]> git.saurik.com Git - apple/javascriptcore.git/blame - ChangeLog-2012-10-02
projects / apple / javascriptcore.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
JavaScriptCore-7601.1.46.3.tar.gz
[apple/javascriptcore.git] / ChangeLog-2012-10-02
CommitLineData
81345200
A		 12012-10-02 Filip Pizlo <fpizlo@apple.com>
2
3 REGRESSION(r128400): ASSERT (crash in release) @ app.asana.com
4 https://bugs.webkit.org/show_bug.cgi?id=98175
5
6 Reviewed by Oliver Hunt.
7
8 It's bad karma to create a new structure while stealing another structure's property table
9 while leaving the m_offset unset. Eventually someone will then steal your property table, and
10 then you won't know how many properties you have anymore.
11
12 * runtime/Structure.cpp:
13 (JSC::Structure::nonPropertyTransition):
14
152012-10-02 Michael Saboff <msaboff@apple.com>
16
17 Comment additions after r130109
18
19 Rubber stamped by Geoffrey Garen.
20
21 Updated comments to how array storage works.
22
23 * runtime/ArrayStorage.h:
24 * runtime/JSArray.cpp:
25
262012-10-01 Mark Hahnenberg <mhahnenberg@apple.com>
27
28 Block freeing thread should sleep indefinitely when there's no work to do
29 https://bugs.webkit.org/show_bug.cgi?id=98084
30
31 Reviewed by Geoffrey Garen.
32
33 Currently the block freeing thread wakes up once a second to check if there are any blocks
34 for it to release back to the OS. This is wasteful. We should change it to sleep when it
35 realizes there are no more blocks to free. Any thread that returns a block to the BlockAllocator
36 should then notify the block freeing thread that there is more work to do now.
37
38 * heap/BlockAllocator.cpp:
39 (JSC::BlockAllocator::BlockAllocator):
40 (JSC::BlockAllocator::blockFreeingThreadMain):
41 * heap/BlockAllocator.h:
42 (BlockAllocator):
43 (JSC::BlockAllocator::deallocate):
44
452012-10-01 Michael Saboff <msaboff@apple.com>
46
47 JSArray::unshiftCountSlowCase needs to clear array slots when adding space to end of array
48 https://bugs.webkit.org/show_bug.cgi?id=98101
49
50 Reviewed by Filip Pizlo.
51
52 Cleared new array entries when adding to end due to shifting contents to lower memory. Also
53 checnaged the order of moving array contents and metadata in the shift left case to avoid
54 clobbering the metadata with array contents. Optimized the to only make a memmove if the
55 count is non-zero.
56
57 * runtime/JSArray.cpp:
58 (JSC::JSArray::unshiftCountSlowCase):
59 (JSC::JSArray::unshiftCount):
60
612012-10-01 Filip Pizlo <fpizlo@apple.com>
62
63 Address a FIXME in JSArray::sort
64 https://bugs.webkit.org/show_bug.cgi?id=98080
65 <rdar://problem/12407844>
66
67 Reviewed by Oliver Hunt.
68
69 Get rid of fast sorting of sparse maps. I don't know that it's broken but I do know that we don't
70 have coverage for it. Then also address the FIXME in JSArray::sort regarding side-effecting
71 compare functions.
72
73 * runtime/ArrayPrototype.cpp:
74 (JSC::arrayProtoFuncSort):
75 * runtime/JSArray.cpp:
76 (JSC::JSArray::sortNumeric):
77 (JSC::JSArray::sort):
78 (JSC::JSArray::compactForSorting):
79 * runtime/JSArray.h:
80 (JSArray):
81 * runtime/JSObject.h:
82 (JSC::JSObject::hasSparseMap):
83 (JSObject):
84
852012-10-01 Jonathan Liu <net147@gmail.com>
86
87 Remove unused sys/mman.h include
88 https://bugs.webkit.org/show_bug.cgi?id=97995
89
90 Reviewed by Kentaro Hara.
91
92 The sys/mman.h is not used and removing it improves portability as not
93 all systems have sys/mman.h.
94
95 * jit/ExecutableAllocatorFixedVMPool.cpp:
96
972012-09-28 Filip Pizlo <fpizlo@apple.com>
98
99 ASSERTION in m_graph[tailNodeIndex].op() == Flush || m_graph[tailNodeIndex].op() == SetLocal on plus.google.com
100 https://bugs.webkit.org/show_bug.cgi?id=97656
101
102 Reviewed by Mark Hahnenberg.
103
104 There were two bugs here:
105
106 1) In case of multiple GetLocals to the same captured variable, the bytecode parser would linke the first,
107 rather than the last, of the GetLocals into the vars-at-tail table.
108
109 2) The constant folding phase was asserting that any GetLocal it eliminates must be linked into the
110 vars-at-tail table, when for captured variables only the last of those should be.
111
112 * dfg/DFGByteCodeParser.cpp:
113 (JSC::DFG::ByteCodeParser::getLocal):
114 * dfg/DFGConstantFoldingPhase.cpp:
115 (JSC::DFG::ConstantFoldingPhase::foldConstants):
116
1172012-09-28 Filip Pizlo <fpizlo@apple.com>
118
119 DFGStructureHoistingPhase SetLocal assumes StructureTransitionWatchpoint has a structure set
120 https://bugs.webkit.org/show_bug.cgi?id=97810
121
122 Reviewed by Mark Hahnenberg.
123
124 No tests because this can't happen in ToT: the structure check hoisting phase runs before any
125 CFA or folding, so the only StructureTransitionWatchpoints it will see are the ones inserted
126 by the parser. But the parser will only insert StructureTransitinWatchpoints on constants, which
127 will not be subject to SetLocals.
128
129 Still, it would be good to fix this in case things changed.
130
131 * dfg/DFGStructureCheckHoistingPhase.cpp:
132 (JSC::DFG::StructureCheckHoistingPhase::run):
133
1342012-09-27 Mark Lam <mark.lam@apple.com>
135
136 Put initializeHostCallReturnValue() behind #if ENABLE(JIT).
137 Fixes non JIT builds.
138 https://bugs.webkit.org/show_bug.cgi?id=97838.
139
140 Reviewed by John Sullivan.
141
142 * runtime/JSGlobalData.cpp:
143 (JSC::JSGlobalData::JSGlobalData):
144
1452012-09-27 Mark Lam <mark.lam@apple.com>
146
147 Fixed CallFrameClosure::resetCallFrame() to use the valid
148 range of argument index values.
149 https://bugs.webkit.org/show_bug.cgi?id=97836.
150
151 Reviewed by Gavin Barraclough.
152
153 * interpreter/CallFrame.h:
154 (ExecState):
155 * interpreter/CallFrameClosure.h:
156 (JSC::CallFrameClosure::resetCallFrame):
157
1582012-09-27 Patrick Gansterer <paroga@webkit.org>
159
160 Fix usage of COMPILER() macros
161 https://bugs.webkit.org/show_bug.cgi?id=97642
162
163 Reviewed by Geoffrey Garen.
164
165 Add COMPILER(GCC) around compiler specific code and remove it from generic code.
166 This allows us to implement the DFG code for other compilers to in a next step.
167
168 * dfg/DFGOperations.cpp:
169 * jit/HostCallReturnValue.h:
170
1712012-09-27 Andreas Kling <kling@webkit.org>
172
173 3.20MB below FunctionParameters::create() on Membuster3.
174 <http://webkit.org/b/97730>
175
176 Reviewed by Anders Carlsson.
177
178 Figure out the exact space needed for parameter identifiers and use reserveInitialCapacity().
179 Reduces memory consumption on Membuster3 by ~1.60 MB.
180
181 * parser/Nodes.cpp:
182 (JSC::FunctionParameters::FunctionParameters):
183
1842012-09-27 Csaba Osztrogonác <ossy@webkit.org>, Tor Arne Vestbø <vestbo@webkit.org>
185
186 [Qt] Enable the LLInt on Linux
187 https://bugs.webkit.org/show_bug.cgi?id=95749
188
189 Reviewed by Simon Hausmann.
190
191 * DerivedSources.pri:
192 * JavaScriptCore.pro:
193 * LLIntOffsetsExtractor.pro: Added.
194 * Target.pri:
195
1962012-09-27 Patrick Gansterer <paroga@webkit.org>
197
198 [CMake] Fix build with static JavaScriptCore library
199
200 * shell/CMakeLists.txt: Define STATICALLY_LINKED_WITH_JavaScriptCore if
201 JavaScriptCore_LIBRARY_TYPE is set to STATIC.
202
2032012-09-26 Gavin Barraclough <barraclough@apple.com>
204
205 Proxy the global this in JSC
206 https://bugs.webkit.org/show_bug.cgi?id=97734
207
208 Reviewed by Filip Pizlo.
209
210 Eeep – fix a bug - was leaving the global this proxy's structure's globalObject as 0,
211 and setting the proxy's prototype as the global object, rather than its prototype.
212
213 * jsc.cpp:
214 (GlobalObject::create):
215 * runtime/JSProxy.h:
216 (JSC::JSProxy::createStructure):
217
2182012-09-26 Gavin Barraclough <barraclough@apple.com>
219
220 Speculative Windows build fix.
221
222 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
223
2242012-09-26 Filip Pizlo <fpizlo@apple.com>
225
226 Unreviewed, 32-bit build fix.
227
228 * llint/LowLevelInterpreter32_64.asm:
229
2302012-09-26 Filip Pizlo <fpizlo@apple.com>
231
232 jneq_ptr shouldn't have a pointer
233 https://bugs.webkit.org/show_bug.cgi?id=97739
234
235 Reviewed by Oliver Hunt.
236
237 Slamming pointers directly into bytecode is sometimes cool, but in this case it's
238 unwieldy and confusing. Switched the instruction to use an enum instead. This has
239 zero effect on code gen behavior in the JITs. In the LLInt, there is now more
240 indirection, but that doesn't affect benchmarks.
241
242 * CMakeLists.txt:
243 * GNUmakefile.list.am:
244 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
245 * JavaScriptCore.xcodeproj/project.pbxproj:
246 * Target.pri:
247 * bytecode/Instruction.h:
248 (JSC::Instruction::Instruction):
249 (Instruction):
250 * bytecode/SpecialPointer.cpp: Added.
251 (JSC):
252 (JSC::actualPointerFor):
253 * bytecode/SpecialPointer.h: Added.
254 (JSC):
255 (JSC::pointerIsFunction):
256 (JSC::pointerIsCell):
257 * bytecompiler/BytecodeGenerator.cpp:
258 (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
259 (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
260 * dfg/DFGByteCodeParser.cpp:
261 (JSC::DFG::ByteCodeParser::parseBlock):
262 * jit/JITOpcodes.cpp:
263 (JSC::JIT::emit_op_jneq_ptr):
264 * jit/JITOpcodes32_64.cpp:
265 (JSC::JIT::emit_op_jneq_ptr):
266 * llint/LowLevelInterpreter32_64.asm:
267 * llint/LowLevelInterpreter64.asm:
268 * runtime/JSGlobalObject.cpp:
269 (JSC::JSGlobalObject::reset):
270 (JSC):
271 * runtime/JSGlobalObject.h:
272 (JSGlobalObject):
273 (JSC::JSGlobalObject::actualPointerFor):
274
2752012-09-26 Gavin Barraclough <barraclough@apple.com>
276
277 REGRESSION (r129456): http/tests/security/xss-eval.html is failing on JSC platforms
278 https://bugs.webkit.org/show_bug.cgi?id=97529
279
280 Reviewed by Filip Pizlo.
281
282 A recent patch changed JSC's EvalError behaviour; bring this more into line with other browsers.
283
284 JSC currently throws an EvalError if you try to call eval with a this object that doesn't
285 match the given eval function. This does not match other browsers, which generally just
286 ignore the this value that was passed, and eval the string in the eval function's environment.
287
288 * runtime/JSGlobalObjectFunctions.cpp:
289 (JSC::globalFuncEval):
290 - Remove EvalError, ignore passed this value.
291
2922012-09-26 Gavin Barraclough <barraclough@apple.com>
293
294 Proxy the global this in JSC
295 https://bugs.webkit.org/show_bug.cgi?id=97734
296
297 Reviewed by Oliver Hunt.
298
299 Having jsc diverge from WebCore here is not beneficial; it potentially masks bugs and/or performance
300 problems from command line testing.
301
302 * jsc.cpp:
303 (GlobalObject::create):
304 - Create a this value proxy for the global object.
305 * runtime/JSGlobalObject.h:
306 (JSGlobalObject):
307 - Make setGlobalThis protected.
308 * runtime/JSProxy.h:
309 (JSC::JSProxy::create):
310 (JSC::JSProxy::target):
311 (JSC::JSProxy::finishCreation):
312 (JSProxy):
313 - Allow proxy target to be a JSObject, add target to create method.
314
3152012-09-26 Gavin Barraclough <barraclough@apple.com>
316
317 Speculative Windows build fix.
318
319 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
320
3212012-09-26 Filip Pizlo <fpizlo@apple.com>
322
323 JSObject::ensureArrayStorage() ignores the possibility that extensions have been prevented
324 https://bugs.webkit.org/show_bug.cgi?id=97719
325
326 Reviewed by Gavin Barraclough.
327
328 * runtime/JSObject.cpp:
329 (JSC::JSObject::ensureArrayStorageSlow):
330 (JSC):
331 * runtime/JSObject.h:
332 (JSC::JSObject::ensureArrayStorage):
333 (JSObject):
334
3352012-09-26 Gavin Barraclough <barraclough@apple.com>
336
337 Generalize JSGlobalThis as JSProxy
338 https://bugs.webkit.org/show_bug.cgi?id=97716
339
340 Reviewed by Oliver Hunt.
341
342 Generalize JSGlobalThis as JSProxy and move proxying functionality up from the window shell into JSProxy.
343
344 * CMakeLists.txt:
345 * GNUmakefile.list.am:
346 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
347 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
348 * JavaScriptCore.xcodeproj/project.pbxproj:
349 * Target.pri:
350 * runtime/JSGlobalObject.cpp:
351 (JSC::JSGlobalObject::toThisObject):
352 - Hoist toThisObject from WebCore.
353 (JSC):
354 * runtime/JSGlobalObject.h:
355 - removed include.
356 (JSC::JSGlobalObject::finishCreation):
357 - JSGlobalThis -> JSObject
358 (JSGlobalObject):
359 - Hoist toThisObject from WebCore.
360 * runtime/JSGlobalThis.cpp: Removed.
361 * runtime/JSGlobalThis.h: Removed.
362 * runtime/JSObject.cpp:
363 - removed include.
364 * runtime/JSObject.h:
365 (JSObject):
366 (JSC::JSObject::isProxy):
367 - isGlobalThis -> isProxy
368 - GlobalThisType -> ProxyType
369 * runtime/JSProxy.cpp: Copied from Source/JavaScriptCore/runtime/JSGlobalThis.cpp.
370 (JSC):
371 (JSC::JSProxy::visitChildren):
372 (JSC::JSProxy::setTarget):
373 (JSC::JSProxy::className):
374 (JSC::JSProxy::getOwnPropertySlot):
375 (JSC::JSProxy::getOwnPropertySlotByIndex):
376 (JSC::JSProxy::getOwnPropertyDescriptor):
377 (JSC::JSProxy::put):
378 (JSC::JSProxy::putByIndex):
379 (JSC::JSProxy::putDirectVirtual):
380 (JSC::JSProxy::defineOwnProperty):
381 (JSC::JSProxy::deleteProperty):
382 (JSC::JSProxy::deletePropertyByIndex):
383 (JSC::JSProxy::getPropertyNames):
384 (JSC::JSProxy::getOwnPropertyNames):
385 - Class cretaed from JSGlobalThis, JSDOMWindowShell.
386 * runtime/JSProxy.h: Copied from Source/JavaScriptCore/runtime/JSGlobalThis.h.
387 (JSC::JSProxy::create):
388 (JSC::JSProxy::createStructure):
389 (JSProxy):
390 (JSC::JSProxy::target):
391 (JSC::JSProxy::JSProxy):
392 - Class cretaed from JSGlobalThis, JSDOMWindowShell.
393 * runtime/JSType.h:
394 - GlobalThisType -> ProxyType
395
3962012-09-26 Michael Saboff <msaboff@apple.com>
397
398 Add ability for JSArray::unshiftCount to unshift in middle of an array
399 https://bugs.webkit.org/show_bug.cgi?id=97691
400
401 Reviewed by Filip Pizlo.
402
403 Changed JSArray::unshiftCount and unshiftCountSlowCase to handle unshifting from the middle of an
404 array. Depending on where the unshift point is, either the front part of the array will be moved
405 "left" or the back part will be moved right. Given that unshiftCount only works on contiguous
406 arrays it is safe to use memmove for the moves.
407
408 This change is worth 25% performance improvement on pdfjs. It doesn't seem to have any impact on
409 any other benchmarks.
410
411 * runtime/ArrayPrototype.cpp:
412 (JSC::unshift):
413 * runtime/JSArray.cpp:
414 (JSC::JSArray::unshiftCountSlowCase):
415 (JSC::JSArray::unshiftCount):
416 * runtime/JSArray.h:
417 (JSArray):
418
4192012-09-26 Sheriff Bot <webkit.review.bot@gmail.com>
420
421 Unreviewed, rolling out r129592.
422 http://trac.webkit.org/changeset/129592
423 https://bugs.webkit.org/show_bug.cgi?id=97670
424
425 Failures in Chromium security tests (Requested by schenney on
426 #webkit).
427
428 * runtime/JSGlobalObjectFunctions.cpp:
429 (JSC::globalFuncEval):
430
4312012-09-25 Gavin Barraclough <barraclough@apple.com>
432
433 REGRESSION (r129456): http/tests/security/xss-eval.html is failing on JSC platforms
434 https://bugs.webkit.org/show_bug.cgi?id=97529
435
436 Reviewed by Filip Pizlo.
437
438 A recent patch changed JSC's EvalError behaviour; bring this more into line with other browsers.
439
440 JSC currently throws an EvalError if you try to call eval with a this object that doesn't
441 match the given eval function. This does not match other browsers, which generally just
442 ignore the this value that was passed, and eval the string in the eval function's environment.
443
444 * runtime/JSGlobalObjectFunctions.cpp:
445 (JSC::globalFuncEval):
446 - Remove EvalError, ignore passed this value.
447
4482012-09-25 Filip Pizlo <fpizlo@apple.com>
449
450 DFG ArrayPush, ArrayPop don't handle clobbering or having a bad time correctly
451 https://bugs.webkit.org/show_bug.cgi?id=97535
452
453 Reviewed by Oliver Hunt.
454
455 * dfg/DFGAbstractState.cpp:
456 (JSC::DFG::AbstractState::execute):
457 * dfg/DFGByteCodeParser.cpp:
458 (JSC::DFG::ByteCodeParser::handleIntrinsic):
459 * dfg/DFGStructureCheckHoistingPhase.cpp:
460 (JSC::DFG::StructureCheckHoistingPhase::run):
461
4622012-09-25 Geoffrey Garen <ggaren@apple.com>
463
464 JSC should dump object size inference statistics
465 https://bugs.webkit.org/show_bug.cgi?id=97618
466
467 Reviewed by Filip Pizlo.
468
469 Added an option to dump object size inference statistics.
470
471 To see statistics on live objects:
472
473 jsc --showHeapStatistics=1
474
475 To see cumulative statistics on all objects ever allocated:
476
477 jsc --showHeapStatistics=1 --objectsAreImmortal=1
478
479 (This is useful for showing GC churn caused by over-allocation.)
480
481 To support this second mode, I refactored Zombies to separate out their
482 immortality feature so I could reuse it.
483
484 * heap/Heap.cpp:
485 (JSC::MarkObject): Helper for making things immortal. We have to checked
486 for being zapped because blocks start out in this state.
487
488 (JSC::StorageStatistics): Gather statistics by walking the heap. Ignore
489 arrays and hash tables for now because they're not our focus. (We'll
490 remove these exceptions in future.)
491
492 (JSC::Heap::collect): Moved zombify to the end so it wouldn't interfere
493 with statistics gathering.
494
495 (JSC::Heap::showStatistics):
496 (JSC::Heap::markAllObjects): Factored out helper, so statistics could
497 take advantage of immortal objects.
498
499 (Zombify): Don't mark immortal objects -- that's another class's job now.
500
501 (JSC::Zombify::operator()):
502 (JSC::Heap::zombifyDeadObjects): Take advantage of forEachDeadCell instead
503 of rolling our own.
504
505 * heap/Heap.h:
506 (Heap):
507 * heap/MarkedSpace.h:
508 (MarkedSpace):
509 (JSC::MarkedSpace::forEachDeadCell): Added, so clients don't have to do
510 the iteration logic themselves.
511
512 * runtime/Options.cpp:
513 (JSC::Options::initialize):
514 * runtime/Options.h: New options, listed above. Make sure to initialize
515 based on environment variable first, so we can override with specific settings.
516
5172012-09-25 Filip Pizlo <fpizlo@apple.com>
518
519 We shouldn't use the optimized versions of shift/unshift if the user is doing crazy things to the array
520 https://bugs.webkit.org/show_bug.cgi?id=97603
521 <rdar://problem/12370864>
522
523 Reviewed by Gavin Barraclough.
524
525 You changed the length behind our backs? No optimizations for you then!
526
527 * runtime/ArrayPrototype.cpp:
528 (JSC::shift):
529 (JSC::unshift):
530 * runtime/JSArray.cpp:
531 (JSC::JSArray::shiftCount):
532
5332012-09-25 Filip Pizlo <fpizlo@apple.com>
534
535 JSC bindings appear to sometimes ignore the possibility of arrays being in sparse mode
536 https://bugs.webkit.org/show_bug.cgi?id=95610
537
538 Reviewed by Oliver Hunt.
539
540 Add better support for quickly accessing the indexed storage from bindings.
541
542 * runtime/JSObject.h:
543 (JSC::JSObject::tryGetIndexQuickly):
544 (JSObject):
545 (JSC::JSObject::getDirectIndex):
546 (JSC::JSObject::getIndex):
547
5482012-09-25 Filip Pizlo <fpizlo@apple.com>
549
550 Structure check hoisting phase doesn't know about the side-effecting nature of Arrayify
551 https://bugs.webkit.org/show_bug.cgi?id=97537
552
553 Reviewed by Mark Hahnenberg.
554
555 No tests because if we use Arrayify then we also use PutByVal(BlankToXYZ), and the latter is
556 already known to be side-effecting. So this bug shouldn't have had any symptoms, as far as I
557 can tell.
558
559 * dfg/DFGStructureCheckHoistingPhase.cpp:
560 (JSC::DFG::StructureCheckHoistingPhase::run):
561
5622012-09-25 Gavin Barraclough <barraclough@apple.com>
563
564 Regression: put beyond vector length prefers prototype setters to sparse properties
565 https://bugs.webkit.org/show_bug.cgi?id=97593
566
567 Reviewed by Geoff Garen & Filip Pizlo.
568
569 * runtime/JSObject.cpp:
570 (JSC::JSObject::putByIndexBeyondVectorLength):
571 - Check for self properties in the sparse map - if present, don't examine the protochain.
572
5732012-09-24 Gavin Barraclough <barraclough@apple.com>
574
575 https://bugs.webkit.org/show_bug.cgi?id=97530
576 Regression, freeze applied to numeric properties of non-array objects
577
578 Reviewed by Filip Pizlo.
579
580 Object.freeze has a fast implementation in JSObject, but this hasn't been updated to take into account numeric properties in butterflies.
581 For now, just fall back to the generic implementation if the object has numeric properties.
582
583 * runtime/ObjectConstructor.cpp:
584 (JSC::objectConstructorFreeze):
585 - fallback if the object has a non-zero indexed property vector length.
586
5872012-09-24 Gavin Barraclough <barraclough@apple.com>
588
589 Bug in numeric accessors on global environment
590 https://bugs.webkit.org/show_bug.cgi?id=97526
591
592 Reviewed by Geoff Garen.
593
594 I've hit this assert in test262 in browser, but haven't yet worked out how to repro in a test case :-/
595 The sparsemap is failing to map back from the global object to the window shell.
596 A test case would need to resolve a numeric property name against the global environment.
597
598 (JSC::SparseArrayEntry::get):
599 (JSC::SparseArrayEntry::put):
600 - Add missing toThisObject calls.
601
6022012-09-24 Filip Pizlo <fpizlo@apple.com>
603
604 SerializedScriptValue isn't aware of indexed storage, but should be
605 https://bugs.webkit.org/show_bug.cgi?id=97515
606 <rdar://problem/12361874>
607
608 Reviewed by Sam Weinig.
609
610 Export a method that WebCore now uses.
611
612 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
613 * runtime/JSObject.h:
614 (JSObject):
615
6162012-09-24 Gavin Barraclough <barraclough@apple.com>
617
618 Remove JSObject::unwrappedGlobalObject(), JSObject::unwrappedObject()
619 https://bugs.webkit.org/show_bug.cgi?id=97519
620
621 Reviewed by Geoff Garen.
622
623 unwrappedGlobalObject() was only needed because globalObject() doesn't always return a helpful result -
624 specifically for WebCore's window shell the structure's globalObject is set to null. We can fix this by
625 simply keeping the structure up to date as the window navigates, obviating the need for this function.
626
627 The only other use of unwrappedObject() came from globalFuncEval(), and this can be trivially removed
628 by flipping the way we perform this globalObject check (which we may also be able to remove!) - instead
629 of getting the globalObject from the provided this value & comparing to the expected globalObject, we
630 can get the this value from the expected globalObject, and compare to that provided.
631
632 * runtime/JSGlobalObject.cpp:
633 - Call globalObject() instead of unwrappedGlobalObject().
634 * runtime/JSGlobalObjectFunctions.cpp:
635 (JSC::globalFuncEval):
636 - Changed to compare this object values, instead of globalObjects -
637 this means we only need to be able to map globalObject -> this,
638 and not vice versa.
639 * runtime/JSObject.cpp:
640 (JSC::JSObject::allowsAccessFrom):
641 (JSC::JSObject::createInheritorID):
642 - Call globalObject() instead of unwrappedGlobalObject().
643 * runtime/JSObject.h:
644 (JSObject):
645 - Removed unwrappedGlobalObject(), unwrappedObject().
646
6472012-09-24 Mark Lam <mark.lam@apple.com>
648
649 Deleting the classic interpreter and cleaning up some build options.
650 https://bugs.webkit.org/show_bug.cgi?id=96969.
651
652 Reviewed by Geoffrey Garen.
653
654 * bytecode/CodeBlock.cpp:
655 (JSC::CodeBlock::dump):
656 (JSC::CodeBlock::finalizeUnconditionally):
657 (JSC::CodeBlock::stronglyVisitStrongReferences):
658 (JSC):
659 * bytecode/Instruction.h:
660 (JSC::Instruction::Instruction):
661 * interpreter/AbstractPC.cpp:
662 (JSC::AbstractPC::AbstractPC):
663 * interpreter/AbstractPC.h:
664 (AbstractPC):
665 * interpreter/CallFrame.h:
666 (ExecState):
667 * interpreter/Interpreter.cpp:
668 (JSC):
669 (JSC::Interpreter::Interpreter):
670 (JSC::Interpreter::~Interpreter):
671 (JSC::Interpreter::initialize):
672 (JSC::Interpreter::isOpcode):
673 (JSC::Interpreter::unwindCallFrame):
674 (JSC::getLineNumberForCallFrame):
675 (JSC::getCallerInfo):
676 (JSC::getSourceURLFromCallFrame):
677 (JSC::Interpreter::execute):
678 (JSC::Interpreter::executeCall):
679 (JSC::Interpreter::executeConstruct):
680 (JSC::Interpreter::retrieveArgumentsFromVMCode):
681 (JSC::Interpreter::retrieveCallerFromVMCode):
682 (JSC::Interpreter::retrieveLastCaller):
683 * interpreter/Interpreter.h:
684 (JSC::Interpreter::getOpcodeID):
685 (Interpreter):
686 * jit/ExecutableAllocatorFixedVMPool.cpp:
687 (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
688 * offlineasm/asm.rb:
689 * offlineasm/offsets.rb:
690 * runtime/Executable.cpp:
691 (JSC::EvalExecutable::compileInternal):
692 (JSC::ProgramExecutable::compileInternal):
693 (JSC::FunctionExecutable::compileForCallInternal):
694 (JSC::FunctionExecutable::compileForConstructInternal):
695 * runtime/Executable.h:
696 (JSC::NativeExecutable::create):
697 (NativeExecutable):
698 (JSC::NativeExecutable::finishCreation):
699 * runtime/JSGlobalData.cpp:
700 (JSC):
701 (JSC::JSGlobalData::JSGlobalData):
702 (JSC::JSGlobalData::getHostFunction):
703 * runtime/JSGlobalData.h:
704 (JSGlobalData):
705 (JSC::JSGlobalData::canUseJIT):
706 (JSC::JSGlobalData::canUseRegExpJIT):
707 * runtime/Options.cpp:
708 (JSC::Options::initialize):
709
7102012-09-24 Filip Pizlo <fpizlo@apple.com>
711
712 Nested try/finally should not confuse the finally unpopper in BytecodeGenerator::emitComplexJumpScopes
713 https://bugs.webkit.org/show_bug.cgi?id=97508
714 <rdar://problem/12361132>
715
716 Reviewed by Sam Weinig.
717
718 We're reusing some vector for multiple iterations of a loop, but we were forgetting to clear its
719 contents from one iteration to the next. Hence if you did multiple iterations of finally unpopping
720 (like in a nested try/finally and a jump out of both of them) then you'd get a corrupted try
721 context stack afterwards.
722
723 * bytecompiler/BytecodeGenerator.cpp:
724 (JSC::BytecodeGenerator::emitComplexJumpScopes):
725
7262012-09-24 Filip Pizlo <fpizlo@apple.com>
727
728 ValueToInt32 bool case does bad things to registers
729 https://bugs.webkit.org/show_bug.cgi?id=97505
730 <rdar://problem/12356331>
731
732 Reviewed by Mark Hahnenberg.
733
734 * dfg/DFGSpeculativeJIT.cpp:
735 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
736
7372012-09-24 Mark Lam <mark.lam@apple.com>
738
739 Add cloopDo instruction for debugging the llint C++ backend.
740 https://bugs.webkit.org/show_bug.cgi?id=97502.
741
742 Reviewed by Geoffrey Garen.
743
744 * offlineasm/cloop.rb:
745 * offlineasm/instructions.rb:
746 * offlineasm/parser.rb:
747
7482012-09-24 Filip Pizlo <fpizlo@apple.com>
749
750 JSArray::putByIndex asserts with readonly property on prototype
751 https://bugs.webkit.org/show_bug.cgi?id=97435
752 <rdar://problem/12357084>
753
754 Reviewed by Geoffrey Garen.
755
756 Boy, there were some problems:
757
758 - putDirectIndex() should know that it can set the index quickly even if it's a hole and we're
759 in SlowPut mode, since that's the whole point of PutDirect.
760
761 - We should have a fast path for putByIndex().
762
763 - The LiteralParser should not use push(), since that may throw if we're having a bad time.
764
765 * interpreter/Interpreter.cpp:
766 (JSC::eval):
767 * runtime/JSObject.h:
768 (JSC::JSObject::putByIndexInline):
769 (JSObject):
770 (JSC::JSObject::putDirectIndex):
771 * runtime/LiteralParser.cpp:
772 (JSC::::parse):
773
7742012-09-24 Mark Lam <mark.lam@apple.com>
775
776 Added a missing "if VALUE_PROFILER" around an access to ArrayProfile record.
777 https://bugs.webkit.org/show_bug.cgi?id=97496.
778
779 Reviewed by Filip Pizlo.
780
781 * llint/LowLevelInterpreter32_64.asm:
782 * llint/LowLevelInterpreter64.asm:
783
7842012-09-24 Geoffrey Garen <ggaren@apple.com>
785
786 Inlined activation tear-off in the DFG
787 https://bugs.webkit.org/show_bug.cgi?id=97487
788
789 Reviewed by Filip Pizlo.
790
791 * dfg/DFGOperations.cpp:
792 * dfg/DFGOperations.h: Activation tear-off is always inlined now, so I
793 removed its out-of-line implementation.
794
795 * dfg/DFGSpeculativeJIT32_64.cpp:
796 (JSC::DFG::SpeculativeJIT::compile):
797 * dfg/DFGSpeculativeJIT64.cpp:
798 (JSC::DFG::SpeculativeJIT::compile): Inlined the variable copy and update
799 of JSVariableObject::m_registers. This usually turns into < 10 instructions,
800 which is close to pure win as compared to the operation function call.
801
802 * runtime/JSActivation.h:
803 (JSActivation):
804 (JSC::JSActivation::registersOffset):
805 (JSC::JSActivation::tearOff):
806 (JSC::JSActivation::isTornOff):
807 (JSC):
808 (JSC::JSActivation::storageOffset):
809 (JSC::JSActivation::storage): Tiny bit of refactoring so the JIT can
810 share the pointer math helper functions we use internally.
811
8122012-09-24 Balazs Kilvady <kilvadyb@homejinni.com>
813
814 MIPS: store8 functions added to MacroAssembler.
815
816 MIPS store8 functions
817 https://bugs.webkit.org/show_bug.cgi?id=97243
818
819 Reviewed by Oliver Hunt.
820
821 Add MIPS store8 functions.
822
823 * assembler/MIPSAssembler.h:
824 (JSC::MIPSAssembler::lhu): New function.
825 (MIPSAssembler):
826 (JSC::MIPSAssembler::sb): New function.
827 (JSC::MIPSAssembler::sh): New function.
828 * assembler/MacroAssemblerMIPS.h:
829 (JSC::MacroAssemblerMIPS::store8): New function.
830 (MacroAssemblerMIPS):
831 (JSC::MacroAssemblerMIPS::store16): New function.
832
8332012-09-23 Geoffrey Garen <ggaren@apple.com>
834
835 PutScopedVar should not be marked as clobbering the world
836 https://bugs.webkit.org/show_bug.cgi?id=97416
837
838 Reviewed by Filip Pizlo.
839
840 No performance change.
841
842 PutScopedVar doesn't have arbitrary side-effects, so it shouldn't be marked
843 as such.
844
845 * dfg/DFGNodeType.h:
846 (DFG):
847
8482012-09-23 Geoffrey Garen <ggaren@apple.com>
849
850 I accidentally the whole 32-bit :(.
851
852 Unbreak the DFG in 32-bit with the 32-bit path I forgot in my last patch.
853
854 * dfg/DFGSpeculativeJIT32_64.cpp:
855 (JSC::DFG::SpeculativeJIT::compile):
856
8572012-09-23 Byungwoo Lee <bw80.lee@gmail.com>
858
859 Fix build warnings : -Wunused-parameter, -Wparentheses, -Wuninitialized.
860 https://bugs.webkit.org/show_bug.cgi?id=97306
861
862 Reviewed by Benjamin Poulain.
863
864 Fix build warning about -Wunused-parameter on MachineStackMarker.cpp,
865 LLIntSlowPaths.cpp, DatePrototype.cpp, Options.cpp by using
866 UNUSED_PARAM() macro or remove parameter name.
867
868 * heap/MachineStackMarker.cpp:
869 (JSC::pthreadSignalHandlerSuspendResume):
870 * llint/LLIntSlowPaths.cpp:
871 (JSC::LLInt::entryOSR):
872 * runtime/DatePrototype.cpp:
873 (JSC::formatLocaleDate):
874 * runtime/Options.cpp:
875 (JSC::computeNumberOfGCMarkers):
876
8772012-09-23 Gavin Barraclough <barraclough@apple.com>
878
879 Sorting a non-array creates propreties (spec-violation)
880 https://bugs.webkit.org/show_bug.cgi?id=25477
881
882 Reviewed by Oliver Hunt.
883
884 We're just calling get() to get properties, which is converting missing properties to
885 undefined. Hole values should be retained, and moved to the end of the array.
886
887 * runtime/ArrayPrototype.cpp:
888 (JSC::getOrHole):
889 - Helper function, returns JSValue() instead of undefined for missing properties.
890 (JSC::arrayProtoFuncSort):
891 - Implemented per 15.4.4.11, see comments above.
892
8932012-09-23 Geoffrey Garen <ggaren@apple.com>
894
895 CSE for access to closure variables (get_/put_scoped_var)
896 https://bugs.webkit.org/show_bug.cgi?id=97414
897
898 Reviewed by Oliver Hunt.
899
900 I separated loading a scope from loading its storage pointer, so we can
901 CSE the storage pointer load. Then, I copied the global var CSE and adjusted
902 it for closure vars.
903
904 * dfg/DFGAbstractState.cpp:
905 (JSC::DFG::AbstractState::execute): Renamed GetScopeChain => GetScope to
906 reflect renames from a few weeks ago.
907
908 Added a case for the storage pointer load, similar to object storage pointer load.
909
910 * dfg/DFGByteCodeParser.cpp:
911 (JSC::DFG::ByteCodeParser::parseBlock): Added an independent node for
912 the storage pointer.
913
914 * dfg/DFGCSEPhase.cpp:
915 (JSC::DFG::CSEPhase::scopedVarLoadElimination):
916 (CSEPhase):
917 (JSC::DFG::CSEPhase::scopedVarStoreElimination):
918 (JSC::DFG::CSEPhase::getScopeLoadElimination):
919 (JSC::DFG::CSEPhase::getScopeRegistersLoadElimination):
920 (JSC::DFG::CSEPhase::setLocalStoreElimination):
921 (JSC::DFG::CSEPhase::performNodeCSE): Copied globalVarLoad/StoreElimination
922 and adapted the same logic to closure vars.
923
924 * dfg/DFGNode.h:
925 (JSC::DFG::Node::hasScopeChainDepth):
926 (JSC::DFG::Node::scope):
927 (Node):
928 * dfg/DFGNodeType.h:
929 (DFG): GetScopedVar and GetGlobalVar are no longer MustGenerate. I'm not
930 sure why they ever were. But these are simple load operations so, if they're
931 unused, they're truly dead.
932
933 * dfg/DFGPredictionPropagationPhase.cpp:
934 (JSC::DFG::PredictionPropagationPhase::propagate):
935 * dfg/DFGSpeculativeJIT32_64.cpp:
936 (JSC::DFG::SpeculativeJIT::compile):
937 * dfg/DFGSpeculativeJIT64.cpp:
938 (JSC::DFG::SpeculativeJIT::compile): Updated for renames and split-out
939 node for getting the storage pointer.
940
9412012-09-21 Geoffrey Garen <ggaren@apple.com>
942
943 Unreviewed, rolled out a line I committed by accident.
944
945 * interpreter/Interpreter.cpp:
946 (JSC::Interpreter::execute):
947
9482012-09-21 Geoffrey Garen <ggaren@apple.com>
949
950 Optimized closures that capture arguments
951 https://bugs.webkit.org/show_bug.cgi?id=97358
952
953 Reviewed by Oliver Hunt.
954
955 Previously, the activation object was responsible for capturing all
956 arguments in a way that was convenient for the arguments object. Now,
957 we move all captured variables into a contiguous region in the stack,
958 allocate an activation for exactly that size, and make the arguments
959 object responsible for knowing all the places to which arguments could
960 have moved.
961
962 This seems like the right tradeoff because
963
964 (a) Closures are common and long-lived, so we want them to be small.
965
966 (b) Our primary strategy for optimizing the arguments object is to make
967 it go away. If you're allocating arguments objects, you're already having
968 a bad time.
969
970 (c) It's common to use either the arguments object or named argument
971 closure, but not both.
972
973 * bytecode/CodeBlock.cpp:
974 (JSC::CodeBlock::dump):
975 (JSC::CodeBlock::CodeBlock):
976 * bytecode/CodeBlock.h:
977 (JSC::CodeBlock::argumentsRegister):
978 (JSC::CodeBlock::activationRegister):
979 (JSC::CodeBlock::isCaptured):
980 (JSC::CodeBlock::argumentIndexAfterCapture): m_numCapturedVars is gone
981 now -- we have an explicit range instead.
982
983 * bytecompiler/BytecodeGenerator.cpp:
984 (JSC::BytecodeGenerator::BytecodeGenerator): Move captured arguments
985 into the captured region of local variables for space efficiency. Record
986 precise data about where they moved for the sake of the arguments object.
987
988 Some of this data was previously wrong, but it didn't cause any problems
989 because the arguments weren't actually moving.
990
991 * dfg/DFGByteCodeParser.cpp:
992 (JSC::DFG::ByteCodeParser::flushArgumentsAndCapturedVariables): Don't
993 assume that captured vars are in any particular location -- always ask
994 the CodeBlock. This is better encapsulation.
995
996 (JSC::DFG::ByteCodeParser::parseCodeBlock):
997 * dfg/DFGSpeculativeJIT32_64.cpp:
998 (JSC::DFG::SpeculativeJIT::compile):
999 * dfg/DFGSpeculativeJIT64.cpp:
1000 (JSC::DFG::SpeculativeJIT::compile): I rename things sometimes.
1001
1002 * runtime/Arguments.cpp:
1003 (JSC::Arguments::tearOff): Account for a particularly nasty edge case.
1004
1005 (JSC::Arguments::didTearOffActivation): Don't allocate our slow arguments
1006 data on tear-off. We need to allocate it eagerly instead, since we need
1007 to know about displaced, captured arguments during access before tear-off.
1008
1009 * runtime/Arguments.h:
1010 (JSC::Arguments::allocateSlowArguments):
1011 (JSC::Arguments::argument): Tell our slow arguments array where all arguments
1012 are, even if they are not captured. This simplifies some things, so we don't
1013 have to account explicitly for the full matrix of (not torn off, torn off)
1014 * (captured, not captured).
1015
1016 (JSC::Arguments::finishCreation): Allocate our slow arguments array eagerly
1017 because we need to know about displaced, captured arguments during access
1018 before tear-off.
1019
1020 * runtime/Executable.cpp:
1021 (JSC::FunctionExecutable::FunctionExecutable):
1022 (JSC::FunctionExecutable::compileForCallInternal):
1023 (JSC::FunctionExecutable::compileForConstructInternal):
1024 * runtime/Executable.h:
1025 (JSC::FunctionExecutable::parameterCount):
1026 (FunctionExecutable):
1027 * runtime/JSActivation.cpp:
1028 (JSC::JSActivation::visitChildren):
1029 * runtime/JSActivation.h:
1030 (JSActivation):
1031 (JSC::JSActivation::create):
1032 (JSC::JSActivation::JSActivation):
1033 (JSC::JSActivation::registerOffset):
1034 (JSC::JSActivation::tearOff):
1035 (JSC::JSActivation::allocationSize):
1036 (JSC::JSActivation::isValid): This is really the point of the patch. All
1037 the pointer math in Activations basically boils away, since we always
1038 copy a contiguous region of captured variables now.
1039
1040 * runtime/SymbolTable.h:
1041 (JSC::SlowArgument::SlowArgument):
1042 (SlowArgument):
1043 (SharedSymbolTable):
1044 (JSC::SharedSymbolTable::captureCount):
1045 (JSC::SharedSymbolTable::SharedSymbolTable): AllOfTheThings capture mode
1046 is gone now -- that's the point of the patch. indexIfCaptured gets renamed
1047 to index because we always have an index, even if not captured. (The only
1048 time when the index is meaningless is when we're Deleted.)
1049
10502012-09-21 Gavin Barraclough <barraclough@apple.com>
1051
1052 Eeeep - broke early boyer in bug#97382
1053 https://bugs.webkit.org/show_bug.cgi?id=97383
1054
1055 Rubber stamped by Sam Weinig.
1056
1057 missed a child3 -> child2!
1058
1059 * dfg/DFGSpeculativeJIT.cpp:
1060 (JSC::DFG::SpeculativeJIT::compileInstanceOf):
1061
10622012-09-21 Gavin Barraclough <barraclough@apple.com>
1063
1064 Unreviewed windows build fix.
1065
1066 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1067
10682012-09-21 Gavin Barraclough <barraclough@apple.com>
1069
1070 Pedantic test in Mozilla's JavaScript test suite fails. function-001.js function-001-n.js
1071 https://bugs.webkit.org/show_bug.cgi?id=27219
1072
1073 Reviewed by Sam Weinig.
1074
1075 These tests are just wrong.
1076 See ECMA 262 A.5, FunctionDelcaration does not require a semicolon.
1077
1078 * tests/mozilla/expected.html:
1079 * tests/mozilla/js1_2/function/function-001-n.js:
1080 * tests/mozilla/js1_3/Script/function-001-n.js:
1081 * tests/mozilla/js1_3/regress/function-001-n.js:
1082
10832012-09-21 Gavin Barraclough <barraclough@apple.com>
1084
1085 Remove redundant argument to op_instanceof
1086 https://bugs.webkit.org/show_bug.cgi?id=97382
1087
1088 Reviewed by Geoff Garen.
1089
1090 No longer needed after my last change.
1091
1092 * bytecode/CodeBlock.cpp:
1093 (JSC::CodeBlock::dump):
1094 * bytecode/Opcode.h:
1095 (JSC):
1096 (JSC::padOpcodeName):
1097 * bytecompiler/BytecodeGenerator.cpp:
1098 (JSC::BytecodeGenerator::emitInstanceOf):
1099 * bytecompiler/BytecodeGenerator.h:
1100 (BytecodeGenerator):
1101 * bytecompiler/NodesCodegen.cpp:
1102 (JSC::InstanceOfNode::emitBytecode):
1103 * dfg/DFGAbstractState.cpp:
1104 (JSC::DFG::AbstractState::execute):
1105 * dfg/DFGByteCodeParser.cpp:
1106 (JSC::DFG::ByteCodeParser::parseBlock):
1107 * dfg/DFGSpeculativeJIT.cpp:
1108 (JSC::DFG::SpeculativeJIT::compileInstanceOf):
1109 * interpreter/Interpreter.cpp:
1110 (JSC::Interpreter::privateExecute):
1111 * jit/JITOpcodes.cpp:
1112 (JSC::JIT::emit_op_instanceof):
1113 (JSC::JIT::emitSlow_op_instanceof):
1114 * jit/JITOpcodes32_64.cpp:
1115 (JSC::JIT::emit_op_instanceof):
1116 (JSC::JIT::emitSlow_op_instanceof):
1117 * jit/JITStubs.cpp:
1118 (JSC::DEFINE_STUB_FUNCTION):
1119 * llint/LLIntSlowPaths.cpp:
1120 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1121 * llint/LowLevelInterpreter32_64.asm:
1122 * llint/LowLevelInterpreter64.asm:
1123
11242012-09-21 Gavin Barraclough <barraclough@apple.com>
1125
1126 Unreviewed windows build fix.
1127
1128 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
1129
11302012-09-21 Gavin Barraclough <barraclough@apple.com>
1131
1132 instanceof should not get the prototype for non-default HasInstance
1133 https://bugs.webkit.org/show_bug.cgi?id=68656
1134
1135 Reviewed by Oliver Hunt.
1136
1137 Instanceof is currently implemented as a sequance of three opcodes:
1138 check_has_instance
1139 get_by_id(prototype)
1140 op_instanceof
1141 There are three interesting types of base value that instanceof can be applied to:
1142 (A) Objects supporting default instanceof behaviour (functions, other than those created with bind)
1143 (B) Objects overriding the default instancecof behaviour with a custom one (API objects, bound functions)
1144 (C) Values that do not respond to the [[HasInstance]] trap.
1145 Currently check_has_instance handles case (C), leaving the op_instanceof opcode to handle (A) & (B). There are
1146 two problems with this apporach. Firstly, this is suboptimal for case (A), since we have to check for
1147 hasInstance support twice (once in check_has_instance, then for default behaviour in op_instanceof). Secondly,
1148 this means that in cases (B) we also perform the get_by_id, which is both suboptimal and an observable spec
1149 violation.
1150
1151 The fix here is to move handing of non-default instanceof (cases (B)) to the check_has_instance op, leaving
1152 op_instanceof to handle only cases (A).
1153
1154 * API/JSCallbackObject.h:
1155 (JSCallbackObject):
1156 * API/JSCallbackObjectFunctions.h:
1157 (JSC::::customHasInstance):
1158 * API/JSValueRef.cpp:
1159 (JSValueIsInstanceOfConstructor):
1160 - renamed hasInstance to customHasInstance
1161 * bytecode/CodeBlock.cpp:
1162 (JSC::CodeBlock::dump):
1163 - added additional parameters to check_has_instance opcode
1164 * bytecode/Opcode.h:
1165 (JSC):
1166 (JSC::padOpcodeName):
1167 - added additional parameters to check_has_instance opcode
1168 * bytecompiler/BytecodeGenerator.cpp:
1169 (JSC::BytecodeGenerator::emitCheckHasInstance):
1170 - added additional parameters to check_has_instance opcode
1171 * bytecompiler/BytecodeGenerator.h:
1172 (BytecodeGenerator):
1173 - added additional parameters to check_has_instance opcode
1174 * bytecompiler/NodesCodegen.cpp:
1175 (JSC::InstanceOfNode::emitBytecode):
1176 - added additional parameters to check_has_instance opcode
1177 * dfg/DFGByteCodeParser.cpp:
1178 (JSC::DFG::ByteCodeParser::parseBlock):
1179 - added additional parameters to check_has_instance opcode
1180 * interpreter/Interpreter.cpp:
1181 (JSC::isInvalidParamForIn):
1182 (JSC::Interpreter::privateExecute):
1183 - Add handling for non-default instanceof to op_check_has_instance
1184 * jit/JITInlineMethods.h:
1185 (JSC::JIT::emitArrayProfilingSiteForBytecodeIndex):
1186 - Fixed no-LLInt no_DFG build
1187 * jit/JITOpcodes.cpp:
1188 (JSC::JIT::emit_op_check_has_instance):
1189 (JSC::JIT::emitSlow_op_check_has_instance):
1190 - check for ImplementsDefaultHasInstance, handle additional arguments to op_check_has_instance.
1191 (JSC::JIT::emit_op_instanceof):
1192 (JSC::JIT::emitSlow_op_instanceof):
1193 - no need to check for ImplementsDefaultHasInstance.
1194 * jit/JITOpcodes32_64.cpp:
1195 (JSC::JIT::emit_op_check_has_instance):
1196 (JSC::JIT::emitSlow_op_check_has_instance):
1197 - check for ImplementsDefaultHasInstance, handle additional arguments to op_check_has_instance.
1198 (JSC::JIT::emit_op_instanceof):
1199 (JSC::JIT::emitSlow_op_instanceof):
1200 - no need to check for ImplementsDefaultHasInstance.
1201 * jit/JITStubs.cpp:
1202 (JSC::DEFINE_STUB_FUNCTION):
1203 * jit/JITStubs.h:
1204 - Add handling for non-default instanceof to op_check_has_instance
1205 * llint/LLIntSlowPaths.cpp:
1206 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1207 * llint/LowLevelInterpreter32_64.asm:
1208 * llint/LowLevelInterpreter64.asm:
1209 - move check for ImplementsDefaultHasInstance, handle additional arguments to op_check_has_instance.
1210 * runtime/ClassInfo.h:
1211 (MethodTable):
1212 (JSC):
1213 - renamed hasInstance to customHasInstance
1214 * runtime/CommonSlowPaths.h:
1215 (CommonSlowPaths):
1216 - removed opInstanceOfSlow (this was whittled down to one function call!)
