/JSSymbolTableObject.h:
15055 (JSC::symbolTablePut):
15056 (JSC::symbolTablePutWithAttributes):
15057 * runtime/SymbolTable.cpp:
15058 (JSC::SymbolTableEntry::inferredValue):
15059 (JSC::SymbolTableEntry::prepareToWatch):
15060 (JSC::SymbolTableEntry::addWatchpoint):
15061 (JSC::SymbolTableEntry::notifyWriteSlow):
15062 (JSC::SymbolTable::visitChildren):
15063 (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup):
15064 (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup):
15065 (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally):
15066 * runtime/SymbolTable.h:
15067 (JSC::SymbolTableEntry::watchpointSet):
15068 (JSC::SymbolTableEntry::notifyWrite):
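
The two watchpoint state machines described in this entry, in the 2013-11-27 "Infer one-time scopes" entry and in the 2013-12-02 "watchpoint entry into functions" entry above, as an added C++ model that is not JavaScriptCore code. It assumes the names EntryWatchpointSet, VariableWatchpointSet, Value, foldableAfterStores and entriesUntilInvalidated, which are invented for the example; only the three state names and the m_inferredValue convention come from the entry. The Value struct stands in for JSC::JSValue, with its empty form playing the role of JSValue() as the "do not fold" marker.

```cpp
#include <cstdint>
#include <vector>

// Added example, not JavaScriptCore code. Class and member names are assumptions
// modelled on the ChangeLog entries, not JSC's real API.

// The three monotonic states both watchpoint sets move through.
enum class WatchState { Uninitialized, Initialized, Invalidated };

// Toy stand-in for JSC::JSValue: an integer plus an "empty" flag that plays the
// role of the default-constructed JSValue() used as the "cannot fold" marker.
struct Value {
    std::int64_t bits;
    bool empty;
    Value() : bits(0), empty(true) {}
    explicit Value(std::int64_t v) : bits(v), empty(false) {}
    bool operator==(const Value& o) const { return empty == o.empty && bits == o.bits; }
    bool operator!=(const Value& o) const { return !(*this == o); }
};

// Function-entry watchpoint for one-shot closure inference: touch() runs on each
// entry into a function that has captured variables. The first entry initializes
// the set, the second proves the closure is multi-shot and invalidates it; after
// that the state is terminal, so only the first two entries pay for the check.
class EntryWatchpointSet {
public:
    WatchState state() const { return m_state; }
    bool isStillValid() const { return m_state != WatchState::Invalidated; }
    void touch() {
        if (m_state == WatchState::Uninitialized)
            m_state = WatchState::Initialized;
        else if (m_state == WatchState::Initialized)
            m_state = WatchState::Invalidated;
        // Invalidated is terminal.
    }
private:
    WatchState m_state = WatchState::Uninitialized;
};

// Variable watchpoint: the inferred value lives inside the set. Only a store of
// a different value moves Initialized -> Invalidated; storing the same value
// again leaves the state alone, so repeated "var WIDTH = 45" keeps WIDTH foldable.
class VariableWatchpointSet {
public:
    WatchState state() const { return m_state; }
    // Empty means "do not fold" (uninitialized or invalidated, it does not matter
    // which); any other value is the constant the JIT may fold to.
    Value inferredValue() const { return m_inferredValue; }
    void notifyWrite(Value v) {
        switch (m_state) {
        case WatchState::Uninitialized:
            m_inferredValue = v;
            m_state = WatchState::Initialized;
            break;
        case WatchState::Initialized:
            if (v != m_inferredValue)
                invalidate();
            break;
        case WatchState::Invalidated:
            break;
        }
    }
    void invalidate() {
        m_inferredValue = Value();
        m_state = WatchState::Invalidated;
    }
private:
    WatchState m_state = WatchState::Uninitialized;
    Value m_inferredValue;
};

// Drive a VariableWatchpointSet through a sequence of stores and report whether
// a JIT compiling afterwards could still constant-fold reads of the variable.
bool foldableAfterStores(const std::vector<std::int64_t>& stores) {
    VariableWatchpointSet set;
    for (std::int64_t s : stores)
        set.notifyWrite(Value(s));
    return !set.inferredValue().empty;
}

// Number of function entries that do watchpoint work before the entry
// watchpoint reaches its terminal state.
int entriesUntilInvalidated() {
    EntryWatchpointSet set;
    int entries = 0;
    while (set.isStillValid()) {
        set.touch();
        ++entries;
    }
    return entries;
}

int main() {
    bool sameValueEveryCall = foldableAfterStores({45, 45, 45});   // still a constant
    bool changedOnce = foldableAfterStores({45, 46, 45});          // invalidated for good
    return (sameValueEveryCall && !changedOnce && entriesUntilInvalidated() == 2) ? 0 : 1;
}
```

The single-field encoding is what makes the JIT side simple: a compiler thread reads m_inferredValue once, folds if it is non-empty, and records a dependency on the set; the invalidation path only ever moves the value to empty, so a stale read can at worst miss an optimization, never fold to a wrong constant.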
15069
15070 2013-11-24 Filip Pizlo <fpizlo@apple.com>
15071
15072 Create a new SymbolTable every time code is loaded so that the watchpoints don't get reused
15073 https://bugs.webkit.org/show_bug.cgi?id=124824
15074
15075 Reviewed by Oliver Hunt.
15076
15077 This helps with one shot closure inference as well as closure variable constant
15078 inference, since without this, if code was reloaded from the cache then we would
15079 think that the first run was actually an Nth run. This would cause us to think that
15080 the watchpoint(s) should all be invalidated.
15081
15082 * bytecode/CodeBlock.cpp:
15083 (JSC::CodeBlock::CodeBlock):
15084 (JSC::CodeBlock::stronglyVisitStrongReferences):
15085 * bytecode/CodeBlock.h:
15086 (JSC::CodeBlock::symbolTable):
15087 * runtime/Executable.cpp:
15088 (JSC::FunctionExecutable::symbolTable):
15089 * runtime/Executable.h:
15090 * runtime/SymbolTable.cpp:
15091 (JSC::SymbolTable::clone):
15092 * runtime/SymbolTable.h:
15093
15094 2013-11-26 Oliver Hunt <oliver@apple.com>
15095
15096 Crash in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
15097 https://bugs.webkit.org/show_bug.cgi?id=124886
15098
15099 Reviewed by Sam Weinig.
15100
15101 Make sure the error macros propagate an existing error before
15102 trying to create a new error message. We need to do this as
15103 the parser state may not be safe for any specific error message
15104 if we are already unwinding due to an error.
15105
15106 * parser/Parser.cpp:
15107
15108 2013-11-26 Nadav Rotem <nrotem@apple.com>
15109
15110 Optimize away OR with zero - a common ASM.js pattern.
15111 https://bugs.webkit.org/show_bug.cgi?id=124869
15112
15113 Reviewed by Filip Pizlo.
15114
15115 * dfg/DFGFixupPhase.cpp:
15116 (JSC::DFG::FixupPhase::fixupNode):
15117
15118 2013-11-25 Julien Brianceau <jbriance@cisco.com>
15119
15120 [arm][mips] Fix crash in dfg-arrayify-elimination layout jsc test.
15121 https://bugs.webkit.org/show_bug.cgi?id=124839
15122
15123 Reviewed by Michael Saboff.
15124
15125 In ARM EABI and MIPS, 64-bit values have to be aligned on stack too.
15126
15127 * jit/CCallHelpers.h:
15128 (JSC::CCallHelpers::setupArgumentsWithExecState):
15129 * jit/JITInlines.h:
15130 (JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG.
15131
15132 2013-11-23 Filip Pizlo <fpizlo@apple.com>
15133
15134 Fix more fallout from failed attempts at div/mod DFG strength reductions
15135 https://bugs.webkit.org/show_bug.cgi?id=124813
15136
15137 Reviewed by Geoffrey Garen.
15138
15139 * dfg/DFGSpeculativeJIT.cpp:
15140 (JSC::DFG::SpeculativeJIT::compileArithMod):
15141
15142 2013-11-22 Mark Hahnenberg <mhahnenberg@apple.com>
15143
15144 JSC Obj-C API should have real documentation
15145 https://bugs.webkit.org/show_bug.cgi?id=124805
15146
15147 Reviewed by Geoffrey Garen.
15148
15149 Massaging the header comments into proper headerdocs.
15150
15151 * API/JSContext.h:
15152 * API/JSExport.h:
15153 * API/JSManagedValue.h:
15154 * API/JSValue.h:
15155 * API/JSVirtualMachine.h:
15156
15157 2013-11-22 Filip Pizlo <fpizlo@apple.com>
15158
15159 CodeBlock::m_numCalleeRegisters shouldn't also mean frame size, frame size needed for exit, or any other unrelated things
15160 https://bugs.webkit.org/show_bug.cgi?id=124793
15161
15162 Reviewed by Mark Hahnenberg.
15163
15164 Now m_numCalleeRegisters always refers to the number of locals that the attached
15165 bytecode uses. It never means anything else.
15166
15167 For frame size, we now have it lazily computed from m_numCalleeRegisters for the
15168 baseline engines and we have it stored in DFG::CommonData for the optimizing JITs.
15169
15170 For frame-size-needed-at-exit, we store that in DFG::CommonData, too.
15171
15172 The code no longer implies that there is any arithmetic relationship between
15173 m_numCalleeRegisters and frameSize. Previously it implied that the latter is greater
15174 than the former.
15175
15176 The code no longer implies that there is any arithmetic relationship between the
15177 frame size and the frame-size-needed-at-exit. Previously it implied that the latter
15178 is greater than the former.
15179
15180 * bytecode/CodeBlock.cpp:
15181 (JSC::CodeBlock::frameRegisterCount):
15182 * bytecode/CodeBlock.h:
15183 * dfg/DFGCommonData.h:
15184 (JSC::DFG::CommonData::CommonData):
15185 (JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
15186 * dfg/DFGGraph.cpp:
15187 (JSC::DFG::Graph::frameRegisterCount):
15188 (JSC::DFG::Graph::requiredRegisterCountForExit):
15189 (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
15190 * dfg/DFGGraph.h:
15191 * dfg/DFGJITCompiler.cpp:
15192 (JSC::DFG::JITCompiler::link):
15193 (JSC::DFG::JITCompiler::compileFunction):
15194 * dfg/DFGOSREntry.cpp:
15195 (JSC::DFG::prepareOSREntry):
15196 * dfg/DFGSpeculativeJIT.cpp:
15197 (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
15198 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
15199 (JSC::DFG::VirtualRegisterAllocationPhase::run):
15200 * ftl/FTLLink.cpp:
15201 (JSC::FTL::link):
15202 * ftl/FTLLowerDFGToLLVM.cpp:
15203 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
15204 * ftl/FTLOSREntry.cpp:
15205 (JSC::FTL::prepareOSREntry):
15206 * interpreter/CallFrame.cpp:
15207 (JSC::CallFrame::frameExtentInternal):
15208 * interpreter/JSStackInlines.h:
15209 (JSC::JSStack::pushFrame):
15210 * jit/JIT.h:
15211 (JSC::JIT::frameRegisterCountFor):
15212 * jit/JITOperations.cpp:
15213 * llint/LLIntEntrypoint.cpp:
15214 (JSC::LLInt::frameRegisterCountFor):
15215 * llint/LLIntEntrypoint.h:
15216
15217 2013-11-21 Filip Pizlo <fpizlo@apple.com>
15218
15219 Combine SymbolTable and SharedSymbolTable
15220 https://bugs.webkit.org/show_bug.cgi?id=124761
15221
15222 Reviewed by Geoffrey Garen.
15223
15224 SymbolTable was never used directly; we now always use SharedSymbolTable. So, this
15225 gets rid of SymbolTable and renames SharedSymbolTable to SymbolTable.
15226
15227 * bytecode/CodeBlock.h:
15228 (JSC::CodeBlock::symbolTable):
15229 * bytecode/UnlinkedCodeBlock.h:
15230 (JSC::UnlinkedFunctionExecutable::symbolTable):
15231 (JSC::UnlinkedCodeBlock::symbolTable):
15232 (JSC::UnlinkedCodeBlock::finishCreation):
15233 * bytecompiler/BytecodeGenerator.h:
15234 (JSC::BytecodeGenerator::symbolTable):
15235 * dfg/DFGSpeculativeJIT32_64.cpp:
15236 (JSC::DFG::SpeculativeJIT::compile):
15237 * dfg/DFGSpeculativeJIT64.cpp:
15238 (JSC::DFG::SpeculativeJIT::compile):
15239 * dfg/DFGStackLayoutPhase.cpp:
15240 (JSC::DFG::StackLayoutPhase::run):
15241 * jit/AssemblyHelpers.h:
15242 (JSC::AssemblyHelpers::symbolTableFor):
15243 * runtime/Arguments.h:
15244 (JSC::Arguments::finishCreation):
15245 * runtime/Executable.h:
15246 (JSC::FunctionExecutable::symbolTable):
15247 * runtime/JSActivation.h:
15248 (JSC::JSActivation::create):
15249 (JSC::JSActivation::JSActivation):
15250 (JSC::JSActivation::registersOffset):
15251 (JSC::JSActivation::allocationSize):
15252 * runtime/JSSymbolTableObject.h:
15253 (JSC::JSSymbolTableObject::symbolTable):
15254 (JSC::JSSymbolTableObject::JSSymbolTableObject):
15255 (JSC::JSSymbolTableObject::finishCreation):
15256 * runtime/JSVariableObject.h:
15257 (JSC::JSVariableObject::JSVariableObject):
15258 * runtime/SymbolTable.cpp:
15259 (JSC::SymbolTable::destroy):
15260 (JSC::SymbolTable::SymbolTable):
15261 * runtime/SymbolTable.h:
15262 (JSC::SymbolTable::create):
15263 (JSC::SymbolTable::createStructure):
15264 * runtime/VM.cpp:
15265 (JSC::VM::VM):
15266 * runtime/VM.h:
15267
15268 2013-11-22 Mark Lam <mark.lam@apple.com>
15269
15270 Remove residual references to "dynamicGlobalObject".
15271 https://bugs.webkit.org/show_bug.cgi?id=124787.
15272
15273 Reviewed by Filip Pizlo.
15274
15275 * JavaScriptCore.order:
15276 * interpreter/CallFrame.h:
15277
15278 2013-11-22 Mark Lam <mark.lam@apple.com>
15279
15280 Ensure that arity fixups honor stack alignment requirements.
15281 https://bugs.webkit.org/show_bug.cgi?id=124756.
15282
15283 Reviewed by Geoffrey Garen.
15284
15285 The LLINT and all the JITs rely on CommonSlowPaths::arityCheckFor() to
15286 compute the arg count adjustment for the arity fixup. We take advantage
15287 of this choke point and introduce the stack alignment padding there in
15288 the guise of additional args.
15289
15290 The only cost of this approach is that the padding will also be
15291 initialized to undefined values as if they were args. Since arity fixups
15292 are considered a slow path that is rarely taken, this cost is not a
15293 concern.
15294
15295 * runtime/CommonSlowPaths.h:
15296 (JSC::CommonSlowPaths::arityCheckFor):
15297 * runtime/VM.h:
15298 (JSC::VM::isSafeToRecurse):
15299
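The padding-as-arguments trick described in the entry above, as an added C++ example written for this page (it is not JSC's code): arityCheckFor() rounds the missing-argument count up to the stack alignment, fixupArguments() materialises that many Undefined slots, and fixupKeepsFrameAligned() checks the invariant the slow path has to preserve. The 16-byte alignment, the 8-byte Register and the Undefined sentinel are assumptions of this model, as is the premise that the call site already aligned its own frame.

```cpp
// Added example, not JSC code: a model of the arity fixup with the alignment
// padding delivered as extra "arguments". Alignment, Register size and the
// Undefined sentinel are assumptions; JSC's own values live in
// runtime/StackAlignment.h and runtime/CommonSlowPaths.h.
#include <cstddef>
#include <cstdio>
#include <vector>

using Register = long long;              // stand-in for a JSC::Register slot
constexpr Register Undefined = -1;       // stand-in for jsUndefined()

constexpr size_t stackAlignmentBytes() { return 16; }
constexpr size_t stackAlignmentRegisters() { return stackAlignmentBytes() / sizeof(Register); }

// The choke point: how many slots to add to a frame that passed
// argumentCountIncludingThis arguments to a callee expecting
// parameterCountIncludingThis. The caller's frame is assumed to be aligned
// already, so the *delta* must be a multiple of the alignment for the
// fixed-up frame to stay aligned. Returns 0 when no fixup is needed.
size_t arityCheckFor(size_t argumentCountIncludingThis, size_t parameterCountIncludingThis)
{
    if (argumentCountIncludingThis >= parameterCountIncludingThis)
        return 0;
    size_t missing = parameterCountIncludingThis - argumentCountIncludingThis;
    size_t align = stackAlignmentRegisters();
    return (missing + align - 1) / align * align;   // round up to the alignment
}

// Apply the fixup: the missing parameters and the padding are all appended as
// Undefined. Initialising the padding too is the cost the entry accepts.
std::vector<Register> fixupArguments(const std::vector<Register>& args, size_t parameterCountIncludingThis)
{
    std::vector<Register> fixed(args);
    fixed.insert(fixed.end(), arityCheckFor(args.size(), parameterCountIncludingThis), Undefined);
    return fixed;
}

// Invariant the slow path must preserve: enough arguments for the callee, and
// a delta that keeps the (already aligned) frame aligned.
bool fixupKeepsFrameAligned(size_t argumentCountIncludingThis, size_t parameterCountIncludingThis)
{
    std::vector<Register> args(argumentCountIncludingThis, 1);
    std::vector<Register> fixed = fixupArguments(args, parameterCountIncludingThis);
    return fixed.size() >= parameterCountIncludingThis
        && (fixed.size() - args.size()) % stackAlignmentRegisters() == 0;
}

int main()
{
    for (size_t args = 1; args <= 4; ++args)
        std::printf("%zu args, callee wants 4: add %zu slots\n", args, arityCheckFor(args, 4));
}
```

With two registers per 16-byte alignment unit, one missing argument costs two slots and three missing arguments cost four; a caller that already supplies enough arguments never reaches the padding path, which is what keeps the common case cheap.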
15300 2013-11-21 Filip Pizlo <fpizlo@apple.com>
15301
15302 BytecodeGenerator should align the stack according to native conventions
15303 https://bugs.webkit.org/show_bug.cgi?id=124735
15304
15305 Reviewed by Mark Lam.
15306
15307 Rolling this back in because it actually fixed fast/dom/gc-attribute-node.html, but
15308 our infrastructure misleads people into thinking that fixing a test constitutes
15309 breaking it.
15310
15311 * bytecompiler/BytecodeGenerator.h:
15312 (JSC::CallArguments::registerOffset):
15313 (JSC::CallArguments::argumentCountIncludingThis):
15314 * bytecompiler/NodesCodegen.cpp:
15315 (JSC::CallArguments::CallArguments):
15316
15317 2013-11-21 Filip Pizlo <fpizlo@apple.com>
15318
15319 Get rid of CodeBlock::dumpStatistics()
15320 https://bugs.webkit.org/show_bug.cgi?id=124762
15321
15322 Reviewed by Mark Hahnenberg.
15323
15324 * bytecode/CodeBlock.cpp:
15325 (JSC::CodeBlock::CodeBlock):
15326 (JSC::CodeBlock::~CodeBlock):
15327 * bytecode/CodeBlock.h:
15328
15329 2013-11-22 Commit Queue <commit-queue@webkit.org>
15330
15331 Unreviewed, rolling out r159652.
15332 http://trac.webkit.org/changeset/159652
15333 https://bugs.webkit.org/show_bug.cgi?id=124778
15334
15335 broke fast/dom/gc-attribute-node.html (Requested by ap on
15336 #webkit).
15337
15338 * bytecompiler/BytecodeGenerator.cpp:
15339 (JSC::BytecodeGenerator::emitCall):
15340 (JSC::BytecodeGenerator::emitConstruct):
15341 * bytecompiler/BytecodeGenerator.h:
15342 (JSC::CallArguments::registerOffset):
15343 (JSC::CallArguments::argumentCountIncludingThis):
15344 * bytecompiler/NodesCodegen.cpp:
15345 (JSC::CallArguments::CallArguments):
15346 (JSC::CallArguments::newArgument):
15347
15348 2013-11-21 Filip Pizlo <fpizlo@apple.com>
15349
15350 Fix a typo (requriements->requirements).
15351
15352 * runtime/StackAlignment.h:
15353
15354 2013-11-21 Mark Lam <mark.lam@apple.com>
15355
15356 CodeBlock::m_numCalleeRegisters need to honor native stack alignment.
15357 https://bugs.webkit.org/show_bug.cgi?id=124754.
15358
15359 Reviewed by Filip Pizlo.
15360
15361 * bytecompiler/BytecodeGenerator.cpp:
15362 (JSC::BytecodeGenerator::newRegister):
15363 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
15364 (JSC::DFG::VirtualRegisterAllocationPhase::run):
15365
15366 2013-11-21 Mark Rowe <mrowe@apple.com>
15367
15368 <https://webkit.org/b/124702> Stop overriding VALID_ARCHS.
15369
15370 All modern versions of Xcode set it appropriately for our needs.
15371
15372 Reviewed by Alexey Proskuryakov.
15373
15374 * Configurations/Base.xcconfig:
15375
15376 2013-11-21 Mark Rowe <mrowe@apple.com>
15377
15378 <https://webkit.org/b/124701> Fix an error in a few Xcode configuration setting files.
15379
15380 Reviewed by Alexey Proskuryakov.
15381
15382 * Configurations/Base.xcconfig:
15383
15384 2013-11-21 Michael Saboff <msaboff@apple.com>
15385
15386 ARM64: Implement push/pop equivalents in LLInt
15387 https://bugs.webkit.org/show_bug.cgi?id=124721
15388
15389 Reviewed by Filip Pizlo.
15390
15391 Added pushLRAndFP and popLRAndFP that push and pop the link register and frame pointer register.
15392 These ops emit code just like what the compiler emits in the prologue and epilogue. Also changed
15393 pushCalleeSaves and popCalleeSaves to use the same store pair and load pair instructions to do
15394 the actual pushing and popping. Finally changed the implementation of push and pop to raise
15395 an exception since we don't have (or need) a single register push or pop.
15396
15397 * llint/LowLevelInterpreter64.asm:
15398 * offlineasm/arm64.rb:
15399 * offlineasm/instructions.rb:
15400
15401 2013-11-21 Michael Saboff <msaboff@apple.com>
15402
15403 JSC: Removed unused opcodes from offline assembler
15404 https://bugs.webkit.org/show_bug.cgi?id=124749
15405
15406 Reviewed by Mark Hahnenberg.
15407
15408 Removed the unused, X86 only peekq and pokeq.
15409
15410 * offlineasm/instructions.rb:
15411 * offlineasm/x86.rb:
15412
15413 2013-11-21 Michael Saboff <msaboff@apple.com>
15414
15415 REGRESSION(159395) Fix branch8(…, AbsoluteAddress, …) in ARM64 MacroAssembler
15416 https://bugs.webkit.org/show_bug.cgi?id=124688
15417
15418 Reviewed by Geoffrey Garen.
15419
15420 Changed handling of the address for the load8() in the branch8(AbsoluteAddress) to be like
15421 the rest of the branchXX(AbsoluteAddress) functions.
15422
15423 * assembler/MacroAssemblerARM64.h:
15424 (JSC::MacroAssemblerARM64::branch8):
15425
15426 2013-11-21 Filip Pizlo <fpizlo@apple.com>
15427
15428 BytecodeGenerator should align the stack according to native conventions
15429 https://bugs.webkit.org/show_bug.cgi?id=124735
15430
15431 Reviewed by Mark Lam.
15432
15433 * bytecompiler/BytecodeGenerator.h:
15434 (JSC::CallArguments::registerOffset):
15435 (JSC::CallArguments::argumentCountIncludingThis):
15436 * bytecompiler/NodesCodegen.cpp:
15437 (JSC::CallArguments::CallArguments):
15438
15439 2013-11-21 Filip Pizlo <fpizlo@apple.com>
15440
15441 Unreviewed, preemptive build fix.
15442
15443 * runtime/StackAlignment.h:
15444 (JSC::stackAlignmentBytes):
15445 (JSC::stackAlignmentRegisters):
15446
15447 2013-11-21 Filip Pizlo <fpizlo@apple.com>
15448
15449 JSC should know what the stack alignment conventions are
15450 https://bugs.webkit.org/show_bug.cgi?id=124736
15451
15452 Reviewed by Mark Lam.
15453
15454 * GNUmakefile.list.am:
15455 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
15456 * JavaScriptCore.xcodeproj/project.pbxproj:
15457 * runtime/StackAlignment.h: Added.
15458 (JSC::stackAlignmentBytes):
15459 (JSC::stackAlignmentRegisters):
15460
15461 2013-11-21 Balazs Kilvady <kilvadyb@homejinni.com>
15462
15463 [MIPS] Build fails since r159545.
15464 https://bugs.webkit.org/show_bug.cgi?id=124716
15465
15466 Reviewed by Michael Saboff.
15467
15468 Add missing implementations in MacroAssembler and LLInt for MIPS.
15469
15470 * assembler/MIPSAssembler.h:
15471 (JSC::MIPSAssembler::sync):
15472 * assembler/MacroAssemblerMIPS.h:
15473 (JSC::MacroAssemblerMIPS::store8):
15474 (JSC::MacroAssemblerMIPS::memoryFence):
15475 * offlineasm/mips.rb:
15476
15477 2013-11-21 Julien Brianceau <jbriance@cisco.com>
15478
15479 Fix sh4 build after r159545.
15480 https://bugs.webkit.org/show_bug.cgi?id=124713
15481
15482 Reviewed by Michael Saboff.
15483
15484 Add missing implementations in macro assembler and LLINT for sh4.
15485
15486 * assembler/MacroAssemblerSH4.h:
15487 (JSC::MacroAssemblerSH4::load8):
15488 (JSC::MacroAssemblerSH4::store8):
15489 (JSC::MacroAssemblerSH4::memoryFence):
15490 * assembler/SH4Assembler.h:
15491 (JSC::SH4Assembler::synco):
15492 * offlineasm/sh4.rb: Handle "memfence" opcode.
15493
15494 2013-11-20 Mark Lam <mark.lam@apple.com>
15495
15496 Introducing VMEntryScope to update the VM stack limit.
15497 https://bugs.webkit.org/show_bug.cgi?id=124634.
15498
15499 Reviewed by Geoffrey Garen.
15500
15501 1. Introduced USE(SEPARATE_C_AND_JS_STACK) (defined in Platform.h).
15502 Currently, it is hardcoded to use separate C and JS stacks. Once we
15503 switch to using the C stack for JS frames, we'll need to fix this to
15504 only be enabled when ENABLE(LLINT_C_LOOP).
15505
15506 2. Stack limits are now tracked in the VM.
15507
15508 Logically, there are 2 stack limits:
15509 a. m_stackLimit for the native C stack, and
15510 b. m_jsStackLimit for the JS stack.
15511
15512 If USE(SEPARATE_C_AND_JS_STACK), then the 2 limits are the same
15513 value, and are implemented as 2 fields in a union.
15514
15515 3. The VM native stackLimit is set as follows:
15516 a. Initially, the VM sets it to the limit of the stack of the thread that
15517 instantiated the VM. This allows the parser and bytecode generator to
15518 run before we enter the VM to execute JS code.
15519
15520 b. Upon entry into the VM to execute JS code (via one of the
15521 Interpreter::execute...() functions), we instantiate a VMEntryScope
15522 that sets the VM's stackLimit to the limit of the current thread's
15523 stack. The VMEntryScope will automatically restore the previous
15524 entryScope and stack limit upon destruction.
15525
15526 If USE(SEPARATE_C_AND_JS_STACK), the JSStack's methods will set the VM's
15527 jsStackLimit whenever it grows or shrinks.
15528
15529 4. The VM now provides an isSafeToRecurse() function that compares the
15530 current stack pointer against its native stackLimit. This subsumes and
15531 obsoletes the VMStackBounds class.
15532
15533 5. The VMEntryScope class also subsumes DynamicGlobalObjectScope for
15534 tracking the JSGlobalObject that we last entered the VM with.
15535
15536 6. Renamed dynamicGlobalObject() to vmEntryGlobalObject() since that is
15537 the value that the function retrieves.
15538
15539 7. Changed JIT and LLINT code to do stack checks against the jsStackLimit
15540 in the VM class instead of the JSStack.
15541
15542 * API/JSBase.cpp:
15543 (JSEvaluateScript):
15544 (JSCheckScriptSyntax):
15545 * API/JSContextRef.cpp:
15546 (JSGlobalContextRetain):
15547 (JSGlobalContextRelease):
15548 * CMakeLists.txt:
15549 * GNUmakefile.list.am:
15550 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
15551 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
15552 * JavaScriptCore.xcodeproj/project.pbxproj:
15553 * bytecompiler/BytecodeGenerator.cpp:
15554 (JSC::BytecodeGenerator::BytecodeGenerator):
15555 * bytecompiler/BytecodeGenerator.h:
15556 (JSC::BytecodeGenerator::emitNode):
15557 (JSC::BytecodeGenerator::emitNodeInConditionContext):
15558 * debugger/Debugger.cpp:
15559 (JSC::Debugger::detach):
15560 (JSC::Debugger::recompileAllJSFunctions):
15561 (JSC::Debugger::pauseIfNeeded):
15562 * debugger/DebuggerCallFrame.cpp:
15563 (JSC::DebuggerCallFrame::vmEntryGlobalObject):
15564 * debugger/DebuggerCallFrame.h:
15565 * dfg/DFGJITCompiler.cpp:
15566 (JSC::DFG::JITCompiler::compileFunction):
15567 * dfg/DFGOSREntry.cpp:
15568 * ftl/FTLLink.cpp:
15569 (JSC::FTL::link):
15570 * ftl/FTLOSREntry.cpp:
15571 * heap/Heap.cpp:
15572 (JSC::Heap::lastChanceToFinalize):
15573 (JSC::Heap::deleteAllCompiledCode):
15574 * interpreter/CachedCall.h:
15575 (JSC::CachedCall::CachedCall):
15576 * interpreter/CallFrame.cpp:
15577 (JSC::CallFrame::vmEntryGlobalObject):
15578 * interpreter/CallFrame.h:
15579 * interpreter/Interpreter.cpp:
15580 (JSC::unwindCallFrame):
15581 (JSC::Interpreter::unwind):
15582 (JSC::Interpreter::execute):
15583 (JSC::Interpreter::executeCall):
15584 (JSC::Interpreter::executeConstruct):
15585 (JSC::Interpreter::prepareForRepeatCall):
15586 (JSC::Interpreter::debug):
15587 * interpreter/JSStack.cpp:
15588 (JSC::JSStack::JSStack):
15589 (JSC::JSStack::growSlowCase):
15590 * interpreter/JSStack.h:
15591 * interpreter/JSStackInlines.h:
15592 (JSC::JSStack::shrink):
15593 (JSC::JSStack::grow):
15594 - Moved these inlined functions here from JSStack.h. It reduces some
15595 #include dependencies of JSStack.h which had previously resulted
15596 in some EWS bots' unhappiness with this patch.
15597 (JSC::JSStack::updateStackLimit):
15598 * jit/JIT.cpp:
15599 (JSC::JIT::privateCompile):
15600 * jit/JITCall.cpp:
15601 (JSC::JIT::compileLoadVarargs):
15602 * jit/JITCall32_64.cpp:
15603 (JSC::JIT::compileLoadVarargs):
15604 * jit/JITOperations.cpp:
15605 * llint/LLIntSlowPaths.cpp:
15606 * llint/LowLevelInterpreter.asm:
15607 * parser/Parser.cpp:
15608 (JSC::::Parser):
15609 * parser/Parser.h:
15610 (JSC::Parser::canRecurse):
15611 * runtime/CommonSlowPaths.h:
15612 * runtime/Completion.cpp:
15613 (JSC::evaluate):
15614 * runtime/FunctionConstructor.cpp:
15615 (JSC::constructFunctionSkippingEvalEnabledCheck):
15616 * runtime/JSGlobalObject.cpp:
15617 * runtime/JSGlobalObject.h:
15618 * runtime/StringRecursionChecker.h:
15619 (JSC::StringRecursionChecker::performCheck):
15620 * runtime/VM.cpp:
15621 (JSC::VM::VM):
15622 (JSC::VM::releaseExecutableMemory):
15623 (JSC::VM::throwException):
15624 * runtime/VM.h:
15625 (JSC::VM::addressOfJSStackLimit):
15626 (JSC::VM::jsStackLimit):
15627 (JSC::VM::setJSStackLimit):
15628 (JSC::VM::stackLimit):
15629 (JSC::VM::setStackLimit):
15630 (JSC::VM::isSafeToRecurse):
15631 * runtime/VMEntryScope.cpp: Added.
15632 (JSC::VMEntryScope::VMEntryScope):
15633 (JSC::VMEntryScope::~VMEntryScope):
15634 (JSC::VMEntryScope::requiredCapacity):
15635 * runtime/VMEntryScope.h: Added.
15636 (JSC::VMEntryScope::globalObject):
15637 * runtime/VMStackBounds.h: Removed.
15638
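Points 3b and 4 of the entry above, as an added stand-alone C++ example written for this page rather than taken from JSC: VM, VMEntryScope, isSafeToRecurse(), limitBelowCurrentStack() and recurseUntilUnsafe() are hypothetical simplifications of the classes the entry names, and the code assumes a downward-growing native stack (true on x86-64 and ARM64). The recursive consumer plays the role of the parser's canRecurse() check: it stops at the limit instead of overflowing.

```cpp
// Added example, not JSC code: a model of VMEntryScope-based stack-limit
// tracking and the isSafeToRecurse() check. Assumes the native stack grows
// downward and that a local's address approximates the stack pointer.
#include <cstddef>
#include <cstdint>
#include <cstdio>

struct VM {
    uintptr_t stackLimit = 0;     // lowest usable native stack address; 0 = no limit yet

    // Point 4: compare the current stack position against the native limit,
    // leaving room for the capacity the caller is about to consume.
    bool isSafeToRecurse(size_t requiredCapacity = 0) const
    {
        char marker;              // its address approximates the stack pointer
        uintptr_t current = reinterpret_cast<uintptr_t>(&marker);
        if (!stackLimit)
            return true;
        return current > stackLimit && current - stackLimit >= requiredCapacity;
    }
};

// Point 3b: each entry into the VM records the limit of the *current* thread's
// stack and restores the previous limit on exit, so a VM instantiated on one
// thread and entered from another still checks against the right stack.
class VMEntryScope {
public:
    VMEntryScope(VM& vm, uintptr_t threadStackLimit)
        : m_vm(vm), m_previousLimit(vm.stackLimit) { m_vm.stackLimit = threadStackLimit; }
    ~VMEntryScope() { m_vm.stackLimit = m_previousLimit; }
    VMEntryScope(const VMEntryScope&) = delete;
    VMEntryScope& operator=(const VMEntryScope&) = delete;
private:
    VM& m_vm;
    uintptr_t m_previousLimit;
};

// Stand-in for querying the thread's real stack bounds: a limit `bytes` below
// the caller's current stack position.
uintptr_t limitBelowCurrentStack(size_t bytes)
{
    char marker;
    return reinterpret_cast<uintptr_t>(&marker) - bytes;
}

static void* volatile g_frameSink;   // escapes each frame so it cannot be reused by tail-call optimisation

// Recursive consumer that checks before every level and returns the depth reached.
// Each frame pins at least 256 bytes, so the depth is bounded by limit / 256.
size_t recurseUntilUnsafe(const VM& vm)
{
    char frame[256];
    frame[0] = 0;
    g_frameSink = frame;
    if (!vm.isSafeToRecurse(sizeof(frame)))
        return 0;
    return 1 + recurseUntilUnsafe(vm);
}

int main()
{
    VM vm;
    VMEntryScope outer(vm, limitBelowCurrentStack(64 * 1024));
    std::printf("depth with a 64 KiB budget: %zu\n", recurseUntilUnsafe(vm));
    {
        VMEntryScope inner(vm, limitBelowCurrentStack(512));
        std::printf("depth with a 512 B budget:  %zu\n", recurseUntilUnsafe(vm));
    }
    std::printf("outer limit restored after inner scope: %s\n", vm.isSafeToRecurse(4096) ? "yes" : "no");
}
```

The inner scope shows the restore path: while it is alive even a 4 KiB request is refused, and as soon as it is destroyed the outer limit applies again. A real implementation would take the thread's actual stack bounds instead of limitBelowCurrentStack().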
15639 2013-11-20 Michael Saboff <msaboff@apple.com>
15640
15641 [Win] JavaScript JIT crash (with DFG enabled).
15642 https://bugs.webkit.org/show_bug.cgi?id=124675
15643
15644 Reviewed by Geoffrey Garen.
15645
15646 Similar to the change in r159427, changed linkClosureCall to use regT0/regT1 (payload/tag) for the callee.
15647 linkForThunkGenerator already expected the callee in regT0/regT1, but changed the comment to reflect that.
15648
15649 * jit/Repatch.cpp:
15650 (JSC::linkClosureCall):
15651 * jit/ThunkGenerators.cpp:
15652 (JSC::linkForThunkGenerator):
15653
15654 2013-11-20 Michael Saboff <msaboff@apple.com>
15655
15656 ARMv7: Crash due to use after free of AssemblerBuffer
15657 https://bugs.webkit.org/show_bug.cgi?id=124611
15658
15659 Reviewed by Geoffrey Garen.
15660
15661 Changed JITFinalizer constructor to take a MacroAssemblerCodePtr instead of a Label.
15662 In finalizeFunction(), we use that value instead of calculating it from the label.
15663
15664 * assembler/MacroAssembler.cpp:
15665 * dfg/DFGJITFinalizer.cpp:
15666 (JSC::DFG::JITFinalizer::JITFinalizer):
15667 (JSC::DFG::JITFinalizer::finalizeFunction):
15668 * dfg/DFGJITFinalizer.h:
15669
15670 2013-11-20 Julien Brianceau <jbriance@cisco.com>
15671
15672 Fix CPU(ARM_TRADITIONAL) build after r159545.
15673 https://bugs.webkit.org/show_bug.cgi?id=124649
15674
15675 Reviewed by Michael Saboff.
15676
15677 Add missing memoryFence, load8 and store8 implementations in macro assembler.
15678
15679 * assembler/ARMAssembler.h:
15680 (JSC::ARMAssembler::dmbSY):
15681 * assembler/MacroAssemblerARM.h:
15682 (JSC::MacroAssemblerARM::load8):
15683 (JSC::MacroAssemblerARM::store8):
15684 (JSC::MacroAssemblerARM::memoryFence):
15685
15686 2013-11-20 Julien Brianceau <jbriance@cisco.com>
15687
15688 [armv7][arm64] Speculative build fix after r159545.
15689 https://bugs.webkit.org/show_bug.cgi?id=124646
15690
15691 Reviewed by Filip Pizlo.
15692
15693 * assembler/ARMv7Assembler.h:
15694 * assembler/MacroAssemblerARM64.h:
15695 (JSC::MacroAssemblerARM64::memoryFence):
15696 * assembler/MacroAssemblerARMv7.h:
15697 (JSC::MacroAssemblerARMv7::memoryFence):
15698
15699 2013-11-19 Ryosuke Niwa <rniwa@webkit.org>
15700
15701 Enable HTMLTemplateElement on Mac port
15702 https://bugs.webkit.org/show_bug.cgi?id=124637
15703
15704 Reviewed by Tim Horton.
15705
15706 * Configurations/FeatureDefines.xcconfig:
15707
15708 2013-11-19 Filip Pizlo <fpizlo@apple.com>
15709
15710 Unreviewed, remove completely bogus assertion.
15711
15712 * runtime/JSGlobalObject.cpp:
15713 (JSC::JSGlobalObject::addFunction):
15714
15715 2013-11-19 Filip Pizlo <fpizlo@apple.com>
15716
15717 Unreviewed, debug build fix.
15718
15719 * runtime/JSGlobalObject.cpp:
15720 (JSC::JSGlobalObject::addFunction):
15721
15722 2013-11-19 Filip Pizlo <fpizlo@apple.com>
15723
15724 Infer constant global variables
15725 https://bugs.webkit.org/show_bug.cgi?id=124464
15726
15727 Reviewed by Sam Weinig.
15728
15729 All global variables that are candidates for watchpoint-based constant inference (i.e.
15730 not 'const' variables) will now have WatchpointSet's associated with them and those
15731 are used to drive the inference by tracking three states of each variable:
15732
15733 Uninitialized: the variable's value is Undefined and the WatchpointSet state is
15734 ClearWatchpoint.
15735
15736 Initialized: the variable's value was set to something (could even be explicitly set
15737 to Undefined) and the WatchpointSet state is IsWatching.
15738
15739 Invalidated: the variable's value was set to something else (could even be the same
15740 thing as before but the point is that a put operation did execute again) and the
15741 WatchpointSet is IsInvalidated.
15742
15743 If the compiler tries to compile a GetGlobalVar and the WatchpointSet state is
15744 IsWatching, then the current value of the variable can be folded in place of the get,
15745 and a watchpoint on the variable can be registered.
15746
15747 We handle race conditions between the mutator and compiler by mandating that:
15748
15749 - The mutator changes the WatchpointSet state after executing the put.
15750
15751 - There is no opportunity to install code or call functions between when the mutator
15752 executes a put and changes the WatchpointSet state.
15753
15754 - The compiler checks the WatchpointSet state prior to reading the value.
15755
15756 The concrete algorithm used by the mutator is:
15757
15758 1. Store the new value into the variable.
15759 --- Execute a store-store fence.
15760 2. Bump the state (ClearWatchpoint becomes IsWatching, IsWatching becomes
15761 IsInvalidated); the IsWatching->IsInvalidated transition may end up firing
15762 watchpoints.
15763
15764 The concrete algorithm that the compiler uses is:
15765
15766 1. Load the state. If it's *not* IsWatching, then give up on constant inference.
15767 --- Execute a load-load fence.
15768 2. Load the value of the variable and use that for folding, while also registering
15769 a DesiredWatchpoint. The various parts of this step can be done in any order.
15770
15771 The desired watchpoint registration will fail if the watchpoint set is already
15772 invalidated. Now consider the following interesting interleavings:
15773
15774 Uninitialized->M1->M2->C1->C2: Compiler sees IsWatching because of the mutator's store
15775 operation, and the variable is folded. The fencing ensures that C2 sees the value
15776 stored in M1 - i.e. we fold on the value that will actually be watchpointed. If
15777 before the compilation is installed the mutator executes another store then we
15778 will be sure that it will be a complete sequence of M1+M2 since compilations get
15779 installed at safepoints and never "in the middle" of a put_to_scope. Hence that
15780 compilation installation will be invalidated. If the M1+M2 sequence happens after
15781 the code is installed, then the code will be invalidated by triggering a jettison.
15782
15783 Uninitialized->M1->C1->C2->M2: Compiler sees Uninitialized and will not fold. This is
15784 a sensible outcome since if the compiler read the variable's value, it would have
15785 seen Undefined.
15786
15787 Uninitialized->C1->C2->M1->M2: Compiler sees Uninitialized and will not fold.
15788 Uninitialized->C1->M1->C2->M2: Compiler sees Uninitialized and will not fold.
15789 Uninitialized->C1->M1->M2->C2: Compiler sees Uninitialized and will not fold.
15790 Uninitialized->M1->C1->M2->C2: Compiler sees Uninitialized and will not fold.
15791
15792 IsWatched->M1->M2->C1->C2: Compiler sees IsInvalidated and will not fold.
15793
15794 IsWatched->M1->C1->C2->M2: Compiler will fold, but will also register a desired
15795 watchpoint, and that watchpoint will get invalidated before the code is installed.
15796
15797 IsWatched->M1->C1->M2->C2: As above, will fold but the code will get invalidated.
15798 IsWatched->C1->C2->M1->M2: As above, will fold but the code will get invalidated.
15799 IsWatched->C1->M1->C2->M2: As above, will fold but the code will get invalidated.
15800 IsWatched->C1->M1->M2->C2: As above, will fold but the code will get invalidated.
15801
15802 Note that this kind of reasoning shows why having the mutator first bump the state and
15803 then store the new value would be wrong. If we had done that (M1 = bump state, M2 =
15804 execute put) then we could have the following deadly interleavings:
15805
15806 Uninitialized->M1->C1->C2->M2:
15807 Uninitialized->M1->C1->M2->C2: Mutator bumps the state to IsWatched and then the
15808 compiler folds Undefined, since M2 hasn't executed yet. Although C2 will set the
15809 watchpoint, M1 didn't notify it - it merely initiated watching. M2 then stores a
15810 value other than Undefined, and you're toast.
15811
15812 You could fix this sort of thing by making the Desired Watchpoints machinery more
15813 sophisticated, for example having it track the value that was folded; if the global
15814 variable's value was later found to be different then we could invalidate the
15815 compilation. You could also fix it by having the compiler also check that the value of
15816 the variable is not Undefined before folding. While those all sound great, I decided
15817 to instead just use the right interleaving since that results in less code and feels
15818 more intuitive.
15819
15820 This is a 0.5% speed-up on SunSpider, mostly due to a 20% speed-up on math-cordic.
15821 It's a 0.6% slow-down on LongSpider, mostly due to a 25% slow-down on 3d-cube. This is
15822 because 3d-cube takes global variable assignment slow paths very often. Note that this
15823 3d-cube slow-down doesn't manifest as much in SunSpider (only 6% there). This patch is
15824 also a 1.5% speed-up on V8v7 and a 2.8% speed-up on Octane v1, mostly due to deltablue
15825 (3.7%), richards (4%), and mandreel (26%). This is a 2% speed-up on Kraken, mostly due
15826 to a 17.5% speed-up on imaging-gaussian-blur. Something that really illustrates the
15827 slam-dunk-itude of this patch is the wide range of speed-ups on JSRegress. Casual JS
15828 programming often leads to global-var-based idioms and those variables tend to be
15829 assigned once, leading to excellent constant folding opportunities in an optimizing
15830 JIT. This is very evident in the speed-ups on JSRegress.
15831
15832 * assembler/ARM64Assembler.h:
15833 (JSC::ARM64Assembler::dmbSY):
15834 * assembler/ARMv7Assembler.h:
15835 (JSC::ARMv7Assembler::dmbSY):
15836 * assembler/MacroAssemblerARM64.h:
15837 (JSC::MacroAssemblerARM64::memfence):
15838 * assembler/MacroAssemblerARMv7.h:
15839 (JSC::MacroAssemblerARMv7::load8):
15840 (JSC::MacroAssemblerARMv7::memfence):
15841 * assembler/MacroAssemblerX86.h:
15842 (JSC::MacroAssemblerX86::load8):
15843 (JSC::MacroAssemblerX86::store8):
15844 * assembler/MacroAssemblerX86Common.h:
15845 (JSC::MacroAssemblerX86Common::getUnusedRegister):
15846 (JSC::MacroAssemblerX86Common::store8):
15847 (JSC::MacroAssemblerX86Common::memoryFence):
15848 * assembler/MacroAssemblerX86_64.h:
15849 (JSC::MacroAssemblerX86_64::load8):
15850 (JSC::MacroAssemblerX86_64::store8):
15851 * assembler/X86Assembler.h:
15852 (JSC::X86Assembler::movb_rm):
15853 (JSC::X86Assembler::movzbl_mr):
15854 (JSC::X86Assembler::mfence):
15855 (JSC::X86Assembler::X86InstructionFormatter::threeByteOp):
15856 (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8):
15857 * bytecode/CodeBlock.cpp:
15858 (JSC::CodeBlock::CodeBlock):
15859 * bytecode/Watchpoint.cpp:
15860 (JSC::WatchpointSet::WatchpointSet):
15861 (JSC::WatchpointSet::add):
15862 (JSC::WatchpointSet::notifyWriteSlow):
15863 * bytecode/Watchpoint.h:
15864 (JSC::WatchpointSet::state):
15865 (JSC::WatchpointSet::isStillValid):
15866 (JSC::WatchpointSet::addressOfSetIsNotEmpty):
15867 * dfg/DFGAbstractInterpreterInlines.h:
15868 (JSC::DFG::::executeEffects):
15869 * dfg/DFGByteCodeParser.cpp:
15870 (JSC::DFG::ByteCodeParser::getJSConstantForValue):
15871 (JSC::DFG::ByteCodeParser::getJSConstant):
15872 (JSC::DFG::ByteCodeParser::parseBlock):
15873 * dfg/DFGClobberize.h:
15874 (JSC::DFG::clobberize):
15875 * dfg/DFGFixupPhase.cpp:
15876 (JSC::DFG::FixupPhase::fixupNode):
15877 * dfg/DFGNode.h:
15878 (JSC::DFG::Node::isStronglyProvedConstantIn):
15879 (JSC::DFG::Node::hasIdentifierNumberForCheck):
15880 (JSC::DFG::Node::hasRegisterPointer):
15881 * dfg/DFGNodeFlags.h:
15882 * dfg/DFGNodeType.h:
15883 * dfg/DFGOperations.cpp:
15884 * dfg/DFGOperations.h:
15885 * dfg/DFGPredictionPropagationPhase.cpp:
15886 (JSC::DFG::PredictionPropagationPhase::propagate):
15887 * dfg/DFGSafeToExecute.h:
15888 (JSC::DFG::safeToExecute):
15889 * dfg/DFGSpeculativeJIT.cpp:
15890 (JSC::DFG::SpeculativeJIT::compileNotifyPutGlobalVar):
15891 * dfg/DFGSpeculativeJIT.h:
15892 (JSC::DFG::SpeculativeJIT::callOperation):
15893 * dfg/DFGSpeculativeJIT32_64.cpp:
15894 (JSC::DFG::SpeculativeJIT::compile):
15895 * dfg/DFGSpeculativeJIT64.cpp:
15896 (JSC::DFG::SpeculativeJIT::compile):
15897 * ftl/FTLAbbreviatedTypes.h:
15898 * ftl/FTLAbbreviations.h:
15899 (JSC::FTL::buildFence):
15900 * ftl/FTLCapabilities.cpp:
15901 (JSC::FTL::canCompile):
15902 * ftl/FTLIntrinsicRepository.h:
15903 * ftl/FTLLowerDFGToLLVM.cpp:
15904 (JSC::FTL::LowerDFGToLLVM::compileNode):
15905 (JSC::FTL::LowerDFGToLLVM::compileNotifyPutGlobalVar):
15906 * ftl/FTLOutput.h:
15907 (JSC::FTL::Output::fence):
15908 * jit/JIT.h:
15909 * jit/JITOperations.h:
15910 * jit/JITPropertyAccess.cpp:
15911 (JSC::JIT::emitPutGlobalVar):
15912 (JSC::JIT::emit_op_put_to_scope):
15913 (JSC::JIT::emitSlow_op_put_to_scope):
15914 * jit/JITPropertyAccess32_64.cpp:
15915 (JSC::JIT::emitPutGlobalVar):
15916 (JSC::JIT::emit_op_put_to_scope):
15917 (JSC::JIT::emitSlow_op_put_to_scope):
15918 * llint/LowLevelInterpreter32_64.asm:
15919 * llint/LowLevelInterpreter64.asm:
15920 * llvm/LLVMAPIFunctions.h:
15921 * offlineasm/arm.rb:
15922 * offlineasm/arm64.rb:
15923 * offlineasm/cloop.rb:
15924 * offlineasm/instructions.rb:
15925 * offlineasm/x86.rb:
15926 * runtime/JSGlobalObject.cpp:
15927 (JSC::JSGlobalObject::addGlobalVar):
15928 (JSC::JSGlobalObject::addFunction):
15929 * runtime/JSGlobalObject.h:
15930 (JSC::JSGlobalObject::addVar):
15931 (JSC::JSGlobalObject::addConst):
15932 * runtime/JSScope.cpp:
15933 (JSC::abstractAccess):
15934 * runtime/JSSymbolTableObject.h:
15935 (JSC::symbolTablePut):
15936 (JSC::symbolTablePutWithAttributes):
15937 * runtime/SymbolTable.cpp:
15938 (JSC::SymbolTableEntry::couldBeWatched):
15939 (JSC::SymbolTableEntry::prepareToWatch):
15940 (JSC::SymbolTableEntry::notifyWriteSlow):
15941 * runtime/SymbolTable.h:
15942
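The interleavings enumerated in the entry above can be replayed mechanically. The following C++ is an added example written for this page, not JSC code: GlobalVar, Mutator, Compiler, Outcome and replay() are a hypothetical single-threaded model of the protocol, with the steps named M1/M2/C1/C2 as in the entry plus an "I" step for installing the compilation at a safepoint and a "P" step for a complete later put. The fences sit where the entry places them, and the storeFirst flag switches to the "deadly" bump-then-store order so the unsound interleaving can be reproduced.

```cpp
// Added example, not JSC code: a replayable model of the put_to_scope /
// GetGlobalVar protocol. Step names follow the ChangeLog entry; everything else
// is a simplification, not the WatchpointSet or SymbolTableEntry API.
#include <atomic>
#include <cstdint>
#include <sstream>
#include <string>

enum class WatchState : uint8_t { ClearWatchpoint, IsWatching, IsInvalidated };

struct GlobalVar {
    std::atomic<int64_t> value{0};                               // 0 models Undefined
    std::atomic<WatchState> state{WatchState::ClearWatchpoint};
    int installedCode = 0;                                       // live compilations that folded this var
    int jettisoned = 0;                                          // ...that a later put invalidated
};

// Mutator half of put_to_scope. storeFirst=true is the order the entry mandates
// (M1 = store value, store-store fence, M2 = bump state); false is the bad order.
struct Mutator {
    GlobalVar& var;
    int64_t newValue;
    bool storeFirst;
    void store()
    {
        var.value.store(newValue, std::memory_order_relaxed);
        std::atomic_thread_fence(std::memory_order_release);     // store-store fence
    }
    void bump()
    {
        WatchState s = var.state.load(std::memory_order_relaxed);
        if (s == WatchState::ClearWatchpoint)
            var.state.store(WatchState::IsWatching, std::memory_order_relaxed);
        else if (s == WatchState::IsWatching) {                  // fires the watchpoints
            var.state.store(WatchState::IsInvalidated, std::memory_order_relaxed);
            var.jettisoned += var.installedCode;
            var.installedCode = 0;
        }
    }
    void m1() { storeFirst ? store() : bump(); }
    void m2() { storeFirst ? bump() : store(); }
};

// Compiler half of GetGlobalVar: C1 = load state, load-load fence; C2 = fold the
// value (and want a watchpoint) only if the state seen was IsWatching.
struct Compiler {
    GlobalVar& var;
    WatchState seen = WatchState::ClearWatchpoint;
    bool folded = false;
    int64_t foldedValue = 0;
    void c1()
    {
        seen = var.state.load(std::memory_order_relaxed);
        std::atomic_thread_fence(std::memory_order_acquire);     // load-load fence
    }
    void c2()
    {
        if (seen != WatchState::IsWatching)
            return;                                              // give up on constant inference
        foldedValue = var.value.load(std::memory_order_relaxed);
        folded = true;
    }
    // Install at a safepoint: the desired watchpoint fails to register if the
    // set was invalidated in the meantime, and the compilation is discarded.
    bool install()
    {
        if (!folded)
            return true;
        if (var.state.load(std::memory_order_relaxed) == WatchState::IsInvalidated)
            return false;
        var.installedCode++;
        return true;
    }
};

struct Outcome {
    bool folded = false, installed = false, jettisoned = false;
    int64_t foldedValue = 0, finalValue = 0;
    // Live folded code must agree with the variable's actual value.
    bool sound() const { return !(folded && installed && !jettisoned) || foldedValue == finalValue; }
};

// Replays a schedule such as "M1 C1 C2 M2". Without an explicit "I" step the
// compilation is installed after the last step; "P" is a complete later put.
Outcome replay(const std::string& schedule, WatchState initial, int64_t putValue, bool storeFirst = true)
{
    GlobalVar var;
    var.state = initial;
    if (initial != WatchState::ClearWatchpoint)
        var.value = 7;                                           // an earlier put already ran
    Mutator m{var, putValue, storeFirst};
    Compiler c{var};
    Outcome out;
    bool installStepSeen = false;
    std::istringstream in(schedule);
    for (std::string tok; in >> tok;) {
        if (tok == "M1") m.m1();
        else if (tok == "M2") m.m2();
        else if (tok == "C1") c.c1();
        else if (tok == "C2") c.c2();
        else if (tok == "I") { out.installed = c.install(); installStepSeen = true; }
        else if (tok == "P") { Mutator later{var, putValue + 1, storeFirst}; later.m1(); later.m2(); }
    }
    if (!installStepSeen)
        out.installed = c.install();
    out.folded = c.folded;
    out.foldedValue = c.foldedValue;
    out.finalValue = var.value.load(std::memory_order_relaxed);
    out.jettisoned = out.folded && out.installed && var.jettisoned > 0;
    return out;
}
```

replay("M1 C1 C2 M2", WatchState::IsWatching, 42) folds 42 but fails to install because M2 invalidated the set first; replay("C1 C2 I M1 M2", WatchState::IsWatching, 42) installs and is then jettisoned by the put; every Uninitialized schedule in which C1 runs before M2 declines to fold. The same "M1 C1 C2 M2" schedule with storeFirst=false folds Undefined, installs, and disagrees with the stored value, which is the interleaving the entry calls deadly.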
15943 2013-11-19 Michael Saboff <msaboff@apple.com>
15944
15945 REGRESSION(158384) ARMv7 point checks too restrictive for native calls to traditional ARM code
15946 https://bugs.webkit.org/show_bug.cgi?id=124612
15947
15948 Reviewed by Geoffrey Garen.
15949
15950 Removed ASSERT checks (i.e. lower bit set) for ARM Thumb2 destination addresses related to
15951 calls since we are calling native ARM traditional functions like sin() and cos().
15952
15953 * assembler/ARMv7Assembler.h:
15954 (JSC::ARMv7Assembler::linkCall):
15955 (JSC::ARMv7Assembler::relinkCall):
15956 * assembler/MacroAssemblerCodeRef.h:
15957
15958 2013-11-19 Commit Queue <commit-queue@webkit.org>
15959
15960 Unreviewed, rolling out r159459.
15961 http://trac.webkit.org/changeset/159459
15962 https://bugs.webkit.org/show_bug.cgi?id=124616
15963
15964 tons of assertions on launch (Requested by thorton on
15965 #webkit).
15966
15967 * API/JSContext.mm:
15968 (-[JSContext setException:]):
15969 (-[JSContext wrapperForObjCObject:]):
15970 (-[JSContext wrapperForJSObject:]):
15971 * API/JSContextRef.cpp:
15972 (JSContextGroupRelease):
15973 (JSGlobalContextRelease):
15974 * API/JSManagedValue.mm:
15975 (-[JSManagedValue initWithValue:]):
15976 (-[JSManagedValue value]):
15977 * API/JSObjectRef.cpp:
15978 (JSObjectIsFunction):
15979 (JSObjectCopyPropertyNames):
15980 * API/JSValue.mm:
15981 (containerValueToObject):
15982 * API/JSWrapperMap.mm:
15983 (tryUnwrapObjcObject):
15984
15985 2013-11-19 Filip Pizlo <fpizlo@apple.com>
15986
15987 Rename WatchpointSet::notifyWrite() should be renamed to WatchpointSet::fireAll()
15988 https://bugs.webkit.org/show_bug.cgi?id=124609
15989
15990 Rubber stamped by Mark Lam.
15991
15992 notifyWrite() is a thing that SymbolTable does. WatchpointSet uses that terminology
15993 because it was originally designed to match exactly SymbolTable's semantics. But now
15994 it's a confusing term.
15995
15996 * bytecode/Watchpoint.cpp:
15997 (JSC::WatchpointSet::fireAllSlow):
15998 * bytecode/Watchpoint.h:
15999 (JSC::WatchpointSet::fireAll):
16000 (JSC::InlineWatchpointSet::fireAll):
16001 * interpreter/Interpreter.cpp:
16002 (JSC::Interpreter::execute):
16003 * runtime/JSFunction.cpp:
16004 (JSC::JSFunction::put):
16005 (JSC::JSFunction::defineOwnProperty):
16006 * runtime/JSGlobalObject.cpp:
16007 (JSC::JSGlobalObject::haveABadTime):
16008 * runtime/Structure.h:
16009 (JSC::Structure::notifyTransitionFromThisStructure):
16010 * runtime/SymbolTable.cpp:
16011 (JSC::SymbolTableEntry::notifyWriteSlow):
16012
16013 2013-11-18 Michael Saboff <msaboff@apple.com>
16014
16015 REGRESSION (r159395): Error compiling for ARMv7
16016 https://bugs.webkit.org/show_bug.cgi?id=124552
16017
16018 Reviewed by Geoffrey Garen.
16019
16020 Fixed the implementation of branch8(RelationalCondition cond, AbsoluteAddress address, TrustedImm32 right)
16021 to materialize and use address similar to other ARMv7 branchXX() functions.
16022
16023 * assembler/MacroAssemblerARMv7.h:
16024 (JSC::MacroAssemblerARMv7::branch8):
16025
16026 2013-11-19 Mark Lam <mark.lam@apple.com>
16027
16028 Add tracking of endColumn for Executables.
16029 https://bugs.webkit.org/show_bug.cgi?id=124245.
16030
16031 Reviewed by Geoffrey Garen.
16032
16033 1. Fixed computation of columns to take into account the startColumn from
16034 <script> tags. Previously, we were only computing the column relative
16035 to the char after the <script> tag. Now, the column number that JSC
16036 computes is always the column number you'll see when viewing the source
16037 in a text editor (assuming the first column position is 1, not 0).
16038
16039 2. Previously, unlinkedExecutables kept a base-1 startColumn for
16040 ProgramExecutables and EvalExecutables, but used base-0 columns for
16041 FunctionExecutables. This has been fixed so that they all use base-0
16042 columns. When the executable gets linked, the column is adjusted into
16043 a base-1 value.
16044
16045 3. In the UnlinkedFunctionExecutable, renamed m_functionStartOffset to
16046 m_unlinkedFunctionNameStart because it actually points to the start
16047 column in the name part of the function declaration.
16048
16049 Similarly, renamed m_functionStartColumn to m_unlinkedBodyStartColumn
16050 because it points to the first character in the function body. This is
16051 usually '{' except for functions created from "global code" which
16052 excludes its braces. See FunctionExecutable::fromGlobalCode().
16053
16054 The exclusion of braces for the global code case is needed so that
16055 computed start and end columns will more readily map to what a JS
16056 developer would expect them to be. Otherwise, the first column of the
16057 function source will not be 1 (includes prepended characters added in
16058 constructFunctionSkippingEvalEnabledCheck()).
16059
16060 Also, similarly, a m_unlinkedBodyEndColumn has been added to track the
16061 end column of the UnlinkedFunctionExecutable.
16062
16063 4. For unlinked executables, end column values are either:
16064 a. Relative to the start of the last line if (last line != first line).
16065 b. Relative to the start column position if (last line == first line).
16066
16067 The second case is needed so that we can add an appropriate adjustment
16068 to the end column value (just like we do for the start column) when we
16069 link the executable.
16070
16071 5. This is not new to this patch, but it worth noting that the lineCount
16072 values used through this patch has the following meaning:
16073 - a lineCount of 0 means the source for this code block is on 1 line.
16074 - a lineCount of N means there are N + l lines of source.
16075
16076 This interpretation is janky, but was present before this patch. We can
16077 clean that up later in another patch.
16078
16079
16080 * JavaScriptCore.xcodeproj/project.pbxproj:
16081 - In order to implement WebCore::Internals::parserMetaData(), we need to
16082 move some seemingly unrelated header files from the Project section to
16083 the Private section so that they can be #include'd by the forwarding
16084 CodeBlock.h from WebCore.
16085 * bytecode/CodeBlock.cpp:
16086 (JSC::CodeBlock::sourceCodeForTools):
16087 (JSC::CodeBlock::CodeBlock):
16088 * bytecode/UnlinkedCodeBlock.cpp:
16089 (JSC::generateFunctionCodeBlock):
16090 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
16091 - m_isFromGlobalCode is needed to support the exclusion of the open brace /
16092 prepended code for functions created from "global code".
16093 (JSC::UnlinkedFunctionExecutable::link):
16094 (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
16095 (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
16096 * bytecode/UnlinkedCodeBlock.h:
16097 (JSC::UnlinkedFunctionExecutable::create):
16098 (JSC::UnlinkedFunctionExecutable::unlinkedFunctionNameStart):
16099 (JSC::UnlinkedFunctionExecutable::unlinkedBodyStartColumn):
16100 (JSC::UnlinkedFunctionExecutable::unlinkedBodyEndColumn):
16101 (JSC::UnlinkedFunctionExecutable::recordParse):
16102 (JSC::UnlinkedCodeBlock::recordParse):
16103 (JSC::UnlinkedCodeBlock::endColumn):
16104 * bytecompiler/NodesCodegen.cpp:
16105 (JSC::FunctionBodyNode::emitBytecode):
16106 * parser/ASTBuilder.h:
16107 (JSC::ASTBuilder::createFunctionBody):
16108 (JSC::ASTBuilder::setFunctionNameStart):
16109 * parser/Lexer.cpp:
16110 (JSC::::shiftLineTerminator):
16111 - Removed an unused SourceCode Lexer<T>::sourceCode() function.
16112 * parser/Lexer.h:
16113 (JSC::Lexer::positionBeforeLastNewline):
16114 (JSC::Lexer::prevTerminator):
16115 - Added tracking of m_positionBeforeLastNewline in the Lexer to enable us
16116 to exclude the close brace / appended code for functions created from "global
16117 code".
16118 * parser/Nodes.cpp:
16119 (JSC::ProgramNode::ProgramNode):
16120 (JSC::ProgramNode::create):
16121 (JSC::EvalNode::EvalNode):
16122 (JSC::EvalNode::create):
16123 (JSC::FunctionBodyNode::FunctionBodyNode):
16124 (JSC::FunctionBodyNode::create):
16125 (JSC::FunctionBodyNode::setEndPosition):
16126 - setEndPosition() is needed to fixed up the end position so that we can
16127 exclude the close brace / appended code for functions created from "global
16128 code".
16129 * parser/Nodes.h:
16130 (JSC::ProgramNode::startColumn):
16131 (JSC::ProgramNode::endColumn):
16132 (JSC::EvalNode::startColumn):
16133 (JSC::EvalNode::endColumn):
16134 (JSC::FunctionBodyNode::setFunctionNameStart):
16135 (JSC::FunctionBodyNode::functionNameStart):
16136 (JSC::FunctionBodyNode::endColumn):
16137 * parser/Parser.cpp:
16138 (JSC::::parseFunctionBody):
16139 (JSC::::parseFunctionInfo):
16140 * parser/Parser.h:
16141 (JSC::Parser::positionBeforeLastNewline):
16142 (JSC::::parse):
16143 - Subtracted 1 from startColumn here to keep the node column values consistently
16144 base-0. See note 2 above.
16145 (JSC::parse):
16146 * parser/SourceProviderCacheItem.h:
16147 (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
16148 * parser/SyntaxChecker.h:
16149 (JSC::SyntaxChecker::createFunctionBody):
16150 (JSC::SyntaxChecker::setFunctionNameStart):
16151 * runtime/CodeCache.cpp:
16152 (JSC::CodeCache::getGlobalCodeBlock):
16153 (JSC::CodeCache::getProgramCodeBlock):
16154 (JSC::CodeCache::getEvalCodeBlock):
16155 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
16156 * runtime/CodeCache.h:
16157 * runtime/Executable.cpp:
16158 (JSC::ScriptExecutable::newCodeBlockFor):
16159 (JSC::FunctionExecutable::FunctionExecutable):
16160 (JSC::ProgramExecutable::initializeGlobalProperties):
16161 (JSC::FunctionExecutable::fromGlobalCode):
16162 * runtime/Executable.h:
16163 (JSC::ExecutableBase::isEvalExecutable):
16164 (JSC::ExecutableBase::isProgramExecutable):
16165 (JSC::ScriptExecutable::ScriptExecutable):
16166 (JSC::ScriptExecutable::endColumn):
16167 (JSC::ScriptExecutable::recordParse):
16168 (JSC::FunctionExecutable::create):
16169 (JSC::FunctionExecutable::bodyIncludesBraces):
16170 * runtime/FunctionConstructor.cpp:
16171 (JSC::constructFunctionSkippingEvalEnabledCheck):
16172 * runtime/FunctionPrototype.cpp:
16173 (JSC::insertSemicolonIfNeeded):
16174 (JSC::functionProtoFuncToString):
16175 * runtime/JSGlobalObject.cpp:
16176 (JSC::JSGlobalObject::createProgramCodeBlock):
16177 (JSC::JSGlobalObject::createEvalCodeBlock):
16178
2013-11-19 Dean Jackson <dino@apple.com>

        MarkedSpace::resumeAllocating needs to delay release
        https://bugs.webkit.org/show_bug.cgi?id=124596

        Reviewed by Geoffrey Garen.

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::resumeAllocating): Add DelayedReleaseScope protection.

2013-11-19 Mark Hahnenberg <mhahnenberg@apple.com>

        IncrementalSweeper needs to use DelayedReleaseScope too
        https://bugs.webkit.org/show_bug.cgi?id=124558

        Reviewed by Filip Pizlo.

        It does sweeping too, so it needs to use it. Also refactored an
        ASSERT that should have caught this sooner.

        * heap/DelayedReleaseScope.h:
        (JSC::DelayedReleaseScope::isInEffectFor):
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::doSweep):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweep):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::sweep):

2013-11-18 Michael Saboff <msaboff@apple.com>

        ARM64 CRASH: Debug builds crash in emitPointerValidation()
        https://bugs.webkit.org/show_bug.cgi?id=124545

        Reviewed by Filip Pizlo.

        Changed emitPointerValidation() to use pushToSave() and popToRestore() as
        all macro assemblers have an implementation of these functions.

        * jit/ThunkGenerators.cpp:
        (JSC::emitPointerValidation):

2013-11-18 Michael Saboff <msaboff@apple.com>

        ARM64: Update getHostCallReturnValue() to use architected frame pointer register
        https://bugs.webkit.org/show_bug.cgi?id=124520

        Reviewed by Filip Pizlo.

        Changed from using the prior JSC specific x25 callframe register to the ARM64
        architected x29 (fp) register. This change should have been done as part of
        https://bugs.webkit.org/show_bug.cgi?id=123956.

        * jit/JITOperations.cpp:

2013-11-18 Filip Pizlo <fpizlo@apple.com>

        put_to_scope[5] should not point to the structure if it's a variable access, but it should point to the WatchpointSet
        https://bugs.webkit.org/show_bug.cgi?id=124539

        Reviewed by Mark Hahnenberg.

        This is in preparation for getting put_to_scope to directly invalidate the watchpoint set
        on stores, which will allow us to run constant inference on all globals.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/Instruction.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        (JSC::JSScope::abstractResolve):
        * runtime/JSScope.h:
        (JSC::ResolveOp::ResolveOp):
        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::watchpointSet):

2013-11-18 Mark Hahnenberg <mhahnenberg@apple.com>

        APIEntryShims need some love
        https://bugs.webkit.org/show_bug.cgi?id=124540

        Reviewed by Filip Pizlo.

        We were missing them in key places which some other hacking revealed. These could have manifested as
        race conditions for VMs being used in multithreaded environments.

        * API/JSContext.mm:
        (-[JSContext setException:]):
        (-[JSContext wrapperForObjCObject:]):
        (-[JSContext wrapperForJSObject:]):
        * API/JSContextRef.cpp:
        (JSContextGroupRelease):
        (JSGlobalContextRelease):
        * API/JSManagedValue.mm:
        (-[JSManagedValue initWithValue:]):
        (-[JSManagedValue value]):
        * API/JSObjectRef.cpp:
        (JSObjectIsFunction):
        (JSObjectCopyPropertyNames):
        * API/JSValue.mm:
        (containerValueToObject):
        * API/JSWrapperMap.mm:
        (tryUnwrapObjcObject):

2013-11-18 Filip Pizlo <fpizlo@apple.com>

        Allow the FTL debug dumps to include the new size field
        https://bugs.webkit.org/show_bug.cgi?id=124479

        Reviewed by Mark Hahnenberg.

        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::Location::dump):
        * ftl/FTLStackMaps.h:

2013-11-18 peavo@outlook.com <peavo@outlook.com>

        [Win] Link fails when DFG JIT is enabled.
        https://bugs.webkit.org/show_bug.cgi?id=123614

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added new files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.

2013-11-18 Julien Brianceau <jbriance@cisco.com>

        [sh4] Add missing implementation in MacroAssembler to fix build (broken since r159395).
        https://bugs.webkit.org/show_bug.cgi?id=124484

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load8):
        (JSC::MacroAssemblerSH4::branch8):

2013-11-18 Michael Saboff <msaboff@apple.com>

        ARM64 CRASH: Improper offset in getHostCallReturnValue() to access callerFrame in CallFrame
        https://bugs.webkit.org/show_bug.cgi?id=124481

        Reviewed by Mark Lam.

        Fixed the offset to access CallerFrame in the ARM64 version of getHostCallReturnValue() to be 0
        to correspond with the change in CallFrame layout done in r158315.

        * jit/JITOperations.cpp:

2013-11-18 Michael Saboff <msaboff@apple.com>

        Crash in virtualForThunkGenerator generated code on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=124447

        Reviewed by Geoffrey Garen.

        The baseline JIT generates slow path call code with the caller in regT0. The DFG
        generates call code with the caller in nonArgGPR0. The virtualForThunkGenerator
        generates code with the caller in nonArgGPR0. For X86 and X86_64, regT0 and nonArgGPR0
        are the same CPU register, eax. For other platforms this isn't the case. The same
        issue exists for JSVALUE32_64 ports as well, where there also is an issue with the callee
        tag registers being regT1 and nonArgGPR1 in the various locations.

        Changed nonArgGPR0, nonArgGPR1 and nonArgGPR2 for X86 and X86_64 to not match up with
        regT0-2. Changing these registers will cause a crash on all ports should we have a
        similar problem in the future. Changed the DFG call generating code to use regT0 and
        regT1. Now all slow path call code is generated using regT0 and for JSVALUE32_64 regT1.
        Added r12 to X86_64 as a new temp register (regT9) and moved r13 down to regT10.
        The new temp register decreases the likelihood of inadvertent register overlap.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualForThunkGenerator):

2013-11-18 Balazs Kilvady <kilvadyb@homejinni.com>

        Add missing load8/branch8 with AbsoluteAddress parameter to MIPS port.

        [MIPS] Build fails since r159395.
        https://bugs.webkit.org/show_bug.cgi?id=124491

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::load8):
        (JSC::MacroAssemblerMIPS::branch8):

2013-11-18 Csaba Osztrogonác <ossy@webkit.org>

        REGRESSION(r159351): It made zillion tests assert on !CF platforms
        https://bugs.webkit.org/show_bug.cgi?id=124490

        Reviewed by Mark Hahnenberg.

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::sweep):

2013-11-18 Julien Brianceau <jbriance@cisco.com>

        Remove architecture specific code in LowLevelInterpreter.
        https://bugs.webkit.org/show_bug.cgi?id=124501

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter.asm: Use generic path instead of sh4 specific code.
        * llint/LowLevelInterpreter32_64.asm: Merge sh4/mips path with arm path. The
        "move t0, a0" is not needed for arm because t0 == a0 with this architecture.
        * offlineasm/sh4.rb: Handle move opcode with pr register.

2013-11-18 Julien Brianceau <jbriance@cisco.com>

        [arm] Add missing implementation in MacroAssembler to fix build (broken since r159395).
        https://bugs.webkit.org/show_bug.cgi?id=124488

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branch8):

2013-11-17 Julien Brianceau <jbriance@cisco.com>

        [sh4] Fix revertJumpReplacementToBranchPtrWithPatch in MacroAssembler.
        https://bugs.webkit.org/show_bug.cgi?id=124468

        Reviewed by Michael Saboff.

        Current implementation of revertJumpReplacementToBranchPtrWithPatch is wrong in
        the sh4 MacroAssembler part, leading to random instabilities. This patch fixes it
        and also renames the badly named revertJumpToMove to revertJumpReplacementToBranchPtrWithPatch
        in the SH4Assembler.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::revertJumpReplacementToBranchPtrWithPatch):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::replaceWithJump):
        (JSC::SH4Assembler::revertJumpReplacementToBranchPtrWithPatch):

2013-11-16 Filip Pizlo <fpizlo@apple.com>

        Simplify WatchpointSet state tracking
        https://bugs.webkit.org/show_bug.cgi?id=124465

        Reviewed by Sam Weinig.

        We previously represented the state of watchpoint sets using two booleans. But that
        makes it awkward to case over the state.

        We also previously supported a watchpoint set being both watched and invalidated. We
        never used that capability, and its presence was just purely confusing.

        This turns the whole thing into an enum.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branch8):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branch8):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::branch8):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::branch8):
        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::WatchpointSet):
        (JSC::WatchpointSet::add):
        (JSC::WatchpointSet::notifyWriteSlow):
        (JSC::InlineWatchpointSet::inflateSlow):
        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::state):
        (JSC::WatchpointSet::isStillValid):
        (JSC::WatchpointSet::startWatching):
        (JSC::WatchpointSet::notifyWrite):
        (JSC::WatchpointSet::addressOfState):
        (JSC::InlineWatchpointSet::InlineWatchpointSet):
        (JSC::InlineWatchpointSet::hasBeenInvalidated):
        (JSC::InlineWatchpointSet::startWatching):
        (JSC::InlineWatchpointSet::notifyWrite):
        (JSC::InlineWatchpointSet::decodeState):
        (JSC::InlineWatchpointSet::encodeState):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitVarInjectionCheck):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitVarInjectionCheck):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::JSFunction):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::attemptToWatch):
        * runtime/SymbolTable.h:

2013-11-16 Filip Pizlo <fpizlo@apple.com>

        FTL should have an explicit notion of bytecode liveness
        https://bugs.webkit.org/show_bug.cgi?id=124181

        Reviewed by Sam Weinig.

        This makes FTL OSR exit use bytecode liveness analysis to determine which variables
        to include values for. The decision of how to get the values of variables is based on
        forward propagation of MovHints and SetLocals.

        This fixes a bunch of bugs (like https://bugs.webkit.org/show_bug.cgi?id=124138 but
        also others that I noticed when I started writing more targeted tests) and allows us
        to remove some sketchy code.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeBasicBlock.h:
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::isValidRegisterForLiveness):
        (JSC::setForOperand):
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        (JSC::stepOverInstruction):
        (JSC::computeLocalLivenessForBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
        (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
        (JSC::getLivenessInfo):
        (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/BytecodeLivenessAnalysisInlines.h: Added.
        (JSC::operandIsAlwaysLive):
        (JSC::operandThatIsNotAlwaysLiveIsLive):
        (JSC::operandIsLive):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::captureCount):
        (JSC::CodeBlock::captureStart):
        (JSC::CodeBlock::captureEnd):
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::dumpInContext):
        * bytecode/FullBytecodeLiveness.h: Added.
        (JSC::FullBytecodeLiveness::FullBytecodeLiveness):
        (JSC::FullBytecodeLiveness::getOut):
        (JSC::FullBytecodeLiveness::operandIsLive):
        (JSC::FullBytecodeLiveness::getLiveness):
        * dfg/DFGAvailability.cpp: Added.
        (JSC::DFG::Availability::dump):
        (JSC::DFG::Availability::dumpInContext):
        * dfg/DFGAvailability.h: Added.
        (JSC::DFG::Availability::Availability):
        (JSC::DFG::Availability::unavailable):
        (JSC::DFG::Availability::withFlush):
        (JSC::DFG::Availability::withNode):
        (JSC::DFG::Availability::withUnavailableNode):
        (JSC::DFG::Availability::nodeIsUndecided):
        (JSC::DFG::Availability::nodeIsUnavailable):
        (JSC::DFG::Availability::hasNode):
        (JSC::DFG::Availability::node):
        (JSC::DFG::Availability::flushedAt):
        (JSC::DFG::Availability::operator!):
        (JSC::DFG::Availability::operator==):
        (JSC::DFG::Availability::merge):
        (JSC::DFG::Availability::mergeNodes):
        (JSC::DFG::Availability::unavailableMarker):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::Disassembler):
        * dfg/DFGFlushFormat.cpp:
        (WTF::printInternal):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        (JSC::DFG::dataFormatFor):
        * dfg/DFGFlushedAt.cpp:
        (JSC::DFG::FlushedAt::dump):
        * dfg/DFGFlushedAt.h:
        (JSC::DFG::FlushedAt::FlushedAt):
        (JSC::DFG::FlushedAt::merge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::livenessFor):
        (JSC::DFG::Graph::isLiveInBytecode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::baselineCodeBlockFor):
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        * dfg/DFGOSRAvailabilityAnalysisPhase.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGResurrectionForValidationPhase.cpp: Added.
        (JSC::DFG::ResurrectionForValidationPhase::ResurrectionForValidationPhase):
        (JSC::DFG::ResurrectionForValidationPhase::run):
        (JSC::DFG::performResurrectionForValidation):
        * dfg/DFGResurrectionForValidationPhase.h: Added.
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::forFlushFormat):
        * dfg/DFGVariableAccessData.h:
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfGetById):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::gpr):
        (JSC::FTL::Location::fpr):
        (JSC::FTL::Location::directGPR):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileBlock):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileZombieHint):
        (JSC::FTL::LowerDFGToLLVM::compilePutById):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        (JSC::FTL::LowerDFGToLLVM::observeMovHint):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::alloca):
        * ftl/FTLValueSource.cpp: Removed.
        * ftl/FTLValueSource.h: Removed.
        * llvm/LLVMAPIFunctions.h:
        * runtime/DumpContext.cpp:
        (JSC::DumpContext::DumpContext):
        * runtime/DumpContext.h:
        * runtime/Options.h:
        * runtime/SymbolTable.h:
        (JSC::SharedSymbolTable::captureStart):
        (JSC::SharedSymbolTable::captureEnd):
        (JSC::SharedSymbolTable::captureCount):

2013-11-16 Filip Pizlo <fpizlo@apple.com>

        Fix indentation of JSActivation.h.

        Rubber stamped by Mark Hahnenberg.

        * runtime/JSActivation.h:

2013-11-16 Filip Pizlo <fpizlo@apple.com>

        Fix indentation of JSVariableObject.h.

        Rubber stamped by Mark Hahnenberg.

        I'm about to do some damage to this file. I wanted to give it some sanity first.

        * runtime/JSVariableObject.h:

2013-11-16 Julien Brianceau <jbriance@cisco.com>

        [sh4] Fix build (broken since r159346).
        https://bugs.webkit.org/show_bug.cgi?id=124455

        Reviewed by Oliver Hunt.

        Fix LLINT implementation for sh4 architecture to properly handle load and store operations with pr register.

        * offlineasm/sh4.rb:

2013-11-15 Alexey Proskuryakov <ap@apple.com>

        Support exporting symmetric keys as JWK
        https://bugs.webkit.org/show_bug.cgi?id=124442

        Reviewed by Sam Weinig.

        * runtime/JSONObject.h: Export JSONStringify.

2013-11-15 peavo@outlook.com <peavo@outlook.com>

        [Win] JavaScript crashes on 64-bit with JIT enabled.
        https://bugs.webkit.org/show_bug.cgi?id=124409

        Reviewed by Michael Saboff.

        These are issues found with JIT on 64-bit:
        - The registers rsi and rdi in callToJavaScript need to be saved and restored. This is required by the Windows 64-bit ABI.
        - The getHostCallReturnValue function needs to be updated according to its GCC counterpart.
        - The poke argument offset needs to be 20h, because Windows 64-bit ABI requires stack space allocated for the 4 argument registers.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Re-added JITStubsMSVC64.asm to project.
        * jit/CCallHelpers.h: Set poke argument offset.
        (JSC::CCallHelpers::setupArguments): Compile fix, added needed method.
        * jit/JITStubsMSVC64.asm: Save and restore registers rsi and rdi.
        Update getHostCallReturnValue according to the GCC version.

2013-11-14 David Farler <dfarler@apple.com>

        Copy ASAN flag settings to WebCore and JavaScriptCore intermediate build tools
        https://bugs.webkit.org/show_bug.cgi?id=124362

        Reviewed by David Kilzer.

        * Configurations/ToolExecutable.xcconfig:
        Use ASAN_C*FLAGS.

2013-11-15 Mark Hahnenberg <mhahnenberg@apple.com>

        Remove JSChunk
        https://bugs.webkit.org/show_bug.cgi?id=124435

        Reviewed by Geoffrey Garen.

        It's empty and has been since it was added 3 years ago.

        * CMakeLists.txt:
        * runtime/JSChunk.cpp: Removed.
        * runtime/JSChunk.h: Removed.

2013-11-15 Mark Hahnenberg <mhahnenberg@apple.com>

        Remove VTableSpectrum
        https://bugs.webkit.org/show_bug.cgi?id=124427

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::lastChanceToFinalize):
        * heap/Heap.h:
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor):
        * heap/SlotVisitor.cpp:
        (JSC::visitChildren):
        * heap/SlotVisitor.h:
        * heap/VTableSpectrum.cpp: Removed.
        * heap/VTableSpectrum.h: Removed.

2013-11-14 Mark Hahnenberg <mhahnenberg@apple.com>

        -dealloc callbacks from wrapped Objective-C objects can happen at bad times
        https://bugs.webkit.org/show_bug.cgi?id=123821

        Reviewed by Darin Adler.

        Currently with the JSC Obj-C API, JS wrappers for client Obj-C objects retain their associated Obj-C
        object. When they are swept, they release their Obj-C objects which can trigger a call to that
        object's -dealloc method. These -dealloc methods can then call back into the same VM, which is not
        allowed during sweeping or VM shutdown.

        We can handle this case by creating our own pool of Obj-C objects to be released when it is safe to do so.
        This is accomplished by using DelayedReleaseScope, an RAII-style object that will retain all objects
        that are unsafe to release until the end of the DelayedReleaseScope.

        * API/APIShims.h:
        (JSC::APICallbackShim::APICallbackShim):
        (JSC::APICallbackShim::vmForDropAllLocks):
        (JSC::APICallbackShim::execForDropAllLocks):
        * API/JSAPIWrapperObject.mm:
        (JSAPIWrapperObjectHandleOwner::finalize):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::destroy):
        (JSC::ObjCCallbackFunction::destroy):
        * API/tests/testapi.mm:
        (-[TinyDOMNode initWithVirtualMachine:]):
        (-[TinyDOMNode dealloc]):
        (-[TinyDOMNode appendChild:]):
        (-[TinyDOMNode removeChildAtIndex:]):
        (-[EvilAllocationObject initWithContext:]):
        (-[EvilAllocationObject dealloc]):
        (-[EvilAllocationObject doEvilThingsWithContext:]):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/DelayedReleaseScope.h: Added.
        (JSC::DelayedReleaseScope::DelayedReleaseScope):
        (JSC::DelayedReleaseScope::~DelayedReleaseScope):
        (JSC::DelayedReleaseScope::releaseSoon):
        (JSC::MarkedSpace::releaseSoon):
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):
        * heap/Heap.h:
        (JSC::Heap::releaseSoon):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::lastChanceToFinalize):
        (JSC::MarkedSpace::sweep):
        * heap/MarkedSpace.h:

2013-11-15 Michael Saboff <msaboff@apple.com>

        REGRESSION (r158586): callToJavaScript needs to save return PC to Sentinel frame
        https://bugs.webkit.org/show_bug.cgi?id=124420

        Reviewed by Filip Pizlo.

        Save the return PC into the sentinel frame.

        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsX86.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-11-14 Oliver Hunt <oliver@apple.com>

        Make CLoop easier to build, and make it work
        https://bugs.webkit.org/show_bug.cgi?id=124359

        Reviewed by Geoffrey Garen.

        Add --cloop to build-jsc, build-webkit and friends.

        Also make CLoop build and work again - This meant adding a
        couple of missing ENABLE(DFG_JIT) blocks, and fixing a few
        other references.

        * Configurations/FeatureDefines.xcconfig:
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/DFGExitProfile.cpp:
        * dfg/DFGCapabilities.cpp:
        * dfg/DFGCompilationKey.cpp:
        * dfg/DFGCompilationMode.cpp:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):

2013-11-14 Michael Saboff <msaboff@apple.com>

        REGRESSION (r159276): Fix lots of crashes for arm_traditional architecture.
        https://bugs.webkit.org/show_bug.cgi?id=124365

        Reviewed by Oliver Hunt.

        Crashes were caused by a mixup between regular registers and temporary registers in ARM_EXTRA_GPRS.

        * llint/LowLevelInterpreter32_64.asm: Warning, t3 != a3. It's safer to use an implementation using aX
        registers like the MIPS one for cCallX macros.
        * offlineasm/arm.rb: Rearrange ARM_EXTRA_GPRS according to the new register distribution in LLINT.

2013-11-14 Michael Saboff <msaboff@apple.com>

        REGRESSION (r159276): rbp register overwritten in Win 64 version of callToJavascript stub
        https://bugs.webkit.org/show_bug.cgi?id=124361

        Reviewed by Oliver Hunt.

        Swapped operand ordering to: mov rax, rbp

        * jit/JITStubsMSVC64.asm:

168392013-11-14 Julien Brianceau <jbriance@cisco.com>
16840
16841 REGRESSION (r159276): Fix lots of crashes for sh4 architecture.
16842 https://bugs.webkit.org/show_bug.cgi?id=124347
16843
16844 Reviewed by Michael Saboff.
16845
16846 Since r159276, we have (t4 == a0 == r4) and (t5 == a1 == r5) in LLINT for sh4.
16847 This leads to argument register trampling in cCallX macros, especially with cCall2
16848 macro when arg1 == t4.
16849
16850 * llint/LowLevelInterpreter32_64.asm: Use a new "setargs" pseudo-op to setup arguments for sh4.
16851 * offlineasm/instructions.rb:
16852 * offlineasm/sh4.rb: Lower "setargs" pseudo-op to setup argument registers and prevent register trampling issues.
16853
168542013-11-14 Julien Brianceau <jbriance@cisco.com>
16855
16856 Fix build for sh4 architectures (broken since r159276).
16857 https://bugs.webkit.org/show_bug.cgi?id=124344
16858
16859 Reviewed by Csaba Osztrogonác.
16860
16861 * offlineasm/sh4.rb: There is no fp alias for r14 register for sh4.
16862
168632013-11-13 Michael Saboff <msaboff@apple.com>
16864
16865 Change callToJavaScript thunk into an offline assembled stub
16866 https://bugs.webkit.org/show_bug.cgi?id=124251
16867
16868 Reviewed by Geoffrey Garen.
16869
16870 Changed callToJavaScript and throwNotCaught into stubs generated by the offline assembler.
16871 Added popCalleeSaves and pushCalleeSaves pseudo ops to the offline assembler to handle
16872 the saving and restoring of callee save registers. Fixed callFrameRegister differences
16873 between arm traditional (r11) and arm Thumb2 (r7) in GPRInfo.h. Also fixed implementation
16874 of pop & push in arm.rb.
16875
16876 Since the offline assembler and therefore the LLInt don't work on Windows, the Windows stubs
16877 are handled as inline assembly in JITStubsX86.h and JITStubsMSVC64.asm.
16878
16879 * dfg/DFGDriver.cpp:
16880 (JSC::DFG::compileImpl):
16881 * jit/GPRInfo.h:
16882 (JSC::GPRInfo::toIndex):
16883 (JSC::GPRInfo::debugName):
16884 * jit/JITCode.cpp:
16885 (JSC::JITCode::execute):
16886 * jit/JITExceptions.cpp:
16887 (JSC::genericUnwind):
16888 * jit/JITStubs.h:
16889 * jit/JITStubsMSVC64.asm:
16890 * jit/JITStubsX86.h:
16891 * jit/ThunkGenerators.cpp:
16892 * jit/ThunkGenerators.h:
16893 * llint/LLIntThunks.h:
16894 * llint/LowLevelInterpreter.asm:
16895 * llint/LowLevelInterpreter32_64.asm:
16896 * llint/LowLevelInterpreter64.asm:
16897 * offlineasm/arm.rb:
16898 * offlineasm/arm64.rb:
16899 * offlineasm/instructions.rb:
16900 * offlineasm/mips.rb:
16901 * offlineasm/registers.rb:
16902 * offlineasm/sh4.rb:
16903 * offlineasm/x86.rb:
16904 * runtime/VM.cpp:
16905 (JSC::VM::VM):
16906 * runtime/VM.h:
16907
169082013-11-13 Andy Estes <aestes@apple.com>
16909
16910 Fix the ARM64 build after recent JavaScriptCore changes
16911 https://bugs.webkit.org/show_bug.cgi?id=124315
16912
16913 Reviewed by Michael Saboff.
16914
16915 Based on patches by myself, Filip Pizlo, Benjamin Poulain, and Michael Saboff.
16916
16917 * Configurations/JavaScriptCore.xcconfig: Hid the symbol for
16918 std::bad_function_call.
16919 * JavaScriptCore.xcodeproj/project.pbxproj: Marked
16920 MacroAssemblerARM64.h and ARM64Assembler.h as Private headers.
16921 * assembler/ARM64Assembler.h:
16922 (JSC::ARM64Assembler::executableOffsetFor):
16923 * assembler/MacroAssemblerARM64.h: Removed ARM64's executableCopy(),
16924 which was removed from other assembler backends in r157690.
16925 (JSC::MacroAssemblerARM64::shouldBlindForSpecificArch): Added.
16926 (JSC::MacroAssemblerARM64::lshift64): Added.
16927 (JSC::MacroAssemblerARM64::mul64): Added.
16928 (JSC::MacroAssemblerARM64::rshift64): Added.
16929 (JSC::MacroAssemblerARM64::convertInt64ToDouble): Added.
16930 (JSC::MacroAssemblerARM64::branchMul64): Added.
16931 (JSC::MacroAssemblerARM64::branchNeg64): Added.
16932 (JSC::MacroAssemblerARM64::scratchRegisterForBlinding): Added.
16933 * dfg/DFGSpeculativeJIT.cpp:
16934 (JSC::DFG::SpeculativeJIT::compileArithDiv): Changed
16935 SpeculateIntegerOperand to SpeculateInt32Operand,
16936 nodeCanIgnoreNegativeZero() to bytecodeCanIgnoreNegativeZero(), and
16937 nodeUsedAsNumber() to bytecodeUsesAsNumber().
16938 (JSC::DFG::SpeculativeJIT::compileArithMod): Changed
16939 nodeCanIgnoreNegativeZero() to bytecodeCanIgnoreNegativeZero().
16940
169412013-11-13 Oliver Hunt <oliver@apple.com>
16942
16943 Fix debug build.
16944
16945 * parser/Parser.cpp:
16946
169472013-11-13 Tim Horton <timothy_horton@apple.com>
16948
16949 r159210 added a period where there previously wasn't one, breaking >100 tests
16950
16951 Rubber-stamped by Oliver Hunt.
16952
16953 * parser/Parser.cpp:
16954 (JSC::::logError):
16955 Remove the extra period.
16956
169572013-11-13 Oliver Hunt <oliver@apple.com>
16958
16959 REGRESSION (r158014): Many webpages throw stack overflow exceptions on iOS (because Parser::parseMemberExpression uses ~130K more stack)
16960 https://bugs.webkit.org/show_bug.cgi?id=124177
16961
16962 Reviewed by Michael Saboff.
16963
16964 This patch pushes error handling into NEVER_INLINE functions to perform
16965 the actual error message construction. This dramatically reduces the
16966 stack usage of the Parser. For the large functions (such as parseMemberExpression)
16967 the improvement is on the order of 2.5x reduction in stack usage. For
16968 smaller functions the reduction is in the order of 5-6x.
16969
16970 * parser/Parser.cpp:
16971 (JSC::::logError):
16972 * parser/Parser.h:
16973
169742013-11-13 Julien Brianceau <jbriance@cisco.com>
16975
16976 [sh4] Protect repatchCompact from flushConstantPool.
16977 https://bugs.webkit.org/show_bug.cgi?id=124278
16978
16979 Reviewed by Michael Saboff.
16980
16981 Random crashes may occur with sh4 architecture, when a flushConstantPool occurs in
16982 movlMemRegCompact. As in this case a branch opcode and the constant pool are put
16983 before the movlMemRegCompact, the branch itself is patched when calling repatchCompact
16984 instead of the mov instruction, which is really bad.
16985
16986 * assembler/SH4Assembler.h:
16987 (JSC::SH4Assembler::repatchCompact): Handle this specific case and add an ASSERT.
16988
169892013-11-12 Alexey Proskuryakov <ap@apple.com>
16990
16991 Disable WebCrypto on Mountain Lion
16992 https://bugs.webkit.org/show_bug.cgi?id=124261
16993
16994 Rubber-stamped by Sam Weinig.
16995
16996 * Configurations/FeatureDefines.xcconfig:
16997
169982013-11-12 Julien Brianceau <jbriance@cisco.com>
16999
17000 [sh4] Fix load32WithUnalignedHalfWords function in baseline JIT.
17001 https://bugs.webkit.org/show_bug.cgi?id=124233
17002
17003 Reviewed by Michael Saboff.
17004
17005 * assembler/MacroAssemblerSH4.h:
17006 (JSC::MacroAssemblerSH4::load32WithUnalignedHalfWords): Do not claim scratch register too early.
17007 Test already covered by fast/regex/pcre-test-1.
17008
170092013-11-12 Filip Pizlo <fpizlo@apple.com>
17010
17011 Liveness analysis should take less memory in CodeBlock when it is unused
17012 https://bugs.webkit.org/show_bug.cgi?id=124225
17013
17014 Reviewed by Mark Hahnenberg.
17015
17016 Basically, I turned CodeBlock::m_livenessAnalysis into a pointer that is null by
17017 default.
17018
17019 * bytecode/BytecodeLivenessAnalysis.cpp:
17020 (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
17021 (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
17022 (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
17023 (JSC::BytecodeLivenessAnalysis::dumpResults):
17024 (JSC::BytecodeLivenessAnalysis::compute):
17025 * bytecode/BytecodeLivenessAnalysis.h:
17026 * bytecode/CodeBlock.cpp:
17027 (JSC::CodeBlock::CodeBlock):
17028 * bytecode/CodeBlock.h:
17029 (JSC::CodeBlock::livenessAnalysis):
17030
170312013-11-11 Oliver Hunt <oliver@apple.com>
17032
17033 Support unprefixed deconstructing assignment
17034 https://bugs.webkit.org/show_bug.cgi?id=124172
17035
17036 Reviewed by Mark Lam.
17037
17038 Add support for unprefixed deconstructive assignment.
17039
17040 Happily, non-reference types on the left hand side of an assignment
17041 are a runtime error, so we're able to defer validation of the binding
17042 pattern to codegen time when we're already doing a lot more work.
17043
17044 We're also able to predicate our attempt to parse on the existence of
17045 '[' or '{' as they are not as common as other constructs.
17046
17047 * bytecompiler/NodesCodegen.cpp:
17048 (JSC::ArrayPatternNode::emitDirectBinding):
17049 * parser/ASTBuilder.h:
17050 * parser/Parser.cpp:
17051 (JSC::::createBindingPattern):
17052 (JSC::::tryParseDeconstructionPatternExpression):
17053 (JSC::::parseDeconstructionPattern):
17054 (JSC::::parseForStatement):
17055 (JSC::::parseAssignmentExpression):
17056 * parser/Parser.h:
17057 (JSC::Parser::createSavePoint):
17058 (JSC::Parser::restoreSavePoint):
17059 * parser/SyntaxChecker.h:
17060
170612013-11-12 Andy Estes <aestes@apple.com>
17062
17063 Run JavaScriptCore Objective-C API tests on all supported platforms
17064 https://bugs.webkit.org/show_bug.cgi?id=124214
17065
17066 Reviewed by Mark Hahnenberg.
17067
17068 Now that we support the API on iOS and on OS X 10.8, there's no reason
17069 to limit the tests to OS X 10.9 (or greater).
17070
17071 * API/tests/CurrentThisInsideBlockGetterTest.h:
17072 * API/tests/CurrentThisInsideBlockGetterTest.mm:
17073 * API/tests/testapi.mm:
17074
170752013-08-02 Mark Hahnenberg <mhahnenberg@apple.com>
17076
17077 CodeBlocks should be able to determine bytecode liveness
17078 https://bugs.webkit.org/show_bug.cgi?id=118546
17079
17080 Reviewed by Filip Pizlo.
17081
17082 This will simplify some things in the DFG related to OSR exits and determining
17083 which bytecode variables are live at which points during execution. It will
17084 also be useful for making our conservative GC scan more precise. Currently it
17085 doesn't properly account for liveness while the DFG is running, so it will be
17086 off by default behind a runtime Options flag.
17087
17088 * JavaScriptCore.xcodeproj/project.pbxproj:
17089 * bytecode/BytecodeBasicBlock.cpp: Added.
17090 (JSC::isBranch): Used to determine the end of basic blocks.
17091 (JSC::isUnconditionalBranch): Used to determine when a branch at the end of a
17092 basic block can't possibly fall through to the next basic block in program order.
17093 (JSC::isTerminal): Also used to detect the end of a block.
17094 (JSC::isThrow):
17095 (JSC::isJumpTarget): Used to correctly separate basic blocks. Any jump destination
17096 must be the head of its own basic block.
17097 (JSC::linkBlocks): Links two blocks together in a bi-directional fashion.
17098 (JSC::computeBytecodeBasicBlocks): Creates a set of basic blocks given a particular
17099 CodeBlock and links them together.
17100 * bytecode/BytecodeBasicBlock.h: Added.
17101 (JSC::BytecodeBasicBlock::isEntryBlock): Entry blocks are special basic blocks
17102 that indicate the beginning of the function.
17103 (JSC::BytecodeBasicBlock::isExitBlock): Exit blocks are a special basic block that
17104 all blocks that exit the function have as a successor. Entry and exit blocks allow
17105 the various code paths to be more regular.
17106 (JSC::BytecodeBasicBlock::leaderBytecodeOffset): The leader bytecode offset is the
17107 bytecode offset of the first instruction in the block.
17108 (JSC::BytecodeBasicBlock::totalBytecodeLength): The total length of all the bytecodes
17109 in this block.
17110 (JSC::BytecodeBasicBlock::bytecodeOffsets): The bytecode offsets in this particular
17111 basic block. This Vector allows us to iterate over the bytecodes in reverse order
17112 which wouldn't be possible normally since they are of variable size.
17113 (JSC::BytecodeBasicBlock::addPredecessor): Links a block to a specified predecessor.
17114 Only creates one direction of the link.
17115 (JSC::BytecodeBasicBlock::addSuccessor): Same as addPredecessor, but for successors.
17116 (JSC::BytecodeBasicBlock::predecessors): Getter for predecessors.
17117 (JSC::BytecodeBasicBlock::successors): Getter for successors.
17118 (JSC::BytecodeBasicBlock::in): Getter for the liveness info at the head of the block.
17119 (JSC::BytecodeBasicBlock::out): Getter for the liveness info at the tail of the block.
17120 (JSC::BytecodeBasicBlock::BytecodeBasicBlock):
17121 (JSC::BytecodeBasicBlock::addBytecodeLength): When creating basic blocks we call
17122 this function when we want to add the next bytecode in program order to this block.
17123 * bytecode/BytecodeLivenessAnalysis.cpp: Added.
17124 (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
17125 (JSC::numberOfCapturedVariables): Convenience wrapper. Returns the
17126 number of captured variables for a particular CodeBlock, or 0 if
17127 the CodeBlock has no SymbolTable.
17128 (JSC::captureStart): Ditto, but for captureStart().
17129 (JSC::captureEnd): Ditto, but for captureEnd().
17130 (JSC::isValidRegisterForLiveness): Returns true if the liveness analysis should
17131 track the liveness of a particular operand. We ignore constants, arguments, and
17132 captured variables. We ignore arguments because they're live for the duration of
17133 a function call. We ignore captured variables because we also treat them as live
17134 for the duration of the function. This could probably be improved to be more precise,
17135 but it didn't seem worth it for now.
17136 (JSC::setForOperand): Convenience wrapper that sets the bit in the provided bit
17137 vector for the provided operand. It handles skipping over captured variables.
17138 (JSC::computeUsesForBytecodeOffset): Computes which operands are used by a particular bytecode.
17139 (JSC::computeDefsForBytecodeOffset): Computes which operands are defined by a particular
17140 bytecode. Typically this is just the left-most operand.
17141 (JSC::findBasicBlockWithLeaderOffset):
17142 (JSC::findBasicBlockForBytecodeOffset): Scans over basic blocks to find the block
17143 which contains a particular bytecode offset.
17144 (JSC::computeLocalLivenessForBytecodeOffset): Computes block-local liveness from the
17145 bottom of the block until a specified bytecode offset is reached.
17146 (JSC::computeLocalLivenessForBlock): Computes liveness for the entire block and
17147 stores the resulting liveness at the head.
17148 (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint): Runs backward flow liveness
17149 analysis to fixpoint.
17150 (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset):
17151 Slow path to get liveness info for non-captured, non-argument variable.
17152 (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
17153 (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset): Returns the liveness
17154 info for both captured and non-captured vars at a particular bytecode offset.
17155 (JSC::BytecodeLivenessAnalysis::dumpResults): Dumps the output of the liveness analysis.
17156 Controlled by new flag in Options.h/.cpp.
17157 (JSC::BytecodeLivenessAnalysis::compute): Creates bytecode basic blocks and runs
17158 full liveness analysis.
17159 * bytecode/BytecodeLivenessAnalysis.h: Added.
17160 (JSC::BytecodeLivenessAnalysis::hasBeenComputed):
17161 (JSC::BytecodeLivenessAnalysis::computeIfNecessary):
17162 * bytecode/CodeBlock.cpp:
17163 (JSC::CodeBlock::CodeBlock):
17164 * bytecode/CodeBlock.h:
17165 (JSC::CodeBlock::livenessAnalysis):
17166 * bytecode/PreciseJumpTargets.cpp: Refactored to be able to get the jump targets for
17167 a particular bytecode offset for use during bytecode basic block construction.
17168 (JSC::getJumpTargetsForBytecodeOffset):
17169 (JSC::computePreciseJumpTargets):
17170 (JSC::findJumpTargetsForBytecodeOffset):
17171 * bytecode/PreciseJumpTargets.h:
17172 * runtime/Options.cpp:
17173 (JSC::Options::initialize):
17174 * runtime/Options.h:
17175
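Added illustration for the liveness entry above (example code, not JavaScriptCore's and not part of the ChangeLog): a small Python model of the analysis the entry describes. Basic blocks are split at jump targets and after branches and terminals, each block is walked backwards from its tail to compute block-local liveness, the per-block live-in/live-out sets are iterated to a fixpoint, and a query for "is this operand live at this offset" re-walks the containing block the way the slow path described above does. The toy instruction set, register numbering and sample program are constructed for the example; arguments and captured variables, which the JSC analysis skips, are not modelled. A dead-store finder is included to show what the result is good for.

```python
# Added example (not JSC code): backward liveness over bytecode basic blocks.
from dataclasses import dataclass, field

# Toy opcodes (constructed for this example; operands are virtual-register
# indices, jump targets are instruction indices):
#   ("const", dst, value)   dst = value
#   ("mov", dst, src)       dst = src
#   ("add", dst, a, b)      dst = a + b
#   ("dec", reg)            reg = reg - 1
#   ("jfalse", cond, tgt)   branch to tgt if cond is falsy, else fall through
#   ("jmp", tgt)            unconditional branch
#   ("ret", src)            return src (terminal)

def uses_for(instr):
    """Operands read by an instruction (cf. computeUsesForBytecodeOffset)."""
    op = instr[0]
    if op == "add":
        return {instr[2], instr[3]}
    if op == "mov":
        return {instr[2]}
    if op in ("dec", "jfalse", "ret"):
        return {instr[1]}
    return set()

def defs_for(instr):
    """Operands written by an instruction (cf. computeDefsForBytecodeOffset)."""
    return {instr[1]} if instr[0] in ("const", "mov", "add", "dec") else set()

def jump_targets(instr):
    if instr[0] == "jfalse":
        return [instr[2]]
    return [instr[1]] if instr[0] == "jmp" else []

def is_branch(instr):        return instr[0] in ("jfalse", "jmp")
def is_unconditional(instr): return instr[0] == "jmp"
def is_terminal(instr):      return instr[0] == "ret"

@dataclass
class BasicBlock:
    offsets: list                                    # instruction indices, program order
    successors: list = field(default_factory=list)
    predecessors: list = field(default_factory=list)
    live_in: set = field(default_factory=set)        # live at the block head
    live_out: set = field(default_factory=set)       # live at the block tail

def link(pred, succ):
    pred.successors.append(succ)
    succ.predecessors.append(pred)

def compute_basic_blocks(code):
    """Leaders are offset 0, every jump target, and the instruction after a branch/terminal."""
    leaders = {0}
    for i, instr in enumerate(code):
        leaders.update(jump_targets(instr))
        if (is_branch(instr) or is_terminal(instr)) and i + 1 < len(code):
            leaders.add(i + 1)
    starts = sorted(leaders)
    blocks = [BasicBlock(list(range(s, e))) for s, e in zip(starts, starts[1:] + [len(code)])]
    by_leader = {b.offsets[0]: b for b in blocks}
    for b in blocks:
        last_off, last = b.offsets[-1], code[b.offsets[-1]]
        targets = list(jump_targets(last))
        if not is_terminal(last) and not is_unconditional(last) and last_off + 1 < len(code):
            targets.append(last_off + 1)             # fall through to the next block
        for t in targets:
            link(b, by_leader[t])
    return blocks

def local_liveness(code, block, stop_offset):
    """Walk the block backwards from its tail; return what is live just before stop_offset."""
    live = set(block.live_out)
    for off in reversed(block.offsets):
        if off < stop_offset:
            break
        live = (live - defs_for(code[off])) | uses_for(code[off])
    return live

def run_liveness_fixpoint(code, blocks):
    """Backward dataflow: iterate until no block's live-in set changes."""
    changed = True
    while changed:
        changed = False
        for b in reversed(blocks):
            b.live_out = set().union(*(s.live_in for s in b.successors))
            new_in = local_liveness(code, b, b.offsets[0])
            if new_in != b.live_in:
                b.live_in, changed = new_in, True
    return blocks

def analyze(code):
    return run_liveness_fixpoint(code, compute_basic_blocks(code))

def block_for(blocks, offset):
    for b in blocks:
        if b.offsets[0] <= offset <= b.offsets[-1]:
            return b
    raise IndexError(offset)

def live_at(code, blocks, offset):
    """Operands live just before the instruction at offset executes."""
    return local_liveness(code, block_for(blocks, offset), offset)

def operand_is_live_at(code, blocks, operand, offset):
    return operand in live_at(code, blocks, offset)

def live_after(code, blocks, offset):
    b = block_for(blocks, offset)
    return set(b.live_out) if offset == b.offsets[-1] else local_liveness(code, b, offset + 1)

def dead_stores(code, blocks):
    """Offsets whose written operand is not live afterwards."""
    return [off for off, instr in enumerate(code)
            if defs_for(instr) and not (defs_for(instr) & live_after(code, blocks, off))]

# Constructed sample: sum = 0; i = n; while (i) { sum += i; i--; } tmp = 99; return sum
# r0 = n, r1 = sum, r2 = i, r3 = tmp (the store to r3 at offset 6 is dead).
SAMPLE = [
    ("const", 1, 0),     # 0
    ("mov", 2, 0),       # 1
    ("jfalse", 2, 6),    # 2  loop head
    ("add", 1, 1, 2),    # 3
    ("dec", 2),          # 4
    ("jmp", 2),          # 5
    ("const", 3, 99),    # 6  dead store
    ("ret", 1),          # 7
]

if __name__ == "__main__":
    bs = analyze(SAMPLE)
    for b in bs:
        print(b.offsets, "in:", sorted(b.live_in), "out:", sorted(b.live_out))
    print("dead stores at", dead_stores(SAMPLE, bs))
```

The per-offset query deliberately re-walks the block from its tail instead of caching a set per instruction, which is the trade-off the entry makes to keep memory low; a later entry in this log turns the whole analysis into a pointer that is null unless it is needed.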
171762013-11-11 Andy Estes <aestes@apple.com>
17177
17178 [iOS] Define JSC_OBJC_API_ENABLED
17179 https://bugs.webkit.org/show_bug.cgi?id=124192
17180
17181 Reviewed by Geoffrey Garen.
17182
17183 * API/JSBase.h: JSC_OBJC_API_ENABLED should evaluate to true if
17184 TARGET_OS_IPHONE is true.
17185 * API/JSValue.h: Ensure CG types referenced later in the file are defined.
17186
171872013-11-12 Balazs Kilvady <kilvadyb@homejinni.com>
17188
17189 Fix undefined reference issues in JavaScriptCore build.
17190 https://bugs.webkit.org/show_bug.cgi?id=124152
17191
17192 Reviewed by Michael Saboff.
17193
17194 Missing includes added.
17195
17196 * runtime/SymbolTable.cpp:
17197
171982013-11-12 Alexandru Chiculita <achicu@adobe.com>
17199
17200 Web Inspector: Crash when closing the Inspector while debugging an exception inside a breakpoint condition.
17201 https://bugs.webkit.org/show_bug.cgi?id=124078
17202
17203 Reviewed by Joseph Pecoraro.
17204
17205 The crash would happen because the Debugger is not designed to support nested
17206 breaks. For example, when the debugger handles a breakpoint and the Inspector
17207 executes a console command that would hit the breakpoint again, the Debugger
17208 will just ignore the breakpoint.
17209
17210 There were no checks for conditions and actions. Because of that conditions and actions
17211 could trigger exceptions and breakpoints. This patch disables that functionality as it
17212 cannot be supported without a bigger rewrite of the code.
17213
17214 * debugger/Debugger.cpp:
17215 (JSC::TemporaryPausedState::TemporaryPausedState):
17216 (JSC::TemporaryPausedState::~TemporaryPausedState):
17217 (JSC::Debugger::hasBreakpoint):
17218 (JSC::Debugger::pauseIfNeeded):
17219 * debugger/Debugger.h:
17220
172212013-11-12 Julien Brianceau <jbriance@cisco.com>
17222
17223 InvalidIndex shouldn't be private in GPRInfo and FPRInfo for sh4, mips and arm64 architectures.
17224 https://bugs.webkit.org/show_bug.cgi?id=124156
17225
17226 Reviewed by Michael Saboff.
17227
17228 * jit/FPRInfo.h:
17229 (JSC::FPRInfo::debugName):
17230 * jit/GPRInfo.h:
17231 (JSC::GPRInfo::debugName):
17232
172332013-11-11 Andreas Kling <akling@apple.com>
17234
17235 CodeBlock: Un-segment some Vectors.
17236 <https://webkit.org/b/124188>
17237
17238 Turn some SegmentedVectors into Vectors where the final item count
17239 is known at CodeBlock construction time. This removes unnecessary
17240 allocation and indirection.
17241
17242 I've got ~4.5 MB below SegmentedVector<ValueProfile>::ensureSegment
17243 on Membuster3 (peak, before pressure signal) so this should help
17244 take a bit of the edge off there.
17245
17246 Reviewed by Geoffrey Garen.
17247
172482013-11-11 Filip Pizlo <fpizlo@apple.com>
17249
17250 Get rid of the lastResultRegister optimization in the baseline JIT
17251 https://bugs.webkit.org/show_bug.cgi?id=124171
17252
17253 Rubber stamped by Mark Hahnenberg.
17254
17255 The baseline JIT no longer needs amazing throughput. And this optimization has caused
17256 way too many OSR exit bugs. And it constrains how much we can do in the DFG/FTL. So,
17257 I'm getting rid of it.
17258
17259 * dfg/DFGOSRExit.cpp:
17260 (JSC::DFG::OSRExit::OSRExit):
17261 (JSC::DFG::OSRExit::convertToForward):
17262 * dfg/DFGOSRExit.h:
17263 * dfg/DFGOSRExitCompiler32_64.cpp:
17264 (JSC::DFG::OSRExitCompiler::compileExit):
17265 * dfg/DFGOSRExitCompiler64.cpp:
17266 (JSC::DFG::OSRExitCompiler::compileExit):
17267 * dfg/DFGSpeculativeJIT.cpp:
17268 (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
17269 (JSC::DFG::SpeculativeJIT::compileMovHint):
17270 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
17271 * dfg/DFGSpeculativeJIT.h:
17272 * ftl/FTLLowerDFGToLLVM.cpp:
17273 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
17274 (JSC::FTL::LowerDFGToLLVM::compileZombieHint):
17275 (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
17276 (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
17277 (JSC::FTL::LowerDFGToLLVM::observeMovHint):
17278 * ftl/FTLOSRExit.cpp:
17279 (JSC::FTL::OSRExit::OSRExit):
17280 (JSC::FTL::OSRExit::convertToForward):
17281 * ftl/FTLOSRExit.h:
17282 * ftl/FTLOSRExitCompiler.cpp:
17283 (JSC::FTL::compileStub):
17284 * jit/JIT.cpp:
17285 (JSC::JIT::JIT):
17286 (JSC::JIT::privateCompileMainPass):
17287 (JSC::JIT::privateCompileSlowCases):
17288 * jit/JIT.h:
17289 (JSC::JIT::appendCall):
17290 * jit/JITArithmetic32_64.cpp:
17291 (JSC::JIT::emit_op_lshift):
17292 (JSC::JIT::emitRightShift):
17293 (JSC::JIT::emit_op_bitand):
17294 (JSC::JIT::emit_op_bitor):
17295 (JSC::JIT::emit_op_bitxor):
17296 (JSC::JIT::emit_op_inc):
17297 (JSC::JIT::emit_op_dec):
17298 * jit/JITCall.cpp:
17299 (JSC::JIT::emitPutCallResult):
17300 (JSC::JIT::compileLoadVarargs):
17301 * jit/JITInlines.h:
17302 (JSC::JIT::emitGetFromCallFrameHeaderPtr):
17303 (JSC::JIT::emitGetFromCallFrameHeader32):
17304 (JSC::JIT::emitGetFromCallFrameHeader64):
17305 (JSC::JIT::emitLoadTag):
17306 (JSC::JIT::emitLoadPayload):
17307 (JSC::JIT::emitLoad2):
17308 (JSC::JIT::emitGetVirtualRegister):
17309 (JSC::JIT::emitGetVirtualRegisters):
17310 (JSC::JIT::emitPutVirtualRegister):
17311 * jit/JITOpcodes.cpp:
17312 (JSC::JIT::emit_op_mov):
17313 (JSC::JIT::emit_op_catch):
17314 (JSC::JIT::emit_op_new_func):
17315 * jit/JITOpcodes32_64.cpp:
17316 (JSC::JIT::emit_op_mov):
17317 (JSC::JIT::emit_op_to_primitive):
17318 (JSC::JIT::emit_op_to_number):
17319 (JSC::JIT::emit_op_catch):
17320 * jit/JITPropertyAccess.cpp:
17321 (JSC::JIT::emit_op_resolve_scope):
17322 (JSC::JIT::emit_op_get_from_scope):
17323 (JSC::JIT::emit_op_put_to_scope):
17324 * jit/JITPropertyAccess32_64.cpp:
17325 (JSC::JIT::emit_op_get_by_val):
17326 (JSC::JIT::emit_op_get_by_id):
17327 (JSC::JIT::emit_op_get_by_pname):
17328 (JSC::JIT::emitResolveClosure):
17329 (JSC::JIT::emit_op_resolve_scope):
17330 (JSC::JIT::emit_op_get_from_scope):
17331 (JSC::JIT::emit_op_init_global_const):
17332 * jit/SlowPathCall.h:
17333 (JSC::JITSlowPathCall::call):
17334
173352013-11-11 Filip Pizlo <fpizlo@apple.com>
17336
17337 Remove ConstantFoldingPhase's weirdo compile-time optimization
17338 https://bugs.webkit.org/show_bug.cgi?id=124169
17339
17340 Reviewed by Mark Hahnenberg.
17341
17342 It turns out that this compile-time optimization doesn't optimize compile times
17343 anymore. Kill it with fire.
17344
17345 * dfg/DFGConstantFoldingPhase.cpp:
17346 (JSC::DFG::ConstantFoldingPhase::foldConstants):
17347
173482013-11-11 Filip Pizlo <fpizlo@apple.com>
17349
17350 Make bytecode dumping use the right opcode names for inc/dec.
17351
17352 Rubber stamped by Mark Hahnenberg.
17353
17354 * bytecode/CodeBlock.cpp:
17355 (JSC::CodeBlock::dumpBytecode):
17356
173572013-11-10 Filip Pizlo <fpizlo@apple.com>
17358
17359 DFG Int52 boxing code may clobber the source without telling anyone
17360 https://bugs.webkit.org/show_bug.cgi?id=124137
17361
17362 Reviewed by Mark Hahnenberg.
17363
17364 * dfg/DFGSpeculativeJIT64.cpp:
17365 (JSC::DFG::SpeculativeJIT::boxInt52): This is called in places where source is expected to be unchanged. We never call this expecting super-amazing codegen. So, preserve the source's value the dumb way (by recovering it mathematically).
17366 * jit/AssemblyHelpers.h: Document the invariant for boxInt52.
17367 * jsc.cpp:
17368 (GlobalObject::finishCreation): It's been super annoying that sometimes we say noInline() and sometimes we say neverInlineFunction(). The LayoutTests harnesses ensure that we have something called noInline(), but it's great to also ensure that the shell has it.
17369
173702013-11-11 Oliver Hunt <oliver@apple.com>
17371
17372 ExtJS breaks with modern Array.prototype.values API due to use of with()
17373 https://bugs.webkit.org/show_bug.cgi?id=123440
17374
17375 Reviewed by Beth Dakin.
17376
17377 As with our attempt to make Arguments use the Array prototype, ExtJS has
17378 a weird dependency on not adding new APIs to core types. In this case
17379 Array.prototype.values. The fix is to remove it, and push for ES6 to drop
17380 the API.
17381
17382 * runtime/ArrayPrototype.cpp:
17383
173842013-11-11 Gabor Rapcsanyi <rgabor@webkit.org>
17385
17386 Fix CPU(ARM_TRADITIONAL) build after r159039.
17387 https://bugs.webkit.org/show_bug.cgi?id=124149
17388
17389 Reviewed by Geoffrey Garen.
17390
17391 * assembler/ARMAssembler.h:
17392 (JSC::ARMAssembler::firstRegister):
17393 (JSC::ARMAssembler::lastRegister):
17394 (JSC::ARMAssembler::firstFPRegister):
17395 (JSC::ARMAssembler::lastFPRegister):
17396 * assembler/MacroAssemblerARM.h:
17397 * jit/FPRInfo.h:
17398
173992013-11-09 Filip Pizlo <fpizlo@apple.com>
17400
17401 Switch FTL GetById/PutById IC's over to using AnyRegCC
17402 https://bugs.webkit.org/show_bug.cgi?id=124094
17403
17404 Reviewed by Sam Weinig.
17405
17406 This closes the loop on inline caches (IC's) in the FTL. The goal is to have IC's
17407 in LLVM-generated code that are just as efficient (if not more so) than what a
17408 custom JIT could do. As in zero sources of overhead. Not a single extra instruction
17409 or even register allocation pathology. We accomplish this by having two thingies in
17410 LLVM. First is the llvm.experimental.patchpoint intrinsic, which is sort of an
17411 inline machine code snippet that we can fill in with whatever we want and then
17412 modify subsequently. But you have only two choices of how to pass values to a
17413 patchpoint: (1) via the calling convention or (2) via the stackmap. Neither are good
17414 for operands to an IC (like the base pointer for a GetById, for example). (1) is bad
17415 because it results in things being pinned to certain registers a priori; a custom
17416 JIT (like the DFG) will not pin IC operands to any registers a priori but will allow
17417 the register allocator to do whatever it wants. (2) is bad because the operands may
17418 be spilled or may be represented in other crazy ways. You generally want an IC to
17419 have its operands in registers. Also, patchpoints only return values using the
17420 calling convention, which is unfortunate since it pins the return value to a
17421 register a priori. This is where the second thingy comes in: the AnyRegCC. This is
17422 a special calling convention only for use with patchpoints. It means that arguments
17423 passed "by CC" in the patchpoint can be placed in any register, and the register
17424 that gets used is reported as part of the stackmap. It also means that the return
17425 value (if there is one) can be placed in any register, and the stackmap will tell
17426 you which one it was. Thus, patchpoints combined with AnyRegCC mean that you not
17427 only get the kind of self-modifying code that you want for IC's, but you also get
17428 all of the register allocation goodness that a custom JIT would have given you.
17429 Except that you're getting it from LLVM and not a custom JIT. Awesome.
17430
17431 Even though all of the fun stuff is on the LLVM side, this patch was harder than
17432 you'd expect.
17433
17434 First the obvious bits:
17435
17436 - IC patchpoints now use AnyRegCC instead of the C CC. (CC = calling convention.)
17437
17438 - FTL::fixFunctionBasedOnStackMaps() now correctly figures out which registers the
17439 IC is supposed to use instead of assuming C CC argument registers.
17440
17441 And then all of the stuff that broke and that this patch fixes:
17442
17443 - IC sizing based on generating a dummy IC (what FTLInlineCacheSize did) is totally
17444 bad on x86-64, where various register permutations lead to bizarre header bytes
17445 and eclectic SIB encodings. I changed that to have magic constants, for now.
17446
17447 - Slow path calls didn't preserve the CC return register.
17448
17449 - Repatch's scratch register allocation would get totally confused if the operand
17450 registers weren't one of the DFG-style "temp" registers. And by "totally confused"
17451 I mean that it would crash.
17452
17453 - We assumed that r10 is callee-saved. It's not. That one dude's PPT about x86-64
17454 cdecl that I found on the intertubes was not a trustworthy source of information,
17455 apparently.
17456
17457 - Call repatching didn't know that the FTL does its IC slow calls via specially
17458 generated thunks. This was particularly fun to fix: basically, now when we relink
17459 an IC call in the FTL, we use the old call target to find the SlowPathCallKey,
17460 which tells us everything we need to know to generate (or look up) a new thunk for
17461 the new function we want to call.
17462
17463 * assembler/MacroAssemblerCodeRef.h:
17464 (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
17465 (JSC::MacroAssemblerCodePtr::isEmptyValue):
17466 (JSC::MacroAssemblerCodePtr::isDeletedValue):
17467 (JSC::MacroAssemblerCodePtr::hash):
17468 (JSC::MacroAssemblerCodePtr::emptyValue):
17469 (JSC::MacroAssemblerCodePtr::deletedValue):
17470 (JSC::MacroAssemblerCodePtrHash::hash):
17471 (JSC::MacroAssemblerCodePtrHash::equal):
17472 * assembler/MacroAssemblerX86Common.h:
17473 * assembler/RepatchBuffer.h:
17474 (JSC::RepatchBuffer::RepatchBuffer):
17475 (JSC::RepatchBuffer::codeBlock):
17476 * ftl/FTLAbbreviations.h:
17477 (JSC::FTL::setInstructionCallingConvention):
17478 * ftl/FTLCompile.cpp:
17479 (JSC::FTL::fixFunctionBasedOnStackMaps):
17480 * ftl/FTLInlineCacheSize.cpp:
17481 (JSC::FTL::sizeOfGetById):
17482 (JSC::FTL::sizeOfPutById):
17483 * ftl/FTLJITFinalizer.cpp:
17484 (JSC::FTL::JITFinalizer::finalizeFunction):
17485 * ftl/FTLLocation.cpp:
17486 (JSC::FTL::Location::forStackmaps):
17487 * ftl/FTLLocation.h:
17488 * ftl/FTLLowerDFGToLLVM.cpp:
17489 (JSC::FTL::LowerDFGToLLVM::compileGetById):
17490 (JSC::FTL::LowerDFGToLLVM::compilePutById):
17491 * ftl/FTLOSRExitCompiler.cpp:
17492 (JSC::FTL::compileStub):
17493 * ftl/FTLSlowPathCall.cpp:
17494 * ftl/FTLSlowPathCallKey.h:
17495 (JSC::FTL::SlowPathCallKey::withCallTarget):
17496 * ftl/FTLStackMaps.cpp:
17497 (JSC::FTL::StackMaps::Location::directGPR):
17498 (JSC::FTL::StackMaps::Location::restoreInto):
17499 * ftl/FTLStackMaps.h:
17500 * ftl/FTLThunks.h:
17501 (JSC::FTL::generateIfNecessary):
17502 (JSC::FTL::keyForThunk):
17503 (JSC::FTL::Thunks::keyForSlowPathCallThunk):
17504 * jit/FPRInfo.h:
17505 (JSC::FPRInfo::toIndex):
17506 * jit/GPRInfo.h:
17507 (JSC::GPRInfo::toIndex):
17508 (JSC::GPRInfo::debugName):
17509 * jit/RegisterSet.cpp:
17510 (JSC::RegisterSet::calleeSaveRegisters):
17511 * jit/RegisterSet.h:
17512 (JSC::RegisterSet::filter):
17513 * jit/Repatch.cpp:
17514 (JSC::readCallTarget):
17515 (JSC::repatchCall):
17516 (JSC::repatchByIdSelfAccess):
17517 (JSC::tryCacheGetByID):
17518 (JSC::tryCachePutByID):
17519 (JSC::tryBuildPutByIdList):
17520 (JSC::resetGetByID):
17521 (JSC::resetPutByID):
17522 * jit/ScratchRegisterAllocator.h:
17523 (JSC::ScratchRegisterAllocator::lock):
17524
175252013-11-10 Oliver Hunt <oliver@apple.com>
17526
17527 Implement Set iterators
17528 https://bugs.webkit.org/show_bug.cgi?id=124129
17529
17530 Reviewed by Antti Koivisto.
17531
17532 Add Set iterator classes and implementations
17533
17534 * JavaScriptCore.xcodeproj/project.pbxproj:
17535 * runtime/CommonIdentifiers.h:
17536 * runtime/JSGlobalObject.cpp:
17537 * runtime/JSGlobalObject.h:
17538 * runtime/JSSetIterator.cpp: Added.
17539 (JSC::JSSetIterator::finishCreation):
17540 (JSC::JSSetIterator::visitChildren):
17541 (JSC::JSSetIterator::createPair):
17542 * runtime/JSSetIterator.h: Added.
17543 (JSC::JSSetIterator::createStructure):
17544 (JSC::JSSetIterator::create):
17545 (JSC::JSSetIterator::next):
17546 (JSC::JSSetIterator::JSSetIterator):
17547 * runtime/SetIteratorConstructor.cpp: Added.
17548 (JSC::SetIteratorConstructor::finishCreation):
17549 * runtime/SetIteratorConstructor.h: Added.
17550 (JSC::SetIteratorConstructor::create):
17551 (JSC::SetIteratorConstructor::createStructure):
17552 (JSC::SetIteratorConstructor::SetIteratorConstructor):
17553 * runtime/SetIteratorPrototype.cpp: Added.
17554 (JSC::SetIteratorPrototype::finishCreation):
17555 (JSC::SetIteratorPrototypeFuncIterator):
17556 (JSC::SetIteratorPrototypeFuncNext):
17557 * runtime/SetIteratorPrototype.h: Added.
17558 (JSC::SetIteratorPrototype::create):
17559 (JSC::SetIteratorPrototype::createStructure):
17560 (JSC::SetIteratorPrototype::SetIteratorPrototype):
17561 * runtime/SetPrototype.cpp:
17562 (JSC::SetPrototype::finishCreation):
17563 (JSC::setProtoFuncValues):
17564 (JSC::setProtoFuncEntries):
17565 (JSC::setProtoFuncKeys):
17566
175672013-11-09 Oliver Hunt <oliver@apple.com>
17568
17569 Add Map Iterators
17570 https://bugs.webkit.org/show_bug.cgi?id=124109
17571
17572 Reviewed by Andreas Kling.
17573
17574 Added new Map iterator implementation. This is a mostly boilerplate patch;
17575 however, there's a little bit of additional logic added to the MapData iterator
17576 to deal with the possibility of map mutation between creation of the iterator
17577 and use of it. We'll be able to improve the performance of this substantially
17578 by using intrinsics, however I'm pondering coming up with a better way to define
17579 these thunks without requiring so much duplicated logic.
17580
17581 * CMakeLists.txt:
17582 * GNUmakefile.list.am:
17583 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
17584 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
17585 * JavaScriptCore.xcodeproj/project.pbxproj:
17586 * runtime/CommonIdentifiers.h:
17587 * runtime/JSGlobalObject.cpp:
17588 * runtime/JSGlobalObject.h:
17589 * runtime/JSMapIterator.cpp: Added.
17590 (JSC::JSMapIterator::finishCreation):
17591 (JSC::JSMapIterator::visitChildren):
17592 (JSC::JSMapIterator::createPair):
17593 * runtime/JSMapIterator.h: Added.
17594 (JSC::JSMapIterator::createStructure):
17595 (JSC::JSMapIterator::create):
17596 (JSC::JSMapIterator::next):
17597 (JSC::JSMapIterator::JSMapIterator):
17598 * runtime/MapData.h:
17599 (JSC::MapData::const_iterator::ensureSlot):
17600 * runtime/MapIteratorConstructor.cpp: Added.
17601 (JSC::MapIteratorConstructor::finishCreation):
17602 * runtime/MapIteratorConstructor.h: Added.
17603 (JSC::MapIteratorConstructor::create):
17604 (JSC::MapIteratorConstructor::createStructure):
17605 (JSC::MapIteratorConstructor::MapIteratorConstructor):
17606 * runtime/MapIteratorPrototype.cpp: Added.
17607 (JSC::MapIteratorPrototype::finishCreation):
17608 (JSC::MapIteratorPrototypeFuncIterator):
17609 (JSC::MapIteratorPrototypeFuncNext):
17610 * runtime/MapIteratorPrototype.h: Added.
17611 (JSC::MapIteratorPrototype::create):
17612 (JSC::MapIteratorPrototype::createStructure):
17613 (JSC::MapIteratorPrototype::MapIteratorPrototype):
17614 * runtime/MapPrototype.cpp:
17615 (JSC::MapPrototype::finishCreation):
17616 (JSC::mapProtoFuncValues):
17617 (JSC::mapProtoFuncEntries):
17618 (JSC::mapProtoFuncKeys):
17619
176202013-11-08 Zan Dobersek <zdobersek@igalia.com>
17621
17622 Unreviewed GTK build fix.
17623
17624 * GNUmakefile.list.am: Remove redundant build targets.
17625
176262013-11-08 Filip Pizlo <fpizlo@apple.com>
17627
17628 Remove dead FTL C ABI support
17629 https://bugs.webkit.org/show_bug.cgi?id=124100
17630
17631 Reviewed by Jer Noble.
17632
17633 * JavaScriptCore.xcodeproj/project.pbxproj:
17634 * ftl/FTLCArgumentGetter.cpp: Removed.
17635 * ftl/FTLCArgumentGetter.h: Removed.
17636 * ftl/FTLOSRExitCompiler.cpp:
17637 * jit/FPRInfo.h:
17638
176392013-11-08 Filip Pizlo <fpizlo@apple.com>
17640
17641 FTL should support Phantom(FinalObject:)
17642 https://bugs.webkit.org/show_bug.cgi?id=124092
17643
17644 Reviewed by Oliver Hunt.
17645
17646 * ftl/FTLAbstractHeapRepository.h:
17647 * ftl/FTLCapabilities.cpp:
17648 (JSC::FTL::canCompile):
17649 * ftl/FTLLowerDFGToLLVM.cpp:
17650 (JSC::FTL::LowerDFGToLLVM::speculate):
17651 (JSC::FTL::LowerDFGToLLVM::isType):
17652 (JSC::FTL::LowerDFGToLLVM::isNotType):
17653 (JSC::FTL::LowerDFGToLLVM::speculateFinalObject):
17654
176552013-11-08 Filip Pizlo <fpizlo@apple.com>
17656
17657 Get rid of the FTL tail call APIs since they are unused
17658 https://bugs.webkit.org/show_bug.cgi?id=124093
17659
17660 Reviewed by Oliver Hunt.
17661
17662 * ftl/FTLAbbreviations.h:
17663 (JSC::FTL::buildCall):
17664 * ftl/FTLOutput.h:
17665
176662013-11-08 Filip Pizlo <fpizlo@apple.com>
17667
17668 FTL should support AllocatePropertyStorage
17669 https://bugs.webkit.org/show_bug.cgi?id=124086
17670
17671 Reviewed by Oliver Hunt.
17672
17673 Also rationalized some offsets in the DFG.
17674
17675 * dfg/DFGSpeculativeJIT.cpp:
17676 (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
17677 (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
17678 * ftl/FTLCapabilities.cpp:
17679 (JSC::FTL::canCompile):
17680 * ftl/FTLIntrinsicRepository.h:
17681 * ftl/FTLLowerDFGToLLVM.cpp:
17682 (JSC::FTL::LowerDFGToLLVM::compileNode):
17683 (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
17684
176852013-11-08 Filip Pizlo <fpizlo@apple.com>
17686
17687 Get rid of the bizarre Darwin/x86-only MacroAssembler::shouldBlindForSpecificArch(uintptr_t) overload
17688 https://bugs.webkit.org/show_bug.cgi?id=124087
17689
17690 Reviewed by Michael Saboff.
17691
17692 * assembler/MacroAssembler.h:
17693 (JSC::MacroAssembler::shouldBlindPointerForSpecificArch):
17694 (JSC::MacroAssembler::shouldBlind):
17695 * assembler/MacroAssemblerX86Common.h:
17696 (JSC::MacroAssemblerX86Common::shouldBlindForSpecificArch):
17697
176982013-11-08 Filip Pizlo <fpizlo@apple.com>
17699
17700 FTL should support NewArrayBuffer
17701 https://bugs.webkit.org/show_bug.cgi?id=124067
17702
17703 Reviewed by Michael Saboff.
17704
17705 This expanded coverage and revealed some bugs.
17706
17707 This revealed a bug in FTL::OSRExitCompiler where it was assuming that it could save
17708 the framePointer in regT3 even though DFG::reifyInlinedCallFrames() would clobber it.
17709 It turns out that this can be fixed by just completely restoring the stack prior to
17710 doing reifyInlinedCallFrames().
17711
17712 I used this as an opportunity to simplify NewArray. That revealed a bug; whenever we say
17713 lowJSValue() in there we need to use ManualOperandSpeculation since we're using it to
17714 rebox values even when we also have to do some speculations. The speculations are done
17715 at the top of compileNewArray().
17716
17717 This also revealed a bug in StringCharAt() for the OOB case.
17718
17719 * ftl/FTLAbstractHeapRepository.h:
17720 (JSC::FTL::AbstractHeapRepository::forIndexingType):
17721 * ftl/FTLCapabilities.cpp:
17722 (JSC::FTL::canCompile):
17723 * ftl/FTLIntrinsicRepository.h:
17724 * ftl/FTLLowerDFGToLLVM.cpp:
17725 (JSC::FTL::LowerDFGToLLVM::compileNode):
17726 (JSC::FTL::LowerDFGToLLVM::compileNewArray):
17727 (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
17728 (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
17729 * ftl/FTLOSRExitCompiler.cpp:
17730 (JSC::FTL::compileStub):
17731
177322013-11-08 Filip Pizlo <fpizlo@apple.com>
17733
17734 It should be easy to disable blinding on a per-architecture basis
17735 https://bugs.webkit.org/show_bug.cgi?id=124083
17736
17737 Reviewed by Michael Saboff.
17738
17739 * assembler/AbstractMacroAssembler.h:
17740 (JSC::AbstractMacroAssembler::haveScratchRegisterForBlinding):
17741 (JSC::AbstractMacroAssembler::scratchRegisterForBlinding):
17742 (JSC::AbstractMacroAssembler::canBlind):
17743 (JSC::AbstractMacroAssembler::shouldBlindForSpecificArch):
17744 * assembler/MacroAssembler.h:
17745 (JSC::MacroAssembler::shouldBlind):
17746 (JSC::MacroAssembler::store32):
17747 (JSC::MacroAssembler::branch32):
17748 (JSC::MacroAssembler::branchAdd32):
17749 (JSC::MacroAssembler::branchMul32):
17750 * assembler/MacroAssemblerX86Common.h:
17751 (JSC::MacroAssemblerX86Common::canBlind):
17752 * assembler/MacroAssemblerX86_64.h:
17753 (JSC::MacroAssemblerX86_64::haveScratchRegisterForBlinding):
17754
177552013-11-08 Oliver Hunt <oliver@apple.com>
17756
17757 Remove more accidentally added files.
17758
17759 * runtime/SetIteratorConstructor.cpp: Removed.
17760 * runtime/SetIteratorConstructor.h: Removed.
17761 * runtime/SetIteratorPrototype.cpp: Removed.
17762 * runtime/SetIteratorPrototype.h: Removed.
17763
177642013-11-08 Oliver Hunt <oliver@apple.com>
17765
17766 Remove accidentally added files.
17767
17768 * runtime/JSSetIterator.cpp: Removed.
17769 * runtime/JSSetIterator.h: Removed.
17770
177712013-11-08 Oliver Hunt <oliver@apple.com>
17772
17773 Fix minor (unobservable) bug in ArrayIterator::next()
17774 https://bugs.webkit.org/show_bug.cgi?id=124061
17775
17776 Reviewed by Beth Dakin.
17777
17778 I noticed this while reading the array iterator code. Due to how
17779 ArrayIterator::next() and our enumeration behaviour is implemented
17780 this is not actually a code path that can be hit. But in order to
17781 future-proof this, it should be correct.
17782
17783 * runtime/JSArrayIterator.cpp:
17784 (JSC::arrayIteratorNext):
17785
177862013-11-08 Mark Lam <mark.lam@apple.com>
17787
17788 Move breakpoint (and exception break) functionality into JSC::Debugger.
17789 https://bugs.webkit.org/show_bug.cgi?id=121796.
17790
17791 Reviewed by Geoffrey Garen.
17792
17793 - In ScriptDebugServer and JSC::Debugger, SourceID and BreakpointID are
17794 now numeric tokens.
17795
17796 - JSC::Debugger now tracks user defined breakpoints in a JSC::Breakpoint
17797 record. Previously, this info was tracked in the ScriptBreakpoint record
17798 in ScriptDebugServer. The only element of ScriptBreakpoint that is not
17799 being tracked by JSC::Breakpoint is the ScriptBreakpointAction.
17800 The ScriptBreakpointAction is still tracked by the ScriptDebugServer
17801 in a list keyed on the corresponding BreakpointID.
17802 The ScriptBreakpoint record is now only used as a means of passing
17803 breakpoint parameters to the ScriptDebugServer.
17804
17805 - ScriptDebugServer now no longer accesses the JSC::CallFrame* directly.
17806 It always goes through the DebuggerCallFrame.
17807
17808 * GNUmakefile.list.am:
17809 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
17810 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
17811 * JavaScriptCore.xcodeproj/project.pbxproj:
17812 * debugger/Breakpoint.h: Added.
17813 (JSC::Breakpoint::Breakpoint):
17814 - Breakpoint class to track info for each breakpoint in JSC::Debugger.
17815 * debugger/Debugger.cpp:
17816 (JSC::DebuggerCallFrameScope::DebuggerCallFrameScope):
17817 (JSC::DebuggerCallFrameScope::~DebuggerCallFrameScope):
17818 (JSC::Debugger::Debugger):
17819 (JSC::Debugger::detach):
17820 (JSC::Debugger::updateNeedForOpDebugCallbacks):
17821 (JSC::Debugger::setBreakpoint):
17822 (JSC::Debugger::removeBreakpoint):
17823 (JSC::Debugger::hasBreakpoint):
17824 (JSC::Debugger::clearBreakpoints):
17825 (JSC::Debugger::setBreakpointsActivated):
17826 (JSC::Debugger::setPauseOnExceptionsState):
17827 (JSC::Debugger::setPauseOnNextStatement):
17828 (JSC::Debugger::breakProgram):
17829 (JSC::Debugger::continueProgram):
17830 (JSC::Debugger::stepIntoStatement):
17831 (JSC::Debugger::stepOverStatement):
17832 (JSC::Debugger::stepOutOfFunction):
17833 (JSC::Debugger::updateCallFrame):
17834 (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
17835 (JSC::Debugger::pauseIfNeeded):
17836 (JSC::Debugger::exception):
17837 (JSC::Debugger::atStatement):
17838 (JSC::Debugger::callEvent):
17839 (JSC::Debugger::returnEvent):
17840 (JSC::Debugger::willExecuteProgram):
17841 (JSC::Debugger::didExecuteProgram):
17842 (JSC::Debugger::didReachBreakpoint):
17843 (JSC::Debugger::currentDebuggerCallFrame):
17844 * debugger/Debugger.h:
17845 * debugger/DebuggerCallFrame.cpp:
17846 (JSC::DebuggerCallFrame::sourceID):
17847 (JSC::DebuggerCallFrame::sourceIDForCallFrame):
17848 * debugger/DebuggerCallFrame.h:
17849 * debugger/DebuggerPrimitives.h: Added.
17850 - define SourceID, noSourceID, BreakpointID, and noBreakpointID.
17851
178522013-11-08 Oliver Hunt <oliver@apple.com>
17853
17854 Map.forEach crashes on deleted values
17855 https://bugs.webkit.org/show_bug.cgi?id=124017
17856
17857 Reviewed by Ryosuke Niwa.
17858
17859 MapData iterator did not consider the case of the first entries
17860 being holes. To fix this I've refactored iteration so that we
17861 can perform an initialisation increment on construction, while
17862 retaining the useful assertion in MapData::const_iterator::operator++
17863
17864 * runtime/MapData.h:
17865 (JSC::MapData::const_iterator::operator++):
17866 (JSC::MapData::const_iterator::internalIncrement):
17867 (JSC::MapData::const_iterator::const_iterator):
17868
178692013-11-08 Julien Brianceau <jbriance@cisco.com>
17870
17871 REGRESSION(r158883): Fix crashes for ARM architecture.
17872 https://bugs.webkit.org/show_bug.cgi?id=124038
17873
17874 Reviewed by Michael Saboff.
17875
17876 * jit/GPRInfo.h: Remove r11 from the temporary register set, use a free register for
17877 nonPreservedNonReturnGPR and remove obsolete declaration of bucketCounterRegister.
17878 (JSC::GPRInfo::toRegister):
17879 (JSC::GPRInfo::toIndex):
17880 * jit/JITOperations.cpp: Frame pointer register is r11 for ARM_TRADITIONAL and
17881 r7 for ARM_THUMB2 instead of r5 since r158883.
17882
178832013-11-08 Julien Brianceau <jbriance@cisco.com>
17884
17885 REGRESSION(r158883): Fix crashes for MIPS architecture.
17886 https://bugs.webkit.org/show_bug.cgi?id=124044
17887
17888 Reviewed by Michael Saboff.
17889
17890 * jit/JITOperations.cpp: Frame pointer register is fp instead of s0 since r158883 for MIPS.
17891 * jit/ThunkGenerators.cpp: Save and restore the new frame pointer register.
17892 (JSC::returnFromJavaScript):
17893 (JSC::callToJavaScript):
17894
178952013-11-08 peavo@outlook.com <peavo@outlook.com>
17896
17897 [Win] JavaScript crash in getHostCallReturnValue.
17898 https://bugs.webkit.org/show_bug.cgi?id=124040
17899
17900 Reviewed by Geoffrey Garen.
17901
17902 * jit/JITOperations.cpp: Update MSVC assembler code in getHostCallReturnValue according to gcc x86 version.
17903
179042013-11-08 Julien Brianceau <jbriance@cisco.com>
17905
17906 [mips] Fix typo (introduced in r158751).
17907 https://bugs.webkit.org/show_bug.cgi?id=124033.
17908
17909 Reviewed by Csaba Osztrogonác.
17910
17911 * jit/ThunkGenerators.cpp:
17912 (JSC::callToJavaScript):
17913
179142013-11-08 Julien Brianceau <jbriance@cisco.com>
17915
17916 [arm] Use specific PatchableJump implementation for CPU(ARM_TRADITIONAL).
17917 https://bugs.webkit.org/show_bug.cgi?id=123891
17918
17919 Reviewed by Michael Saboff.
17920
17921 Although patchableBranch32 is implemented in MacroAssemblerARM.h, the used implementation
17922 is the generic one in MacroAssembler.h. This patch fixes it and also implements the
17923 patchableJump() function for CPU(ARM_TRADITIONAL). These specific implementations are
17924 needed for this architecture backend to ensure that these jumps can be relinked.
17925
17926 * assembler/MacroAssembler.h:
17927 * assembler/MacroAssemblerARM.h:
17928 (JSC::MacroAssemblerARM::patchableJump):
17929 * jit/GPRInfo.h: Remove static_cast that are generating warnings in debug builds.
17930 (JSC::GPRInfo::toIndex):
17931 (JSC::GPRInfo::debugName):
17932
179332013-11-07 Mark Lam <mark.lam@apple.com>
17934
17935 Get rid of the regT* definitions in JSInterfaceJIT.h.
17936 https://bugs.webkit.org/show_bug.cgi?id=123806.
17937
17938 Reviewed by Geoffrey Garen.
17939
17940 JSInterfaceJIT now inherits from GPRInfo and FPRInfo, and relies on them
17941 to provide all the register definitions.
17942
17943 * jit/GPRInfo.h:
17944 (JSC::GPRInfo::toArgumentRegister):
17945 * jit/JIT.cpp:
17946 (JSC::JIT::emitEnterOptimizationCheck):
17947 (JSC::JIT::privateCompile):
17948 * jit/JITArithmetic.cpp:
17949 (JSC::JIT::emit_compareAndJumpSlow):
17950 * jit/JITArithmetic32_64.cpp:
17951 (JSC::JIT::emit_compareAndJumpSlow):
17952 * jit/JITCall.cpp:
17953 (JSC::JIT::compileLoadVarargs):
17954 * jit/JITCall32_64.cpp:
17955 (JSC::JIT::compileLoadVarargs):
17956 * jit/JITInlines.h:
17957 (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
17958 (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
17959 * jit/JITOpcodes.cpp:
17960 (JSC::JIT::emit_op_end):
17961 (JSC::JIT::emitSlow_op_new_object):
17962 (JSC::JIT::emit_op_ret):
17963 (JSC::JIT::emit_op_ret_object_or_this):
17964 (JSC::JIT::emit_op_throw):
17965 (JSC::JIT::emit_op_get_pnames):
17966 (JSC::JIT::emit_op_switch_imm):
17967 (JSC::JIT::emit_op_switch_char):
17968 (JSC::JIT::emit_op_switch_string):
17969 (JSC::JIT::emit_op_create_activation):
17970 (JSC::JIT::emit_op_create_arguments):
17971 (JSC::JIT::emitSlow_op_jfalse):
17972 (JSC::JIT::emitSlow_op_jtrue):
17973 (JSC::JIT::emitSlow_op_eq):
17974 (JSC::JIT::emitSlow_op_neq):
17975 (JSC::JIT::emitSlow_op_get_argument_by_val):
17976 (JSC::JIT::emitSlow_op_loop_hint):
17977 * jit/JITOpcodes32_64.cpp:
17978 (JSC::JIT::privateCompileCTINativeCall):
17979 (JSC::JIT::emit_op_end):
17980 (JSC::JIT::emitSlow_op_new_object):
17981 (JSC::JIT::emitSlow_op_jfalse):
17982 (JSC::JIT::emitSlow_op_jtrue):
17983 (JSC::JIT::emitSlow_op_eq):
17984 (JSC::JIT::emitSlow_op_neq):
17985 (JSC::JIT::emit_op_throw):
17986 (JSC::JIT::emit_op_get_pnames):
17987 (JSC::JIT::emit_op_switch_imm):
17988 (JSC::JIT::emit_op_switch_char):
17989 (JSC::JIT::emit_op_switch_string):
17990 (JSC::JIT::emit_op_create_activation):
17991 (JSC::JIT::emit_op_create_arguments):
17992 (JSC::JIT::emitSlow_op_get_argument_by_val):
17993 * jit/JSInterfaceJIT.h:
17994 (JSC::JSInterfaceJIT::JSInterfaceJIT):
17995 * jit/SlowPathCall.h:
17996 (JSC::JITSlowPathCall::call):
17997 * jit/ThunkGenerators.cpp:
17998
179992013-11-07 Filip Pizlo <fpizlo@apple.com>
18000
18001 FTL should support NewArray
18002 https://bugs.webkit.org/show_bug.cgi?id=124010
18003
18004 Reviewed by Oliver Hunt.
18005
18006 * ftl/FTLCapabilities.cpp:
18007 (JSC::FTL::canCompile):
18008 * ftl/FTLIntrinsicRepository.h:
18009 * ftl/FTLLowerDFGToLLVM.cpp:
18010 (JSC::FTL::LowerDFGToLLVM::compileNode):
18011 (JSC::FTL::LowerDFGToLLVM::compileNewObject):
18012 (JSC::FTL::LowerDFGToLLVM::compileNewArray):
18013 (JSC::FTL::LowerDFGToLLVM::allocateCell):
18014 (JSC::FTL::LowerDFGToLLVM::allocateObject):
18015 (JSC::FTL::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
18016 (JSC::FTL::LowerDFGToLLVM::ArrayValues::ArrayValues):
18017 (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
18018 * ftl/FTLOutput.h:
18019 (JSC::FTL::Output::loadDouble):
18020 (JSC::FTL::Output::storeDouble):
18021
180222013-11-07 Michael Saboff <msaboff@apple.com>
18023
18024 Change CallFrameRegister to architected frame pointer register
18025 https://bugs.webkit.org/show_bug.cgi?id=123956
18026
18027 Reviewed by Geoffrey Garen.
18028
18029 Changed X86 and ARM variants as well as MIPS to use their respective architected
18030 frame pointer registers. The freed up callFrameRegisters are made available to
18031 the DFG register allocator. Modified the FTL OSR exit compiler to use a temporary
18032 register as a stand in for the destination callFrameRegister since the FTL frame
18033 pointer register is needed to extract values from the FTL stack.
18036
18037 * assembler/ARMAssembler.h:
18038 * assembler/ARMv7Assembler.h:
18039 * assembler/MacroAssemblerMIPS.h:
18040 * ftl/FTLOSRExitCompiler.cpp:
18041 (JSC::FTL::compileStub):
18042 * jit/AssemblyHelpers.h:
18043 (JSC::AssemblyHelpers::addressFor):
18044 * jit/GPRInfo.h:
18045 (JSC::GPRInfo::toRegister):
18046 (JSC::GPRInfo::toIndex):
18047 * jit/JITOperations.cpp:
18048 * jit/JSInterfaceJIT.h:
18049 * jit/ThunkGenerators.cpp:
18050 (JSC::callToJavaScript):
18051 * offlineasm/arm.rb:
18052 * offlineasm/arm64.rb:
18053 * offlineasm/mips.rb:
18054 * offlineasm/x86.rb:
18055
180562013-11-07 Oliver Hunt <oliver@apple.com>
18057
18058 Reproducible crash when using Map (affects Web Inspector)
18059 https://bugs.webkit.org/show_bug.cgi?id=123940
18060
18061 Reviewed by Geoffrey Garen.
18062
18063 Trivial fix. Once again we get bitten by attempting to be clever when
18064 growing while adding entries to indexing maps.
18065
18066 Now we simply do a find(), and then add() _after_ we've ensured there is
18067 sufficient space in the MapData list.
18068
18069 * runtime/MapData.cpp:
18070 (JSC::MapData::add):
18071
180722013-11-07 Mark Lam <mark.lam@apple.com>
18073
18074 Cosmetic: rename xxxId to xxxID for ScriptId, SourceId, and BreakpointId.
18075 https://bugs.webkit.org/show_bug.cgi?id=123945.
18076
18077 Reviewed by Geoffrey Garen.
18078
18079 * debugger/DebuggerCallFrame.cpp:
18080 (JSC::DebuggerCallFrame::sourceID):
18081 (JSC::DebuggerCallFrame::sourceIDForCallFrame):
18082 * debugger/DebuggerCallFrame.h:
18083
180842013-11-07 Michael Saboff <msaboff@apple.com>
18085
18086 returnFromJavaScript() for ARM_THUMB2 uses push()s which should be pop()s
18087 https://bugs.webkit.org/show_bug.cgi?id=124006
18088
18089 Rubber stamped by Mark Hahnenberg.
18090
18091 Changed the push() calls to pop().
18092
18093 * jit/ThunkGenerators.cpp:
18094 (JSC::returnFromJavaScript):
18095
180962013-11-07 Michael Saboff <msaboff@apple.com>
18097
18098 Remove unneeded moving of ESP to ECX in callToJavaScript for COMPILER(MSVC)
18099 https://bugs.webkit.org/show_bug.cgi?id=123998
18100
18101 Reviewed by Mark Lam.
18102
18103 Dead code removal. Passing esp as the first "C" argument to a JavaScript
18104 function is no longer needed.
18105
18106 * jit/ThunkGenerators.cpp:
18107 (JSC::callToJavaScript):
18108
181092013-11-07 Julien Brianceau <jbriance@cisco.com>
18110
18111 Fix build for architectures with 4 argument registers (broken since r158820).
18112 https://bugs.webkit.org/show_bug.cgi?id=123969
18113
18114 Reviewed by Andreas Kling.
18115
18116 * jit/CCallHelpers.h:
18117 (JSC::CCallHelpers::setupArguments):
18118
181192013-11-05 Filip Pizlo <fpizlo@apple.com>
18120
18121 FTL should support CheckFunction
18122 https://bugs.webkit.org/show_bug.cgi?id=123862
18123
18124 Reviewed by Sam Weinig.
18125
18126 * ftl/FTLCapabilities.cpp:
18127 (JSC::FTL::canCompile):
18128 * ftl/FTLLowerDFGToLLVM.cpp:
18129 (JSC::FTL::LowerDFGToLLVM::compileNode):
18130 (JSC::FTL::LowerDFGToLLVM::compileCheckFunction):
18131
181322013-11-06 Filip Pizlo <fpizlo@apple.com>
18133
18134 IC code should handle the call frame register not being the callFrameRegister
18135 https://bugs.webkit.org/show_bug.cgi?id=123865
18136
18137 Reviewed by Geoffrey Garen.
18138
18139 For now, in the FTL, the call frame may be something other than our frame pointer,
18140 since it's an argument passed in according to whatever convention LLVM picks.
18141
18142 This is temporary in two ways - pretty soon the callFrameRegister will be the actual
18143 frame pointer and not some other register, and LLVM will not pass the frame pointer
18144 as an argument to IC's.
18145
18146 * bytecode/StructureStubInfo.h:
18147 * dfg/DFGSpeculativeJIT32_64.cpp:
18148 (JSC::DFG::SpeculativeJIT::cachedGetById):
18149 (JSC::DFG::SpeculativeJIT::cachedPutById):
18150 * dfg/DFGSpeculativeJIT64.cpp:
18151 (JSC::DFG::SpeculativeJIT::cachedGetById):
18152 (JSC::DFG::SpeculativeJIT::cachedPutById):
18153 * ftl/FTLCompile.cpp:
18154 (JSC::FTL::fixFunctionBasedOnStackMaps):
18155 * ftl/FTLInlineCacheSize.cpp:
18156 (JSC::FTL::sizeOfGetById):
18157 (JSC::FTL::sizeOfPutById):
18158 * jit/CCallHelpers.h:
18159 (JSC::CCallHelpers::setupArguments):
18160 * jit/JITInlineCacheGenerator.cpp:
18161 (JSC::JITByIdGenerator::JITByIdGenerator):
18162 (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
18163 * jit/JITInlineCacheGenerator.h:
18164 (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
18165 * jit/JITPropertyAccess.cpp:
18166 (JSC::JIT::emit_op_get_by_id):
18167 (JSC::JIT::emit_op_put_by_id):
18168 * jit/JITPropertyAccess32_64.cpp:
18169 (JSC::JIT::emit_op_get_by_id):
18170 (JSC::JIT::emit_op_put_by_id):
18171 * jit/Repatch.cpp:
18172 (JSC::tryBuildGetByIDList):
18173 (JSC::emitPutTransitionStub):
18174
181752013-11-06 Daniel Bates <dabates@apple.com>
18176
18177 [iOS] Upstream Letterpress effect
18178 https://bugs.webkit.org/show_bug.cgi?id=123932
18179
18180 Reviewed by Sam Weinig.
18181
18182 Add feature define ENABLE_LETTERPRESS disabled by default. We only enable
18183 letterpress on iOS.
18184
18185 * Configurations/FeatureDefines.xcconfig:
18186
181872013-11-05 Oliver Hunt <oliver@apple.com>
18188
18189 Support iteration of the Arguments object
18190 https://bugs.webkit.org/show_bug.cgi?id=123835
18191
18192 Reviewed by Mark Lam.
18193
18194 Add an ArgumentsIterator object, and associated classes so that we can support
18195 iteration of the arguments object.
18196
18197 This is a largely mechanical patch. The only gnarliness is in the
18198 logic to avoid reifying the Arguments object in for(... of arguments)
18199 scenarios.
18200
18201 * GNUmakefile.list.am:
18202 * JavaScriptCore.xcodeproj/project.pbxproj:
18203 * bytecompiler/BytecodeGenerator.cpp:
18204 (JSC::BytecodeGenerator::emitEnumeration):
18205 * runtime/Arguments.cpp:
18206 (JSC::Arguments::getOwnPropertySlot):
18207 (JSC::argumentsFuncIterator):
18208 * runtime/Arguments.h:
18209 * runtime/ArgumentsIteratorConstructor.cpp: Added.
18210 (JSC::ArgumentsIteratorConstructor::finishCreation):
18211 * runtime/ArgumentsIteratorConstructor.h: Added.
18212 (JSC::ArgumentsIteratorConstructor::create):
18213 (JSC::ArgumentsIteratorConstructor::createStructure):
18214 (JSC::ArgumentsIteratorConstructor::ArgumentsIteratorConstructor):
18215 * runtime/ArgumentsIteratorPrototype.cpp: Added.
18216 (JSC::ArgumentsIteratorPrototype::finishCreation):
18217 (JSC::argumentsIteratorPrototypeFuncIterator):
18218 (JSC::argumentsIteratorPrototypeFuncNext):
18219 * runtime/ArgumentsIteratorPrototype.h: Added.
18220 (JSC::ArgumentsIteratorPrototype::create):
18221 (JSC::ArgumentsIteratorPrototype::createStructure):
18222 (JSC::ArgumentsIteratorPrototype::ArgumentsIteratorPrototype):
18223 * runtime/CommonIdentifiers.h:
18224 * runtime/JSArgumentsIterator.cpp: Added.
18225 (JSC::JSArgumentsIterator::finishCreation):
18226 * runtime/JSArgumentsIterator.h: Added.
18227 (JSC::JSArgumentsIterator::createStructure):
18228 (JSC::JSArgumentsIterator::create):
18229 (JSC::JSArgumentsIterator::next):
18230 (JSC::JSArgumentsIterator::JSArgumentsIterator):
18231 * runtime/JSArrayIterator.cpp:
18232 (JSC::createIteratorResult):
18233 * runtime/JSGlobalObject.cpp:
18234 * runtime/JSGlobalObject.h:
18235
182362013-11-06 Filip Pizlo <fpizlo@apple.com>
18237
18238 DFG CheckArray(NonArray) should prove that the child isn't an array
18239 https://bugs.webkit.org/show_bug.cgi?id=123911
18240 <rdar://problem/15202803>
18241
18242 Reviewed by Mark Hahnenberg.
18243
18244 * dfg/DFGSpeculativeJIT.cpp:
18245 (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
18246 * ftl/FTLLowerDFGToLLVM.cpp:
18247 (JSC::FTL::LowerDFGToLLVM::isArrayType):
18248
182492013-11-06 Mark Hahnenberg <mhahnenberg@apple.com>
18250
18251 JSExport doesn't support constructors
18252 https://bugs.webkit.org/show_bug.cgi?id=123380
18253
18254 Reviewed by Geoffrey Garen.
18255
18256 Needed another linked-on-or-after check for when we're deciding whether
18257 we should copy over init family methods.
18258
18259 Factored out the link time checks into a separate function so that they can be cached.
18260
18261 Factored out the check for init-family method selectors into helper function and changed it to
18262 match the description in the clang docs, namely that there can be underscores at the beginning
18263 and the first letter after 'init' part of the selector (if there is one) must be a capital letter.
18264
18265 Updated tests to make sure we don't treat "initialize" as an init-family method and that we do
18266 treat "_init" as an init-family method.
18267
18268 * API/JSWrapperMap.h:
18269 * API/JSWrapperMap.mm:
18270 (isInitFamilyMethod):
18271 (shouldSkipMethodWithName):
18272 (copyMethodsToObject):
18273 (allocateConstructorForCustomClass):
18274 (supportsInitMethodConstructors):
18275 * API/tests/testapi.mm:
18276 (-[ClassA initialize]):
18277 (-[ClassD initialize]):
18278
182792013-11-06 Michael Saboff <msaboff@apple.com>
18280
18281 Change ctiTrampoline into a thunk
18282 https://bugs.webkit.org/show_bug.cgi?id=123844
18283
18284 Reviewed by Filip Pizlo.
18285
18286 Converted ctiTrampoline and ctiOpThrowNotCaught into thunks named callToJavaScript
18287 and returnFromJavaScript. Cleaned up and in some cases removed JITStubsXXX.h files
18288 after removing ctiTrampoline and ctiOpThrowNotCaught. Added callJavaScriptJITFunction
18289 to VM that is a function pointer to the callToJavaScript thunk.
18290
18291 * GNUmakefile.list.am:
18292 * JavaScriptCore.xcodeproj/project.pbxproj:
18293 * dfg/DFGDriver.cpp:
18294 (JSC::DFG::compileImpl):
18295 * jit/JITCode.cpp:
18296 (JSC::JITCode::execute):
18297 * jit/JITExceptions.cpp:
18298 (JSC::genericUnwind):
18299 * jit/JITStubs.cpp:
18300 * jit/JITStubs.h:
18301 * jit/JITStubsARM.h:
18302 * jit/JITStubsARM64.h: Removed.
18303 * jit/JITStubsARMv7.h:
18304 * jit/JITStubsMIPS.h: Removed.
18305 * jit/JITStubsMSVC64.asm:
18306 * jit/JITStubsSH4.h: Removed.
18307 * jit/JITStubsX86.h:
18308 * jit/JITStubsX86_64.h:
18309 * jit/JSInterfaceJIT.h:
18310 * jit/ThunkGenerators.cpp:
18311 (JSC::returnFromJavaScript):
18312 (JSC::callToJavaScript):
18313 * jit/ThunkGenerators.h:
18314 * runtime/VM.cpp:
18315 (JSC::VM::VM):
18316 * runtime/VM.h:
18317
183182013-11-05 Filip Pizlo <fpizlo@apple.com>
18319
18320 FTL should support StringCharCodeAt
18321 https://bugs.webkit.org/show_bug.cgi?id=123854
18322
18323 Reviewed by Sam Weinig.
18324
18325 * ftl/FTLCapabilities.cpp:
18326 (JSC::FTL::canCompile):
18327 * ftl/FTLLowerDFGToLLVM.cpp:
18328 (JSC::FTL::LowerDFGToLLVM::compileNode):
18329 (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
18330
183312013-11-05 Filip Pizlo <fpizlo@apple.com>
18332
18333 FTL should support NewObject
18334 https://bugs.webkit.org/show_bug.cgi?id=123849
18335
18336 Reviewed by Oliver Hunt.
18337
18338 * ftl/FTLAbstractHeapRepository.cpp:
18339 (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
18340 * ftl/FTLAbstractHeapRepository.h:
18341 * ftl/FTLCapabilities.cpp:
18342 (JSC::FTL::canCompile):
18343 * ftl/FTLIntrinsicRepository.h:
18344 * ftl/FTLLowerDFGToLLVM.cpp:
18345 (JSC::FTL::LowerDFGToLLVM::compileNode):
18346 (JSC::FTL::LowerDFGToLLVM::compileNewObject):
18347 (JSC::FTL::LowerDFGToLLVM::allocate):
18348
183492013-11-05 Filip Pizlo <fpizlo@apple.com>
18350
18351 FTL should support StringCharAt
18352 https://bugs.webkit.org/show_bug.cgi?id=123855
18353
18354 Reviewed by Oliver Hunt.
18355
18356 This is just like GetByVal for String, so we reuse that code.
18357
18358 * ftl/FTLCapabilities.cpp:
18359 (JSC::FTL::canCompile):
18360 * ftl/FTLLowerDFGToLLVM.cpp:
18361 (JSC::FTL::LowerDFGToLLVM::compileNode):
18362 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
18363 (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
18364
183652013-11-05 Filip Pizlo <fpizlo@apple.com>
18366
18367 Remove old unused code for hypothetical LLVM intrinsics
18368 https://bugs.webkit.org/show_bug.cgi?id=123824
18369
18370 Reviewed by Oliver Hunt.
18371
18372 * ftl/FTLIntrinsicRepository.h:
18373
183742013-11-05 Filip Pizlo <fpizlo@apple.com>
18375
18376 FTL should support String character access operations
18377 https://bugs.webkit.org/show_bug.cgi?id=123783
18378
18379 Reviewed by Oliver Hunt.
18380
18381 Implements:
18382
18383 - string.length
18384
18385 - string[index]
18386
18387 * ftl/FTLAbstractHeapRepository.h:
18388 * ftl/FTLCapabilities.cpp:
18389 (JSC::FTL::canCompile):
18390 * ftl/FTLIntrinsicRepository.h:
18391 * ftl/FTLLowerDFGToLLVM.cpp:
18392 (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
18393 (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
18394 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
18395
2013-11-05 Mark Hahnenberg <mhahnenberg@apple.com>

ObjCCallbackFunctionImpl's NSInvocation shouldn't retain its target or arguments
https://bugs.webkit.org/show_bug.cgi?id=123822

Reviewed by Geoffrey Garen.

Using -retainArguments on ObjCCallbackFunctionImpl's NSInvocation leads to memory leaks.
We should handle retaining/releasing the target ourselves, and we should never retain the arguments.

* API/ObjCCallbackFunction.mm:
(JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl):
(JSC::ObjCCallbackFunctionImpl::name):
(objCCallbackFunctionForInvocation):
(objCCallbackFunctionForMethod):
(objCCallbackFunctionForBlock):

2013-11-05 Julien Brianceau <jbriance@cisco.com>

Fix build for architectures with 4 argument registers (broken since r158681).
https://bugs.webkit.org/show_bug.cgi?id=123826

Reviewed by Michael Saboff.

* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
(JSC::CCallHelpers::setupArguments):

2013-11-05 Filip Pizlo <fpizlo@apple.com>

Fix register allocation inside control flow in GetByVal String
https://bugs.webkit.org/show_bug.cgi?id=123816

Reviewed by Geoffrey Garen.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):

2013-11-05 Filip Pizlo <fpizlo@apple.com>

Remove FTL::LowerDFGToLLVM::compileJSConstant()
https://bugs.webkit.org/show_bug.cgi?id=123817

Reviewed by Geoffrey Garen.

* ftl/FTLLowerDFGToLLVM.cpp:

2013-11-04 Filip Pizlo <fpizlo@apple.com>

FTL should support PutById
https://bugs.webkit.org/show_bug.cgi?id=123784

Reviewed by Geoffrey Garen.

* ftl/FTLAbbreviations.h:
(JSC::FTL::buildCall):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLCompile.cpp:
(JSC::FTL::generateICFastPath):
(JSC::FTL::fixFunctionBasedOnStackMaps):
* ftl/FTLInlineCacheDescriptor.h:
(JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
(JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
(JSC::FTL::PutByIdDescriptor::PutByIdDescriptor):
(JSC::FTL::PutByIdDescriptor::ecmaMode):
(JSC::FTL::PutByIdDescriptor::putKind):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compilePutById):
* ftl/FTLOutput.h:
(JSC::FTL::Output::call):
* ftl/FTLSlowPathCall.cpp:
(JSC::FTL::callOperation):
* ftl/FTLSlowPathCall.h:
* ftl/FTLState.h:
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArguments):
* runtime/Executable.h:
(JSC::ScriptExecutable::ecmaMode):

2013-11-04 Filip Pizlo <fpizlo@apple.com>

GetById->GetByOffset and PutById->PutByOffset folding should mark haveStructures since it may result in structure transition watchpoints
https://bugs.webkit.org/show_bug.cgi?id=123788

Reviewed by Geoffrey Garen.

haveStructures is true if there are any currentlyKnownStructures that have
interesting values, since that's the only time when clobbering needs to do things.
It's a really important compile-time optimization. But that also means that anytime
we might cause currentlyKnownStructures to get set - like when we might insert some
structure transition watchpoints - we need to set haveStructures. We were forgetting
to do that for GetById->GetByOffset and PutById->PutByOffset because, I guess, we
forgot that those might insert structure transition watchpoints.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):

2013-11-05 Julien Brianceau <jbriance@cisco.com>

[mips] Make regTx registers match between JSInterfaceJIT and GPRInfo.
https://bugs.webkit.org/show_bug.cgi?id=123807

Reviewed by Mark Lam.

* jit/GPRInfo.h:
(JSC::GPRInfo::toIndex):
* jit/JSInterfaceJIT.h:

2013-11-05 Julien Brianceau <jbriance@cisco.com>

REGRESSION(r158315): Fix register mixup in JIT::compileOpCall.
https://bugs.webkit.org/show_bug.cgi?id=123799

Reviewed by Mark Lam.

Changeset r158315 is crashing architectures where JSInterfaceJIT::regT3 is
different from GPRInfo::regT3. This is the case for MIPS architecture.

* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):

2013-11-05 Julien Brianceau <jbriance@cisco.com>

[mips] Fix build for MIPS platforms.
https://bugs.webkit.org/show_bug.cgi?id=123796

Reviewed by Michael Saboff.

* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::linkCode): Add specific MIPS call to relocateJumps.
* assembler/MIPSAssembler.h: Remove executableCopy (because of r157690) and set relocateJumps function public.
(JSC::MIPSAssembler::firstRegister):
(JSC::MIPSAssembler::lastRegister):
(JSC::MIPSAssembler::firstFPRegister):
(JSC::MIPSAssembler::lastFPRegister):
(JSC::MIPSAssembler::buffer): Needed since r157690.
* assembler/MacroAssemblerMIPS.h: Add framePointerRegister.
(JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch): Remove unused parameter warning.

2013-11-04 Filip Pizlo <fpizlo@apple.com>

internal-js-tests.yaml/Octane/stress-tests/pdfjs.js.default: ASSERTION FAILED: m_state.forNode(child).m_futurePossibleStructure.isSubsetOf(StructureSet(structure)) at DFGConstantFoldingPhase.cpp:249
https://bugs.webkit.org/show_bug.cgi?id=123778

Unreviewed, remove the other such assertion.

* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):

2013-11-04 Michael Saboff <msaboff@apple.com>

REGRESSION(r158586): plugins/refcount-leaks.html fails
https://bugs.webkit.org/show_bug.cgi?id=123765

We were leaving a hole of one slot above a new frame when pushing the new frame on
the stack with pushFrame(). This unused slot can contain residual values that will
be marked during GC.

Reviewed by Filip Pizlo.

* interpreter/JSStackInlines.h:
(JSC::JSStack::pushFrame):

2013-11-04 Filip Pizlo <fpizlo@apple.com>

internal-js-tests.yaml/Octane/stress-tests/pdfjs.js.default: ASSERTION FAILED: m_state.forNode(child).m_futurePossibleStructure.isSubsetOf(StructureSet(structure)) at DFGConstantFoldingPhase.cpp:249
https://bugs.webkit.org/show_bug.cgi?id=123778

Reviewed by Geoffrey Garen.

This assertion was just wrong: we do an execute() above the assertion. The assertion
is asserting that if we need a watchpoint (i.e. the best proven structure was not the
current structure) then it must be the future possible structure. But while that may
have been true before execute(), it won't be true after if the PutById was a
transition. Of course, this can only happen in the concurrent JIT in which case the
code would be invalidated anyway since we would only transform the code in a way that
leveraged the lack of a transition if we inserted a watchpoint, in which case we
would realize that the watchpoint had been fired during compilation.

Since this requires concurrent JIT awesomeness, I don't know how to test it.

* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):

2013-11-04 Filip Pizlo <fpizlo@apple.com>

DFG CheckArray(String) should just be a Phantom(String:)
https://bugs.webkit.org/show_bug.cgi?id=123779

Reviewed by Geoffrey Garen.

This should be a speed-up since Phantom(String:) is smart enough to use the string
structure. It should also be a simplification since CheckArray(String) was totally
redundant.

Also FixupPhase was assuming that it may see CheckArray's. That's wrong. It can
create CheckArray's but it won't see them as input since no previous phase can
create them.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::checkArray):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::checkArray):

2013-11-04 Filip Pizlo <fpizlo@apple.com>

DFG NewArray/NewArrayBuffer shouldn't be constructing with negative indexing
https://bugs.webkit.org/show_bug.cgi?id=123760
<rdar://problem/15356705>

Reviewed by Mark Hahnenberg and Oliver Hunt.

* dfg/DFGOperations.cpp:

2013-11-04 Michael Saboff <msaboff@apple.com>

Eliminate HostCall bit from JSC Stack CallerFrame
https://bugs.webkit.org/show_bug.cgi?id=123642

Reviewed by Geoffrey Garen.

Replace the HostCallFrame bit or'ed to the CallerFrame value in a CallFrame with
a VM entry sentinel CallFrame. Logically, the VM entry sentinel call frame is
pushed on the stack before the callee frame when calling from native to JavaScript
code. The callee frame's CallerFrame points at the VM entry sentinel call frame
and the VM entry sentinel call frame's CallerFrame points to the real caller.
The VM entry sentinel call frame has a sentinel (1) in the CodeBlock to indicate
it's a VM entry sentinel call frame. Its ScopeChain has vm.topCallFrame at the
time of the call. This allows for a complete stack walk as well as walking just
the contiguous JS frames.

The VM entry sentinel call frame and callee frame are currently allocated and
initialized in ExecState::init(), but this initialization will be moved to
ctiTrampoline when we actually move onto the native stack.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::noticeIncomingCall):
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::callerFrame):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileExceptionHandlers):
* interpreter/CallFrame.h:
(JSC::ExecState::frameExtent):
(JSC::ExecState::currentVPC):
(JSC::ExecState::setCurrentVPC):
(JSC::ExecState::init):
(JSC::ExecState::noCaller):
(JSC::ExecState::isVMEntrySentinel):
(JSC::ExecState::vmEntrySentinelCallerFrame):
(JSC::ExecState::initializeVMEntrySentinelFrame):
(JSC::ExecState::callerFrameSkippingVMEntrySentinel):
(JSC::ExecState::vmEntrySentinelCodeBlock):
* interpreter/Interpreter.cpp:
(JSC::unwindCallFrame):
(JSC::Interpreter::getStackTrace):
* interpreter/Interpreter.h:
(JSC::TopCallFrameSetter::TopCallFrameSetter):
(JSC::TopCallFrameSetter::~TopCallFrameSetter):
(JSC::NativeCallFrameTracer::NativeCallFrameTracer):
* interpreter/JSStack.cpp:
(JSC::JSStack::~JSStack):
* interpreter/JSStackInlines.h:
(JSC::JSStack::getStartOfFrame):
(JSC::JSStack::pushFrame):
(JSC::JSStack::popFrame):
* interpreter/Register.h:
(JSC::Register::operator=):
(JSC::Register::callFrame):
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::readFrame):
(JSC::StackVisitor::readNonInlinedFrame):
(JSC::StackVisitor::readInlinedFrame):
(JSC::StackVisitor::Frame::print):
* interpreter/VMInspector.cpp:
(JSC::VMInspector::countFrames):
* jit/JIT.cpp:
(JSC::JIT::privateCompileExceptionHandlers):
* jit/JITOperations.cpp:
* jit/JITStubsARM.h:
(JSC::ctiTrampoline):
* jit/JITStubsARM64.h:
* jit/JITStubsARMv7.h:
(JSC::ctiTrampoline):
* jit/JITStubsMIPS.h:
* jit/JITStubsMSVC64.asm:
* jit/JITStubsSH4.h:
* jit/JITStubsX86.h:
* jit/JITStubsX86_64.h:
* jsc.cpp:
(functionDumpCallFrame):
* llint/LowLevelInterpreter.cpp:
(JSC::CLoop::execute):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::throwException):

2013-11-04 Mark Hahnenberg <mhahnenberg@apple.com>

JSArrayBufferViews of length 0 allocate 0 CopiedSpace bytes, which is invalid
https://bugs.webkit.org/show_bug.cgi?id=123746

Reviewed by Geoffrey Garen.

This patch disallows clients from allocating 0 bytes in CopiedSpace. We enforce this invariant
with an ASSERT in C++ code and a breakpoint in JIT code. Clients who care about 0-byte
allocations (like JSArrayBufferViews) must handle that case themselves, but we don't punish
anybody else for the rare case that somebody decides to allocate a 0-length typed array.
It also makes the allocation and copying cases consistent for CopiedSpace: no 0-byte allocations,
no 0-byte copying.

Also added a check so that JSArrayBufferViews don't try to copy their m_vector backing store when
their length is 0. Also sprinkled several ASSERTs throughout the JSArrayBufferView code to make sure that
when length is 0 m_vector is null.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewTypedArray):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
* heap/CopiedSpaceInlines.h:
(JSC::CopiedSpace::tryAllocate):
* runtime/ArrayBuffer.h:
(JSC::ArrayBuffer::create):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::::visitChildren):
(JSC::::copyBackingStore):
(JSC::::slowDownAndWasteMemory):

2013-11-04 Julien Brianceau <jbriance@cisco.com>

[sh4] Refactor jumps in baseline JIT to return label after the jump.
https://bugs.webkit.org/show_bug.cgi?id=123734

Reviewed by Michael Saboff.

Current implementation of jumps in sh4 baseline JIT returns a label on the jump itself
and not after it. This is not correct and leads to issues like an infinite loop in the DFG
(https://bugs.webkit.org/show_bug.cgi?id=122597 for instance). This refactor fixes this
and also simplifies the link and relink procedures for sh4 jumps.

* assembler/MacroAssemblerSH4.h:
(JSC::MacroAssemblerSH4::branchDouble):
(JSC::MacroAssemblerSH4::branchTrue):
(JSC::MacroAssemblerSH4::branchFalse):
* assembler/SH4Assembler.h:
(JSC::SH4Assembler::jmp):
(JSC::SH4Assembler::extraInstrForBranch):
(JSC::SH4Assembler::jne):
(JSC::SH4Assembler::je):
(JSC::SH4Assembler::bra):
(JSC::SH4Assembler::linkJump):
(JSC::SH4Assembler::relinkJump):

2013-11-03 Filip Pizlo <fpizlo@apple.com>

Generated color wheel displays incorrectly (regressed in r155567)
https://bugs.webkit.org/show_bug.cgi?id=123664

Reviewed by Andreas Kling.

Interestingly, r155567 just "un-broke" the attempt to constant-fold ArithMod, but
that constant folding was just wrong to begin with. There is no evidence that this
constant folding rule is profitable. I'm removing it instead of trying to think
about what it means for it to be correct.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):

2013-11-03 Filip Pizlo <fpizlo@apple.com>

Unreviewed, it is no longer necessary to call DisablePrettyStackTrace.

* llvm/library/LLVMExports.cpp:
(initializeAndGetJSCLLVMAPI):

2013-11-02 Mark Lam <mark.lam@apple.com>

Assertion failure in non-JIT'ed LLInt on ARM Thumb.
https://bugs.webkit.org/show_bug.cgi?id=97569.

Reviewed by Geoffrey Garen.

* assembler/MacroAssemblerCodeRef.h:
- Thumb2 alignment assertions do not apply to the C Loop LLINT because
the arguments passed to those assertions are actually OpcodeIDs
masquerading as addresses.
* llint/LLIntOfflineAsmConfig.h:
- Some of the #defines belong in the !ENABLE(LLINT_C_LOOP) section.
Moving them there.
* llint/LowLevelInterpreter.cpp:
- Keep the compiler happy from some unreferenced C Loop labels.

2013-11-02 Filip Pizlo <fpizlo@apple.com>

FTL should use LLVM intrinsics for OSR exit, watchpoints, inline caches, and stack layout
https://bugs.webkit.org/show_bug.cgi?id=122318

Reviewed by Geoffrey Garen.

This all now works. This patch just updates our implementation to work with LLVM trunk,
and removes all of the old code that tried to do OSR exits and heap accesses without
the benefit of those intrinsics.

In particular:

- StackMaps parsing now uses the new, less compact, but more future-proof, format.

- Remove the ftlUsesStackmaps() option and hard-code ftlUsesStackmaps = true. Remove
all code for ftlUsesStackmaps = false, since that was only there for back when we
didn't have the intrinsics.

- Remove the other experimental OSR options (useLLVMOSRExitIntrinsic,
ftlTrapsOnOSRExit, and FTLOSRExitOmitsMarshalling).

- Remove LowerDFGToLLVM's use of the ExitThunkGenerator since we don't need to generate
the exit thunks until after we parse the stackmaps.

- Remove all of the exit thunk and compiler code for the no-stackmaps case.

* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
* ftl/FTLCompile.cpp:
(JSC::FTL::mmAllocateDataSection):
* ftl/FTLExitThunkGenerator.cpp:
(JSC::FTL::ExitThunkGenerator::emitThunk):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLocation.cpp:
(JSC::FTL::Location::forStackmaps):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
(JSC::FTL::LowerDFGToLLVM::lower):
(JSC::FTL::LowerDFGToLLVM::compileGetById):
(JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
(JSC::FTL::LowerDFGToLLVM::appendOSRExit):
(JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
(JSC::FTL::LowerDFGToLLVM::callStackmap):
(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
* ftl/FTLOSRExitCompilationInfo.h:
(JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
(JSC::FTL::compileFTLOSRExit):
* ftl/FTLStackMaps.cpp:
(JSC::FTL::StackMaps::Location::parse):
(JSC::FTL::StackMaps::parse):
(WTF::printInternal):
* ftl/FTLStackMaps.h:
* ftl/FTLThunks.cpp:
(JSC::FTL::osrExitGenerationThunkGenerator):
* ftl/FTLThunks.h:
(JSC::FTL::Thunks::getOSRExitGenerationThunk):
* runtime/Options.h:

2013-11-02 Patrick Gansterer <paroga@webkit.org>

Add missing getHostCallReturnValue() for MSVC ARM
https://bugs.webkit.org/show_bug.cgi?id=123685

Reviewed by Darin Adler.

* jit/JITStubsARM.h:

2013-11-02 Patrick Gansterer <paroga@webkit.org>

Fix MSVC warning about unary minus operator
https://bugs.webkit.org/show_bug.cgi?id=123674

Reviewed by Darin Adler.

Change some static_cast<> to silence the following warning of the Microsoft compiler:
warning C4146: unary minus operator applied to unsigned type, result still unsigned

* jit/Repatch.cpp:
(JSC::emitPutTransitionStub):

2013-11-02 Filip Pizlo <fpizlo@apple.com>

Disable LLVM's pretty stack traces, which involve intercepting fatal signals
https://bugs.webkit.org/show_bug.cgi?id=123681

Reviewed by Geoffrey Garen.

* llvm/library/LLVMExports.cpp:
(initializeAndGetJSCLLVMAPI):

2013-11-02 Filip Pizlo <fpizlo@apple.com>

LLVM assertion failures should funnel into WTF's crash handling
https://bugs.webkit.org/show_bug.cgi?id=123682

Reviewed by Geoffrey Garen.

Inside llvmForJSC, we override assertion-related functions and funnel them
into g_llvmTrapCallback(). We also now register a fatal error handler inside
the library and funnel that into g_llvmTrapCallback, and have
initializeAndGetJSCLLVMAPI() take such a callback as an argument.

Inside JSC, we no longer call LLVMInstallFatalErrorHandler() but instead we
pass WTFLogAlwaysAndCrash() as the trap callback for llvmForJSC.

* llvm/InitializeLLVM.cpp:
(JSC::initializeLLVM):
* llvm/InitializeLLVMPOSIX.cpp:
(JSC::initializeLLVMPOSIX):
* llvm/library/LLVMExports.cpp:
(llvmCrash):
(initializeAndGetJSCLLVMAPI):
* llvm/library/LLVMOverrides.cpp:
(raise):
(__assert_rtn):
(abort):
* llvm/library/LLVMTrapCallback.h: Added.

2013-11-02 Filip Pizlo <fpizlo@apple.com>

CodeBlock::jettison() shouldn't call baselineVersion()
https://bugs.webkit.org/show_bug.cgi?id=123675

Reviewed by Geoffrey Garen.

Fix more uses of baselineVersion().

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::jettison):
* bytecode/CodeBlock.h:
* bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
(JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):

2013-11-02 Filip Pizlo <fpizlo@apple.com>

LLVM asserts in internal-js-tests.yaml/Octane/stress-tests/mandreel.js
https://bugs.webkit.org/show_bug.cgi?id=123535

Reviewed by Geoffrey Garen.

Use double comparisons for doubles.

* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::doubleToInt32):

2013-11-02 Patrick Gansterer <paroga@webkit.org>

Various small WinCE build fixes

* jsc.cpp:
(main):

2013-11-02 Patrick Gansterer <paroga@webkit.org>

Fix MSVC ARM build after r157581.

* jit/JITStubsARM.h:

2013-11-01 Filip Pizlo <fpizlo@apple.com>

FTL should use a simple optimization pipeline by default
https://bugs.webkit.org/show_bug.cgi?id=123638

Reviewed by Geoffrey Garen.

20% speed-up on imagine-gaussian-blur, when combined with --ftlUsesStackmaps=true.

* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* runtime/Options.h:

2013-11-01 Andreas Kling <akling@apple.com>

Neuter WTF_MAKE_FAST_ALLOCATED in GLOBAL_FASTMALLOC_NEW builds.
<https://webkit.org/b/123639>

JSC::ParserArenaRefCounted really needed to have the new/delete
operators overridden, in order for JSC::ScopeNode to be able to
choose that "operator new" out of the two it inherits.

Reviewed by Anders Carlsson.

2013-11-01 Filip Pizlo <fpizlo@apple.com>

OSR exit profiling should be robust against all code being cleared
https://bugs.webkit.org/show_bug.cgi?id=123629
<rdar://problem/15365476>

Reviewed by Michael Saboff.

The problem here is two-fold:

1) A watchpoint (i.e. ProfiledCodeBlockJettisoningWatchpoint) may be fired after we
have cleared the CodeBlock for all or some Executables. This means that doing
codeBlock->baselineVersion() would either crash or return a bogus CodeBlock, since
there wasn't a baseline code block reachable from the Executable anymore. The
solution is that we shouldn't be asking for the baseline code block reachable from
the owning executable (what baselineVersion did), but instead we should be asking
for the baseline version reachable from the code block being watchpointed (basically
what CodeBlock::alternative() did).

2) If dealing with inlined code, baselineCodeBlockForOriginAndBaselineCodeBlock()
may return null, for the same reason as above - we might have cleared the baseline
codeblock for the executable that was inlined. The solution is to just not do
profiling if there isn't a baseline code block anymore.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::baselineAlternative):
(JSC::CodeBlock::baselineVersion):
(JSC::CodeBlock::jettison):
* bytecode/CodeBlock.h:
* bytecode/CodeBlockJettisoningWatchpoint.cpp:
(JSC::CodeBlockJettisoningWatchpoint::fireInternal):
* bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
(JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
* dfg/DFGOSRExitBase.cpp:
(JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::AssemblyHelpers):
* runtime/Executable.cpp:
(JSC::FunctionExecutable::baselineCodeBlockFor):

2013-10-31 Oliver Hunt <oliver@apple.com>

JavaScript parser bug
https://bugs.webkit.org/show_bug.cgi?id=123506

Reviewed by Mark Lam.

Add ParserState as an abstraction and use that to save and restore
the parser state around nested functions (We'll need to use this in
more places in future). Also fix a minor error typo this testcase
hits.

* parser/Parser.cpp:
(JSC::::parseFunctionInfo):
(JSC::::parseAssignmentExpression):
* parser/Parser.h:
(JSC::Parser::saveState):
(JSC::Parser::restoreState):

2013-10-31 Filip Pizlo <fpizlo@apple.com>

FTL Int32ToDouble should handle the forward type check case where you need a recovery
https://bugs.webkit.org/show_bug.cgi?id=123605

Reviewed by Mark Hahnenberg.

If you have an Int32ToDouble that needs to do a type check and it's required to do a
forward exit, then it needs to manually pass in a value recovery for itself in the
OSR exit - since this is one of those forward-exiting nodes that doesn't have a
preceding MovHint.

* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
(JSC::FTL::LowerDFGToLLVM::forwardTypeCheck):

2013-10-31 Filip Pizlo <fpizlo@apple.com>

FTL should implement InvalidationPoint in terms of llvm.stackmap
https://bugs.webkit.org/show_bug.cgi?id=113647

Reviewed by Mark Hahnenberg.

This is pretty straightforward now that InvalidationPoint has exactly the semantics
that agree with llvm.stackmap.

* ftl/FTLCompile.cpp:
(JSC::FTL::fixFunctionBasedOnStackMaps):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
(JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
(JSC::FTL::LowerDFGToLLVM::buildExitArguments):
(JSC::FTL::LowerDFGToLLVM::callStackmap):
* ftl/FTLOSRExitCompilationInfo.h:
(JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):

2013-10-30 Oliver Hunt <oliver@apple.com>

Implement basic ES6 Math functions
https://bugs.webkit.org/show_bug.cgi?id=123536

Reviewed by Michael Saboff.

Fairly trivial patch to implement the core ES6 Math functions.

This doesn't implement Math.hypot as it is not a trivial function.
I've also skipped Math.sign as I am yet to be convinced the spec
behaviour is good. Everything else is trivial.

* runtime/MathObject.cpp:
(JSC::MathObject::finishCreation):
(JSC::mathProtoFuncACosh):
(JSC::mathProtoFuncASinh):
(JSC::mathProtoFuncATanh):
(JSC::mathProtoFuncCbrt):
(JSC::mathProtoFuncCosh):
(JSC::mathProtoFuncExpm1):
(JSC::mathProtoFuncFround):
(JSC::mathProtoFuncLog1p):
(JSC::mathProtoFuncLog10):
(JSC::mathProtoFuncLog2):
(JSC::mathProtoFuncSinh):
(JSC::mathProtoFuncTanh):
(JSC::mathProtoFuncTrunc):

2013-10-31 Filip Pizlo <fpizlo@apple.com>

FTL::Location::restoreInto() doesn't handle stack-related registers correctly if you're using it after pushing a new stack frame
https://bugs.webkit.org/show_bug.cgi?id=123591

Reviewed by Mark Hahnenberg.

This gets us to pass more tests with ftlUsesStackmaps.

* ftl/FTLLocation.cpp:
(JSC::FTL::Location::restoreInto):
* ftl/FTLLocation.h:
* ftl/FTLThunks.cpp:
(JSC::FTL::osrExitGenerationWithStackMapThunkGenerator):

2013-10-31 Alexey Proskuryakov <ap@apple.com>

Enable WebCrypto on Mac
https://bugs.webkit.org/show_bug.cgi?id=123587

Reviewed by Anders Carlsson.

* Configurations/FeatureDefines.xcconfig: Do it.

2013-10-31 Filip Pizlo <fpizlo@apple.com>

Unreviewed, really remove CachedTranscendentalFunction.h.

* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2013-10-31 Filip Pizlo <fpizlo@apple.com>

Remove CachedTranscendentalFunction because caching math functions is an ugly idea
https://bugs.webkit.org/show_bug.cgi?id=123574

Reviewed by Mark Hahnenberg.

This is performance-neutral because I also make Math.cos/sin intrinsic. This means that
we gain the "overhead" of actually computing sin and cos but we lose the overhead of
going through the native call thunks.

Caching transcendental functions is a really ugly idea. It works for SunSpider because
that benchmark makes very predictable calls into Math.sin. But I don't believe that this
is representative of any kind of reality, and so for sensible uses of Math.sin/cos all
that this was doing was adding more call overhead and some hashing overhead.

* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsic):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
(JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/JITOperations.h:
* runtime/CachedTranscendentalFunction.h: Removed.
* runtime/DateInstanceCache.h:
* runtime/Intrinsic.h:
* runtime/MathObject.cpp:
(JSC::MathObject::finishCreation):
(JSC::mathProtoFuncCos):
(JSC::mathProtoFuncSin):
* runtime/VM.h:

191842013-10-30 Filip Pizlo <fpizlo@apple.com>
19185
19186 Assertion failure in js/dom/global-constructors-attributes-dedicated-worker.html
19187 https://bugs.webkit.org/show_bug.cgi?id=123551
19188 <rdar://problem/15356238>
19189
19190 Reviewed by Mark Hahnenberg.
19191
19192 WatchpointSets have always had this "fire everything on deletion" policy because it
19193 seemed like a good fail-safe at the time I first implemented WatchpointSets. But
19194 it's actually causing bugs rather than providing safety:
19195
19196 - Everyone who registers Watchpoints with WatchpointSets have separate mechanisms
19197 for either keeping the WatchpointSets alive or noticing when they are collected.
19198 So this wasn't actually providing any safety.
19199
19200 One example of this is Structures, where:
19201
19202 - CodeBlocks that register Watchpoints on Structure's WatchpointSet will also
19203 register weak references to the Structure, and the GC will jettison a CodeBlock
19204 if the Structure(s) it cares about dies.
19205
19206 - StructureStubInfos that register Watchpoints on Structure's WatchpointSet will
19207 also be cleared by GC if the Structures die.
19208
19209 - The WatchpointSet destructor would get invoked from finalization/destruction.
19210 This would then cause CodeBlock::jettison() to be called on a CodeBlock, but that
19211 method requires doing things that access heap objects. This would usually cause
19212 problems on VM destruction, since then the CodeBlocks would still be alive but the
19213 whole heap would be destroyed.
19214
19215 This also ensures that CodeBlock::jettison() cannot cause a GC. This is safe since
19216 that method doesn't really allocate objects, and it is likely necessary because
19217 jettison() may be called from deep in the stack.
19218
19219 * bytecode/CodeBlock.cpp:
19220 (JSC::CodeBlock::jettison):
19221 * bytecode/Watchpoint.cpp:
19222 (JSC::WatchpointSet::~WatchpointSet):
19223 * bytecode/Watchpoint.h:
19224
192252013-10-30 Mark Lam <mark.lam@apple.com>
19226
19227 Unreviewed, fix C Loop LLINT build.
19228
19229 * bytecode/CodeBlockJettisoningWatchpoint.cpp:
19230 (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
19231 * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
19232 (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
19233
192342013-10-30 Filip Pizlo <fpizlo@apple.com>
19235
19236 Unreviewed, fix FTL build.
19237
19238 * ftl/FTLAbstractHeapRepository.h:
19239 * ftl/FTLLowerDFGToLLVM.cpp:
19240 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
19241
192422013-10-30 Alexey Proskuryakov <ap@apple.com>
19243
19244 Add a way to fulfill promises from DOM code
19245 https://bugs.webkit.org/show_bug.cgi?id=123466
19246
19247 Reviewed by Sam Weinig.
19248
19249 * JavaScriptCore.xcodeproj/project.pbxproj: Make JSPromise.h and JSPromiseResolver.h
19250 private headers for WebCore to use.
19251
19252 * runtime/JSPromise.h:
19253 * runtime/JSPromiseResolver.h:
19254 Export functions that JSDOMPromise will use.
19255
192562013-10-30 Mark Lam <mark.lam@apple.com>
19257
19258 Adjust CallFrameHeader's ReturnPC and CallFrame locations to match the native ABI.
19259 https://bugs.webkit.org/show_bug.cgi?id=123444
19260
19261 Reviewed by Geoffrey Garen.
19262
19263 - Introduced an explicit CallerFrameAndPC struct.
19264 - A CallFrame is expected to start with a CallerFrameAndPC struct.
19265 - The Register class no longer supports CallFrame* and Instruction*.
19266
19267 These hide the differences between JSVALUE32_64 and JSVALUE64 in
19268 terms of managing the callerFrame() and returnPC() values.
19269
19270 - Convert all uses of JSStack::CallerFrame and JSStack::ReturnPC to
19271 go through CallFrame to access the appropriate values and offsets.
19272 CallFrame, in turn, will access the callerFrame and returnPC via
19273 the CallerFrameAndPC struct.
19274
19275 - InlineCallFrame will provide offsets for its callerFrame and
19276 returnPC. It will make use of CallFrame::callerFrameOffset() and
19277 CallerFrame::returnPCOffset() to compute these.
19278
19279 * bytecode/CodeOrigin.h:
19280 (JSC::InlineCallFrame::callerFrameOffset):
19281 (JSC::InlineCallFrame::returnPCOffset):
19282 * dfg/DFGJITCompiler.cpp:
19283 (JSC::DFG::JITCompiler::compileEntry):
19284 (JSC::DFG::JITCompiler::compileExceptionHandlers):
19285 * dfg/DFGOSRExitCompilerCommon.cpp:
19286 (JSC::DFG::reifyInlinedCallFrames):
19287 * dfg/DFGSpeculativeJIT.h:
19288 (JSC::DFG::SpeculativeJIT::calleeFrameSlot):
19289 (JSC::DFG::SpeculativeJIT::calleeArgumentSlot):
19290 (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot):
19291 (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot):
19292 (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot):
19293 (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot):
19294 - Prefixed all the above with callee since they apply to the callee frame.
19295 (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame):
19296 - Added to set the callerFrame pointer in the callee frame.
19297
19298 * dfg/DFGSpeculativeJIT32_64.cpp:
19299 (JSC::DFG::SpeculativeJIT::emitCall):
19300 (JSC::DFG::SpeculativeJIT::compile):
19301 * dfg/DFGSpeculativeJIT64.cpp:
19302 (JSC::DFG::SpeculativeJIT::emitCall):
19303 (JSC::DFG::SpeculativeJIT::compile):
19304 * ftl/FTLLink.cpp:
19305 (JSC::FTL::compileEntry):
19306 (JSC::FTL::link):
19307 * interpreter/CallFrame.h:
19308 (JSC::ExecState::callerFrame):
19309 (JSC::ExecState::callerFrameOffset):
19310 (JSC::ExecState::returnPC):
19311 (JSC::ExecState::hasReturnPC):
19312 (JSC::ExecState::clearReturnPC):
19313 (JSC::ExecState::returnPCOffset):
19314 (JSC::ExecState::setCallerFrame):
19315 (JSC::ExecState::setReturnPC):
19316 (JSC::ExecState::callerFrameAndPC):
19317 * interpreter/JSStack.h:
19318 * interpreter/Register.h:
19319 * jit/AssemblyHelpers.h:
19320 (JSC::AssemblyHelpers::emitPutToCallFrameHeader):
19321 - Convert to using storePtr() here and simplify the code.
19322 (JSC::AssemblyHelpers::emitGetCallerFrameFromCallFrameHeaderPtr):
19323 (JSC::AssemblyHelpers::emitPutCallerFrameToCallFrameHeader):
19324 (JSC::AssemblyHelpers::emitGetReturnPCFromCallFrameHeaderPtr):
19325 (JSC::AssemblyHelpers::emitPutReturnPCToCallFrameHeader):
19326 - Helpers to emit gets/puts of the callerFrame and returnPC.
19327 (JSC::AssemblyHelpers::addressForByteOffset):
19328 * jit/JIT.cpp:
19329 (JSC::JIT::JIT):
19330 (JSC::JIT::privateCompile):
19331 (JSC::JIT::privateCompileExceptionHandlers):
19332 * jit/JITCall.cpp:
19333 (JSC::JIT::compileCallEval):
19334 (JSC::JIT::compileOpCall):
19335 * jit/JITCall32_64.cpp:
19336 (JSC::JIT::emit_op_ret):
19337 (JSC::JIT::emit_op_ret_object_or_this):
19338 (JSC::JIT::compileCallEval):
19339 (JSC::JIT::compileOpCall):
19340 * jit/JITInlines.h:
19341 (JSC::JIT::unmap):
19342 * jit/JITOpcodes.cpp:
19343 (JSC::JIT::emit_op_end):
19344 (JSC::JIT::emit_op_ret):
19345 (JSC::JIT::emit_op_ret_object_or_this):
19346 * jit/JITOpcodes32_64.cpp:
19347 (JSC::JIT::privateCompileCTINativeCall):
19348 (JSC::JIT::emit_op_end):
19349 * jit/JITOperations.cpp:
19350 * jit/SpecializedThunkJIT.h:
19351 (JSC::SpecializedThunkJIT::returnJSValue):
19352 (JSC::SpecializedThunkJIT::returnDouble):
19353 (JSC::SpecializedThunkJIT::returnInt32):
19354 (JSC::SpecializedThunkJIT::returnJSCell):
19355 * jit/ThunkGenerators.cpp:
19356 (JSC::throwExceptionFromCallSlowPathGenerator):
19357 (JSC::slowPathFor):
19358 (JSC::nativeForGenerator):
19359
19360 * llint/LLIntData.cpp:
19361 (JSC::LLInt::Data::performAssertions):
19362 * llint/LowLevelInterpreter.asm:
19363 - Updated offsets and asserts to match the new CallFrame layout.
19364
193652013-10-30 Filip Pizlo <fpizlo@apple.com>
19366
19367 Unreviewed, fix Mac.
19368
19369 * assembler/AbstractMacroAssembler.h:
19370 (JSC::AbstractMacroAssembler::RegisterAllocationOffset::checkOffsets):
19371 (JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange):
19372
193732013-10-30 Filip Pizlo <fpizlo@apple.com>
19374
19375 Unreviewed, fix Windows.
19376
19377 * bytecode/CodeBlock.cpp:
19378 (JSC::CodeBlock::jettison):
19379
193802013-10-30 Filip Pizlo <fpizlo@apple.com>
19381
19382 Unreviewed, fix Windows.
19383
19384 * bytecode/CodeBlock.h:
19385 (JSC::CodeBlock::addFrequentExitSite):
19386
193872013-10-29 Filip Pizlo <fpizlo@apple.com>
19388
19389 Add InvalidationPoints to the DFG and use them for all watchpoints
19390 https://bugs.webkit.org/show_bug.cgi?id=123472
19391
19392 Reviewed by Mark Hahnenberg.
19393
19394 This makes a fundamental change to how watchpoints work in the DFG.
19395
19396 Previously, a watchpoint was an instruction whose execution semantics were something
19397 like:
19398
19399 if (watchpoint->invalidated)
19400 exit
19401
19402 We would implement this without any branch by using jump replacement.
19403
19404 This is a very good optimization. But it's a bit awkward once you get a lot of
19405 watchpoints: semantically we will have lots of these branches in the code, which the
19406 compiler needs to reason about even though they don't actually result in any emitted
19407 code.
19408
19409 Separately, we also had a mechanism for jettisoning a CodeBlock. This mechanism would
19410 be invoked if a CodeBlock exited a lot. It would ensure that a CodeBlock wouldn't be
19411 called into again, but it would do nothing for CodeBlocks that were already on the
19412 stack.
19413
19414 This change flips jettisoning and watchpoint invalidation on their heads. Now, the jump
19415 replacement has nothing to do with watchpoints; instead it's something that happens if
19416 you ever jettison a CodeBlock. Jump replacement is now an all-or-nothing operation over
19417 all of the potential call-return safe-exit-points in a CodeBlock. We call these
19418 "InvalidationPoint"s. A watchpoint instruction is now "lowered" by having the DFG
19419 collect all of the watchpoint sets that the CodeBlock cares about, and then registering
19420 a CodeBlockJettisoningWatchpoint with all of them. That is, if the watchpoint fires, it
19421 jettisons the CodeBlock, which in turn ensures that the CodeBlock can't be called into
19422 (because the entrypoint now points to baseline code) and can't be returned into
19423 (because returning exits to baseline before the next bytecode instruction).
19424
19425 This will allow for a sensible lowering of watchpoints to LLVM IR. It will also allow
19426 for jettison() to be used effectively for things like breakpointing and single-stepping
19427 in the debugger.
19428
19429 Well, basically, this mechanism just takes us into the HotSpot-style world where anyone
19430 can, at any time and for any reason, request that an optimized CodeBlock is rendered
19431 immediately invalid. You can use this for many cool things, I'm sure.
19432
19433 * CMakeLists.txt:
19434 * GNUmakefile.list.am:
19435 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
19436 * JavaScriptCore.xcodeproj/project.pbxproj:
19437 * assembler/AbstractMacroAssembler.h:
19438 * bytecode/CodeBlock.cpp:
19439 (JSC::CodeBlock::jettison):
19440 * bytecode/CodeBlock.h:
19441 * bytecode/CodeBlockJettisoningWatchpoint.cpp: Added.
19442 (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
19443 * bytecode/CodeBlockJettisoningWatchpoint.h: Added.
19444 (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint):
19445 * bytecode/ExitKind.cpp:
19446 (JSC::exitKindToString):
19447 * bytecode/ExitKind.h:
19448 * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Added.
19449 (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
19450 * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Added.
19451 (JSC::ProfiledCodeBlockJettisoningWatchpoint::ProfiledCodeBlockJettisoningWatchpoint):
19452 * dfg/DFGAbstractHeap.h:
19453 * dfg/DFGAbstractInterpreterInlines.h:
19454 (JSC::DFG::::executeEffects):
19455 * dfg/DFGClobberize.cpp:
19456 (JSC::DFG::writesOverlap):
19457 * dfg/DFGClobberize.h:
19458 (JSC::DFG::clobberize):
19459 (JSC::DFG::AbstractHeapOverlaps::AbstractHeapOverlaps):
19460 (JSC::DFG::AbstractHeapOverlaps::operator()):
19461 (JSC::DFG::AbstractHeapOverlaps::result):
19462 * dfg/DFGCommonData.cpp:
19463 (JSC::DFG::CommonData::invalidate):
19464 * dfg/DFGCommonData.h:
19465 (JSC::DFG::CommonData::CommonData):
19466 * dfg/DFGDesiredWatchpoints.cpp:
19467 (JSC::DFG::DesiredWatchpoints::addLazily):
19468 (JSC::DFG::DesiredWatchpoints::reallyAdd):
19469 * dfg/DFGDesiredWatchpoints.h:
19470 (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet):
19471 (JSC::DFG::GenericDesiredWatchpoints::addLazily):
19472 (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
19473 (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
19474 * dfg/DFGFixupPhase.cpp:
19475 (JSC::DFG::FixupPhase::fixupNode):
19476 * dfg/DFGInvalidationPointInjectionPhase.cpp: Added.
19477 (JSC::DFG::InvalidationPointInjectionPhase::InvalidationPointInjectionPhase):
19478 (JSC::DFG::InvalidationPointInjectionPhase::run):
19479 (JSC::DFG::InvalidationPointInjectionPhase::handle):
19480 (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
19481 (JSC::DFG::performInvalidationPointInjection):
19482 * dfg/DFGInvalidationPointInjectionPhase.h: Added.
19483 * dfg/DFGJITCode.h:
19484 * dfg/DFGJITCompiler.cpp:
19485 (JSC::DFG::JITCompiler::linkOSRExits):
19486 (JSC::DFG::JITCompiler::link):
19487 * dfg/DFGJITCompiler.h:
19488 * dfg/DFGJumpReplacement.cpp: Added.
19489 (JSC::DFG::JumpReplacement::fire):
19490 * dfg/DFGJumpReplacement.h: Added.
19491 (JSC::DFG::JumpReplacement::JumpReplacement):
19492 * dfg/DFGNodeType.h:
19493 * dfg/DFGOSRExitCompilationInfo.h:
19494 * dfg/DFGOperations.cpp:
19495 * dfg/DFGPlan.cpp:
19496 (JSC::DFG::Plan::compileInThreadImpl):
19497 (JSC::DFG::Plan::reallyAdd):
19498 * dfg/DFGPredictionPropagationPhase.cpp:
19499 (JSC::DFG::PredictionPropagationPhase::propagate):
19500 * dfg/DFGSafeToExecute.h:
19501 (JSC::DFG::safeToExecute):
19502 * dfg/DFGSpeculativeJIT.cpp:
19503 (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
19504 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
19505 (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
19506 * dfg/DFGSpeculativeJIT.h:
19507 (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
19508 (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
19509 * dfg/DFGSpeculativeJIT32_64.cpp:
19510 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
19511 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
19512 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
19513 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
19514 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
19515 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
19516 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
19517 (JSC::DFG::SpeculativeJIT::compile):
19518 * dfg/DFGSpeculativeJIT64.cpp:
19519 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
19520 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
19521 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
19522 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
19523 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
19524 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
19525 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
19526 (JSC::DFG::SpeculativeJIT::compile):
19527 * dfg/DFGWatchpointCollectionPhase.cpp: Added.
19528 (JSC::DFG::WatchpointCollectionPhase::WatchpointCollectionPhase):
19529 (JSC::DFG::WatchpointCollectionPhase::run):
19530 (JSC::DFG::WatchpointCollectionPhase::handle):
19531 (JSC::DFG::WatchpointCollectionPhase::handleEdge):
19532 (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
19533 (JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal):
19534 (JSC::DFG::WatchpointCollectionPhase::addLazily):
19535 (JSC::DFG::WatchpointCollectionPhase::globalObject):
19536 (JSC::DFG::performWatchpointCollection):
19537 * dfg/DFGWatchpointCollectionPhase.h: Added.
19538 * ftl/FTLCapabilities.cpp:
19539 (JSC::FTL::canCompile):
19540 * ftl/FTLLowerDFGToLLVM.cpp:
19541 (JSC::FTL::LowerDFGToLLVM::compileNode):
19542 (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint):
19543 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
19544 (JSC::FTL::LowerDFGToLLVM::compileGlobalVarWatchpoint):
19545 (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
19546 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
19547 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
19548 (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
19549 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
19550 (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
19551 * jit/JITOperations.cpp:
19552 * jit/JumpReplacementWatchpoint.cpp: Removed.
19553 * jit/JumpReplacementWatchpoint.h: Removed.
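
Added example (not JSC code and not part of this ChangeLog): a small C++ model of the mechanism the 2013-10-29 InvalidationPoint entry above describes, combined with the 2013-10-30 change that stopped WatchpointSet's destructor from firing its watchpoints. The names used here (CodeBlock, WatchpointSet, CodeBlockJettisoningWatchpoint, lowerWatchpoints, runScenario, deadOnArrival, destructionDoesNotJettison) are borrowed or invented for illustration and are assumptions, not the real JSC types; the two sets and the three-point block are constructed sample data.

```cpp
// Added example, not JSC code: a model of the watchpoint -> jettison ->
// invalidation-point flow. Every name below is hypothetical.
#include <cstddef>
#include <vector>

// Optimized code with an entrypoint and N invalidation points (the call-return safe
// exit points). jettison() is all-or-nothing: entrypoint to baseline, every point exits.
class CodeBlock {
public:
    enum Tier { Baseline, Optimized };
    explicit CodeBlock(std::size_t points) : m_exitAtPoint(points, false) { }
    bool isJettisoned() const { return m_jettisoned; }
    Tier entrypoint() const { return m_jettisoned ? Baseline : Optimized; }
    // A frame already running this code reaches point i; true means it must
    // exit to baseline before the next bytecode instruction.
    bool invalidationPointExits(std::size_t i) const { return m_exitAtPoint.at(i); }
    void jettison()
    {
        if (m_jettisoned) return;
        m_jettisoned = true;
        m_exitAtPoint.assign(m_exitAtPoint.size(), true); // one jump replacement for all points
    }
private:
    bool m_jettisoned = false;
    std::vector<bool> m_exitAtPoint;
};

// The only kind of watchpoint the DFG needs any more: "jettison this block".
struct CodeBlockJettisoningWatchpoint {
    CodeBlock* codeBlock;
    void fire() { codeBlock->jettison(); }
};

// A condition optimized code relies on (e.g. "this Structure never transitions").
// Firing notifies each registered watchpoint exactly once. Destruction does not
// fire: owners track the set's lifetime themselves (2013-10-30 entry above).
class WatchpointSet {
public:
    bool isStillValid() const { return m_valid; }
    void add(CodeBlockJettisoningWatchpoint w) { m_watchpoints.push_back(w); }
    void fire()
    {
        if (!m_valid) return;
        m_valid = false;
        std::vector<CodeBlockJettisoningWatchpoint> pending;
        pending.swap(m_watchpoints); // detach first: firing may re-enter this set
        for (CodeBlockJettisoningWatchpoint& w : pending) w.fire();
    }
private:
    bool m_valid = true;
    std::vector<CodeBlockJettisoningWatchpoint> m_watchpoints;
};

// Lowering one compilation's watchpoints: no per-watchpoint branch is emitted; the
// block is registered with every set it depends on. An already-invalid set means DOA.
void lowerWatchpoints(CodeBlock& block, const std::vector<WatchpointSet*>& desired)
{
    for (WatchpointSet* set : desired)
        if (!set->isStillValid()) { block.jettison(); return; }
    for (WatchpointSet* set : desired)
        set->add({ &block });
}

struct ScenarioResult { CodeBlock::Tier entryBefore, entryAfter; bool exitsBefore, exitsAfter; };

// A block depends on two sets; a frame is mid-execution when one of them fires.
ScenarioResult runScenario()
{
    WatchpointSet structureTransition, masqueradesAsUndefined;
    CodeBlock block(3);
    lowerWatchpoints(block, { &structureTransition, &masqueradesAsUndefined });
    ScenarioResult r;
    r.entryBefore = block.entrypoint();              // Optimized
    r.exitsBefore = block.invalidationPointExits(1); // false: no branch is taken
    structureTransition.fire();                      // e.g. a property was added
    r.entryAfter = block.entrypoint();               // Baseline: cannot be called into
    r.exitsAfter = block.invalidationPointExits(1);  // true: cannot be returned into
    return r;
}

// Compiling against an already-invalid set yields jettisoned code at once.
bool deadOnArrival()
{
    WatchpointSet set;
    set.fire();
    CodeBlock block(2);
    lowerWatchpoints(block, { &set });
    return block.isJettisoned();
}

// Deleting a set orphans its watchpoints instead of firing them.
bool destructionDoesNotJettison()
{
    CodeBlock block(1);
    {
        WatchpointSet set;
        lowerWatchpoints(block, { &set });
    } // set is destroyed here without firing
    return !block.isJettisoned();
}
```

The point the model makes concrete is the one the entry argues: after a fire, the block is unreachable from both directions (fresh calls land in baseline, frames already inside exit at the next invalidation point), and no per-watchpoint branch exists in the compiled code to reason about. Firing swaps the pending list out before invoking anything, so a watchpoint that re-enters the set during jettison cannot be fired twice.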
19554
195552013-10-25 Mark Hahnenberg <mhahnenberg@apple.com>
19556
19557 JSExport doesn't support constructors
19558 https://bugs.webkit.org/show_bug.cgi?id=123380
19559
19560 Reviewed by Geoffrey Garen.
19561
19562 Support for constructor-style callbacks for the Objective-C API to JSC is currently limited to
19563 Objective-C blocks. Any clients who try to call the constructor of a JSExport-ed Objective-C class
19564 are met with a type error stating that it cannot be called as a constructor.
19565
19566 It would be nice to expand JSExport's functionality to support this idiom. It is a natural
19567 extension to JSExport and would increase the expressiveness and simplicity in both Objective-C and
19568 JavaScript client code.
19569
19570 The way we'll do this is to expand the capabilities of ObjCCallbackFunction and associated classes.
19571 Instead of constructing a normal C API object for the constructor, we'll instead allocate a full-blown
19572 ObjCCallbackFunction object which can already properly handle being invoked as a constructor.
19573
19574 * API/JSWrapperMap.mm:
19575 (copyMethodsToObject):
19576 (allocateConstructorForCustomClass):
19577 (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
19578 (tryUnwrapObjcObject):
19579 * API/ObjCCallbackFunction.h:
19580 (JSC::ObjCCallbackFunction::impl):
19581 * API/ObjCCallbackFunction.mm:
19582 (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
19583 (JSC::ObjCCallbackFunctionImpl::wrappedConstructor):
19584 (JSC::ObjCCallbackFunctionImpl::isConstructible):
19585 (JSC::ObjCCallbackFunction::getConstructData):
19586 (JSC::ObjCCallbackFunctionImpl::name):
19587 (JSC::ObjCCallbackFunctionImpl::call):
19588 (objCCallbackFunctionForInvocation):
19589 (objCCallbackFunctionForInit):
19590 (tryUnwrapConstructor):
19591 * API/tests/testapi.mm:
19592 (-[TextXYZ initWithString:]):
19593 (-[ClassA initWithA:]):
19594 (-[ClassB initWithA:b:]):
19595 (-[ClassC initWithA:]):
19596 (-[ClassC initWithA:b:]):
19597
195982013-10-30 peavo@outlook.com <peavo@outlook.com>
19599
19600 [Win] Compile errors when enabling DFG JIT.
19601 https://bugs.webkit.org/show_bug.cgi?id=120998
19602
19603 Reviewed by Brent Fulgham.
19604
19605 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added files.
19606 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
19607 * dfg/DFGAllocator.h: Removed scope.
19608 * dfg/DFGWorklist.cpp: Use new ThreadingOnce class instead of pthread_once.
19609 (JSC::DFG::globalWorklist):
19610 * heap/DeferGC.h: Link fix, member needs to be public.
19611 * jit/JITOperationWrappers.h: Added required assembler macros.
19612
196132013-10-30 Iago Toral Quiroga <itoral@igalia.com>
19614
19615 Add result caching for Math.cos
19616 https://bugs.webkit.org/show_bug.cgi?id=123255
19617
19618 Reviewed by Brent Fulgham.
19619
19620 * runtime/MathObject.cpp:
19621 (JSC::mathProtoFuncCos):
19622 * runtime/VM.h:
19623
196242013-10-30 Alex Christensen <achristensen@webkit.org>
19625
19626 Disabled JIT on Win64.
19627 https://bugs.webkit.org/show_bug.cgi?id=122472
19628
19629 Reviewed by Geoffrey Garen.
19630
19631 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
19632 Disabled building JITStubsMSVC64.
19633
196342013-10-29 Michael Saboff <msaboff@apple.com>
19635
19636 Change local variable register allocation to start at offset -1
19637 https://bugs.webkit.org/show_bug.cgi?id=123182
19638
19639 Reviewed by Geoffrey Garen.
19640
19641 Adjusted the virtual register mapping down by one slot. Reduced
19642 the CallFrame header slots offsets by one. They now start at 0.
19643 Changed arity fixup to no longer skip past register slot 0 as this
19644 is now part of the CallFrame header.
19645
19646 * bytecode/VirtualRegister.h:
19647 (JSC::operandIsLocal):
19648 (JSC::operandIsArgument):
19649 (JSC::VirtualRegister::localToOperand):
19650 (JSC::VirtualRegister::operandToLocal):
19651 Adjusted functions for shift in mapping from local to register offset.
19652
19653 * dfg/DFGByteCodeParser.cpp:
19654 (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
19655 (JSC::DFG::ByteCodeParser::addCall):
19656 (JSC::DFG::ByteCodeParser::handleInlining):
19657 (JSC::DFG::ByteCodeParser::parseBlock):
19658 * dfg/DFGVariableEventStream.cpp:
19659 (JSC::DFG::VariableEventStream::reconstruct):
19660 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
19661 (JSC::DFG::VirtualRegisterAllocationPhase::run):
19662 * interpreter/CallFrame.h:
19663 (JSC::ExecState::frameExtent):
19664 (JSC::ExecState::offsetFor):
19665 * interpreter/Interpreter.cpp:
19666 (JSC::loadVarargs):
19667 (JSC::Interpreter::dumpRegisters):
19668 (JSC::Interpreter::executeCall):
19669 * llint/LLIntData.cpp:
19670 (JSC::LLInt::Data::performAssertions):
19671 * llint/LowLevelInterpreter.asm:
19672 Adjusted math to accommodate the shift in call frame slots.
19673
19674 * dfg/DFGJITCompiler.cpp:
19675 (JSC::DFG::JITCompiler::compileFunction):
19676 * dfg/DFGSpeculativeJIT.h:
19677 (JSC::DFG::SpeculativeJIT::calleeFrameOffset):
19678 * interpreter/CallFrame.cpp:
19679 (JSC::CallFrame::frameExtentInternal):
19680 * interpreter/JSStackInlines.h:
19681 (JSC::JSStack::pushFrame):
19682 * jit/JIT.cpp:
19683 (JSC::JIT::privateCompile):
19684 * jit/JITOperations.cpp:
19685 * llint/LLIntSlowPaths.cpp:
19686 (JSC::LLInt::llint_slow_path_stack_check):
19687 * runtime/CommonSlowPaths.h:
19688 (JSC::CommonSlowPaths::arityCheckFor):
19689 Fixed offset calculation to use VirtualRegister and related calculation instead of
19690 doing separate calculations.
19691
19692 * interpreter/JSStack.h:
19693 Adjusted CallFrame slots down by one. Did some miscellaneous fixing of dumpRegisters()
19694 in the process of testing the fixes.
19695
19696 * jit/ThunkGenerators.cpp:
19697 (JSC::arityFixup):
19698 Changed arity fixup to no longer skip past register slot 0 as this
19699 is now part of the CallFrame header.
19700
19701 * llint/LowLevelInterpreter32_64.asm:
19702 * llint/LowLevelInterpreter64.asm:
19703 Changed arity fixup to no longer skip past register slot 0 as this
19704 is now part of the CallFrame header. Updated op_enter processing for
19705 the change in local registers.
19706
19707 * runtime/JSGlobalObject.h:
19708 Removed the now unneeded extra slot in the global callframe
19709
197102013-10-29 Julien Brianceau <jbriance@cisco.com>
19711
19712 [arm] Fix lots of crashes because of 4th argument register trampling.
19713 https://bugs.webkit.org/show_bug.cgi?id=123421
19714
19715 Reviewed by Michael Saboff.
19716
19717 r3 register is the 4th argument register for ARM and also a scratch
19718 register in the baseline JIT for this architecture. We can use r6
19719 instead, as this used to be the timeoutCheckRegister and it is no
19720 longer used since r148119.
19721
19722 * assembler/ARMAssembler.h: Temp register is now r6 instead of r3 for ARM.
19723 * assembler/MacroAssemblerARMv7.h: Temp register is now r6 instead of r3 for ARMv7.
19724 * jit/GPRInfo.h: Add r3 properly in GPRInfo for ARM.
19725 (JSC::GPRInfo::toRegister):
19726 (JSC::GPRInfo::toIndex):
19727 * jit/JITStubsARM.h:
19728 (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
19729 * jit/JITStubsARMv7.h:
19730 (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
19731 * jit/JSInterfaceJIT.h: Remove useless stuff.
19732 * yarr/YarrJIT.cpp: Use r3 and not the new scratch register r6.
19733 (JSC::Yarr::YarrGenerator::generateEnter): r8 register doesn't need to be saved.
19734 (JSC::Yarr::YarrGenerator::generateReturn):
19735
197362013-10-29 Julien Brianceau <jbriance@cisco.com>
19737
19738 Fix CPU(ARM_TRADITIONAL) build after r157690.
19739 https://bugs.webkit.org/show_bug.cgi?id=123247
19740
19741 Reviewed by Michael Saboff.
19742
19743 Since r157690, the executableCopy function has been removed from AssemblerBuffer.h
19744 and the copy of executable code occurs in the linkCode function (in LinkBuffer.cpp).
19745 As the constant pool for jumps is updated in the executableCopy function of ARM_TRADITIONAL,
19746 this part of code still needs to be called and absolute jumps must be corrected to anticipate
19747 the copy of the executable code through memcpy.
19748
19749 * assembler/ARMAssembler.cpp:
19750 (JSC::ARMAssembler::prepareExecutableCopy): Rename executableCopy to prepareExecutableCopy
19751 and correct absolute jump values using the delta between the source and destination buffers.
19752 * assembler/ARMAssembler.h:
19753 * assembler/LinkBuffer.cpp:
19754 (JSC::LinkBuffer::linkCode): Call prepareExecutableCopy just before the memcpy.
19755
197562013-10-28 Filip Pizlo <fpizlo@apple.com>
19757
19758 OSRExit::m_watchpointIndex should be in OSRExitCompilationInfo
19759 https://bugs.webkit.org/show_bug.cgi?id=123423
19760
19761 Reviewed by Mark Hahnenberg.
19762
19763 Also enable ExitKind to tell you if it's a watchpoint.
19764
19765 * bytecode/ExitKind.cpp:
19766 (JSC::exitKindToString):
19767 * bytecode/ExitKind.h:
19768 (JSC::isWatchpoint):
19769 * dfg/DFGByteCodeParser.cpp:
19770 (JSC::DFG::ByteCodeParser::setLocal):
19771 (JSC::DFG::ByteCodeParser::setArgument):
19772 (JSC::DFG::ByteCodeParser::handleCall):
19773 (JSC::DFG::ByteCodeParser::handleGetById):
19774 (JSC::DFG::ByteCodeParser::parseBlock):
19775 * dfg/DFGJITCompiler.cpp:
19776 (JSC::DFG::JITCompiler::linkOSRExits):
19777 (JSC::DFG::JITCompiler::link):
19778 * dfg/DFGJITCompiler.h:
19779 (JSC::DFG::JITCompiler::appendExitInfo):
19780 * dfg/DFGOSRExit.cpp:
19781 (JSC::DFG::OSRExit::OSRExit):
19782 * dfg/DFGOSRExit.h:
19783 * dfg/DFGOSRExitCompilationInfo.h:
19784 (JSC::DFG::OSRExitCompilationInfo::OSRExitCompilationInfo):
19785 * dfg/DFGOSRExitCompiler.cpp:
19786 * dfg/DFGSpeculativeJIT.cpp:
19787 (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
19788 * dfg/DFGSpeculativeJIT32_64.cpp:
19789 (JSC::DFG::SpeculativeJIT::compile):
19790 * dfg/DFGSpeculativeJIT64.cpp:
19791 (JSC::DFG::SpeculativeJIT::compile):
19792
197932013-10-28 Myles C. Maxfield <mmaxfield@apple.com>
19794
19795 Parsing support for -webkit-text-decoration-skip: ink
19796 https://bugs.webkit.org/show_bug.cgi?id=123358
19797
19798 Reviewed by Dean Jackson.
19799
19800 Adding ENABLE(CSS3_TEXT_DECORATION)
19801
19802 * Configurations/FeatureDefines.xcconfig:
19803
198042013-10-24 Filip Pizlo <fpizlo@apple.com>
19805
19806 Get rid of InlineStart so that I don't have to implement it in FTL
19807 https://bugs.webkit.org/show_bug.cgi?id=123302
19808
19809 Reviewed by Geoffrey Garen.
19810
19811 InlineStart was a special instruction that we would insert at the top of inlined code,
19812 so that the backend could capture the OSR state of arguments to an inlined call. It used
19813 to be that only the backend had this information, so this instruction was sort of an ugly
19814 callback from the backend for filling in some data structures.
19815
19816 But in the time since when that code was written (two years ago?), we rationalized how
19817 variables work. It's now the case that variables that the runtime must know about are
19818 treated specially in IR (they are "flushed") and we know how we will represent them even
19819 before we get to the backend. The last place that makes changes to their representation
19820 is the StackLayoutPhase.
19821
19822 So, this patch gets rid of InlineStart, but keeps around the special meta-data that the
19823 instruction had. Instead of handling the bookkeeping in the backend, we handle it in
19824 StackLayoutPhase. This means that the DFG and FTL can share code for handling this
19825 bookkeeping. This also means that now the FTL can compile code blocks that had inlining.
19826
19827 Of course, giving the FTL the ability to handle code blocks that had inlining means that
19828 we're going to have new bugs. Sure enough, the FTL's linker didn't handle inline call
19829 frames. This patch also fixes that.
19830
19831 * dfg/DFGAbstractInterpreterInlines.h:
19832 (JSC::DFG::::executeEffects):
19833 * dfg/DFGByteCodeParser.cpp:
19834 (JSC::DFG::ByteCodeParser::handleInlining):
19835 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
19836 * dfg/DFGClobberize.h:
19837 (JSC::DFG::clobberize):
19838 * dfg/DFGFixupPhase.cpp:
19839 (JSC::DFG::FixupPhase::fixupNode):
19840 * dfg/DFGGraph.h:
19841 * dfg/DFGNode.h:
19842 * dfg/DFGNodeType.h:
19843 * dfg/DFGPredictionPropagationPhase.cpp:
19844 (JSC::DFG::PredictionPropagationPhase::propagate):
19845 * dfg/DFGSafeToExecute.h:
19846 (JSC::DFG::safeToExecute):
19847 * dfg/DFGSpeculativeJIT.cpp:
19848 * dfg/DFGSpeculativeJIT.h:
19849 * dfg/DFGSpeculativeJIT32_64.cpp:
19850 (JSC::DFG::SpeculativeJIT::compile):
19851 * dfg/DFGSpeculativeJIT64.cpp:
19852 (JSC::DFG::SpeculativeJIT::compile):
19853 * dfg/DFGStackLayoutPhase.cpp:
19854 (JSC::DFG::StackLayoutPhase::run):
19855 * ftl/FTLLink.cpp:
19856 (JSC::FTL::link):
19857
198582013-10-24 Filip Pizlo <fpizlo@apple.com>
19859
19860 The GetById->GetByOffset AI-based optimization should actually do things
19861 https://bugs.webkit.org/show_bug.cgi?id=123299
19862
19863 Reviewed by Oliver Hunt.
19864
19865 20% speed-up on Octane/gbemu.
19866
19867 * bytecode/GetByIdStatus.cpp:
19868 (JSC::GetByIdStatus::computeFor): Actually finish filling in the Status by setting the state. Previously it would remain set to NoInformation, meaning that this whole method was a no-op.
19869
198702013-10-28 Carlos Garcia Campos <cgarcia@igalia.com>
19871
19872 Unreviewed. Fix make distcheck.
19873
19874 * GNUmakefile.list.am: Add missing files to compilation.
19875
198762013-10-25 Oliver Hunt <oliver@apple.com>
19877
19878 Refactor parser rollback logic
19879 https://bugs.webkit.org/show_bug.cgi?id=123372
19880
19881 Reviewed by Brady Eidson.
19882
19883 Add a sane abstraction for rollbacks in the parser.
19884
19885 * parser/Parser.cpp:
19886 (JSC::::parseSourceElements):
19887 (JSC::::parseObjectLiteral):
19888 * parser/Parser.h:
19889 (JSC::Parser::createSavePoint):
19890 (JSC::Parser::restoreSavePoint):
19891
198922013-10-25 peavo@outlook.com <peavo@outlook.com>
19893
19894 [Win] Javascript crash with DFG JIT enabled.
19895 https://bugs.webkit.org/show_bug.cgi?id=121001
19896
19897 Reviewed by Geoffrey Garen.
19898
19899 On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)),
19900 results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
19901 where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
19902 This causes the register to be written to address 0, hence the crash.
19903
19904 * assembler/MacroAssemblerX86.h:
19905 (JSC::MacroAssemblerX86::storeDouble): Assert if we try to generate code which writes to a null pointer.
19906 * dfg/DFGOSRExitCompiler32_64.cpp:
19907 (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
19908 * dfg/DFGThunks.cpp:
19909 (JSC::DFG::osrExitGenerationThunkGenerator): Ditto.
19910
199112013-10-25 Oliver Hunt <oliver@apple.com>
19912
19913 Fix a number of problems with destructuring of arguments
19914 https://bugs.webkit.org/show_bug.cgi?id=123357
19915
19916 Reviewed by Filip Pizlo.
19917
19918 This renames the destructuring node's emitBytecode to bindValue
19919 in order to remove the existing confusion over what was happening.
19920
19921 We then fix an incorrect fall through in the destructuring arguments
19922 logic, and fix the then exposed bug where we placed the index rather
19923 than value into the bound property.
19924
19925 * bytecompiler/BytecodeGenerator.cpp:
19926 (JSC::BytecodeGenerator::BytecodeGenerator):
19927 * bytecompiler/NodesCodegen.cpp:
19928 (JSC::ForInNode::emitBytecode):
19929 (JSC::ForOfNode::emitBytecode):
19930 (JSC::DeconstructingAssignmentNode::emitBytecode):
19931 (JSC::ArrayPatternNode::bindValue):
19932 (JSC::ArrayPatternNode::emitDirectBinding):
19933 (JSC::ObjectPatternNode::bindValue):
19934 (JSC::BindingNode::bindValue):
19935 * parser/Nodes.h:
19936
199372013-10-25 Joseph Pecoraro <pecoraro@apple.com>
19938
19939 Upstream ENABLE(REMOTE_INSPECTOR) and enable on iOS and Mac
19940 https://bugs.webkit.org/show_bug.cgi?id=123111
19941
19942 Reviewed by Timothy Hatcher.
19943
19944 * Configurations/FeatureDefines.xcconfig:
19945
199462013-10-25 Oliver Hunt <oliver@apple.com>
19947
19948 Fix MSVC again
19949
19950 * parser/Parser.cpp:
19951
199522013-10-25 Oliver Hunt <oliver@apple.com>
19953
19954 Fix MSVC
19955
19956 * parser/Parser.cpp:
19957
199582013-10-25 Oliver Hunt <oliver@apple.com>
19959
19960 Improve JSC Parser error messages
19961 https://bugs.webkit.org/show_bug.cgi?id=123341
19962
19963 Reviewed by Andreas Kling.
19964
19965 This patch moves away from the current kludgy mechanisms used to produce
19966 error messages and moves to something closer to case by case errors.
19967
19968 This results in a large change size as previously we may just have
19969 'failIfFalse(foo)', but now the logic becomes either
19970 'failIfFalseWithMessage(foo, "Cannot do blah with ", foo->thing())'
19971 Or alternatively
19972
19973 if (!foo)
19974 check for 'interesting' errors, before falling back to generic error
19975
19976 This means that this patch is large, but produces no semantic changes, and
19977 only hits slow (e.g. error) paths.
19978
19979 * parser/Parser.cpp:
19980 (JSC::::Parser):
19981 (JSC::::parseSourceElements):
19982 (JSC::::parseVarDeclaration):
19983 (JSC::::parseConstDeclaration):
19984 (JSC::::parseDoWhileStatement):
19985 (JSC::::parseWhileStatement):
19986 (JSC::::parseVarDeclarationList):
19987 (JSC::::createBindingPattern):
19988 (JSC::::parseDeconstructionPattern):
19989 (JSC::::parseConstDeclarationList):
19990 (JSC::::parseForStatement):
19991 (JSC::::parseBreakStatement):
19992 (JSC::::parseContinueStatement):
19993 (JSC::::parseReturnStatement):
19994 (JSC::::parseThrowStatement):
19995 (JSC::::parseWithStatement):
19996 (JSC::::parseSwitchStatement):
19997 (JSC::::parseSwitchClauses):
19998 (JSC::::parseSwitchDefaultClause):
19999 (JSC::::parseTryStatement):
20000 (JSC::::parseDebuggerStatement):
20001 (JSC::::parseBlockStatement):
20002 (JSC::::parseStatement):
20003 (JSC::::parseFormalParameters):
20004 (JSC::::parseFunctionBody):
20005 (JSC::stringForFunctionMode):
20006 (JSC::::parseFunctionInfo):
20007 (JSC::::parseFunctionDeclaration):
20008 (JSC::::parseExpressionOrLabelStatement):
20009 (JSC::::parseExpressionStatement):
20010 (JSC::::parseIfStatement):
20011 (JSC::::parseExpression):
20012 (JSC::::parseAssignmentExpression):
20013 (JSC::::parseConditionalExpression):
20014 (JSC::::parseBinaryExpression):
20015 (JSC::::parseProperty):
20016 (JSC::::parseObjectLiteral):
20017 (JSC::::parseStrictObjectLiteral):
20018 (JSC::::parseArrayLiteral):
20019 (JSC::::parsePrimaryExpression):
20020 (JSC::::parseArguments):
20021 (JSC::::parseMemberExpression):
20022 (JSC::operatorString):
20023 (JSC::::parseUnaryExpression):
20024 (JSC::::printUnexpectedTokenText):
20025 * parser/Parser.h:
20026 (JSC::Scope::hasDeclaredVariable):
20027 (JSC::Scope::hasDeclaredParameter):
20028 (JSC::Parser::hasDeclaredVariable):
20029 (JSC::Parser::hasDeclaredParameter):
20030 (JSC::Parser::setErrorMessage):
20031
200322013-10-24 Mark Rowe <mrowe@apple.com>
20033
20034 Remove references to OS X 10.7 from Xcode configuration settings.
20035
20036 Now that we're not building for OS X 10.7 they're no longer needed.
20037
20038 Reviewed by Anders Carlsson.
20039
20040 * Configurations/Base.xcconfig:
20041 * Configurations/DebugRelease.xcconfig:
20042 * Configurations/FeatureDefines.xcconfig:
20043 * Configurations/Version.xcconfig:
20044
200452013-10-24 Mark Rowe <mrowe@apple.com>
20046
20047 <rdar://problem/15312643> Prepare for the mysterious future.
20048
20049 Reviewed by David Kilzer.
20050
20051 * Configurations/Base.xcconfig:
20052 * Configurations/DebugRelease.xcconfig:
20053 * Configurations/FeatureDefines.xcconfig:
20054 * Configurations/Version.xcconfig:
20055
200562013-10-24 Mark Lam <mark.lam@apple.com>
20057
20058 Better way to fix part of broken C Loop LLINT build.
20059 https://bugs.webkit.org/show_bug.cgi?id=123271.
20060
20061 Reviewed by Geoffrey Garen.
20062
20063 Undoing offline asm hackery.
20064
20065 * llint/LowLevelInterpreter.cpp:
20066 * llint/LowLevelInterpreter32_64.asm:
20067 * llint/LowLevelInterpreter64.asm:
20068 * offlineasm/cloop.rb:
20069 * offlineasm/instructions.rb:
20070
200712013-10-24 Mark Lam <mark.lam@apple.com>
20072
20073 Fix broken C Loop LLINT build.
20074 https://bugs.webkit.org/show_bug.cgi?id=123271.
20075
20076 Reviewed by Michael Saboff.
20077
20078 * bytecode/CodeBlock.cpp:
20079 (JSC::CodeBlock::printGetByIdCacheStatus): Added an UNUSED_PARAM().
20080 (JSC::CodeBlock::dumpBytecode): Added #if ENABLE(JIT) to JIT only code.
20081 * bytecode/GetByIdStatus.cpp:
20082 (JSC::GetByIdStatus::computeFor): Added an UNUSED_PARAM().
20083 * bytecode/PutByIdStatus.cpp:
20084 (JSC::PutByIdStatus::computeFor): Added an UNUSED_PARAM().
20085 * bytecode/StructureStubInfo.h:
20086 - Added a stub StubInfoMap for non-JIT builds. StubInfoMap is still used
20087 in function prototypes even when !ENABLE(JIT). Rather than adding #if's
20088 in many places, we just provide a stub/placeholder implementation that
20089 is unused but keeps the compiler happy.
20090 * jit/JITOperations.h: Added #if ENABLE(JIT).
20091 * llint/LowLevelInterpreter32_64.asm:
20092 * llint/LowLevelInterpreter64.asm:
20093 - The putByVal() macro reifies a slow path which is never taken in one case.
20094 This translates into a label that is never used in the C Loop LLINT. The
20095 C++ compiler doesn't like unused labels. So, we fix this by adding a
20096 cloopUnusedLabel offline asm instruction that synthesizes the following:
20097
20098 if (false) goto unusedLabel;
20099
20100 This keeps the C++ compiler happy without changing code behavior.
20101 * offlineasm/cloop.rb: Implementing cloopUnusedLabel.
20102 * offlineasm/instructions.rb: Declaring cloopUnusedLabel.
20103 * runtime/Executable.cpp:
20104 (JSC::setupJIT): Added UNUSED_PARAM()s.
20105 (JSC::ScriptExecutable::prepareForExecutionImpl):
20106 - run-javascriptcore-tests has phases that force the LLINT to be off
20107 which in turn asserts that the JIT is enabled. With the C Loop LLINT,
20108 this combination is illegal. So, we override the setup code here to
20109 always use the LLINT if !ENABLE(JIT) regardless of what options are
20110 passed in.
20111
201122013-10-24 peavo@outlook.com <peavo@outlook.com>
20113
20114 Uninitialized member causes crash when DFG JIT is not enabled.
20115 https://bugs.webkit.org/show_bug.cgi?id=123270
20116
20117 Reviewed by Brent Fulgham.
20118
20119 The data member sizeOfLastScratchBuffer in the VM class is only initialized if DFG JIT is enabled, even though it's defined regardless.
20120 This causes an early crash on Windows, which doesn't have DFG JIT enabled.
20121
20122 * runtime/VM.cpp:
20123 (JSC::VM::VM): Initialize sizeOfLastScratchBuffer member regardless of whether DFG JIT is enabled.
20124
201252013-10-24 Ryuan Choi <ryuan.choi@samsung.com>
20126
20127 [EFL] Build break with latest EFL 1.8 libraries.
20128 https://bugs.webkit.org/show_bug.cgi?id=123245
20129
20130 Reviewed by Gyuyoung Kim.
20131
20132 After the build break on EFL 1.8 was fixed at r138326, the EFL libraries changed the
20133 Eo typedef and split the header files that contain the version macro.
20134
20135 * PlatformEfl.cmake: Added EO path to include directories.
20136 * heap/HeapTimer.h: Changed Ecore_Timer typedef when EO exists.
20137
201382013-10-23 Filip Pizlo <fpizlo@apple.com>
20139
20140 Put all uses of LLVM intrinsics behind a single Option
20141 https://bugs.webkit.org/show_bug.cgi?id=123219
20142
20143 Reviewed by Mark Hahnenberg.
20144
20145 * ftl/FTLExitThunkGenerator.cpp:
20146 (JSC::FTL::ExitThunkGenerator::emitThunk):
20147 * ftl/FTLLowerDFGToLLVM.cpp:
20148 (JSC::FTL::generateExitThunks):
20149 (JSC::FTL::LowerDFGToLLVM::compileGetById):
20150 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
20151 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
20152 * ftl/FTLOSRExitCompiler.cpp:
20153 (JSC::FTL::compileFTLOSRExit):
20154 * runtime/Options.h:
20155
201562013-10-23 Daniel Bates <dabates@apple.com>
20157
20158 Fix JavaScriptCore build targets following <http://trac.webkit.org/changeset/157864>
20159 (https://bugs.webkit.org/show_bug.cgi?id=123169)
20160
20161 Tell Xcode that the supported platforms for all JavaScriptCore targets are iOS and OS X.
20162
20163 * Configurations/Base.xcconfig:
20164
201652013-10-23 Michael Saboff <msaboff@apple.com>
20166
20167 LLInt arity check exception processing should start unwinding from caller
20168 https://bugs.webkit.org/show_bug.cgi?id=123209
20169
20170 Reviewed by Oliver Hunt.
20171
20172 Use the caller frame returned from slow_path_call_arityCheck to process exceptions.
20173
20174 * llint/LowLevelInterpreter32_64.asm:
20175 * llint/LowLevelInterpreter64.asm:
20176
201772013-10-22 Filip Pizlo <fpizlo@apple.com>
20178
20179 FTL should be able to do some simple inline caches using LLVM patchpoints
20180 https://bugs.webkit.org/show_bug.cgi?id=123164
20181
20182 Reviewed by Mark Hahnenberg.
20183
20184 This implements GetById inline caches in the FTL using llvm.webkit.patchpoint.
20185
20186 The idea is that we ask LLVM for a nop slide the size of a GetById inline
20187 cache and then fill in the code after LLVM compilation is complete. For now, we
20188 just use the system calling convention for the arguments and return. We also
20189 still make some assumptions about registers that aren't correct. But, most of
20190 the scaffolding is there and this will successfully patch an inline cache.
20191
20192 * JavaScriptCore.xcodeproj/project.pbxproj:
20193 * assembler/AbstractMacroAssembler.h:
20194 * assembler/LinkBuffer.cpp:
20195 (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
20196 (JSC::LinkBuffer::linkCode):
20197 (JSC::LinkBuffer::allocate):
20198 * assembler/LinkBuffer.h:
20199 (JSC::LinkBuffer::LinkBuffer):
20200 (JSC::LinkBuffer::link):
20201 * ftl/FTLAbbreviations.h:
20202 (JSC::FTL::constNull):
20203 (JSC::FTL::buildCall):
20204 * ftl/FTLCapabilities.cpp:
20205 (JSC::FTL::canCompile):
20206 * ftl/FTLCompile.cpp:
20207 (JSC::FTL::fixFunctionBasedOnStackMaps):
20208 * ftl/FTLInlineCacheDescriptor.h: Added.
20209 (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
20210 (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
20211 (JSC::FTL::GetByIdDescriptor::stackmapID):
20212 (JSC::FTL::GetByIdDescriptor::codeOrigin):
20213 (JSC::FTL::GetByIdDescriptor::uid):
20214 * ftl/FTLInlineCacheSize.cpp: Added.
20215 (JSC::FTL::sizeOfGetById):
20216 (JSC::FTL::sizeOfPutById):
20217 * ftl/FTLInlineCacheSize.h: Added.
20218 * ftl/FTLIntrinsicRepository.h:
20219 * ftl/FTLJITFinalizer.cpp:
20220 (JSC::FTL::JITFinalizer::finalizeFunction):
20221 * ftl/FTLJITFinalizer.h:
20222 * ftl/FTLLocation.cpp:
20223 (JSC::FTL::Location::directGPR):
20224 * ftl/FTLLocation.h:
20225 * ftl/FTLLowerDFGToLLVM.cpp:
20226 (JSC::FTL::LowerDFGToLLVM::compileGetById):
20227 * ftl/FTLOutput.h:
20228 (JSC::FTL::Output::call):
20229 * ftl/FTLSlowPathCall.cpp: Added.
20230 (JSC::FTL::callOperation):
20231 * ftl/FTLSlowPathCall.h: Added.
20232 (JSC::FTL::SlowPathCall::SlowPathCall):
20233 (JSC::FTL::SlowPathCall::call):
20234 (JSC::FTL::SlowPathCall::key):
20235 * ftl/FTLSlowPathCallKey.cpp: Added.
20236 (JSC::FTL::SlowPathCallKey::dump):
20237 * ftl/FTLSlowPathCallKey.h: Added.
20238 (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
20239 (JSC::FTL::SlowPathCallKey::usedRegisters):
20240 (JSC::FTL::SlowPathCallKey::callTarget):
20241 (JSC::FTL::SlowPathCallKey::offset):
20242 (JSC::FTL::SlowPathCallKey::isEmptyValue):
20243 (JSC::FTL::SlowPathCallKey::isDeletedValue):
20244 (JSC::FTL::SlowPathCallKey::operator==):
20245 (JSC::FTL::SlowPathCallKey::hash):
20246 (JSC::FTL::SlowPathCallKeyHash::hash):
20247 (JSC::FTL::SlowPathCallKeyHash::equal):
20248 * ftl/FTLStackMaps.cpp:
20249 (JSC::FTL::StackMaps::Location::directGPR):
20250 * ftl/FTLStackMaps.h:
20251 * ftl/FTLState.h:
20252 * ftl/FTLThunks.cpp:
20253 (JSC::FTL::slowPathCallThunkGenerator):
20254 * ftl/FTLThunks.h:
20255 (JSC::FTL::Thunks::getSlowPathCallThunk):
20256 * jit/CCallHelpers.h:
20257 (JSC::CCallHelpers::setupArguments):
20258 * jit/GPRInfo.h:
20259 * jit/JITInlineCacheGenerator.cpp:
20260 (JSC::garbageStubInfo):
20261 (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
20262 (JSC::JITByIdGenerator::finalize):
20263 * jit/JITInlineCacheGenerator.h:
20264 (JSC::JITByIdGenerator::slowPathBegin):
20265 * jit/RegisterSet.cpp:
20266 (JSC::RegisterSet::stackRegisters):
20267 (JSC::RegisterSet::specialRegisters):
20268 (JSC::RegisterSet::calleeSaveRegisters):
20269 (JSC::RegisterSet::allGPRs):
20270 (JSC::RegisterSet::allFPRs):
20271 (JSC::RegisterSet::allRegisters):
20272 (JSC::RegisterSet::dump):
20273 * jit/RegisterSet.h:
20274 (JSC::RegisterSet::exclude):
20275 (JSC::RegisterSet::numberOfSetRegisters):
20276 (JSC::RegisterSet::RegisterSet):
20277 (JSC::RegisterSet::isEmptyValue):
20278 (JSC::RegisterSet::isDeletedValue):
20279 (JSC::RegisterSet::operator==):
20280 (JSC::RegisterSet::hash):
20281 (JSC::RegisterSetHash::hash):
20282 (JSC::RegisterSetHash::equal):
20283 * runtime/Options.h:
20284
202852013-10-22 Filip Pizlo <fpizlo@apple.com>
20286
20287 jitCompileAndSetHeuristics should DeferGCForAWhile
20288 https://bugs.webkit.org/show_bug.cgi?id=123196
20289
20290 Reviewed by Mark Hahnenberg.
20291
20292 This fixes random crashes in V8v7/raytrace. I only see those crashes on exactly one of
20293 my machines. I don't think this is testable; we just need to steadily converge towards
20294 getting our uses of DeferGC to be right and then be careful not to regress. We're not
20295 there yet, obviously.
20296
20297 * llint/LLIntSlowPaths.cpp:
20298 (JSC::LLInt::jitCompileAndSetHeuristics):
20299
203002013-10-23 Daniel Bates <dabates@apple.com>
20301
20302 [iOS] Upstream more JavaScriptCore build configuration changes
20303 https://bugs.webkit.org/show_bug.cgi?id=123169
20304
20305 Reviewed by David Kilzer.
20306
20307 * Configurations/Base.xcconfig:
20308 * Configurations/Version.xcconfig:
20309 * Configurations/iOS.xcconfig: Added.
20310 * JavaScriptCore.xcodeproj/project.pbxproj:
20311
203122013-10-23 Daniel Bates <dabates@apple.com>
20313
20314 [iOS] Export DefaultGCActivityCallback member functions
20315 https://bugs.webkit.org/show_bug.cgi?id=123175
20316
20317 Reviewed by David Kilzer.
20318
20319 * runtime/GCActivityCallback.h:
20320
203212013-10-23 Daniel Bates <dabates@apple.com>
20322
20323 [iOS] Upstream more ARMv7s bits
20324 https://bugs.webkit.org/show_bug.cgi?id=123052
20325
20326 Reviewed by Joseph Pecoraro.
20327
20328 * Configurations/JavaScriptCore.xcconfig:
20329
203302013-10-22 Andreas Kling <akling@apple.com>
20331
20332 Minor VM* -> VM& cleanups in HashTable and Keywords.
20333 <https://webkit.org/b/123183>
20334
20335 Turn some VM* variables that will never be null into VM&.
20336
20337 Reviewed by Geoffrey Garen.
20338
203392013-10-22 Geoffrey Garen <ggaren@apple.com>
20340
20341 REGRESSION: `if (false === (true && undefined)) console.log("wrong!");` logs "wrong!", shouldn't!
20342 https://bugs.webkit.org/show_bug.cgi?id=123179
20343
20344 Reviewed by Mark Hahnenberg.
20345
20346 * parser/NodeConstructors.h:
20347 (JSC::LogicalOpNode::LogicalOpNode):
20348 * parser/ResultType.h:
20349 (JSC::ResultType::forLogicalOp): Don't assume that && produces a boolean.
20350 This is JavaScript (aka Sparta).
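
An added illustration of the point in the entry above (example code, not JavaScriptCore's own; the "ResultType" lattice and function names are a model, not JSC's API): && and || evaluate to one of their operands, so a result-type rule that labels them boolean is unsound for mixed operand types, while a rule that joins the two operand types is not.

```javascript
// Added example (not JavaScriptCore code): why a logical-operator node's result
// type must not be assumed boolean. The modelled "result type" lattice and the
// function names here are illustrative, not JSC's own API.
const ResultType = {
  Boolean: 'Boolean', Number: 'Number', String: 'String',
  Undefined: 'Undefined', Null: 'Null', Unknown: 'Unknown',
};

// Static type of a literal operand in the model.
function typeOfValue(v) {
  if (v === null) return ResultType.Null;
  switch (typeof v) {
    case 'boolean': return ResultType.Boolean;
    case 'number': return ResultType.Number;
    case 'string': return ResultType.String;
    case 'undefined': return ResultType.Undefined;
    default: return ResultType.Unknown;
  }
}

// The faulty rule the entry describes: treat && / || as boolean producers.
function forLogicalOpAssumingBoolean(_left, _right) {
  return ResultType.Boolean;
}

// Corrected rule: && and || yield one of their operands, so the result type is
// the join of both operand types (collapsing to Unknown when they differ).
function forLogicalOp(left, right) {
  return left === right ? left : ResultType.Unknown;
}

// Runtime behaviour of the two operators, used to check the static rule.
function evalLogical(op, a, b) {
  return op === '&&' ? (a && b) : (a || b);
}

// True when the inferred type is consistent with the runtime value.
function inferenceIsSound(rule, op, a, b) {
  const inferred = rule(typeOfValue(a), typeOfValue(b));
  const actual = typeOfValue(evalLogical(op, a, b));
  return inferred === ResultType.Unknown || inferred === actual;
}

// Constructed operand pairs; the third is the entry's regression case.
const SAMPLES = [
  ['&&', true, false],
  ['||', 0, 1],
  ['&&', true, undefined],   // (true && undefined) is undefined, not a boolean
  ['||', '', null],
];

// Counts how many samples a rule mis-types.
function countUnsound(rule) {
  return SAMPLES.filter(([op, a, b]) => !inferenceIsSound(rule, op, a, b)).length;
}

// The expression from the entry: must be false, since undefined is not false.
function regressionCase() {
  return false === (true && undefined);
}
```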
20351
203522013-10-22 Commit Queue <commit-queue@webkit.org>
20353
20354 Unreviewed, rolling out r157819.
20355 http://trac.webkit.org/changeset/157819
20356 https://bugs.webkit.org/show_bug.cgi?id=123180
20357
20358 Broke 32-bit builds (Requested by smfr on #webkit).
20359
20360 * Configurations/JavaScriptCore.xcconfig:
20361 * Configurations/ToolExecutable.xcconfig:
20362
203632013-10-22 Daniel Bates <dabates@apple.com>
20364
20365 [iOS] Upstream more ARMv7s bits
20366 https://bugs.webkit.org/show_bug.cgi?id=123052
20367
20368 Reviewed by Joseph Pecoraro.
20369
20370 * Configurations/JavaScriptCore.xcconfig:
20371 * Configurations/ToolExecutable.xcconfig: Enable CLANG_ENABLE_OBJC_ARC for i386 as I'm
20372 modifying a file in JavaScriptCore/Configurations.
20373
203742013-10-22 Daniel Bates <dabates@apple.com>
20375
20376 [iOS] Upstream JSLock changes
20377 https://bugs.webkit.org/show_bug.cgi?id=123107
20378
20379 Reviewed by Geoffrey Garen.
20380
20381 * runtime/JSLock.cpp:
20382 (JSC::JSLock::unlock):
20383 (JSC::JSLock::dropAllLocks): Modified to take a SpinLock, used only on iOS.
20384 (JSC::JSLock::dropAllLocksUnconditionally): Modified to take a SpinLock, used only on iOS. Also
20385 use pre-increment instead of post-increment when we're not using the return value of the instruction.
20386 (JSC::JSLock::grabAllLocks): Modified to take a SpinLock, used only on iOS. Also change
20387 places where we were using post-increment/post-decrement to use pre-increment/pre-decrement,
20388 since we don't use the return value of such instructions.
20389 (JSC::JSLock::DropAllLocks::DropAllLocks): Modified to support releasing all locks unconditionally.
20390 Take a spin lock before releasing all locks on iOS. Also, use nullptr instead of 0.
20391 (JSC::JSLock::DropAllLocks::~DropAllLocks): Take a spin lock before acquiring all locks on iOS.
20392 * runtime/JSLock.h: Remove extraneous argument name "exec" from DropAllLocks as the data type of
20393 the argument is sufficiently descriptive of its purpose.
20394
203952013-10-22 Julien Brianceau <jbriance@cisco.com>
20396
20397 [arm] Add missing setupArgumentsWithExecState() prototypes to fix build.
20398 https://bugs.webkit.org/show_bug.cgi?id=123166
20399
20400 Reviewed by Michael Saboff.
20401
20402 * jit/CCallHelpers.h:
20403 (JSC::CCallHelpers::setupArgumentsWithExecState):
20404
204052013-10-22 Julien Brianceau <jbriance@cisco.com>
20406
20407 [sh4][mips][arm] Fix crashes in JSC (32-bit only).
20408 https://bugs.webkit.org/show_bug.cgi?id=123165
20409
20410 Reviewed by Michael Saboff.
20411
20412 * jit/JITInlines.h:
20413 (JSC::JIT::callOperationNoExceptionCheck): Add missing EABI_32BIT_DUMMY_ARG.
20414 (JSC::JIT::callOperation): The last TrustedImm32(arg3) is a bit overkill for SH4 :)
20415 (JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG.
20416 (JSC::JIT::callOperation): Fix tag and payload order for V_JITOperation_EJJJ prototype.
20417
204182013-10-22 Julien Brianceau <jbriance@cisco.com>
20419
20420 REGRESSION(r157690, r157699) Fix architectures using AssemblerBufferWithConstantPool.
20421 https://bugs.webkit.org/show_bug.cgi?id=123092
20422
20423 Reviewed by Michael Saboff.
20424
20425 Impacted architectures are SH4 and ARM_TRADITIONAL.
20426
20427 * assembler/ARMAssembler.h:
20428 (JSC::ARMAssembler::buffer):
20429 * assembler/AssemblerBufferWithConstantPool.h:
20430 (JSC::AssemblerBufferWithConstantPool::flushConstantPool):
20431 * assembler/LinkBuffer.cpp:
20432 (JSC::LinkBuffer::linkCode):
20433 * assembler/SH4Assembler.h:
20434 (JSC::SH4Assembler::buffer):
20435
204362013-10-22 Julien Brianceau <jbriance@cisco.com>
20437
20438 Remove unused stuff in JIT stubs.
20439 https://bugs.webkit.org/show_bug.cgi?id=123155
20440
20441 Reviewed by Michael Saboff.
20442
20443 * jit/JITStubs.h:
20444 * jit/JITStubsARM.h:
20445 (JSC::ctiTrampoline):
20446 * jit/JITStubsARM64.h:
20447 * jit/JITStubsARMv7.h:
20448 * jit/JITStubsMIPS.h:
20449 * jit/JITStubsSH4.h:
20450 * jit/JITStubsX86.h:
20451 * jit/JITStubsX86_64.h:
20452
204532013-10-22 Daniel Bates <dabates@apple.com>
20454
20455 [iOS] Upstream OS-version-specific install paths for JavaScriptCore.framework
20456 https://bugs.webkit.org/show_bug.cgi?id=123115
20457 <rdar://problem/13696872>
20458
20459 Reviewed by Andy Estes.
20460
20461 Based on a patch by Mark Hahnenberg.
20462
20463 Add support for running JavaScriptCore-based apps, built against the iOS 7 SDK, on older versions of iOS.
20464
20465 * API/JSBase.cpp:
20466
204672013-10-22 Julien Brianceau <jbriance@cisco.com>
20468
20469 [sh4] Add missing lastRegister(), firstFPRegister() and lastFPRegister().
20470 https://bugs.webkit.org/show_bug.cgi?id=123157
20471
20472 Reviewed by Andreas Kling.
20473
20474 * assembler/SH4Assembler.h:
20475 (JSC::SH4Assembler::lastRegister):
20476 (JSC::SH4Assembler::firstFPRegister):
20477 (JSC::SH4Assembler::lastFPRegister):
20478
204792013-10-22 Brian Holt <brian.holt@samsung.com>
20480
20481 Build break on ARMv7 after r157209
20482 https://bugs.webkit.org/show_bug.cgi?id=122890
20483
20484 Reviewed by Csaba Osztrogonác.
20485
20486 Add framePointerRegister and first/last register helpers for ARM_TRADITIONAL.
20487
20488 * assembler/ARMAssembler.h:
20489 * assembler/MacroAssemblerARM.h:
20490 (JSC::MacroAssemblerARM::firstRegister):
20491 (JSC::MacroAssemblerARM::lastRegister):
20492 (JSC::MacroAssemblerARM::firstFPRegister):
20493 (JSC::MacroAssemblerARM::lastFPRegister):
20494
204952013-10-21 Daniel Bates <dabates@apple.com>
20496
20497 [iOS] Upstream JSGlobalObject::shouldInterruptScriptBeforeTimeout()
20498 https://bugs.webkit.org/show_bug.cgi?id=123045
20499
20500 Reviewed by Joseph Pecoraro.
20501
20502 * jsc.cpp: Add function pointer for shouldInterruptScriptBeforeTimeout
20503 to global method table.
20504 * runtime/JSGlobalObject.cpp: Ditto.
20505 * runtime/JSGlobalObject.h:
20506 (JSC::JSGlobalObject::shouldInterruptScriptBeforeTimeout): Added.
20507
205082013-10-21 Daniel Bates <dabates@apple.com>
20509
20510 [iOS] Upstream JSC Objective-C API compiler warning fixes
20511 https://bugs.webkit.org/show_bug.cgi?id=123125
20512
20513 Reviewed by Mark Hahnenberg.
20514
20515 Based on a patch by Mark Hahnenberg.
20516
20517 * API/JSValue.mm:
20518 (-[JSValue toPoint]): Cast to CGFloat to fix some compiler warnings about double narrowing to float.
20519 (-[JSValue toSize]): Ditto.
20520 * API/tests/testapi.mm: Changed a test that was failing due to overflow of 32-bit NSUInteger on armv7.
20521
205222013-10-21 Daniel Bates <dabates@apple.com>
20523
20524 [iOS] Mark classes JS{Context, ManagedValue, Value, VirtualMachine} as
20525 available since iOS 7.0
20526 https://bugs.webkit.org/show_bug.cgi?id=123122
20527
20528 Reviewed by Dan Bernstein.
20529
20530 * API/JSContext.h:
20531 * API/JSManagedValue.h:
20532 * API/JSValue.h:
20533 * API/JSVirtualMachine.h:
20534
205352013-10-20 Mark Lam <mark.lam@apple.com>
20536
20537 Avoid JSC debugger overhead unless needed.
20538 https://bugs.webkit.org/show_bug.cgi?id=123084.
20539
20540 Reviewed by Geoffrey Garen.
20541
20542 - If no breakpoints are set, we now avoid calling the debug hook callbacks.
20543 - If no break on exception is set, we also avoid exception event debug callbacks.
20544 - When we return from the ScriptDebugServer to the JSC::Debugger, we may no
20545 longer call the debug hook callbacks if not needed. Hence, the m_currentCallFrame
20546 pointer in the ScriptDebugServer may become stale. To avoid this issue, before
20547 returning, the ScriptDebugServer will clear its m_currentCallFrame if
20548 needsOpDebugCallbacks() is false.
20549
20550 * debugger/Debugger.cpp:
20551 (JSC::Debugger::Debugger):
20552 (JSC::Debugger::setNeedsExceptionCallbacks):
20553 (JSC::Debugger::setShouldPause):
20554 (JSC::Debugger::updateNumberOfBreakpoints):
20555 (JSC::Debugger::updateNeedForOpDebugCallbacks):
20556 * debugger/Debugger.h:
20557 * interpreter/Interpreter.cpp:
20558 (JSC::Interpreter::unwind):
20559 (JSC::Interpreter::debug):
20560 * jit/JITOpcodes.cpp:
20561 (JSC::JIT::emit_op_debug):
20562 * jit/JITOpcodes32_64.cpp:
20563 (JSC::JIT::emit_op_debug):
20564 * llint/LLIntOffsetsExtractor.cpp:
20565 * llint/LowLevelInterpreter.asm:
20566
205672013-10-21 Brent Fulgham <bfulgham@apple.com>
20568
20569 [WIN] Unreviewed build correction.
20570
20571 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Handle new JIT files as C++ implementation
20572 sources, not header files.
20573 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
20574
205752013-10-21 Oliver Hunt <oliver@apple.com>
20576
20577 Support computed property names in object literals
20578 https://bugs.webkit.org/show_bug.cgi?id=123112
20579
20580 Reviewed by Michael Saboff.
20581
20582 Add support for computed property names to the parser.
20583
20584 * bytecompiler/NodesCodegen.cpp:
20585 (JSC::PropertyListNode::emitBytecode):
20586 * parser/ASTBuilder.h:
20587 (JSC::ASTBuilder::createProperty):
20588 (JSC::ASTBuilder::getName):
20589 * parser/NodeConstructors.h:
20590 (JSC::PropertyNode::PropertyNode):
20591 * parser/Nodes.h:
20592 (JSC::PropertyNode::expressionName):
20593 (JSC::PropertyNode::name):
20594 * parser/Parser.cpp:
20595 (JSC::::parseProperty):
20596 (JSC::::parseStrictObjectLiteral):
20597 * parser/SyntaxChecker.h:
20598 (JSC::SyntaxChecker::Property::Property):
20599 (JSC::SyntaxChecker::createProperty):
20600 (JSC::SyntaxChecker::operatorStackPop):
20601
206022013-10-21 Michael Saboff <msaboff@apple.com>
20603
20604 Add option so that JSC will crash if it can't allocate executable memory for the JITs
20605 https://bugs.webkit.org/show_bug.cgi?id=123048
20606 <rdar://problem/12856193>
20607
20608 Reviewed by Geoffrey Garen.
20609
20610 Added new option, called crashIfCantAllocateJITMemory. If this option is true then we crash
20611 when checking the validity of the executable allocator. The default value for this option is
20612 false, but jsc sets it to true when built for iOS to make it straightforward to identify whether
20613 the app can obtain executable memory.
20614
20615 * jsc.cpp: Explicitly enable crashIfCantAllocateJITMemory on iOS.
20616 (main):
20617 * runtime/Options.h: Added option crashIfCantAllocateJITMemory.
20618 * runtime/VM.cpp:
20619 (JSC::enableAssembler): Modified to crash if option crashIfCantAllocateJITMemory
20620 is enabled.
20621
206222013-10-21 Nadav Rotem <nrotem@apple.com>
20623
20624 Remove AllInOneFile.cpp
20625 https://bugs.webkit.org/show_bug.cgi?id=123055
20626
20627 Reviewed by Csaba Osztrogonác.
20628
20629 * AllInOneFile.cpp: Removed.
20630
206312013-10-20 Filip Pizlo <fpizlo@apple.com>
20632
20633 Unreviewed, cleanup a FIXME comment.
20634
20635 * jit/Repatch.cpp:
20636
206372013-10-20 Filip Pizlo <fpizlo@apple.com>
20638
20639 StructureStubInfo's usedRegisters set should be able to track all registers, not just the ones that our JIT's view as temporaries
20640 https://bugs.webkit.org/show_bug.cgi?id=123076
20641
20642 Reviewed by Sam Weinig.
20643
20644 Start preparing for a world in which we are patching code generated by LLVM, which may have
20645 very different register usage conventions than our JITs. This requires us being more explicit
20646 about the registers we are using. For example, the repatching code shouldn't take for granted
20647 that tagMaskRegister holds the TagMask or that the register is even in use.
20648
20649 * CMakeLists.txt:
20650 * GNUmakefile.list.am:
20651 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
20652 * JavaScriptCore.xcodeproj/project.pbxproj:
20653 * assembler/MacroAssembler.h:
20654 (JSC::MacroAssembler::numberOfRegisters):
20655 (JSC::MacroAssembler::registerIndex):
20656 (JSC::MacroAssembler::numberOfFPRegisters):
20657 (JSC::MacroAssembler::fpRegisterIndex):
20658 (JSC::MacroAssembler::totalNumberOfRegisters):
20659 * bytecode/StructureStubInfo.h:
20660 * dfg/DFGSpeculativeJIT.cpp:
20661 (JSC::DFG::SpeculativeJIT::usedRegisters):
20662 * dfg/DFGSpeculativeJIT.h:
20663 * ftl/FTLSaveRestore.cpp:
20664 (JSC::FTL::bytesForGPRs):
20665 (JSC::FTL::bytesForFPRs):
20666 (JSC::FTL::offsetOfGPR):
20667 (JSC::FTL::offsetOfFPR):
20668 * jit/JITInlineCacheGenerator.cpp:
20669 (JSC::JITByIdGenerator::JITByIdGenerator):
20670 (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
20671 * jit/JITInlineCacheGenerator.h:
20672 (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
20673 * jit/JITPropertyAccess.cpp:
20674 (JSC::JIT::emit_op_get_by_id):
20675 (JSC::JIT::emit_op_put_by_id):
20676 * jit/JITPropertyAccess32_64.cpp:
20677 (JSC::JIT::emit_op_get_by_id):
20678 (JSC::JIT::emit_op_put_by_id):
20679 * jit/RegisterSet.cpp: Added.
20680 (JSC::RegisterSet::specialRegisters):
20681 * jit/RegisterSet.h: Added.
20682 (JSC::RegisterSet::RegisterSet):
20683 (JSC::RegisterSet::set):
20684 (JSC::RegisterSet::clear):
20685 (JSC::RegisterSet::get):
20686 (JSC::RegisterSet::merge):
20687 * jit/Repatch.cpp:
20688 (JSC::generateProtoChainAccessStub):
20689 (JSC::tryCacheGetByID):
20690 (JSC::tryBuildGetByIDList):
20691 (JSC::emitPutReplaceStub):
20692 (JSC::tryRepatchIn):
20693 (JSC::linkClosureCall):
20694 * jit/TempRegisterSet.cpp: Added.
20695 (JSC::TempRegisterSet::TempRegisterSet):
20696 * jit/TempRegisterSet.h:
20697
206982013-10-20 Julien Brianceau <jbriance@cisco.com>
20699
20700 [sh4] Fix build (broken since r157690).
20701 https://bugs.webkit.org/show_bug.cgi?id=123081
20702
20703 Reviewed by Andreas Kling.
20704
20705 * assembler/AssemblerBufferWithConstantPool.h:
20706 * assembler/SH4Assembler.h:
20707 (JSC::SH4Assembler::buffer):
20708 (JSC::SH4Assembler::readCallTarget):
20709
207102013-10-19 Filip Pizlo <fpizlo@apple.com>
20711
20712 Simplify TempRegisterSet - it no longer needs to be convertible to a POD since it's no longer going to be a member of a union
20713 https://bugs.webkit.org/show_bug.cgi?id=123079
20714
20715 Reviewed by Geoffrey Garen.
20716
20717 * jit/TempRegisterSet.h:
20718
207192013-10-19 Filip Pizlo <fpizlo@apple.com>
20720
20721 Rename RegisterSet to TempRegisterSet
20722 https://bugs.webkit.org/show_bug.cgi?id=123077
20723
20724 Reviewed by Dan Bernstein.
20725
20726 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
20727 * JavaScriptCore.xcodeproj/project.pbxproj:
20728 * bytecode/StructureStubInfo.h:
20729 * dfg/DFGJITCompiler.h:
20730 * dfg/DFGSpeculativeJIT.h:
20731 (JSC::DFG::SpeculativeJIT::usedRegisters):
20732 * jit/JITInlineCacheGenerator.cpp:
20733 (JSC::JITByIdGenerator::JITByIdGenerator):
20734 (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
20735 * jit/JITInlineCacheGenerator.h:
20736 (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
20737 * jit/JITPropertyAccess.cpp:
20738 (JSC::JIT::emit_op_get_by_id):
20739 (JSC::JIT::emit_op_put_by_id):
20740 * jit/JITPropertyAccess32_64.cpp:
20741 (JSC::JIT::emit_op_get_by_id):
20742 (JSC::JIT::emit_op_put_by_id):
20743 * jit/RegisterSet.h: Removed.
20744 * jit/ScratchRegisterAllocator.h:
20745 (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
20746 * jit/TempRegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h.
20747 (JSC::TempRegisterSet::TempRegisterSet):
20748 (JSC::TempRegisterSet::asPOD):
20749 (JSC::TempRegisterSet::copyInfo):
20750
207512013-10-19 Filip Pizlo <fpizlo@apple.com>
20752
20753 Restructure LinkBuffer to allow for alternate allocation strategies
20754 https://bugs.webkit.org/show_bug.cgi?id=123071
20755
20756 Reviewed by Oliver Hunt.
20757
20758 The idea is to eventually allow a LinkBuffer to place the code into an already
20759 allocated region of memory. That region of memory could be the nop-slide left behind
20760 by a llvm.webkit.patchpoint.
20761
20762 * assembler/ARM64Assembler.h:
20763 (JSC::ARM64Assembler::buffer):
20764 * assembler/AssemblerBuffer.h:
20765 * assembler/LinkBuffer.cpp:
20766 (JSC::LinkBuffer::copyCompactAndLinkCode):
20767 (JSC::LinkBuffer::linkCode):
20768 (JSC::LinkBuffer::allocate):
20769 (JSC::LinkBuffer::shrink):
20770 * assembler/LinkBuffer.h:
20771 (JSC::LinkBuffer::LinkBuffer):
20772 (JSC::LinkBuffer::didFailToAllocate):
20773 * assembler/X86Assembler.h:
20774 (JSC::X86Assembler::buffer):
20775 (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
20776
207772013-10-19 Alexey Proskuryakov <ap@apple.com>
20778
20779 Some includes in JSC seem to use an incorrect style
20780 https://bugs.webkit.org/show_bug.cgi?id=123057
20781
20782 Reviewed by Geoffrey Garen.
20783
20784 Changed pseudo-system includes to user ones.
20785
20786 * API/JSContextRef.cpp:
20787 * API/JSStringRefCF.cpp:
20788 * API/JSValueRef.cpp:
20789 * API/OpaqueJSString.cpp:
20790 * jit/JIT.h:
20791 * parser/SyntaxChecker.h:
20792 * runtime/WeakGCMap.h:
20793
2013-10-19 Filip Pizlo <fpizlo@apple.com>

        Baseline JIT and DFG IC code generation should be unified and rationalized
        https://bugs.webkit.org/show_bug.cgi?id=122939

        Reviewed by Geoffrey Garen.

        Introduce the JITInlineCacheGenerator, which takes a CodeBlock and a CodeOrigin plus
        some register info and creates JIT inline caches for you. Used this to even further
        unify the baseline and DFG ICs. In the future we can use this for FTL ICs. And my hope
        is that we'll be able to use it for cascading ICs: an IC for some instruction may realize
        that it needs to do the equivalent of get_by_id, so with this generator it will be able
        to create an IC even though it wasn't associated with a get_by_id bytecode instruction.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::DataLabelCompact::label):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::ecmaMode):
        * dfg/DFGInlineCacheWrapper.h: Added.
        (JSC::DFG::InlineCacheWrapper::InlineCacheWrapper):
        * dfg/DFGInlineCacheWrapperInlines.h: Added.
        (JSC::DFG::::finalize):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addGetById):
        (JSC::DFG::JITCompiler::addPutById):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::isStrictModeFor):
        (JSC::AssemblyHelpers::strictModeFor):
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::tagGPR):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp: Added.
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::finalize):
        (JSC::JITByIdGenerator::generateFastPathChecks):
        (JSC::JITGetByIdGenerator::generateFastPath):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        (JSC::JITPutByIdGenerator::generateFastPath):
        (JSC::JITPutByIdGenerator::slowPathFunction):
        * jit/JITInlineCacheGenerator.h: Added.
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITInlineCacheGenerator::stubInfo):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::reportSlowPathCall):
        (JSC::JITByIdGenerator::slowPathJump):
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::set):

2013-10-19 Alexey Proskuryakov <ap@apple.com>

        APICast.h uses functions from JSCJSValueInlines.h, but doesn't include it
        https://bugs.webkit.org/show_bug.cgi?id=123067

        Reviewed by Geoffrey Garen.

        * API/APICast.h: Include it.

2013-10-19 Filip Pizlo <fpizlo@apple.com>

        FTL::Location should treat the offset as an addend in the case of a Register location
        https://bugs.webkit.org/show_bug.cgi?id=123062

        Reviewed by Sam Weinig.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        (JSC::FTL::Location::dump):
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLLocation.h:
        (JSC::FTL::Location::forRegister):
        (JSC::FTL::Location::hasAddend):
        (JSC::FTL::Location::addend):

2013-10-19 Nadav Rotem <nrotem@apple.com>

        DFG dominators: document and rename stuff.
        https://bugs.webkit.org/show_bug.cgi?id=123056

        Reviewed by Filip Pizlo.

        Documented the code and renamed some variables.

        * dfg/DFGDominators.cpp:
        (JSC::DFG::Dominators::compute):
        (JSC::DFG::Dominators::pruneDominators):
        * dfg/DFGDominators.h:

2013-10-19 Julien Brianceau <jbriance@cisco.com>

        Fix build failure for architectures with 4 argument registers.
        https://bugs.webkit.org/show_bug.cgi?id=123060

        Reviewed by Michael Saboff.

        Add missing setupArgumentsWithExecState() prototypes for architectures with 4 argument registers.
        Remove SH4 specific code no longer needed since callOperation prototype change in r157660.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):

2013-10-18 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetById):

2013-10-18 Filip Pizlo <fpizlo@apple.com>

        A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs
        https://bugs.webkit.org/show_bug.cgi?id=122940

        Reviewed by Oliver Hunt.

        This accomplishes a number of simplifications. StructureStubInfo is now non-moving,
        whereas previously it was in a Vector, so it moved. This allows you to use pointers to
        StructureStubInfo. This also eliminates the use of return PC as a way of finding the
        StructureStubInfo's. It removes some of the need for the compile-time property access
        records; for example the DFG no longer has to save information about registers in a
        property access record only to later save it to the stub info.

        The main thing this accomplishes is that it makes it easier to add StructureStubInfo's
        at any stage of compilation.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::addStubInfo):
        (JSC::CodeBlock::getStubInfoMap):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::begin):
        (JSC::CodeBlock::end):
        (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::CodeOrigin):
        (JSC::CodeOrigin::isHashTableDeletedValue):
        (JSC::CodeOrigin::hash):
        (JSC::CodeOriginHash::hash):
        (JSC::CodeOriginHash::equal):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        * bytecode/StructureStubInfo.h:
        (JSC::getStructureStubInfoCodeOrigin):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
        (JSC::DFG::InRecord::InRecord):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::PropertyStubCompilationInfo::slowCaseInfo):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::appropriateGenericPutByIdFunction):
        (JSC::appropriateListBuildingPutByIdFunction):
        (JSC::resetPutByID):

2013-10-18 Oliver Hunt <oliver@apple.com>

        Spread operator should be performing direct "puts" and not triggering setters
        https://bugs.webkit.org/show_bug.cgi?id=123047

        Reviewed by Geoffrey Garen.

        Add a new opcode -- op_put_by_val_direct -- and make use of it in the spread
        to array construct. This required a new PutByValDirect node to be introduced to
        the DFG. The current implementation simply changes the slow path function that
        is called, but in future this could be made faster as it does not need to check
        the prototype chain.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutByVal):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getArrayLengthElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::clobbersWorld):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArrayMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        (JSC::DFG::operationPutByValInternal):
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JSC::JIT::compileDirectPutByVal):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-10-18 Daniel Bates <dabates@apple.com>

        [iOS] Export symbol for VM::sharedInstanceExists()
        https://bugs.webkit.org/show_bug.cgi?id=123046

        Reviewed by Mark Hahnenberg.

        * runtime/VM.h:

2013-10-18 Daniel Bates <dabates@apple.com>

        [iOS] Upstream WebSafe{GCActivityCallback, IncrementalSweeper}IOS
        https://bugs.webkit.org/show_bug.cgi?id=123049

        Reviewed by Mark Hahnenberg.

        * heap/Heap.cpp:
        (JSC::Heap::setIncrementalSweeper):
        * heap/Heap.h:
        * heap/HeapTimer.h:
        * heap/IncrementalSweeper.h: Make protected and export CF-variant of constructor.
        Removed unused include of header RetainPtr.h. Also forward declare class MarkedBlock
        (we include its header in the .cpp file) and remove include for header wtf/HashSet.h
        (duplicates the include in the .cpp).
        * heap/MachineStackMarker.h: Export function makeUsableFromMultipleThreads(). We aren't
        making use of this now, but we'll make use of it in a subsequent patch.

2013-10-18 Anders Carlsson <andersca@apple.com>

        Remove spaces between template angle brackets
        https://bugs.webkit.org/show_bug.cgi?id=123040

        Reviewed by Andreas Kling.

        * API/JSCallbackObject.cpp:
        (JSC::::create):
        * API/JSObjectRef.cpp:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::constants):
        (JSC::CodeBlock::setConstantRegisters):
        * bytecode/DFGExitProfile.h:
        * bytecode/EvalCodeCache.h:
        * bytecode/Operands.h:
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::constantRegisters):
        * bytecode/Watchpoint.h:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/StaticPropertyAnalysis.h:
        * bytecompiler/StaticPropertyAnalyzer.h:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::performCSE):
        (JSC::DFG::performStoreElimination):
        * dfg/DFGCommonData.h:
        * dfg/DFGDesiredStructureChains.h:
        * dfg/DFGDesiredWatchpoints.h:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGWorklist.h:
        * heap/BlockAllocator.h:
        (JSC::CopiedBlock):
        (JSC::MarkedBlock):
        (JSC::WeakBlock):
        (JSC::MarkStackSegment):
        (JSC::CopyWorkListSegment):
        (JSC::HandleBlock):
        * heap/Heap.h:
        * heap/Local.h:
        * heap/MarkedBlock.h:
        * heap/Strong.h:
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::decodedCodeMapFor):
        * jit/AssemblyHelpers.h:
        * jit/SpecializedThunkJIT.h:
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::::parseIfStatement):
        * parser/Parser.h:
        (JSC::Scope::copyCapturedVariablesToVector):
        (JSC::parse):
        * parser/ParserArena.h:
        * parser/SourceProviderCacheItem.h:
        * profiler/LegacyProfiler.cpp:
        (JSC::dispatchFunctionToProfiles):
        * profiler/LegacyProfiler.h:
        (JSC::LegacyProfiler::currentProfiles):
        * profiler/ProfileNode.h:
        (JSC::ProfileNode::children):
        * profiler/ProfilerDatabase.h:
        * runtime/Butterfly.h:
        (JSC::Butterfly::contiguousInt32):
        (JSC::Butterfly::contiguous):
        * runtime/GenericTypedArrayViewInlines.h:
        (JSC::::create):
        * runtime/Identifier.h:
        (JSC::Identifier::add):
        * runtime/JSPromise.h:
        * runtime/PropertyMapHashTable.h:
        * runtime/PropertyNameArray.h:
        * runtime/RegExpCache.h:
        * runtime/SparseArrayValueMap.h:
        * runtime/SymbolTable.h:
        * runtime/VM.h:
        * tools/CodeProfile.cpp:
        (JSC::truncateTrace):
        * tools/CodeProfile.h:
        * yarr/YarrInterpreter.cpp:
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::BytecodePattern::BytecodePattern):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
        (JSC::Yarr::YarrGenerator::opCompileBody):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
        * yarr/YarrPattern.h:

2013-10-18 Mark Lam <mark.lam@apple.com>

        Remove excess reserved space in ctiTrampoline frames for X86 and X86_64.
        https://bugs.webkit.org/show_bug.cgi?id=123037.

        Reviewed by Geoffrey Garen.

        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:

2013-10-18 Filip Pizlo <fpizlo@apple.com>

        Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests
        https://bugs.webkit.org/show_bug.cgi?id=121661

        Reviewed by Mark Hahnenberg.

        This method shouldn't have been called from the concurrent JIT thread. That's hard to prevent
        so I added a return-early check using isCompilationThread().

        Here's why this makes sense. Structure has two ways to tell you about the layout of the objects
        it is describing: m_offset and the property table. Most structures only have m_offset and report
        null for the property table. If the property table is there, it will tell you additional
        information and that information subsumes m_offset - but the m_offset is still there. So, when
        we have a property table, we have to keep it in sync with the m_offset. There is a bunch of
        machinery to do this.

        Changing the property table only happens on the main thread.

        Because the machinery to change the property table is so complex, especially with respect to
        keeping it in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be
        called at key points before and after changes to the property table or the offset.

        Most clients of Structure who care about object layout, including the concurrent thread, will
        want to know m_offset and not the property table. If they want the property table, they will
        already be super careful. The concurrent thread has special methods for this, like
        Structure::getConcurrently(), which uses fine-grained locking to ensure that it sees a coherent
        view of the property table.

        Adding locking to checkOffsetConsistency() is probably a bad idea since that method may be
        called when the relevant lock is already held. So, we'd have awkward recursive locking issues.

        But right now, the concurrent JIT thread may call a method, like Structure::outOfLineCapacity(),
        which has a call to checkOffsetConsistency(). The call to checkOffsetConsistency() is there
        because we have found that it helps quickly identify situations where the property table and
        m_offset get out of sync - mainly because code that changes either of those things will usually
        also want to know the outOfLineCapacity(). But Structure::outOfLineCapacity() doesn't *actually*
        need the property table; it uses the m_offset. The concurrent JIT is correct to call
        outOfLineCapacity(), and is right to do so without holding any locks (since in all cases where
        it calls outOfLineCapacity() it has already proven that m_offset is immutable). But because
        outOfLineCapacity() calls checkOffsetConsistency(), and checkOffsetConsistency() doesn't grab
        locks, and that same structure is having its property table modified by the main thread, we end
        up with these spurious assertion failures. FWIW, the structure isn't *actually* having *its*
        property table modified - instead what happens is that some downstream structure steals the
        property table and then starts adding things to it. The concurrent thread loads the property
        table before it's stolen, and hence the badness.

        I suspect there are other code paths that lead to the concurrent JIT calling some Structure
        method that it is fine and safe to call, but then that method calls checkOffsetConsistency(),
        and then you have a possible crash.

        The most sensible solution to this appears to be to make sure that checkOffsetConsistency() is
        aware of its uselessness to the concurrent JIT thread. This change makes it return early if
        it's in the concurrent JIT.

        * runtime/StructureInlines.h:
        (JSC::Structure::checkOffsetConsistency):

2013-10-18 Daniel Bates <dabates@apple.com>

        Add SPI to disable the garbage collector timer
        https://bugs.webkit.org/show_bug.cgi?id=122921

        Add null check to Heap::setGarbageCollectionTimerEnabled() that I inadvertently
        omitted.

        * heap/Heap.cpp:
        (JSC::Heap::setGarbageCollectionTimerEnabled):

2013-10-18 Julien Brianceau <jbriance@cisco.com>

        Group 64-bit specific and 32-bit specific callOperation implementations.
        https://bugs.webkit.org/show_bug.cgi?id=123024

        Reviewed by Michael Saboff.

        This is not a big deal, but could be less confusing when reading the code.

        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        (JSC::JIT::callOperationWithCallFrameRollbackOnException):
        (JSC::JIT::callOperationNoExceptionCheck):

2013-10-18 Nadav Rotem <nrotem@apple.com>

        Fix a FlushLiveness problem.
        https://bugs.webkit.org/show_bug.cgi?id=122984

        Reviewed by Filip Pizlo.

        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        (JSC::DFG::FlushLivenessAnalysisPhase::process):

2013-10-18 Michael Saboff <msaboff@apple.com>

        Change native function call stubs to use JIT operations instead of ctiVMHandleException
        https://bugs.webkit.org/show_bug.cgi?id=122982

        Reviewed by Geoffrey Garen.

        Change ctiVMHandleException to operationVMHandleException. Change all exception operations to
        return the catch callFrame and entryPC via vm.callFrameForThrow and vm.targetMachinePCForThrow.
        This removed calling convention headaches, fixing https://bugs.webkit.org/show_bug.cgi?id=122980
        in the process.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::jumpToExceptionHandler):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JIT.h:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITExceptions.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperationNoExceptionCheck):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_throw):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_throw):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARM64.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * jit/Repatch.cpp:
        (JSC::tryBuildGetByIDList):
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::nativeForGenerator):
        * runtime/VM.h:
        (JSC::VM::callFrameForThrowOffset):
        (JSC::VM::targetMachinePCForThrowOffset):

2013-10-18 Julien Brianceau <jbriance@cisco.com>

        Fix J_JITOperation_EAapJ call for MIPS and ARM EABI.
        https://bugs.webkit.org/show_bug.cgi?id=123023

        Reviewed by Michael Saboff.

        * jit/JITInlines.h:
        (JSC::JIT::callOperation): The EncodedJSValue parameter does not need alignment
        using EABI_32BIT_DUMMY_ARG here.

2013-10-17 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, another ARM64 build fix.

        Get rid of andPtr(TrustedImmPtr, blah), since it would take Effort to get it to work
        on ARM64 and none of its uses are legit - they should all be using
        andPtr(TrustedImm32, blah) anyway.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileExceptionHandlers):

2013-10-17 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, speculative ARM64 build fix.

        move(ImmPtr, blah) is only available in MacroAssembler since that's where blinding is
        implemented. So, you have to use TrustedImmPtr in the superclasses.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::store8):
        (JSC::MacroAssemblerARM64::branchTest8):

2013-10-17 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, speculative ARM build fix.
        https://bugs.webkit.org/show_bug.cgi?id=122890
        <rdar://problem/15258624>

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::firstRegister):
        (JSC::ARM64Assembler::lastRegister):
        (JSC::ARM64Assembler::firstFPRegister):
        (JSC::ARM64Assembler::lastFPRegister):
        * assembler/MacroAssemblerARM64.h:
        * assembler/MacroAssemblerARMv7.h:

2013-10-17 Andreas Kling <akling@apple.com>

        Pass VM instead of JSGlobalObject to JSONObject constructor.
        <https://webkit.org/b/122999>

        JSONObject was only using the JSGlobalObject to grab at the VM.
        Dodge a few loads by passing the VM directly instead.

        Reviewed by Geoffrey Garen.

        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        (JSC::JSONObject::finishCreation):
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):

2013-10-17 Geoffrey Garen <ggaren@apple.com>

        Removed the JITStackFrame struct
        https://bugs.webkit.org/show_bug.cgi?id=123001

        Reviewed by Anders Carlsson.

        * jit/JITStubs.h: JITStackFrame and JITStubArg are unused now, since all
        our helper functions obey the C function call ABI.

2013-10-17 Geoffrey Garen <ggaren@apple.com>

        Removed an unused #define
        https://bugs.webkit.org/show_bug.cgi?id=123000

        Reviewed by Anders Carlsson.

        * jit/JITStubs.h: Removed the concept of JITSTACKFRAME_ARGS_INDEX,
        since it is unused now. This is a step toward using the C stack.

2013-10-17 Geoffrey Garen <ggaren@apple.com>

        Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks
        https://bugs.webkit.org/show_bug.cgi?id=122973

        Reviewed by Michael Saboff.

        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator): This was all dead code,
        so I removed it.

        The code acted as if it needed to pass an argument to
        lookupExceptionHandler, and as if it passed that argument to itself
        through JITStackFrame. However, lookupExceptionHandler does not take
        an argument (other than the default ExecState argument), and the code
        did not initialize the thing that it thought it passed to itself!

2013-10-17 Alex Christensen <achristensen@webkit.org>

        Run JavaScriptCore tests again on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=122787

        Reviewed by Tim Horton.

        * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
        * jit/JITStubsMSVC64.asm: Removed reference to cti_vm_throw unused since r157581.

2013-10-17 Geoffrey Garen <ggaren@apple.com>

        Removed restoreArgumentReference (another use of JITStackFrame)
        https://bugs.webkit.org/show_bug.cgi?id=122997

        Reviewed by Oliver Hunt.

        * jit/JSInterfaceJIT.h: Removed an unused function. This is a step
        toward using the C stack.

2013-10-17 Oliver Hunt <oliver@apple.com>

        Remove JITStubCall.h
        https://bugs.webkit.org/show_bug.cgi?id=122991

        Reviewed by Geoff Garen.

        Happily this is no longer used

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JIT.cpp:
        * jit/JITArithmetic.cpp:
        * jit/JITArithmetic32_64.cpp:
        * jit/JITCall.cpp:
        * jit/JITCall32_64.cpp:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITPropertyAccess.cpp:
        * jit/JITPropertyAccess32_64.cpp:
        * jit/JITStubCall.h: Removed.

2013-10-17 Geoffrey Garen <ggaren@apple.com>

        Removed a use of JITSTACKFRAME_ARGS_INDEX
        https://bugs.webkit.org/show_bug.cgi?id=122989

        Reviewed by Oliver Hunt.

        * jit/JITStubCall.h: Removed an unused function. This is one step closer
        to using the C stack.

2013-10-17 Geoffrey Garen <ggaren@apple.com>

        Change emit_op_catch to use another method to materialize VM
        https://bugs.webkit.org/show_bug.cgi?id=122977

        Reviewed by Oliver Hunt.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_catch): Use a constant. It removes our dependency
        on JITStackFrame. It is also faster and simpler.

2013-10-17 Geoffrey Garen <ggaren@apple.com>

        Eliminate emitGetJITStubArg() - dead code
        https://bugs.webkit.org/show_bug.cgi?id=122975

        Reviewed by Anders Carlsson.

        * jit/JIT.h:
        * jit/JITInlines.h: Removed unused, deprecated function.

2013-10-17 Mark Lam <mark.lam@apple.com>

        Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h.
        https://bugs.webkit.org/show_bug.cgi?id=122979.

        Reviewed by Michael Saboff.

        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARM64.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):

2013-10-17 Michael Saboff <msaboff@apple.com>

        Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction()
        https://bugs.webkit.org/show_bug.cgi?id=122974

        Reviewed by Geoffrey Garen.

        Eliminated unneeded storing to JITStackFrame.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):

2013-10-17 Michael Saboff <msaboff@apple.com>

        Transition cti_op_throw and cti_vm_throw to a JIT operation
        https://bugs.webkit.org/show_bug.cgi?id=122931

        Reviewed by Filip Pizlo.

        Moved cti_op_throw to operationThrow. Made the caller responsible for jumping to the
        catch handler. Eliminated cti_op_throw_static_error, cti_vm_throw, ctiVMThrowTrampoline()
        and their callers as it is now dead code. There is some work needed on the Microsoft X86
        callOperation to handle the need to provide space for structure return value.

        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_throw):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_catch):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARM64.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * jit/JSInterfaceJIT.h:

2013-10-17 Mark Lam <mark.lam@apple.com>

        Remove JITStackFrame references in the C Loop LLINT.
        https://bugs.webkit.org/show_bug.cgi?id=122950.

        Reviewed by Michael Saboff.

        * jit/JITStubs.h:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * offlineasm/cloop.rb:

2013-10-17 Mark Lam <mark.lam@apple.com>

        Remove JITStackFrame references in JIT probes.
        https://bugs.webkit.org/show_bug.cgi?id=122947.

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssemblerARM::ProbeContext::dump):
        * assembler/MacroAssemblerARM.h:
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssemblerARMv7::ProbeContext::dump):
        * assembler/MacroAssemblerARMv7.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::MacroAssemblerX86Common::ProbeContext::dump):
        * assembler/MacroAssemblerX86Common.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86Common.h:
        * jit/JITStubsX86_64.h:

2013-10-17 Julien Brianceau <jbriance@cisco.com>

        Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4.
        https://bugs.webkit.org/show_bug.cgi?id=122949

        Reviewed by Andreas Kling.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2013-10-16 Mark Lam <mark.lam@apple.com>
21673
21674 Transition remaining op_get* JITStubs to JIT operations.
21675 https://bugs.webkit.org/show_bug.cgi?id=122925.
21676
21677 Reviewed by Geoffrey Garen.
21678
21679 Transitioning:
21680 cti_op_get_by_id_generic
21681 cti_op_get_by_val
21682 cti_op_get_by_val_generic
21683 cti_op_get_by_val_string
21684
21685 * dfg/DFGOperations.cpp:
21686 * dfg/DFGOperations.h:
21687 * jit/JIT.h:
21688 * jit/JITInlines.h:
21689 (JSC::JIT::callOperation):
21690 * jit/JITOpcodes.cpp:
21691 (JSC::JIT::emitSlow_op_get_arguments_length):
21692 (JSC::JIT::emitSlow_op_get_argument_by_val):
21693 * jit/JITOpcodes32_64.cpp:
21694 (JSC::JIT::emitSlow_op_get_arguments_length):
21695 (JSC::JIT::emitSlow_op_get_argument_by_val):
21696 * jit/JITOperations.cpp:
21697 * jit/JITOperations.h:
21698 * jit/JITPropertyAccess.cpp:
21699 (JSC::JIT::emitSlow_op_get_by_val):
21700 (JSC::JIT::emitSlow_op_get_by_pname):
21701 (JSC::JIT::privateCompileGetByVal):
21702 * jit/JITPropertyAccess32_64.cpp:
21703 (JSC::JIT::emitSlow_op_get_by_val):
21704 (JSC::JIT::emitSlow_op_get_by_pname):
21705 * jit/JITStubs.cpp:
21706 * jit/JITStubs.h:
21707 * runtime/Executable.cpp:
21708 (JSC::setupLLInt): Added some UNUSED_PARAMs to fix the no LLINT build.
21709 * runtime/Options.cpp:
21710 (JSC::Options::initialize):
21711
217122013-10-16 Filip Pizlo <fpizlo@apple.com>
21713
21714 Introduce WTF::Bag and start using it for InlineCallFrameSet
21715 https://bugs.webkit.org/show_bug.cgi?id=122941
21716
21717 Reviewed by Geoffrey Garen.
21718
21719 Use Bag for InlineCallFrameSet. If this works out then I'll make other
21720 SegmentedVectors into Bags as well.
21721
21722 * bytecode/InlineCallFrameSet.cpp:
21723 (JSC::InlineCallFrameSet::add):
21724 * bytecode/InlineCallFrameSet.h:
21725 (JSC::InlineCallFrameSet::begin):
21726 (JSC::InlineCallFrameSet::end):
21727 * dfg/DFGArgumentsSimplificationPhase.cpp:
21728 (JSC::DFG::ArgumentsSimplificationPhase::run):
21729 * dfg/DFGJITCompiler.cpp:
21730 (JSC::DFG::JITCompiler::link):
21731 * dfg/DFGStackLayoutPhase.cpp:
21732 (JSC::DFG::StackLayoutPhase::run):
21733 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
21734 (JSC::DFG::VirtualRegisterAllocationPhase::run):
21735
217362013-10-16 Filip Pizlo <fpizlo@apple.com>
21737
21738 libllvmForJSC shouldn't call exit(1) on report_fatal_error()
21739 https://bugs.webkit.org/show_bug.cgi?id=122905
21740 <rdar://problem/15237856>
21741
21742 Reviewed by Michael Saboff.
21743
21744 Expose the new LLVMInstallFatalErrorHandler() API through the soft linking magic and
21745 then always call it to install something that calls CRASH().
21746
21747 * llvm/InitializeLLVM.cpp:
21748 (JSC::llvmCrash):
21749 (JSC::initializeLLVMOnce):
21750 (JSC::initializeLLVM):
21751 * llvm/LLVMAPIFunctions.h:
21752
217532013-10-16 Filip Pizlo <fpizlo@apple.com>
21754
21755 Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
21756 https://bugs.webkit.org/show_bug.cgi?id=122938
21757
21758 Reviewed by Sam Weinig.
21759
21760 This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.
21761
21762 * jit/Repatch.cpp:
21763 (JSC::tryBuildGetByIDList):
21764
217652013-10-16 Filip Pizlo <fpizlo@apple.com>
21766
21767 JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
21768 https://bugs.webkit.org/show_bug.cgi?id=122937
21769
21770 Reviewed by Geoffrey Garen.
21771
21772 JITStubCall used to do it.
21773
21774 This makes mozilla-tests.yaml/ecma/Statements/12.10-1.js.mozilla-baseline pass.
21775
21776 * jit/JIT.h:
21777 (JSC::JIT::appendCall):
21778
217792013-10-16 Michael Saboff <msaboff@apple.com>
21780
21781 transition void cti_op_put_by_val* stubs to JIT operations
21782 https://bugs.webkit.org/show_bug.cgi?id=122903
21783
21784 Reviewed by Geoffrey Garen.
21785
21786 Transitioned cti_op_put_by_val and cti_op_put_by_val_generic to operationPutByVal and
21787 operationPutByValGeneric.
21788
21789 * jit/CCallHelpers.h:
21790 (JSC::CCallHelpers::setupArgumentsWithExecState):
21791 * jit/JIT.h:
21792 * jit/JITInlines.h:
21793 (JSC::JIT::callOperation):
21794 * jit/JITOperations.cpp:
21795 * jit/JITOperations.h:
21796 * jit/JITPropertyAccess.cpp:
21797 (JSC::JIT::emitSlow_op_put_by_val):
21798 (JSC::JIT::privateCompilePutByVal):
21799 * jit/JITPropertyAccess32_64.cpp:
21800 (JSC::JIT::emitSlow_op_put_by_val):
21801 * jit/JITStubs.cpp:
21802 * jit/JITStubs.h:
21803 * jit/JSInterfaceJIT.h:
21804
218052013-10-16 Oliver Hunt <oliver@apple.com>
21806
21807 Implement ES6 spread operator
21808 https://bugs.webkit.org/show_bug.cgi?id=122911
21809
21810 Reviewed by Michael Saboff.
21811
21812 Implement the ES6 spread operator
21813
This has a little bit of refactoring to move the enumeration logic out of ForOfNode
and into BytecodeGenerator, and then adds the logic to make it nicely callback
driven.

The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
and actually handling the spread.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitNewArray):
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitEnumeration):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ArrayNode::emitBytecode):
(JSC::ForOfNode::emitBytecode):
(JSC::SpreadExpressionNode::emitBytecode):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createSpreadExpression):
* parser/Lexer.cpp:
(JSC::::lex):
* parser/NodeConstructors.h:
(JSC::SpreadExpressionNode::SpreadExpressionNode):
* parser/Nodes.h:
(JSC::ExpressionNode::isSpreadExpression):
(JSC::SpreadExpressionNode::expression):
* parser/Parser.cpp:
(JSC::::parseArrayLiteral):
(JSC::::parseArguments):
(JSC::::parseMemberExpression):
* parser/Parser.h:
(JSC::Parser::getTokenName):
(JSC::Parser::updateErrorMessageSpecialCase):
* parser/ParserTokens.h:
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::createSpreadExpression):

2013-10-16 Filip Pizlo <fpizlo@apple.com>

Add a useLLInt option to jsc
https://bugs.webkit.org/show_bug.cgi?id=122930

Reviewed by Geoffrey Garen.

* runtime/Executable.cpp:
(JSC::setupLLInt):
(JSC::setupJIT):
(JSC::ScriptExecutable::prepareForExecutionImpl):
* runtime/Options.h:

2013-10-16 Mark Hahnenberg <mhahnenberg@apple.com>

Build fix.

Forgot to svn add DeferGC.cpp

* heap/DeferGC.cpp: Added.

2013-10-16 Filip Pizlo <fpizlo@apple.com>

r157411 fails run-javascriptcore-tests when run with Baseline JIT
https://bugs.webkit.org/show_bug.cgi?id=122902

Reviewed by Mark Hahnenberg.

It turns out that this was a long-standing bug in the DFG PutById repatching logic. It's
not legal to patch if the typeInfo tells you that you can't patch. The old JIT's patching
logic did this right, and the DFG's GetById patching logic did it right; but DFG PutById
didn't. Turns out that there's even a helpful method,
Structure::propertyAccessesAreCacheable(), that will even do all of the checks for you!

* jit/Repatch.cpp:
(JSC::tryCachePutByID):

2013-10-16 Mark Hahnenberg <mhahnenberg@apple.com>

llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
https://bugs.webkit.org/show_bug.cgi?id=122667

Reviewed by Geoffrey Garen.

The issue this patch is attempting to fix is that there are places in our codebase
where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
operations that can initiate a garbage collection. Garbage collection then calls
some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
always necessarily run during garbage collection). This causes a deadlock.

To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores
into a thread-local field that indicates that it is unsafe to perform any operation
that could trigger garbage collection on the current thread. In debug builds,
ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly
detect deadlocks.

This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
which uses the DeferGC mechanism to prevent collections from occurring while the
lock is held.

* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/DeferGC.h:
(JSC::DisallowGC::DisallowGC):
(JSC::DisallowGC::~DisallowGC):
(JSC::DisallowGC::isGCDisallowedOnCurrentThread):
(JSC::DisallowGC::initialize):
* jit/Repatch.cpp:
(JSC::repatchPutByID):
(JSC::buildPutByIdList):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/ConcurrentJITLock.h:
(JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
(JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
(JSC::ConcurrentJITLockerBase::unlockEarly):
(JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
(JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker):
(JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer):
(JSC::ConcurrentJITLocker::ConcurrentJITLocker):
* runtime/InitializeThreading.cpp:
(JSC::initializeThreadingOnce):
* runtime/JSCellInlines.h:
(JSC::allocateCell):
* runtime/JSSymbolTableObject.h:
(JSC::symbolTablePut):
* runtime/Structure.cpp: materializePropertyMapIfNecessary* now has a problem in that it
can start a garbage collection when the GCSafeConcurrentJITLocker goes out of scope, but
before the caller has a chance to use the newly created PropertyTable. The garbage collection
clears the PropertyTable, and then the caller uses it assuming it's valid. To avoid this,
we must DeferGC until the caller is done getting the newly materialized PropertyTable from
the Structure.
(JSC::Structure::materializePropertyMap):
(JSC::Structure::despecifyDictionaryFunction):
(JSC::Structure::changePrototypeTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::takePropertyTableOrCloneIfPinned):
(JSC::Structure::isSealed):
(JSC::Structure::isFrozen):
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::removePropertyWithoutTransition):
(JSC::Structure::get):
(JSC::Structure::despecifyFunction):
(JSC::Structure::despecifyAllFunctions):
(JSC::Structure::putSpecificValue):
(JSC::Structure::createPropertyMap):
(JSC::Structure::getPropertyNamesFromStructure):
* runtime/Structure.h:
(JSC::Structure::materializePropertyMapIfNecessary):
(JSC::Structure::materializePropertyMapIfNecessaryForPinning):
* runtime/StructureInlines.h:
(JSC::Structure::get):
* runtime/SymbolTable.h:
(JSC::SymbolTable::find):
(JSC::SymbolTable::end):

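Added illustration of the lock-versus-collector pattern the entry above describes. This is example code written for this page, not JavaScriptCore's DeferGC.h or ConcurrentJITLock.h. It assumes a toy heap (ToyHeap) whose collector takes the same mutex a mutator thread may already hold, a thread-local DisallowGC-style guard (DisallowGCGuard, whose isGCDisallowedOnCurrentThread() mirrors the method named in the entry), a DeferGC-style guard (DeferGCGuard), and two lockers (PlainLocker, GCSafeLocker); all of these names are invented for the example.

```cpp
// Added illustration, not JavaScriptCore code: a thread-local "GC disallowed"
// RAII guard plus a GC-deferring locker, modelled on the DisallowGC /
// GCSafeConcurrentJITLocker description in the ChangeLog entry above.
// ToyHeap, DisallowGCGuard, DeferGCGuard, PlainLocker and GCSafeLocker are
// invented names for this example.
#include <cstddef>
#include <cstdio>
#include <mutex>

namespace toy {

struct ToyHeap {
    std::mutex codeBlockLock;        // stands in for a CodeBlock's ConcurrentJITLock
    size_t deferCount = 0;           // > 0 while a DeferGC-style guard is alive
    bool collectionPending = false;  // a collection was requested while deferred
    size_t collections = 0;          // completed collections
    size_t disallowedAttempts = 0;   // would-be deadlocks caught by the guard

    // Simulated Heap::collect(): the collector takes the same lock the mutator
    // may already hold, which is exactly the deadlock described in the entry.
    void collect() {
        std::lock_guard<std::mutex> guard(codeBlockLock);
        ++collections;
    }
};

// Per-thread depth counter: non-zero means "triggering a GC here is unsafe".
thread_local size_t tlsDisallowDepth = 0;

struct DisallowGCGuard {
    DisallowGCGuard() { ++tlsDisallowDepth; }
    ~DisallowGCGuard() { --tlsDisallowDepth; }
    static bool isGCDisallowedOnCurrentThread() { return tlsDisallowDepth > 0; }
};

// DeferGC-style guard: a collection requested while it is alive runs when the
// outermost guard is destroyed, i.e. after the caller has released its lock.
struct DeferGCGuard {
    ToyHeap& heap;
    explicit DeferGCGuard(ToyHeap& h) : heap(h) { ++heap.deferCount; }
    ~DeferGCGuard() {
        if (--heap.deferCount == 0 && heap.collectionPending) {
            heap.collectionPending = false;
            heap.collect();
        }
    }
};

// The point where an allocation slow path would start a collection.
// Returns true only if a collection actually ran right now.
bool tryTriggerCollection(ToyHeap& heap) {
    if (DisallowGCGuard::isGCDisallowedOnCurrentThread()) {
        ++heap.disallowedAttempts;   // a debug build would ASSERT here instead
        return false;
    }
    if (heap.deferCount > 0) {
        heap.collectionPending = true;
        return false;
    }
    heap.collect();
    return true;
}

// Plain locker, like the debug-build ConcurrentJITLocker: holds the lock and
// forbids GC for its lifetime so that a misuse is detected eagerly.
struct PlainLocker {
    std::unique_lock<std::mutex> lock;
    DisallowGCGuard disallow;
    explicit PlainLocker(ToyHeap& h) : lock(h.codeBlockLock) {}
};

// GC-safe locker: defers instead of forbidding. Members are destroyed in
// reverse declaration order, so the lock is released before the deferred
// collection runs and the collector can take the lock without deadlocking.
struct GCSafeLocker {
    DeferGCGuard defer;
    std::unique_lock<std::mutex> lock;
    explicit GCSafeLocker(ToyHeap& h) : defer(h), lock(h.codeBlockLock) {}
};

// Scenario 1: an allocation under the GC-safe locker. The collection is
// postponed and runs exactly once when the locker goes out of scope.
size_t collectionsAfterGCSafeSection() {
    ToyHeap heap;
    {
        GCSafeLocker locker(heap);
        tryTriggerCollection(heap);  // deferred, not run here
    }
    return heap.collections;         // expected 1
}

// Scenario 2: the same allocation under the plain locker. With a real
// collect() this would deadlock; the guard records the attempt instead.
size_t disallowedAttemptsUnderPlainLock() {
    ToyHeap heap;
    PlainLocker locker(heap);
    tryTriggerCollection(heap);
    return heap.disallowedAttempts;  // expected 1
}

} // namespace toy

int main() {
    std::printf("gc-safe: %zu collection(s); plain: %zu disallowed attempt(s)\n",
                toy::collectionsAfterGCSafeSection(),
                toy::disallowedAttemptsUnderPlainLock());
    return 0;
}
```

The deferred collection running when the GC-safe locker is destroyed is also the hazard the Structure.cpp note in this entry points out: a result produced under the lock must be consumed under a DeferGC that outlives the locker, or the collection at scope exit can invalidate it first. The plain-locker scenario counts the would-be deadlock rather than asserting so the example runs to completion; a C++11 compiler is needed for thread_local.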
2013-10-16 Daniel Bates <dabates@apple.com>

Add SPI to disable the garbage collector timer
https://bugs.webkit.org/show_bug.cgi?id=122921

Reviewed by Geoffrey Garen.

Based on a patch by Mark Hahnenberg.

* API/JSBase.cpp:
(JSDisableGCTimer): Added; SPI function.
* API/JSBasePrivate.h:
* heap/BlockAllocator.cpp:
(JSC::createBlockFreeingThread): Added.
(JSC::BlockAllocator::BlockAllocator): Modified to use JSC::createBlockFreeingThread()
to conditionally create the "block freeing" thread depending on the value of
GCActivityCallback::s_shouldCreateGCTimer.
(JSC::BlockAllocator::~BlockAllocator):
* heap/BlockAllocator.h:
(JSC::BlockAllocator::deallocate):
* heap/Heap.cpp:
(JSC::Heap::didAbandon):
(JSC::Heap::collect):
(JSC::Heap::didAllocate):
* heap/HeapTimer.cpp:
(JSC::HeapTimer::timerDidFire):
* runtime/GCActivityCallback.cpp:
* runtime/GCActivityCallback.h:
(JSC::DefaultGCActivityCallback::create): Only instantiate a DefaultGCActivityCallback object
when GCActivityCallback::s_shouldCreateGCTimer is true so as to prevent allocating a HeapTimer
object (since DefaultGCActivityCallback ultimately extends HeapTimer).

2013-10-16 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r157529.
http://trac.webkit.org/changeset/157529
https://bugs.webkit.org/show_bug.cgi?id=122919

Caused score test failures and some build failures. (Requested
by rfong on #webkit).

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitNewArray):
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ArrayNode::emitBytecode):
(JSC::CallArguments::CallArguments):
(JSC::ForOfNode::emitBytecode):
(JSC::BindingNode::collectBoundIdentifiers):
* parser/ASTBuilder.h:
* parser/Lexer.cpp:
(JSC::::lex):
* parser/NodeConstructors.h:
(JSC::DotAccessorNode::DotAccessorNode):
* parser/Nodes.h:
* parser/Parser.cpp:
(JSC::::parseArrayLiteral):
(JSC::::parseArguments):
(JSC::::parseMemberExpression):
* parser/Parser.h:
(JSC::Parser::getTokenName):
(JSC::Parser::updateErrorMessageSpecialCase):
* parser/ParserTokens.h:
* parser/SyntaxChecker.h:

2013-10-16 Julien Brianceau <jbriance@cisco.com>

Remove useless architecture specific implementation in DFG.
https://bugs.webkit.org/show_bug.cgi?id=122917.

Reviewed by Michael Saboff.

With CPU(ARM) && CPU(ARM_HARDFP) architecture, the fallback implementation is fine
as FPRInfo::argumentFPR0 == FPRInfo::returnValueFPR in this case.

* dfg/DFGSpeculativeJIT.h:

2013-10-16 Julien Brianceau <jbriance@cisco.com>

Remove unused JIT::restoreArgumentReferenceForTrampoline function.
https://bugs.webkit.org/show_bug.cgi?id=122916.

Reviewed by Michael Saboff.

This architecture specific function is not used anymore, so get rid of it.

* jit/JIT.h:
* jit/JITInlines.h:

2013-10-16 Oliver Hunt <oliver@apple.com>

Implement ES6 spread operator
https://bugs.webkit.org/show_bug.cgi?id=122911

Reviewed by Michael Saboff.

Implement the ES6 spread operator

This has a little bit of refactoring to move the enumeration logic out of ForOfNode
and into BytecodeGenerator, and then adds the logic to make it nicely callback
driven.

The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
and actually handling the spread.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitNewArray):
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitEnumeration):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ArrayNode::emitBytecode):
(JSC::ForOfNode::emitBytecode):
(JSC::SpreadExpressionNode::emitBytecode):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createSpreadExpression):
* parser/Lexer.cpp:
(JSC::::lex):
* parser/NodeConstructors.h:
(JSC::SpreadExpressionNode::SpreadExpressionNode):
* parser/Nodes.h:
(JSC::ExpressionNode::isSpreadExpression):
(JSC::SpreadExpressionNode::expression):
* parser/Parser.cpp:
(JSC::::parseArrayLiteral):
(JSC::::parseArguments):
(JSC::::parseMemberExpression):
* parser/Parser.h:
(JSC::Parser::getTokenName):
(JSC::Parser::updateErrorMessageSpecialCase):
* parser/ParserTokens.h:
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::createSpreadExpression):

2013-10-16 Mark Lam <mark.lam@apple.com>

Transition void cti_op_tear_off* methods to JIT operations for 32 bit.
https://bugs.webkit.org/show_bug.cgi?id=122899.

Reviewed by Michael Saboff.

* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_tear_off_activation):
(JSC::JIT::emit_op_tear_off_arguments):
* jit/JITStubs.cpp:
* jit/JITStubs.h:

2013-10-16 Julien Brianceau <jbriance@cisco.com>

Remove more of the UNINTERRUPTED_SEQUENCE thing
https://bugs.webkit.org/show_bug.cgi?id=122885

Reviewed by Andreas Kling.

It was not completely removed by r157481, leading to build failure for sh4 architecture.

* jit/JIT.h:
* jit/JITInlines.h:

2013-10-15 Filip Pizlo <fpizlo@apple.com>

Get rid of the StructureStubInfo::patch union
https://bugs.webkit.org/show_bug.cgi?id=122877

Reviewed by Sam Weinig.

Just simplifying code by getting rid of data structures that ain't used no more.

Note that I replace the patch union with a patch struct. This means we say things like
stubInfo.patch.valueGPR instead of stubInfo.valueGPR. I think that this extra
encapsulation makes the code more readable: the patch struct contains just those things
that you need to know to perform patching.

* bytecode/StructureStubInfo.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* jit/JIT.cpp:
(JSC::PropertyStubCompilationInfo::copyToStubInfo):
* jit/Repatch.cpp:
(JSC::repatchByIdSelfAccess):
(JSC::replaceWithJump):
(JSC::linkRestoreScratch):
(JSC::generateProtoChainAccessStub):
(JSC::tryCacheGetByID):
(JSC::getPolymorphicStructureList):
(JSC::patchJumpToGetByIdStub):
(JSC::tryBuildGetByIDList):
(JSC::emitPutReplaceStub):
(JSC::emitPutTransitionStub):
(JSC::tryCachePutByID):
(JSC::tryBuildPutByIdList):
(JSC::tryRepatchIn):
(JSC::resetGetByID):
(JSC::resetPutByID):
(JSC::resetIn):

2013-10-15 Nadav Rotem <nrotem@apple.com>

FTL: add support for Int52ToValue and fix putByVal of int52s.
https://bugs.webkit.org/show_bug.cgi?id=122873

Reviewed by Filip Pizlo.

* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileInt52ToValue):
(JSC::FTL::LowerDFGToLLVM::compilePutByVal):

2013-10-15 Filip Pizlo <fpizlo@apple.com>

Get rid of the UNINTERRUPTED_SEQUENCE thing
https://bugs.webkit.org/show_bug.cgi?id=122876

Reviewed by Mark Hahnenberg.

It doesn't make sense anymore. We now use the DFG's IC logic, which never needed that.

Moreover, we should resist the temptation to bring anything like this back. We don't
want to have inline caches that only work if the assembler lays out code in a specific
predetermined way.

* jit/JIT.h:
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):

2013-10-15 Filip Pizlo <fpizlo@apple.com>

Baseline JIT should use the DFG GetById IC
https://bugs.webkit.org/show_bug.cgi?id=122861

Reviewed by Oliver Hunt.

This mostly just kills a ton of code.

Note that this doesn't yet do all of the simplifications that can be done, but it does
kill dead code. I'll have another change to simplify StructureStubInfo's unions and such.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::resetStubInternal):
* jit/JIT.cpp:
(JSC::PropertyStubCompilationInfo::copyToStubInfo):
* jit/JIT.h:
(JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
* jit/JITInlines.h:
(JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
(JSC::JIT::callOperation):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::compileGetByIdHotPath):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emitSlow_op_get_from_scope):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::compileGetByIdHotPath):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emitSlow_op_get_from_scope):
* jit/JITStubs.cpp:
* jit/JITStubs.h:
* jit/Repatch.cpp:
(JSC::repatchGetByID):
(JSC::buildGetByIDList):
* jit/ThunkGenerators.cpp:
* jit/ThunkGenerators.h:

2013-10-15 Dean Jackson <dino@apple.com>

Add ENABLE_WEB_ANIMATIONS flag
https://bugs.webkit.org/show_bug.cgi?id=122871

Reviewed by Tim Horton.

Eventually might be http://dev.w3.org/fxtf/web-animations/
but this is just engine-internal work at the moment.

* Configurations/FeatureDefines.xcconfig:

2013-10-15 Julien Brianceau <jbriance@cisco.com>

[sh4] Some calls don't match sh4 ABI.
https://bugs.webkit.org/show_bug.cgi?id=122863

Reviewed by Michael Saboff.

* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
* jit/JITInlines.h:
(JSC::JIT::callOperation):

2013-10-15 Daniel Bates <dabates@apple.com>

[iOS] Upstream JavaScriptCore support for ARM64
https://bugs.webkit.org/show_bug.cgi?id=122762

Reviewed by Oliver Hunt and Filip Pizlo.

* Configurations/Base.xcconfig:
* Configurations/DebugRelease.xcconfig:
* Configurations/JavaScriptCore.xcconfig:
* Configurations/ToolExecutable.xcconfig:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/ARM64Assembler.h: Added.
* assembler/AbstractMacroAssembler.h:
(JSC::isARM64):
(JSC::AbstractMacroAssembler::Label::Label):
(JSC::AbstractMacroAssembler::Jump::Jump):
(JSC::AbstractMacroAssembler::Jump::link):
(JSC::AbstractMacroAssembler::Jump::linkTo):
(JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
(JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate):
(JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate):
(JSC::AbstractMacroAssembler::CachedTempRegister::value):
(JSC::AbstractMacroAssembler::CachedTempRegister::setValue):
(JSC::AbstractMacroAssembler::CachedTempRegister::invalidate):
(JSC::AbstractMacroAssembler::invalidateAllTempRegisters):
(JSC::AbstractMacroAssembler::isTempRegisterValid):
(JSC::AbstractMacroAssembler::clearTempRegisterValid):
(JSC::AbstractMacroAssembler::setTempRegisterValid):
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::copyCompactAndLinkCode):
(JSC::LinkBuffer::linkCode):
* assembler/LinkBuffer.h:
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::isPtrAlignedAddressOffset):
(JSC::MacroAssembler::pushToSave):
(JSC::MacroAssembler::popToRestore):
(JSC::MacroAssembler::patchableBranchTest32):
* assembler/MacroAssemblerARM64.h: Added.
* assembler/MacroAssemblerARMv7.h:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithDiv):
(JSC::DFG::SpeculativeJIT::compileArithMod):
* disassembler/ARM64/A64DOpcode.cpp: Added.
* disassembler/ARM64/A64DOpcode.h: Added.
* disassembler/ARM64Disassembler.cpp: Added.
* heap/MachineStackMarker.cpp:
(JSC::getPlatformThreadRegisters):
(JSC::otherThreadStackPointer):
* heap/Region.h:
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::debugCall):
* jit/CCallHelpers.h:
* jit/ExecutableAllocator.h:
* jit/FPRInfo.h:
(JSC::FPRInfo::toRegister):
(JSC::FPRInfo::toIndex):
(JSC::FPRInfo::debugName):
* jit/GPRInfo.h:
(JSC::GPRInfo::toRegister):
(JSC::GPRInfo::toIndex):
(JSC::GPRInfo::debugName):
* jit/JITInlines.h:
(JSC::JIT::restoreArgumentReferenceForTrampoline):
* jit/JITOperationWrappers.h:
* jit/JITOperations.cpp:
* jit/JITStubs.cpp:
(JSC::performPlatformSpecificJITAssertions):
(JSC::tryCachePutByID):
* jit/JITStubs.h:
(JSC::JITStackFrame::returnAddressSlot):
* jit/JITStubsARM64.h: Added.
* jit/JSInterfaceJIT.h:
* jit/Repatch.cpp:
(JSC::emitRestoreScratch):
(JSC::generateProtoChainAccessStub):
(JSC::tryCacheGetByID):
(JSC::emitPutReplaceStub):
(JSC::tryCachePutByID):
(JSC::tryRepatchIn):
* jit/ScratchRegisterAllocator.h:
(JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
(JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
* jit/ThunkGenerators.cpp:
(JSC::nativeForGenerator):
(JSC::floorThunkGenerator):
(JSC::ceilThunkGenerator):
* jsc.cpp:
(main):
* llint/LLIntOfflineAsmConfig.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::handleHostCall):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm.rb:
* offlineasm/arm64.rb: Added.
* offlineasm/backends.rb:
* offlineasm/instructions.rb:
* offlineasm/risc.rb:
* offlineasm/transform.rb:
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
(JSC::Yarr::YarrGenerator::initCallFrame):
(JSC::Yarr::YarrGenerator::removeCallFrame):
(JSC::Yarr::YarrGenerator::generateEnter):
* yarr/YarrJIT.h:

2013-10-15 Mark Lam <mark.lam@apple.com>

Fix 3 operand sub operation in C loop LLINT.
https://bugs.webkit.org/show_bug.cgi?id=122866.

Reviewed by Geoffrey Garen.

* offlineasm/cloop.rb:

2013-10-15 Mark Hahnenberg <mhahnenberg@apple.com>

ObjCCallbackFunctionImpl shouldn't store a JSContext
https://bugs.webkit.org/show_bug.cgi?id=122531

Reviewed by Geoffrey Garen.

The m_context field in ObjCCallbackFunctionImpl is vestigial and is only incidentally correct
in the common case. It's also no longer necessary in that we can look up the current JSContext
by using the globalObject of the callee when the function callback is invoked.

Also added a new test that would cause us to crash previously. The test required making
JSContextGetGlobalContext public API so that clients can obtain a JSContext from the JSContextRef
in C API callbacks.

* API/JSContextRef.h:
* API/JSContextRefPrivate.h:
* API/ObjCCallbackFunction.mm:
(JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
(JSC::objCCallbackFunctionCallAsFunction):
(objCCallbackFunctionForInvocation):
* API/WebKitAvailability.h:
* API/tests/CurrentThisInsideBlockGetterTest.h: Added.
* API/tests/CurrentThisInsideBlockGetterTest.mm: Added.
(CallAsConstructor):
(ConstructorFinalize):
(ConstructorClass):
(+[JSValue valueWithConstructorDescriptor:inContext:]):
(-[JSContext valueWithConstructorDescriptor:]):
(currentThisInsideBlockGetterTest):
* API/tests/testapi.mm:
* JavaScriptCore.xcodeproj/project.pbxproj:
* debugger/Debugger.cpp: Had to add some fully qualified names to avoid conflicts with Mac OS X headers.

2013-10-15 Julien Brianceau <jbriance@cisco.com>

Fix build after r157457 for architecture with 4 argument registers.
https://bugs.webkit.org/show_bug.cgi?id=122860

Reviewed by Michael Saboff.

* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupStubArguments134):

2013-10-14 Michael Saboff <msaboff@apple.com>

transition void cti_op_* methods to JIT operations.
https://bugs.webkit.org/show_bug.cgi?id=122617

Reviewed by Geoffrey Garen.

Converted the following stubs to JIT operations:
22440 cti_handle_watchdog_timer
22441 cti_op_debug
22442 cti_op_pop_scope
22443 cti_op_profile_did_call
22444 cti_op_profile_will_call
22445 cti_op_put_by_index
22446 cti_op_put_getter_setter
22447 cti_op_tear_off_activation
22448 cti_op_tear_off_arguments
22449 cti_op_throw_static_error
22450 cti_optimize
22451
22452 * dfg/DFGOperations.cpp:
22453 * dfg/DFGOperations.h:
22454 * jit/CCallHelpers.h:
22455 (JSC::CCallHelpers::setupArgumentsWithExecState):
22456 (JSC::CCallHelpers::setupThreeStubArgsGPR):
22457 (JSC::CCallHelpers::setupStubArguments):
22458 (JSC::CCallHelpers::setupStubArguments134):
22459 * jit/JIT.cpp:
22460 (JSC::JIT::emitEnterOptimizationCheck):
22461 * jit/JIT.h:
22462 * jit/JITInlines.h:
22463 (JSC::JIT::callOperation):
22464 * jit/JITOpcodes.cpp:
22465 (JSC::JIT::emit_op_tear_off_activation):
22466 (JSC::JIT::emit_op_tear_off_arguments):
22467 (JSC::JIT::emit_op_push_with_scope):
22468 (JSC::JIT::emit_op_pop_scope):
22469 (JSC::JIT::emit_op_push_name_scope):
22470 (JSC::JIT::emit_op_throw_static_error):
22471 (JSC::JIT::emit_op_debug):
22472 (JSC::JIT::emit_op_profile_will_call):
22473 (JSC::JIT::emit_op_profile_did_call):
22474 (JSC::JIT::emitSlow_op_loop_hint):
22475 * jit/JITOpcodes32_64.cpp:
22476 (JSC::JIT::emit_op_push_with_scope):
22477 (JSC::JIT::emit_op_pop_scope):
22478 (JSC::JIT::emit_op_push_name_scope):
22479 (JSC::JIT::emit_op_throw_static_error):
22480 (JSC::JIT::emit_op_debug):
22481 (JSC::JIT::emit_op_profile_will_call):
22482 (JSC::JIT::emit_op_profile_did_call):
22483 * jit/JITOperations.cpp:
22484 * jit/JITOperations.h:
22485 * jit/JITPropertyAccess.cpp:
22486 (JSC::JIT::emit_op_put_by_index):
22487 (JSC::JIT::emit_op_put_getter_setter):
22488 * jit/JITPropertyAccess32_64.cpp:
22489 (JSC::JIT::emit_op_put_by_index):
22490 (JSC::JIT::emit_op_put_getter_setter):
22491 * jit/JITStubs.cpp:
22492 * jit/JITStubs.h:
22493
2013-10-15  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Introduce const pools in LLINT.
        https://bugs.webkit.org/show_bug.cgi?id=122746

        Reviewed by Michael Saboff.

        In the current implementation of LLINT for sh4, immediate values outside the range -128..127 are
        loaded this way:

            mov.l .label, rx
            bra out
            nop
            .balign 4
            .label: .long immvalue
            out:

        This change introduces const pools for the sh4 implementation to avoid lots of useless branches
        and reduce code size. It also removes lines of dirty code, like jmpf and callf.

        * offlineasm/instructions.rb: Remove jmpf and callf sh4 specific instructions.
        * offlineasm/sh4.rb:
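
        The const-pool scheme described in the entry above, as an added C++ model. This is example
        code, not the offlineasm sh4 backend: one emitter inlines each wide literal with its own
        branch around it (the old sequence quoted above), the other pools literals and branches only
        to skip a pool that code would otherwise fall through into. The 2-byte instruction size, the
        1020-byte reach assumed for the PC-relative mov.l (an 8-bit displacement scaled by 4), the
        label names and the sample immediates are all constructed for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Assumption for this model: a PC-relative mov.l can reach a literal at most this far ahead.
constexpr int kMaxReach = 1020;

struct Listing {
    std::vector<std::string> lines;   // emitted assembly text
    int bytes = 0;                    // instructions (2 bytes each) + literals (4 bytes each) + padding
    int branches = 0;                 // branches emitted purely to jump over literal data
};

bool fitsImm8(int32_t v) { return v >= -128 && v <= 127; }

// Old scheme: every wide immediate carries its own inline literal and a branch over it.
Listing emitInlineLiterals(const std::vector<int32_t>& imms) {
    Listing l;
    int label = 0;
    for (int32_t v : imms) {
        if (fitsImm8(v)) { l.lines.push_back("mov #" + std::to_string(v) + ", r0"); l.bytes += 2; continue; }
        std::string n = std::to_string(label++);
        l.lines.push_back("mov.l .L" + n + ", r0");   l.bytes += 2;
        l.lines.push_back("bra .Lout" + n);           l.bytes += 2; ++l.branches;
        l.lines.push_back("nop");                     l.bytes += 2;   // branch delay slot
        int pad = (4 - l.bytes % 4) % 4;
        if (pad) { l.lines.push_back(".balign 4"); l.bytes += pad; }
        l.lines.push_back(".L" + n + ": .long " + std::to_string(v)); l.bytes += 4;
        l.lines.push_back(".Lout" + n + ":");
    }
    return l;
}

// Const-pool scheme: literals accumulate and are dumped together. A pool is forced out (with
// one branch) only when the next literal would push the pool beyond the oldest reference's reach;
// the trailing pool after the last instruction needs no branch at all.
Listing emitConstPool(const std::vector<int32_t>& imms) {
    Listing l;
    std::vector<std::pair<std::string, int32_t>> pool;
    int firstRef = -1;   // offset of the oldest mov.l still waiting for its literal
    int poolId = 0;
    auto flush = [&](bool fallsThrough) {
        if (pool.empty()) return;
        std::string id = std::to_string(poolId++);
        if (fallsThrough) {
            l.lines.push_back("bra .Lafter" + id); l.bytes += 2; ++l.branches;
            l.lines.push_back("nop");              l.bytes += 2;
        }
        int pad = (4 - l.bytes % 4) % 4;
        if (pad) { l.lines.push_back(".balign 4"); l.bytes += pad; }
        for (const auto& e : pool) { l.lines.push_back(e.first + ": .long " + std::to_string(e.second)); l.bytes += 4; }
        if (fallsThrough) l.lines.push_back(".Lafter" + id + ":");
        pool.clear();
        firstRef = -1;
    };
    for (int32_t v : imms) {
        if (fitsImm8(v)) { l.lines.push_back("mov #" + std::to_string(v) + ", r0"); l.bytes += 2; continue; }
        // Worst-case end of the pool if this literal joins it: this mov.l, bra+nop, padding, all literals.
        int poolEnd = l.bytes + 2 + 4 + 2 + 4 * static_cast<int>(pool.size() + 1);
        if (firstRef >= 0 && poolEnd - firstRef > kMaxReach) flush(true);
        if (firstRef < 0) firstRef = l.bytes;
        std::string lbl = ".Lc" + std::to_string(poolId) + "_" + std::to_string(pool.size());
        l.lines.push_back("mov.l " + lbl + ", r0"); l.bytes += 2;
        pool.emplace_back(lbl, v);
    }
    flush(false);
    return l;
}

// Constructed inputs: a short mixed sequence and a long run of wide immediates.
std::vector<int32_t> sampleImmediates() { return {1, 300, -5, 0x12345678, 70000}; }
std::vector<int32_t> manyImmediates(int n) {
    std::vector<int32_t> v;
    for (int i = 0; i < n; ++i) v.push_back(1000 + i);
    return v;
}

int main() {
    Listing a = emitInlineLiterals(sampleImmediates()), b = emitConstPool(sampleImmediates());
    std::printf("inline literals: %d bytes, %d branches\n", a.bytes, a.branches);
    std::printf("const pool:      %d bytes, %d branches\n", b.bytes, b.branches);
    for (const std::string& s : b.lines) std::printf("    %s\n", s.c_str());
    return 0;
}
```

        The reach check is what makes pooling safe rather than merely smaller: in a long
        straight-line run of wide immediates the earliest mov.l would eventually be unable to
        address its literal, so the emitter dumps the pending pool (one branch) as soon as the next
        literal would put the pool out of range of the oldest pending reference.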

2013-10-15  Mark Lam  <mark.lam@apple.com>

        Fix broken C Loop LLINT build.
        https://bugs.webkit.org/show_bug.cgi?id=122839.

        Reviewed by Michael Saboff.

        * dfg/DFGFlushedAt.cpp:
        * jit/JITOperations.h:

2013-10-14  Mark Lam  <mark.lam@apple.com>

        Transition *switch* and *scope* JITStubs to JIT operations.
        https://bugs.webkit.org/show_bug.cgi?id=122757.

        Reviewed by Geoffrey Garen.

        Transitioning:
            cti_op_switch_char
            cti_op_switch_imm
            cti_op_switch_string
            cti_op_resolve_scope
            cti_op_get_from_scope
            cti_op_put_to_scope

        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_resolve_scope):
        (JSC::JIT::emitSlow_op_get_from_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_resolve_scope):
        (JSC::JIT::emitSlow_op_get_from_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2013-10-14  Filip Pizlo  <fpizlo@apple.com>

        DFG PutById IC should use the ConcurrentJITLocker since it's now dealing with IC's that get read by the compiler thread
        https://bugs.webkit.org/show_bug.cgi?id=122786

        Reviewed by Mark Hahnenberg.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resetStub): Resetting a stub should acquire the lock since this is observable from the thread; but we should only acquire the lock if we're resetting outside of GC.
        * jit/Repatch.cpp:
        (JSC::repatchPutByID): Doing the PutById patching should hold the lock.
        (JSC::buildPutByIdList): Ditto.

2013-10-14  Nadav Rotem  <nrotem@apple.com>

        Add FTL support for LogicalNot(string)
        https://bugs.webkit.org/show_bug.cgi?id=122765

        Reviewed by Filip Pizlo.

        This patch is tested by:
        regress/script-tests/emscripten-cube2hash.js.ftl-eager

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):

2013-10-14  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Fixes after r157404 and r157411.
        https://bugs.webkit.org/show_bug.cgi?id=122782

        Reviewed by Michael Saboff.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_id): Remove unwanted BEGIN_UNINTERRUPTED_SEQUENCE.

2013-10-14  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r157413.
        http://trac.webkit.org/changeset/157413
        https://bugs.webkit.org/show_bug.cgi?id=122779

        Appears to have caused frequent crashes (Requested by ap on
        #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/DeferGC.cpp: Removed.
        * heap/DeferGC.h:
        * jit/JITStubs.cpp:
        (JSC::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ConcurrentJITLock.h:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/JSCellInlines.h:
        (JSC::allocateCell):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::createPropertyMap):
        * runtime/Structure.h:

2013-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        COLLECT_ON_EVERY_ALLOCATION causes assertion failures
        https://bugs.webkit.org/show_bug.cgi?id=122652

        Reviewed by Filip Pizlo.

        COLLECT_ON_EVERY_ALLOCATION wasn't accounting for the new GC deferral mechanism,
        so we would end up ASSERTing during garbage collection.

        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase):

2013-10-11  Oliver Hunt  <oliver@apple.com>

        Separate out array iteration intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=122656

        Reviewed by Michael Saboff.

        Separate out the intrinsics for key and value iteration
        of arrays.

        This requires moving array iteration into the iterator
        instance, rather than the prototype, but this is essentially
        unobservable so we'll live with it for now.

        * jit/ThunkGenerators.cpp:
        (JSC::arrayIteratorNextThunkGenerator):
        (JSC::arrayIteratorNextKeyThunkGenerator):
        (JSC::arrayIteratorNextValueThunkGenerator):
        * jit/ThunkGenerators.h:
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/Intrinsic.h:
        * runtime/JSArrayIterator.cpp:
        (JSC::JSArrayIterator::finishCreation):
        (JSC::createIteratorResult):
        (JSC::arrayIteratorNext):
        (JSC::arrayIteratorNextKey):
        (JSC::arrayIteratorNextValue):
        (JSC::arrayIteratorNextGeneric):
        * runtime/VM.cpp:
        (JSC::thunkGeneratorForIntrinsic):

2013-10-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
        https://bugs.webkit.org/show_bug.cgi?id=122667

        Reviewed by Filip Pizlo.

        The issue this patch is attempting to fix is that there are places in our codebase
        where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
        operations that can initiate a garbage collection. Garbage collection then calls
        some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
        always necessarily run during garbage collection). This causes a deadlock.

        To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores
        into a thread-local field that indicates that it is unsafe to perform any operation
        that could trigger garbage collection on the current thread. In debug builds,
        ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly
        detect deadlocks.

        This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
        which uses the DeferGC mechanism to prevent collections from occurring while the
        lock is held.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/DeferGC.cpp: Added.
        * heap/DeferGC.h:
        (JSC::DisallowGC::DisallowGC):
        (JSC::DisallowGC::~DisallowGC):
        (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
        (JSC::DisallowGC::initialize):
        * jit/JITStubs.cpp:
        (JSC::tryCachePutByID):
        (JSC::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ConcurrentJITLock.h:
        (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLockerBase::unlockEarly):
        (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
        (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/JSCellInlines.h:
        (JSC::allocateCell):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::createPropertyMap):
        * runtime/Structure.h:
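
        The lock-then-allocate deadlock the entry above describes, and the two remedies it names
        (a thread-local DisallowGC guard that makes the bad pattern fail eagerly, and a
        GCSafeConcurrentJITLocker that defers collection until the lock is released), as an added
        C++ illustration. This is not JavaScriptCore code: CodeBlockLock, Heap, allocateCell and the
        two putById* slow paths are simplified stand-ins written for this example, and the toy lock
        is single-threaded so that re-acquiring it throws where the real lock would hang.

```cpp
#include <cstdio>
#include <stdexcept>
#include <string>

struct GCDeadlockError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Stand-in for the per-CodeBlock ConcurrentJITLock (assumed toy type). Re-locking while held is
// exactly the deadlock in the entry, so it throws instead of hanging.
class CodeBlockLock {
public:
    void lock() {
        if (m_held) throw GCDeadlockError("deadlock: CodeBlock lock re-acquired by its holder");
        m_held = true;
    }
    void unlock() { m_held = false; }
    bool isHeld() const { return m_held; }
private:
    bool m_held = false;
};

// Thread-local depth counter: while > 0, triggering a GC on this thread is a bug.
class DisallowGC {
public:
    DisallowGC() { ++depth(); }
    ~DisallowGC() { --depth(); }
    DisallowGC(const DisallowGC&) = delete;
    DisallowGC& operator=(const DisallowGC&) = delete;
    static bool isGCDisallowedOnCurrentThread() { return depth() > 0; }
private:
    static unsigned& depth() { thread_local unsigned d = 0; return d; }
};

// Toy heap: every allocation wants to collect, and collecting takes the CodeBlock lock.
class Heap {
public:
    explicit Heap(CodeBlockLock& lock) : m_codeBlockLock(lock) {}

    // DeferGC mechanism: while deferred, a collection request is only recorded.
    void incrementDeferralDepth() { ++m_deferralDepth; }
    void decrementDeferralDepthAndGCIfNeeded() {
        if (--m_deferralDepth == 0 && m_collectionRequested) collect();
    }
    void allocateCell() {
        if (m_deferralDepth) { m_collectionRequested = true; return; }
        collect();
    }
    unsigned collections() const { return m_collections; }

private:
    void collect() {
        // The eager debug-build check from the entry: fail before we would hang.
        if (DisallowGC::isGCDisallowedOnCurrentThread())
            throw GCDeadlockError("GC triggered while GC is disallowed on this thread");
        m_codeBlockLock.lock();   // GC visits CodeBlocks; deadlocks if the caller holds the lock
        m_codeBlockLock.unlock();
        m_collectionRequested = false;
        ++m_collections;
    }
    CodeBlockLock& m_codeBlockLock;
    unsigned m_deferralDepth = 0;
    bool m_collectionRequested = false;
    unsigned m_collections = 0;
};

class ConcurrentJITLockerBase {
public:
    explicit ConcurrentJITLockerBase(CodeBlockLock& lock) : m_lock(&lock) { m_lock->lock(); }
    ~ConcurrentJITLockerBase() { unlockEarly(); }
    void unlockEarly() { if (m_lock) { m_lock->unlock(); m_lock = nullptr; } }
private:
    CodeBlockLock* m_lock;
};

// Plain locker: holds the lock and forbids GC underneath it (debug builds only, per the entry).
class ConcurrentJITLocker : public ConcurrentJITLockerBase {
public:
    explicit ConcurrentJITLocker(CodeBlockLock& lock) : ConcurrentJITLockerBase(lock) {}
private:
    DisallowGC m_disallowGC;
};

// GC-safe locker: defers collection while held, drops the lock, then lets a deferred GC run.
class GCSafeConcurrentJITLocker : public ConcurrentJITLockerBase {
public:
    GCSafeConcurrentJITLocker(CodeBlockLock& lock, Heap& heap)
        : ConcurrentJITLockerBase(lock), m_heap(heap) { m_heap.incrementDeferralDepth(); }
    ~GCSafeConcurrentJITLocker() {
        unlockEarly();                                 // the lock must be gone before GC runs
        m_heap.decrementDeferralDepthAndGCIfNeeded();
    }
private:
    Heap& m_heap;
};

// Buggy slow path: allocate (e.g. materialize a property map) under the plain locker.
// Returns the error text, or "" when nothing went wrong.
std::string putByIdUnsafe(CodeBlockLock& lock, Heap& heap) {
    try { ConcurrentJITLocker locker(lock); heap.allocateCell(); return ""; }
    catch (const GCDeadlockError& e) { return e.what(); }
}

// Fixed slow path: the same work under the GC-safe locker.
std::string putByIdSafe(CodeBlockLock& lock, Heap& heap) {
    try { GCSafeConcurrentJITLocker locker(lock, heap); heap.allocateCell(); return ""; }
    catch (const GCDeadlockError& e) { return e.what(); }
}

int main() {
    CodeBlockLock lock;
    Heap heap(lock);
    std::printf("plain locker: %s\n", putByIdUnsafe(lock, heap).c_str());
    std::string safe = putByIdSafe(lock, heap);
    std::printf("GC-safe locker: %s (collections=%u)\n", safe.empty() ? "ok" : safe.c_str(), heap.collections());
    return 0;
}
```

        The ordering in the GC-safe destructor is the part worth copying: the lock is released
        before the deferral count drops, so the collection that was requested under the lock runs
        only once no CodeBlock lock is held by this thread.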

2013-10-14  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT should use the DFG's PutById IC
        https://bugs.webkit.org/show_bug.cgi?id=122704

        Reviewed by Mark Hahnenberg.

        Mostly no big deal, just removing the old Baseline JIT's put_by_id IC support and forcing
        that JIT to use the DFG's (i.e. JITOperations) PutById IC.

        The only complicated part was that the PutById operations assumed that we first did a
        cell speculation, which the baseline JIT obviously won't do. So I changed all of those
        slow paths to deal with EncodedJSValues.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resetStubInternal):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
        * jit/JIT.h:
        (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
        (JSC::PropertyStubCompilationInfo::slowCaseInfo):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperationWrappers.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/Repatch.cpp:
        (JSC::appropriateGenericPutByIdFunction):
        (JSC::appropriateListBuildingPutByIdFunction):
        (JSC::resetPutByID):

2013-10-13  Filip Pizlo  <fpizlo@apple.com>

        FTL should have an inefficient but correct implementation of GetById
        https://bugs.webkit.org/show_bug.cgi?id=122740

        Reviewed by Mark Hahnenberg.

        It took some effort to realize that the node->prediction() check in the DFG backends
        is completely unnecessary since the ByteCodeParser will always insert a ForceOSRExit
        if !prediction.

        But other than that this was an easy patch.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetById):

2013-10-13  Mark Lam  <mark.lam@apple.com>

        Transition misc cti_op_* JITStubs to JIT operations.
        https://bugs.webkit.org/show_bug.cgi?id=122645.

        Reviewed by Michael Saboff.

        Stubs converted:
            cti_op_check_has_instance
            cti_op_create_arguments
            cti_op_del_by_id
            cti_op_instanceof
            cti_to_object
            cti_op_push_activation
            cti_op_get_pnames
            cti_op_load_varargs

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        (JSC::JIT::emitStoreCell):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_create_activation):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_check_has_instance):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_check_has_instance):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_create_activation):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_del_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_del_by_id):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2013-10-13  Filip Pizlo  <fpizlo@apple.com>

        FTL OSR exit should perform zero extension on values smaller than 64-bit
        https://bugs.webkit.org/show_bug.cgi?id=122688

        Reviewed by Gavin Barraclough.

        In the DFG we usually make the simplistic assumption that a 32-bit value in a 64-bit
        register will have zeros on the high bits. In the few cases where the high bits are
        non-zero, the DFG sort of tells us this explicitly.

        But when working with llvm.webkit.stackmap, it doesn't work that way. Consider that we might
        emit LLVM IR like:

            %2 = trunc i64 %1 to i32
            stuff %2
            call @llvm.webkit.stackmap(...., %2)

        LLVM may never actually emit a truncation instruction of any kind. And that's great - in
        many cases it won't be needed, like if 'stuff %2' is a 32-bit op that ignores the high
        bits anyway. Hence LLVM may tell us that %2 is in the register that still had the value
        from before truncation, and that register may have garbage in the high bits.

        This means that on our end, if we want a 32-bit value and we want that value to be
        zero-extended, we should zero-extend it ourselves. This is pretty easy and should be
        cheap, so we should just do it and not make it a requirement that LLVM does it on its
        end.

        This makes all tests pass with JSC_ftlOSRExitUsesStackmap=true.

        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStubWithOSRExitStackmap):
        * ftl/FTLValueFormat.cpp:
        (JSC::FTL::reboxAccordingToFormat):
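
        What goes wrong when OSR exit reboxes a register whose high bits still hold pre-truncation
        data, as an added C++ illustration (not JavaScriptCore code). The tag constants are JSC's
        64-bit JSValue encoding of the period; the two rebox functions, the Kind classifier, the
        ValueFormat enum and the stale register contents are constructed for this example. It covers
        both the Int32 case the entry discusses and a Boolean payload, where the damage is more
        visible.

```cpp
#include <cstdint>
#include <cstdio>

// JSC 64-bit JSValue tag constants (TagTypeNumber, TagMask, ValueFalse/ValueTrue).
constexpr uint64_t NumberTag  = 0xFFFF000000000000ull;   // all 16 high bits set: an Int32
constexpr uint64_t TagMask    = NumberTag | 0x7;         // cells have every tag bit clear
constexpr uint64_t ValueFalse = 0x06;
constexpr uint64_t ValueTrue  = 0x07;

enum class Kind { Int32, Double, Boolean, Cell, Other };

// How later code interprets a boxed value; mirrors the order of the JSValue::is* predicates.
Kind classify(uint64_t v) {
    if ((v & NumberTag) == NumberTag) return Kind::Int32;
    if (v & NumberTag)                return Kind::Double;    // any other non-zero high tag bits
    if ((v & ~1ull) == ValueFalse)    return Kind::Boolean;
    if ((v & TagMask) == 0)           return Kind::Cell;
    return Kind::Other;
}

const char* kindName(Kind k) {
    switch (k) {
    case Kind::Int32: return "Int32";
    case Kind::Double: return "Double";
    case Kind::Boolean: return "Boolean";
    case Kind::Cell: return "Cell";
    default: return "Other";
    }
}

int32_t asInt32(uint64_t v) { return static_cast<int32_t>(static_cast<uint32_t>(v)); }

// Canonical boxes: what a JIT is expected to produce and what identity comparisons assume.
uint64_t boxInt32(int32_t i) { return NumberTag | static_cast<uint32_t>(i); }
uint64_t boxBoolean(bool b)  { return ValueFalse | static_cast<uint64_t>(b); }

enum class ValueFormat { Int32, Boolean };

// Before the fix: rebox straight from the register the stackmap named, trusting its high bits.
uint64_t reboxTrustingHighBits(ValueFormat format, uint64_t reg) {
    switch (format) {
    case ValueFormat::Int32:   return NumberTag | reg;
    case ValueFormat::Boolean: return ValueFalse | reg;
    }
    return 0;
}

// After the fix: zero-extend the sub-64-bit payload ourselves before tagging (a 32-bit move on
// x86-64 clears the upper half; a boolean keeps only its low bit).
uint64_t reboxZeroExtended(ValueFormat format, uint64_t reg) {
    switch (format) {
    case ValueFormat::Int32:   return NumberTag | static_cast<uint32_t>(reg);
    case ValueFormat::Boolean: return ValueFalse | (reg & 1);
    }
    return 0;
}

// Constructed register contents: the i32 value 5 and the i1 value true, each still carrying
// stale bits above the payload, as the entry says LLVM is allowed to leave them.
constexpr uint64_t kStaleInt32Register = 0xDEADBEEF00000005ull;
constexpr uint64_t kStaleBoolRegister  = 0xDEADBEEF00000001ull;

int main() {
    uint64_t trustedInt = reboxTrustingHighBits(ValueFormat::Int32, kStaleInt32Register);
    uint64_t trustedBool = reboxTrustingHighBits(ValueFormat::Boolean, kStaleBoolRegister);
    std::printf("int32 trusting:  %016llx (%s, decodes to %d, canonical box is %016llx)\n",
        (unsigned long long)trustedInt, kindName(classify(trustedInt)), asInt32(trustedInt),
        (unsigned long long)boxInt32(5));
    std::printf("bool trusting:   %016llx (%s)\n", (unsigned long long)trustedBool, kindName(classify(trustedBool)));
    std::printf("bool zero-ext:   %016llx (%s)\n",
        (unsigned long long)reboxZeroExtended(ValueFormat::Boolean, kStaleBoolRegister),
        kindName(classify(reboxZeroExtended(ValueFormat::Boolean, kStaleBoolRegister))));
    return 0;
}
```

        The Int32 case is subtle: the stale box still classifies as an Int32 and decodes to 5, but
        it is not bit-identical to the canonical box, so any fast path that compares whole JSValues
        (strict equality, structure checks, map keys) sees two different values. The Boolean case is
        blunter: the stale bits land in the tag field and the value is read back as a double, which
        is a type confusion.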

== Rolled over to ChangeLog-2013-10-13 ==