1217 * runtime/JSBoundFunction.cpp:
1218 (JSC::JSBoundFunction::customHasInstance):
1219 * runtime/JSBoundFunction.h:
1220 (JSBoundFunction):
1221 - renamed hasInstance to customHasInstance, reimplemented.
1222 * runtime/JSCell.cpp:
1223 (JSC::JSCell::customHasInstance):
1224 * runtime/JSCell.h:
1225 (JSCell):
1226 * runtime/JSObject.cpp:
1227 (JSC::JSObject::hasInstance):
1228 (JSC):
1229 (JSC::JSObject::defaultHasInstance):
1230 * runtime/JSObject.h:
1231 (JSObject):
1232
12332012-09-21 Filip Pizlo <fpizlo@apple.com>
1234
1235 Unreviewed, fix ARM build.
1236
1237 * assembler/MacroAssemblerARMv7.h:
1238 (JSC::MacroAssemblerARMv7::store8):
1239 (MacroAssemblerARMv7):
1240 * offlineasm/armv7.rb:
1241
12422012-09-21 Filip Pizlo <fpizlo@apple.com>
1243
1244 REGRESSION (r128400): Opening Google Web Fonts page hangs or crashes
1245 https://bugs.webkit.org/show_bug.cgi?id=97328
1246
1247 Reviewed by Mark Hahnenberg.
1248
1249 It's a bad idea to emit stub code that reallocates property storage when we're in indexed
1250 storage mode. DFGRepatch.cpp knew this and had the appropriate check in one of the places,
1251 but it didn't have it in all of the places.
1252
1253 This change also adds some more handy disassembly support, which I used to find the bug.
1254
1255 * assembler/LinkBuffer.h:
1256 (JSC):
1257 * dfg/DFGRepatch.cpp:
1258 (JSC::DFG::generateProtoChainAccessStub):
1259 (JSC::DFG::tryCacheGetByID):
1260 (JSC::DFG::tryBuildGetByIDList):
1261 (JSC::DFG::emitPutReplaceStub):
1262 (JSC::DFG::emitPutTransitionStub):
1263 (JSC::DFG::tryCachePutByID):
1264 * jit/JITStubRoutine.h:
1265 (JSC):
1266
12672012-09-21 Filip Pizlo <fpizlo@apple.com>
1268
1269 DFG CSE assumes that a holy PutByVal does not interfere with GetArrayLength, when it clearly does
1270 https://bugs.webkit.org/show_bug.cgi?id=97373
1271
1272 Reviewed by Mark Hahnenberg.
1273
1274 * dfg/DFGCSEPhase.cpp:
1275 (JSC::DFG::CSEPhase::pureCSE):
1276 (JSC::DFG::CSEPhase::getArrayLengthElimination):
1277 (JSC::DFG::CSEPhase::putStructureStoreElimination):
1278 (JSC::DFG::CSEPhase::performNodeCSE):
1279 * dfg/DFGGraph.h:
1280 (Graph):
1281
12822012-09-21 Chris Rogers <crogers@google.com>
1283
1284 Add Web Audio support for deprecated/legacy APIs
1285 https://bugs.webkit.org/show_bug.cgi?id=97050
1286
1287 Reviewed by Eric Carlson.
1288
1289 * Configurations/FeatureDefines.xcconfig:
1290
12912012-09-21 Gavin Barraclough <barraclough@apple.com>
1292
1293 Global Math object should be configurable but isn't
1294 https://bugs.webkit.org/show_bug.cgi?id=55343
1295
1296 Reviewed by Oliver Hunt.
1297
1298 This has no performance impact.
1299
1300 * runtime/JSGlobalObject.cpp:
1301 (JSC::JSGlobalObject::reset):
1302 - Make 'Math' a regular property.
1303
13042012-09-21 Chao-ying Fu <fu@mips.com>
1305
1306 Add MIPS or32 function
1307 https://bugs.webkit.org/show_bug.cgi?id=97157
1308
1309 Reviewed by Gavin Barraclough.
1310
1311 Add a missing or32 function.
1312
1313 * assembler/MacroAssemblerMIPS.h:
1314 (JSC::MacroAssemblerMIPS::or32): New function.
1315 (MacroAssemblerMIPS):
1316
13172012-09-20 Filip Pizlo <fpizlo@apple.com>
1318
1319 CHECK_ARRAY_CONSISTENCY isn't being used or tested, so we should remove it
1320 https://bugs.webkit.org/show_bug.cgi?id=97260
1321
1322 Rubber stamped by Geoffrey Garen.
1323
1324 Supporting it will become difficult as we add more indexing types. It makes more
1325 sense to kill, especially since we don't appear to use it or test it, ever.
1326
1327 * runtime/ArrayConventions.h:
1328 (JSC):
1329 * runtime/ArrayPrototype.cpp:
1330 (JSC::arrayProtoFuncSplice):
1331 * runtime/ArrayStorage.h:
1332 (JSC::ArrayStorage::copyHeaderFromDuringGC):
1333 (ArrayStorage):
1334 * runtime/FunctionPrototype.cpp:
1335 (JSC::functionProtoFuncBind):
1336 * runtime/JSArray.cpp:
1337 (JSC::createArrayButterflyInDictionaryIndexingMode):
1338 (JSC::JSArray::setLength):
1339 (JSC::JSArray::pop):
1340 (JSC::JSArray::push):
1341 (JSC::JSArray::sortNumeric):
1342 (JSC::JSArray::sort):
1343 (JSC::JSArray::compactForSorting):
1344 * runtime/JSArray.h:
1345 (JSArray):
1346 (JSC::createArrayButterfly):
1347 (JSC::JSArray::tryCreateUninitialized):
1348 (JSC::constructArray):
1349 * runtime/JSObject.cpp:
1350 (JSC::JSObject::putByIndex):
1351 (JSC::JSObject::createArrayStorage):
1352 (JSC::JSObject::deletePropertyByIndex):
1353 (JSC):
1354 * runtime/JSObject.h:
1355 (JSC::JSObject::initializeIndex):
1356 (JSObject):
1357
13582012-09-20 Mark Lam <mark.lam@apple.com>
1359
1360 Fixed a missing semicolon in the C++ llint backend.
1361 https://bugs.webkit.org/show_bug.cgi?id=97252.
1362
1363 Reviewed by Geoff Garen.
1364
1365 * offlineasm/cloop.rb:
1366
13672012-09-20 Geoffrey Garen <ggaren@apple.com>
1368
1369 Refactored the interpreter and JIT so they don't dictate closure layout
1370 https://bugs.webkit.org/show_bug.cgi?id=97221
1371
1372 Reviewed by Oliver Hunt.
1373
1374 Capture may change the location of an argument for space efficiency. This
1375 patch removes static assumptions about argument location from the interpreter
1376 and JIT.
1377
1378 * bytecode/CodeBlock.h:
1379 (JSC::CodeBlock::argumentIndexAfterCapture):
1380 (JSC::ExecState::argumentAfterCapture): Factored out a helper function
1381 so the compiler could share this logic.
1382
1383 * bytecompiler/NodesCodegen.cpp:
1384 (JSC::BracketAccessorNode::emitBytecode): Don't emit optimized bracket
1385 access on arguments if a parameter has been captured by name. This case is
1386 rare and, where I've seen it in the wild, the optimization mostly failed
1387 anyway due to arguments escape, so I didn't feel like writing and testing
1388 five copies of the code that would handle it in the baseline engines.
1389
1390 The DFG can still synthesize this optimization even if we don't emit the
1391 optimized bytecode for it.
1392
1393 * dfg/DFGArgumentsSimplificationPhase.cpp:
1394 (JSC::DFG::ArgumentsSimplificationPhase::run):
1395 * dfg/DFGAssemblyHelpers.h:
1396 (JSC::DFG::AssemblyHelpers::symbolTableFor):
1397 (AssemblyHelpers): Use the right helper function to account for the fact
1398 that a parameter may have been captured by name and moved.
1399
1400 * dfg/DFGByteCodeParser.cpp:
1401 (JSC::DFG::ByteCodeParser::parseBlock): ASSERT that we haven't inlined
1402 a .apply on captured arguments. Once we do start inlining such things,
1403 we'll need to do a little bit of math here to get them right.
1404
1405 * dfg/DFGSpeculativeJIT32_64.cpp:
1406 (JSC::DFG::SpeculativeJIT::compile):
1407 * dfg/DFGSpeculativeJIT64.cpp:
1408 (JSC::DFG::SpeculativeJIT::compile): Added support for bracket access on
1409 an arguments object where arguments have also been captured by name. We
1410 load the true index of the argument from a side vector. Arguments elision
1411 is very powerful in the DFG, so I wanted to keep it working, even in this
1412 rare case.
1413
1414 * interpreter/Interpreter.cpp:
1415 (JSC::loadVarargs): Use the right helper function to account for the fact
1416 that a parameter may have been captured by name and moved.
1417
1418 * jit/JITCall.cpp:
1419 (JSC::JIT::compileLoadVarargs):
1420 * jit/JITCall32_64.cpp:
1421 (JSC::JIT::compileLoadVarargs): Don't use the inline copy loop if some
1422 of our arguments have moved, since it would copy stale values. (We still
1423 optimize the actual call, and elide the arguments object.)
1424
14252012-09-20 Gabor Rapcsanyi <rgabor@webkit.org>
1426
1427 [Qt] r129045 broke the ARM build
1428 https://bugs.webkit.org/show_bug.cgi?id=97195
1429
1430 Reviewed by Zoltan Herczeg.
1431
1432 Implementing missing store8 function.
1433
1434 * assembler/MacroAssemblerARM.h:
1435 (JSC::MacroAssemblerARM::store8):
1436 (MacroAssemblerARM):
1437
14382012-09-19 Geoffrey Garen <ggaren@apple.com>
1439
1440 OSR exit sometimes neglects to create the arguments object
1441 https://bugs.webkit.org/show_bug.cgi?id=97162
1442
1443 Reviewed by Filip Pizlo.
1444
1445 No performance change.
1446
1447 I don't know of any case where this is a real problem in TOT, but it
1448 will become a problem if we start compiling eval, with, or catch, and/or
1449 sometimes stop doing arguments optimizations in the bytecode.
1450
1451 * dfg/DFGArgumentsSimplificationPhase.cpp:
1452 (JSC::DFG::ArgumentsSimplificationPhase::run): Account for a
1453 CreateArguments that has transformed into PhantomArguments. We used to
1454 clear our reference to the CreateArguments node, but now we hold onto it,
1455 so we need to account for it transforming.
1456
1457 Don't replace a SetLocal(CreateArguments) with a SetLocal(JSValue())
1458 because that doesn't leave enough information behind for OSR exit to do
1459 the right thing. Instead, maintain our reference to CreateArguments, and
1460 rely on CreateArguments transforming into PhantomArguments after
1461 optimization. SetLocal(PhantomArguments) is efficient, and it's a marker
1462 for OSR exit to create the arguments object.
1463
1464 Don't ASSERT that all PhantomArguments are unreferenced because we now
1465 leave them in the graph as SetLocal(PhantomArguments), and that's harmless.
1466
1467 * dfg/DFGArgumentsSimplificationPhase.h:
1468 (NullableHashTraits):
1469 (JSC::DFG::NullableHashTraits::emptyValue): Export our special hash table
1470 for inline call frames so the OSR exit compiler can use it.
1471
1472 * dfg/DFGOSRExitCompiler32_64.cpp:
1473 (JSC::DFG::OSRExitCompiler::compileExit):
1474 * dfg/DFGOSRExitCompiler64.cpp:
1475 (JSC::DFG::OSRExitCompiler::compileExit): Don't load the 'arguments'
1476 register to decide if we need to create the arguments object. Optimization
1477 may have eliminated the initializing store to this register, in which
1478 case we'll load garbage. Instead, use the global knowledge that all call
1479 frames that optimized out 'arguments' now need to create it, and use a hash
1480 table to make sure we do so only once per call frame.
1481
1482 * dfg/DFGSpeculativeJIT64.cpp:
1483 (JSC::DFG::SpeculativeJIT::compile): SetLocal(PhantomArguments) is unique
1484 because we haven't just changed a value's format or elided a load or store;
1485 instead, we've replaced an object with JSValue(). We could try to account
1486 for this in a general way, but for now it's a special-case optimization,
1487 so we give it a specific OSR hint instead.
1488
14892012-09-19 Filip Pizlo <fpizlo@apple.com>
1490
1491 REGRESSION(r128802): It made some JS tests crash
1492 https://bugs.webkit.org/show_bug.cgi?id=97001
1493
1494 Reviewed by Mark Hahnenberg.
1495
1496 * runtime/JSGlobalObject.cpp:
1497 (JSC::JSGlobalObject::visitChildren):
1498
14992012-09-19 Filip Pizlo <fpizlo@apple.com>
1500
1501 DFG should not assume that a ByVal access is generic just because it was unprofiled
1502 https://bugs.webkit.org/show_bug.cgi?id=97088
1503
1504 Reviewed by Geoffrey Garen.
1505
1506 We were not disambiguating between "Undecided" in the sense that the array profile
1507 has no useful information versus "Undecided" in the sense that the array profile
1508 knows that the access has not executed. That's an important distinction, since
1509 the former form of "Undecided" means that we should consult value profiling, while
1510 the latter means that we should force exit unless the value profiling indicates
1511 that the access must be generic (base is not cell or property is not int).
1512
1513 * dfg/DFGAbstractState.cpp:
1514 (JSC::DFG::AbstractState::execute):
1515 * dfg/DFGArrayMode.cpp:
1516 (JSC::DFG::fromObserved):
1517 (JSC::DFG::refineArrayMode):
1518 (JSC::DFG::modeAlreadyChecked):
1519 (JSC::DFG::modeToString):
1520 * dfg/DFGArrayMode.h:
1521 (JSC::DFG::canCSEStorage):
1522 (JSC::DFG::modeIsSpecific):
1523 (JSC::DFG::modeSupportsLength):
1524 (JSC::DFG::benefitsFromStructureCheck):
1525
15262012-09-19 Filip Pizlo <fpizlo@apple.com>
1527
1528 DFG should not emit PutByVal hole case unless it has to
1529 https://bugs.webkit.org/show_bug.cgi?id=97080
1530
1531 Reviewed by Geoffrey Garen.
1532
1533 This causes us to generate less code for typical PutByVal's. But if profiling tells us
1534 that the hole case is being hit, we generate the same code as we would have generated
1535 before. This seems like a slight speed-up across the board.
1536
1537 * assembler/MacroAssemblerARMv7.h:
1538 (JSC::MacroAssemblerARMv7::store8):
1539 (MacroAssemblerARMv7):
1540 * assembler/MacroAssemblerX86.h:
1541 (MacroAssemblerX86):
1542 (JSC::MacroAssemblerX86::store8):
1543 * assembler/MacroAssemblerX86_64.h:
1544 (MacroAssemblerX86_64):
1545 (JSC::MacroAssemblerX86_64::store8):
1546 * assembler/X86Assembler.h:
1547 (X86Assembler):
1548 (JSC::X86Assembler::movb_i8m):
1549 * bytecode/ArrayProfile.h:
1550 (JSC::ArrayProfile::ArrayProfile):
1551 (JSC::ArrayProfile::addressOfMayStoreToHole):
1552 (JSC::ArrayProfile::mayStoreToHole):
1553 (ArrayProfile):
1554 * dfg/DFGArrayMode.cpp:
1555 (JSC::DFG::fromObserved):
1556 (JSC::DFG::modeAlreadyChecked):
1557 (JSC::DFG::modeToString):
1558 * dfg/DFGArrayMode.h:
1559 (DFG):
1560 (JSC::DFG::mayStoreToHole):
1561 * dfg/DFGSpeculativeJIT32_64.cpp:
1562 (JSC::DFG::SpeculativeJIT::compile):
1563 * dfg/DFGSpeculativeJIT64.cpp:
1564 (JSC::DFG::SpeculativeJIT::compile):
1565 * jit/JIT.h:
1566 (JIT):
1567 * jit/JITInlineMethods.h:
1568 (JSC::JIT::emitArrayProfileStoreToHoleSpecialCase):
1569 (JSC):
1570 * jit/JITPropertyAccess.cpp:
1571 (JSC::JIT::emit_op_put_by_val):
1572 * jit/JITPropertyAccess32_64.cpp:
1573 (JSC::JIT::emit_op_put_by_val):
1574 * llint/LowLevelInterpreter32_64.asm:
1575 * llint/LowLevelInterpreter64.asm:
1576
15772012-09-18 Filip Pizlo <fpizlo@apple.com>
1578
1579 DFG should not call out to C++ every time that it tries to put to an object that doesn't yet have array storage
1580 https://bugs.webkit.org/show_bug.cgi?id=96983
1581
1582 Reviewed by Oliver Hunt.
1583
1584 Introduce more polymorphism into the DFG's array mode support. Use that to
1585 introduce the notion of effectul array modes, where the check for the mode
1586 will perform actions necessary to ensure that we have the mode we want, if
1587 the object is not already in that mode. Also added profiling support for
1588 checking if an object is of a type that would not allow us to create array
1589 storage (like a typed array or a string for example).
1590
1591 This is a ~2x speed-up on loops that transform an object that did not have
1592 indexed storage into one that does.
1593
1594 * JSCTypedArrayStubs.h:
1595 (JSC):
1596 * bytecode/ArrayProfile.cpp:
1597 (JSC::ArrayProfile::computeUpdatedPrediction):
1598 * bytecode/ArrayProfile.h:
1599 (JSC::ArrayProfile::ArrayProfile):
1600 (JSC::ArrayProfile::mayInterceptIndexedAccesses):
1601 (ArrayProfile):
1602 * dfg/DFGAbstractState.cpp:
1603 (JSC::DFG::AbstractState::execute):
1604 * dfg/DFGArrayMode.cpp:
1605 (JSC::DFG::fromObserved):
1606 (DFG):
1607 (JSC::DFG::modeAlreadyChecked):
1608 (JSC::DFG::modeToString):
1609 * dfg/DFGArrayMode.h:
1610 (DFG):
1611 (JSC::DFG::modeUsesButterfly):
1612 (JSC::DFG::isSlowPutAccess):
1613 (JSC::DFG::benefitsFromStructureCheck):
1614 (JSC::DFG::isEffectful):
1615 * dfg/DFGByteCodeParser.cpp:
1616 (JSC::DFG::ByteCodeParser::getArrayMode):
1617 (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
1618 (JSC::DFG::ByteCodeParser::parseBlock):
1619 * dfg/DFGCSEPhase.cpp:
1620 (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
1621 * dfg/DFGFixupPhase.cpp:
1622 (JSC::DFG::FixupPhase::fixupNode):
1623 (JSC::DFG::FixupPhase::checkArray):
1624 * dfg/DFGGraph.h:
1625 (JSC::DFG::Graph::byValIsPure):
1626 * dfg/DFGNode.h:
1627 (JSC::DFG::Node::hasArrayMode):
1628 * dfg/DFGNodeType.h:
1629 (DFG):
1630 * dfg/DFGOperations.cpp:
1631 * dfg/DFGOperations.h:
1632 * dfg/DFGPredictionPropagationPhase.cpp:
1633 (JSC::DFG::PredictionPropagationPhase::propagate):
1634 * dfg/DFGSpeculativeJIT.cpp:
1635 (JSC::DFG::SpeculativeJIT::checkArray):
1636 (JSC::DFG::SpeculativeJIT::arrayify):
1637 (DFG):
1638 * dfg/DFGSpeculativeJIT.h:
1639 (SpeculativeJIT):
1640 * dfg/DFGSpeculativeJIT32_64.cpp:
1641 (JSC::DFG::SpeculativeJIT::compile):
1642 * dfg/DFGSpeculativeJIT64.cpp:
1643 (JSC::DFG::SpeculativeJIT::compile):
1644 * runtime/Arguments.h:
1645 (Arguments):
1646 * runtime/JSNotAnObject.h:
1647 (JSNotAnObject):
1648 * runtime/JSObject.h:
1649 (JSObject):
1650 (JSC::JSObject::ensureArrayStorage):
1651 * runtime/JSString.h:
1652 (JSC::JSString::createStructure):
1653
16542012-09-18 Filip Pizlo <fpizlo@apple.com>
1655
1656 Include PhantomArguments in DFGDisassembly
1657 https://bugs.webkit.org/show_bug.cgi?id=97043
1658
1659 Reviewed by Geoffrey Garen.
1660
1661 * dfg/DFGNode.h:
1662 (JSC::DFG::Node::willHaveCodeGenOrOSR):
1663
16642012-09-18 Filip Pizlo <fpizlo@apple.com>
1665
1666 REGRESSION(r128802): It made some JS tests crash
1667 https://bugs.webkit.org/show_bug.cgi?id=97001
1668
1669 Reviewed by Mark Hahnenberg.
1670
1671 IndexingHeaderInlineMethods was incorrectly assuming that if the HasArrayStorage bit is clear, then that means that indexing payload capacity is zero.
1672
1673 * runtime/IndexingHeaderInlineMethods.h:
1674 (JSC::IndexingHeader::preCapacity):
1675 (JSC::IndexingHeader::indexingPayloadSizeInBytes):
1676
16772012-09-18 Mark Hahnenberg <mhahnenberg@apple.com>
1678
1679 Use WTF::HasTrivialDestructor instead of compiler-specific versions in JSC::NeedsDestructor
1680 https://bugs.webkit.org/show_bug.cgi?id=96980
1681
1682 Reviewed by Benjamin Poulain.
1683
1684 * runtime/JSCell.h:
1685 (JSC):
1686 (NeedsDestructor):
1687
16882012-09-18 Filip Pizlo <fpizlo@apple.com>
1689
1690 DFGOperations doesn't use NativeCallFrameTracer in enough places
1691 https://bugs.webkit.org/show_bug.cgi?id=96987
1692
1693 Reviewed by Mark Hahnenberg.
1694
1695 Anything that can GC should use it.
1696
1697 * dfg/DFGOperations.cpp:
1698
16992012-09-18 Mark Lam <mark.lam@apple.com>
1700
1701 Not reviewed. Attempt at greening the WinCairo bot. Touching
1702 LowLevelInterpreter.asm to trigger a rebuild of LLIntDesiredOffsets.
1703 https://bugs.webkit.org/show_bug.cgi?id=96992.
1704
1705 * llint/LowLevelInterpreter.asm:
1706
17072012-09-18 Peter Gal <galpeter@inf.u-szeged.hu>
1708
1709 [Qt] REGRESSION(r128790): It broke the ARM build
1710 https://bugs.webkit.org/show_bug.cgi?id=96968
1711
1712 Reviewed by Filip Pizlo.
1713
1714 Implement the missing or32 method in the MacroAssemblerARM.h.
1715
1716 * assembler/MacroAssemblerARM.h:
1717 (JSC::MacroAssemblerARM::or32):
1718 (MacroAssemblerARM):
1719
17202012-09-18 Mark Lam <mark.lam@apple.com>
1721
1722 Fix for WinCairo builds.
1723 https://bugs.webkit.org/show_bug.cgi?id=96992.
1724
1725 Reviewed by Filip Pizlo.
1726
1727 Adding additional vcproj build targets in LLIntDesiredOffsets.vcproj,
1728 LLIntOffsetsExtractor.vcproj, and LLIntAssembly.vcproj to match those
1729 in jsc.vcproj.
1730
1731 * JavaScriptCore.vcproj/LLIntAssembly/LLIntAssembly.vcproj:
1732 * JavaScriptCore.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcproj:
1733 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcproj:
1734 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.vsprops: Added property svn:eol-style.
1735 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.vsprops: Added property svn:eol-style.
1736 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebugAll.vsprops: Added.
1737 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebugCairoCFLite.vsprops: Added.
1738 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorProduction.vsprops: Added.
1739 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.vsprops: Added property svn:eol-style.
1740 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorReleaseCairoCFLite.vsprops: Added.
1741 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorReleasePGO.vsprops: Added.
1742
17432012-09-18 Filip Pizlo <fpizlo@apple.com>
1744
1745 Unreviewed, fix sloppy English in comment.
1746
1747 * runtime/JSGlobalObject.cpp:
1748 (JSC):
1749
17502012-09-17 Csaba Osztrogonác <ossy@webkit.org>
1751
1752 Unreviewed, rolling out r128826 and r128813.
1753
1754 * API/JSCallbackConstructor.cpp:
1755 (JSC):
1756 (JSC::JSCallbackConstructor::JSCallbackConstructor):
1757 * API/JSCallbackConstructor.h:
1758 (JSCallbackConstructor):
1759 * API/JSCallbackObject.cpp:
1760 (JSC):
1761 (JSC::::createStructure):
1762 * API/JSCallbackObject.h:
1763 (JSC::JSCallbackObject::create):
1764 (JSCallbackObject):
1765 * API/JSClassRef.cpp:
1766 (OpaqueJSClass::prototype):
1767 * API/JSObjectRef.cpp:
1768 (JSObjectMake):
1769 (JSObjectGetPrivate):
1770 (JSObjectSetPrivate):
1771 (JSObjectGetPrivateProperty):
1772 (JSObjectSetPrivateProperty):
1773 (JSObjectDeletePrivateProperty):
1774 * API/JSValueRef.cpp:
1775 (JSValueIsObjectOfClass):
1776 * API/JSWeakObjectMapRefPrivate.cpp:
1777 * GNUmakefile.list.am:
1778 * JSCTypedArrayStubs.h:
1779 (JSC):
1780 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
1781 * JavaScriptCore.xcodeproj/project.pbxproj:
1782 * dfg/DFGSpeculativeJIT.h:
1783 (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
1784 (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
1785 * heap/Heap.cpp:
1786 (JSC::Heap::isSafeToSweepStructures):
1787 (JSC):
1788 * heap/Heap.h:
1789 (JSC::Heap::allocatorForObjectWithDestructor):
1790 (Heap):
1791 (JSC::Heap::allocateWithDestructor):
1792 (JSC::Heap::allocateStructure):
1793 (JSC):
1794 * heap/IncrementalSweeper.cpp:
1795 (JSC::IncrementalSweeper::IncrementalSweeper):
1796 (JSC::IncrementalSweeper::sweepNextBlock):
1797 (JSC::IncrementalSweeper::startSweeping):
1798 (JSC::IncrementalSweeper::willFinishSweeping):
1799 (JSC::IncrementalSweeper::structuresCanBeSwept):
1800 (JSC):
1801 * heap/IncrementalSweeper.h:
1802 (IncrementalSweeper):
1803 * heap/MarkedAllocator.cpp:
1804 (JSC::MarkedAllocator::tryAllocateHelper):
1805 (JSC::MarkedAllocator::allocateBlock):
1806 * heap/MarkedAllocator.h:
1807 (JSC::MarkedAllocator::cellsNeedDestruction):
1808 (JSC::MarkedAllocator::onlyContainsStructures):
1809 (MarkedAllocator):
1810 (JSC::MarkedAllocator::MarkedAllocator):
1811 (JSC::MarkedAllocator::init):
1812 * heap/MarkedBlock.cpp:
1813 (JSC::MarkedBlock::create):
1814 (JSC::MarkedBlock::MarkedBlock):
1815 (JSC):
1816 (JSC::MarkedBlock::specializedSweep):
1817 (JSC::MarkedBlock::sweep):
1818 (JSC::MarkedBlock::sweepHelper):
1819 * heap/MarkedBlock.h:
1820 (JSC):
1821 (MarkedBlock):
1822 (JSC::MarkedBlock::cellsNeedDestruction):
1823 (JSC::MarkedBlock::onlyContainsStructures):
1824 * heap/MarkedSpace.cpp:
1825 (JSC::MarkedSpace::MarkedSpace):
1826 (JSC::MarkedSpace::resetAllocators):
1827 (JSC::MarkedSpace::canonicalizeCellLivenessData):
1828 (JSC::MarkedSpace::isPagedOut):
1829 (JSC::MarkedSpace::freeBlock):
1830 * heap/MarkedSpace.h:
1831 (MarkedSpace):
1832 (Subspace):
1833 (JSC::MarkedSpace::allocatorFor):
1834 (JSC::MarkedSpace::destructorAllocatorFor):
1835 (JSC::MarkedSpace::allocateWithDestructor):
1836 (JSC::MarkedSpace::allocateStructure):
1837 (JSC::MarkedSpace::forEachBlock):
1838 * heap/SlotVisitor.cpp:
1839 * jit/JIT.h:
1840 * jit/JITInlineMethods.h:
1841 (JSC::JIT::emitAllocateBasicJSObject):
1842 (JSC::JIT::emitAllocateJSFinalObject):
1843 (JSC::JIT::emitAllocateJSArray):
1844 * jsc.cpp:
1845 (GlobalObject::create):
1846 * runtime/Arguments.cpp:
1847 (JSC):
1848 * runtime/Arguments.h:
1849 (Arguments):
1850 (JSC::Arguments::Arguments):
1851 * runtime/ErrorPrototype.cpp:
1852 (JSC):
1853 * runtime/Executable.h:
1854 * runtime/InternalFunction.cpp:
1855 (JSC):
1856 (JSC::InternalFunction::InternalFunction):
1857 * runtime/InternalFunction.h:
1858 (InternalFunction):
1859 * runtime/JSCell.h:
1860 (JSC):
1861 (JSC::allocateCell):
1862 * runtime/JSDestructibleObject.h: Removed.
1863 * runtime/JSGlobalObject.cpp:
1864 (JSC::JSGlobalObject::reset):
1865 (JSC):
1866 * runtime/JSGlobalObject.h:
1867 (JSGlobalObject):
1868 (JSC::JSGlobalObject::createRareDataIfNeeded):
1869 (JSC::JSGlobalObject::create):
1870 * runtime/JSGlobalThis.h:
1871 (JSGlobalThis):
1872 (JSC::JSGlobalThis::JSGlobalThis):
1873 * runtime/JSPropertyNameIterator.h:
1874 * runtime/JSScope.cpp:
1875 (JSC):
1876 * runtime/JSString.h:
1877 (JSC):
1878 * runtime/JSWrapperObject.h:
1879 (JSWrapperObject):
1880 (JSC::JSWrapperObject::JSWrapperObject):
1881 * runtime/MathObject.cpp:
1882 (JSC):
1883 * runtime/NameInstance.h:
1884 (NameInstance):
1885 * runtime/RegExp.h:
1886 * runtime/RegExpObject.cpp:
1887 (JSC):
1888 * runtime/SparseArrayValueMap.h:
1889 * runtime/Structure.h:
1890 (JSC::Structure):
1891 (JSC::JSCell::classInfo):
1892 (JSC):
1893 * runtime/StructureChain.h:
1894 * runtime/SymbolTable.h:
1895 * testRegExp.cpp:
1896 (GlobalObject::create):
1897
18982012-09-17 Geoffrey Garen <ggaren@apple.com>
1899
1900 Refactored the arguments object so it doesn't dictate closure layout
1901 https://bugs.webkit.org/show_bug.cgi?id=96955
1902
1903 Reviewed by Oliver Hunt.
1904
1905 * bytecode/CodeBlock.h:
1906 (JSC::ExecState::argumentAfterCapture): Helper function for accessing an
1907 argument that has been moved for capture.
1908
1909 * bytecompiler/BytecodeGenerator.cpp:
1910 (JSC::BytecodeGenerator::BytecodeGenerator): Generate metadata for arguments
1911 that are captured. We don't move any arguments yet, but we do use this
1912 metadata to tell the arguments object if an argument is stored in the
1913 activation.
1914
1915 * dfg/DFGOperations.cpp:
1916 * dfg/DFGSpeculativeJIT.cpp:
1917 (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
1918 (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
1919 * dfg/DFGSpeculativeJIT64.cpp:
1920 (JSC::DFG::SpeculativeJIT::compile): Updated for the arguments object not
1921 malloc'ing a separate backing store, and for a rename from deletedArguments
1922 to slowArguments.
1923
1924 * interpreter/CallFrame.h:
1925 (ExecState):
1926 * interpreter/Interpreter.cpp:
1927 (JSC::Interpreter::unwindCallFrame):
1928 (JSC::Interpreter::privateExecute):
1929 * jit/JITStubs.cpp:
1930 (JSC::DEFINE_STUB_FUNCTION):
1931 * llint/LLIntSlowPaths.cpp:
1932 (JSC::LLInt::LLINT_SLOW_PATH_DECL): Updated for small interface changes.
1933
1934 * runtime/Arguments.cpp:
1935 (JSC::Arguments::visitChildren):
1936 (JSC::Arguments::copyToArguments):
1937 (JSC::Arguments::fillArgList):
1938 (JSC::Arguments::getOwnPropertySlotByIndex):
1939 (JSC::Arguments::createStrictModeCallerIfNecessary):
1940 (JSC::Arguments::createStrictModeCalleeIfNecessary):
1941 (JSC::Arguments::getOwnPropertySlot):
1942 (JSC::Arguments::getOwnPropertyDescriptor):
1943 (JSC::Arguments::getOwnPropertyNames):
1944 (JSC::Arguments::putByIndex):
1945 (JSC::Arguments::put):
1946 (JSC::Arguments::deletePropertyByIndex):
1947 (JSC::Arguments::deleteProperty):
1948 (JSC::Arguments::defineOwnProperty):
1949 (JSC::Arguments::tearOff): Moved all data inline into the object, for speed,
1950 and refactored all internal argument accesses to use helper functions, so
1951 we can change the implementation without changing lots of code.
1952
1953 (JSC::Arguments::didTearOffActivation): This function needs to account
1954 for arguments that were moved by the activation object. We do this accounting
1955 through a side vector that tells us where our arguments will be in the
1956 activation.
1957
1958 (JSC::Arguments::tearOffForInlineCallFrame):
1959 * runtime/Arguments.h:
1960 (Arguments):
1961 (JSC::Arguments::length):
1962 (JSC::Arguments::isTornOff):
1963 (JSC::Arguments::Arguments):
1964 (JSC::Arguments::allocateSlowArguments):
1965 (JSC::Arguments::tryDeleteArgument):
1966 (JSC::Arguments::trySetArgument):
1967 (JSC::Arguments::tryGetArgument):
1968 (JSC::Arguments::isDeletedArgument):
1969 (JSC::Arguments::isArgument):
1970 (JSC::Arguments::argument):
1971 (JSC::Arguments::finishCreation):
1972
1973 * runtime/JSActivation.h:
1974 (JSC::JSActivation::create):
1975 (JSActivation):
1976 (JSC::JSActivation::captureStart):
1977 (JSC::JSActivation::storageSize):
1978 (JSC::JSActivation::registerOffset):
1979 (JSC::JSActivation::isValid): The activation object is no longer responsible
1980 for copying extra arguments provided by the caller. The argumnents object
1981 does this instead. This means we can allocate and initialize an activation
1982 without worrying about the call frame's argument count.
1983
1984 * runtime/SymbolTable.h:
1985 (JSC::SlowArgument::SlowArgument):
1986 (SlowArgument):
1987 (JSC):
1988 (JSC::SharedSymbolTable::parameterCount):
1989 (SharedSymbolTable):
1990 (JSC::SharedSymbolTable::slowArguments):
1991 (JSC::SharedSymbolTable::setSlowArguments): Added data structures to back
1992 the algorithms above.
1993
19942012-09-17 Filip Pizlo <fpizlo@apple.com>
1995
1996 32-bit LLInt get_by_val does vector length checks incorrectly
1997 https://bugs.webkit.org/show_bug.cgi?id=96893
1998 <rdar://problem/12311678>
1999
2000 Reviewed by Mark Hahnenberg.
2001
2002 * llint/LowLevelInterpreter32_64.asm:
2003
20042012-09-17 Filip Pizlo <fpizlo@apple.com>
2005
2006 We don't have a bad enough time if an object's prototype chain crosses global objects
2007 https://bugs.webkit.org/show_bug.cgi?id=96962
2008
2009 Reviewed by Geoffrey Garen.
2010
2011 * runtime/JSGlobalObject.cpp:
2012 (JSC):
2013
20142012-09-17 Filip Pizlo <fpizlo@apple.com>
2015
2016 Unreviewed, fix a broken assertion in offlineasm.
2017
2018 * offlineasm/armv7.rb:
2019 * offlineasm/backends.rb:
2020
20212012-09-16 Mark Hahnenberg <mhahnenberg@apple.com>
2022
2023 Delayed structure sweep can leak structures without bound
2024 https://bugs.webkit.org/show_bug.cgi?id=96546
2025
2026 Reviewed by Gavin Barraclough.
2027
2028 This patch gets rid of the separate Structure allocator in the MarkedSpace and adds two new destructor-only
2029 allocators. We now have separate allocators for our three types of objects: those objects with no destructors,
2030 those objects with destructors and with immortal structures, and those objects with destructors that don't have
2031 immortal structures. All of the objects of the third type (destructors without immortal structures) now
2032 inherit from a new class named JSDestructibleObject (which in turn is a subclass of JSNonFinalObject), which stores
2033 the ClassInfo for these classes at a fixed offset for safe retrieval during sweeping/destruction.
2034
2035 * API/JSCallbackConstructor.cpp: Use JSDestructibleObject for JSCallbackConstructor.
2036 (JSC):
2037 (JSC::JSCallbackConstructor::JSCallbackConstructor):
2038 * API/JSCallbackConstructor.h:
2039 (JSCallbackConstructor):
2040 * API/JSCallbackObject.cpp: Inherit from JSDestructibleObject for normal JSCallbackObjects and use a finalizer for
2041 JSCallbackObject<JSGlobalObject>, since JSGlobalObject also uses a finalizer.
2042 (JSC):
2043 (JSC::::create): We need to move the create function for JSCallbackObject<JSGlobalObject> out of line so we can add
2044 the finalizer for it. We don't want to add the finalizer is something like finishCreation in case somebody decides
2045 to subclass this. We use this same technique for many other subclasses of JSGlobalObject.
2046 (JSC::::createStructure):
2047 * API/JSCallbackObject.h:
2048 (JSCallbackObject):
2049 (JSC):
2050 * API/JSClassRef.cpp: Change all the JSCallbackObject<JSNonFinalObject> to use JSDestructibleObject instead.
2051 (OpaqueJSClass::prototype):
2052 * API/JSObjectRef.cpp: Ditto.
2053 (JSObjectMake):
2054 (JSObjectGetPrivate):
2055 (JSObjectSetPrivate):
2056 (JSObjectGetPrivateProperty):
2057 (JSObjectSetPrivateProperty):
2058 (JSObjectDeletePrivateProperty):
2059 * API/JSValueRef.cpp: Ditto.
2060 (JSValueIsObjectOfClass):
2061 * API/JSWeakObjectMapRefPrivate.cpp: Ditto.
2062 * JSCTypedArrayStubs.h:
2063 (JSC):
2064 * JavaScriptCore.xcodeproj/project.pbxproj:
2065 * dfg/DFGSpeculativeJIT.h: Use the proper allocator type when doing inline allocation in the DFG.
2066 (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
2067 (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
2068 * heap/Heap.cpp:
2069 (JSC):
2070 * heap/Heap.h: Add accessors for the various types of allocators now. Also remove the isSafeToSweepStructures function
2071 since it's always safe to sweep Structures now.
2072 (JSC::Heap::allocatorForObjectWithNormalDestructor):
2073 (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
2074 (Heap):
2075 (JSC::Heap::allocateWithNormalDestructor):
2076 (JSC):
2077 (JSC::Heap::allocateWithImmortalStructureDestructor):
2078 * heap/IncrementalSweeper.cpp: Remove all the logic to detect when it's safe to sweep Structures from the
2079 IncrementalSweeper since it's always safe to sweep Structures now.
2080 (JSC::IncrementalSweeper::IncrementalSweeper):
2081 (JSC::IncrementalSweeper::sweepNextBlock):
2082 (JSC::IncrementalSweeper::startSweeping):
2083 (JSC::IncrementalSweeper::willFinishSweeping):
2084 (JSC):
2085 * heap/IncrementalSweeper.h:
2086 (IncrementalSweeper):
2087 * heap/MarkedAllocator.cpp: Remove the logic that was preventing us from sweeping Structures if it wasn't safe. Add
2088 tracking of the specific destructor type of allocator.
2089 (JSC::MarkedAllocator::tryAllocateHelper):
2090 (JSC::MarkedAllocator::allocateBlock):
2091 * heap/MarkedAllocator.h:
2092 (JSC::MarkedAllocator::destructorType):
2093 (MarkedAllocator):
2094 (JSC::MarkedAllocator::MarkedAllocator):
2095 (JSC::MarkedAllocator::init):
2096 * heap/MarkedBlock.cpp: Add all the destructor type stuff to MarkedBlocks so that we do the right thing when sweeping.
2097 We also use the stored destructor type to determine the right thing to do in all JSCell::classInfo() calls.
2098 (JSC::MarkedBlock::create):
2099 (JSC::MarkedBlock::MarkedBlock):
2100 (JSC):
2101 (JSC::MarkedBlock::specializedSweep):
2102 (JSC::MarkedBlock::sweep):
2103 (JSC::MarkedBlock::sweepHelper):
2104 * heap/MarkedBlock.h:
2105 (JSC):
2106 (JSC::MarkedBlock::allocator):
2107 (JSC::MarkedBlock::destructorType):
2108 * heap/MarkedSpace.cpp: Add the new destructor allocators to MarkedSpace.
2109 (JSC::MarkedSpace::MarkedSpace):
2110 (JSC::MarkedSpace::resetAllocators):
2111 (JSC::MarkedSpace::canonicalizeCellLivenessData):
2112 (JSC::MarkedSpace::isPagedOut):
2113 (JSC::MarkedSpace::freeBlock):
2114 * heap/MarkedSpace.h:
2115 (MarkedSpace):
2116 (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor):
2117 (JSC::MarkedSpace::normalDestructorAllocatorFor):
2118 (JSC::MarkedSpace::allocateWithImmortalStructureDestructor):
2119 (JSC::MarkedSpace::allocateWithNormalDestructor):
2120 (JSC::MarkedSpace::forEachBlock):
2121 * heap/SlotVisitor.cpp: Add include because the symbol was needed in an inlined function.
2122 * jit/JIT.h: Make sure we use the correct allocator when doing inline allocations in the baseline JIT.
2123 * jit/JITInlineMethods.h:
2124 (JSC::JIT::emitAllocateBasicJSObject):
2125 (JSC::JIT::emitAllocateJSFinalObject):
2126 (JSC::JIT::emitAllocateJSArray):
2127 * jsc.cpp:
2128 (GlobalObject::create): Add finalizer here since JSGlobalObject needs to use a finalizer instead of inheriting from
2129 JSDestructibleObject.
2130 * runtime/Arguments.cpp: Inherit from JSDestructibleObject.
2131 (JSC):
2132 * runtime/Arguments.h:
2133 (Arguments):
2134 (JSC::Arguments::Arguments):
2135 * runtime/ErrorPrototype.cpp: Added an assert to make sure we have a trivial destructor.
2136 (JSC):
2137 * runtime/Executable.h: Indicate that all of the Executable* classes have immortal Structures.
2138 (JSC):
2139 * runtime/InternalFunction.cpp: Inherit from JSDestructibleObject.
2140 (JSC):
2141 (JSC::InternalFunction::InternalFunction):
2142 * runtime/InternalFunction.h:
2143 (InternalFunction):
2144 * runtime/JSCell.h: Added the NEEDS_DESTRUCTOR macro to make it easier for classes to indicate that instead of being
2145 allocated in a destructor MarkedAllocator that they will handle their destruction themselves through the
2146 use of a finalizer.
2147 (JSC):
2148 (HasImmortalStructure): New template to help us determine at compile-time if a particular class
2149 should be allocated in the immortal structure MarkedAllocator. The default value is false. In order
2150 to be allocated in the immortal structure allocator, classes must specialize this template. Also added
2151 a macro to make it easier for classes to specialize the template.
2152 (JSC::allocateCell): Use the appropriate allocator depending on the destructor type.
2153 * runtime/JSDestructibleObject.h: Added. New class that stores the ClassInfo of any subclass so that it can be
2154 accessed safely when the object is being destroyed.
2155 (JSC):
2156 (JSDestructibleObject):
2157 (JSC::JSDestructibleObject::classInfo):
2158 (JSC::JSDestructibleObject::JSDestructibleObject):
2159 (JSC::JSCell::classInfo): Checks the current MarkedBlock to see where it should get the ClassInfo from so that it's always safe.
2160 * runtime/JSGlobalObject.cpp: JSGlobalObject now uses a finalizer instead of a destructor so that it can avoid forcing all
2161 of its relatives in the inheritance hierarchy (e.g. JSScope) to use destructors as well.
2162 (JSC::JSGlobalObject::reset):
2163 * runtime/JSGlobalObject.h:
2164 (JSGlobalObject):
2165 (JSC::JSGlobalObject::createRareDataIfNeeded): Since we always create a finalizer now, we don't have to worry about adding one
2166 for the m_rareData field when it's created.
2167 (JSC::JSGlobalObject::create):
2168 (JSC):
2169 * runtime/JSGlobalThis.h: Inherit from JSDestructibleObject.
2170 (JSGlobalThis):
2171 (JSC::JSGlobalThis::JSGlobalThis):
2172 * runtime/JSPropertyNameIterator.h: Has an immortal Structure.
2173 (JSC):
2174 * runtime/JSScope.cpp:
2175 (JSC):
2176 * runtime/JSString.h: Has an immortal Structure.
2177 (JSC):
2178 * runtime/JSWrapperObject.h: Inherit from JSDestructibleObject.
2179 (JSWrapperObject):
2180 (JSC::JSWrapperObject::JSWrapperObject):
2181 * runtime/MathObject.cpp: Cleaning up some of the inheritance stuff.
2182 (JSC):
2183 * runtime/NameInstance.h: Inherit from JSDestructibleObject.
2184 (NameInstance):
2185 * runtime/RegExp.h: Has immortal Structure.
2186 (JSC):
2187 * runtime/RegExpObject.cpp: Inheritance cleanup.
2188 (JSC):
2189 * runtime/SparseArrayValueMap.h: Has immortal Structure.
2190 (JSC):
2191 * runtime/Structure.h: Has immortal Structure.
2192 (JSC):
2193 * runtime/StructureChain.h: Ditto.
2194 (JSC):
2195 * runtime/SymbolTable.h: Ditto.
2196 (SharedSymbolTable):
2197 (JSC):
2198
21992012-09-17 Filip Pizlo <fpizlo@apple.com>
2200
2201 If a prototype has indexed setters and its instances have indexed storage, then all put_by_val's should have a bad time
2202 https://bugs.webkit.org/show_bug.cgi?id=96596
2203
2204 Reviewed by Gavin Barraclough.
2205
2206 Added comprehensive support for accessors and read-only indexed properties on the
2207 prototype chain. This is done without any performance regression on benchmarks that
2208 we're aware of, by having the entire VM's strategy with respect to arrays tilted
2209 heavily in favor of:
2210
2211 - The prototype chain of JSArrays never having any accessors or read-only indexed
2212 properties. If that changes, you're going to have a bad time.
2213
2214 - Prototypes of non-JSArray objects either having no indexed accessors or read-only
2215 indexed properties, or, having those indexed accessor thingies inserted before
2216 any instance object (i.e. object with that prototype as its prototype) is created.
2217 If you add indexed accessors or read-only indexed properties to an object that is
2218 already used as a prototype, you're going to have a bad time.
2219
2220 See below for the exact definition of having a bad time.
2221
2222 Put another way, "fair" uses of indexed accessors and read-only indexed properties
2223 are:
2224
2225 - Put indexed accessors and read-only indexed properties on an object that is never
2226 used as a prototype. This will slow down accesses to that object, but will not
2227 have any effect on any other object.
2228
2229 - Put those indexed accessor thingies on an object before it is used as a prototype
2230 and then start instantiating objects that claim that object as their prototype.
2231 This will slightly slow down indexed stores to the instance objects, and greatly
2232 slow down all indexed accesses to the prototype, but will have no other effect.
2233
2234 In short, "fair" uses only affect the object itself and any instance objects. But
2235 if you start using indexed accessors in more eclectic ways, you're going to have
2236 a bad time.
2237
2238 Specifically, if an object that may be used as a prototype has an indexed accessor
2239 added, the VM performs a whole-heap scan to find all objects that belong to the
2240 same global object as the prototype you modified. If any of those objects has
2241 indexed storage, their indexed storage is put into slow-put mode, just as if their
2242 prototype chain had indexed accessors. This will happen even for objects that do
2243 not currently have indexed accessors in their prototype chain. As well, all JSArray
2244 allocations are caused to create arrays with slow-put storage, and all future
2245 allocations of indexed storage for non-JSArray objects are also flipped to slow-put
2246 mode. Note there are two aspects to having a bad time: (i) the whole-heap scan and
2247 (ii) the poisoning of all indexed storage in the entire global object. (i) is
2248 necessary for correctness. If we detect that an object that may be used as a
2249 prototype has had an indexed accessor or indexed read-only property inserted into
2250 it, then we need to ensure that henceforth all instances of that object inspect
2251 the prototype chain whenever an indexed hole is stored to. But by default, indexed
2252 stores do no such checking because doing so would be unnecessarily slow. So, we must
2253 find all instances of the affected object and flip them into a different array
2254 storage mode that omits all hole optimizations. Since prototypes never keep a list
2255 of instance objects, the only way to find those objects is a whole-heap scan. But
2256 (i) alone would be a potential disaster, if a program frequently allocated an
2257 object without indexed accessors, then allocated a bunch of objects that used that
2258 one as their prototype, and then added indexed accessors to the prototype. So, to
2259 prevent massive heap scan storms in such awkward programs, having a bad time also
2260 implies (ii): henceforth *all* objects belonging to that global object will use
2261 slow put indexed storage, so that we don't ever have to scan the heap again. Note
2262 that here we are using the global object as just an approximation of a program
2263 module; it may be worth investigating in the future if other approximations can be
2264 used instead.
2265
2266 * bytecode/ArrayProfile.h:
2267 (JSC):
2268 (JSC::arrayModeFromStructure):
2269 * dfg/DFGAbstractState.cpp:
2270 (JSC::DFG::AbstractState::execute):
2271 * dfg/DFGArrayMode.cpp:
2272 (JSC::DFG::fromObserved):
2273 (JSC::DFG::modeAlreadyChecked):
2274 (JSC::DFG::modeToString):
2275 * dfg/DFGArrayMode.h:
2276 (DFG):
2277 (JSC::DFG::isSlowPutAccess):
2278 * dfg/DFGSpeculativeJIT.cpp:
2279 (JSC::DFG::SpeculativeJIT::checkArray):
2280 * dfg/DFGSpeculativeJIT32_64.cpp:
2281 (JSC::DFG::SpeculativeJIT::compile):
2282 * dfg/DFGSpeculativeJIT64.cpp:
2283 (JSC::DFG::SpeculativeJIT::compile):
2284 * jit/JIT.h:
2285 * jit/JITInlineMethods.h:
2286 (JSC::JIT::emitAllocateJSArray):
2287 * jit/JITOpcodes.cpp:
2288 (JSC::JIT::emit_op_new_array):
2289 * runtime/ArrayPrototype.cpp:
2290 (JSC::ArrayPrototype::finishCreation):
2291 (JSC::arrayProtoFuncSort):
2292 * runtime/IndexingType.h:
2293 (JSC):
2294 (JSC::hasIndexedProperties):
2295 (JSC::hasIndexingHeader):
2296 (JSC::hasArrayStorage):
2297 (JSC::shouldUseSlowPut):
2298 * runtime/JSArray.cpp:
2299 (JSC::JSArray::pop):
2300 (JSC::JSArray::push):
2301 (JSC::JSArray::fillArgList):
2302 (JSC::JSArray::copyToArguments):
2303 * runtime/JSArray.h:
2304 (JSC::JSArray::createStructure):
2305 * runtime/JSGlobalObject.cpp:
2306 (JSC::JSGlobalObject::JSGlobalObject):
2307 (JSC::JSGlobalObject::reset):
2308 (JSC):
2309 (JSC::JSGlobalObject::haveABadTime):
2310 * runtime/JSGlobalObject.h:
2311 (JSGlobalObject):
2312 (JSC::JSGlobalObject::addressOfArrayStructure):
2313 (JSC::JSGlobalObject::havingABadTimeWatchpoint):
2314 (JSC::JSGlobalObject::isHavingABadTime):
2315 * runtime/JSObject.cpp:
2316 (JSC::JSObject::visitButterfly):
2317 (JSC::JSObject::getOwnPropertySlotByIndex):
2318 (JSC::JSObject::put):
2319 (JSC::JSObject::putByIndex):
2320 (JSC::JSObject::enterDictionaryIndexingMode):
2321 (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2322 (JSC):
2323 (JSC::JSObject::createArrayStorage):
2324 (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
2325 (JSC::JSObject::switchToSlowPutArrayStorage):
2326 (JSC::JSObject::setPrototype):
2327 (JSC::JSObject::resetInheritorID):
2328 (JSC::JSObject::inheritorID):
2329 (JSC::JSObject::allowsAccessFrom):
2330 (JSC::JSObject::deletePropertyByIndex):
2331 (JSC::JSObject::getOwnPropertyNames):
2332 (JSC::JSObject::unwrappedGlobalObject):
2333 (JSC::JSObject::notifyUsedAsPrototype):
2334 (JSC::JSObject::createInheritorID):
2335 (JSC::JSObject::defineOwnIndexedProperty):
2336 (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
2337 (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
2338 (JSC::JSObject::putByIndexBeyondVectorLength):
2339 (JSC::JSObject::putDirectIndexBeyondVectorLength):
2340 (JSC::JSObject::getNewVectorLength):
2341 (JSC::JSObject::getOwnPropertyDescriptor):
2342 * runtime/JSObject.h:
2343 (JSC::JSObject::mayBeUsedAsPrototype):
2344 (JSObject):
2345 (JSC::JSObject::mayInterceptIndexedAccesses):
2346 (JSC::JSObject::getArrayLength):
2347 (JSC::JSObject::getVectorLength):
2348 (JSC::JSObject::canGetIndexQuickly):
2349 (JSC::JSObject::getIndexQuickly):
2350 (JSC::JSObject::canSetIndexQuickly):
2351 (JSC::JSObject::setIndexQuickly):
2352 (JSC::JSObject::initializeIndex):
2353 (JSC::JSObject::completeInitialization):
2354 (JSC::JSObject::inSparseIndexingMode):
2355 (JSC::JSObject::arrayStorage):
2356 (JSC::JSObject::arrayStorageOrNull):
2357 (JSC::JSObject::ensureArrayStorage):
2358 (JSC):
2359 (JSC::JSValue::putByIndex):
2360 * runtime/JSValue.cpp:
2361 (JSC::JSValue::putToPrimitive):
2362 (JSC::JSValue::putToPrimitiveByIndex):
2363 (JSC):
2364 * runtime/JSValue.h:
2365 (JSValue):
2366 * runtime/ObjectPrototype.cpp:
2367 (JSC::ObjectPrototype::finishCreation):
2368 * runtime/SparseArrayValueMap.cpp:
2369 (JSC::SparseArrayValueMap::putEntry):
2370 (JSC::SparseArrayEntry::put):
2371 (JSC):
2372 * runtime/SparseArrayValueMap.h:
2373 (JSC):
2374 (SparseArrayEntry):
2375 * runtime/Structure.cpp:
2376 (JSC::Structure::anyObjectInChainMayInterceptIndexedAccesses):
2377 (JSC):
2378 (JSC::Structure::suggestedIndexingTransition):
2379 * runtime/Structure.h:
2380 (Structure):
2381 (JSC::Structure::mayInterceptIndexedAccesses):
2382 * runtime/StructureTransitionTable.h:
2383 (JSC::newIndexingType):
2384
23852012-09-17 Filip Pizlo <fpizlo@apple.com>
2386
2387 Array profiling has convergence issues
2388 https://bugs.webkit.org/show_bug.cgi?id=96891
2389
2390 Reviewed by Gavin Barraclough.
2391
2392 Now each array profiling site merges in the indexing type it observed into
2393 the m_observedArrayModes bitset. The ArrayProfile also uses this to detect
2394 cases where the structure must have gone polymorphic (if the bitset is
2395 polymorphic then the structure must be). This achieves something like the
2396 best of both worlds: on the one hand, we get a probabilistic structure that
2397 we can use to optimize the monomorphic structure case, but on the other hand,
2398 we get an accurate view of the set of types that were encountered.
2399
2400 * assembler/MacroAssemblerARMv7.h:
2401 (JSC::MacroAssemblerARMv7::or32):
2402 (MacroAssemblerARMv7):
2403 * assembler/MacroAssemblerX86.h:
2404 (JSC::MacroAssemblerX86::or32):
2405 (MacroAssemblerX86):
2406 * assembler/MacroAssemblerX86_64.h:
2407 (JSC::MacroAssemblerX86_64::or32):
2408 (MacroAssemblerX86_64):
2409 * assembler/X86Assembler.h:
2410 (X86Assembler):
2411 (JSC::X86Assembler::orl_rm):
2412 * bytecode/ArrayProfile.cpp:
2413 (JSC::ArrayProfile::computeUpdatedPrediction):
2414 * bytecode/ArrayProfile.h:
2415 (JSC::ArrayProfile::addressOfArrayModes):
2416 (JSC::ArrayProfile::structureIsPolymorphic):
2417 * jit/JIT.h:
2418 (JIT):
2419 * jit/JITInlineMethods.h:
2420 (JSC):
2421 (JSC::JIT::emitArrayProfilingSite):
2422 * jit/JITPropertyAccess.cpp:
2423 (JSC::JIT::emit_op_get_by_val):
2424 (JSC::JIT::emit_op_put_by_val):
2425 (JSC::JIT::privateCompilePatchGetArrayLength):
2426 * jit/JITPropertyAccess32_64.cpp:
2427 (JSC::JIT::emit_op_get_by_val):
2428 (JSC::JIT::emit_op_put_by_val):
2429 (JSC::JIT::privateCompilePatchGetArrayLength):
2430 * llint/LowLevelInterpreter.asm:
2431 * llint/LowLevelInterpreter32_64.asm:
2432 * llint/LowLevelInterpreter64.asm:
2433
24342012-09-17 Mark Lam <mark.lam@apple.com>
2435
2436 Not reviewed. Added svn:eol-style native to unbreak some build bots.
2437 https://bugs.webkit.org/show_bug.cgi?id=96175.
2438
2439 * JavaScriptCore.vcproj/LLIntAssembly/LLIntAssembly.vcproj: Added property svn:eol-style.
2440 * JavaScriptCore.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcproj: Added property svn:eol-style.
2441 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcproj: Added property svn:eol-style.
2442
24432012-09-16 Mark Lam <mark.lam@apple.com>
2444
2445 Added MSVC project changes to enable building the llint.
2446 https://bugs.webkit.org/show_bug.cgi?id=96175.
2447
2448 Reviewed by Geoff Garen.
2449
2450 This only adds the ability to build the llint, but currently, only the
2451 C++ backend is supported. By default, the Windows port will remain
2452 running with the baseline JIT. The llint will not be enabled.
2453
2454 * JavaScriptCore.vcproj/JavaScriptCore.sln:
2455 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2456 * JavaScriptCore.vcproj/LLIntAssembly: Added.
2457 * JavaScriptCore.vcproj/LLIntAssembly/LLIntAssembly.make: Added.
2458 * JavaScriptCore.vcproj/LLIntAssembly/LLIntAssembly.vcproj: Added.
2459 * JavaScriptCore.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Added.
2460 * JavaScriptCore.vcproj/LLIntDesiredOffsets: Added.
2461 * JavaScriptCore.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Added.
2462 * JavaScriptCore.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcproj: Added.
2463 * JavaScriptCore.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Added.
2464 * JavaScriptCore.vcproj/LLIntOffsetsExtractor: Added.
2465 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcproj: Added.
2466 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.vsprops: Added.
2467 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.vsprops: Added.
2468 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.vsprops: Added.
2469
24702012-09-16 Filip Pizlo <fpizlo@apple.com>
2471
2472 JSObject.cpp and JSArray.cpp have inconsistent tests for the invalid array index case
2473 https://bugs.webkit.org/show_bug.cgi?id=96878
2474
2475 Reviewed by Sam Weinig.
2476
2477 Removed the uses of UNLIKELY() because I don't believe they are buying us anything,
2478 since we're already on the slow path. Also found other places where we're testing for
2479 the invalid array index case using unusual predicates rather than just using
2480 MAX_ARRAY_INDEX. With this change, I believe that all of our tests for invalid
2481 array indices (i.e. indices that should be treated as non-indexed properties)
2482 uniformly use MAX_ARRAY_INDEX and PropertyName::NotAnIndex.
2483
2484 * runtime/JSArray.cpp:
2485 (JSC::JSArray::push):
2486 * runtime/JSObject.cpp:
2487 (JSC::JSObject::putByIndex):
2488 (JSC::JSObject::defineOwnIndexedProperty):
2489
24902012-09-15 Filip Pizlo <fpizlo@apple.com>
2491
2492 Following the Butterfly refactoring, the comment for lastArraySize was not updated
2493 https://bugs.webkit.org/show_bug.cgi?id=96877
2494
2495 Reviewed by Sam Weinig.
2496
2497 * runtime/JSObject.cpp:
2498 (JSC):
2499
25002012-09-15 Mark Lam <mark.lam@apple.com>
2501
2502 Fixed JSLock to use the platform abstraction for Mutex instead of
2503 depending on pthreads.
2504 https://bugs.webkit.org/show_bug.cgi?id=96858.
2505
2506 Reviewed by Filip Pizlo.
2507
2508 This fixes a synchronization problem on the Windows port and makes
2509 it more reliable when running the layout tests.
2510
2511 * runtime/InitializeThreading.cpp:
2512 (JSC::initializeThreadingOnce):
2513 * runtime/JSLock.cpp:
2514 (JSC):
2515 (JSC::GlobalJSLock::GlobalJSLock):
2516 (JSC::GlobalJSLock::~GlobalJSLock):
2517 (JSC::GlobalJSLock::initialize):
2518 * runtime/JSLock.h:
2519 (GlobalJSLock):
2520 (JSLock):
2521
25222012-09-15 Filip Pizlo <fpizlo@apple.com>
2523
2524 Structure check hoisting fails to consider the possibility of conflicting checks on the source of the first assignment to the hoisted variable
2525 https://bugs.webkit.org/show_bug.cgi?id=96872
2526
2527 Reviewed by Oliver Hunt.
2528
2529 This does a few related things:
2530
2531 - It turns off the use of ForceOSRExit for sure-to-fail CheckStructures, because
2532 I noticed that this would sometimes happen for a ForwardCheckStructure. The
2533 problem is that ForceOSRExit exits backwards, not forwards. Since the code that
2534 led to those ForceOSRExit's being inserted was written out of paranoia rather
2535 than need, I removed it. Specifically, I removed the m_isValid = false code
2536 for CheckStructure/StructureTransitionWatchpoint in AbstractState.
2537
2538 - If a structure check causes a structure set to go empty, we don't want a
2539 PutStructure to revive the set. It should instead be smart enough to realize
2540 that an empty set implies that the code can't execute. This was the only "bug"
2541 that the use of m_isValid = false was preventing.
2542
2543 - Finally, the main change: structure check hoisting looks at the source of the
2544 SetLocals on structure-check-hoistable variables and ensures that the source
2545 is not checked with a conflicting structure. This is O(n^2) but it does not
2546 show up at all in performance tests.
2547
2548 The first two parts of this change were auxiliary bugs that were revealed by
2549 the structure check hoister doing bad things.
2550
2551 * dfg/DFGAbstractState.cpp:
2552 (JSC::DFG::AbstractState::initialize):
2553 (JSC::DFG::AbstractState::execute):
2554 * dfg/DFGStructureCheckHoistingPhase.cpp:
2555 (JSC::DFG::StructureCheckHoistingPhase::run):
2556
25572012-09-14 Filip Pizlo <fpizlo@apple.com>
2558
2559 All of the things in SparseArrayValueMap should be out-of-line
2560 https://bugs.webkit.org/show_bug.cgi?id=96854
2561
2562 Reviewed by Andy Estes.
2563
2564 Those inline methods were buying us nothing.
2565
2566 * GNUmakefile.list.am:
2567 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
2568 * JavaScriptCore.xcodeproj/project.pbxproj:
2569 * runtime/JSArray.cpp:
2570 * runtime/JSGlobalData.cpp:
2571 * runtime/JSObject.cpp:
2572 * runtime/RegExpMatchesArray.cpp:
2573 * runtime/SparseArrayValueMap.cpp:
2574 (JSC::SparseArrayValueMap::SparseArrayValueMap):
2575 (JSC):
2576 (JSC::SparseArrayValueMap::~SparseArrayValueMap):
2577 (JSC::SparseArrayValueMap::finishCreation):
2578 (JSC::SparseArrayValueMap::create):
2579 (JSC::SparseArrayValueMap::destroy):
2580 (JSC::SparseArrayValueMap::createStructure):
2581 (JSC::SparseArrayValueMap::add):
2582 (JSC::SparseArrayValueMap::putEntry):
2583 (JSC::SparseArrayValueMap::putDirect):
2584 (JSC::SparseArrayEntry::get):
2585 (JSC::SparseArrayEntry::getNonSparseMode):
2586 (JSC::SparseArrayValueMap::visitChildren):
2587 * runtime/SparseArrayValueMapInlineMethods.h: Removed.
2588
25892012-09-14 Mike West <mkwst@chromium.org>
2590
2591 JSC should throw a more descriptive exception when blocking 'eval' via CSP.
2592 https://bugs.webkit.org/show_bug.cgi?id=94331
2593
2594 Reviewed by Geoffrey Garen.
2595
2596 Unless explicitly whitelisted, the 'script-src' Content Security Policy
2597 directive blocks 'eval' and 'eval'-like constructs such as
2598 'new Function()'. When 'eval' is encountered in code, an 'EvalError' is
2599 thrown, but the associated message is poor: "Eval is disabled" doesn't
2600 give developers enough information about why their code isn't behaving
2601 as expected.
2602
2603 This patch adds an 'errorMessage' parameter to the JavaScriptCore method
2604 used to disable 'eval'; ContentSecurityPolicy has the opportunity to
2605 pass in a more detailed and descriptive error that contains more context
2606 for the developer.
2607
2608 * runtime/Executable.cpp:
2609 (JSC::EvalExecutable::compileInternal):
2610 Drop the hard-coded "Eval is disabled" error message in favor of
2611 reading the error message off the global object.
2612 * runtime/FunctionConstructor.cpp:
2613 (JSC::FunctionConstructor::getCallData):
2614 Drop the hard-coded "Function constructor is disabled" error message
2615 in favor of reading the error message off the global object.
2616 * runtime/JSGlobalObject.h:
2617 (JSGlobalObject):
2618 (JSC::JSGlobalObject::evalEnabled):
2619 Making this accessor method const.
2620 (JSC::JSGlobalObject::evalDisabledErrorMessage):
2621 Accessor for the error message set via 'setEvalDisabled'.
2622 (JSC::JSGlobalObject::setEvalEnabled):
2623 Adding an 'errorMessage' parameter which is stored on the global
2624 object, and used when exceptions are thrown.
2625
26262012-09-14 Filip Pizlo <fpizlo@apple.com>
2627
2628 bbc homepage crashes immediately
2629 https://bugs.webkit.org/show_bug.cgi?id=96812
2630 <rdar://problem/12081386>
2631
2632 Reviewed by Oliver Hunt.
2633
2634 If you use the old storage pointer to write to space you thought was newly allocated,
2635 you're going to have a bad time.
2636
2637 * runtime/JSArray.cpp:
2638 (JSC::JSArray::unshiftCount):
2639
26402012-09-14 Adam Barth <abarth@webkit.org>
2641
2642 Remove webkitPostMessage
2643 https://bugs.webkit.org/show_bug.cgi?id=96577
2644
2645 Reviewed by Ojan Vafai.
2646
2647 Add ENABLE_LEGACY_VENDOR_PREFIXES flag.
2648
2649 * Configurations/FeatureDefines.xcconfig:
2650
26512012-09-14 Tor Arne Vestbø <tor.arne.vestbo@nokia.com>
2652
2653 [Qt] Make force_static_libs_as_shared work on Mac OS
2654
2655 We had to move a few LIBS += around that were in the wrong place,
2656 and not caught when everything was just linked into the final
2657 QtWebKit library.
2658
2659 Reviewed by Simon Hausmann.
2660
2661 * jsc.pro: No need for AppKit, we get it from WTF.pri
2662
26632012-09-14 Kevin Funk <kevin.funk@kdab.com>
2664
2665 Fix interpreter build
2666 https://bugs.webkit.org/show_bug.cgi?id=96617
2667
2668 Reviewed by Simon Hausmann.
2669
2670 Make compile.
2671
2672 * interpreter/Interpreter.cpp:
2673
26742012-09-14 Parth Patel <parpatel@rim.com>
2675
2676 [BlackBerry] Switching from Slogger to Slogger2 requires changes in CMakeList of
2677 webkit in order to include libraries of slog2
2678 https://bugs.webkit.org/show_bug.cgi?id=96391
2679
2680 Reviewed by Yong Li.
2681
2682 Changes in Cmake files of JavaScriptCore of webkit to include slog2 libs in build
2683 files of webkit in response to switching from Slogger to Slogger2.
2684
2685 * shell/PlatformBlackBerry.cmake:
2686
26872012-09-14 Mark Hahnenberg <mhahnenberg@apple.com>
2688
2689 Remove the Zapped BlockState
2690 https://bugs.webkit.org/show_bug.cgi?id=96708
2691
2692 Reviewed by Geoffrey Garen.
2693
2694 The Zapped block state is rather confusing. It indicates that a block is in one of two different states that we
2695 can't tell the difference between:
2696
2697 1) I have run all destructors of things that are zapped, and I have not allocated any more objects. This block
2698 is ready for reclaiming if you so choose.
2699 2) I have run all the destructors of things that are zapped, but I have allocated more stuff since then, so it
2700 is not safe to reclaim this block.
2701
2702 This state adds a lot of complexity to our state transition model for MarkedBlocks. We should get rid of it.
2703 We can replace this state by making sure mark bits represent all of the liveness information we need when running
2704 our conservative stack scan. Instead of zapping the free list when canonicalizing cell liveness data prior to
2705 a conservative scan, we can instead mark all objects in the block except for those in the free list. This should
2706 incur no performance penalty since we're doing it on a very small O(1) number of blocks at the beginning of the collection.
2707
2708 For the time being we still need to use zapping to determine whether we have run an object's destructor or not.
2709
2710 * heap/MarkedAllocator.cpp:
2711 (JSC::MarkedAllocator::tryAllocateHelper): Renaming stuff.
2712 * heap/MarkedAllocator.h: Renamed zapFreeList to canonicalizeCellLivenessData to match.
2713 (MarkedAllocator):
2714 (JSC::MarkedAllocator::canonicalizeCellLivenessData): Same as old zapFreeList, but just call canonicalize instead.
2715 * heap/MarkedBlock.cpp:
2716 (JSC::MarkedBlock::specializedSweep): Remove the check for Zapped block stuff. Also change the block state to Marked
2717 instead of Zapped if we're not producing a FreeList since that's the only other state that really makes any sense.
2718 (JSC::MarkedBlock::sweepHelper): Remove Zapped related code.
2719 (SetAllMarksFunctor): Functor to set all the mark bits in the block since there's not a simple function to call on
2720 the Bitmap itself.
2721 (JSC::SetAllMarksFunctor::operator()):
2722 (JSC):
2723 (JSC::MarkedBlock::canonicalizeCellLivenessData): Remove all the stuff for Zapped. For FreeListed, set all the mark bits
2724 and then clear the ones for the objects in the FreeList. This ensures that only the things that were in the FreeList
2725 are considered to be dead by the conservative scan, just like if we were to have zapped the FreeList like before.
2726 * heap/MarkedBlock.h:
2727 (MarkedBlock):
2728 (JSC::MarkedBlock::clearMarked): Add function to clear individual mark bits, since we need that functionality now.
2729 (JSC):
2730 (JSC::MarkedBlock::isLive): Remove code for Zapped stuff. Marked handles all interesting cases now.
2731 (JSC::MarkedBlock::forEachCell): Add new iterator function that iterates over all cells in the block, regardless of
2732 whether they're live or a dead.
2733 * heap/MarkedSpace.cpp:
2734 (JSC::MarkedSpace::canonicalizeCellLivenessData): Change to call the renamed canonicalize function.
2735
27362012-09-13 Kevin Funk <kevin.funk@kdab.com>
2737
2738 Make compile with both OS(WINCE) and PLATFORM(QT) support
2739 https://bugs.webkit.org/show_bug.cgi?id=95536
2740
2741 Reviewed by Simon Hausmann.
2742
2743 Do not link against advapi32 on wince
2744
2745 * jsc.pro:
2746
27472012-09-13 Geoffrey Garen <ggaren@apple.com>
2748
2749 Refactored the DFG to make fewer assumptions about variable capture
2750 https://bugs.webkit.org/show_bug.cgi?id=96680
2751
2752 Reviewed by Gavin Barraclough.
2753
2754 A variable capture optimization patch I'm working on broke DFG
2755 correctness and the arguments simplification optimization phase, so I've
2756 refactored both to make fewer assumptions about variable capture.
2757
2758 * bytecode/CodeBlock.h:
2759 (JSC::CodeBlock::isCaptured): This is the new One True Way to find out
2760 if a variable was captured. This gives us a single point of maintenance
2761 as we chagne capture behavior.
2762
2763 * dfg/DFGAbstractState.cpp:
2764 (JSC::DFG::AbstractState::clobberCapturedVars): Don't assume that captured
2765 variables have any particular location. Instead, ask the One True Function.
2766
2767 * dfg/DFGArgumentsSimplificationPhase.cpp:
2768 (JSC::DFG::ArgumentsSimplificationPhase::run):
2769 (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
2770 (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize): Mechanical
2771 changes to separate being captured from being 'arguments'. What used
2772 to be
2773 if (captured)
2774 if (arguments)
2775 x
2776 y
2777 is now
2778 if (arguments)
2779 x
2780 y
2781 else if (captured)
2782 y
2783
2784 * dfg/DFGByteCodeParser.cpp:
2785 (JSC::DFG::ByteCodeParser::getLocal):
2786 (JSC::DFG::ByteCodeParser::setLocal):
2787 (JSC::DFG::ByteCodeParser::getArgument):
2788 (JSC::DFG::ByteCodeParser::setArgument):
2789 (JSC::DFG::ByteCodeParser::flushDirect):
2790 (JSC::DFG::ByteCodeParser::parseBlock):
2791 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2792 * dfg/DFGSpeculativeJIT.cpp:
2793 (JSC::DFG::SpeculativeJIT::compile): Use the One True Function.
2794
27952012-09-13 Benjamin Poulain <bpoulain@apple.com>
2796
2797 Improve the SourceProvider hierarchy
2798 https://bugs.webkit.org/show_bug.cgi?id=95635
2799
2800 Reviewed by Geoffrey Garen.
2801
2802 SourceProvider was designed to have subclasses magically handling the data without
2803 decoding all of it. The virtual methods length() and getRange() were based
2804 on these assumptions.
2805
2806 In practice, the magic was in our head, there is no implementation that takes
2807 advantage of that.
2808
2809 SourceProvider is modified to adopt WebCore's ScriptSourceProvider::source() and base
2810 everything on it.
2811 The code using SourceProvider is also simplified.
2812
2813 * interpreter/Interpreter.cpp:
2814 (JSC::appendSourceToError): Keep a reference to the string instead of querying it for
2815 each time it is used.
2816 * parser/Lexer.cpp:
2817 (JSC::::setCode):
2818 (JSC::::sourceCode):
2819 * parser/Parser.h:
2820 (JSC::parse):
2821 * parser/SourceCode.h:
2822 (JSC::SourceCode::SourceCode):
2823 (JSC::SourceCode::subExpression):
2824 * parser/SourceProvider.h:
2825 (SourceProvider):
2826 (JSC::SourceProvider::getRange):
2827
28282012-09-13 Filip Pizlo <fpizlo@apple.com>
2829
2830 DFG: Dead GetButterfly's shouldn't be subject to CSE
2831 https://bugs.webkit.org/show_bug.cgi?id=96707
2832 <rdar://problem/12296311>
2833
2834 Reviewed by Oliver Hunt.
2835
2836 There were a number of cases of this that creeped into the CSE: it would
2837 match something even though it was dead.
2838
2839 * dfg/DFGCSEPhase.cpp:
2840 (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
2841 (JSC::DFG::CSEPhase::checkArrayElimination):
2842 (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
2843 (JSC::DFG::CSEPhase::getScopeChainLoadElimination):
2844 (JSC::DFG::CSEPhase::getLocalLoadElimination):
2845
28462012-09-13 Oliver Hunt <oliver@apple.com>
2847
2848 Make global const initialisation explicit in the bytecode
2849 https://bugs.webkit.org/show_bug.cgi?id=96711
2850
2851 Reviewed by Gavin Barraclough.
2852
2853 Added op_init_global_const to make initialisation of global const
2854 fields explicit. This will help us keep correct semantics in the
2855 upcoming variable resolution refactoring.
2856
2857 * bytecode/CodeBlock.cpp:
2858 (JSC::CodeBlock::dump):
2859 * bytecode/Opcode.h:
2860 (JSC):
2861 (JSC::padOpcodeName):
2862 * bytecompiler/BytecodeGenerator.cpp:
2863 (JSC::BytecodeGenerator::emitInitGlobalConst):
2864 (JSC):
2865 * bytecompiler/BytecodeGenerator.h:
2866 (BytecodeGenerator):
2867 * bytecompiler/NodesCodegen.cpp:
2868 (JSC::ConstDeclNode::emitCodeSingle):
2869 * dfg/DFGByteCodeParser.cpp:
2870 (JSC::DFG::ByteCodeParser::parseBlock):
2871 * dfg/DFGCapabilities.h:
2872 (JSC::DFG::canCompileOpcode):
2873 * interpreter/Interpreter.cpp:
2874 (JSC::Interpreter::privateExecute):
2875 * jit/JIT.cpp:
2876 (JSC::JIT::privateCompileMainPass):
2877 (JSC::JIT::privateCompileSlowCases):
2878 * llint/LowLevelInterpreter32_64.asm:
2879 * llint/LowLevelInterpreter64.asm:
2880
28812012-09-13 Mark Hahnenberg <mhahnenberg@apple.com>
2882
2883 Rename forEachCell to forEachLiveCell
2884 https://bugs.webkit.org/show_bug.cgi?id=96685
2885
2886 Reviewed by Oliver Hunt.
2887
2888 forEachCell actually only iterates over live cells. We should rename it to
2889 reflect what it actually does. This is also helpful because we want to add a new
2890 forEachCell that actually does iterate each and every cell in a MarkedBlock
2891 regardless of whether or not it is live.
2892
2893 * debugger/Debugger.cpp:
2894 (JSC::Debugger::recompileAllJSFunctions):
2895 * heap/Heap.cpp:
2896 (JSC::Heap::globalObjectCount):
2897 (JSC::Heap::objectTypeCounts):
2898 * heap/MarkedBlock.h:
2899 (MarkedBlock):
2900 (JSC::MarkedBlock::forEachLiveCell):
2901 * heap/MarkedSpace.h:
2902 (MarkedSpace):
2903 (JSC::MarkedSpace::forEachLiveCell):
2904 * runtime/JSGlobalData.cpp:
2905 (JSC::JSGlobalData::releaseExecutableMemory):
2906
29072012-09-13 Filip Pizlo <fpizlo@apple.com>
2908
2909 [Qt][Win] REGRESSION(r128400): It broke the build
2910 https://bugs.webkit.org/show_bug.cgi?id=96617
2911
2912 Reviewed by Simon Hausmann.
2913
2914 Changed "JSC::Array" to "JSC::ArrayClass" because it's not used often enough
2915 for the brevity to be beneficial, and because "Array" causes too much namespace
2916 pollution.
2917
2918 * runtime/IndexingType.h:
2919 (JSC):
2920 * runtime/JSArray.cpp:
2921 (JSC::JSArray::pop):
2922 (JSC::JSArray::push):
2923 (JSC::JSArray::sortNumeric):
2924 (JSC::JSArray::sort):
2925 (JSC::JSArray::fillArgList):
2926 (JSC::JSArray::copyToArguments):
2927 (JSC::JSArray::compactForSorting):
2928 * runtime/JSObject.cpp:
2929 (JSC::JSObject::getOwnPropertySlotByIndex):
2930 (JSC::JSObject::putByIndex):
2931 (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
2932 (JSC::JSObject::deletePropertyByIndex):
2933 (JSC::JSObject::getOwnPropertyNames):
2934 (JSC::JSObject::putByIndexBeyondVectorLength):
2935 (JSC::JSObject::putDirectIndexBeyondVectorLength):
2936 (JSC::JSObject::getNewVectorLength):
2937 (JSC::JSObject::getOwnPropertyDescriptor):
2938 * runtime/JSObject.h:
2939 (JSC::JSObject::getArrayLength):
2940 (JSC::JSObject::getVectorLength):
2941 (JSC::JSObject::canGetIndexQuickly):
2942 (JSC::JSObject::canSetIndexQuickly):
2943 (JSC::JSObject::inSparseIndexingMode):
2944 (JSC::JSObject::ensureArrayStorage):
2945
29462012-09-13 Filip Pizlo <fpizlo@apple.com>
2947
2948 Testing whether indexing type is ArrayWithArrayStorage should not compare against ArrayWithArrayStorage
2949 https://bugs.webkit.org/show_bug.cgi?id=96611
2950
2951 Reviewed by Gavin Barraclough.
2952
2953 * dfg/DFGRepatch.cpp:
2954 (JSC::DFG::tryCacheGetByID):
2955 * dfg/DFGSpeculativeJIT.cpp:
2956 (JSC::DFG::SpeculativeJIT::checkArray):
2957 * jit/JITPropertyAccess.cpp:
2958 (JSC::JIT::privateCompilePatchGetArrayLength):
2959 * jit/JITPropertyAccess32_64.cpp:
2960 (JSC::JIT::privateCompilePatchGetArrayLength):
2961 * llint/LowLevelInterpreter32_64.asm:
2962 * llint/LowLevelInterpreter64.asm:
2963
29642012-09-09 Filip Pizlo <fpizlo@apple.com>
2965
2966 JSC should have property butterflies
2967 https://bugs.webkit.org/show_bug.cgi?id=91933
2968
2969 Reviewed by Geoffrey Garen.
2970
2971 This changes the JSC object model. Previously, all objects had fast lookup for
2972 named properties. Integer indexed properties were only fast if you used a
2973 JSArray. With this change, all objects have fast indexed properties. This is
2974 accomplished without any space overhead by using a bidirectional object layout,
2975 aka butterflies. Each JSObject has a m_butterfly pointer where previously it
2976 had a m_outOfLineStorage pointer. To the left of the location pointed to by
2977 m_butterfly, we place all named out-of-line properties. To the right, we place
2978 all indexed properties along with indexing meta-data. Though, some indexing
2979 meta-data is placed in the 8-byte word immediately left of the pointed-to
2980 location; this is in anticipation of the indexing meta-data being small enough
2981 in the common case that m_butterfly always points to the first indexed
2982 property.
2983
2984 This is performance neutral, except on tests that use indexed properties on
2985 plain objects, where the speed-up is in excess of an order of magnitude.
2986
2987 One notable aspect of what this change brings is that it allows indexing
2988 storage to morph over time. Currently this is only used to allow all non-array
2989 objects to start out without any indexed storage. But it could be used for
2990 some kinds of array type inference in the future.
2991
2992 * API/JSCallbackObject.h:
2993 (JSCallbackObject):
2994 * API/JSCallbackObjectFunctions.h:
2995 (JSC::::getOwnPropertySlotByIndex):
2996 (JSC):
2997 (JSC::::getOwnNonIndexPropertyNames):
2998 * API/JSObjectRef.cpp:
2999 * CMakeLists.txt:
3000 * GNUmakefile.list.am:
3001 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3002 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
3003 * JavaScriptCore.xcodeproj/project.pbxproj:
3004 * Target.pri:
3005 * bytecode/ArrayProfile.h:
3006 (JSC):
3007 (JSC::arrayModeFromStructure):
3008 * bytecompiler/BytecodeGenerator.cpp:
3009 (JSC::BytecodeGenerator::emitDirectPutById):
3010 * dfg/DFGAbstractState.cpp:
3011 (JSC::DFG::AbstractState::execute):
3012 * dfg/DFGAdjacencyList.h:
3013 (JSC::DFG::AdjacencyList::AdjacencyList):
3014 (AdjacencyList):
3015 * dfg/DFGArrayMode.cpp:
3016 (JSC::DFG::fromObserved):
3017 (JSC::DFG::modeAlreadyChecked):
3018 (JSC::DFG::modeToString):
3019 * dfg/DFGArrayMode.h:
3020 (DFG):
3021 (JSC::DFG::modeUsesButterfly):
3022 (JSC::DFG::modeIsJSArray):
3023 (JSC::DFG::isInBoundsAccess):
3024 (JSC::DFG::modeSupportsLength):
3025 * dfg/DFGByteCodeParser.cpp:
3026 (JSC::DFG::ByteCodeParser::handleGetByOffset):
3027 (JSC::DFG::ByteCodeParser::parseBlock):
3028 * dfg/DFGCSEPhase.cpp:
3029 (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
3030 (JSC::DFG::CSEPhase::performNodeCSE):
3031 * dfg/DFGFixupPhase.cpp:
3032 (JSC::DFG::FixupPhase::fixupNode):
3033 (JSC::DFG::FixupPhase::addNode):
3034 (FixupPhase):
3035 (JSC::DFG::FixupPhase::checkArray):
3036 * dfg/DFGGraph.h:
3037 (JSC::DFG::Graph::byValIsPure):
3038 * dfg/DFGNode.h:
3039 (JSC::DFG::Node::Node):
3040 (Node):
3041 * dfg/DFGNodeType.h:
3042 (DFG):
3043 * dfg/DFGOperations.cpp:
3044 (JSC::DFG::putByVal):
3045 * dfg/DFGOperations.h:
3046 * dfg/DFGPredictionPropagationPhase.cpp:
3047 (JSC::DFG::PredictionPropagationPhase::propagate):
3048 * dfg/DFGRepatch.cpp:
3049 (JSC::DFG::generateProtoChainAccessStub):
3050 (JSC::DFG::tryCacheGetByID):
3051 (JSC::DFG::tryBuildGetByIDList):
3052 (JSC::DFG::emitPutReplaceStub):
3053 (JSC::DFG::emitPutTransitionStub):
3054 (JSC::DFG::tryBuildPutByIdList):
3055 * dfg/DFGSpeculativeJIT.cpp:
3056 (JSC::DFG::SpeculativeJIT::checkArray):
3057 (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
3058 (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
3059 (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3060 (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3061 * dfg/DFGSpeculativeJIT.h:
3062 (JSC::DFG::SpeculativeJIT::callOperation):
3063 (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
3064 * dfg/DFGSpeculativeJIT32_64.cpp:
3065 (JSC::DFG::SpeculativeJIT::cachedGetById):
3066 (JSC::DFG::SpeculativeJIT::cachedPutById):
3067 (JSC::DFG::SpeculativeJIT::compile):
3068 * dfg/DFGSpeculativeJIT64.cpp:
3069 (JSC::DFG::SpeculativeJIT::cachedGetById):
3070 (JSC::DFG::SpeculativeJIT::cachedPutById):
3071 (JSC::DFG::SpeculativeJIT::compile):
3072 * dfg/DFGStructureCheckHoistingPhase.cpp:
3073 (JSC::DFG::StructureCheckHoistingPhase::run):
3074 * heap/CopiedSpace.h:
3075 (CopiedSpace):
3076 * jit/JIT.h:
3077 * jit/JITInlineMethods.h:
3078 (JSC::JIT::emitAllocateBasicJSObject):
3079 (JSC::JIT::emitAllocateBasicStorage):
3080 (JSC::JIT::emitAllocateJSArray):
3081 * jit/JITOpcodes.cpp:
3082 (JSC::JIT::emit_op_new_array):
3083 (JSC::JIT::emitSlow_op_new_array):
3084 * jit/JITPropertyAccess.cpp:
3085 (JSC::JIT::emit_op_get_by_val):
3086 (JSC::JIT::compileGetDirectOffset):
3087 (JSC::JIT::emit_op_put_by_val):
3088 (JSC::JIT::compileGetByIdHotPath):
3089 (JSC::JIT::emit_op_put_by_id):
3090 (JSC::JIT::compilePutDirectOffset):
3091 (JSC::JIT::privateCompilePatchGetArrayLength):
3092 * jit/JITPropertyAccess32_64.cpp:
3093 (JSC::JIT::emit_op_get_by_val):
3094 (JSC::JIT::emit_op_put_by_val):
3095 (JSC::JIT::compileGetByIdHotPath):
3096 (JSC::JIT::emit_op_put_by_id):
3097 (JSC::JIT::compilePutDirectOffset):
3098 (JSC::JIT::compileGetDirectOffset):
3099 (JSC::JIT::privateCompilePatchGetArrayLength):
3100 * jit/JITStubs.cpp:
3101 (JSC::DEFINE_STUB_FUNCTION):
3102 * jsc.cpp:
3103 * llint/LLIntSlowPaths.cpp:
3104 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3105 * llint/LowLevelInterpreter.asm:
3106 * llint/LowLevelInterpreter32_64.asm:
3107 * llint/LowLevelInterpreter64.asm:
3108 * runtime/Arguments.cpp:
3109 (JSC::Arguments::deletePropertyByIndex):
3110 (JSC::Arguments::defineOwnProperty):
3111 * runtime/ArrayConstructor.cpp:
3112 * runtime/ArrayConventions.h: Added.
3113 (JSC):
3114 (JSC::isDenseEnoughForVector):
3115 (JSC::indexingHeaderForArray):
3116 (JSC::baseIndexingHeaderForArray):
3117 * runtime/ArrayPrototype.cpp:
3118 (JSC::ArrayPrototype::create):
3119 (JSC):
3120 (JSC::ArrayPrototype::ArrayPrototype):
3121 (JSC::arrayProtoFuncToString):
3122 (JSC::arrayProtoFuncJoin):
3123 (JSC::arrayProtoFuncSort):
3124 (JSC::arrayProtoFuncFilter):
3125 (JSC::arrayProtoFuncMap):
3126 (JSC::arrayProtoFuncEvery):
3127 (JSC::arrayProtoFuncForEach):
3128 (JSC::arrayProtoFuncSome):
3129 (JSC::arrayProtoFuncReduce):
3130 (JSC::arrayProtoFuncReduceRight):
3131 * runtime/ArrayPrototype.h:
3132 (ArrayPrototype):
3133 (JSC::ArrayPrototype::createStructure):
3134 * runtime/ArrayStorage.h: Added.
3135 (JSC):
3136 (ArrayStorage):
3137 (JSC::ArrayStorage::ArrayStorage):
3138 (JSC::ArrayStorage::from):
3139 (JSC::ArrayStorage::butterfly):
3140 (JSC::ArrayStorage::indexingHeader):
3141 (JSC::ArrayStorage::length):
3142 (JSC::ArrayStorage::setLength):
3143 (JSC::ArrayStorage::vectorLength):
3144 (JSC::ArrayStorage::setVectorLength):
3145 (JSC::ArrayStorage::copyHeaderFromDuringGC):
3146 (JSC::ArrayStorage::inSparseMode):
3147 (JSC::ArrayStorage::lengthOffset):
3148 (JSC::ArrayStorage::vectorLengthOffset):
3149 (JSC::ArrayStorage::numValuesInVectorOffset):
3150 (JSC::ArrayStorage::vectorOffset):
3151 (JSC::ArrayStorage::indexBiasOffset):
3152 (JSC::ArrayStorage::sparseMapOffset):
3153 (JSC::ArrayStorage::sizeFor):
3154 * runtime/Butterfly.h: Added.
3155 (JSC):
3156 (Butterfly):
3157 (JSC::Butterfly::Butterfly):
3158 (JSC::Butterfly::totalSize):
3159 (JSC::Butterfly::fromBase):
3160 (JSC::Butterfly::offsetOfIndexingHeader):
3161 (JSC::Butterfly::offsetOfPublicLength):
3162 (JSC::Butterfly::offsetOfVectorLength):
3163 (JSC::Butterfly::indexingHeader):
3164 (JSC::Butterfly::propertyStorage):
3165 (JSC::Butterfly::indexingPayload):
3166 (JSC::Butterfly::arrayStorage):
3167 (JSC::Butterfly::offsetOfPropertyStorage):
3168 (JSC::Butterfly::indexOfPropertyStorage):
3169 (JSC::Butterfly::base):
3170 * runtime/ButterflyInlineMethods.h: Added.
3171 (JSC):
3172 (JSC::Butterfly::createUninitialized):
3173 (JSC::Butterfly::create):
3174 (JSC::Butterfly::createUninitializedDuringCollection):
3175 (JSC::Butterfly::base):
3176 (JSC::Butterfly::growPropertyStorage):
3177 (JSC::Butterfly::growArrayRight):
3178 (JSC::Butterfly::resizeArray):
3179 (JSC::Butterfly::unshift):
3180 (JSC::Butterfly::shift):
3181 * runtime/ClassInfo.h:
3182 (MethodTable):
3183 (JSC):
3184 * runtime/IndexingHeader.h: Added.
3185 (JSC):
3186 (IndexingHeader):
3187 (JSC::IndexingHeader::offsetOfIndexingHeader):
3188 (JSC::IndexingHeader::offsetOfPublicLength):
3189 (JSC::IndexingHeader::offsetOfVectorLength):
3190 (JSC::IndexingHeader::IndexingHeader):
3191 (JSC::IndexingHeader::vectorLength):
3192 (JSC::IndexingHeader::setVectorLength):
3193 (JSC::IndexingHeader::publicLength):
3194 (JSC::IndexingHeader::setPublicLength):
3195 (JSC::IndexingHeader::from):
3196 (JSC::IndexingHeader::fromEndOf):
3197 (JSC::IndexingHeader::propertyStorage):
3198 (JSC::IndexingHeader::arrayStorage):
3199 (JSC::IndexingHeader::butterfly):
3200 * runtime/IndexingHeaderInlineMethods.h: Added.
3201 (JSC):
3202 (JSC::IndexingHeader::preCapacity):
3203 (JSC::IndexingHeader::indexingPayloadSizeInBytes):
3204 * runtime/IndexingType.h: Added.
3205 (JSC):
3206 (JSC::hasIndexingHeader):
3207 * runtime/JSActivation.cpp:
3208 (JSC::JSActivation::JSActivation):
3209 (JSC::JSActivation::visitChildren):
3210 (JSC::JSActivation::getOwnNonIndexPropertyNames):
3211 * runtime/JSActivation.h:
3212 (JSActivation):
3213 (JSC::JSActivation::tearOff):
3214 * runtime/JSArray.cpp:
3215 (JSC):
3216 (JSC::createArrayButterflyInDictionaryIndexingMode):
3217 (JSC::JSArray::setLengthWritable):
3218 (JSC::JSArray::defineOwnProperty):
3219 (JSC::JSArray::getOwnPropertySlot):
3220 (JSC::JSArray::getOwnPropertyDescriptor):
3221 (JSC::JSArray::put):
3222 (JSC::JSArray::deleteProperty):
3223 (JSC::JSArray::getOwnNonIndexPropertyNames):
3224 (JSC::JSArray::unshiftCountSlowCase):
3225 (JSC::JSArray::setLength):
3226 (JSC::JSArray::pop):
3227 (JSC::JSArray::push):
3228 (JSC::JSArray::shiftCount):
3229 (JSC::JSArray::unshiftCount):
3230 (JSC::JSArray::sortNumeric):
3231 (JSC::JSArray::sort):
3232 (JSC::JSArray::fillArgList):
3233 (JSC::JSArray::copyToArguments):
3234 (JSC::JSArray::compactForSorting):
3235 * runtime/JSArray.h:
3236 (JSC):
3237 (JSArray):
3238 (JSC::JSArray::JSArray):
3239 (JSC::JSArray::length):
3240 (JSC::JSArray::createStructure):
3241 (JSC::JSArray::isLengthWritable):
3242 (JSC::createArrayButterfly):
3243 (JSC::JSArray::create):
3244 (JSC::JSArray::tryCreateUninitialized):
3245 * runtime/JSBoundFunction.cpp:
3246 (JSC::boundFunctionCall):
3247 (JSC::boundFunctionConstruct):
3248 (JSC::JSBoundFunction::finishCreation):
3249 * runtime/JSCell.cpp:
3250 (JSC::JSCell::getOwnNonIndexPropertyNames):
3251 (JSC):
3252 * runtime/JSCell.h:
3253 (JSCell):
3254 * runtime/JSFunction.cpp:
3255 (JSC::JSFunction::getOwnPropertySlot):
3256 (JSC::JSFunction::getOwnPropertyDescriptor):
3257 (JSC::JSFunction::getOwnNonIndexPropertyNames):
3258 (JSC::JSFunction::defineOwnProperty):
3259 * runtime/JSFunction.h:
3260 (JSFunction):
3261 * runtime/JSGlobalData.cpp:
3262 (JSC::JSGlobalData::JSGlobalData):
3263 * runtime/JSGlobalData.h:
3264 (JSGlobalData):
3265 * runtime/JSGlobalObject.cpp:
3266 (JSC::JSGlobalObject::reset):
3267 * runtime/JSONObject.cpp:
3268 (JSC::Stringifier::Holder::appendNextProperty):
3269 (JSC::Walker::walk):
3270 * runtime/JSObject.cpp:
3271 (JSC):
3272 (JSC::JSObject::visitButterfly):
3273 (JSC::JSObject::visitChildren):
3274 (JSC::JSFinalObject::visitChildren):
3275 (JSC::JSObject::getOwnPropertySlotByIndex):
3276 (JSC::JSObject::put):
3277 (JSC::JSObject::putByIndex):
3278 (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
3279 (JSC::JSObject::enterDictionaryIndexingMode):
3280 (JSC::JSObject::createArrayStorage):
3281 (JSC::JSObject::createInitialArrayStorage):
3282 (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
3283 (JSC::JSObject::putDirectAccessor):
3284 (JSC::JSObject::deleteProperty):
3285 (JSC::JSObject::deletePropertyByIndex):
3286 (JSC::JSObject::getOwnPropertyNames):
3287 (JSC::JSObject::getOwnNonIndexPropertyNames):
3288 (JSC::JSObject::preventExtensions):
3289 (JSC::JSObject::fillGetterPropertySlot):
3290 (JSC::JSObject::putIndexedDescriptor):
3291 (JSC::JSObject::defineOwnIndexedProperty):
3292 (JSC::JSObject::allocateSparseIndexMap):
3293 (JSC::JSObject::deallocateSparseIndexMap):
3294 (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
3295 (JSC::JSObject::putByIndexBeyondVectorLength):
3296 (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
3297 (JSC::JSObject::putDirectIndexBeyondVectorLength):
3298 (JSC::JSObject::getNewVectorLength):
3299 (JSC::JSObject::increaseVectorLength):
3300 (JSC::JSObject::checkIndexingConsistency):
3301 (JSC::JSObject::growOutOfLineStorage):
3302 (JSC::JSObject::getOwnPropertyDescriptor):
3303 (JSC::putDescriptor):
3304 (JSC::JSObject::putDirectMayBeIndex):
3305 (JSC::JSObject::defineOwnNonIndexProperty):
3306 (JSC::JSObject::defineOwnProperty):
3307 (JSC::JSObject::getOwnPropertySlotSlow):
3308 * runtime/JSObject.h:
3309 (JSC::JSObject::getArrayLength):
3310 (JSObject):
3311 (JSC::JSObject::getVectorLength):
3312 (JSC::JSObject::putDirectIndex):
3313 (JSC::JSObject::canGetIndexQuickly):
3314 (JSC::JSObject::getIndexQuickly):
3315 (JSC::JSObject::canSetIndexQuickly):
3316 (JSC::JSObject::setIndexQuickly):
3317 (JSC::JSObject::initializeIndex):
3318 (JSC::JSObject::completeInitialization):
3319 (JSC::JSObject::inSparseIndexingMode):
3320 (JSC::JSObject::butterfly):
3321 (JSC::JSObject::outOfLineStorage):
3322 (JSC::JSObject::offsetForLocation):
3323 (JSC::JSObject::indexingShouldBeSparse):
3324 (JSC::JSObject::butterflyOffset):
3325 (JSC::JSObject::butterflyAddress):
3326 (JSC::JSObject::arrayStorage):
3327 (JSC::JSObject::arrayStorageOrZero):
3328 (JSC::JSObject::ensureArrayStorage):
3329 (JSC::JSObject::checkIndexingConsistency):
3330 (JSC::JSNonFinalObject::JSNonFinalObject):
3331 (JSC):
3332 (JSC::JSObject::setButterfly):
3333 (JSC::JSObject::setButterflyWithoutChangingStructure):
3334 (JSC::JSObject::JSObject):
3335 (JSC::JSObject::inlineGetOwnPropertySlot):
3336 (JSC::JSObject::putDirectInternal):
3337 (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
3338 (JSC::JSObject::putDirectWithoutTransition):
3339 (JSC::offsetInButterfly):
3340 (JSC::offsetRelativeToPatchedStorage):
3341 (JSC::indexRelativeToBase):
3342 (JSC::offsetRelativeToBase):
3343 * runtime/JSPropertyNameIterator.cpp:
3344 (JSC::JSPropertyNameIterator::create):
3345 * runtime/JSSymbolTableObject.cpp:
3346 (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
3347 * runtime/JSSymbolTableObject.h:
3348 (JSSymbolTableObject):
3349 * runtime/JSTypeInfo.h:
3350 (JSC):
3351 (JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero):
3352 (JSC::TypeInfo::overridesGetPropertyNames):
3353 * runtime/LiteralParser.cpp:
3354 (JSC::::parse):
3355 * runtime/ObjectConstructor.cpp:
3356 * runtime/ObjectPrototype.cpp:
3357 (JSC::ObjectPrototype::ObjectPrototype):
3358 (JSC):
3359 * runtime/ObjectPrototype.h:
3360 (ObjectPrototype):
3361 * runtime/PropertyOffset.h:
3362 (JSC::offsetInOutOfLineStorage):
3363 * runtime/PropertyStorage.h: Added.
3364 (JSC):
3365 * runtime/PutDirectIndexMode.h: Added.
3366 (JSC):
3367 * runtime/RegExpMatchesArray.cpp:
3368 (JSC::RegExpMatchesArray::RegExpMatchesArray):
3369 (JSC):
3370 (JSC::RegExpMatchesArray::create):
3371 (JSC::RegExpMatchesArray::finishCreation):
3372 * runtime/RegExpMatchesArray.h:
3373 (RegExpMatchesArray):
3374 (JSC::RegExpMatchesArray::createStructure):
3375 * runtime/RegExpObject.cpp:
3376 (JSC::RegExpObject::getOwnNonIndexPropertyNames):
3377 * runtime/RegExpObject.h:
3378 (RegExpObject):
3379 * runtime/Reject.h: Added.
3380 (JSC):
3381 (JSC::reject):
3382 * runtime/SparseArrayValueMap.cpp: Added.
3383 (JSC):
3384 * runtime/SparseArrayValueMap.h: Added.
3385 (JSC):
3386 (SparseArrayEntry):
3387 (JSC::SparseArrayEntry::SparseArrayEntry):
3388 (SparseArrayValueMap):
3389 (JSC::SparseArrayValueMap::sparseMode):
3390 (JSC::SparseArrayValueMap::setSparseMode):
3391 (JSC::SparseArrayValueMap::lengthIsReadOnly):
3392 (JSC::SparseArrayValueMap::setLengthIsReadOnly):
3393 (JSC::SparseArrayValueMap::find):
3394 (JSC::SparseArrayValueMap::remove):
3395 (JSC::SparseArrayValueMap::notFound):
3396 (JSC::SparseArrayValueMap::isEmpty):
3397 (JSC::SparseArrayValueMap::contains):
3398 (JSC::SparseArrayValueMap::size):
3399 (JSC::SparseArrayValueMap::begin):
3400 (JSC::SparseArrayValueMap::end):
3401 * runtime/SparseArrayValueMapInlineMethods.h: Added.
3402 (JSC):
3403 (JSC::SparseArrayValueMap::SparseArrayValueMap):
3404 (JSC::SparseArrayValueMap::~SparseArrayValueMap):
3405 (JSC::SparseArrayValueMap::finishCreation):
3406 (JSC::SparseArrayValueMap::create):
3407 (JSC::SparseArrayValueMap::destroy):
3408 (JSC::SparseArrayValueMap::createStructure):
3409 (JSC::SparseArrayValueMap::add):
3410 (JSC::SparseArrayValueMap::putEntry):
3411 (JSC::SparseArrayValueMap::putDirect):
3412 (JSC::SparseArrayEntry::get):
3413 (JSC::SparseArrayEntry::getNonSparseMode):
3414 (JSC::SparseArrayValueMap::visitChildren):
3415 * runtime/StorageBarrier.h: Removed.
3416 * runtime/StringObject.cpp:
3417 (JSC::StringObject::putByIndex):
3418 (JSC):
3419 (JSC::StringObject::deletePropertyByIndex):
3420 * runtime/StringObject.h:
3421 (StringObject):
3422 * runtime/StringPrototype.cpp:
3423 * runtime/Structure.cpp:
3424 (JSC::Structure::Structure):
3425 (JSC::Structure::materializePropertyMap):
3426 (JSC::Structure::nonPropertyTransition):
3427 (JSC):
3428 * runtime/Structure.h:
3429 (Structure):
3430 (JSC::Structure::indexingType):
3431 (JSC::Structure::indexingTypeIncludingHistory):
3432 (JSC::Structure::indexingTypeOffset):
3433 (JSC::Structure::create):
3434 * runtime/StructureTransitionTable.h:
3435 (JSC):
3436 (JSC::toAttributes):
3437 (JSC::newIndexingType):
3438 (JSC::StructureTransitionTable::Hash::hash):
3439 * tests/mozilla/js1_6/Array/regress-304828.js:
3440
34412012-09-12 Mark Lam <mark.lam@apple.com>
3442
3443 Refactor Opcodes to distinguish between core and extension opcodes.
3444 https://bugs.webkit.org/show_bug.cgi?id=96466.
3445
3446 Reviewed by Filip Pizlo.
3447
3448 * bytecode/Opcode.h:
3449 (JSC): Added FOR_EACH_CORE_OPCODE_ID() macro.
3450 * llint/LowLevelInterpreter.h:
3451 (JSC): Auto-generate llint opcode aliases using the
3452 FOR_EACH_CORE_OPCODE_ID() macro.
3453
34542012-09-11 Geoffrey Garen <ggaren@apple.com>
3455
3456 Second step to fixing the Windows build: Add new symbols.
3457
3458 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3459
34602012-09-11 Geoffrey Garen <ggaren@apple.com>
3461
3462 First step to fixing the Windows build: Remove old symbols.
3463
3464 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
3465
34662012-09-11 Geoffrey Garen <ggaren@apple.com>
3467
3468 Don't allocate a backing store just for a function's name
3469 https://bugs.webkit.org/show_bug.cgi?id=96468
3470
3471 Reviewed by Oliver Hunt.
3472
3473 Treat function.name like function.length etc., and use a custom getter.
3474 This saves space in closures.
3475
3476 * debugger/DebuggerCallFrame.cpp:
3477 (JSC::DebuggerCallFrame::functionName):
3478 * debugger/DebuggerCallFrame.h:
3479 (DebuggerCallFrame): Updated for interface change.
3480
3481 * runtime/Executable.h:
3482 (JSC::JSFunction::JSFunction): Do a little inlining.
3483
3484 * runtime/JSFunction.cpp:
3485 (JSC::JSFunction::finishCreation): Gone now. That's the point of the patch.
3486
3487 (JSC::JSFunction::name):
3488 (JSC::JSFunction::displayName):
3489 (JSC::JSFunction::nameGetter):
3490 (JSC::JSFunction::getOwnPropertySlot):
3491 (JSC::JSFunction::getOwnPropertyDescriptor):
3492 (JSC::JSFunction::getOwnPropertyNames):
3493 (JSC::JSFunction::put):
3494 (JSC::JSFunction::deleteProperty):
3495 (JSC::JSFunction::defineOwnProperty): Added custom accessors for .name
3496 just like .length and others.
3497
3498 * runtime/JSFunction.h:
3499 (JSC::JSFunction::create):
3500 (JSFunction): Updated for interface changes.
3501
35022012-09-11 Mark Hahnenberg <mhahnenberg@apple.com>
3503
3504 IncrementalSweeper should not sweep/free Zapped blocks
3505 https://bugs.webkit.org/show_bug.cgi?id=96464
3506
3507 Reviewed by Filip Pizlo.
3508
3509 This is not beneficial in terms of performance because there isn't any way a block can emerge
3510 in the Zapped state from a call to Heap::collect() unless we run an eager sweep on it, in which
3511 case we've already run all the destructors we possibly can. This also causes bugs since we don't
3512 take zapped-ness into account when determining whether or not a block is empty to free it. The
3513 incremental sweeper can then accidentally free blocks that it thinks are empty but are in fact
3514 zapped with still-live objects in them.
3515
3516 * heap/MarkedBlock.h:
3517 (JSC::MarkedBlock::needsSweeping): It is only valid to sweep a block if it is in the Marked state.
3518
35192012-09-11 Geoffrey Garen <ggaren@apple.com>
3520
3521 JSActivation should inline allocate its registers, and eliminate
3522 'arguments' registers in the common case
3523 https://bugs.webkit.org/show_bug.cgi?id=96427
3524
3525 Reviewed by Filip Pizlo.
3526
3527 This cuts the size class for simple closures down to 64 bytes.
3528
3529 * bytecompiler/BytecodeGenerator.cpp:
3530 (JSC::BytecodeGenerator::BytecodeGenerator): Set the usesNonStrictEval
3531 flag, which is new. Use a more specific test for whether a function
3532 uses 'arguments', so we can avoid allocating, initializing, and tearing
3533 off those registers in the common case. Distinguish between capturing
3534 arguments and not, so we can avoid allocating space for arguments in
3535 the torn-off object.
3536
3537 We can make this even more general in the future, with some bytecode
3538 generator refactoring.
3539
3540 (JSC::BytecodeGenerator::resolve): Updated for new interface.
3541
3542 * bytecompiler/BytecodeGenerator.h:
3543 (BytecodeGenerator):
3544 (JSC::BytecodeGenerator::symbolTable): Updated some types.
3545
3546 * heap/Heap.cpp:
3547 (JSC::Heap::isValidAllocation): Allow large allocations, now that they
3548 are both supported and used.
3549
3550 * heap/Heap.h:
3551 (Heap): Added a new form of allocateCell that specifies the full size
3552 of the allocation, to allow for extra space on the end.
3553
3554 * interpreter/CallFrame.h:
3555 (JSC::ExecState::argumentOffset):
3556 (JSC::ExecState::argumentOffsetIncludingThis):
3557 * interpreter/Interpreter.cpp:
3558 (JSC::Interpreter::unwindCallFrame): Refactored this code to be more
3559 specific about tearing off 'arguments' vs activations. This is something
3560 I forgot in my last patch, and it is required now that we can have
3561 acitvations without 'arguments' registers.
3562
3563 * runtime/Arguments.h:
3564 (JSC::Arguments::setRegisters): No need for setRegisters anymore because
3565 the activation object's storage doesn't change.
3566
3567 * runtime/JSActivation.cpp:
3568 (JSC::JSActivation::JSActivation): Initialize our storage manually because
3569 it's not declared to the C++ compiler.
3570
3571 (JSC::JSActivation::visitChildren): No copyAndAppend because our storage
3572 is not out-of-line anymore.
3573
3574 (JSC::JSActivation::symbolTableGet):
3575 (JSC::JSActivation::symbolTablePut):
3576 (JSC::JSActivation::getOwnPropertyNames):
3577 (JSC::JSActivation::symbolTablePutWithAttributes):
3578 (JSC::JSActivation::getOwnPropertySlot):
3579 (JSC::JSActivation::getOwnPropertyDescriptor):
3580 (JSC::JSActivation::argumentsGetter): Refactored isTornOff() testing to
3581 avoid using a data member and to avoid hard-coding any offset assumptions.
3582
3583 * runtime/JSActivation.h:
3584 (JSC):
3585 (JSActivation):
3586 (JSC::JSActivation::create):
3587 (JSC::JSActivation::isDynamicScope):
3588 (JSC::JSActivation::captureStart):
3589 (JSC::JSActivation::storageSize):
3590 (JSC::JSActivation::storageSizeInBytes):
3591 (JSC::JSActivation::registerOffset):
3592 (JSC::JSActivation::tearOff):
3593 (JSC::JSActivation::isTornOff):
3594 (JSC::JSActivation::storage):
3595 (JSC::JSActivation::allocationSize):
3596 (JSC::JSActivation::isValid): New helper functions for doing the math
3597 on our inline storage. Note that in the "AllOfTheThings" tear-off case,
3598 the number of things is not known at compile time, so we store the
3599 number in the argument count register. We can't just copy the raw contents
3600 of the register beacuse we need a value that is safe for precise marking,
3601 and the value in the register file has an invalid tag.
3602
3603 * runtime/JSCell.h:
3604 (JSC::allocateCell): New function for allocating with extra storage
3605 on the end.
3606
3607 * runtime/JSSymbolTableObject.h:
3608 (JSC::JSSymbolTableObject::JSSymbolTableObject):
3609 (JSC::JSSymbolTableObject::finishCreation):
3610 * runtime/JSVariableObject.h:
3611 (JSC::JSVariableObject::JSVariableObject):
3612 (JSVariableObject): Make it easier for subclasses to use their symbol
3613 tables during construction, by passing the table as a constructor argument.
3614
3615 * runtime/SymbolTable.h:
3616 (JSC::SharedSymbolTable::usesNonStrictEval):
3617 (JSC::SharedSymbolTable::setUsesNonStrictEval):
3618 (SharedSymbolTable):
3619 (JSC::SharedSymbolTable::captureMode):
3620 (JSC::SharedSymbolTable::setCaptureMode):
3621 (JSC::SharedSymbolTable::captureStart):
3622 (JSC::SharedSymbolTable::setCaptureStart):
3623 (JSC::SharedSymbolTable::captureEnd):
3624 (JSC::SharedSymbolTable::setCaptureEnd):
3625 (JSC::SharedSymbolTable::parameterCountIncludingThis):
3626 (JSC::SharedSymbolTable::setParameterCountIncludingThis):
3627 (JSC::SharedSymbolTable::SharedSymbolTable): Added data members to more
3628 precisely describe what kind of capture is in play, and to avoid having
3629 data members in the activation. We expect N activations per symbol table,
3630 so this can be a big savings in heavy closure usage.
3631
36322012-09-11 Ryuan Choi <ryuan.choi@samsung.com>
3633
3634 Fix build break with LLINT on 32bit machine after r128219
3635 https://bugs.webkit.org/show_bug.cgi?id=96461
3636
3637 Unreviewed build fix.
3638
3639 * llint/LowLevelInterpreter32_64.asm: Fixed typo.
3640
36412012-09-11 Michael Saboff <msaboff@apple.com>
3642
3643 Build fixed for http://trac.webkit.org/changeset/128243
3644
3645 Rubber stamped by Stephanie Lewis.
3646
3647 Added missing include file needed by 96422.
3648
3649 * icu/unicode/unorm2.h: Added.
3650
36512012-09-11 Michael Saboff <msaboff@apple.com>
3652
3653 Build fixed for http://trac.webkit.org/changeset/128243
3654
3655 Rubber stamped by Stephanie Lewis.
3656
3657 Added missing include file needed by 96422.
3658
3659 * icu/unicode/ptypes.h: Added.
3660
36612012-09-11 Michael Saboff <msaboff@apple.com>
3662
3663 Update ICU header files to more recent version
3664 https://bugs.webkit.org/show_bug.cgi?id=96422
3665
3666 Reviewed by Geoff Garen.
3667
3668 Updated ICU header files to 4.6.1. Modifications made as part of the merge are:
3669 platform.h - Changed ifndef / define / endif for U_HAVE_UINT8_T, U_HAVE_UINT16_T, U_HAVE_UINT32_T,
3670 U_HAVE_UINT64_T, U_IS_BIG_ENDIAN and U_ENABLE_TRACING to match the existing platform.h
3671 putil.h (line 132) - Changes defined(U_WINDOWS) to defined(WIN32) || defined(OS2) to match existing putil.h
3672 ustring.h (line 945) - Wrapped macro argument cs with { (const UChar *)cs } to match existing ustring.h
3673 utypes.h (line 545) - Changed defined(U_WINDOWS) to defined(WIN32) to match existing utypes.h
3674
3675 * icu/unicode/localpointer.h: Added.
3676 * icu/unicode/parseerr.h:
3677 * icu/unicode/platform.h:
3678 * icu/unicode/putil.h:
3679 * icu/unicode/uchar.h:
3680 * icu/unicode/ucnv.h:
3681 * icu/unicode/ucnv_err.h:
3682 * icu/unicode/ucol.h:
3683 * icu/unicode/uconfig.h:
3684 * icu/unicode/uenum.h:
3685 * icu/unicode/uiter.h:
3686 * icu/unicode/uloc.h:
3687 * icu/unicode/umachine.h:
3688 * icu/unicode/unorm.h:
3689 * icu/unicode/urename.h:
3690 * icu/unicode/uscript.h:
3691 * icu/unicode/uset.h:
3692 * icu/unicode/ustring.h:
3693 * icu/unicode/utf.h:
3694 * icu/unicode/utf16.h:
3695 * icu/unicode/utf8.h:
3696 * icu/unicode/utypes.h:
3697 * icu/unicode/uvernum.h: Added.
3698 * icu/unicode/uversion.h:
3699
37002012-09-11 Matt Lilek <mrl@apple.com>
3701
3702 OS X port should compile with newer versions of clang
3703 https://bugs.webkit.org/show_bug.cgi?id=96434
3704
3705 m_identIsVarDecl is unused - remove it.
3706
3707 Reviewed by Anders Carlsson.
3708
3709 * parser/NodeConstructors.h:
3710 (JSC::ForInNode::ForInNode):
3711 * parser/Nodes.h:
3712 (ForInNode):
3713
37142012-09-11 Filip Pizlo <fpizlo@apple.com>
3715
3716 LLInt should optimize and profile array length accesses
3717 https://bugs.webkit.org/show_bug.cgi?id=96417
3718
3719 Reviewed by Oliver Hunt.
3720
3721 This fixes the following hole in our array profiling strategy, where the array
3722 is large (more than 1000 elements):
3723
3724 for (var i = 0; i < array.length; ++i) ...
3725
3726 The peeled use of array.length (in the array prologue) will execute only once
3727 before DFG optimization kicks in from the loop's OSR point. Since it executed
3728 only once, it executed in the LLInt. And prior to this patch, the LLInt did
3729 not profile array.length accesses - so the DFG will assume, based on the lack
3730 of profiling, that the access is in fact not an access to the JSArray length
3731 property. That could then impede our ability to hoist the array structure
3732 check, and may make us pessimistic in other ways as well, since the generic
3733 GetById used for the array length access will be viewed as a side-effecting
3734 operation.
3735
3736 * bytecode/CodeBlock.cpp:
3737 (JSC::CodeBlock::printGetByIdCacheStatus):
3738 (JSC::CodeBlock::finalizeUnconditionally):
3739 * bytecode/GetByIdStatus.cpp:
3740 (JSC::GetByIdStatus::computeFromLLInt):
3741 * dfg/DFGByteCodeParser.cpp:
3742 (JSC::DFG::ByteCodeParser::parseBlock):
3743 * dfg/DFGCapabilities.h:
3744 (JSC::DFG::canCompileOpcode):
3745 * dfg/DFGFixupPhase.cpp:
3746 (JSC::DFG::FixupPhase::fixupNode):
3747 * jit/JIT.cpp:
3748 (JSC::JIT::privateCompileMainPass):
3749 (JSC::JIT::privateCompileSlowCases):
3750 * llint/LLIntSlowPaths.cpp:
3751 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3752 * llint/LowLevelInterpreter.asm:
3753 * llint/LowLevelInterpreter32_64.asm:
3754 * llint/LowLevelInterpreter64.asm:
3755
37562012-09-11 Raphael Kubo da Costa <rakuco@webkit.org>
3757
3758 [EFL] Rewrite the EFL-related Find modules
3759 https://bugs.webkit.org/show_bug.cgi?id=95237
3760
3761 Reviewed by Kenneth Rohde Christiansen.
3762
3763 * CMakeLists.txt: Stop setting the LINK_FLAGS property.
3764 * PlatformEfl.cmake: Ditto.
3765 * shell/PlatformEfl.cmake: Ditto.
3766
37672012-09-11 Raphael Kubo da Costa <rakuco@webkit.org>
3768
3769 [EFL] Unreviewed build fix after r128065.
3770
3771 * CMakeLists.txt: Link against WTF for FastMalloc symbols, which
3772 are needed when building with SYSTEM_MALLOC off.
3773
37742012-09-10 Mark Hahnenberg <mhahnenberg@apple.com>
3775
3776 Remove m_classInfo from JSCell
3777 https://bugs.webkit.org/show_bug.cgi?id=96311
3778
3779 Reviewed by Oliver Hunt.
3780
3781 Now that no one is using the ClassInfo in JSCell, we can remove it for the greater good. This is a 1.5% win on v8v7 and
3782 a 1.7% win on kraken, and is an overall performance progression.
3783
3784 * dfg/DFGSpeculativeJIT.h:
3785 (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject): Had to rearrange the order of when we take things off the free list
3786 and when we store the Structure in the object because we would clobber the free list otherwise. This made it not okay for
3787 the structure argument and the scratch register to alias one another. Also removed the store of the ClassInfo pointer in the
3788 object. Yay!
3789 (SpeculativeJIT):
3790 * dfg/DFGSpeculativeJIT32_64.cpp: Since it's no longer okay for for the scratch register and structure register to alias
3791 one another as stated above, had to add an extra temporary for passing the Structure.
3792 (JSC::DFG::SpeculativeJIT::compile):
3793 * dfg/DFGSpeculativeJIT64.cpp: Ditto.
3794 (JSC::DFG::SpeculativeJIT::compile):
3795 * jit/JITInlineMethods.h:
3796 (JSC::JIT::emitAllocateBasicJSObject): Similar changes to DFG's inline allocation except that it removed the object from
3797 the free list first, so no changes were necessary there.
3798 * llint/LowLevelInterpreter.asm: Change the constants for amount of inline storage to match PropertyOffset.h and remove
3799 the store of the ClassInfo pointer during inline allocation.
3800 * llint/LowLevelInterpreter32_64.asm:
3801 * llint/LowLevelInterpreter64.asm:
3802 * runtime/JSCell.h: Remove the m_classInfo field and associated methods.
3803 (JSCell):
3804 * runtime/JSObject.h:
3805 (JSObject):
3806 * runtime/PropertyOffset.h: Expand the number of inline storage properties to take up the extra space that we're freeing
3807 with the removal of the ClassInfo pointer.
3808 (JSC):
3809 * runtime/Structure.h:
3810 (JSC):
3811 (JSC::JSCell::JSCell):
3812 (JSC::JSCell::finishCreation):
3813
38142012-09-10 Geoffrey Garen <ggaren@apple.com>
3815
3816 Added large allocation support to MarkedSpace
3817 https://bugs.webkit.org/show_bug.cgi?id=96214
3818
3819 Originally reviewed by Oliver Hunt, then I added a design revision by
3820 suggested by Phil Pizlo.
3821
3822 I expanded the imprecise size classes to cover up to 32KB, then added
3823 an mmap-based allocator for everything bigger. There's a lot of tuning
3824 we could do in these size classes, but currently they're almost
3825 completely unused, so I haven't done any tuning.
3826
3827 Subtle point: the large allocator is a degenerate case of our free list
3828 logic. Its list only ever contains zero or one items.
3829
3830 * heap/Heap.h:
3831 (JSC::Heap::allocateStructure): Pipe in size information.
3832
3833 * heap/MarkedAllocator.cpp:
3834 (JSC::MarkedAllocator::tryAllocateHelper): Handle the case where we
3835 find a free item in the sweep list but the item isn't big enough. This
3836 can happen in the large allocator because it mixes sizes.
3837
3838 (JSC::MarkedAllocator::tryAllocate):
3839 (JSC::MarkedAllocator::allocateSlowCase): More piping.
3840
3841 (JSC::MarkedAllocator::allocateBlock): Handle the oversize case.
3842
3843 (JSC::MarkedAllocator::addBlock): I moved the call to didAddBlock here
3844 because it made more sense.
3845
3846 * heap/MarkedAllocator.h:
3847 (MarkedAllocator):
3848 (JSC::MarkedAllocator::allocate):
3849 * heap/MarkedSpace.cpp:
3850 (JSC::MarkedSpace::MarkedSpace):
3851 (JSC::MarkedSpace::resetAllocators):
3852 (JSC::MarkedSpace::canonicalizeCellLivenessData):
3853 (JSC::MarkedSpace::isPagedOut):
3854 (JSC::MarkedSpace::freeBlock):
3855 * heap/MarkedSpace.h:
3856 (MarkedSpace):
3857 (JSC::MarkedSpace::allocatorFor):
3858 (JSC::MarkedSpace::destructorAllocatorFor):
3859 (JSC::MarkedSpace::allocateWithoutDestructor):
3860 (JSC::MarkedSpace::allocateWithDestructor):
3861 (JSC::MarkedSpace::allocateStructure):
3862 (JSC::MarkedSpace::forEachBlock):
3863 * runtime/Structure.h:
3864 (JSC::Structure): More piping.
3865
38662012-09-10 Geoffrey Garen <ggaren@apple.com>
3867
3868 Try to fix the Windows (32-bit) build.
3869
3870 * jit/JITOpcodes.cpp:
3871 (JSC::JIT::emit_op_tear_off_arguments):
3872 * jit/JITOpcodes32_64.cpp:
3873 (JSC::JIT::emit_op_tear_off_arguments): Get operands 1 and 2, not 1 and 1. :(
3874
3875 Also took this opportunity to rename to indicate that these values are
3876 not destinations anymore.
3877
38782012-09-10 Geoffrey Garen <ggaren@apple.com>
3879
3880 DFG misses arguments tear-off for function.arguments if 'arguments' is used
3881 https://bugs.webkit.org/show_bug.cgi?id=96227
3882
3883 Reviewed by Gavin Barraclough.
3884
3885 We've decided not to allow function.arguments to alias the local
3886 'arguments' object, or a local var or function named 'arguments'.
3887 Aliasing complicates the implementation (cf, this bug) and can produce
3888 surprising behavior for web programmers.
3889
3890 Eliminating the aliasing has the side-effect of fixing this bug.
3891
3892 The compatibilty story: function.arguments is deprecated, was never
3893 specified, and throws an exception in strict mode, so we expect it to
3894 disappear over time. Firefox does not alias to 'arguments'; Chrome
3895 does, but not if you use eval or with; IE does; Safari did.
3896
3897 * dfg/DFGByteCodeParser.cpp: Noticed a little cleanup while verifying
3898 this code. Use the CodeBlock method for better encapsulation.
3899
3900 * interpreter/Interpreter.cpp:
3901 (JSC::Interpreter::retrieveArgumentsFromVMCode): Behavior change: don't
3902 alias.
3903
3904 * tests/mozilla/js1_4/Functions/function-001.js:
3905 (TestFunction_4): Updated test expectations for changed behavior.
3906
39072012-09-10 Filip Pizlo <fpizlo@apple.com>
3908
3909 offlineasm has some impossible to implement, and unused, instructions
3910 https://bugs.webkit.org/show_bug.cgi?id=96310
3911
3912 Reviewed by Mark Hahnenberg.
3913
3914 * offlineasm/armv7.rb:
3915 * offlineasm/instructions.rb:
3916 * offlineasm/x86.rb:
3917
39182012-09-09 Geoffrey Garen <ggaren@apple.com>
3919
3920 Refactored op_tear_off* to support activations that don't allocate space for 'arguments'
3921 https://bugs.webkit.org/show_bug.cgi?id=96231
3922
3923 Reviewed by Gavin Barraclough.
3924
3925 This is a step toward smaller activations.
3926
3927 As a side-effect, this patch eliminates a load and branch from the hot path
3928 of activation tear-off by moving it to the cold path of arguments tear-off. Our
3929 optimizing assumptions are that activations are common and that reifying the
3930 arguments object is less common.
3931
3932 * bytecode/CodeBlock.cpp:
3933 (JSC::CodeBlock::dump):
3934 * bytecode/Opcode.h:
3935 (JSC::padOpcodeName): Updated for new opcode lengths.
3936
3937 * bytecompiler/BytecodeGenerator.cpp:
3938 (JSC::BytecodeGenerator::BytecodeGenerator):
3939 (JSC::BytecodeGenerator::addConstantValue): Added support for JSValue()
3940 in the bytecode, which we use when we have 'arguments' but no activation.
3941
3942 (JSC::BytecodeGenerator::emitReturn): Always emit tear_off_arguments
3943 if we've allocated the arguments registers. This allows tear_off_activation
3944 not to worry about the arguments object anymore.
3945
3946 Also, pass the activation and arguments values directly to these opcodes
3947 instead of requiring the opcodes to infer the values through special
3948 registers. This gives us more flexibility to move or eliminate registers.
3949
3950 * dfg/DFGArgumentsSimplificationPhase.cpp:
3951 (JSC::DFG::ArgumentsSimplificationPhase::run):
3952 * dfg/DFGByteCodeParser.cpp:
3953 (JSC::DFG::ByteCodeParser::parseBlock):
3954 * dfg/DFGNode.h:
3955 (Node): Updated for new opcode lengths.
3956
3957 * dfg/DFGOperations.cpp: Activation tear-off doesn't worry about the
3958 arguments object anymore. If 'arguments' is in use and reified, it's
3959 responsible for aliasing back to the activation object in tear_off_arguments.
3960
3961 * dfg/DFGOperations.h:
3962 * dfg/DFGSpeculativeJIT.h:
3963 (JSC::DFG::SpeculativeJIT::callOperation):
3964 (SpeculativeJIT):
3965 * dfg/DFGSpeculativeJIT32_64.cpp:
3966 (JSC::DFG::SpeculativeJIT::compile):
3967 * dfg/DFGSpeculativeJIT64.cpp:
3968 (JSC::DFG::SpeculativeJIT::compile): Don't pass the arguments object to
3969 activation tear-off; do pass the activation object to arguments tear-off.
3970
3971 * interpreter/Interpreter.cpp:
3972 (JSC::Interpreter::privateExecute): Ditto.
3973
3974 * jit/JITOpcodes.cpp:
3975 (JSC::JIT::emit_op_tear_off_activation):
3976 (JSC::JIT::emit_op_tear_off_arguments):
3977 * jit/JITOpcodes32_64.cpp:
3978 (JSC::JIT::emit_op_tear_off_activation):
3979 (JSC::JIT::emit_op_tear_off_arguments):
3980 * jit/JITStubs.cpp:
3981 (JSC::DEFINE_STUB_FUNCTION):
3982 * llint/LLIntSlowPaths.cpp:
3983 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3984 * llint/LowLevelInterpreter32_64.asm:
3985 * llint/LowLevelInterpreter64.asm: Same change in a few more execution engines.
3986
39872012-09-10 Patrick Gansterer <paroga@webkit.org>
3988
3989 [JSC] Use StringBuilder::appendNumber() instead of String::number()
3990 https://bugs.webkit.org/show_bug.cgi?id=96236
3991
3992 Reviewed by Benjamin Poulain.
3993
3994 * API/JSContextRef.cpp:
3995 (JSContextCreateBacktrace):
3996
39972012-09-06 Mark Hahnenberg <mhahnenberg@apple.com>
3998
3999 Combine MarkStack and SlotVisitor into single class
4000 https://bugs.webkit.org/show_bug.cgi?id=96043
4001
4002 Reviewed by Geoff Garen.
4003
4004 Move all of MarkStack into SlotVisitor. The remaining stuff in MarkStack.cpp actually has to do
4005 with MarkStack management/allocation. Cleaned up a few of the header files while I was at it.
4006
4007 * CMakeLists.txt:
4008 * GNUmakefile.list.am:
4009 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
4010 * JavaScriptCore.xcodeproj/project.pbxproj:
4011 * Target.pri:
4012 * bytecode/CodeBlock.cpp:
4013 * dfg/DFGCommon.h:
4014 * heap/GCThreadSharedData.cpp:
4015 * heap/GCThreadSharedData.h:
4016 (GCThreadSharedData):
4017 * heap/HeapRootVisitor.h:
4018 * heap/MarkStack.cpp:
4019 (JSC):
4020 * heap/MarkStack.h:
4021 (JSC):
4022 (MarkStackSegment):
4023 (JSC::MarkStackSegment::data):
4024 (JSC::MarkStackSegment::capacityFromSize):
4025 (JSC::MarkStackSegment::sizeFromCapacity):
4026 (MarkStackSegmentAllocator):
4027 (MarkStackArray):
4028 * heap/MarkStackInlineMethods.h:
4029 (JSC::MarkStackArray::postIncTop):
4030 (JSC):
4031 (JSC::MarkStackArray::preDecTop):
4032 (JSC::MarkStackArray::setTopForFullSegment):
4033 (JSC::MarkStackArray::setTopForEmptySegment):
4034 (JSC::MarkStackArray::top):
4035 (JSC::MarkStackArray::validatePrevious):
4036 (JSC::MarkStackArray::append):
4037 (JSC::MarkStackArray::canRemoveLast):
4038 (JSC::MarkStackArray::removeLast):
4039 (JSC::MarkStackArray::isEmpty):
4040 (JSC::MarkStackArray::size):
4041 * heap/SlotVisitor.cpp: Added.
4042 (JSC):
4043 (JSC::SlotVisitor::SlotVisitor):
4044 (JSC::SlotVisitor::~SlotVisitor):
4045 (JSC::SlotVisitor::setup):
4046 (JSC::SlotVisitor::reset):
4047 (JSC::SlotVisitor::append):
4048 (JSC::visitChildren):
4049 (JSC::SlotVisitor::donateKnownParallel):
4050 (JSC::SlotVisitor::drain):
4051 (JSC::SlotVisitor::drainFromShared):
4052 (JSC::SlotVisitor::mergeOpaqueRoots):
4053 (JSC::SlotVisitor::startCopying):
4054 (JSC::SlotVisitor::allocateNewSpaceSlow):
4055 (JSC::SlotVisitor::allocateNewSpaceOrPin):
4056 (JSC::JSString::tryHashConstLock):
4057 (JSC::JSString::releaseHashConstLock):
4058 (JSC::JSString::shouldTryHashConst):
4059 (JSC::SlotVisitor::internalAppend):
4060 (JSC::SlotVisitor::copyAndAppend):
4061 (JSC::SlotVisitor::doneCopying):
4062 (JSC::SlotVisitor::harvestWeakReferences):
4063 (JSC::SlotVisitor::finalizeUnconditionalFinalizers):
4064 (JSC::SlotVisitor::validate):
4065 * heap/SlotVisitor.h:
4066 (JSC):
4067 (SlotVisitor):
4068 (JSC::SlotVisitor::sharedData):
4069 (JSC::SlotVisitor::isEmpty):
4070 (JSC::SlotVisitor::visitCount):
4071 (JSC::SlotVisitor::resetChildCount):
4072 (JSC::SlotVisitor::childCount):
4073 (JSC::SlotVisitor::incrementChildCount):
4074 (ParallelModeEnabler):
4075 (JSC::ParallelModeEnabler::ParallelModeEnabler):
4076 (JSC::ParallelModeEnabler::~ParallelModeEnabler):
4077 * heap/SlotVisitorInlineMethods.h:
4078 (JSC::SlotVisitor::append):
4079 (JSC):
4080 (JSC::SlotVisitor::appendUnbarrieredPointer):
4081 (JSC::SlotVisitor::appendUnbarrieredValue):
4082 (JSC::SlotVisitor::internalAppend):
4083 (JSC::SlotVisitor::addWeakReferenceHarvester):
4084 (JSC::SlotVisitor::addUnconditionalFinalizer):
4085 (JSC::SlotVisitor::addOpaqueRoot):
4086 (JSC::SlotVisitor::containsOpaqueRoot):
4087 (JSC::SlotVisitor::opaqueRootCount):
4088 (JSC::SlotVisitor::mergeOpaqueRootsIfNecessary):
4089 (JSC::SlotVisitor::mergeOpaqueRootsIfProfitable):
4090 (JSC::SlotVisitor::donate):
4091 (JSC::SlotVisitor::donateAndDrain):
4092 * jit/JITWriteBarrier.h:
4093 (JSC::SlotVisitor::append):
4094 * jit/JumpReplacementWatchpoint.cpp:
4095 * runtime/JSCell.h:
4096 * runtime/Structure.h:
4097 (JSC::SlotVisitor::internalAppend):
4098 * runtime/WriteBarrier.h:
4099 (JSC):
4100 (JSC::SlotVisitor::append):
4101 (JSC::SlotVisitor::appendValues):
4102 * yarr/YarrJIT.cpp:
4103
41042012-09-10 Hojong Han <hojong.han@samsung.com>
4105
4106 [EFL] JIT memory usage is not retrieved
4107 https://bugs.webkit.org/show_bug.cgi?id=96095
4108
4109 Reviewed by Geoffrey Garen.
4110
4111 Fill JITBytes for EFL port.
4112
4113 * runtime/MemoryStatistics.cpp:
4114 (JSC::globalMemoryStatistics):
4115
41162012-09-10 Thiago Marcos P. Santos <thiago.santos@intel.com>
4117
4118 [CMake][EFL] Enable the LLInt
4119 https://bugs.webkit.org/show_bug.cgi?id=92682
4120
4121 Reviewed by Csaba Osztrogonác.
4122
4123 Generate the headers needed by LLint when LLint is enabled.
4124
4125 * CMakeLists.txt:
4126
41272012-09-10 Carlos Garcia Campos <cgarcia@igalia.com>
4128
4129 Unreviewed. Fix make distcheck.
4130
4131 * GNUmakefile.list.am: Add missing files.
4132
41332012-09-09 Mark Lam <mark.lam@apple.com>
4134
4135 Fixed a few llint C++ interpreter bugs.
4136 https://bugs.webkit.org/show_bug.cgi?id=96127.
4137
4138 Reviewed by Geoffrey Garen.
4139
4140 * llint/LLIntCLoop.h:
4141 CLoop::execute()'s bootstrapOpcodeId does not need a default
4142 value. There is no case when this function is called without
4143 that parameter being specified.
4144 * llint/LowLevelInterpreter.asm:
4145 Moved the dispatchAfterCall() call to where it is needed.
4146 For the C_LOOP back-end, it generates unreachable code.
4147 * llint/LowLevelInterpreter.cpp:
4148 #include <wtf/Assertions.h> because LLIntAssembly.h needs it.
4149 (JSC):
4150 Fixed bug in SIGN_BIT32() macro.
4151 Placate a MSVC warning for t0, and t1 being uninitialized.
4152 (JSC::CLoop::execute):
4153 The bootstrapOpcodeId arg should always be specified.
4154 MSVC doesn't like UNUSED_PARAM() for labels. Switch to using
4155 the new UNUSED_LABEL() macro.
4156 * offlineasm/cloop.rb:
4157 * offlineasm/generate_offset_extractor.rb:
4158 Resolved a compiler warning found via MSVC.
4159
41602012-09-09 Patrick Gansterer <paroga@webkit.org>
4161
4162 Add StringBuilder::appendNumber() and use it
4163 https://bugs.webkit.org/show_bug.cgi?id=96030
4164
4165 Reviewed by Eric Seidel.
4166
4167 Also fix a bunch of append() vs. appendLiteral() issues in the surrounding code.
4168
4169 * API/JSContextRef.cpp:
4170 (JSContextCreateBacktrace):
4171 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
4172 * interpreter/Interpreter.h:
4173 (JSC::StackFrame::toString):
4174
41752012-09-09 Patrick Gansterer <paroga@webkit.org>
4176
4177 Make the String initialization on the function side of String::number()
4178 https://bugs.webkit.org/show_bug.cgi?id=95940
4179
4180 Reviewed by Benjamin Poulain.
4181
4182 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
4183
41842012-09-09 Geoffrey Garen <ggaren@apple.com>
4185
4186 Rolled out <http://trac.webkit.org/changeset/127939> because it broke
4187 fast/js/named-function-expression.html.
4188
4189 Refactored bytecode generator initialization to support moving captured vars around
4190 https://bugs.webkit.org/show_bug.cgi?id=96159
4191
4192 Reviewed by Gavin Barraclough.
4193
41942012-09-08 Csaba Osztrogonác <ossy@webkit.org>
4195
4196 LLInt buildfix for case sensitive filesystems
4197 https://bugs.webkit.org/show_bug.cgi?id=96099
4198
4199 Reviewed by Michael Saboff.
4200
4201 * llint/LowLevelInterpreter.cpp: Fix filenames.
4202
42032012-09-07 Benjamin Poulain <bpoulain@apple.com>
4204
4205 Rename the ustring() accessor to string()
4206 https://bugs.webkit.org/show_bug.cgi?id=95919
4207
4208 Reviewed by Geoffrey Garen.
4209
4210 Rename ustring() to string() to make the accessor name more logical after
4211 r127191.
4212
4213 * API/JSBase.cpp:
4214 (JSEvaluateScript):
4215 (JSCheckScriptSyntax):
4216 * API/JSObjectRef.cpp:
4217 (JSObjectMakeFunctionWithCallback):
4218 (JSObjectMakeFunction):
4219 (JSObjectCopyPropertyNames):
4220 * API/JSProfilerPrivate.cpp:
4221 (JSStartProfiling):
4222 (JSEndProfiling):
4223 * API/JSValueRef.cpp:
4224 (JSValueMakeString):
4225 (JSValueMakeFromJSONString):
4226 * API/OpaqueJSString.cpp:
4227 (OpaqueJSString::string):
4228 * API/OpaqueJSString.h:
4229 (OpaqueJSString):
4230 * bytecode/CodeBlock.cpp:
4231 (JSC::idName):
4232 (JSC::CodeBlock::dump):
4233 * bytecompiler/BytecodeGenerator.cpp:
4234 (JSC::BytecodeGenerator::emitLoad):
4235 (JSC::BytecodeGenerator::addStringConstant):
4236 * bytecompiler/NodesCodegen.cpp:
4237 (JSC::RegExpNode::emitBytecode):
4238 (JSC::processClauseList):
4239 * dfg/DFGGraph.cpp:
4240 (JSC::DFG::Graph::dump):
4241 * interpreter/Interpreter.cpp:
4242 (JSC::Interpreter::privateExecute):
4243 * jit/JITStubs.cpp:
4244 (JSC::DEFINE_STUB_FUNCTION):
4245 * jsc.cpp:
4246 (GlobalObject::addFunction):
4247 (GlobalObject::addConstructableFunction):
4248 * llint/LLIntSlowPaths.cpp:
4249 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
4250 * parser/ASTBuilder.h:
4251 (JSC::ASTBuilder::createRegExp):
4252 * parser/Parser.cpp:
4253 (JSC::::parsePrimaryExpression):
4254 * parser/Parser.h:
4255 (JSC::Scope::declareVariable):
4256 (JSC::Scope::declareParameter):
4257 (JSC::Scope::useVariable):
4258 * parser/SyntaxChecker.h:
4259 (JSC::SyntaxChecker::createRegExp):
4260 * runtime/ExceptionHelpers.cpp:
4261 (JSC::createUndefinedVariableError):
4262 * runtime/Executable.cpp:
4263 (JSC::FunctionExecutable::paramString):
4264 * runtime/Executable.h:
4265 (JSC::FunctionExecutable::finishCreation):
4266 * runtime/FunctionPrototype.cpp:
4267 (JSC::FunctionPrototype::addFunctionProperties):
4268 * runtime/Identifier.h:
4269 (JSC::Identifier::string):
4270 * runtime/JSFunction.cpp:
4271 (JSC::JSFunction::calculatedDisplayName):
4272 * runtime/JSGlobalObject.cpp:
4273 (JSC::JSGlobalObject::reset):
4274 * runtime/JSONObject.cpp:
4275 (JSC::PropertyNameForFunctionCall::value):
4276 (JSC::Stringifier::Holder::appendNextProperty):
4277 (JSC::Walker::walk):
4278 * runtime/JSPropertyNameIterator.h:
4279 (JSC::JSPropertyNameIterator::finishCreation):
4280 * runtime/JSScope.cpp:
4281 (JSC::JSScope::resolveBase):
4282 * runtime/JSString.h:
4283 (JSC::inlineJSValueNotStringtoString):
4284 * runtime/LiteralParser.cpp:
4285 (JSC::::parse):
4286 * runtime/ObjectConstructor.cpp:
4287 (JSC::ObjectConstructor::finishCreation):
4288 (JSC::objectConstructorGetOwnPropertyNames):
4289 (JSC::objectConstructorKeys):
4290 * runtime/RegExpConstructor.cpp:
4291 (JSC::RegExpConstructor::finishCreation):
4292
42932012-09-07 Gavin Barraclough <barraclough@apple.com>
4294
4295 CALLFRAME_OFFSET and EXCEPTION_OFFSET are same in ctiTrampoline on ARM Thumb2
4296 https://bugs.webkit.org/show_bug.cgi?id=82013
4297
4298 Reviewed by Geoff Garen.
4299
4300 Neither of these values need to be stored. At all.
4301
4302 * jit/JITStubs.cpp:
4303 (JSC):
4304 (JSC::ctiTrampoline):
4305 (JSC::JITThunks::JITThunks):
4306 - Nothing to see here. Move along.
4307
43082012-09-07 Sheriff Bot <webkit.review.bot@gmail.com>
4309
4310 Unreviewed, rolling out r127938.
4311 http://trac.webkit.org/changeset/127938
4312 https://bugs.webkit.org/show_bug.cgi?id=96166
4313
4314 It broke the build (Requested by smfr on #webkit).
4315
4316 * llint/LowLevelInterpreter.cpp:
4317 (JSC):
4318 (JSC::CLoop::execute):
4319 * offlineasm/cloop.rb:
4320
43212012-09-07 Geoffrey Garen <ggaren@apple.com>
4322
4323 Refactored bytecode generator initialization to support moving captured vars around
4324 https://bugs.webkit.org/show_bug.cgi?id=96159
4325
4326 Reviewed by Gavin Barraclough.
4327
4328 This patch separates the stages of allocating registers, declaring identifiers
4329 in the symbol table, and initializing registers, so you can change
4330 allocation decisions without breaking the world.
4331
4332 * bytecompiler/BytecodeGenerator.cpp:
4333 (JSC::BytecodeGenerator::BytecodeGenerator): Call a set of helper functions
4334 instead of inlining all the code, to help clarity.
4335
4336 (JSC::BytecodeGenerator::allocateCapturedVars):
4337 (JSC::BytecodeGenerator::allocateUncapturedVars):
4338 (JSC::BytecodeGenerator::allocateActivationVar):
4339 (JSC::BytecodeGenerator::allocateArgumentsVars):
4340 (JSC::BytecodeGenerator::allocateCalleeVarUndeclared):
4341 (JSC::BytecodeGenerator::declareParameters):
4342 (JSC::BytecodeGenerator::declareCallee):
4343 (JSC::BytecodeGenerator::initCalleeVar):
4344 (JSC::BytecodeGenerator::initArgumentsVars):
4345 (JSC::BytecodeGenerator::initActivationVar):
4346 (JSC::BytecodeGenerator::initThisParameter):
4347 (JSC::BytecodeGenerator::initFunctionDeclarations):
4348 (JSC::BytecodeGenerator::declareParameter):
4349 (JSC::BytecodeGenerator::createLazyRegisterIfNecessary):
4350 (JSC::BytecodeGenerator::createActivationIfNecessary): Factored these
4351 helper functions out from pre-existing code.
4352
4353 * bytecompiler/BytecodeGenerator.h:
4354 (BytecodeGenerator):
4355 * parser/ASTBuilder.h:
4356 (JSC::ASTBuilder::createFuncDeclStatement):
4357 (JSC::ASTBuilder::addVar):
4358 * parser/Nodes.h:
4359 (JSC::DeclarationStacks::VarDeclaration::VarDeclaration):
4360 (VarDeclaration):
4361 (JSC::DeclarationStacks::FunctionDeclaration::FunctionDeclaration):
4362 (FunctionDeclaration): Declaration stacks get a little more data now,
4363 to support allocating registers before putting things in the symbol
4364 table. I'm convinced that we should eventually just expand the symbol
4365 table to understand these things.
4366
43672012-09-07 Mark Lam <mark.lam@apple.com>
4368
4369 Fix a llint C++ interpreter bugs.
4370 https://bugs.webkit.org/show_bug.cgi?id=96127.
4371
4372 Reviewed by Filip Pizlo.
4373
4374 * llint/LowLevelInterpreter.cpp:
4375 (JSC):
4376 (JSC::CLoop::execute):
4377 * offlineasm/cloop.rb:
4378
43792012-09-07 Gavin Barraclough <barraclough@apple.com>
4380
4381 Object.prototype.__define{G,S}etter__ with non-callable second parameter should throw TypeError instead of SyntaxError
4382 https://bugs.webkit.org/show_bug.cgi?id=93873
4383
4384 Reviewed by Sam Weinig.
4385
4386 * runtime/ObjectPrototype.cpp:
4387 (JSC::objectProtoFuncDefineGetter):
4388 - throw TypeError instead of SyntaxError
4389 (JSC::objectProtoFuncDefineSetter):
4390 - throw TypeError instead of SyntaxError
4391
43922012-09-06 Mark Hahnenberg <mhahnenberg@apple.com>
4393
4394 JSC should have a zombie mode
4395 https://bugs.webkit.org/show_bug.cgi?id=96047
4396
4397 Reviewed by Geoffrey Garen.
4398
4399 To aid clients of JSC while they are debugging memory issues, we should add a zombie
4400 mode that scribbles into objects in the MarkedSpace after they are found to be dead
4401 to prevent a sort of "use after free" situation. As a first cut we should support a
4402 mode that just scribbles on objects prior to their being reused (i.e. while they are
4403 "zombies") and a mode in which, in addition to scribbling on zombies, once an object
4404 has been marked its mark bit will never be cleared, thus giving us "immortal" zombies.
4405
4406 These two modes will be enabled through the use of environment variables. For now these
4407 will be "JSZombieEnabled" and "JSImmortalZombieEnabled". Setting them to any value will
4408 result in the use of the appropriate mode.
4409
4410 * heap/Heap.cpp:
4411 (JSC::Heap::collect): Zombifies dead objects at the end of collection if zombie mode is enabled.
4412 (ZombifyCellFunctor):
4413 (JSC::ZombifyCellFunctor::ZombifyCellFunctor): Sets marked bits for dead objects if in immortal mode and writes 0xbbadbeef into them.
4414 (JSC::ZombifyCellFunctor::operator()):
4415 (JSC):
4416 (ZombifyBlockFunctor):
4417 (JSC::ZombifyBlockFunctor::operator()):
4418 (JSC::Heap::zombifyDeadObjects): Eagerly sweeps so that we don't write garbage into an object before it
4419 is finalized/destroyed.
4420 * heap/Heap.h:
4421 (Heap):
4422 * heap/MarkedBlock.h:
4423 (MarkedBlock):
4424 (JSC::MarkedBlock::forEachDeadCell): Used to iterate over dead cells at the end of collection if zombie mode is enabled.
4425 (JSC):
4426 * runtime/Options.cpp:
4427 (JSC::Options::initialize):
4428 * runtime/Options.h:
4429 (JSC):
4430
44312012-09-05 Geoffrey Garen <ggaren@apple.com>
4432
4433 Rolled back in <http://trac.webkit.org/changeset/127698> with a fix for
4434 fast/dom/HTMLScriptElement/script-reexecution-pretty-diff.html, which
4435 is to make sure that function declarations don't put their names in scope.
4436
4437 Reviewed by Gavin Barraclough.
4438
4439 Named functions should not allocate scope objects for their names
4440 https://bugs.webkit.org/show_bug.cgi?id=95659
4441
4442 Reviewed by Oliver Hunt.
4443
44442012-09-06 Michael Saboff <msaboff@apple.com>
4445
4446 16 bit JSRopeString up converts an 8 bit fibers to 16 bits during resolution
4447 https://bugs.webkit.org/show_bug.cgi?id=95810
4448
4449 Reviewed by Benjamin Poulain.
4450
4451 Added 8 bit path that copies the contents of an 8 bit fiber to the 16 bit buffer
4452 when resolving a 16 bit rope.
4453
4454 * runtime/JSString.cpp:
4455 (JSC::JSRopeString::resolveRopeSlowCase):
4456
44572012-09-06 Gavin Barraclough <barraclough@apple.com>
4458
4459 JS test suite puts incorrect limitations on Function.toString()
4460 https://bugs.webkit.org/show_bug.cgi?id=3975
4461
4462 Reviewed by Geoff Garen.
4463
4464 The result of function toString is implementation defined;
4465 these test cases were looking for specific whitespace formatting
4466 that matches mozilla's, and for redundant braces to be inserted
4467 around if/else blocks. Stop that.
4468
4469 * tests/mozilla/expected.html:
4470 * tests/mozilla/js1_2/function/tostring-1.js:
4471 (simplify):
4472 - reduce whitespace differences
4473 * tests/mozilla/js1_2/function/tostring-2.js:
4474 (simplify):
4475 - reduce whitespace differences
4476 (TestOr):
4477 (TestAnd):
4478 - added braces to match expected output
4479
44802012-09-06 Yuqiang Xian <yuqiang.xian@intel.com>
4481
4482 Performance regressions on 32-bit platforms with revisions 125637 and 126387
4483 https://bugs.webkit.org/show_bug.cgi?id=95953
4484
4485 Reviewed by Filip Pizlo.
4486
4487 * jit/JITPropertyAccess32_64.cpp:
4488 (JSC::JIT::emit_op_get_by_val): Fix the typo.
4489
44902012-09-05 Geoffrey Garen <ggaren@apple.com>
4491
4492 Rolled out <http://trac.webkit.org/changeset/127698> because it broke
4493 fast/dom/HTMLScriptElement/script-reexecution-pretty-diff.html
4494
4495 Named functions should not allocate scope objects for their names
4496 https://bugs.webkit.org/show_bug.cgi?id=95659
4497
4498 Reviewed by Oliver Hunt.
4499
45002012-09-06 Mark Lam <mark.lam@apple.com>
4501
4502 Renamed useYarrJIT() option to useRegExpJIT(). Also fixed regression in
4503 which inadvertantly allows the ASM llint to use the baseline JIT when
4504 useRegExpJIT() is true.
4505 https://bugs.webkit.org/show_bug.cgi?id=95918.
4506
4507 Reviewed by Geoffrey Garen.
4508
4509 * runtime/JSGlobalData.cpp:
4510 (JSC::enableAssembler):
4511 (JSC::JSGlobalData::JSGlobalData):
4512 * runtime/JSGlobalData.h:
4513 (JSC::JSGlobalData::canUseJIT):
4514 (JSC::JSGlobalData::canUseRegExpJIT):
4515 (JSGlobalData):
4516 * runtime/Options.cpp:
4517 (JSC::Options::initialize):
4518 * runtime/Options.h:
4519 (JSC):
4520
45212012-09-06 Patrick Gansterer <paroga@webkit.org>
4522
4523 Build fix for Interpreter after r127698.
4524
4525 * interpreter/Interpreter.cpp:
4526 (JSC::Interpreter::privateExecute):
4527
45282012-09-05 Geoffrey Garen <ggaren@apple.com>
4529
4530 Named functions should not allocate scope objects for their names
4531 https://bugs.webkit.org/show_bug.cgi?id=95659
4532
4533 Reviewed by Oliver Hunt.
4534
4535 In most cases, we can merge a function expression's name into its symbol
4536 table. This reduces memory footprint per closure from three objects
4537 (function + activation + name scope) to two (function + activation),
4538 speeds up closure allocation, and speeds up recursive calls.
4539
4540 In the case of a named function expression that contains a non-strict
4541 eval, the rules are so bat-poop crazy that I don't know how to model
4542 them without an extra object. Since functions now default to not having
4543 such an object, this case needs to allocate the object on function
4544 entry.
4545
4546 Therefore, this patch makes the slow case a bit slower so the fast case
4547 can be faster and more memory-efficient. (Note that the slow case already
4548 allocates an activation on entry, and until recently also allocated a
4549 scope chain node on entry, so adding one allocation on entry shouldn't
4550 break the bank.)
4551
4552 * bytecode/CodeBlock.cpp:
4553 (JSC::CodeBlock::CodeBlock): Caught a missed initializer. No behavior change.
4554
4555 * bytecompiler/BytecodeGenerator.cpp:
4556 (JSC::BytecodeGenerator::BytecodeGenerator): Put the callee in static scope
4557 during compilation so it doesn't need to be in dynamic scope at runtime.
4558
4559 (JSC::BytecodeGenerator::resolveCallee):
4560 (JSC::BytecodeGenerator::addCallee): Helper functions for either statically
4561 resolving the callee or adding a dynamic scope that will resolve to it,
4562 depending on whether you're in the fast path.
4563
4564 We move the callee into a var location if it's captured because activations
4565 prefer to have contiguous ranges of captured variables.
4566
4567 * bytecompiler/BytecodeGenerator.h:
4568 (JSC::BytecodeGenerator::registerFor):
4569 (BytecodeGenerator):
4570
4571 * dfg/DFGOperations.cpp:
4572 * interpreter/Interpreter.cpp:
4573 (JSC::Interpreter::privateExecute):
4574 * jit/JITStubs.cpp:
4575 (JSC::DEFINE_STUB_FUNCTION):
4576 * llint/LLIntSlowPaths.cpp:
4577 (JSC::LLInt::LLINT_SLOW_PATH_DECL): This is the point of the patch: remove
4578 one allocation in the case of a named function expression.
4579
4580 * parser/Parser.cpp:
4581 (JSC::::Parser):
4582 * parser/Parser.h:
4583 (JSC::Scope::declareCallee):
4584 (Scope):
4585 (Parser):
4586 (JSC::parse):
4587 * runtime/Executable.cpp:
4588 (JSC::EvalExecutable::compileInternal):
4589 (JSC::ProgramExecutable::checkSyntax):
4590 (JSC::ProgramExecutable::compileInternal):
4591 (JSC::FunctionExecutable::produceCodeBlockFor):
4592 (JSC::FunctionExecutable::fromGlobalCode): Pipe the callee's name through
4593 the parser so we get accurate information on whether the callee was captured.
4594
4595 (JSC::FunctionExecutable::FunctionExecutable):
4596 (JSC::EvalExecutable::compileInternal):
4597 (JSC::ProgramExecutable::checkSyntax):
4598 (JSC::ProgramExecutable::compileInternal):
4599 (JSC::FunctionExecutable::produceCodeBlockFor):
4600 (JSC::FunctionExecutable::fromGlobalCode):
4601 * runtime/Executable.h:
4602 (JSC::FunctionExecutable::create):
4603 (FunctionExecutable):
4604 (JSC::FunctionExecutable::finishCreation): I had to refactor function
4605 creation to support the following function constructor quirk: the function
4606 gets a name, but its name is not in lexical scope.
4607
4608 To simplify this, FunctionExecutable now automatically extracts all the
4609 data it needs from the parsed node. The special "fromGlobalCode" path
4610 used by the function constructor creates an anonymous function, and then
4611 quirkily sets the value used by the .name property to be non-null, even
4612 though the parsed name is null.
4613
4614 * runtime/JSNameScope.h:
4615 (JSC::JSNameScope::create):
4616 (JSC::JSNameScope::JSNameScope): Added support for explicitly specifying
4617 your container scope. The compiler uses this for named function expressions.
4618
46192012-09-05 Gavin Barraclough <barraclough@apple.com>
4620
4621 a = data[a]++; sets the wrong key in data
4622 https://bugs.webkit.org/show_bug.cgi?id=91270
4623
4624 Reviewed by Oliver Hunt.
4625
4626 Postfix inc/dec is unsafely using finalDestination, can trample base/subscript prior to the result being put.
4627
4628 * bytecompiler/NodesCodegen.cpp:
4629 (JSC::PostfixNode::emitResolve):
4630 - Remove redundant parens.
4631 (JSC::PostfixNode::emitBracket):
4632 (JSC::PostfixNode::emitDot):
4633 - Refactored to use tempDestination instead of finalDestination.
4634 (JSC::PrefixNode::emitBracket):
4635 (JSC::PrefixNode::emitDot):
4636 - Should be using emitPreIncOrDec.
4637
46382012-09-05 Gavin Barraclough <barraclough@apple.com>
4639
4640 Bug, assignment within subscript of prefix/postfix increment of bracket access
4641 https://bugs.webkit.org/show_bug.cgi?id=95913
4642
4643 Reviewed by Oliver Hunt.
4644
4645 javascript:alert((function(){ var a = { x:1 }; var b = { x:1 }; a[a=b,"x"]++; return a.x; })())
4646
4647 * bytecompiler/NodesCodegen.cpp:
4648 (JSC::PostfixNode::emitBracket):
4649 (JSC::PrefixNode::emitBracket):
4650 - Should check for assigments in the subscript when loading the base.
4651 * parser/Nodes.h:
4652 (JSC::BracketAccessorNode::subscriptHasAssignments):
4653 (BracketAccessorNode):
4654 - Used by emitBracket methods.
4655
46562012-09-05 Gavin Barraclough <barraclough@apple.com>
4657
4658 Merge prefix/postfix nodes
4659 https://bugs.webkit.org/show_bug.cgi?id=95898
4660
4661 Reviewed by Geoff Garen.
4662
4663 Simplify the AST.
4664 This will also mean we have access to m_subscriptHasAssignments when generating a prefix/postfix op applied to a bracket access.
4665
4666 * bytecompiler/NodesCodegen.cpp:
4667 (JSC::PostfixNode::emitResolve):
4668 - was PostfixResolveNode::emitBytecode
4669 (JSC::PostfixNode::emitBracket):
4670 - was PostfixBracketNode::emitBytecode
4671 (JSC::PostfixNode::emitDot):
4672 - was PostfixDotNode::emitBytecode
4673 (JSC::PostfixNode::emitBytecode):
4674 - was PostfixErrorNode::emitBytecode, call resolve/bracket/dot version as appropriate.
4675 (JSC::PrefixNode::emitResolve):
4676 - was PrefixResolveNode::emitBytecode
4677 (JSC::PrefixNode::emitBracket):
4678 - was PrefixBracketNode::emitBytecode
4679 (JSC::PrefixNode::emitDot):
4680 - was PrefixDotNode::emitBytecode
4681 (JSC::PrefixNode::emitBytecode):
4682 - was PrefixErrorNode::emitBytecode, call resolve/bracket/dot version as appropriate.
4683 * parser/ASTBuilder.h:
4684 (JSC::ASTBuilder::makePrefixNode):
4685 - Just makes a PrefixNode!
4686 (JSC::ASTBuilder::makePostfixNode):
4687 - Just makes a PostfixNode!
4688 * parser/NodeConstructors.h:
4689 (JSC::PostfixNode::PostfixNode):
4690 - Added, merge of PostfixResolveNode/PostfixBracketNode/PostfixDotNode/PostfixErrorNode.
4691 (JSC::PrefixNode::PrefixNode):
4692 - Added, merge of PrefixResolveNode/PrefixBracketNode/PrefixDotNode/PrefixErrorNode.
4693 * parser/Nodes.h:
4694 (PostfixNode):
4695 - Added, merge of PostfixResolveNode/PostfixBracketNode/PostfixDotNode/PostfixErrorNode.
4696 (PrefixNode):
4697 - Added, merge of PrefixResolveNode/PrefixBracketNode/PrefixDotNode/PrefixErrorNode.
4698
46992012-09-05 Mark Hahnenberg <mhahnenberg@apple.com>
4700
4701 Remove use of JSCell::classInfoOffset() from tryCacheGetByID
4702 https://bugs.webkit.org/show_bug.cgi?id=95860
4703
4704 Reviewed by Oliver Hunt.
4705
4706 We should just do the indirection through the Structure instead.
4707
4708 * dfg/DFGRepatch.cpp:
4709 (JSC::DFG::tryCacheGetByID):
4710
47112012-09-05 Geoffrey Garen <ggaren@apple.com>
4712
4713 Throw exceptions when assigning to const in strict mode
4714 https://bugs.webkit.org/show_bug.cgi?id=95894
4715
4716 Reviewed by Oliver Hunt.
4717
4718 Currently, this never happens; but it will start happening once the
4719 callee is a local const register. In this patch, there's no change in
4720 behavior.
4721
4722 * bytecompiler/BytecodeGenerator.cpp:
4723 (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded): Helper function
4724 for doing the throwing.
4725 * bytecompiler/BytecodeGenerator.h:
4726
4727 * bytecompiler/NodesCodegen.cpp:
4728 (JSC::PostfixResolveNode::emitBytecode):
4729 (JSC::PrefixResolveNode::emitBytecode):
4730 (JSC::ReadModifyResolveNode::emitBytecode):
4731 (JSC::AssignResolveNode::emitBytecode): Call the helper function.
4732
47332012-09-05 Geoffrey Garen <ggaren@apple.com>
4734
4735 Refactored callee access in the DFG to support it in the general case
4736 https://bugs.webkit.org/show_bug.cgi?id=95887
4737
4738 Reviewed by Phil Pizlo and Gavin Barraclough.
4739
4740 To support named function expressions, the DFG needs to understand the
4741 callee register being used in arbitrary expressions, and not just
4742 create_this.
4743
4744 * dfg/DFGByteCodeParser.cpp:
4745 (JSC::DFG::ByteCodeParser::getDirect):
4746 (JSC::DFG::ByteCodeParser::getCallee): Remap access to the callee register
4747 into a GetCallee node. Otherwise, we get confused and think we have a
4748 negatively indexed argument.
4749
4750 (ByteCodeParser):
4751 (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand): Inlining also
4752 needs to remap, but to the callee in the inline frame, and not the caller's
4753 callee.
4754
4755 (JSC::DFG::ByteCodeParser::parseBlock): Since we support the callee in
4756 the general case now, there's no need to handle it in a special way for
4757 create_this.
4758
47592012-09-05 Mark Hahnenberg <mhahnenberg@apple.com>
4760
4761 Remove use of JSCell::classInfoOffset() from virtualForThunkGenerator
4762 https://bugs.webkit.org/show_bug.cgi?id=95821
4763
4764 Reviewed by Oliver Hunt.
4765
4766 We can replace the load of the ClassInfo from the object with a load from the Structure.
4767
4768 * dfg/DFGThunks.cpp:
4769 (JSC::DFG::virtualForThunkGenerator):
4770
47712012-09-05 Benjamin Poulain <bpoulain@apple.com>
4772
4773 Fix the uses of String::operator+=() for Mac
4774 https://bugs.webkit.org/show_bug.cgi?id=95818
4775
4776 Reviewed by Dan Bernstein.
4777
4778 * jsc.cpp:
4779 (functionJSCStack): Use StringBuilder to create the stack dump, it is faster
4780 and avoid String::operator+=().
4781
4782 * parser/Parser.h:
4783 (JSC::Parser::updateErrorMessageSpecialCase):
4784 (JSC::Parser::updateErrorMessage):
4785 (JSC::Parser::updateErrorWithNameAndMessage):
4786 Use the String operators (and makeString) to concatenate the strings.
4787
47882012-09-05 Gabor Rapcsanyi <rgabor@webkit.org>
4789
4790 DFG JIT doesn't work properly on ARM hardfp
4791 https://bugs.webkit.org/show_bug.cgi?id=95684
4792
4793 Reviewed by Filip Pizlo.
4794
4795 Add hardfp support to DFG JIT. The patch is created with the
4796 help of Zoltan Herczeg.
4797
4798 * dfg/DFGCCallHelpers.h:
4799 (CCallHelpers):
4800 (JSC::DFG::CCallHelpers::setupArguments):
4801 * dfg/DFGFPRInfo.h:
4802 (FPRInfo):
4803 * dfg/DFGSpeculativeJIT.h:
4804 (SpeculativeJIT):
4805 (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult):
4806 (JSC::DFG::SpeculativeJIT::appendCallSetResult):
4807
48082012-09-04 Mark Lam <mark.lam@apple.com>
4809
4810 Allow the YarrJIT to use the assembler even when useJIT() is false.
4811 Introduce the useYarrJIT() option.
4812 https://bugs.webkit.org/show_bug.cgi?id=95809.
4813
4814 Reviewed by Geoffrey Garen.
4815
4816 * runtime/JSGlobalData.cpp:
4817 (JSC::enableAssembler):
4818 * runtime/Options.cpp:
4819 (JSC::Options::initialize):
4820 * runtime/Options.h:
4821 (JSC):
4822
48232012-09-04 Gavin Barraclough <barraclough@apple.com>
4824
4825 inc/dec behave incorrectly operating on a resolved const
4826 https://bugs.webkit.org/show_bug.cgi?id=95815
4827
4828 Reviewed by Geoff Garen.
4829
4830 There are two bugs here.
4831
4832 (1) When the value being incremented is const, and the result is ignored, we assume this cannot be observed, and emit no code.
4833 However if the value being incremented is not a primitive & has a valueOf conversion, then this should be being called.
4834
4835 (2) In the case of a pre-increment of a const value where the result is not ignored, we'll move +/-1 to the destination, then
4836 add the resolved const value being incremented to this. This is problematic if the destination is a local, and the const
4837 value being incremented has a valueOf conversion that throws - the destination will be modified erroneously. Instead, we
4838 need to use a temporary location.
4839
4840 * bytecompiler/NodesCodegen.cpp:
4841 (JSC::PostfixResolveNode::emitBytecode):
4842 (JSC::PrefixResolveNode::emitBytecode):
4843 - always at least perform a toNumber conversion, use tempDestination when reducing inc/dec to an add +/-1.
4844
48452012-09-04 Filip Pizlo <fpizlo@apple.com>
4846
4847 DFG GetByVal for JSArrays shouldn't OSR exit every time that the index is out of bound
4848 https://bugs.webkit.org/show_bug.cgi?id=95717
4849
4850 Reviewed by Oliver Hunt.
4851
4852 Rolling back in after fixing the negative index case.
4853
4854 Make GetByVal for JSArrayOutOfBounds do meaningful things. The profiling was already
4855 there so we should just use it!
4856
4857 * bytecode/DFGExitProfile.h:
4858 (JSC::DFG::exitKindToString):
4859 * dfg/DFGAbstractState.cpp:
4860 (JSC::DFG::AbstractState::execute):
4861 * dfg/DFGOperations.cpp:
4862 * dfg/DFGOperations.h:
4863 * dfg/DFGSpeculativeJIT.h:
4864 (JSC::DFG::SpeculativeJIT::callOperation):
4865 * dfg/DFGSpeculativeJIT32_64.cpp:
4866 (JSC::DFG::SpeculativeJIT::compile):
4867 * dfg/DFGSpeculativeJIT64.cpp:
4868 (JSC::DFG::SpeculativeJIT::compile):
4869
48702012-09-04 Sheriff Bot <webkit.review.bot@gmail.com>
4871
4872 Unreviewed, rolling out r127503.
4873 http://trac.webkit.org/changeset/127503
4874 https://bugs.webkit.org/show_bug.cgi?id=95788
4875
4876 broke some tests (fast/js/dfg-negative-array-index, fast/js
4877 /dfg-put-by-val-setter-then-get-by-val) (Requested by thorton
4878 on #webkit).
4879
4880 * bytecode/DFGExitProfile.h:
4881 (JSC::DFG::exitKindToString):
4882 * dfg/DFGAbstractState.cpp:
4883 (JSC::DFG::AbstractState::execute):
4884 * dfg/DFGOperations.cpp:
4885 * dfg/DFGOperations.h:
4886 * dfg/DFGSpeculativeJIT.h:
4887 (JSC::DFG::SpeculativeJIT::callOperation):
4888 * dfg/DFGSpeculativeJIT32_64.cpp:
4889 (JSC::DFG::SpeculativeJIT::compile):
4890 * dfg/DFGSpeculativeJIT64.cpp:
4891 (JSC::DFG::SpeculativeJIT::compile):
4892
48932012-09-04 Benjamin Poulain <bpoulain@apple.com>
4894
4895 Improve JSC use of Strings after the UString->String change
4896 https://bugs.webkit.org/show_bug.cgi?id=95633
4897
4898 Reviewed by Geoffrey Garen.
4899
4900 This patch improve the use of strings in the JSC runtime.
4901
4902 The initialization of Identifier is left for future patches.
4903
4904 The improvements are the following:
4905 -5% faster to raise one of the modified exception.
4906 -3 times faster to execute Boolean::toString()
4907
4908 Most of the changes are just about using the new methods
4909 for string literals.
4910
4911 With the changes, the binary on x86_64 gets 176 bytes smaller.
4912
4913 * API/JSCallbackObjectFunctions.h:
4914 (JSC::::staticFunctionGetter):
4915 (JSC::::callbackGetter):
4916 * API/JSContextRef.cpp:
4917 (JSContextCreateBacktrace):
4918 * API/JSObjectRef.cpp:
4919 (JSObjectMakeFunctionWithCallback):
4920 * bytecode/CodeBlock.cpp:
4921 (JSC::valueToSourceString):
4922 (JSC::CodeBlock::nameForRegister):
4923 * interpreter/Interpreter.cpp:
4924 (JSC::Interpreter::addStackTraceIfNecessary):
4925 * runtime/ArrayConstructor.cpp:
4926 (JSC::constructArrayWithSizeQuirk):
4927 * runtime/ArrayPrototype.cpp:
4928 (JSC::shift):
4929 (JSC::unshift):
4930 (JSC::arrayProtoFuncPop):
4931 (JSC::arrayProtoFuncReverse):
4932 * runtime/BooleanPrototype.cpp:
4933 (JSC::booleanProtoFuncToString): Instead of instanciating new strings, reuse the
4934 keywords available in SmallStrings. Avoiding the creation of the JSString and StringImpl
4935 makes the method significantly faster.
4936
4937 * runtime/DateConversion.cpp:
4938 (JSC::formatDateTime):
4939 * runtime/DatePrototype.cpp:
4940 (JSC::formatLocaleDate):
4941 (JSC::formateDateInstance):
4942 (JSC::dateProtoFuncToISOString):
4943 Change the way we use snprintf() for clarity and performance.
4944
4945 Instead of allocating one extra byte to put a zero "just in case", we use the size returned
4946 by snprintf().
4947 To prevent any overflow from a programming mistake, we explicitely test for overflow and
4948 return an empty string.
4949
4950 (JSC::dateProtoFuncToJSON):
4951 * runtime/Error.cpp:
4952 (JSC::createNotEnoughArgumentsError):
4953 (JSC::throwTypeError):
4954 (JSC::throwSyntaxError):
4955 * runtime/Error.h:
4956 (JSC::StrictModeTypeErrorFunction::create):
4957 * runtime/ErrorPrototype.cpp:
4958 (JSC::ErrorPrototype::finishCreation):
4959 (JSC::errorProtoFuncToString):
4960 Using a null String is correct because (8) uses jsString(), (9) tests for a length of 0.
4961
4962 * runtime/ExceptionHelpers.cpp:
4963 (JSC::InterruptedExecutionError::defaultValue):
4964 (JSC::TerminatedExecutionError::defaultValue):
4965 (JSC::createStackOverflowError):
4966 (JSC::createOutOfMemoryError):
4967 * runtime/Executable.cpp:
4968 (JSC::EvalExecutable::compileInternal):
4969 (JSC::FunctionExecutable::paramString):
4970 * runtime/FunctionConstructor.cpp:
4971 (JSC::constructFunction):
4972 (JSC::constructFunctionSkippingEvalEnabledCheck):
4973 * runtime/FunctionPrototype.h:
4974 (JSC::FunctionPrototype::create):
4975 Using a null String for the name is correct because InternalFunction uses jsString()
4976 to create the name value.
4977
4978 * runtime/InternalFunction.cpp:
4979 (JSC::InternalFunction::finishCreation):
4980 There is no need to create an empty string for a null string, jsString() handle both
4981 cases as empty JSString.
4982
4983 * runtime/JSArray.cpp:
4984 (JSC::reject):
4985 (JSC::SparseArrayValueMap::put):
4986 (JSC::JSArray::put):
4987 (JSC::JSArray::putByIndexBeyondVectorLength):
4988 (JSC::JSArray::putDirectIndexBeyondVectorLength):
4989 (JSC::JSArray::setLength):
4990 (JSC::JSArray::pop):
4991 (JSC::JSArray::push):
4992 * runtime/JSFunction.cpp:
4993 (JSC::JSFunction::finishCreation): Same issue as InternalFunction::finishCreation.
4994
4995 (JSC::JSFunction::callerGetter):
4996 (JSC::JSFunction::defineOwnProperty):
4997 * runtime/JSGlobalData.cpp:
4998 (JSC::enableAssembler): Use CFSTR() instead of CFStringCreateWithCString().
4999 CFStringCreateWithCString() copy the content and may choose to decode the data.
5000 CFSTR() is much more efficient.
5001
5002 * runtime/JSGlobalObject.cpp:
5003 (JSC::JSGlobalObject::reset):
5004 JSFunction uses jsString() to create the name, we can use null strings instead
5005 of creating empty strings.
5006
5007 (JSC::JSGlobalObject::createThrowTypeError): ditto.
5008 * runtime/JSGlobalObjectFunctions.cpp:
5009 (JSC::encode):
5010 (JSC::decode):
5011 (JSC::globalFuncEval):
5012 * runtime/JSONObject.cpp:
5013 (JSC::Stringifier::appendStringifiedValue):
5014 (JSC::Stringifier::Holder::appendNextProperty):
5015 (JSC::JSONProtoFuncParse):
5016 (JSC::JSONProtoFuncStringify):
5017 * runtime/JSObject.cpp:
5018 (JSC::JSObject::put):
5019 (JSC::JSObject::defaultValue):
5020 (JSC::JSObject::hasInstance):
5021 (JSC::JSObject::defineOwnProperty):
5022 * runtime/JSString.cpp:
5023 Return an empty JSString to avoid the creation of a temporary empty String.
5024
5025 (JSC::JSRopeString::getIndexSlowCase):
5026 * runtime/JSString.h:
5027 (JSC): Remove the versions of jsNontrivialString() taking a char*. All the callers
5028 have been replaced by calls using ASCIILiteral.
5029
5030 * runtime/JSValue.cpp:
5031 (JSC::JSValue::putToPrimitive):
5032 * runtime/LiteralParser.cpp:
5033 (JSC::::Lexer::lex):
5034 (JSC::::Lexer::lexString):
5035 (JSC::::Lexer::lexNumber):
5036 (JSC::::parse):
5037 * runtime/LiteralParser.h:
5038 (JSC::LiteralParser::getErrorMessage):
5039 * runtime/NumberPrototype.cpp:
5040 (JSC::numberProtoFuncToExponential):
5041 (JSC::numberProtoFuncToFixed):
5042 (JSC::numberProtoFuncToPrecision):
5043 (JSC::numberProtoFuncToString):
5044 * runtime/ObjectConstructor.cpp:
5045 (JSC::objectConstructorGetPrototypeOf):
5046 (JSC::objectConstructorGetOwnPropertyDescriptor):
5047 (JSC::objectConstructorGetOwnPropertyNames):
5048 (JSC::objectConstructorKeys):
5049 (JSC::toPropertyDescriptor):
5050 (JSC::objectConstructorDefineProperty):
5051 (JSC::objectConstructorDefineProperties):
5052 (JSC::objectConstructorCreate):
5053 (JSC::objectConstructorSeal):
5054 (JSC::objectConstructorFreeze):
5055 (JSC::objectConstructorPreventExtensions):
5056 (JSC::objectConstructorIsSealed):
5057 (JSC::objectConstructorIsFrozen):
5058 (JSC::objectConstructorIsExtensible):
5059 * runtime/ObjectPrototype.cpp:
5060 (JSC::objectProtoFuncDefineGetter):
5061 (JSC::objectProtoFuncDefineSetter):
5062 (JSC::objectProtoFuncToString):
5063 * runtime/RegExpConstructor.cpp:
5064 (JSC::constructRegExp):
5065 * runtime/RegExpObject.cpp:
5066 (JSC::reject):
5067 (JSC::regExpObjectSource):
5068 * runtime/RegExpPrototype.cpp:
5069 (JSC::regExpProtoFuncCompile):
5070 * runtime/StringObject.cpp:
5071 (JSC::StringObject::defineOwnProperty):
5072 * runtime/StringPrototype.cpp:
5073 (JSC::jsSpliceSubstrings):
5074 (JSC::jsSpliceSubstringsWithSeparators):
5075
50762012-09-04 Filip Pizlo <fpizlo@apple.com>
5077
5078 DFG GetByVal for JSArrays shouldn't OSR exit every time that the index is out of bound
5079 https://bugs.webkit.org/show_bug.cgi?id=95717
5080
5081 Reviewed by Oliver Hunt.
5082
5083 Make GetByVal for JSArrayOutOfBounds do meaningful things. The profiling was already
5084 there so we should just use it!
5085
5086 * bytecode/DFGExitProfile.h:
5087 (JSC::DFG::exitKindToString):
5088 * dfg/DFGAbstractState.cpp:
5089 (JSC::DFG::AbstractState::execute):
5090 * dfg/DFGOperations.cpp:
5091 * dfg/DFGOperations.h:
5092 * dfg/DFGSpeculativeJIT.h:
5093 (JSC::DFG::SpeculativeJIT::callOperation):
5094 * dfg/DFGSpeculativeJIT32_64.cpp:
5095 (JSC::DFG::SpeculativeJIT::compile):
5096 * dfg/DFGSpeculativeJIT64.cpp:
5097 (JSC::DFG::SpeculativeJIT::compile):
5098
50992012-09-04 Zoltan Horvath <zoltan@webkit.org>
5100
5101 Extend the coverage of the Custom Allocation Framework in WTF and in JavaScriptCore
5102 https://bugs.webkit.org/show_bug.cgi?id=95737
5103
5104 Reviewed by Eric Seidel.
5105
5106 Add WTF_MAKE_FAST_ALLOCATED macro to the following class declarations because these are instantiated by operator new.
5107
5108 * wtf/CryptographicallyRandomNumber.cpp: CryptographicallyRandomNumber is instantiated at wtf/CryptographicallyRandomNumber.cpp:162.
5109
5110 * heap/MachineStackMarker.cpp:
5111 (MachineThreads::Thread): Thread is instantiated at heap/MachineStackMarker.cpp:196.
5112 * jit/ExecutableAllocatorFixedVMPool.cpp:
5113 (FixedVMPoolExecutableAllocator): FixedVMPoolExecutableAllocator is instantiated at jit/ExecutableAllocatorFixedVMPool.cpp:111
5114 * parser/SourceProviderCache.h:
5115 (SourceProviderCache): SourceProviderCache is instantiated at parser/SourceProvider.h:49.
5116 * parser/SourceProviderCacheItem.h:
5117 (SourceProviderCacheItem): SourceProviderCacheItem is instantiated at parser/Parser.cpp:843.
5118 * runtime/GCActivityCallback.h:
5119 (GCActivityCallback): GCActivityCallback is instantiated at runtime/GCActivityCallback.h:96.
5120 * tools/CodeProfile.h:
5121 (CodeProfile): CodeProfile is instantiated at JavaScriptCore/tools/CodeProfiling.cpp:140.
5122
51232012-09-04 Mark Hahnenberg <mhahnenberg@apple.com>
5124
5125 Remove uses of ClassInfo from SpeculativeJIT::compileObjectOrOtherLogicalNot
5126 https://bugs.webkit.org/show_bug.cgi?id=95510
5127
5128 Reviewed by Oliver Hunt.
5129
5130 More refactoring to get rid of ClassInfo checks in the DFG.
5131
5132 * dfg/DFGAbstractState.cpp:
5133 (JSC::DFG::AbstractState::execute):
5134 * dfg/DFGSpeculativeJIT.h:
5135 (SpeculativeJIT):
5136 * dfg/DFGSpeculativeJIT32_64.cpp:
5137 (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
5138 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
5139 * dfg/DFGSpeculativeJIT64.cpp:
5140 (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
5141 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
5142
51432012-09-03 Patrick Gansterer <paroga@webkit.org>
5144
5145 Unreviewed. Build fix for ENABLE(CLASSIC_INTERPRETER) after r127393.
5146
5147 * interpreter/Interpreter.h:
5148
51492012-09-02 Geoffrey Garen <ggaren@apple.com>
5150
5151 Fixed failures seen on Linux bots.
5152
5153 * jit/JITOpcodes.cpp:
5154 (JSC::JIT::emit_op_push_with_scope):
5155 * jit/JITOpcodes32_64.cpp:
5156 (JSC::JIT::emit_op_push_with_scope):
5157 * jit/JITStubs.cpp:
5158 (JSC::DEFINE_STUB_FUNCTION):
5159 * jit/JITStubs.h: push_*_scope doesn't have a destination operand anymore.
5160 Accordingly, update these places in the baseline JIT, which I missed in my last patch.
5161
51622012-09-02 Geoffrey Garen <ggaren@apple.com>
5163
5164 Refactored scope chain opcodes to support optimization for named function expressions
5165 https://bugs.webkit.org/show_bug.cgi?id=95658
5166
5167 Reviewed by Sam Weinig.
5168
5169 Renamed
5170 push_scope => push_with_scope
5171 push_new_scope => push_name_scope
5172 to clarify the difference between them.
5173
5174 Changed push_with_scope and push_name_scope not to save the new scope in
5175 a temporary register, since doing so made optimization harder.
5176
5177 (The old behavior was a hold-over from when the scope chain wasn't
5178 a GC object, and wouldn't be marked otherwise. Now, the scope chain is
5179 marked because it is a GC object pointed to by the call frame.)
5180
5181 Changed push_name_scope to accept an operand specifying the attributes
5182 for the named property, instead of assuming DontDelete, because a named
5183 function expression needs ReadOnly|DontDelete.
5184
5185 * bytecompiler/BytecodeGenerator.cpp:
5186 (JSC::BytecodeGenerator::highestUsedRegister): Removed this function,
5187 which used to be related to preserving saved scope object temporaries,
5188 because it had no callers.
5189
51902012-09-01 Geoffrey Garen <ggaren@apple.com>
5191
5192 Rolled back out a piece of <http://trac.webkit.org/changeset/127293>
5193 because it broke inspector tests on Windows.
5194
5195 Shrink activation objects by half
5196 https://bugs.webkit.org/show_bug.cgi?id=95591
5197
5198 Reviewed by Sam Weinig.
5199
52002012-09-01 Mark Lam <mark.lam@apple.com>
5201
5202 LLInt C loop backend.
5203 https://bugs.webkit.org/show_bug.cgi?id=91052.
5204
5205 Reviewed by Filip Pizlo.
5206
5207 * JavaScriptCore.xcodeproj/project.pbxproj:
5208 * bytecode/CodeBlock.cpp:
5209 (JSC::CodeBlock::dump):
5210 (JSC::CodeBlock::bytecodeOffset):
5211 * interpreter/Interpreter.cpp:
5212 (JSC::Interpreter::execute):
5213 (JSC::Interpreter::executeCall):
5214 (JSC::Interpreter::executeConstruct):
5215 (JSC):
5216 * interpreter/Interpreter.h:
5217 * jit/JITStubs.h:
5218 (JITStackFrame):
5219 (JSC):
5220 * llint/LLIntCLoop.cpp: Added.
5221 (JSC):
5222 (LLInt):
5223 (JSC::LLInt::CLoop::initialize):
5224 (JSC::LLInt::CLoop::catchRoutineFor):
5225 (JSC::LLInt::CLoop::hostCodeEntryFor):
5226 (JSC::LLInt::CLoop::jsCodeEntryWithArityCheckFor):
5227 (JSC::LLInt::CLoop::jsCodeEntryFor):
5228 * llint/LLIntCLoop.h: Added.
5229 (JSC):
5230 (LLInt):
5231 (CLoop):
5232 * llint/LLIntData.cpp:
5233 (JSC::LLInt::initialize):
5234 * llint/LLIntData.h:
5235 (JSC):
5236 * llint/LLIntOfflineAsmConfig.h:
5237 * llint/LLIntOpcode.h:
5238 * llint/LLIntThunks.cpp:
5239 (LLInt):
5240 * llint/LowLevelInterpreter.asm:
5241 * llint/LowLevelInterpreter.cpp:
5242 (LLInt):
5243 (JSC::LLInt::Ints2Double):
5244 (JSC):
5245 (JSC::CLoop::execute):
5246 * llint/LowLevelInterpreter.h:
5247 (JSC):
5248 * llint/LowLevelInterpreter32_64.asm:
5249 * llint/LowLevelInterpreter64.asm:
5250 * offlineasm/asm.rb:
5251 * offlineasm/backends.rb:
5252 * offlineasm/cloop.rb: Added.
5253 * offlineasm/instructions.rb:
5254 * runtime/Executable.h:
5255 (ExecutableBase):
5256 (JSC::ExecutableBase::hostCodeEntryFor):
5257 (JSC::ExecutableBase::jsCodeEntryFor):
5258 (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor):
5259 (JSC::ExecutableBase::catchRoutineFor):
5260 (NativeExecutable):
5261 * runtime/JSValue.h:
5262 (JSC):
5263 (LLInt):
5264 (JSValue):
5265 * runtime/JSValueInlineMethods.h:
5266 (JSC):
5267 (JSC::JSValue::JSValue):
5268 * runtime/Options.cpp:
5269 (JSC::Options::initialize):
5270
52712012-09-01 Geoffrey Garen <ggaren@apple.com>
5272
5273 Rolled back in a piece of <http://trac.webkit.org/changeset/127293>.
5274
5275 Shrink activation objects by half
5276 https://bugs.webkit.org/show_bug.cgi?id=95591
5277
5278 Reviewed by Sam Weinig.
5279
5280 * runtime/JSActivation.h:
5281 (JSActivation):
5282
52832012-09-01 Geoffrey Garen <ggaren@apple.com>
5284
5285 Rolled back in a piece of <http://trac.webkit.org/changeset/127293>.
5286
5287 Shrink activation objects by half
5288 https://bugs.webkit.org/show_bug.cgi?id=95591
5289
5290 Reviewed by Sam Weinig.
5291
5292 * runtime/JSActivation.cpp:
5293 (JSC::JSActivation::JSActivation):
5294 * runtime/JSGlobalObject.cpp:
5295 (JSC::JSGlobalObject::JSGlobalObject):
5296 (JSC::JSGlobalObject::setGlobalThis):
5297 (JSC):
5298 (JSC::JSGlobalObject::visitChildren):
5299 * runtime/JSGlobalObject.h:
5300 (JSGlobalObject):
5301 (JSC::JSScope::globalThis):
5302 (JSC):
5303 (JSC::JSGlobalObject::globalThis):
5304 * runtime/JSNameScope.h:
5305 (JSC::JSNameScope::JSNameScope):
5306 * runtime/JSScope.cpp:
5307 (JSC::JSScope::visitChildren):
5308 * runtime/JSScope.h:
5309 (JSScope):
5310 (JSC::JSScope::JSScope):
5311 (JSC::JSScope::globalObject):
5312 (JSC::JSScope::globalData):
5313 * runtime/JSSegmentedVariableObject.h:
5314 (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject):
5315 * runtime/JSSymbolTableObject.h:
5316 (JSC::JSSymbolTableObject::JSSymbolTableObject):
5317 * runtime/JSVariableObject.h:
5318 (JSC::JSVariableObject::JSVariableObject):
5319 * runtime/JSWithScope.h:
5320 (JSC::JSWithScope::JSWithScope):
5321 * runtime/StrictEvalActivation.cpp:
5322 (JSC::StrictEvalActivation::StrictEvalActivation):
5323
53242012-09-01 Geoffrey Garen <ggaren@apple.com>
5325
5326 Rolled back out a piece of <http://trac.webkit.org/changeset/127293>
5327 because it broke Window inspector tests.
5328
5329 Shrink activation objects by half
5330 https://bugs.webkit.org/show_bug.cgi?id=95591
5331
5332 Reviewed by Sam Weinig.
5333
5334 * runtime/JSActivation.h:
5335 (JSActivation):
5336
53372012-08-31 Filip Pizlo <fpizlo@apple.com>
5338
5339 Unreviewed, attempt to fix Windows, take two.
5340
5341 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
5342
53432012-08-31 Filip Pizlo <fpizlo@apple.com>
5344
5345 Unreviewed, attempt to fix Windows.
5346
5347 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
5348
53492012-08-31 Filip Pizlo <fpizlo@apple.com>
5350
5351 JSArray::putDirectIndex should by default behave like JSObject::putDirect
5352 https://bugs.webkit.org/show_bug.cgi?id=95630
5353
5354 Reviewed by Gavin Barraclough.
5355
5356 * interpreter/Interpreter.cpp:
5357 (JSC::Interpreter::privateExecute):
5358 * jit/JITStubs.cpp:
5359 (JSC::DEFINE_STUB_FUNCTION):
5360 * jsc.cpp:
5361 (GlobalObject::finishCreation):
5362 * llint/LLIntSlowPaths.cpp:
5363 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
5364 * runtime/JSArray.cpp:
5365 (JSC::SparseArrayValueMap::putDirect):
5366 (JSC::JSArray::defineOwnNumericProperty):
5367 (JSC::JSArray::putDirectIndexBeyondVectorLength):
5368 * runtime/JSArray.h:
5369 (SparseArrayValueMap):
5370 (JSArray):
5371 (JSC::JSArray::putDirectIndex):
5372 * runtime/JSONObject.cpp:
5373 (JSC::Walker::walk):
5374 * runtime/RegExpMatchesArray.cpp:
5375 (JSC::RegExpMatchesArray::reifyAllProperties):
5376 (JSC::RegExpMatchesArray::reifyMatchProperty):
5377 * runtime/StringPrototype.cpp:
5378 (JSC::splitStringByOneCharacterImpl):
5379 (JSC::stringProtoFuncSplit):
5380
53812012-08-31 Geoffrey Garen <ggaren@apple.com>
5382
5383 Rolled back in a piece of <http://trac.webkit.org/changeset/127293>.
5384
5385 Shrink activation objects by half
5386 https://bugs.webkit.org/show_bug.cgi?id=95591
5387
5388 Reviewed by Sam Weinig.
5389
5390 * runtime/JSGlobalData.cpp:
5391 (JSC::JSGlobalData::JSGlobalData):
5392 * runtime/JSGlobalData.h:
5393 (JSGlobalData):
5394 * runtime/JSNameScope.h:
5395 (JSC::JSNameScope::JSNameScope):
5396 * runtime/JSWithScope.h:
5397 (JSC::JSWithScope::JSWithScope):
5398 * runtime/StrictEvalActivation.cpp:
5399 (JSC::StrictEvalActivation::StrictEvalActivation):
5400
54012012-08-31 Geoffrey Garen <ggaren@apple.com>
5402
5403 Rolled back in a piece of <http://trac.webkit.org/changeset/127293>.
5404
5405 Shrink activation objects by half
5406 https://bugs.webkit.org/show_bug.cgi?id=95591
5407
5408 Reviewed by Sam Weinig.
5409
5410 * dfg/DFGAbstractState.cpp:
5411 (JSC::DFG::AbstractState::execute):
5412 * jit/JITOpcodes.cpp:
5413 (JSC::JIT::emit_op_resolve_global_dynamic):
5414 * llint/LowLevelInterpreter32_64.asm:
5415 * llint/LowLevelInterpreter64.asm:
5416 * runtime/JSActivation.cpp:
5417 (JSC::JSActivation::JSActivation):
5418 * runtime/JSGlobalData.cpp:
5419 (JSC::JSGlobalData::JSGlobalData):
5420 * runtime/JSGlobalData.h:
5421 (JSGlobalData):
5422 * runtime/JSGlobalObject.cpp:
5423 (JSC::JSGlobalObject::reset):
5424 (JSC::JSGlobalObject::visitChildren):
5425 * runtime/JSGlobalObject.h:
5426 (JSGlobalObject):
5427 (JSC::JSGlobalObject::withScopeStructure):
5428 (JSC::JSGlobalObject::strictEvalActivationStructure):
5429 (JSC::JSGlobalObject::activationStructure):
5430 (JSC::JSGlobalObject::nameScopeStructure):
5431
54322012-08-31 Mark Hahnenberg <mhahnenberg@apple.com>
5433
5434 Remove use of ClassInfo in SpeculativeJIT::emitBranch
5435 https://bugs.webkit.org/show_bug.cgi?id=95623
5436
5437 Reviewed by Filip Pizlo.
5438
5439 * dfg/DFGAbstractState.cpp:
5440 (JSC::DFG::AbstractState::execute):
5441 * dfg/DFGSpeculativeJIT.h:
5442 (SpeculativeJIT):
5443 * dfg/DFGSpeculativeJIT32_64.cpp:
5444 (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
5445 (JSC::DFG::SpeculativeJIT::emitBranch):
5446 * dfg/DFGSpeculativeJIT64.cpp:
5447 (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
5448 (JSC::DFG::SpeculativeJIT::emitBranch):
5449
54502012-08-31 Geoffrey Garen <ggaren@apple.com>
5451
5452 Rolled back in a piece of <http://trac.webkit.org/changeset/127293>.
5453
5454 Shrink activation objects by half
5455 https://bugs.webkit.org/show_bug.cgi?id=95591
5456
5457 Reviewed by Sam Weinig.
5458
5459 * heap/MarkedBlock.cpp:
5460 (JSC::MarkedBlock::MarkedBlock):
5461 * heap/MarkedBlock.h:
5462 (MarkedBlock):
5463 (JSC::MarkedBlock::globalData):
5464 (JSC):
5465 * heap/WeakSet.cpp:
5466 (JSC::WeakSet::addAllocator):
5467 * heap/WeakSet.h:
5468 (WeakSet):
5469 (JSC::WeakSet::WeakSet):
5470 (JSC::WeakSet::globalData):
5471 * runtime/JSGlobalData.h:
5472 (JSC::WeakSet::heap):
5473 (JSC):
5474
54752012-08-31 Mark Lam <mark.lam@apple.com>
5476
5477 Refactor LLInt and supporting code in preparation for the C Loop backend.
5478 https://bugs.webkit.org/show_bug.cgi?id=95531.
5479
5480 Reviewed by Filip Pizlo.
5481
5482 * bytecode/GetByIdStatus.cpp:
5483 (JSC::GetByIdStatus::computeFromLLInt):
5484 * bytecode/PutByIdStatus.cpp:
5485 (JSC::PutByIdStatus::computeFromLLInt):
5486 * jit/JITExceptions.cpp:
5487 (JSC::genericThrow): Use ExecutableBase::catchRoutineFor() to fetch
5488 fetch the catch routine for a thrown exception. This will allow
5489 us to redefine that for the C loop later, and still keep this
5490 code readable.
5491 * llint/LLIntOfflineAsmConfig.h: Moved ASM macros to
5492 LowLevelInterpreter.cpp which is the only place they are used. This
5493 will make it more convenient to redefine them for the C loop later.
5494 * llint/LLIntSlowPaths.cpp:
5495 (JSC::LLInt::setUpCall): Use ExecutableBase's hostCodeEntry()
5496 jsCodeEntryFor(), and jsCodeWithArityCheckEntryFor() for computing
5497 the entry points to functions being called.
5498 * llint/LLIntSlowPaths.h:
5499 (SlowPathReturnType):
5500 (JSC::LLInt::encodeResult):
5501 (LLInt):
5502 (JSC::LLInt::decodeResult): Added. Needed by LLInt C Loop later.
5503 * llint/LowLevelInterpreter.asm:
5504 * llint/LowLevelInterpreter.cpp:
5505 * llint/LowLevelInterpreter32_64.asm:
5506 * llint/LowLevelInterpreter64.asm:
5507 * offlineasm/asm.rb: Disambiguate between opcodes and other labels.
5508 * offlineasm/config.rb:
5509 * runtime/Executable.h:
5510 (JSC::ExecutableBase::hostCodeEntryFor): Added.
5511 (ExecutableBase):
5512 (JSC::ExecutableBase::jsCodeEntryFor): Added.
5513 (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor): Added.
5514 (JSC::ExecutableBase::catchRoutineFor): Added.
5515 * runtime/JSValueInlineMethods.h:
5516 (JSC):
5517
55182012-08-31 Tony Chang <tony@chromium.org>
5519
5520 Remove ENABLE_CSS3_FLEXBOX compile time flag
5521 https://bugs.webkit.org/show_bug.cgi?id=95382
5522
5523 Reviewed by Ojan Vafai.
5524
5525 Everyone is already enabling this by default and the spec has stablized.
5526
5527 * Configurations/FeatureDefines.xcconfig:
5528
55292012-08-31 Geoffrey Garen <ggaren@apple.com>
5530
5531 Not reviewed.
5532
5533 Rolled out http://trac.webkit.org/changeset/127293 because it broke
5534 inspector tests on Windows.
5535
5536 Shrink activation objects by half
5537 https://bugs.webkit.org/show_bug.cgi?id=95591
5538
5539 Reviewed by Sam Weinig.
5540
55412012-08-31 Geoffrey Garen <ggaren@apple.com>
5542
5543 Shrink activation objects by half
5544 https://bugs.webkit.org/show_bug.cgi?id=95591
5545
5546 Reviewed by Sam Weinig.
5547
5548 Removed the global object, global data, and global this pointers from
5549 JSScope, and changed an int to a bitfield. This gets the JSActivation
5550 class down to 64 bytes, which in practice cuts it in half by getting it
5551 out of the 128 byte size class.
5552
5553 Now, it's one extra indirection to get these pointers. These pointers
5554 aren't accessed by JIT code, so I thought there would be no cost to the
5555 extra indirection. However, some C++-heavy SunSpider tests regressed a
5556 bit in an early version of the patch, which added even more indirection.
5557 This suggests that calls to exec->globalData() and/or exec->lexicalGlobalObject()
5558 are common and probably duplicated in lots of places, and could stand
5559 further optimization in C++.
5560
5561 * dfg/DFGAbstractState.cpp:
5562 (JSC::DFG::AbstractState::execute): Test against the specific activation
5563 for our global object, since there's no VM-shared activation structure
5564 anymore. This is guaranteed to have the same success rate as the old test
5565 because activation scope is fixed at compile time.
5566
5567 * heap/MarkedBlock.cpp:
5568 (JSC::MarkedBlock::MarkedBlock):
5569 * heap/MarkedBlock.h:
5570 (JSC::MarkedBlock::globalData):
5571 * heap/WeakSet.cpp:
5572 (JSC::WeakSet::addAllocator):
5573 * heap/WeakSet.h:
5574 (WeakSet):
5575 (JSC::WeakSet::WeakSet):
5576 (JSC::WeakSet::globalData): Store a JSGlobalData* instead of a Heap*
5577 because JSGlobalData->Heap is just a constant fold in the addressing
5578 mode, while Heap->JSGlobalData is an extra pointer dereference. (These
5579 objects should eventually just merge.)
5580
5581 * jit/JITOpcodes.cpp:
5582 (JSC::JIT::emit_op_resolve_global_dynamic): See DFGAbstractState.cpp.
5583
5584 * llint/LowLevelInterpreter32_64.asm:
5585 * llint/LowLevelInterpreter64.asm: Load the activation structure from
5586 the code block instead of the global data because the structure is not
5587 VM-shared anymore. (See DFGAbstractState.cpp.)
5588
5589 * runtime/JSActivation.cpp:
5590 (JSC::JSActivation::JSActivation):
5591 * runtime/JSActivation.h:
5592 (JSActivation): This is the point of the patch: Remove the data.
5593
5594 * runtime/JSGlobalData.cpp:
5595 (JSC::JSGlobalData::JSGlobalData):
5596 * runtime/JSGlobalData.h:
5597 (JSGlobalData): No longer VM-shared. (See DFGAbstractState.cpp.)
5598
5599 (JSC::WeakSet::heap): (See WeakSet.h.)
5600
5601 * runtime/JSGlobalObject.cpp:
5602 (JSC::JSGlobalObject::JSGlobalObject):
5603 (JSC::JSGlobalObject::setGlobalThis):
5604 (JSC::JSGlobalObject::reset):
5605 (JSC::JSGlobalObject::visitChildren):
5606 * runtime/JSGlobalObject.h:
5607 (JSGlobalObject):
5608 (JSC::JSGlobalObject::withScopeStructure):
5609 (JSC::JSGlobalObject::strictEvalActivationStructure):
5610 (JSC::JSGlobalObject::activationStructure):
5611 (JSC::JSGlobalObject::nameScopeStructure):
5612 (JSC::JSScope::globalThis):
5613 (JSC::JSGlobalObject::globalThis): Data that used to be in the JSScope
5614 class goes here now, so it's not duplicated across all activations.
5615
5616 * runtime/JSNameScope.h:
5617 (JSC::JSNameScope::JSNameScope):
5618 * runtime/JSScope.cpp:
5619 (JSC::JSScope::visitChildren): This is the point of the patch: Remove the data.
5620
5621 * runtime/JSScope.h:
5622 (JSScope):
5623 (JSC::JSScope::JSScope):
5624 (JSC::JSScope::globalObject):
5625 (JSC::JSScope::globalData):
5626 * runtime/JSSegmentedVariableObject.h:
5627 (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject):
5628 * runtime/JSSymbolTableObject.h:
5629 (JSC::JSSymbolTableObject::JSSymbolTableObject):
5630 * runtime/JSVariableObject.h:
5631 (JSC::JSVariableObject::JSVariableObject):
5632 * runtime/JSWithScope.h:
5633 (JSC::JSWithScope::JSWithScope):
5634 * runtime/StrictEvalActivation.cpp:
5635 (JSC::StrictEvalActivation::StrictEvalActivation): Simplified now that
5636 we don't need to pass so much data to JSScope.
5637
56382012-08-31 Patrick Gansterer <paroga@webkit.org>
5639
5640 Build fix for WinCE after r127191.
5641
5642 * bytecode/JumpTable.h:
5643
56442012-08-30 Filip Pizlo <fpizlo@apple.com>
5645
5646 ASSERTION FAILURE in JSC::JSGlobalData::float32ArrayDescriptor when running fast/js/dfg-float64array.html
5647 https://bugs.webkit.org/show_bug.cgi?id=95398
5648
5649 Reviewed by Mark Hahnenberg.
5650
5651 Trying to get the build failure to be a bit more informative.
5652
5653 * runtime/JSGlobalData.h:
5654 (JSGlobalData):
5655
56562012-08-30 Geoffrey Garen <ggaren@apple.com>
5657
5658 Try to fix the Qt build: add some #includes that, for some reason, only the Qt linker requires.
5659
5660 * runtime/BooleanObject.cpp:
5661 * runtime/ErrorInstance.cpp:
5662 * runtime/NameInstance.cpp:
5663
56642012-08-30 Geoffrey Garen <ggaren@apple.com>
5665
5666 Fix the Qt build: Removed a now-dead variable.
5667
5668 * interpreter/Interpreter.cpp:
5669 (JSC::Interpreter::execute):
5670
56712012-08-30 Benjamin Poulain <bpoulain@apple.com>
5672
5673 Ambiguous operator[] after r127191 on some compiler
5674 https://bugs.webkit.org/show_bug.cgi?id=95509
5675
5676 Reviewed by Simon Fraser.
5677
5678 On some compilers, the operator[] conflicts with the Obj-C++ operators. This attempts to solve
5679 the issue.
5680
5681 * runtime/JSString.h:
5682 (JSC::jsSingleCharacterSubstring):
5683 (JSC::jsString):
5684 (JSC::jsSubstring8):
5685 (JSC::jsSubstring):
5686 (JSC::jsOwnedString):
5687
56882012-08-30 Geoffrey Garen <ggaren@apple.com>
5689
5690 Try to fix the Qt build: Remove the inline keyword at the declaration
5691 site.
5692
5693 The Qt compiler seems to be confused, complaining about these functions
5694 not being defined in a translation unit, even though no generated code
5695 in the unit calls these functions. Maybe removing the keyword at the
5696 declaration site will change its mind.
5697
5698 This shouldn't change the inlining decision at all: the definition is
5699 still inline.
5700
5701 * interpreter/CallFrame.h:
5702 (ExecState):
5703
57042012-08-30 Geoffrey Garen <ggaren@apple.com>
5705
5706 Undo Qt build fix guess, since it breaks other builds.
5707
5708 * runtime/JSArray.h:
5709
57102012-08-30 Geoffrey Garen <ggaren@apple.com>
5711
5712 Try to fix the Qt build: add an #include to JSArray.h, since
5713 it's included by some of the files Qt complains about, and
5714 some of is functions call the functions Qt complains about.
5715
5716 * runtime/JSArray.h:
5717
57182012-08-30 Geoffrey Garen <ggaren@apple.com>
5719
5720 Second step toward fixing the Windows build: Add new symbols.
5721
5722 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
5723
57242012-08-30 Geoffrey Garen <ggaren@apple.com>
5725
5726 Try to fix the Qt build: add an #include.
5727
5728 * bytecode/GetByIdStatus.cpp:
5729
57302012-08-30 Geoffrey Garen <ggaren@apple.com>
5731
5732 First step toward fixing the Windows build: Remove old symbols.
5733
5734 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
5735
57362012-08-30 Geoffrey Garen <ggaren@apple.com>
5737
5738 Use one object instead of two for closures, eliminating ScopeChainNode
5739 https://bugs.webkit.org/show_bug.cgi?id=95501
5740
5741 Reviewed by Filip Pizlo.
5742
5743 This patch removes ScopeChainNode, and moves all the data and related
5744 functions that used to be in ScopeChainNode into JSScope.
5745
5746 Most of this patch is mechanical changes to use a JSScope* where we used
5747 to use a ScopeChainNode*. I've only specifically commented about items
5748 that were non-mechanical.
5749
5750 * runtime/Completion.cpp:
5751 (JSC::evaluate):
5752 * runtime/Completion.h: Don't require an explicit scope chain argument
5753 when evaluating code. Clients never wanted anything other than the
5754 global scope, and other arbitrary scopes probably wouldn't work
5755 correctly, anyway.
5756
5757 * runtime/JSScope.cpp:
5758 * runtime/JSScope.h:
5759 (JSC::JSScope::JSScope): JSScope now requires the data we used to pass to
5760 ScopeChainNode, so it can link itself into the scope chain correctly.
5761
5762 * runtime/JSWithScope.h:
5763 (JSC::JSWithScope::create):
5764 (JSC::JSWithScope::JSWithScope): JSWithScope gets an extra constructor
5765 for specifically supplying your own scope chain. The DOM needs this
5766 interface for setting up the scope chain for certain event handlers.
5767 Other clients always just push the JSWithScope to the head of the current
5768 scope chain.
5769
57702012-08-30 Mark Lam <mark.lam@apple.com>
5771
5772 Render unto #ifdef's that which belong to them.
5773 https://bugs.webkit.org/show_bug.cgi?id=95482.
5774
5775 Reviewed by Filip Pizlo.
5776
5777 Refining / disambiguating between #ifdefs and adding some. For
5778 example, ENABLE(JIT) is conflated with ENABLE(LLINT) in some places.
5779 Also, we need to add ENABLE(COMPUTED_GOTO_OPCODES) to indicate that we
5780 want interpreted opcodes to use COMPUTED GOTOs apart from ENABLE(LLINT)
5781 and ENABLE(COMPUTED_GOTO_CLASSIC_INTERPRETER). Also cleaned up #ifdefs
5782 in certain places which were previously incorrect.
5783
5784 * bytecode/CodeBlock.cpp:
5785 (JSC):
5786 (JSC::CodeBlock::bytecodeOffset):
5787 * bytecode/CodeBlock.h:
5788 (CodeBlock):
5789 * bytecode/Opcode.h:
5790 (JSC::padOpcodeName):
5791 * config.h:
5792 * dfg/DFGOperations.cpp:
5793 * interpreter/AbstractPC.cpp:
5794 (JSC::AbstractPC::AbstractPC):
5795 * interpreter/CallFrame.h:
5796 (ExecState):
5797 * interpreter/Interpreter.cpp:
5798 (JSC::Interpreter::~Interpreter):
5799 (JSC::Interpreter::initialize):
5800 (JSC::Interpreter::isOpcode):
5801 (JSC::Interpreter::unwindCallFrame):
5802 (JSC::getLineNumberForCallFrame):
5803 (JSC::getCallerInfo):
5804 (JSC::Interpreter::execute):
5805 (JSC::Interpreter::executeCall):
5806 (JSC::Interpreter::executeConstruct):
5807 (JSC::Interpreter::privateExecute):
5808 * interpreter/Interpreter.h:
5809 (JSC::Interpreter::getOpcode):
5810 (JSC::Interpreter::getOpcodeID):
5811 (Interpreter):
5812 * jit/HostCallReturnValue.h:
5813 * jit/JITCode.h:
5814 (JITCode):
5815 * jit/JITExceptions.cpp:
5816 * jit/JITExceptions.h:
5817 * jit/JSInterfaceJIT.h:
5818 * llint/LLIntData.h:
5819 (JSC::LLInt::getOpcode):
5820 * llint/LLIntEntrypoints.cpp:
5821 (JSC::LLInt::getFunctionEntrypoint):
5822 (JSC::LLInt::getEvalEntrypoint):
5823 (JSC::LLInt::getProgramEntrypoint):
5824 * llint/LLIntOffsetsExtractor.cpp:
5825 (JSC::LLIntOffsetsExtractor::dummy):
5826 * llint/LLIntSlowPaths.cpp:
5827 (LLInt):
5828 * runtime/JSGlobalData.cpp:
5829 (JSC):
5830
58312012-08-30 JungJik Lee <jungjik.lee@samsung.com>
5832
5833 [EFL][WK2] Add WebMemorySampler feature.
5834 https://bugs.webkit.org/show_bug.cgi?id=91214
5835
5836 Reviewed by Kenneth Rohde Christiansen.
5837
5838 WebMemorySampler collects Javascript stack and JIT memory usage in globalMemoryStatistics.
5839
5840 * PlatformEfl.cmake:
5841
58422012-08-30 Benjamin Poulain <bpoulain@apple.com>
5843
5844 Replace JSC::UString by WTF::String
5845 https://bugs.webkit.org/show_bug.cgi?id=95271
5846
5847 Reviewed by Geoffrey Garen.
5848
5849 Having JSC::UString and WTF::String increase the complexity of working on WebKit, and
5850 add useless conversions in the bindings. It also cause some code bloat.
5851
5852 The performance advantages of UString have been ported over in previous patches. This patch
5853 is the last step: getting rid of UString.
5854
5855 In addition to the simplified code, this also reduce the binary size by 15kb on x86_64.
5856
5857 * API/OpaqueJSString.cpp:
5858 (OpaqueJSString::ustring):
5859 * runtime/Identifier.h:
5860 (JSC::Identifier::ustring):
5861 To avoid changing everything at once, the function named ustring() were kept as is. They
5862 will be renamed in a follow up patch.
5863
5864 * runtime/JSString.h:
5865 (JSC::JSString::string):
5866 (JSC::JSValue::toWTFString):
5867 (JSC::inlineJSValueNotStringtoString):
5868 (JSC::JSValue::toWTFStringInline):
5869 Since JSValue::toString() already exist (and return the JSString), the direct accessor is renamed
5870 to ::toWTFString(). We may change ::string() to ::jsString() and ::toWTFString() to ::toString()
5871 in the future.
5872
5873 * runtime/StringPrototype.cpp:
5874 (JSC::substituteBackreferencesSlow): Replace the use of UString::getCharacters<>() by String::getCharactersWithUpconvert<>().
5875
58762012-08-24 Mark Hahnenberg <mhahnenberg@apple.com>
5877
5878 Remove uses of ClassInfo in StrictEq and CompareEq in the DFG
5879 https://bugs.webkit.org/show_bug.cgi?id=93401
5880
5881 Reviewed by Filip Pizlo.
5882
5883 Another incremental step in removing the dependence on ClassInfo pointers in object headers.
5884
5885 * bytecode/SpeculatedType.h:
5886 (JSC::isCellOrOtherSpeculation):
5887 (JSC):
5888 * dfg/DFGAbstractState.cpp: Updated the CFA to reflect the changes to the backend.
5889 (JSC::DFG::AbstractState::execute):
5890 * dfg/DFGNode.h:
5891 (Node):
5892 (JSC::DFG::Node::shouldSpeculateString): Added this new function since it was conspicuously absent.
5893 (JSC::DFG::Node::shouldSpeculateNonStringCellOrOther): Also add this function for use in the CFA.
5894 * dfg/DFGSpeculativeJIT.cpp: Refactored how we handle CompareEq and CompareStrictEq in the DFG. We now just
5895 check for Strings by comparing the object's Structure to the global Structure for strings. We only
5896 check for MasqueradesAsUndefined if the watchpoint has fired. These changes allow us to remove our
5897 uses of the ClassInfo pointer for compiling these nodes.
5898 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
5899 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
5900 (JSC::DFG::SpeculativeJIT::compare):
5901 (JSC::DFG::SpeculativeJIT::compileStrictEq):
5902 * dfg/DFGSpeculativeJIT.h:
5903 (SpeculativeJIT):
5904 * dfg/DFGSpeculativeJIT32_64.cpp: Same changes for 32 bit as for 64 bit.
5905 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
5906 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
5907 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
5908 * dfg/DFGSpeculativeJIT64.cpp:
5909 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
5910 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
5911 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
5912
59132012-08-30 Yong Li <yoli@rim.com>
5914
5915 [BlackBerry] Implement IncrementalSweeper for PLATFORM(BLACKBERRY)
5916 https://bugs.webkit.org/show_bug.cgi?id=95469
5917
5918 Reviewed by Rob Buis.
5919
5920 RIM PR# 200595.
5921 Share most code with USE(CF) and implement timer-related methods
5922 for PLATFORM(BLACKBERRY).
5923
5924 * heap/IncrementalSweeper.cpp:
5925 (JSC):
5926 (JSC::IncrementalSweeper::IncrementalSweeper):
5927 (JSC::IncrementalSweeper::create):
5928 (JSC::IncrementalSweeper::scheduleTimer):
5929 (JSC::IncrementalSweeper::cancelTimer):
5930 (JSC::IncrementalSweeper::doSweep):
5931 * heap/IncrementalSweeper.h:
5932 (IncrementalSweeper):
5933
59342012-08-30 Mark Lam <mark.lam@apple.com>
5935
5936 Fix broken classic intrpreter build.
5937 https://bugs.webkit.org/show_bug.cgi?id=95484.
5938
5939 Reviewed by Filip Pizlo.
5940
5941 * interpreter/Interpreter.cpp:
5942 (JSC::Interpreter::privateExecute):
5943
59442012-08-30 Byungwoo Lee <bw80.lee@samsung.com>
5945
5946 Build warning : -Wsign-compare on DFGByteCodeParser.cpp.
5947 https://bugs.webkit.org/show_bug.cgi?id=95418
5948
5949 Reviewed by Filip Pizlo.
5950
5951 There is a build warning '-Wsign-compare' on
5952 findArgumentPositionForLocal() in DFGByteCodeParser.cpp.
5953
5954 For removing this warning, casting statement is added explicitly.
5955
5956 * dfg/DFGByteCodeParser.cpp:
5957 (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
5958 (JSC::DFG::ByteCodeParser::findArgumentPosition):
5959
59602012-08-30 Yong Li <yoli@rim.com>
5961
5962 [BlackBerry] Set timer client on platform timer used in HeapTimer
5963 https://bugs.webkit.org/show_bug.cgi?id=95464
5964
5965 Reviewed by Rob Buis.
5966
5967 Otherwise the timer won't work.
5968
5969 * heap/HeapTimer.cpp:
5970 (JSC::HeapTimer::HeapTimer):
5971
59722012-08-30 Julien BRIANCEAU <jbrianceau@nds.com>
5973
5974 [sh4] Add missing implementation for JavaScriptCore JIT
5975 https://bugs.webkit.org/show_bug.cgi?id=95452
5976
5977 Reviewed by Oliver Hunt.
5978
5979 * assembler/MacroAssemblerSH4.h:
5980 (JSC::MacroAssemblerSH4::isCompactPtrAlignedAddressOffset):
5981 (MacroAssemblerSH4):
5982 (JSC::MacroAssemblerSH4::add32):
5983 (JSC::MacroAssemblerSH4::convertibleLoadPtr):
5984 * assembler/SH4Assembler.h:
5985 (JSC::SH4Assembler::labelIgnoringWatchpoints):
5986 (SH4Assembler):
5987 (JSC::SH4Assembler::replaceWithLoad):
5988 (JSC::SH4Assembler::replaceWithAddressComputation):
5989
59902012-08-30 Charles Wei <charles.wei@torchmobile.com.cn>
5991
5992 [BlackBerry] Eliminate build warnings
5993 https://bugs.webkit.org/show_bug.cgi?id=95338
5994
5995 Reviewed by Filip Pizlo.
5996
5997 static_cast to the same type to eliminate the build time warnings.
5998
5999 * assembler/AssemblerBufferWithConstantPool.h:
6000 (JSC::AssemblerBufferWithConstantPool::flushWithoutBarrier):
6001 * assembler/MacroAssemblerARM.h:
6002 (JSC::MacroAssemblerARM::branch32):
6003
60042012-08-29 Mark Hahnenberg <mhahnenberg@apple.com>
6005
6006 Remove use of ClassInfo from compileGetByValOnArguments and compileGetArgumentsLength
6007 https://bugs.webkit.org/show_bug.cgi?id=95131
6008
6009 Reviewed by Filip Pizlo.
6010
6011 * dfg/DFGSpeculativeJIT.cpp:
6012 (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): We don't need this speculation check. We can replace it
6013 with an assert to guarantee this.
6014
60152012-08-29 Mark Lam <mark.lam@apple.com>
6016
6017 Refactoring LLInt::Data.
6018 https://bugs.webkit.org/show_bug.cgi?id=95316.
6019
6020 Reviewed by Geoff Garen.
6021
6022 This change allows its opcodeMap to be easily queried from any function
6023 without needing to go through a GlobalData object. It also introduces
6024 the LLInt::getCodePtr() methods that will be used by the LLInt C loop
6025 later to redefine how llint symbols (opcodes and trampoline glue
6026 labels) get resolved.
6027
6028 * assembler/MacroAssemblerCodeRef.h:
6029 (MacroAssemblerCodePtr):
6030 (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
6031 (MacroAssemblerCodeRef):
6032 (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
6033 * bytecode/CodeBlock.cpp:
6034 (JSC::CodeBlock::adjustPCIfAtCallSite):
6035 (JSC::CodeBlock::bytecodeOffset):
6036 * bytecode/Opcode.h:
6037 Remove the 'const' to simplify things and avoid having to do
6038 additional casts and #ifdefs in many places.
6039 * bytecode/ResolveGlobalStatus.cpp:
6040 (JSC::computeForLLInt):
6041 * bytecompiler/BytecodeGenerator.cpp:
6042 (JSC::BytecodeGenerator::generate):
6043 * interpreter/Interpreter.cpp:
6044 (JSC::Interpreter::initialize):
6045 * interpreter/Interpreter.h:
6046 (Interpreter):
6047 * jit/JITExceptions.cpp:
6048 (JSC::genericThrow):
6049 * llint/LLIntData.cpp:
6050 (LLInt):
6051 (JSC::LLInt::initialize):
6052 * llint/LLIntData.h:
6053 (JSC):
6054 (LLInt):
6055 (Data):
6056 (JSC::LLInt::exceptionInstructions):
6057 (JSC::LLInt::opcodeMap):
6058 (JSC::LLInt::getOpcode):
6059 (JSC::LLInt::getCodePtr):
6060 (JSC::LLInt::Data::performAssertions):
6061 * llint/LLIntExceptions.cpp:
6062 (JSC::LLInt::returnToThrowForThrownException):
6063 (JSC::LLInt::returnToThrow):
6064 (JSC::LLInt::callToThrow):
6065 * llint/LLIntSlowPaths.cpp:
6066 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
6067 (JSC::LLInt::handleHostCall):
6068 * runtime/InitializeThreading.cpp:
6069 (JSC::initializeThreadingOnce): Initialize the singleton LLInt data.
6070 * runtime/JSGlobalData.cpp:
6071 (JSC::JSGlobalData::JSGlobalData):
6072 * runtime/JSGlobalData.h:
6073 (JSGlobalData): Removed the now unneeded LLInt::Data instance in
6074 JSGlobalData.
6075 * runtime/JSValue.h:
6076 (JSValue):
6077
60782012-08-29 Gavin Barraclough <barraclough@apple.com>
6079
6080 PutById uses DataLabel32, not DataLabelCompact
6081 https://bugs.webkit.org/show_bug.cgi?id=95245
6082
6083 Reviewed by Geoff Garen.
6084
6085 JIT::resetPatchPutById calls the the wrong thing on x86-64 – this is moot right now,
6086 since they currently both do the same thing, but if we were to ever make compact mean
6087 8-bit this could be a real problem. Also, relying on the object still being in eax
6088 on entry to the transition stub isn't very robust - added nonArgGPR1 to at least make
6089 this explicit.
6090
6091 * jit/JITPropertyAccess.cpp:
6092 (JSC::JIT::emitSlow_op_put_by_id):
6093 - copy regT0 to nonArgGPR1
6094 (JSC::JIT::privateCompilePutByIdTransition):
6095 - DataLabelCompact -> DataLabel32
6096 (JSC::JIT::resetPatchPutById):
6097 - reload regT0 from nonArgGPR1
6098 * jit/JSInterfaceJIT.h:
6099 (JSInterfaceJIT):
6100 - added nonArgGPR1
6101
61022012-08-28 Yong Li <yoli@rim.com>
6103
6104 ExecutableAllocator should be destructed after Heap
6105 https://bugs.webkit.org/show_bug.cgi?id=95244
6106
6107 Reviewed by Rob Buis.
6108
6109 RIM PR# 199364.
6110 Make ExecutableAllocator the first member in JSGlobalData.
6111 Existing Web Worker tests can show the issue.
6112
6113 * runtime/JSGlobalData.cpp:
6114 (JSC::JSGlobalData::JSGlobalData):
6115 * runtime/JSGlobalData.h:
6116 (JSGlobalData):
6117
61182012-08-29 Geoffrey Garen <ggaren@apple.com>
6119
6120 Try to fix the Windows build.
6121
6122 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Export!
6123
61242012-08-28 Geoffrey Garen <ggaren@apple.com>
6125
6126 Introduced JSWithScope, making all scope objects subclasses of JSScope
6127 https://bugs.webkit.org/show_bug.cgi?id=95295
6128
6129 Reviewed by Filip Pizlo.
6130
6131 This is a step toward removing ScopeChainNode. With a uniform representation
6132 for objects in the scope chain, we can move data from ScopeChainNode
6133 into JSScope.
6134
6135 * CMakeLists.txt:
6136 * GNUmakefile.list.am:
6137 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
6138 * JavaScriptCore.xcodeproj/project.pbxproj:
6139 * Target.pri: Build!
6140
6141 * interpreter/Interpreter.cpp:
6142 (JSC::Interpreter::privateExecute):
6143 * jit/JITStubs.cpp:
6144 (JSC::DEFINE_STUB_FUNCTION):
6145 * llint/LLIntSlowPaths.cpp:
6146 (JSC::LLInt::LLINT_SLOW_PATH_DECL): Use an explicit JSWithScope object
6147 for 'with' statements. Since 'with' can put any object in the scope
6148 chain, we'll need an adapter object to hold the data ScopeChainNode
6149 currently holds.
6150
6151 (JSGlobalData): Support for JSWithScope.
6152
6153 * runtime/JSScope.cpp:
6154 (JSC::JSScope::objectAtScope):
6155 * runtime/JSScope.h: Check for and unwrap JSWithScope.
6156
6157 * runtime/JSType.h: Support for JSWithScope.
6158
6159 * runtime/StrictEvalActivation.cpp:
6160 (JSC::StrictEvalActivation::StrictEvalActivation):
6161 * runtime/StrictEvalActivation.h:
6162 (StrictEvalActivation): Inherit from JSScope, to make the scope chain uniform.
6163
6164 * runtime/JSWithScope.cpp: Added.
6165 (JSC::JSWithScope::visitChildren):
6166 * runtime/JSWithScope.h: Added.
6167 (JSWithScope):
6168 (JSC::JSWithScope::create):
6169 (JSC::JSWithScope::object):
6170 (JSC::JSWithScope::createStructure):
6171 (JSC::JSWithScope::JSWithScope): New adapter object. Since this object
6172 is never exposed to scripts, it doesn't need any meaningful implementation
6173 of property access or other callbacks.
6174
61752012-08-29 Patrick Gansterer <paroga@webkit.org>
6176
6177 Unreviewed. Build fix for !ENABLE(JIT) after r126962.
6178
6179 * interpreter/Interpreter.cpp:
6180 (JSC::Interpreter::privateExecute):
6181
61822012-08-28 Geoffrey Garen <ggaren@apple.com>
6183
6184 Added JSScope::objectInScope(), and refactored callers to use it
6185 https://bugs.webkit.org/show_bug.cgi?id=95281
6186
6187 Reviewed by Gavin Barraclough.
6188
6189 This is a step toward removing ScopeChainNode. We need a layer of
6190 indirection so that 'with' scopes can proxy for an object.
6191 JSScope::objectInScope() will be that layer.
6192
6193 * bytecode/EvalCodeCache.h:
6194 (JSC::EvalCodeCache::tryGet):
6195 (JSC::EvalCodeCache::getSlow):
6196 * bytecompiler/BytecodeGenerator.cpp:
6197 (JSC::BytecodeGenerator::resolve):
6198 (JSC::BytecodeGenerator::resolveConstDecl): . vs ->
6199
6200 * interpreter/Interpreter.cpp:
6201 (JSC::Interpreter::unwindCallFrame):
6202 (JSC::Interpreter::execute):
6203 * runtime/JSScope.cpp:
6204 (JSC::JSScope::resolve):
6205 (JSC::JSScope::resolveSkip):
6206 (JSC::JSScope::resolveGlobalDynamic):
6207 (JSC::JSScope::resolveBase):
6208 (JSC::JSScope::resolveWithBase):
6209 (JSC::JSScope::resolveWithThis): Added JSScope::objectAtScope() calls.
6210
6211 * runtime/JSScope.h:
6212 (JSScope):
6213 (JSC::JSScope::objectAtScope):
6214 (JSC):
6215 (ScopeChainIterator):
6216 (JSC::ScopeChainIterator::ScopeChainIterator):
6217 (JSC::ScopeChainIterator::get):
6218 (JSC::ScopeChainIterator::operator->):
6219 (JSC::ScopeChainIterator::operator++):
6220 (JSC::ScopeChainIterator::operator==):
6221 (JSC::ScopeChainIterator::operator!=):
6222 (JSC::ScopeChainNode::begin):
6223 (JSC::ScopeChainNode::end): I moved ScopeChainIterator to this file
6224 to resolve a circular #include problem. Eventually, I'll probably rename
6225 it to JSScope::iterator, so I think it belongs here.
6226
6227 * runtime/ScopeChain.cpp:
6228 (JSC::ScopeChainNode::print):
6229 (JSC::ScopeChainNode::localDepth): . vs ->
6230
6231 * runtime/ScopeChain.h:
6232 (ScopeChainNode): I made the 'object' data member private because it's
6233 no longer safe to access -- you need to call JSScope::objectAtScope()
6234 instead.
6235
6236 The JITs need to be friends because of the private declaration.
6237
6238 Subtly, JIT/LLInt code is correct without any changes because JIT/LLInt
6239 code never compiles direct access to a with scope.
6240
62412012-08-28 Mark Lam <mark.lam@apple.com>
6242
6243 Adding support for adding LLInt opcode extensions. This will be needed
6244 by the LLInt C loop interpreter later.
6245 https://bugs.webkit.org/show_bug.cgi?id=95277.
6246
6247 Reviewed by Geoffrey Garen.
6248
6249 * JavaScriptCore.xcodeproj/project.pbxproj:
6250 * bytecode/Opcode.h:
6251 * llint/LLIntOpcode.h: Added.
6252 * llint/LowLevelInterpreter.h:
6253
62542012-08-28 Gavin Barraclough <barraclough@apple.com>
6255
6256 Rolled out r126928, this broke stuff :'-(
6257
6258 * jit/JITPropertyAccess.cpp:
6259 (JSC::JIT::privateCompilePutByIdTransition):
6260 (JSC::JIT::resetPatchPutById):
6261
62622012-08-28 Gavin Barraclough <barraclough@apple.com>
6263
6264 PutById uses DataLabel32, not DataLabelCompact
6265 https://bugs.webkit.org/show_bug.cgi?id=95245
6266
6267 Reviewed by Geoff Garen.
6268
6269 JIT::resetPatchPutById calls the the wrong thing on x86-64 – this is moot right now,
6270 since they currently both do the same thing, but if we were to ever make compact mean
6271 8-bit this could be a real problem. Also, don't rely on the object still being in eax
6272 on entry to the transition stub – this isn't very robust.
6273
6274 * jit/JITPropertyAccess.cpp:
6275 (JSC::JIT::privateCompilePutByIdTransition):
6276 - DataLabelCompact -> DataLabel32
6277 (JSC::JIT::resetPatchPutById):
6278 - reload regT0 from the stack
6279
62802012-08-28 Sheriff Bot <webkit.review.bot@gmail.com>
6281
6282 Unreviewed, rolling out r126914.
6283 http://trac.webkit.org/changeset/126914
6284 https://bugs.webkit.org/show_bug.cgi?id=95239
6285
6286 it breaks everything and fixes nothing (Requested by pizlo on
6287 #webkit).
6288
6289 * API/JSCallbackObject.h:
6290 (JSC::JSCallbackObjectData::JSPrivatePropertyMap::getPrivateProperty):
6291 (JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
6292 (JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
6293 * API/JSCallbackObjectFunctions.h:
6294 (JSC::::getOwnPropertyNames):
6295 * API/JSClassRef.cpp:
6296 (OpaqueJSClass::~OpaqueJSClass):
6297 (OpaqueJSClassContextData::OpaqueJSClassContextData):
6298 (OpaqueJSClass::contextData):
6299 * bytecode/CodeBlock.cpp:
6300 (JSC::CodeBlock::dump):
6301 (JSC::EvalCodeCache::visitAggregate):
6302 (JSC::CodeBlock::nameForRegister):
6303 * bytecode/JumpTable.h:
6304 (JSC::StringJumpTable::offsetForValue):
6305 (JSC::StringJumpTable::ctiForValue):
6306 * bytecode/LazyOperandValueProfile.cpp:
6307 (JSC::LazyOperandValueProfileParser::getIfPresent):
6308 * bytecode/SamplingTool.cpp:
6309 (JSC::SamplingTool::dump):
6310 * bytecompiler/BytecodeGenerator.cpp:
6311 (JSC::BytecodeGenerator::addVar):
6312 (JSC::BytecodeGenerator::addGlobalVar):
6313 (JSC::BytecodeGenerator::addConstant):
6314 (JSC::BytecodeGenerator::addConstantValue):
6315 (JSC::BytecodeGenerator::emitLoad):
6316 (JSC::BytecodeGenerator::addStringConstant):
6317 (JSC::BytecodeGenerator::emitLazyNewFunction):
6318 * bytecompiler/NodesCodegen.cpp:
6319 (JSC::PropertyListNode::emitBytecode):
6320 * debugger/Debugger.cpp:
6321 * dfg/DFGArgumentsSimplificationPhase.cpp:
6322 (JSC::DFG::ArgumentsSimplificationPhase::run):
6323 (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
6324 (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
6325 (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
6326 (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
6327 * dfg/DFGAssemblyHelpers.cpp:
6328 (JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
6329 * dfg/DFGByteCodeCache.h:
6330 (JSC::DFG::ByteCodeCache::~ByteCodeCache):
6331 (JSC::DFG::ByteCodeCache::get):
6332 * dfg/DFGByteCodeParser.cpp:
6333 (JSC::DFG::ByteCodeParser::cellConstant):
6334 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
6335 * dfg/DFGStructureCheckHoistingPhase.cpp:
6336 (JSC::DFG::StructureCheckHoistingPhase::run):
6337 (JSC::DFG::StructureCheckHoistingPhase::noticeStructureCheck):
6338 (JSC::DFG::StructureCheckHoistingPhase::noticeClobber):
6339 * heap/Heap.cpp:
6340 (JSC::Heap::markProtectedObjects):
6341 * heap/Heap.h:
6342 (JSC::Heap::forEachProtectedCell):
6343 * heap/JITStubRoutineSet.cpp:
6344 (JSC::JITStubRoutineSet::markSlow):
6345 (JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
6346 * heap/MarkStack.cpp:
6347 (JSC::MarkStack::internalAppend):
6348 * heap/Weak.h:
6349 (JSC::weakRemove):
6350 * jit/JIT.cpp:
6351 (JSC::JIT::privateCompile):
6352 * jit/JITStubs.cpp:
6353 (JSC::JITThunks::ctiStub):
6354 * parser/Parser.cpp:
6355 (JSC::::parseStrictObjectLiteral):
6356 * profiler/Profile.cpp:
6357 (JSC::functionNameCountPairComparator):
6358 (JSC::Profile::debugPrintDataSampleStyle):
6359 * runtime/Identifier.cpp:
6360 (JSC::Identifier::add):
6361 * runtime/JSActivation.cpp:
6362 (JSC::JSActivation::getOwnPropertyNames):
6363 (JSC::JSActivation::symbolTablePutWithAttributes):
6364 * runtime/JSArray.cpp:
6365 (JSC::SparseArrayValueMap::put):
6366 (JSC::SparseArrayValueMap::putDirect):
6367 (JSC::SparseArrayValueMap::visitChildren):
6368 (JSC::JSArray::enterDictionaryMode):
6369 (JSC::JSArray::defineOwnNumericProperty):
6370 (JSC::JSArray::getOwnPropertySlotByIndex):
6371 (JSC::JSArray::getOwnPropertyDescriptor):
6372 (JSC::JSArray::putByIndexBeyondVectorLength):
6373 (JSC::JSArray::putDirectIndexBeyondVectorLength):
6374 (JSC::JSArray::deletePropertyByIndex):
6375 (JSC::JSArray::getOwnPropertyNames):
6376 (JSC::JSArray::setLength):
6377 (JSC::JSArray::sort):
6378 (JSC::JSArray::compactForSorting):
6379 (JSC::JSArray::checkConsistency):
6380 * runtime/JSSymbolTableObject.cpp:
6381 (JSC::JSSymbolTableObject::getOwnPropertyNames):
6382 * runtime/JSSymbolTableObject.h:
6383 (JSC::symbolTableGet):
6384 (JSC::symbolTablePut):
6385 (JSC::symbolTablePutWithAttributes):
6386 * runtime/RegExpCache.cpp:
6387 (JSC::RegExpCache::invalidateCode):
6388 * runtime/WeakGCMap.h:
6389 (JSC::WeakGCMap::clear):
6390 (JSC::WeakGCMap::set):
6391 * tools/ProfileTreeNode.h:
6392 (JSC::ProfileTreeNode::sampleChild):
6393 (JSC::ProfileTreeNode::childCount):
6394 (JSC::ProfileTreeNode::dumpInternal):
6395 (JSC::ProfileTreeNode::compareEntries):
6396
63972012-08-28 Filip Pizlo <fpizlo@apple.com>
6398
6399 LLInt should not rely on ordering of global labels
6400 https://bugs.webkit.org/show_bug.cgi?id=95221
6401
6402 Reviewed by Oliver Hunt.
6403
6404 * llint/LowLevelInterpreter.asm:
6405 * llint/LowLevelInterpreter32_64.asm:
6406 * llint/LowLevelInterpreter64.asm:
6407
64082012-08-28 Caio Marcelo de Oliveira Filho <caio.oliveira@openbossa.org>
6409
6410 Rename first/second to key/value in HashMap iterators
6411 https://bugs.webkit.org/show_bug.cgi?id=82784
6412
6413 Reviewed by Eric Seidel.
6414
6415 * API/JSCallbackObject.h:
6416 (JSC::JSCallbackObjectData::JSPrivatePropertyMap::getPrivateProperty):
6417 (JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
6418 (JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
6419 * API/JSCallbackObjectFunctions.h:
6420 (JSC::::getOwnPropertyNames):
6421 * API/JSClassRef.cpp:
6422 (OpaqueJSClass::~OpaqueJSClass):
6423 (OpaqueJSClassContextData::OpaqueJSClassContextData):
6424 (OpaqueJSClass::contextData):
6425 * bytecode/CodeBlock.cpp:
6426 (JSC::CodeBlock::dump):
6427 (JSC::EvalCodeCache::visitAggregate):
6428 (JSC::CodeBlock::nameForRegister):
6429 * bytecode/JumpTable.h:
6430 (JSC::StringJumpTable::offsetForValue):
6431 (JSC::StringJumpTable::ctiForValue):
6432 * bytecode/LazyOperandValueProfile.cpp:
6433 (JSC::LazyOperandValueProfileParser::getIfPresent):
6434 * bytecode/SamplingTool.cpp:
6435 (JSC::SamplingTool::dump):
6436 * bytecompiler/BytecodeGenerator.cpp:
6437 (JSC::BytecodeGenerator::addVar):
6438 (JSC::BytecodeGenerator::addGlobalVar):
6439 (JSC::BytecodeGenerator::addConstant):
6440 (JSC::BytecodeGenerator::addConstantValue):
6441 (JSC::BytecodeGenerator::emitLoad):
6442 (JSC::BytecodeGenerator::addStringConstant):
6443 (JSC::BytecodeGenerator::emitLazyNewFunction):
6444 * bytecompiler/NodesCodegen.cpp:
6445 (JSC::PropertyListNode::emitBytecode):
6446 * debugger/Debugger.cpp:
6447 * dfg/DFGArgumentsSimplificationPhase.cpp:
6448 (JSC::DFG::ArgumentsSimplificationPhase::run):
6449 (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
6450 (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
6451 (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
6452 (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
6453 * dfg/DFGAssemblyHelpers.cpp:
6454 (JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
6455 * dfg/DFGByteCodeCache.h:
6456 (JSC::DFG::ByteCodeCache::~ByteCodeCache):
6457 (JSC::DFG::ByteCodeCache::get):
6458 * dfg/DFGByteCodeParser.cpp:
6459 (JSC::DFG::ByteCodeParser::cellConstant):
6460 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
6461 * dfg/DFGStructureCheckHoistingPhase.cpp:
6462 (JSC::DFG::StructureCheckHoistingPhase::run):
6463 (JSC::DFG::StructureCheckHoistingPhase::noticeStructureCheck):
6464 (JSC::DFG::StructureCheckHoistingPhase::noticeClobber):
6465 * heap/Heap.cpp:
6466 (JSC::Heap::markProtectedObjects):
6467 * heap/Heap.h:
6468 (JSC::Heap::forEachProtectedCell):
6469 * heap/JITStubRoutineSet.cpp:
6470 (JSC::JITStubRoutineSet::markSlow):
6471 (JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
6472 * heap/MarkStack.cpp:
6473 (JSC::MarkStack::internalAppend):
6474 * heap/Weak.h:
6475 (JSC::weakRemove):
6476 * jit/JIT.cpp:
6477 (JSC::JIT::privateCompile):
6478 * jit/JITStubs.cpp:
6479 (JSC::JITThunks::ctiStub):
6480 * parser/Parser.cpp:
6481 (JSC::::parseStrictObjectLiteral):
6482 * profiler/Profile.cpp:
6483 (JSC::functionNameCountPairComparator):
6484 (JSC::Profile::debugPrintDataSampleStyle):
6485 * runtime/Identifier.cpp:
6486 (JSC::Identifier::add):
6487 * runtime/JSActivation.cpp:
6488 (JSC::JSActivation::getOwnPropertyNames):
6489 (JSC::JSActivation::symbolTablePutWithAttributes):
6490 * runtime/JSArray.cpp:
6491 (JSC::SparseArrayValueMap::put):
6492 (JSC::SparseArrayValueMap::putDirect):
6493 (JSC::SparseArrayValueMap::visitChildren):
6494 (JSC::JSArray::enterDictionaryMode):
6495 (JSC::JSArray::defineOwnNumericProperty):
6496 (JSC::JSArray::getOwnPropertySlotByIndex):
6497 (JSC::JSArray::getOwnPropertyDescriptor):
6498 (JSC::JSArray::putByIndexBeyondVectorLength):
6499 (JSC::JSArray::putDirectIndexBeyondVectorLength):
6500 (JSC::JSArray::deletePropertyByIndex):
6501 (JSC::JSArray::getOwnPropertyNames):
6502 (JSC::JSArray::setLength):
6503 (JSC::JSArray::sort):
6504 (JSC::JSArray::compactForSorting):
6505 (JSC::JSArray::checkConsistency):
6506 * runtime/JSSymbolTableObject.cpp:
6507 (JSC::JSSymbolTableObject::getOwnPropertyNames):
6508 * runtime/JSSymbolTableObject.h:
6509 (JSC::symbolTableGet):
6510 (JSC::symbolTablePut):
6511 (JSC::symbolTablePutWithAttributes):
6512 * runtime/RegExpCache.cpp:
6513 (JSC::RegExpCache::invalidateCode):
6514 * runtime/WeakGCMap.h:
6515 (JSC::WeakGCMap::clear):
6516 (JSC::WeakGCMap::set):
6517 * tools/ProfileTreeNode.h:
6518 (JSC::ProfileTreeNode::sampleChild):
6519 (JSC::ProfileTreeNode::childCount):
6520 (JSC::ProfileTreeNode::dumpInternal):
6521 (JSC::ProfileTreeNode::compareEntries):
6522
65232012-08-28 Geoffrey Garen <ggaren@apple.com>
6524
6525 GCC warning in JSActivation is causing Mac EWS errors
6526 https://bugs.webkit.org/show_bug.cgi?id=95103
6527
6528 Reviewed by Sam Weinig.
6529
6530 Try to fix a strict aliasing violation by using bitwise_cast. The
6531 union in the cast should signal to the compiler that aliasing between
6532 types is happening.
6533
6534 * runtime/JSActivation.cpp:
6535 (JSC::JSActivation::visitChildren):
6536
65372012-08-28 Geoffrey Garen <ggaren@apple.com>
6538
6539 Build fix: svn add two files I forgot in my last patch.
6540
65412012-08-27 Geoffrey Garen <ggaren@apple.com>
6542
6543 Refactored and consolidated variable resolution functions
6544 https://bugs.webkit.org/show_bug.cgi?id=95166
6545
6546 Reviewed by Filip Pizlo.
6547
6548 This patch does a few things:
6549
6550 (1) Introduces a new class, JSScope, which is the base class for all
6551 objects that represent a scope in the scope chain.
6552
6553 (2) Refactors and consolidates duplicate implementations of variable
6554 resolution into the JSScope class.
6555
6556 (3) Renames JSStaticScopeObject to JSNameScope because, as distinct from
6557 something like a 'let' scope, JSStaticScopeObject only has storage for a
6558 single name.
6559
6560 These changes makes logical sense to me as-is. I will also use them in an
6561 upcoming optimization.
6562
6563 * CMakeLists.txt:
6564 * GNUmakefile.list.am:
6565 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
6566 * JavaScriptCore.xcodeproj/project.pbxproj:
6567 * Target.pri: Build!
6568
6569 * bytecode/CodeBlock.cpp:
6570 (JSC): Build fix for LLInt-only builds.
6571
6572 * bytecode/GlobalResolveInfo.h:
6573 (GlobalResolveInfo): Use PropertyOffset to be consistent with other parts
6574 of the engine.
6575
6576 * bytecompiler/NodesCodegen.cpp:
6577 * dfg/DFGOperations.cpp: Use the shared code in JSScope instead of rolling
6578 our own.
6579
6580 * interpreter/Interpreter.cpp:
6581 (JSC::Interpreter::execute):
6582 (JSC::Interpreter::createExceptionScope):
6583 (JSC::Interpreter::privateExecute):
6584 * interpreter/Interpreter.h: Use the shared code in JSScope instead of rolling
6585 our own.
6586
6587 * jit/JITStubs.cpp:
6588 (JSC::DEFINE_STUB_FUNCTION): Use the shared code in JSScope instead of rolling
6589 our own.
6590
6591 * llint/LLIntSlowPaths.cpp:
6592 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
6593 (LLInt): Use the shared code in JSScope instead of rolling our own. Note
6594 that one of these slow paths calls the wrong helper function. I left it
6595 that way to avoid a behavior change in a refactoring patch.
6596
6597 * parser/Nodes.cpp: Updated for rename.
6598
6599 * runtime/CommonSlowPaths.h:
6600 (CommonSlowPaths): Removed resolve slow paths because were duplicative.
6601
6602 * runtime/JSGlobalData.cpp:
6603 (JSC::JSGlobalData::JSGlobalData):
6604 * runtime/JSGlobalData.h:
6605 (JSGlobalData): Updated for renames.
6606
6607 * runtime/JSNameScope.cpp: Copied from Source/JavaScriptCore/runtime/JSStaticScopeObject.cpp.
6608 (JSC):
6609 (JSC::JSNameScope::visitChildren):
6610 (JSC::JSNameScope::toThisObject):
6611 (JSC::JSNameScope::put):
6612 (JSC::JSNameScope::getOwnPropertySlot):
6613 * runtime/JSNameScope.h: Copied from Source/JavaScriptCore/runtime/JSStaticScopeObject.h.
6614 (JSC):
6615 (JSC::JSNameScope::create):
6616 (JSC::JSNameScope::createStructure):
6617 (JSNameScope):
6618 (JSC::JSNameScope::JSNameScope):
6619 (JSC::JSNameScope::isDynamicScope): Used do-webcore-rename script here.
6620 It is fabulous!
6621
6622 * runtime/JSObject.h:
6623 (JSObject):
6624 (JSC::JSObject::isNameScopeObject): More rename.
6625
6626 * runtime/JSScope.cpp: Added.
6627 (JSC):
6628 (JSC::JSScope::isDynamicScope):
6629 (JSC::JSScope::resolve):
6630 (JSC::JSScope::resolveSkip):
6631 (JSC::JSScope::resolveGlobal):
6632 (JSC::JSScope::resolveGlobalDynamic):
6633 (JSC::JSScope::resolveBase):
6634 (JSC::JSScope::resolveWithBase):
6635 (JSC::JSScope::resolveWithThis):
6636 * runtime/JSScope.h: Added.
6637 (JSC):
6638 (JSScope):
6639 (JSC::JSScope::JSScope): All the code here is a port from the
6640 Interpreter.cpp implementations of this functionality.
6641
6642 * runtime/JSStaticScopeObject.cpp: Removed.
6643 * runtime/JSStaticScopeObject.h: Removed.
6644
6645 * runtime/JSSymbolTableObject.cpp:
6646 (JSC):
6647 * runtime/JSSymbolTableObject.h:
6648 (JSSymbolTableObject):
6649 * runtime/JSType.h: Updated for rename.
6650
6651 * runtime/Operations.h:
6652 (JSC::resolveBase): Removed because it was duplicative.
6653
66542012-08-28 Alban Browaeys <prahal@yahoo.com>
6655
6656 [GTK] LLint build fails with -g -02
6657 https://bugs.webkit.org/show_bug.cgi?id=90098
6658
6659 Reviewed by Filip Pizlo.
6660
6661 Avoid duplicate offsets for llint, discarding them.
6662
6663 * offlineasm/offsets.rb:
6664
66652012-08-27 Sheriff Bot <webkit.review.bot@gmail.com>
6666
6667 Unreviewed, rolling out r126836.
6668 http://trac.webkit.org/changeset/126836
6669 https://bugs.webkit.org/show_bug.cgi?id=95163
6670
6671 Broke all Apple ports, EFL, and Qt. (Requested by tkent on
6672 #webkit).
6673
6674 * API/JSCallbackObject.h:
6675 (JSC::JSCallbackObjectData::JSPrivatePropertyMap::getPrivateProperty):
6676 (JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
6677 (JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
6678 * API/JSCallbackObjectFunctions.h:
6679 (JSC::::getOwnPropertyNames):
6680 * API/JSClassRef.cpp:
6681 (OpaqueJSClass::~OpaqueJSClass):
6682 (OpaqueJSClassContextData::OpaqueJSClassContextData):
6683 (OpaqueJSClass::contextData):
6684 * bytecode/CodeBlock.cpp:
6685 (JSC::CodeBlock::dump):
6686 (JSC::EvalCodeCache::visitAggregate):
6687 (JSC::CodeBlock::nameForRegister):
6688 * bytecode/JumpTable.h:
6689 (JSC::StringJumpTable::offsetForValue):
6690 (JSC::StringJumpTable::ctiForValue):
6691 * bytecode/LazyOperandValueProfile.cpp:
6692 (JSC::LazyOperandValueProfileParser::getIfPresent):
6693 * bytecode/SamplingTool.cpp:
6694 (JSC::SamplingTool::dump):
6695 * bytecompiler/BytecodeGenerator.cpp:
6696 (JSC::BytecodeGenerator::addVar):
6697 (JSC::BytecodeGenerator::addGlobalVar):
6698 (JSC::BytecodeGenerator::addConstant):
6699 (JSC::BytecodeGenerator::addConstantValue):
6700 (JSC::BytecodeGenerator::emitLoad):
6701 (JSC::BytecodeGenerator::addStringConstant):
6702 (JSC::BytecodeGenerator::emitLazyNewFunction):
6703 * bytecompiler/NodesCodegen.cpp:
6704 (JSC::PropertyListNode::emitBytecode):
6705 * debugger/Debugger.cpp:
6706 * dfg/DFGArgumentsSimplificationPhase.cpp:
6707 (JSC::DFG::ArgumentsSimplificationPhase::run):
6708 (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
6709 (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
6710 (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
6711 (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
6712 * dfg/DFGAssemblyHelpers.cpp:
6713 (JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
6714 * dfg/DFGByteCodeCache.h:
6715 (JSC::DFG::ByteCodeCache::~ByteCodeCache):
6716 (JSC::DFG::ByteCodeCache::get):
6717 * dfg/DFGByteCodeParser.cpp:
6718 (JSC::DFG::ByteCodeParser::cellConstant):
6719 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
6720 * dfg/DFGStructureCheckHoistingPhase.cpp:
6721 (JSC::DFG::StructureCheckHoistingPhase::run):
6722 (JSC::DFG::StructureCheckHoistingPhase::noticeStructureCheck):
6723 (JSC::DFG::StructureCheckHoistingPhase::noticeClobber):
6724 * heap/Heap.cpp:
6725 (JSC::Heap::markProtectedObjects):
6726 * heap/Heap.h:
6727 (JSC::Heap::forEachProtectedCell):
6728 * heap/JITStubRoutineSet.cpp:
6729 (JSC::JITStubRoutineSet::markSlow):
6730 (JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
6731 * heap/MarkStack.cpp:
6732 (JSC::MarkStack::internalAppend):
6733 * heap/Weak.h:
6734 (JSC::weakRemove):
6735 * jit/JIT.cpp:
6736 (JSC::JIT::privateCompile):
6737 * jit/JITStubs.cpp:
6738 (JSC::JITThunks::ctiStub):
6739 * parser/Parser.cpp:
6740 (JSC::::parseStrictObjectLiteral):
6741 * profiler/Profile.cpp:
6742 (JSC::functionNameCountPairComparator):
6743 (JSC::Profile::debugPrintDataSampleStyle):
6744 * runtime/Identifier.cpp:
6745 (JSC::Identifier::add):
6746 * runtime/JSActivation.cpp:
6747 (JSC::JSActivation::getOwnPropertyNames):
6748 (JSC::JSActivation::symbolTablePutWithAttributes):
6749 * runtime/JSArray.cpp:
6750 (JSC::SparseArrayValueMap::put):
6751 (JSC::SparseArrayValueMap::putDirect):
6752 (JSC::SparseArrayValueMap::visitChildren):
6753 (JSC::JSArray::enterDictionaryMode):
6754 (JSC::JSArray::defineOwnNumericProperty):
6755 (JSC::JSArray::getOwnPropertySlotByIndex):
6756 (JSC::JSArray::getOwnPropertyDescriptor):
6757 (JSC::JSArray::putByIndexBeyondVectorLength):
6758 (JSC::JSArray::putDirectIndexBeyondVectorLength):
6759 (JSC::JSArray::deletePropertyByIndex):
6760 (JSC::JSArray::getOwnPropertyNames):
6761 (JSC::JSArray::setLength):
6762 (JSC::JSArray::sort):
6763 (JSC::JSArray::compactForSorting):
6764 (JSC::JSArray::checkConsistency):
6765 * runtime/JSSymbolTableObject.cpp:
6766 (JSC::JSSymbolTableObject::getOwnPropertyNames):
6767 * runtime/JSSymbolTableObject.h:
6768 (JSC::symbolTableGet):
6769 (JSC::symbolTablePut):
6770 (JSC::symbolTablePutWithAttributes):
6771 * runtime/RegExpCache.cpp:
6772 (JSC::RegExpCache::invalidateCode):
6773 * runtime/WeakGCMap.h:
6774 (JSC::WeakGCMap::clear):
6775 (JSC::WeakGCMap::set):
6776 * tools/ProfileTreeNode.h:
6777 (JSC::ProfileTreeNode::sampleChild):
6778 (JSC::ProfileTreeNode::childCount):
6779 (JSC::ProfileTreeNode::dumpInternal):
6780 (JSC::ProfileTreeNode::compareEntries):
6781
67822012-08-27 Caio Marcelo de Oliveira Filho <caio.oliveira@openbossa.org>
6783
6784 Rename first/second to key/value in HashMap iterators
6785 https://bugs.webkit.org/show_bug.cgi?id=82784
6786
6787 Reviewed by Eric Seidel.
6788
6789 * API/JSCallbackObject.h:
6790 (JSC::JSCallbackObjectData::JSPrivatePropertyMap::getPrivateProperty):
6791 (JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
6792 (JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
6793 * API/JSCallbackObjectFunctions.h:
6794 (JSC::::getOwnPropertyNames):
6795 * API/JSClassRef.cpp:
6796 (OpaqueJSClass::~OpaqueJSClass):
6797 (OpaqueJSClassContextData::OpaqueJSClassContextData):
6798 (OpaqueJSClass::contextData):
6799 * bytecode/CodeBlock.cpp:
6800 (JSC::CodeBlock::dump):
6801 (JSC::EvalCodeCache::visitAggregate):
6802 (JSC::CodeBlock::nameForRegister):
6803 * bytecode/JumpTable.h:
6804 (JSC::StringJumpTable::offsetForValue):
6805 (JSC::StringJumpTable::ctiForValue):
6806 * bytecode/LazyOperandValueProfile.cpp:
6807 (JSC::LazyOperandValueProfileParser::getIfPresent):
6808 * bytecode/SamplingTool.cpp:
6809 (JSC::SamplingTool::dump):
6810 * bytecompiler/BytecodeGenerator.cpp:
6811 (JSC::BytecodeGenerator::addVar):
6812 (JSC::BytecodeGenerator::addGlobalVar):
6813 (JSC::BytecodeGenerator::addConstant):
6814 (JSC::BytecodeGenerator::addConstantValue):
6815 (JSC::BytecodeGenerator::emitLoad):
6816 (JSC::BytecodeGenerator::addStringConstant):
6817 (JSC::BytecodeGenerator::emitLazyNewFunction):
6818 * bytecompiler/NodesCodegen.cpp:
6819 (JSC::PropertyListNode::emitBytecode):
6820 * debugger/Debugger.cpp:
6821 * dfg/DFGArgumentsSimplificationPhase.cpp:
6822 (JSC::DFG::ArgumentsSimplificationPhase::run):
6823 (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
6824 (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
6825 (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
6826 (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
6827 * dfg/DFGAssemblyHelpers.cpp:
6828 (JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
6829 * dfg/DFGByteCodeCache.h:
6830 (JSC::DFG::ByteCodeCache::~ByteCodeCache):
6831 (JSC::DFG::ByteCodeCache::get):
6832 * dfg/DFGByteCodeParser.cpp:
6833 (JSC::DFG::ByteCodeParser::cellConstant):
6834 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
6835 * dfg/DFGStructureCheckHoistingPhase.cpp:
6836 (JSC::DFG::StructureCheckHoistingPhase::run):
6837 (JSC::DFG::StructureCheckHoistingPhase::noticeStructureCheck):
6838 (JSC::DFG::StructureCheckHoistingPhase::noticeClobber):
6839 * heap/Heap.cpp:
6840 (JSC::Heap::markProtectedObjects):
6841 * heap/Heap.h:
6842 (JSC::Heap::forEachProtectedCell):
6843 * heap/JITStubRoutineSet.cpp:
6844 (JSC::JITStubRoutineSet::markSlow):
6845 (JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
6846 * heap/MarkStack.cpp:
6847 (JSC::MarkStack::internalAppend):
6848 * heap/Weak.h:
6849 (JSC::weakRemove):
6850 * jit/JIT.cpp:
6851 (JSC::JIT::privateCompile):
6852 * jit/JITStubs.cpp:
6853 (JSC::JITThunks::ctiStub):
6854 * parser/Parser.cpp:
6855 (JSC::::parseStrictObjectLiteral):
6856 * profiler/Profile.cpp:
6857 (JSC::functionNameCountPairComparator):
6858 (JSC::Profile::debugPrintDataSampleStyle):
6859 * runtime/Identifier.cpp:
6860 (JSC::Identifier::add):
6861 * runtime/JSActivation.cpp:
6862 (JSC::JSActivation::getOwnPropertyNames):
6863 (JSC::JSActivation::symbolTablePutWithAttributes):
6864 * runtime/JSArray.cpp:
6865 (JSC::SparseArrayValueMap::put):
6866 (JSC::SparseArrayValueMap::putDirect):
6867 (JSC::SparseArrayValueMap::visitChildren):
6868 (JSC::JSArray::enterDictionaryMode):
6869 (JSC::JSArray::defineOwnNumericProperty):
6870 (JSC::JSArray::getOwnPropertySlotByIndex):
6871 (JSC::JSArray::getOwnPropertyDescriptor):
6872 (JSC::JSArray::putByIndexBeyondVectorLength):
6873 (JSC::JSArray::putDirectIndexBeyondVectorLength):
6874 (JSC::JSArray::deletePropertyByIndex):
6875 (JSC::JSArray::getOwnPropertyNames):
6876 (JSC::JSArray::setLength):
6877 (JSC::JSArray::sort):
6878 (JSC::JSArray::compactForSorting):
6879 (JSC::JSArray::checkConsistency):
6880 * runtime/JSSymbolTableObject.cpp:
6881 (JSC::JSSymbolTableObject::getOwnPropertyNames):
6882 * runtime/JSSymbolTableObject.h:
6883 (JSC::symbolTableGet):
6884 (JSC::symbolTablePut):
6885 (JSC::symbolTablePutWithAttributes):
6886 * runtime/RegExpCache.cpp:
6887 (JSC::RegExpCache::invalidateCode):
6888 * runtime/WeakGCMap.h:
6889 (JSC::WeakGCMap::clear):
6890 (JSC::WeakGCMap::set):
6891 * tools/ProfileTreeNode.h:
6892 (JSC::ProfileTreeNode::sampleChild):
6893 (JSC::ProfileTreeNode::childCount):
6894 (JSC::ProfileTreeNode::dumpInternal):
6895 (JSC::ProfileTreeNode::compareEntries):
6896
68972012-08-27 Filip Pizlo <fpizlo@apple.com>
6898
6899 Structure check hoisting should abstain if the OSR entry's must-handle value for the respective variable has a different structure
6900 https://bugs.webkit.org/show_bug.cgi?id=95141
6901 <rdar://problem/12170401>
6902
6903 Reviewed by Mark Hahnenberg.
6904
6905 * dfg/DFGStructureCheckHoistingPhase.cpp:
6906 (JSC::DFG::StructureCheckHoistingPhase::run):
6907
69082012-08-27 Mark Hahnenberg <mhahnenberg@apple.com>
6909
6910 Remove use of ClassInfo from SpeculativeJIT::compileGetByValOnArguments
6911 https://bugs.webkit.org/show_bug.cgi?id=95131
6912
6913 Reviewed by Filip Pizlo.
6914
6915 * dfg/DFGSpeculativeJIT.cpp:
6916 (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): We don't need this speculation check. We can replace it
6917 with an assert to guarantee this.
6918
69192012-08-27 Oliver Hunt <oliver@apple.com>
6920
6921 Remove opcode definition autogen for now
6922 https://bugs.webkit.org/show_bug.cgi?id=95148
6923
6924 Reviewed by Mark Hahnenberg.
6925
6926 This isn't worth doing at the moment.
6927
6928 * DerivedSources.make:
6929 * JavaScriptCore.xcodeproj/project.pbxproj:
6930 * bytecode/Opcode.h:
6931 (JSC):
6932 (JSC::padOpcodeName):
6933 * bytecode/OpcodeDefinitions.h: Removed.
6934 * bytecode/opcodes: Removed.
6935 * opcode_definition_generator.py: Removed.
6936 * opcode_generator.py: Removed.
6937 * opcode_parser.py: Removed.
6938
69392012-08-27 Mark Hahnenberg <mhahnenberg@apple.com>
6940
6941 Remove uses of TypedArray ClassInfo from SpeculativeJIT::checkArgumentTypes
6942 https://bugs.webkit.org/show_bug.cgi?id=95112
6943
6944 Reviewed by Filip Pizlo.
6945
6946 Removing these checks since we no longer need them.
6947
6948 * dfg/DFGAbstractState.cpp:
6949 (JSC::DFG::AbstractState::initialize):
6950 * dfg/DFGSpeculativeJIT.cpp:
6951 (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
6952
69532012-08-27 Benjamin Poulain <benjamin@webkit.org>
6954
6955 Add ECMAScript Number to String conversion to WTF::String
6956 https://bugs.webkit.org/show_bug.cgi?id=95016
6957
6958 Reviewed by Geoffrey Garen.
6959
6960 Rename UString::number(double) to UString::numberToStringECMAScript(double) to
6961 differenciate it from the fixed-width conversion performed by String::number().
6962
6963 * parser/ParserArena.h:
6964 (JSC::IdentifierArena::makeNumericIdentifier):
6965 * runtime/JSONObject.cpp:
6966 (JSC::Stringifier::appendStringifiedValue):
6967 * runtime/NumberPrototype.cpp:
6968 (JSC::numberProtoFuncToExponential):
6969 (JSC::numberProtoFuncToFixed):
6970 (JSC::numberProtoFuncToPrecision):
6971 (JSC::numberProtoFuncToString):
6972 * runtime/NumericStrings.h:
6973 (JSC::NumericStrings::add):
6974 * runtime/UString.cpp:
6975 (JSC::UString::numberToStringECMAScript):
6976 * runtime/UString.h:
6977 (UString):
6978
69792012-08-27 Mikhail Pozdnyakov <mikhail.pozdnyakov@intel.com>
6980
6981 Rename RegisterProtocolHandler API to NavigatorContentUtils
6982 https://bugs.webkit.org/show_bug.cgi?id=94920
6983
6984 Reviewed by Adam Barth.
6985
6986 ENABLE_REGISTER_PROTOCOL_HANDLER is renamed to ENABLE_NAVIGATOR_CONTENT_UTILS.
6987
6988 * Configurations/FeatureDefines.xcconfig:
6989
69902012-08-26 Filip Pizlo <fpizlo@apple.com>
6991
6992 Unreviewed, fix for builds without VALUE_PROFILING. I had forgotten that shouldEmitProfiling()
6993 is designed to return true if DFG_JIT is disabled. I should be using canBeOptimized() instead.
6994
6995 * jit/JITCall.cpp:
6996 (JSC::JIT::compileOpCall):
6997 * jit/JITCall32_64.cpp:
6998 (JSC::JIT::compileOpCall):
6999
70002012-08-26 Geoffrey Garen <ggaren@apple.com>
7001
7002 Don't allocate space for arguments and call frame if arguments aren't captured
7003 https://bugs.webkit.org/show_bug.cgi?id=95024
7004
7005 Reviewed by Phil Pizlo.
7006
7007 27% on v8-real-earley.
7008
7009 * runtime/JSActivation.h:
7010 (JSC::JSActivation::registerOffset): The offset is zero if we're skipping
7011 the arguments and call frame because "offset" means space reserved for
7012 those things.
7013
7014 (JSC::JSActivation::tearOff): Don't copy the scope chain and callee. We
7015 don't need them for anything, and we're no longer guaranteed to have
7016 space for them.
7017
70182012-08-26 Geoffrey Garen <ggaren@apple.com>
7019
7020 Removed the NULL checks from visitChildren functions
7021 https://bugs.webkit.org/show_bug.cgi?id=95021
7022
7023 Reviewed by Oliver Hunt.
7024
7025 As of http://trac.webkit.org/changeset/126624, all values are NULL-checked
7026 during GC, so explicit NULL checks aren't needed anymore.
7027
70282011-08-26 Geoffrey Garen <ggaren@apple.com>
7029
7030 Removed a JSC-specific hack from the web inspector
7031 https://bugs.webkit.org/show_bug.cgi?id=95033
7032
7033 Reviewed by Filip Pizlo.
7034
7035 Added support for what the web inspector really wanted instead.
7036
7037 * runtime/JSActivation.cpp:
7038 (JSC::JSActivation::symbolTableGet):
7039 (JSC::JSActivation::symbolTablePut): Added some explanation for these
7040 checks, which were non-obvious to me.
7041
7042 (JSC::JSActivation::getOwnPropertySlot): It's impossible to access the
7043 arguments property of an activation after it's been torn off, since the
7044 only way to tear off an activation is to instantiate a new function,
7045 which has its own arguments property in scope. However, the inspector
7046 get special access to activations, and may try to perform this access,
7047 so we need a special guard to maintain coherence and avoid crashing in
7048 case the activation optimized out the arguments property.
7049
7050 * runtime/JSActivation.cpp:
7051 (JSC::JSActivation::symbolTableGet):
7052 (JSC::JSActivation::symbolTablePut):
7053 (JSC::JSActivation::getOwnPropertyNames):
7054 (JSC::JSActivation::getOwnPropertyDescriptor): Provide getOwnPropertyNames
7055 and getOwnPropertyDescriptor implementations, to meet the web inspector's
7056 needs. (User code can never call these.)
7057
70582012-08-24 Filip Pizlo <fpizlo@apple.com>
7059
7060 Finally inlining should correctly track the catch context
7061 https://bugs.webkit.org/show_bug.cgi?id=94986
7062 <rdar://problem/11753784>
7063
7064 Reviewed by Sam Weinig.
7065
7066 This fixes two behaviors:
7067
7068 1) Throwing from a finally block. Previously, we would seem to reenter the finally
7069 block - though only once.
7070
7071 2) Executing a finally block from some nested context, for example due to a
7072 'continue', 'break', or 'return' in the try. This would execute the finally
7073 block in the context of of the try block, which could lead to either scope depth
7074 mismatches or reexecutions of the finally block on throw, similarly to (1) but
7075 for different reasons.
7076
7077 * bytecompiler/BytecodeGenerator.cpp:
7078 (JSC):
7079 (JSC::BytecodeGenerator::pushFinallyContext):
7080 (JSC::BytecodeGenerator::emitComplexJumpScopes):
7081 (JSC::BytecodeGenerator::pushTry):
7082 (JSC::BytecodeGenerator::popTryAndEmitCatch):
7083 * bytecompiler/BytecodeGenerator.h:
7084 (FinallyContext):
7085 (TryData):
7086 (JSC):
7087 (TryContext):
7088 (TryRange):
7089 (BytecodeGenerator):
7090 * bytecompiler/NodesCodegen.cpp:
7091 (JSC::TryNode::emitBytecode):
7092
70932012-08-26 Filip Pizlo <fpizlo@apple.com>
7094
7095 Array type checks and storage accesses should be uniformly represented and available to CSE
7096 https://bugs.webkit.org/show_bug.cgi?id=95013
7097
7098 Reviewed by Oliver Hunt.
7099
7100 This uniformly breaks up all array accesses into up to three parts:
7101
7102 1) The type check, using a newly introduced CheckArray node, in addition to possibly
7103 a CheckStructure node. We were already inserting the CheckStructure prior to this
7104 patch. The CheckArray node will be automatically eliminated if the thing it was
7105 checking for had already been checked for, either intentionally (a CheckStructure
7106 inserted based on the array profile of this access) or accidentally (some checks,
7107 typically a CheckStructure, inserted for some unrelated operations). The
7108 CheckArray node may not be inserted if the array type is non-specific (Generic or
7109 ForceExit).
7110
7111 2) The storage load using GetIndexedPropertyStorage. Previously, this only worked for
7112 GetByVal. Now it works for all array accesses. The storage load may not be
7113 inserted if the mode of array access does not permit CSE of storage loads (like
7114 non-specific modes or Arguments).
7115
7116 3) The access itself: one of GetByVal, PutByVal, PutByValAlias, ArrayPush, ArrayPop,
7117 GetArrayLength, StringCharAt, or StringCharCodeAt.
7118
7119 This means that the type check can be subjected to CSE even if the CFA isn't smart
7120 enough to reason about it (yet!). It also means that the storage load can always be
7121 subjected to CSE; previously CSE on storage load only worked for array loads and not
7122 other forms of access. Finally, it removes the bizarre behavior that
7123 GetIndexedPropertyStorage previously had: previously, it was responsible for the type
7124 check in some cases, but not others; this made reasoning about the CFA really
7125 confusing.
7126
7127 This change also disables late refinement of array mode, since I decided that
7128 supporting that feature is both confusing and likely unprofitable. The array modes are
7129 now locked in in the first fixup run after prediction propagation. Of course,
7130 refinements from Generic to something else would not have been a problem; we could
7131 reenable those if we thought we really needed to.
7132
7133 * dfg/DFGAbstractState.cpp:
7134 (JSC::DFG::AbstractState::execute):
7135 * dfg/DFGArgumentsSimplificationPhase.cpp:
7136 (JSC::DFG::ArgumentsSimplificationPhase::run):
7137 * dfg/DFGArrayMode.cpp:
7138 (JSC::DFG::fromStructure):
7139 (DFG):
7140 (JSC::DFG::refineArrayMode):
7141 * dfg/DFGArrayMode.h:
7142 (DFG):
7143 (JSC::DFG::modeIsJSArray):
7144 (JSC::DFG::lengthNeedsStorage):
7145 (JSC::DFG::modeIsSpecific):
7146 (JSC::DFG::modeSupportsLength):
7147 * dfg/DFGByteCodeParser.cpp:
7148 (JSC::DFG::ByteCodeParser::ByteCodeParser):
7149 (JSC::DFG::ByteCodeParser::getArrayMode):
7150 (ByteCodeParser):
7151 (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
7152 (JSC::DFG::ByteCodeParser::handleIntrinsic):
7153 (JSC::DFG::ByteCodeParser::parseBlock):
7154 * dfg/DFGCFGSimplificationPhase.cpp:
7155 (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
7156 * dfg/DFGCSEPhase.cpp:
7157 (JSC::DFG::CSEPhase::CSEPhase):
7158 (JSC::DFG::CSEPhase::checkStructureElimination):
7159 (CSEPhase):
7160 (JSC::DFG::CSEPhase::checkArrayElimination):
7161 (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
7162 (JSC::DFG::CSEPhase::performNodeCSE):
7163 (JSC::DFG::performCSE):
7164 * dfg/DFGCSEPhase.h:
7165 (DFG):
7166 * dfg/DFGCommon.h:
7167 * dfg/DFGConstantFoldingPhase.cpp:
7168 (JSC::DFG::ConstantFoldingPhase::foldConstants):
7169 * dfg/DFGDriver.cpp:
7170 (JSC::DFG::compile):
7171 * dfg/DFGFixupPhase.cpp:
7172 (JSC::DFG::FixupPhase::fixupNode):
7173 (JSC::DFG::FixupPhase::checkArray):
7174 (FixupPhase):
7175 (JSC::DFG::FixupPhase::blessArrayOperation):
7176 * dfg/DFGGraph.cpp:
7177 (JSC::DFG::Graph::Graph):
7178 (DFG):
7179 (JSC::DFG::Graph::dump):
7180 (JSC::DFG::Graph::collectGarbage):
7181 * dfg/DFGGraph.h:
7182 (Graph):
7183 (JSC::DFG::Graph::vote):
7184 (JSC::DFG::Graph::substitute):
7185 * dfg/DFGNode.h:
7186 (JSC::DFG::Node::hasArrayMode):
7187 (JSC::DFG::Node::setArrayMode):
7188 * dfg/DFGNodeType.h:
7189 (DFG):
7190 * dfg/DFGOperations.cpp:
7191 * dfg/DFGPhase.h:
7192 (DFG):
7193 * dfg/DFGPredictionPropagationPhase.cpp:
7194 (JSC::DFG::PredictionPropagationPhase::propagate):
7195 (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
7196 * dfg/DFGSpeculativeJIT.cpp:
7197 (JSC::DFG::SpeculativeJIT::checkArray):
7198 (JSC::DFG::SpeculativeJIT::useChildren):
7199 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
7200 (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
7201 (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
7202 (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
7203 * dfg/DFGSpeculativeJIT.h:
7204 (SpeculativeJIT):
7205 * dfg/DFGSpeculativeJIT32_64.cpp:
7206 (JSC::DFG::SpeculativeJIT::compile):
7207 * dfg/DFGSpeculativeJIT64.cpp:
7208 (JSC::DFG::SpeculativeJIT::compile):
7209 * dfg/DFGStructureCheckHoistingPhase.cpp:
7210 (JSC::DFG::StructureCheckHoistingPhase::run):
7211
72122012-08-26 Filip Pizlo <fpizlo@apple.com>
7213
7214 DFGGraph.h has a bogus comment about the nature of StorageAccessData
7215 https://bugs.webkit.org/show_bug.cgi?id=95035
7216
7217 Reviewed by Oliver Hunt.
7218
7219 The comment is both wrong (storage access instructions don't reference CheckStructure)
7220 and highly redundant: of course it's the case that two structures may have the same
7221 identifier. Our interference analyses currently don't care about this and make the
7222 conservative assumptions when necessary (same identifier, same object -> must be same
7223 property; same identifier, may be same object -> may be the same property). Better to
7224 remove the bogus comment since the code that operates over this data structure is
7225 fairly self-explanatory already.
7226
7227 * dfg/DFGGraph.h:
7228 (StorageAccessData):
7229
72302012-08-25 Geoffrey Garen <ggaren@apple.com>
7231
7232 Try a little harder to fix the Linux build.
7233
7234 * runtime/JSActivation.cpp:
7235 * runtime/JSActivation.h:
7236
72372012-08-25 Geoffrey Garen <ggaren@apple.com>
7238
7239 Try to fix the Linux build.
7240
7241 * runtime/JSActivation.cpp:
7242
72432012-08-25 Geoffrey Garen <ggaren@apple.com>
7244
7245 Don't use malloc / destructors for activation objects
7246 https://bugs.webkit.org/show_bug.cgi?id=94897
7247
7248 Reviewed by Oliver Hunt.
7249
7250 65% faster on v8-real-earley.
7251
7252 Lots of boilerplate here, but the jist is this:
7253
7254 (1) Use CopiedSpace instead of malloc to allocate the activation's
7255 backing store.
7256
7257 (2) Use MarkedSpace instead of ref-counting to allocate the symbol table.
7258
7259 (3) ==> No more destructor.
7260
7261 * bytecode/CodeBlock.cpp:
7262 (JSC::CodeBlock::CodeBlock):
7263 (JSC::CodeBlock::stronglyVisitStrongReferences):
7264 * bytecode/CodeBlock.h:
7265 (JSC::CodeBlock::symbolTable):
7266 (CodeBlock):
7267 (JSC::GlobalCodeBlock::GlobalCodeBlock):
7268 (JSC::FunctionCodeBlock::FunctionCodeBlock):
7269 (FunctionCodeBlock): SymbolTable is a GC object now, so it gets a write
7270 barrier and visit calls instead of ref-counting. I changed all CodeBlocks
7271 to use shared symbol tables because the distinction between shared and
7272 unshared hurt my head.
7273
7274 * bytecompiler/BytecodeGenerator.cpp:
7275 (JSC::BytecodeGenerator::resolve):
7276 (JSC::BytecodeGenerator::resolveConstDecl):
7277 (JSC::BytecodeGenerator::emitPutStaticVar):
7278 * dfg/DFGByteCodeParser.cpp:
7279 (JSC::DFG::ByteCodeParser::parseBlock):
7280 * dfg/DFGSpeculativeJIT32_64.cpp:
7281 (JSC::DFG::SpeculativeJIT::compile):
7282 * dfg/DFGSpeculativeJIT64.cpp:
7283 (JSC::DFG::SpeculativeJIT::compile): Sometimes, a period just wants
7284 to be an arrow. And then C++ is there to accommodate.
7285
7286 * jit/JITDriver.h:
7287 (JSC::jitCompileFunctionIfAppropriate):
7288 * runtime/Arguments.h:
7289 (ArgumentsData):
7290 (JSC::Arguments::setRegisters):
7291 (Arguments):
7292 (JSC::Arguments::argument):
7293 (JSC::Arguments::finishCreation):
7294 * runtime/Executable.cpp:
7295 (JSC::FunctionExecutable::FunctionExecutable):
7296 (JSC::ProgramExecutable::compileInternal):
7297 (JSC::FunctionExecutable::compileForCallInternal):
7298 (JSC::FunctionExecutable::compileForConstructInternal):
7299 (JSC::FunctionExecutable::visitChildren):
7300 * runtime/Executable.h:
7301 (JSC::FunctionExecutable::symbolTable):
7302 (FunctionExecutable):
7303 * runtime/ExecutionHarness.h:
7304 (JSC::prepareFunctionForExecution): I changed from WriteBarrier to
7305 WriteBarrierBase so activations could reuse StorageBarrier and PropertyStorage.
7306
7307 * runtime/JSActivation.cpp:
7308 (JSC::JSActivation::JSActivation):
7309 (JSC::JSActivation::finishCreation): Allocate the symbol table here,
7310 after we're fully constructed, to avoid GC during initialization.
7311
7312 (JSC::JSActivation::visitChildren):
7313 (JSC::JSActivation::symbolTableGet):
7314 (JSC::JSActivation::symbolTablePut):
7315 (JSC::JSActivation::getOwnPropertyNames):
7316 (JSC::JSActivation::symbolTablePutWithAttributes):
7317 * runtime/JSActivation.h:
7318 (JSC::JSActivation::create):
7319 (JSActivation):
7320 (JSC::JSActivation::registerOffset):
7321 (JSC):
7322 (JSC::JSActivation::registerArraySize):
7323 (JSC::JSActivation::registerArraySizeInBytes):
7324 (JSC::JSActivation::tearOff): Tear-off zero-initializes all uncopied
7325 registers. This makes it safe to copyAndAppend the full buffer in
7326 visitChildren, without any extra checks.
7327
7328 * runtime/JSCell.h:
7329 (JSCell): Moved a shared default set of flags into this base class, so
7330 I could use it in a few places.
7331
7332 * runtime/JSGlobalData.cpp:
7333 (JSC::JSGlobalData::JSGlobalData):
7334 * runtime/JSGlobalData.h:
7335 (JSGlobalData): New structure for symbol tables.
7336
7337 * runtime/JSGlobalObject.cpp:
7338 (JSC::JSGlobalObject::JSGlobalObject):
7339 (JSC::JSGlobalObject::addStaticGlobals):
7340 * runtime/JSGlobalObject.h:
7341 (JSGlobalObject):
7342 (JSC::JSGlobalObject::symbolTableHasProperty): We don't need an inline
7343 symbol table -- JSSymbolTableObject will GC allocate one for us.
7344
7345 * runtime/JSObject.h:
7346 (JSObject):
7347 * runtime/JSSegmentedVariableObject.h:
7348 (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject):
7349 * runtime/JSStaticScopeObject.cpp:
7350 (JSC):
7351 (JSC::JSStaticScopeObject::visitChildren): NULL check our register store
7352 because finishCreation allocates an object now, so we may get marked
7353 before we've assigned to our register store.
7354
7355 * runtime/JSStaticScopeObject.h:
7356 (JSC::JSStaticScopeObject::finishCreation):
7357 (JSC::JSStaticScopeObject::JSStaticScopeObject):
7358 (JSStaticScopeObject): No more destructor for this object, either, since
7359 it no longer embeds a hash table.
7360
7361 * runtime/JSSymbolTableObject.cpp:
7362 (JSC::JSSymbolTableObject::visitChildren):
7363 (JSC::JSSymbolTableObject::deleteProperty):
7364 (JSC::JSSymbolTableObject::getOwnPropertyNames):
7365 * runtime/JSSymbolTableObject.h:
7366 (JSC::JSSymbolTableObject::symbolTable):
7367 (JSSymbolTableObject):
7368 (JSC::JSSymbolTableObject::JSSymbolTableObject):
7369 (JSC::JSSymbolTableObject::finishCreation):
7370 (JSC::symbolTableGet):
7371 (JSC::symbolTablePut):
7372 (JSC::symbolTablePutWithAttributes): SymbolTableObject allocates a symbol
7373 table automatically if one isn't provided. (Activations provide their
7374 own, which they get from compiled code.)
7375
7376 * runtime/JSVariableObject.cpp:
7377 (JSC):
7378 * runtime/JSVariableObject.h:
7379 (JSC::JSVariableObject::registerAt):
7380 (JSC::JSVariableObject::addressOfRegisters):
7381 (JSVariableObject):
7382 (JSC::JSVariableObject::JSVariableObject):
7383 (JSC::JSVariableObject::finishCreation): Removed a bunch of obsolete code.
7384 Activations manage their registers directly now.
7385
7386 * runtime/StorageBarrier.h:
7387 (StorageBarrier):
7388 (JSC::StorageBarrier::operator!):
7389
7390 * runtime/SymbolTable.cpp:
7391 (JSC):
7392 (JSC::SharedSymbolTable::destroy):
7393 * runtime/SymbolTable.h:
7394 (JSC::SharedSymbolTable::create):
7395 (SharedSymbolTable):
7396 (JSC::SharedSymbolTable::createStructure):
7397 (JSC::SharedSymbolTable::SharedSymbolTable): Boilerplat code to
7398 make shared symbol table GC-allocated.
7399
74002012-08-25 Filip Pizlo <fpizlo@apple.com>
7401
7402 op_call should have ArrayProfiling for the benefit of array intrinsics
7403 https://bugs.webkit.org/show_bug.cgi?id=95014
7404
7405 Reviewed by Sam Weinig.
7406
7407 This is a performance-neutral change that just adds the profiling but does not
7408 use it, yet. If in the future we wanted to make this kind of profiling cheaper
7409 we could move it into specialized thunks for the relevant array intrinsics, but
7410 I figure that if this much simpler change gives us what we need without any
7411 discernable performance penalty then that's for the best.
7412
7413 * bytecompiler/BytecodeGenerator.cpp:
7414 (JSC::BytecodeGenerator::emitCall):
7415 * jit/JITCall.cpp:
7416 (JSC::JIT::compileOpCall):
7417 * jit/JITCall32_64.cpp:
7418 (JSC::JIT::compileOpCall):
7419 * llint/LowLevelInterpreter.asm:
7420 * llint/LowLevelInterpreter32_64.asm:
7421 * llint/LowLevelInterpreter64.asm:
7422
74232012-08-25 Filip Pizlo <fpizlo@apple.com>
7424
7425 The redundant phi elimination phase is not used and should be removed
7426 https://bugs.webkit.org/show_bug.cgi?id=95006
7427
7428 Reviewed by Dan Bernstein.
7429
7430 Just removing dead code.
7431
7432 * CMakeLists.txt:
7433 * GNUmakefile.list.am:
7434 * JavaScriptCore.xcodeproj/project.pbxproj:
7435 * Target.pri:
7436 * dfg/DFGDriver.cpp:
7437 * dfg/DFGRedundantPhiEliminationPhase.cpp: Removed.
7438 * dfg/DFGRedundantPhiEliminationPhase.h: Removed.
7439
74402012-08-24 Benjamin Poulain <bpoulain@apple.com>
7441
7442 Unify Number to StringImpl conversion
7443 https://bugs.webkit.org/show_bug.cgi?id=94879
7444
7445 Reviewed by Geoffrey Garen.
7446
7447 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
7448 * runtime/UString.cpp:
7449 * runtime/UString.h:
7450 (JSC::UString::number):
7451 Update UString to directly use the common NumberToString implementation.
7452
74532012-08-24 Oliver Hunt <oliver@apple.com>
7454
7455 Always null check cells before marking
7456 https://bugs.webkit.org/show_bug.cgi?id=94968
7457
7458 Reviewed by Geoffrey Garen.
7459
7460 Originally we tried to minimise null checks by only null checking values
7461 that we knew could be null, however given that we can't ever guarantee
7462 when a GC will happen, we're better off just always assuming that a null
7463 check will be necessary. This results in a much less fragile code base
7464 as we can add GC allocations to object initialisers without having to
7465 subsequently worry about whether the object we are initialising will need
7466 to add a bunch of null checks in its visitChildren implementation.
7467
7468 * heap/MarkStack.cpp:
7469 (JSC::MarkStack::internalAppend):
7470 * heap/MarkStackInlineMethods.h:
7471 (JSC::MarkStack::append):
7472 (JSC::MarkStack::appendUnbarrieredPointer):
7473 * runtime/Structure.h:
7474 (JSC::MarkStack::internalAppend):
7475
74762012-08-23 Oliver Hunt <oliver@apple.com>
7477
7478 Autogenerate Opcode definitions
7479 https://bugs.webkit.org/show_bug.cgi?id=94840
7480
7481 Reviewed by Gavin Barraclough.
7482
7483 Start the process of autogenerating the code emission for the bytecode.
7484 We'll just start with automatic generation of the list of Opcodes as that
7485 requires the actual definition of the opcodes, and the logic for parsing
7486 them.
7487
7488 Due to some rather annoying dependency cycles, this initial version has
7489 the OpcodeDefinitions.h file checked into the tree, although with some
7490 work I hope to be able to fix that.
7491
7492 * DerivedSources.make:
7493 * JavaScriptCore.xcodeproj/project.pbxproj:
7494 * bytecode/Opcode.h:
7495 Include OpcodeDefinitions.h as our definitive source of info
7496 about the opcodes.
7497 * bytecode/OpcodeDefinitions.h: Added.
7498 Autogenerated file
7499 * bytecode/opcodes: Added.
7500 The new opcode definition file
7501 * opcode_definition_generator.py: Added.
7502 (generateOpcodeDefinition):
7503 (generate):
7504 Module that generates the content for OpcodeDefinitions.h
7505 * opcode_generator.py: Added.
7506 (printUsage):
7507 (main):
7508 Driver script
7509 * opcode_parser.py: Added.
7510 Simple parser for the opcode definitions.
7511
75122011-08-23 Geoffrey Garen <ggaren@apple.com>
7513
7514 Unreviewed, rolling out r126505.
7515 http://trac.webkit.org/changeset/126505
7516 https://bugs.webkit.org/show_bug.cgi?id=94840
7517
7518 Caused testapi to crash on launch
7519
7520 * DerivedSources.make:
7521 * JavaScriptCore.xcodeproj/project.pbxproj:
7522 * bytecode/Opcode.h:
7523 (JSC):
7524 (JSC::padOpcodeName):
7525 * bytecode/OpcodeDefinitions.h: Removed.
7526 * bytecode/opcodes: Removed.
7527 * opcode_definition_generator.py: Removed.
7528 * opcode_generator.py: Removed.
7529 * opcode_parser.py: Removed.
7530
75312012-08-23 Oliver Hunt <oliver@apple.com>
7532
7533 Autogenerate Opcode definitions
7534 https://bugs.webkit.org/show_bug.cgi?id=94840
7535
7536 Reviewed by Gavin Barraclough.
7537
7538 Start the process of autogenerating the code emission for the bytecode.
7539 We'll just start with automatic generation of the list of Opcodes as that
7540 requires the actual definition of the opcodes, and the logic for parsing
7541 them.
7542
7543 Due to some rather annoying dependency cycles, this initial version has
7544 the OpcodeDefinitions.h file checked into the tree, although with some
7545 work I hope to be able to fix that.
7546
7547 * DerivedSources.make:
7548 * JavaScriptCore.xcodeproj/project.pbxproj:
7549 * bytecode/Opcode.h:
7550 Include OpcodeDefinitions.h as our definitive source of info
7551 about the opcodes.
7552 * bytecode/OpcodeDefinitions.h: Added.
7553 Autogenerated file
7554 * bytecode/opcodes: Added.
7555 The new opcode definition file
7556 * opcode_definition_generator.py: Added.
7557 (generateOpcodeDefinition):
7558 (generate):
7559 Module that generates the content for OpcodeDefinitions.h
7560 * opcode_generator.py: Added.
7561 (printUsage):
7562 (main):
7563 Driver script
7564 * opcode_parser.py: Added.
7565 Simple parser for the opcode definitions.
7566
75672012-08-23 Mark Hahnenberg <mhahnenberg@apple.com>
7568
7569 Change behavior of MasqueradesAsUndefined to better accommodate DFG changes
7570 https://bugs.webkit.org/show_bug.cgi?id=93884
7571
7572 Reviewed by Filip Pizlo.
7573
7574 With some upcoming changes to the DFG to remove uses of ClassInfo, we will be changing the behavior of
7575 MasqueradesAsUndefined. In order to make this change consistent across all of our execution engines,
7576 we will make this change to MasqueradesAsUndefined as a separate patch. After this patch, MasqueradesAsUndefined
7577 objects will only masquerade as undefined in their original context (i.e. their original JSGlobalObject).
7578 For example, if an object that masquerades as undefined in frame A is passed to frame B, it will not
7579 masquerade as undefined within frame B, but it will continue to masquerade in frame A.
7580
7581 There are two primary changes that are taking place here. One is to thread the ExecState* through
7582 JSValue::toBoolean and JSCell::toBoolean so that JSCell::toBoolean can check the object's
7583 JSGlobalObject to compare it to the lexical JSGlobalObject of the currently running code. If the two
7584 are distinct, then the object cannot MasqueradeAsUndefined.
7585
7586 The other change is to perform this comparison of JSGlobalObjects everywhere where the MasqueradesAsUndefined
7587 flag in the Structure is checked. For C++ code, this check has been factored into its own function in
7588 Structure::masqueradesAsUndefined. We only perform this check in the DFG if the current JSGlobalObject has
7589 had a MasqueradesAsUndefined object allocated within its context. This conditional compilation is managed
7590 through the use of a WatchpointSet in each JSGlobalObject and alternate create() functions for JS DOM wrappers
7591 that are MasqueradesAsUndefined.
7592
7593 * API/JSValueRef.cpp:
7594 (JSValueToBoolean):
7595 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
7596 * bytecode/Watchpoint.h:
7597 (WatchpointSet):
7598 * debugger/DebuggerCallFrame.h:
7599 (JSC::DebuggerCallFrame::callFrame):
7600 * dfg/DFGAbstractState.cpp:
7601 (JSC::DFG::AbstractState::execute):
7602 * dfg/DFGCFGSimplificationPhase.cpp:
7603 (JSC::DFG::CFGSimplificationPhase::run):
7604 * dfg/DFGOperations.cpp:
7605 * dfg/DFGOperations.h:
7606 * dfg/DFGSpeculativeJIT32_64.cpp:
7607 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
7608 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
7609 (JSC::DFG::SpeculativeJIT::compile):
7610 * dfg/DFGSpeculativeJIT64.cpp:
7611 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
7612 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
7613 (JSC::DFG::SpeculativeJIT::compile):
7614 * interpreter/Interpreter.cpp:
7615 (JSC::Interpreter::privateExecute):
7616 * jit/JITOpcodes.cpp:
7617 (JSC::JIT::emit_op_is_undefined):
7618 (JSC::JIT::emit_op_jeq_null):
7619 (JSC::JIT::emit_op_jneq_null):
7620 (JSC::JIT::emit_op_eq_null):
7621 (JSC::JIT::emit_op_neq_null):
7622 * jit/JITOpcodes32_64.cpp:
7623 (JSC::JIT::emit_op_is_undefined):
7624 (JSC::JIT::emit_op_jeq_null):
7625 (JSC::JIT::emit_op_jneq_null):
7626 (JSC::JIT::emit_op_eq_null):
7627 (JSC::JIT::emit_op_neq_null):
7628 * jit/JITStubs.cpp:
7629 (JSC::DEFINE_STUB_FUNCTION):
7630 * llint/LLIntSlowPaths.cpp:
7631 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
7632 * llint/LowLevelInterpreter32_64.asm:
7633 * llint/LowLevelInterpreter64.asm:
7634 * runtime/ArrayPrototype.cpp:
7635 (JSC::arrayProtoFuncFilter):
7636 (JSC::arrayProtoFuncEvery):
7637 (JSC::arrayProtoFuncSome):
7638 * runtime/BooleanConstructor.cpp:
7639 (JSC::constructBoolean):
7640 (JSC::callBooleanConstructor):
7641 * runtime/JSCell.h:
7642 (JSCell):
7643 * runtime/JSGlobalObject.cpp:
7644 (JSC::JSGlobalObject::JSGlobalObject):
7645 * runtime/JSGlobalObject.h:
7646 (JSGlobalObject):
7647 (JSC::JSGlobalObject::masqueradesAsUndefinedWatchpoint):
7648 * runtime/JSString.h:
7649 (JSC::JSCell::toBoolean):
7650 (JSC::JSValue::toBoolean):
7651 * runtime/JSValue.h:
7652 * runtime/ObjectConstructor.cpp:
7653 (JSC::toPropertyDescriptor):
7654 * runtime/Operations.cpp:
7655 (JSC::jsTypeStringForValue):
7656 (JSC::jsIsObjectType):
7657 * runtime/Operations.h:
7658 (JSC):
7659 (JSC::JSValue::equalSlowCaseInline):
7660 * runtime/RegExpConstructor.cpp:
7661 (JSC::setRegExpConstructorMultiline):
7662 * runtime/RegExpPrototype.cpp:
7663 (JSC::regExpProtoFuncToString):
7664 * runtime/Structure.h:
7665 (Structure):
7666 (JSC::Structure::globalObjectOffset):
7667 (JSC::Structure::masqueradesAsUndefined):
7668 (JSC):
7669
76702012-08-23 Mark Rowe <mrowe@apple.com>
7671
7672 Make JavaScriptCore build with the latest version of clang.
7673
7674 Reviewed by Dan Bernstein.
7675
7676 * heap/MachineStackMarker.cpp:
7677 (JSC::MachineThreads::MachineThreads): The m_heap member is only used within
7678 assertions, so guard its initialization with !ASSERT_DISABLED.
7679 * heap/MachineStackMarker.h:
7680 (MachineThreads): Ditto for its declaration.
7681 * jit/JITStubCall.h:
7682 (JSC::JITStubCall::JITStubCall): The m_returnType member is only used within
7683 assertions or if we're using JSVALUE32_64, so guard its uses with the appropriate
7684 #if.
7685 (JITStubCall): Ditto.
7686
76872012-08-23 Christophe Dumez <christophe.dumez@intel.com>
7688
7689 Serialization of JavaScript values does not appear to respect new HTML5 Structured Clone semantics
7690 https://bugs.webkit.org/show_bug.cgi?id=65292
7691
7692 Reviewed by Oliver Hunt.
7693
7694 Add function to construct a StringObject from a JSValue.
7695 Similar functions already exist for NumberObject and
7696 BooleanObject for example.
7697
7698 Export several symbols so address linking errors in
7699 WebCore.
7700
7701 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
7702 * runtime/BooleanObject.h:
7703 (BooleanObject):
7704 * runtime/NumberObject.h:
7705 (NumberObject):
7706 (JSC):
7707 * runtime/StringObject.cpp:
7708 (JSC::constructString):
7709 (JSC):
7710 * runtime/StringObject.h:
7711 (JSC):
7712
77132012-08-22 Filip Pizlo <fpizlo@apple.com>
7714
7715 Array accesses should remember what kind of array they are predicted to access
7716 https://bugs.webkit.org/show_bug.cgi?id=94448
7717
7718 Reviewed by Gavin Barraclough.
7719
7720 Introduced the notion of DFG::Array::Mode, stored in node.arrayMode(), which allows nodes
7721 to remember how they decided to access arrays. This permits the bytecode parser to "lock in"
7722 the mode of access if it has profiling at its disposal, and it also allows the prediction
7723 propagator to do a fixup of the array mode later in the optimization fixpoint.
7724
7725 This patch adds a healthy amount of new capability (specifically the ability of the parser
7726 to lock in an array mode regardless of type predictions) and it also blows away a lot of
7727 messy code.
7728
7729 * CMakeLists.txt:
7730 * GNUmakefile.list.am:
7731 * JavaScriptCore.xcodeproj/project.pbxproj:
7732 * Target.pri:
7733 * dfg/DFGAbstractState.cpp:
7734 (JSC::DFG::AbstractState::execute):
7735 * dfg/DFGArgumentsSimplificationPhase.cpp:
7736 (JSC::DFG::ArgumentsSimplificationPhase::run):
7737 * dfg/DFGArrayMode.cpp: Added.
7738 (DFG):
7739 (JSC::DFG::fromObserved):
7740 (JSC::DFG::refineArrayMode):
7741 (JSC::DFG::modeAlreadyChecked):
7742 (JSC::DFG::modeToString):
7743 * dfg/DFGArrayMode.h: Added.
7744 (DFG):
7745 (JSC::DFG::canCSEStorage):
7746 (JSC::DFG::modeForPut):
7747 (JSC::DFG::modesCompatibleForStorageLoad):
7748 (JSC::DFG::modeSupportsLength):
7749 * dfg/DFGByteCodeParser.cpp:
7750 (ByteCodeParser):
7751 (JSC::DFG::ByteCodeParser::getArrayModeWithoutOSRExit):
7752 (JSC::DFG::ByteCodeParser::getArrayMode):
7753 (JSC::DFG::ByteCodeParser::handleIntrinsic):
7754 (JSC::DFG::ByteCodeParser::parseBlock):
7755 * dfg/DFGCSEPhase.cpp:
7756 (JSC::DFG::CSEPhase::getByValLoadElimination):
7757 (JSC::DFG::CSEPhase::checkStructureLoadElimination):
7758 (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
7759 (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
7760 (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
7761 (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
7762 (JSC::DFG::CSEPhase::performNodeCSE):
7763 * dfg/DFGFixupPhase.cpp:
7764 (JSC::DFG::FixupPhase::fixupNode):
7765 * dfg/DFGGraph.cpp:
7766 (JSC::DFG::Graph::dump):
7767 * dfg/DFGGraph.h:
7768 (JSC::DFG::Graph::byValIsPure):
7769 (JSC::DFG::Graph::clobbersWorld):
7770 * dfg/DFGNode.h:
7771 (JSC::DFG::Node::hasArrayMode):
7772 (Node):
7773 (JSC::DFG::Node::arrayMode):
7774 (JSC::DFG::Node::setArrayMode):
7775 * dfg/DFGNodeType.h:
7776 (DFG):
7777 * dfg/DFGPredictionPropagationPhase.cpp:
7778 (JSC::DFG::PredictionPropagationPhase::propagate):
7779 * dfg/DFGSpeculativeJIT.cpp:
7780 (JSC::DFG::SpeculativeJIT::typedArrayDescriptor):
7781 (DFG):
7782 (JSC::DFG::SpeculativeJIT::speculateArray):
7783 (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
7784 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
7785 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
7786 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
7787 (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
7788 (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
7789 (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
7790 * dfg/DFGSpeculativeJIT.h:
7791 (SpeculativeJIT):
7792 * dfg/DFGSpeculativeJIT32_64.cpp:
7793 (JSC::DFG::SpeculativeJIT::compile):
7794 * dfg/DFGSpeculativeJIT64.cpp:
7795 (JSC::DFG::SpeculativeJIT::compile):
7796 * dfg/DFGStructureCheckHoistingPhase.cpp:
7797 (JSC::DFG::StructureCheckHoistingPhase::run):
7798
77992012-08-22 Geoffrey Garen <ggaren@apple.com>
7800
7801 ThreadRestrictionVerifier should be opt-in, not opt-out
7802 https://bugs.webkit.org/show_bug.cgi?id=94761
7803
7804 Reviewed by Mark Hahnenberg.
7805
7806 Removed explicit calls to disable the verifier, since it's off by default now.
7807
7808 * parser/SourceProvider.h:
7809 (JSC::SourceProvider::SourceProvider):
7810 (SourceProvider):
7811 * runtime/SymbolTable.h:
7812 (JSC::SharedSymbolTable::SharedSymbolTable):
7813
78142012-08-22 Mark Hahnenberg <mhahnenberg@apple.com>
7815
7816 Separate MarkStackThreadSharedData from MarkStack
7817 https://bugs.webkit.org/show_bug.cgi?id=94294
7818
7819 Reviewed by Filip Pizlo.
7820
7821 MarkStackThreadSharedData is soon going to have data to allow for a parallel copying
7822 mode too, so to separate our concerns we should split it out into its own set of files
7823 and rename it to GCThreadSharedData. For now this is purely a cosmetic refactoring.
7824
7825 * CMakeLists.txt:
7826 * GNUmakefile.list.am:
7827 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
7828 * JavaScriptCore.xcodeproj/project.pbxproj:
7829 * Target.pri:
7830 * heap/GCThreadSharedData.cpp: Added.
7831 (JSC):
7832 (JSC::GCThreadSharedData::resetChildren):
7833 (JSC::GCThreadSharedData::childVisitCount):
7834 (JSC::GCThreadSharedData::markingThreadMain):
7835 (JSC::GCThreadSharedData::markingThreadStartFunc):
7836 (JSC::GCThreadSharedData::GCThreadSharedData):
7837 (JSC::GCThreadSharedData::~GCThreadSharedData):
7838 (JSC::GCThreadSharedData::reset):
7839 * heap/GCThreadSharedData.h: Added.
7840 (JSC):
7841 (GCThreadSharedData):
7842 * heap/Heap.h:
7843 (Heap):
7844 * heap/ListableHandler.h:
7845 (ListableHandler):
7846 * heap/MarkStack.cpp:
7847 (JSC::MarkStack::MarkStack):
7848 (JSC::MarkStack::~MarkStack):
7849 * heap/MarkStack.h:
7850 (JSC):
7851 (MarkStack):
7852 (JSC::MarkStack::sharedData):
7853 * heap/MarkStackInlineMethods.h: Added.
7854 (JSC):
7855 (JSC::MarkStack::append):
7856 (JSC::MarkStack::appendUnbarrieredPointer):
7857 (JSC::MarkStack::appendUnbarrieredValue):
7858 (JSC::MarkStack::internalAppend):
7859 (JSC::MarkStack::addWeakReferenceHarvester):
7860 (JSC::MarkStack::addUnconditionalFinalizer):
7861 (JSC::MarkStack::addOpaqueRoot):
7862 (JSC::MarkStack::containsOpaqueRoot):
7863 (JSC::MarkStack::opaqueRootCount):
7864 * heap/SlotVisitor.h:
7865 (JSC):
7866 (SlotVisitor):
7867 (JSC::SlotVisitor::SlotVisitor):
7868
78692012-08-22 Gabor Ballabas <gaborb@inf.u-szeged.hu>
7870
7871 Fix JSC build when DFG-JIT is disabled
7872 https://bugs.webkit.org/show_bug.cgi?id=94694
7873
7874 Reviewed by Csaba Osztrogonác.
7875
7876 Adding an appropriate guard for fixing the build.
7877
7878 * bytecode/ResolveGlobalStatus.cpp:
7879 (JSC):
7880
78812012-08-21 Mark Lam <mark.lam@apple.com>
7882
7883 Introducing the VMInspector for VM debugging use.
7884 https://bugs.webkit.org/show_bug.cgi?id=94613.
7885
7886 Reviewed by Filip Pizlo.
7887
7888 Adding some utility functions for debugging the VM. This code is
7889 presently #ifdef'd out by default.
7890
7891 * CMakeLists.txt:
7892 * GNUmakefile.list.am:
7893 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
7894 * JavaScriptCore.xcodeproj/project.pbxproj:
7895 * interpreter/CallFrame.h:
7896 (ExecState):
7897 * interpreter/VMInspector.cpp: Added.
7898 (JSC):
7899 (JSC::VMInspector::getTypeName):
7900 (JSC::VMInspector::dumpFrame0):
7901 (JSC::VMInspector::dumpFrame):
7902 (JSC::VMInspector::countFrames):
7903 * interpreter/VMInspector.h: Added.
7904 (JSC):
7905 (VMInspector):
7906
79072012-08-21 Filip Pizlo <fpizlo@apple.com>
7908
7909 A patchable GetById right after a watchpoint should have the appropriate nop padding
7910 https://bugs.webkit.org/show_bug.cgi?id=94635
7911
7912 Reviewed by Mark Hahnenberg.
7913
7914 * assembler/AbstractMacroAssembler.h:
7915 (JSC::AbstractMacroAssembler::padBeforePatch):
7916 (AbstractMacroAssembler):
7917 * assembler/MacroAssemblerARMv7.h:
7918 (JSC::MacroAssemblerARMv7::load32WithCompactAddressOffsetPatch):
7919 (JSC::MacroAssemblerARMv7::moveWithPatch):
7920 (JSC::MacroAssemblerARMv7::patchableJump):
7921 * assembler/MacroAssemblerX86.h:
7922 (JSC::MacroAssemblerX86::moveWithPatch):
7923 (JSC::MacroAssemblerX86::branchPtrWithPatch):
7924 (JSC::MacroAssemblerX86::storePtrWithPatch):
7925 * assembler/MacroAssemblerX86Common.h:
7926 (JSC::MacroAssemblerX86Common::load32WithAddressOffsetPatch):
7927 (JSC::MacroAssemblerX86Common::load32WithCompactAddressOffsetPatch):
7928 (JSC::MacroAssemblerX86Common::loadCompactWithAddressOffsetPatch):
7929 (JSC::MacroAssemblerX86Common::store32WithAddressOffsetPatch):
7930 * assembler/MacroAssemblerX86_64.h:
7931 (JSC::MacroAssemblerX86_64::loadPtrWithAddressOffsetPatch):
7932 (JSC::MacroAssemblerX86_64::loadPtrWithCompactAddressOffsetPatch):
7933 (JSC::MacroAssemblerX86_64::storePtrWithAddressOffsetPatch):
7934 (JSC::MacroAssemblerX86_64::moveWithPatch):
7935 * jit/JumpReplacementWatchpoint.cpp:
7936 (JSC::JumpReplacementWatchpoint::fireInternal):
7937
79382012-08-20 Mark Lam <mark.lam@apple.com>
7939
7940 Fix broken non-JIT build.
7941 https://bugs.webkit.org/show_bug.cgi?id=94564.
7942
7943 Reviewed by Filip Pizlo.
7944
7945 Added some UNUSED_PARAM() macros to make the compiler happy.
7946
7947 * runtime/Executable.cpp:
7948 (JSC::EvalExecutable::compileInternal):
7949 (JSC::ProgramExecutable::compileInternal):
7950 (JSC::FunctionExecutable::compileForCallInternal):
7951 (JSC::FunctionExecutable::compileForConstructInternal):
7952
79532012-08-20 Mark Lam <mark.lam@apple.com>
7954
7955 Fixed erroneous line number for LLint frame when throwing exceptions.
7956 https://bugs.webkit.org/show_bug.cgi?id=94051.
7957
7958 Reviewed by Filip Pizlo.
7959
7960 For LLInt frames, before throwing an exception, adjust the PC from the
7961 return PC back to the call PC if we are indeed at a call site.
7962
7963 * bytecode/CodeBlock.cpp:
7964 (JSC::CodeBlock::adjustPCIfAtCallSite):
7965 (JSC):
7966 (JSC::CodeBlock::bytecodeOffset):
7967 * bytecode/CodeBlock.h:
7968 (CodeBlock):
7969 * llint/LLIntExceptions.cpp:
7970 (JSC::LLInt::fixupPCforExceptionIfNeeded):
7971 (LLInt):
7972 (JSC::LLInt::interpreterThrowInCaller):
7973 (JSC::LLInt::returnToThrow):
7974 (JSC::LLInt::callToThrow):
7975
79762012-08-20 Filip Pizlo <fpizlo@apple.com>
7977
7978 fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-when-both-proven-final-object.html on 32-bit
7979 https://bugs.webkit.org/show_bug.cgi?id=94538
7980
7981 Reviewed by Mark Hahnenberg.
7982
7983 * dfg/DFGSpeculativeJIT32_64.cpp:
7984 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
7985
79862012-08-20 Filip Pizlo <fpizlo@apple.com>
7987
7988 fast/js/dfg-compare-final-object-to-final-object-or-other-when-both-proven-final-object.html crashes on 32-bit
7989 https://bugs.webkit.org/show_bug.cgi?id=94026
7990
7991 Reviewed by Mark Hahnenberg.
7992
7993 * dfg/DFGSpeculativeJIT32_64.cpp:
7994 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
7995
79962012-08-19 Filip Pizlo <fpizlo@apple.com>
7997
7998 The relationship between abstract values and structure transition watchpoints should be rationalized
7999 https://bugs.webkit.org/show_bug.cgi?id=94205
8000
8001 Reviewed by Geoffrey Garen.
8002
8003 This patch does a number of things related to the handling of the abstract values
8004 arrising from values with structures known to be watchpointable:
8005
8006 - This rationalizes the relationship between the structure that we know an object
8007 to have *right now* based on having executed a check against that structure, and
8008 the structure that we know the object could have *in the future* based on a type
8009 check executed in the past over a structure that was watchpointable.
8010
8011 - We use the above to assert that structure transition watchpoints are being used
8012 soundly.
8013
8014 - We use the above to strength reduce CheckStructure into StructureTransitionWatchpoint
8015 whenever possible.
8016
8017 - This rationalizes the handling of CFA over constants that appeared in the bytecode.
8018 If at compile-time the constant has a watchpointable structure, then we can prove
8019 what structures it may have in the future. The analysis uses this to both assert
8020 that structure transition watchpoints are being used correctly, and to find
8021 opportunities for using them more aggressively.
8022
8023 The net effect of all of these changes is that OSR entry should work more smoothly.
8024 It may also be a slight win due to strength reductions, though most of those strength
8025 reductions would have already been done by the parser and the structure check hoister.
8026
8027 * GNUmakefile.list.am:
8028 * JavaScriptCore.xcodeproj/project.pbxproj:
8029 * dfg/DFGAbstractState.cpp:
8030 (JSC::DFG::AbstractState::beginBasicBlock):
8031 (JSC::DFG::AbstractState::execute):
8032 * dfg/DFGAbstractValue.h:
8033 (DFG):
8034 (JSC::DFG::AbstractValue::clear):
8035 (JSC::DFG::AbstractValue::isClear):
8036 (JSC::DFG::AbstractValue::makeTop):
8037 (JSC::DFG::AbstractValue::clobberStructures):
8038 (JSC::DFG::AbstractValue::isTop):
8039 (JSC::DFG::AbstractValue::setFuturePossibleStructure):
8040 (AbstractValue):
8041 (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
8042 (JSC::DFG::AbstractValue::setMostSpecific):
8043 (JSC::DFG::AbstractValue::set):
8044 (JSC::DFG::AbstractValue::operator==):
8045 (JSC::DFG::AbstractValue::merge):
8046 (JSC::DFG::AbstractValue::filter):
8047 (JSC::DFG::AbstractValue::filterValueByType):
8048 (JSC::DFG::AbstractValue::validateType):
8049 (JSC::DFG::AbstractValue::validate):
8050 (JSC::DFG::AbstractValue::checkConsistency):
8051 (JSC::DFG::AbstractValue::dump):
8052 * dfg/DFGArgumentsSimplificationPhase.cpp:
8053 (JSC::DFG::ArgumentsSimplificationPhase::run):
8054 * dfg/DFGCSEPhase.cpp:
8055 (JSC::DFG::CSEPhase::checkStructureLoadElimination):
8056 (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
8057 (JSC::DFG::CSEPhase::performNodeCSE):
8058 * dfg/DFGConstantFoldingPhase.cpp:
8059 (JSC::DFG::ConstantFoldingPhase::foldConstants):
8060 * dfg/DFGNode.h:
8061 (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
8062 (Node):
8063 (JSC::DFG::Node::hasStructure):
8064 * dfg/DFGNodeType.h:
8065 (DFG):
8066 * dfg/DFGOSREntry.cpp:
8067 (JSC::DFG::prepareOSREntry):
8068 * dfg/DFGPredictionPropagationPhase.cpp:
8069 (JSC::DFG::PredictionPropagationPhase::propagate):
8070 * dfg/DFGSpeculativeJIT.cpp:
8071 (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
8072 (JSC::DFG::SpeculativeJIT::forwardSpeculationWatchpoint):
8073 (DFG):
8074 (JSC::DFG::SpeculativeJIT::speculationWatchpointWithConditionalDirection):
8075 (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
8076 (JSC::DFG::SpeculativeJIT::speculateArray):
8077 * dfg/DFGSpeculativeJIT.h:
8078 (SpeculativeJIT):
8079 * dfg/DFGSpeculativeJIT32_64.cpp:
8080 (JSC::DFG::SpeculativeJIT::compile):
8081 * dfg/DFGSpeculativeJIT64.cpp:
8082 (JSC::DFG::SpeculativeJIT::compile):
8083 * dfg/DFGStructureAbstractValue.h: Added.
8084 (DFG):
8085 (StructureAbstractValue):
8086 (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
8087 (JSC::DFG::StructureAbstractValue::clear):
8088 (JSC::DFG::StructureAbstractValue::makeTop):
8089 (JSC::DFG::StructureAbstractValue::top):
8090 (JSC::DFG::StructureAbstractValue::add):
8091 (JSC::DFG::StructureAbstractValue::addAll):
8092 (JSC::DFG::StructureAbstractValue::contains):
8093 (JSC::DFG::StructureAbstractValue::isSubsetOf):
8094 (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan):
8095 (JSC::DFG::StructureAbstractValue::isSupersetOf):
8096 (JSC::DFG::StructureAbstractValue::filter):
8097 (JSC::DFG::StructureAbstractValue::isClear):
8098 (JSC::DFG::StructureAbstractValue::isTop):
8099 (JSC::DFG::StructureAbstractValue::isClearOrTop):
8100 (JSC::DFG::StructureAbstractValue::isNeitherClearNorTop):
8101 (JSC::DFG::StructureAbstractValue::size):
8102 (JSC::DFG::StructureAbstractValue::at):
8103 (JSC::DFG::StructureAbstractValue::operator[]):
8104 (JSC::DFG::StructureAbstractValue::last):
8105 (JSC::DFG::StructureAbstractValue::speculationFromStructures):
8106 (JSC::DFG::StructureAbstractValue::hasSingleton):
8107 (JSC::DFG::StructureAbstractValue::singleton):
8108 (JSC::DFG::StructureAbstractValue::operator==):
8109 (JSC::DFG::StructureAbstractValue::dump):
8110 (JSC::DFG::StructureAbstractValue::topValue):
8111 * dfg/DFGStructureCheckHoistingPhase.cpp:
8112 (JSC::DFG::StructureCheckHoistingPhase::run):
8113
81142012-08-17 Filip Pizlo <fpizlo@apple.com>
8115
8116 The current state of the call frame should be taken into account in the DFG for both predictions and proofs
8117 https://bugs.webkit.org/show_bug.cgi?id=94412
8118
8119 Reviewed by Geoffrey Garen.
8120
8121 This ensures that no matter how smart the DFG gets, it'll always know through
8122 which entrypoint OSR will try to enter, and with which values it will attempt
8123 to do so. For prologue OSR, this has no effect other than adding the current
8124 arguments to the argument predictions. For loop OSR, this makes our treatment
8125 of the loop slightly more conservative - just conservative enough to ensure
8126 that OSR succeeds.
8127
8128 * bytecode/CodeBlock.cpp:
8129 (JSC::ProgramCodeBlock::compileOptimized):
8130 (JSC::EvalCodeBlock::compileOptimized):
8131 (JSC::FunctionCodeBlock::compileOptimized):
8132 * bytecode/CodeBlock.h:
8133 (CodeBlock):
8134 (ProgramCodeBlock):
8135 (EvalCodeBlock):
8136 (FunctionCodeBlock):
8137 * dfg/DFGAbstractState.cpp:
8138 (JSC::DFG::AbstractState::initialize):
8139 * dfg/DFGAbstractValue.h:
8140 (JSC::DFG::AbstractValue::setMostSpecific):
8141 (AbstractValue):
8142 * dfg/DFGByteCodeParser.cpp:
8143 (JSC::DFG::ByteCodeParser::fixVariableAccessPredictions):
8144 (JSC::DFG::ByteCodeParser::parse):
8145 * dfg/DFGDriver.cpp:
8146 (JSC::DFG::compile):
8147 (JSC::DFG::tryCompile):
8148 (JSC::DFG::tryCompileFunction):
8149 * dfg/DFGDriver.h:
8150 (DFG):
8151 (JSC::DFG::tryCompile):
8152 (JSC::DFG::tryCompileFunction):
8153 * dfg/DFGGraph.h:
8154 (JSC::DFG::Graph::Graph):
8155 (Graph):
8156 * jit/JITDriver.h:
8157 (JSC::jitCompileIfAppropriate):
8158 (JSC::jitCompileFunctionIfAppropriate):
8159 * jit/JITStubs.cpp:
8160 (JSC::DEFINE_STUB_FUNCTION):
8161 * runtime/Executable.cpp:
8162 (JSC::EvalExecutable::compileOptimized):
8163 (JSC::EvalExecutable::compileInternal):
8164 (JSC::ProgramExecutable::compileOptimized):
8165 (JSC::ProgramExecutable::compileInternal):
8166 (JSC::FunctionExecutable::compileOptimizedForCall):
8167 (JSC::FunctionExecutable::compileOptimizedForConstruct):
8168 (JSC::FunctionExecutable::compileForCallInternal):
8169 (JSC::FunctionExecutable::compileForConstructInternal):
8170 * runtime/Executable.h:
8171 (EvalExecutable):
8172 (ProgramExecutable):
8173 (FunctionExecutable):
8174 (JSC::FunctionExecutable::compileOptimizedFor):
8175 * runtime/ExecutionHarness.h:
8176 (JSC::prepareForExecution):
8177 (JSC::prepareFunctionForExecution):
8178
81792012-08-17 Filip Pizlo <fpizlo@apple.com>
8180
8181 DFG CSE should be more honest about when it changed the IR
8182 https://bugs.webkit.org/show_bug.cgi?id=94408
8183
8184 Reviewed by Geoffrey Garen.
8185
8186 The CSE phase now always returns true if it changed the IR.
8187
8188 * dfg/DFGCSEPhase.cpp:
8189 (JSC::DFG::CSEPhase::setReplacement):
8190 (JSC::DFG::CSEPhase::eliminate):
8191 (JSC::DFG::CSEPhase::performNodeCSE):
8192
81932012-08-17 Filip Pizlo <fpizlo@apple.com>
8194
8195 DFG is still too pessimistic about what constitutes a side-effect on array accesses
8196 https://bugs.webkit.org/show_bug.cgi?id=94309
8197
8198 Reviewed by Geoffrey Garen.
8199
8200 This change means that even if structure transition watchpoints are not used for
8201 hoisting of clobbered structure checks, we still retain good performance on the
8202 benchmarks we care about. That's important, since butterflies will likely make
8203 most array structures not watchpointable.
8204
8205 * dfg/DFGAbstractState.cpp:
8206 (JSC::DFG::AbstractState::execute):
8207 * dfg/DFGStructureCheckHoistingPhase.cpp:
8208 (JSC::DFG::StructureCheckHoistingPhase::run):
8209
82102012-08-17 Milian Wolff <milian.wolff@kdab.com>
8211
8212 [Qt] QNX build fails due to ctype usage in system headers
8213 https://bugs.webkit.org/show_bug.cgi?id=93849
8214
8215 Reviewed by Simon Hausmann.
8216
8217 Move the check for whether DisallowCType should be active or not
8218 to the DisallowCType.h header. This way, we can update the list
8219 of platforms or OSes which do not work with this header in a
8220 central place. All users can now safely include the header
8221 and do not need to place custom guards around it.
8222
8223 * config.h:
8224
82252012-08-16 Simon Hausmann <simon.hausmann@nokia.com>
8226
8227 [Qt] Replace use of internal Weak smart pointer with JSWeakObjectMap
8228 https://bugs.webkit.org/show_bug.cgi?id=93872
8229
8230 Reviewed by Kenneth Rohde Christiansen.
8231
8232 * Target.pri: Add missing JSWeakObjectMap file to build.
8233
82342012-08-16 Filip Pizlo <fpizlo@apple.com>
8235
8236 Structure check hoisting should be less expensive
8237 https://bugs.webkit.org/show_bug.cgi?id=94201
8238
8239 Reviewed by Mark Hahnenberg.
8240
8241 This appears like a broad win on short-running programs.
8242
8243 * dfg/DFGArgumentsSimplificationPhase.cpp:
8244 (JSC::DFG::ArgumentsSimplificationPhase::run):
8245 * dfg/DFGCSEPhase.cpp:
8246 (JSC::DFG::CSEPhase::performNodeCSE):
8247 * dfg/DFGDriver.cpp:
8248 (JSC::DFG::compile):
8249 * dfg/DFGGraph.h:
8250 (JSC::DFG::Graph::compareAndSwap):
8251 (Graph):
8252 (JSC::DFG::Graph::substitute):
8253 (JSC::DFG::Graph::substituteGetLocal):
8254 * dfg/DFGStructureCheckHoistingPhase.cpp:
8255 (JSC::DFG::StructureCheckHoistingPhase::run):
8256
82572012-08-16 Filip Pizlo <fpizlo@apple.com>
8258
8259 All op_resolve_global instructions should end up in the list of global resolve instructions
8260 https://bugs.webkit.org/show_bug.cgi?id=94247
8261 <rdar://problem/12103500>
8262
8263 Reviewed by Mark Hahnenberg.
8264
8265 * bytecompiler/BytecodeGenerator.cpp:
8266 (JSC::BytecodeGenerator::emitResolveWithBase):
8267
82682012-08-15 Bruno de Oliveira Abinader <bruno.abinader@basyskom.com>
8269
8270 [css3-text] Add CSS3 Text decoration compile flag
8271 https://bugs.webkit.org/show_bug.cgi?id=93863
8272
8273 Reviewed by Julien Chaffraix.
8274
8275 This patch handles the compile flag implementation, which will come disabled by
8276 default, thus not exposing the CSS3 text decoration features to the web, unless
8277 when explicitly enabling it with "--css3-text-decoration" build parameter.
8278
8279 * Configurations/FeatureDefines.xcconfig:
8280
82812012-08-15 Sheriff Bot <webkit.review.bot@gmail.com>
8282
8283 Unreviewed, rolling out r125687.
8284 http://trac.webkit.org/changeset/125687
8285 https://bugs.webkit.org/show_bug.cgi?id=94147
8286
8287 It broke the whole world (Requested by Ossy_night on #webkit).
8288
8289 * API/JSValueRef.cpp:
8290 (JSValueToBoolean):
8291 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
8292 * bytecode/Watchpoint.h:
8293 (WatchpointSet):
8294 * debugger/DebuggerCallFrame.h:
8295 * dfg/DFGAbstractState.cpp:
8296 (JSC::DFG::AbstractState::execute):
8297 * dfg/DFGCFGSimplificationPhase.cpp:
8298 (JSC::DFG::CFGSimplificationPhase::run):
8299 * dfg/DFGOperations.cpp:
8300 * dfg/DFGOperations.h:
8301 * dfg/DFGSpeculativeJIT32_64.cpp:
8302 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
8303 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
8304 (JSC::DFG::SpeculativeJIT::compile):
8305 * dfg/DFGSpeculativeJIT64.cpp:
8306 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
8307 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
8308 (JSC::DFG::SpeculativeJIT::compile):
8309 * interpreter/Interpreter.cpp:
8310 (JSC::Interpreter::privateExecute):
8311 * jit/JITOpcodes.cpp:
8312 (JSC::JIT::emit_op_is_undefined):
8313 (JSC::JIT::emit_op_jeq_null):
8314 (JSC::JIT::emit_op_jneq_null):
8315 (JSC::JIT::emit_op_eq_null):
8316 (JSC::JIT::emit_op_neq_null):
8317 * jit/JITOpcodes32_64.cpp:
8318 (JSC::JIT::emit_op_is_undefined):
8319 (JSC::JIT::emit_op_jeq_null):
8320 (JSC::JIT::emit_op_jneq_null):
8321 (JSC::JIT::emit_op_eq_null):
8322 (JSC::JIT::emit_op_neq_null):
8323 * jit/JITStubs.cpp:
8324 (JSC::DEFINE_STUB_FUNCTION):
8325 * llint/LLIntSlowPaths.cpp:
8326 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
8327 * llint/LowLevelInterpreter32_64.asm:
8328 * llint/LowLevelInterpreter64.asm:
8329 * runtime/ArrayPrototype.cpp:
8330 (JSC::arrayProtoFuncFilter):
8331 (JSC::arrayProtoFuncEvery):
8332 (JSC::arrayProtoFuncSome):
8333 * runtime/BooleanConstructor.cpp:
8334 (JSC::constructBoolean):
8335 (JSC::callBooleanConstructor):
8336 * runtime/JSCell.h:
8337 (JSCell):
8338 * runtime/JSGlobalObject.cpp:
8339 (JSC::JSGlobalObject::JSGlobalObject):
8340 * runtime/JSGlobalObject.h:
8341 (JSGlobalObject):
8342 * runtime/JSString.h:
8343 (JSC::JSCell::toBoolean):
8344 (JSC::JSValue::toBoolean):
8345 * runtime/JSValue.h:
8346 * runtime/ObjectConstructor.cpp:
8347 (JSC::toPropertyDescriptor):
8348 * runtime/Operations.cpp:
8349 (JSC::jsTypeStringForValue):
8350 (JSC::jsIsObjectType):
8351 * runtime/Operations.h:
8352 (JSC):
8353 (JSC::JSValue::equalSlowCaseInline):
8354 * runtime/RegExpConstructor.cpp:
8355 (JSC::setRegExpConstructorMultiline):
8356 * runtime/RegExpPrototype.cpp:
8357 (JSC::regExpProtoFuncToString):
8358 * runtime/Structure.h:
8359
83602012-08-15 Gabor Ballabas <gaborb@inf.u-szeged.hu>
8361
8362 Buildfix after r125541
8363 https://bugs.webkit.org/show_bug.cgi?id=94097
8364
8365 Reviewed by Filip Pizlo.
8366
8367 r125541 has broken the traditional ARM port build of JSC.
8368
8369 * assembler/MacroAssemblerARM.h:
8370 (JSC::MacroAssemblerARM::neg32):
8371 (JSC::MacroAssemblerARM::xor32):
8372
83732012-08-14 Mark Hahnenberg <mhahnenberg@apple.com>
8374
8375 Change behavior of MasqueradesAsUndefined to better accommodate DFG changes
8376 https://bugs.webkit.org/show_bug.cgi?id=93884
8377
8378 Reviewed by Geoffrey Garen.
8379
8380 With some upcoming changes to the DFG to remove uses of ClassInfo, we will be changing the behavior of
8381 MasqueradesAsUndefined. In order to make this change consistent across all of our execution engines,
8382 we will make this change to MasqueradesAsUndefined as a separate patch. After this patch, MasqueradesAsUndefined
8383 objects will only masquerade as undefined in their original context (i.e. their original JSGlobalObject).
8384 For example, if an object that masquerades as undefined in frame A is passed to frame B, it will not
8385 masquerade as undefined within frame B, but it will continue to masquerade in frame A.
8386
8387 There are two primary changes that are taking place here. One is to thread the ExecState* through
8388 JSValue::toBoolean and JSCell::toBoolean so that JSCell::toBoolean can check the object's
8389 JSGlobalObject to compare it to the lexical JSGlobalObject of the currently running code. If the two
8390 are distinct, then the object cannot MasqueradeAsUndefined.
8391
8392 The other change is to perform this comparison of JSGlobalObjects everywhere where the MasqueradesAsUndefined
8393 flag in the Structure is checked. For C++ code, this check has been factored into its own function in
8394 Structure::masqueradesAsUndefined. We only perform this check in the DFG if the current JSGlobalObject has
8395 had a MasqueradesAsUndefined object allocated within its context. This conditional compilation is managed
8396 through the use of a WatchpointSet in each JSGlobalObject and alternate create() functions for JS DOM wrappers
8397 that are MasqueradesAsUndefined.
8398
8399 * API/JSValueRef.cpp:
8400 (JSValueToBoolean):
8401 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
8402 * bytecode/Watchpoint.h:
8403 (WatchpointSet):
8404 * debugger/DebuggerCallFrame.h:
8405 (JSC::DebuggerCallFrame::callFrame):
8406 * dfg/DFGAbstractState.cpp:
8407 (JSC::DFG::AbstractState::execute):
8408 * dfg/DFGCFGSimplificationPhase.cpp:
8409 (JSC::DFG::CFGSimplificationPhase::run):
8410 * dfg/DFGOperations.cpp:
8411 * dfg/DFGOperations.h:
8412 * dfg/DFGSpeculativeJIT32_64.cpp:
8413 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
8414 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
8415 (JSC::DFG::SpeculativeJIT::compile):
8416 * dfg/DFGSpeculativeJIT64.cpp:
8417 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
8418 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
8419 (JSC::DFG::SpeculativeJIT::compile):
8420 * interpreter/Interpreter.cpp:
8421 (JSC::Interpreter::privateExecute):
8422 * jit/JITOpcodes.cpp:
8423 (JSC::JIT::emit_op_is_undefined):
8424 (JSC::JIT::emit_op_jeq_null):
8425 (JSC::JIT::emit_op_jneq_null):
8426 (JSC::JIT::emit_op_eq_null):
8427 (JSC::JIT::emit_op_neq_null):
8428 * jit/JITOpcodes32_64.cpp:
8429 (JSC::JIT::emit_op_is_undefined):
8430 (JSC::JIT::emit_op_jeq_null):
8431 (JSC::JIT::emit_op_jneq_null):
8432 (JSC::JIT::emit_op_eq_null):
8433 (JSC::JIT::emit_op_neq_null):
8434 * jit/JITStubs.cpp:
8435 (JSC::DEFINE_STUB_FUNCTION):
8436 * llint/LLIntSlowPaths.cpp:
8437 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
8438 * llint/LowLevelInterpreter32_64.asm:
8439 * llint/LowLevelInterpreter64.asm:
8440 * runtime/ArrayPrototype.cpp:
8441 (JSC::arrayProtoFuncFilter):
8442 (JSC::arrayProtoFuncEvery):
8443 (JSC::arrayProtoFuncSome):
8444 * runtime/BooleanConstructor.cpp:
8445 (JSC::constructBoolean):
8446 (JSC::callBooleanConstructor):
8447 * runtime/JSCell.h:
8448 (JSCell):
8449 * runtime/JSGlobalObject.cpp:
8450 (JSC::JSGlobalObject::JSGlobalObject):
8451 * runtime/JSGlobalObject.h:
8452 (JSGlobalObject):
8453 (JSC::JSGlobalObject::masqueradesAsUndefinedWatchpoint):
8454 * runtime/JSString.h:
8455 (JSC::JSCell::toBoolean):
8456 (JSC::JSValue::toBoolean):
8457 * runtime/JSValue.h:
8458 * runtime/ObjectConstructor.cpp:
8459 (JSC::toPropertyDescriptor):
8460 * runtime/Operations.cpp:
8461 (JSC::jsTypeStringForValue):
8462 (JSC::jsIsObjectType):
8463 * runtime/Operations.h:
8464 (JSC):
8465 (JSC::JSValue::equalSlowCaseInline):
8466 * runtime/RegExpConstructor.cpp:
8467 (JSC::setRegExpConstructorMultiline):
8468 * runtime/RegExpPrototype.cpp:
8469 (JSC::regExpProtoFuncToString):
8470 * runtime/Structure.h:
8471 (Structure):
8472 (JSC::Structure::globalObjectOffset):
8473 (JSC::Structure::masqueradesAsUndefined):
8474 (JSC):
8475
84762012-08-14 Filip Pizlo <fpizlo@apple.com>
8477
8478 Unreviewed, build fix for !ENABLE(DFG_JIT)
8479
8480 * jit/JITPropertyAccess.cpp:
8481 (JSC::JIT::emit_op_get_by_val):
8482 (JSC::JIT::emit_op_put_by_val):
8483 (JSC::JIT::privateCompilePatchGetArrayLength):
8484 * jit/JITPropertyAccess32_64.cpp:
8485 (JSC::JIT::emit_op_get_by_val):
8486 (JSC::JIT::emit_op_put_by_val):
8487 (JSC::JIT::privateCompilePatchGetArrayLength):
8488 * llint/LowLevelInterpreter32_64.asm:
8489 * llint/LowLevelInterpreter64.asm:
8490
84912012-08-13 Filip Pizlo <fpizlo@apple.com>
8492
8493 Array checks should use the structure, not the class info
8494 https://bugs.webkit.org/show_bug.cgi?id=93150
8495
8496 Reviewed by Mark Hahnenberg.
8497
8498 This changes all array checks used in array accesses (get, put, get length,
8499 push, pop) to use the structure, not the class info. Additionally, these
8500 checks in the LLInt and baseline JIT record the structure in an ArrayProfile,
8501 so that the DFG can know exactly what structure to check for.
8502
8503 * CMakeLists.txt:
8504 * GNUmakefile.list.am:
8505 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
8506 * JavaScriptCore.xcodeproj/project.pbxproj:
8507 * Target.pri:
8508 * bytecode/ArrayProfile.cpp: Added.
8509 (JSC):
8510 (JSC::ArrayProfile::computeUpdatedPrediction):
8511 * bytecode/ArrayProfile.h: Added.
8512 (JSC):
8513 (JSC::arrayModeFromStructure):
8514 (ArrayProfile):
8515 (JSC::ArrayProfile::ArrayProfile):
8516 (JSC::ArrayProfile::bytecodeOffset):
8517 (JSC::ArrayProfile::addressOfLastSeenStructure):
8518 (JSC::ArrayProfile::observeStructure):
8519 (JSC::ArrayProfile::expectedStructure):
8520 (JSC::ArrayProfile::structureIsPolymorphic):
8521 (JSC::ArrayProfile::hasDefiniteStructure):
8522 (JSC::ArrayProfile::observedArrayModes):
8523 * bytecode/CodeBlock.cpp:
8524 (JSC::CodeBlock::dump):
8525 (JSC::CodeBlock::getArrayProfile):
8526 (JSC):
8527 (JSC::CodeBlock::getOrAddArrayProfile):
8528 (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
8529 * bytecode/CodeBlock.h:
8530 (JSC::CodeBlock::executionEntryCount):
8531 (JSC::CodeBlock::numberOfArrayProfiles):
8532 (JSC::CodeBlock::arrayProfiles):
8533 (JSC::CodeBlock::addArrayProfile):
8534 (CodeBlock):
8535 * bytecode/Instruction.h:
8536 (JSC):
8537 (JSC::Instruction::Instruction):
8538 * bytecode/Opcode.h:
8539 (JSC):
8540 (JSC::padOpcodeName):
8541 * bytecompiler/BytecodeGenerator.cpp:
8542 (JSC::BytecodeGenerator::emitGetArgumentByVal):
8543 (JSC::BytecodeGenerator::emitGetByVal):
8544 (JSC::BytecodeGenerator::emitPutByVal):
8545 * dfg/DFGAbstractState.cpp:
8546 (JSC::DFG::AbstractState::initialize):
8547 (JSC::DFG::AbstractState::execute):
8548 * dfg/DFGAbstractValue.h:
8549 (JSC::DFG::StructureAbstractValue::hasSingleton):
8550 (StructureAbstractValue):
8551 (JSC::DFG::StructureAbstractValue::singleton):
8552 * dfg/DFGArgumentsSimplificationPhase.cpp:
8553 (JSC::DFG::ArgumentsSimplificationPhase::run):
8554 * dfg/DFGByteCodeParser.cpp:
8555 (JSC::DFG::ByteCodeParser::parseBlock):
8556 * dfg/DFGFixupPhase.cpp:
8557 (JSC::DFG::FixupPhase::fixupNode):
8558 * dfg/DFGSpeculativeJIT.cpp:
8559 (JSC::DFG::SpeculativeJIT::speculateArray):
8560 (DFG):
8561 (JSC::DFG::SpeculativeJIT::compile):
8562 (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
8563 (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
8564 * dfg/DFGSpeculativeJIT.h:
8565 (SpeculativeJIT):
8566 * dfg/DFGSpeculativeJIT32_64.cpp:
8567 (JSC::DFG::SpeculativeJIT::compile):
8568 * dfg/DFGSpeculativeJIT64.cpp:
8569 (JSC::DFG::SpeculativeJIT::compile):
8570 * dfg/DFGStructureCheckHoistingPhase.cpp:
8571 (JSC::DFG::StructureCheckHoistingPhase::run):
8572 * jit/JITPropertyAccess.cpp:
8573 (JSC::JIT::emit_op_get_by_val):
8574 (JSC::JIT::emit_op_put_by_val):
8575 (JSC::JIT::privateCompilePatchGetArrayLength):
8576 * jit/JITPropertyAccess32_64.cpp:
8577 (JSC::JIT::emit_op_get_by_val):
8578 (JSC::JIT::emit_op_put_by_val):
8579 (JSC::JIT::privateCompilePatchGetArrayLength):
8580 * llint/LLIntOffsetsExtractor.cpp:
8581 * llint/LowLevelInterpreter32_64.asm:
8582 * llint/LowLevelInterpreter64.asm:
8583 * runtime/Structure.h:
8584 (Structure):
8585 (JSC::Structure::classInfoOffset):
8586
85872012-08-14 Gabor Ballabas <gaborb@inf.u-szeged.hu>
8588
8589 Rename functions in the ARM port of DFG-JIT for better code readability.
8590 https://bugs.webkit.org/show_bug.cgi?id=93609
8591
8592 Reviewed by Zoltan Herczeg.
8593
8594 Rename functions in the ARM port of DFG-JIT for better code
8595 readability, and for following the WebKit coding style
8596 wherever it is possible.
8597
8598 * assembler/ARMAssembler.cpp:
8599 (JSC::ARMAssembler::genInt):
8600 (JSC::ARMAssembler::getImm):
8601 (JSC::ARMAssembler::moveImm):
8602 (JSC::ARMAssembler::encodeComplexImm):
8603 (JSC::ARMAssembler::dataTransfer32):
8604 (JSC::ARMAssembler::baseIndexTransfer32):
8605 (JSC::ARMAssembler::dataTransfer16):
8606 (JSC::ARMAssembler::baseIndexTransfer16):
8607 (JSC::ARMAssembler::dataTransferFloat):
8608 (JSC::ARMAssembler::baseIndexTransferFloat):
8609 * assembler/ARMAssembler.h:
8610 (JSC::ARMAssembler::bitAnd):
8611 (JSC::ARMAssembler::bitAnds):
8612 (JSC::ARMAssembler::eor):
8613 (JSC::ARMAssembler::eors):
8614 (JSC::ARMAssembler::sub):
8615 (JSC::ARMAssembler::subs):
8616 (JSC::ARMAssembler::rsb):
8617 (JSC::ARMAssembler::rsbs):
8618 (JSC::ARMAssembler::add):
8619 (JSC::ARMAssembler::adds):
8620 (JSC::ARMAssembler::adc):
8621 (JSC::ARMAssembler::adcs):
8622 (JSC::ARMAssembler::sbc):
8623 (JSC::ARMAssembler::sbcs):
8624 (JSC::ARMAssembler::rsc):
8625 (JSC::ARMAssembler::rscs):
8626 (JSC::ARMAssembler::tst):
8627 (JSC::ARMAssembler::teq):
8628 (JSC::ARMAssembler::cmp):
8629 (JSC::ARMAssembler::cmn):
8630 (JSC::ARMAssembler::orr):
8631 (JSC::ARMAssembler::orrs):
8632 (JSC::ARMAssembler::mov):
8633 (JSC::ARMAssembler::movw):
8634 (JSC::ARMAssembler::movt):
8635 (JSC::ARMAssembler::movs):
8636 (JSC::ARMAssembler::bic):
8637 (JSC::ARMAssembler::bics):
8638 (JSC::ARMAssembler::mvn):
8639 (JSC::ARMAssembler::mvns):
8640 (JSC::ARMAssembler::mul):
8641 (JSC::ARMAssembler::muls):
8642 (JSC::ARMAssembler::mull):
8643 (JSC::ARMAssembler::vmov_f64):
8644 (JSC::ARMAssembler::vadd_f64):
8645 (JSC::ARMAssembler::vdiv_f64):
8646 (JSC::ARMAssembler::vsub_f64):
8647 (JSC::ARMAssembler::vmul_f64):
8648 (JSC::ARMAssembler::vcmp_f64):
8649 (JSC::ARMAssembler::vsqrt_f64):
8650 (JSC::ARMAssembler::vabs_f64):
8651 (JSC::ARMAssembler::vneg_f64):
8652 (JSC::ARMAssembler::ldrImmediate):
8653 (JSC::ARMAssembler::ldrUniqueImmediate):
8654 (JSC::ARMAssembler::dtrUp):
8655 (JSC::ARMAssembler::dtrUpRegister):
8656 (JSC::ARMAssembler::dtrDown):
8657 (JSC::ARMAssembler::dtrDownRegister):
8658 (JSC::ARMAssembler::halfDtrUp):
8659 (JSC::ARMAssembler::halfDtrUpRegister):
8660 (JSC::ARMAssembler::halfDtrDown):
8661 (JSC::ARMAssembler::halfDtrDownRegister):
8662 (JSC::ARMAssembler::doubleDtrUp):
8663 (JSC::ARMAssembler::doubleDtrDown):
8664 (JSC::ARMAssembler::push):
8665 (JSC::ARMAssembler::pop):
8666 (JSC::ARMAssembler::poke):
8667 (JSC::ARMAssembler::peek):
8668 (JSC::ARMAssembler::vmov_vfp64):
8669 (JSC::ARMAssembler::vmov_arm64):
8670 (JSC::ARMAssembler::vmov_vfp32):
8671 (JSC::ARMAssembler::vmov_arm32):
8672 (JSC::ARMAssembler::vcvt_f64_s32):
8673 (JSC::ARMAssembler::vcvt_s32_f64):
8674 (JSC::ARMAssembler::vcvt_u32_f64):
8675 (JSC::ARMAssembler::vcvt_f64_f32):
8676 (JSC::ARMAssembler::vcvt_f32_f64):
8677 (JSC::ARMAssembler::clz):
8678 (JSC::ARMAssembler::lslRegister):
8679 (JSC::ARMAssembler::lsrRegister):
8680 (JSC::ARMAssembler::asrRegister):
8681 (JSC::ARMAssembler::align):
8682 (JSC::ARMAssembler::loadBranchTarget):
8683 (JSC::ARMAssembler::vmov):
8684 * assembler/MacroAssemblerARM.cpp:
8685 (JSC::MacroAssemblerARM::load32WithUnalignedHalfWords):
8686 * assembler/MacroAssemblerARM.h:
8687 (JSC::MacroAssemblerARM::add32):
8688 (JSC::MacroAssemblerARM::and32):
8689 (JSC::MacroAssemblerARM::lshift32):
8690 (JSC::MacroAssemblerARM::mul32):
8691 (JSC::MacroAssemblerARM::or32):
8692 (JSC::MacroAssemblerARM::rshift32):
8693 (JSC::MacroAssemblerARM::urshift32):
8694 (JSC::MacroAssemblerARM::sub32):
8695 (JSC::MacroAssemblerARM::xor32):
8696 (JSC::MacroAssemblerARM::countLeadingZeros32):
8697 (JSC::MacroAssemblerARM::convertibleLoadPtr):
8698 (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
8699 (JSC::MacroAssemblerARM::load32WithCompactAddressOffsetPatch):
8700 (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
8701 (JSC::MacroAssemblerARM::store32):
8702 (JSC::MacroAssemblerARM::pop):
8703 (JSC::MacroAssemblerARM::push):
8704 (JSC::MacroAssemblerARM::move):
8705 (JSC::MacroAssemblerARM::swap):
8706 (JSC::MacroAssemblerARM::branch32):
8707 (JSC::MacroAssemblerARM::branchTest32):
8708 (JSC::MacroAssemblerARM::mull32):
8709 (JSC::MacroAssemblerARM::branchSub32):
8710 (JSC::MacroAssemblerARM::compare32):
8711 (JSC::MacroAssemblerARM::test32):
8712 (JSC::MacroAssemblerARM::load32):
8713 (JSC::MacroAssemblerARM::relativeTableJump):
8714 (JSC::MacroAssemblerARM::moveWithPatch):
8715 (JSC::MacroAssemblerARM::loadDouble):
8716 (JSC::MacroAssemblerARM::moveDouble):
8717 (JSC::MacroAssemblerARM::addDouble):
8718 (JSC::MacroAssemblerARM::divDouble):
8719 (JSC::MacroAssemblerARM::subDouble):
8720 (JSC::MacroAssemblerARM::mulDouble):
8721 (JSC::MacroAssemblerARM::sqrtDouble):
8722 (JSC::MacroAssemblerARM::absDouble):
8723 (JSC::MacroAssemblerARM::negateDouble):
8724 (JSC::MacroAssemblerARM::convertInt32ToDouble):
8725 (JSC::MacroAssemblerARM::convertFloatToDouble):
8726 (JSC::MacroAssemblerARM::convertDoubleToFloat):
8727 (JSC::MacroAssemblerARM::branchDouble):
8728 (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
8729 (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32):
8730 (JSC::MacroAssemblerARM::truncateDoubleToInt32):
8731 (JSC::MacroAssemblerARM::truncateDoubleToUint32):
8732 (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
8733 (JSC::MacroAssemblerARM::branchDoubleNonZero):
8734 (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
8735
87362012-08-13 Simon Hausmann <simon.hausmann@nokia.com>
8737
8738 Unreviewed, rolling out r125444.
8739 http://trac.webkit.org/changeset/125444
8740 https://bugs.webkit.org/show_bug.cgi?id=93872
8741
8742 Broke some tests
8743
8744 * Target.pri:
8745
87462012-08-13 Simon Hausmann <simon.hausmann@nokia.com>
8747
8748 [Qt] Replace use of internal Weak smart pointer with JSWeakObjectMap
8749 https://bugs.webkit.org/show_bug.cgi?id=93872
8750
8751 Reviewed by Kenneth Rohde Christiansen.
8752
8753 * Target.pri: Add missing JSWeakObjectMap file to build.
8754
87552012-08-13 Raphael Kubo da Costa <rakuco@webkit.org>
8756
8757 [CMake] Remove glib-related Find modules and write single new one instead.
8758 https://bugs.webkit.org/show_bug.cgi?id=93786
8759
8760 Reviewed by Rob Buis.
8761
8762 * shell/PlatformEfl.cmake: Use GLIB_* instead of Glib_*.
8763
87642012-08-12 Allan Sandfeld Jensen <allan.jensen@nokia.com>
8765
8766 Doesn't build with ENABLE_JIT=0
8767 https://bugs.webkit.org/show_bug.cgi?id=85042
8768
8769 Reviewed by Eric Seidel.
8770
8771 Include headers without which CallFrame.h does not build, and
8772 fix gcc warning about comparing unsigned int with 0.
8773
8774 * dfg/DFGDriver.cpp:
8775 * interpreter/Interpreter.cpp:
8776 (JSC::Interpreter::isOpcode):
8777
87782012-08-10 Yong Li <yoli@rim.com>
8779
8780 [BlackBerry] GCActivityCallback should always schedule GC even allocated bytes is a small number
8781 https://bugs.webkit.org/show_bug.cgi?id=93650
8782
8783 Reviewed by Rob Buis.
8784
8785 Even a small number of allocated JS objects could hold expensive resources.
8786
8787 * runtime/GCActivityCallbackBlackBerry.cpp:
8788 (JSC::DefaultGCActivityCallback::didAllocate):
8789
87902012-08-09 Yong Li <yoli@rim.com>
8791
8792 [QNX] Implement getCPUTime() for OS(QNX)
8793 https://bugs.webkit.org/show_bug.cgi?id=93516
8794
8795 Reviewed by George Staikos.
8796
8797 Implement getCPUTime() with CLOCK_THREAD_CPUTIME_ID so it will tell
8798 exactly how long the current thread has spent without being impacted
8799 by other things.
8800
8801 * runtime/TimeoutChecker.cpp:
8802 (JSC::getCPUTime):
8803
88042012-08-08 Shane Stephens <shanestephens@google.com>
8805
8806 Compile flag for CSS Hierarchies
8807 https://bugs.webkit.org/show_bug.cgi?id=92433
8808
8809 Reviewed by Tony Chang.
8810
8811 * Configurations/FeatureDefines.xcconfig:
8812
88132012-08-08 Benjamin Poulain <bpoulain@apple.com>
8814
8815 Use char* instead of LChar* for the public interface of String construction from literals
8816 https://bugs.webkit.org/show_bug.cgi?id=93402
8817
8818 Reviewed by Michael Saboff.
8819
8820 Update JSC' Identifier to use StringImpl::createFromLiteral with a char*.
8821
8822 * runtime/Identifier.cpp:
8823 (JSC::IdentifierASCIIStringTranslator::translate):
8824
88252012-08-08 Patrick Gansterer <paroga@webkit.org>
8826
8827 Remove ce_time.(cpp|h) from list of source files
8828 https://bugs.webkit.org/show_bug.cgi?id=93446
8829
8830 Reviewed by Simon Hausmann.
8831
8832 r125004 removed the last dependency on functions defined in ce_time.cpp.
8833
8834 * Target.pri:
8835
88362012-08-08 Patrick Gansterer <paroga@webkit.org>
8837
8838 [WIN] Use GetTimeZoneInformation() for getting the timezone name
8839 https://bugs.webkit.org/show_bug.cgi?id=91936
8840
8841 Reviewed by Ryosuke Niwa.
8842
8843 The MS CRT implementation of strftime calls the same functions in the background.
8844 Using them directly avoids the overhead of parsing the format string and removes
8845 the dependency on strftime() for WinCE where this function does not exist.
8846
8847 * runtime/DateConversion.cpp:
8848 (JSC::formatTime):
8849
88502012-08-07 Gabor Ballabas <gaborb@inf.u-szeged.hu>
8851
8852 Refactor magic numbers in the ARM port of DFG-JIT
8853 https://bugs.webkit.org/show_bug.cgi?id=93348
8854
8855 Reviewed by Eric Seidel.
8856
8857 Introduce new names for hard-coded magic numbers.
8858 Refactor constant with confusing names to more descriptive ones.
8859
8860 * assembler/ARMAssembler.cpp:
8861 (JSC::ARMAssembler::patchConstantPoolLoad):
8862 (JSC::ARMAssembler::getOp2):
8863 (JSC::ARMAssembler::genInt):
8864 (JSC::ARMAssembler::getImm):
8865 (JSC::ARMAssembler::moveImm):
8866 (JSC::ARMAssembler::encodeComplexImm):
8867 (JSC::ARMAssembler::dataTransfer32):
8868 (JSC::ARMAssembler::dataTransfer16):
8869 (JSC::ARMAssembler::dataTransferFloat):
8870 (JSC::ARMAssembler::executableCopy):
8871 * assembler/ARMAssembler.h:
8872 (JSC::ARMAssembler::emitInstruction):
8873 (JSC::ARMAssembler::ands_r):
8874 (JSC::ARMAssembler::eors_r):
8875 (JSC::ARMAssembler::subs_r):
8876 (JSC::ARMAssembler::rsbs_r):
8877 (JSC::ARMAssembler::adds_r):
8878 (JSC::ARMAssembler::adcs_r):
8879 (JSC::ARMAssembler::sbcs_r):
8880 (JSC::ARMAssembler::rscs_r):
8881 (JSC::ARMAssembler::tst_r):
8882 (JSC::ARMAssembler::teq_r):
8883 (JSC::ARMAssembler::cmp_r):
8884 (JSC::ARMAssembler::cmn_r):
8885 (JSC::ARMAssembler::orrs_r):
8886 (JSC::ARMAssembler::movs_r):
8887 (JSC::ARMAssembler::bics_r):
8888 (JSC::ARMAssembler::mvns_r):
8889 (JSC::ARMAssembler::muls_r):
8890 (JSC::ARMAssembler::ldr_imm):
8891 (JSC::ARMAssembler::ldr_un_imm):
8892 (JSC::ARMAssembler::dtr_u):
8893 (JSC::ARMAssembler::dtr_ur):
8894 (JSC::ARMAssembler::dtr_dr):
8895 (JSC::ARMAssembler::dtrh_u):
8896 (JSC::ARMAssembler::dtrh_ur):
8897 (JSC::ARMAssembler::fdtr_u):
8898 (JSC::ARMAssembler::push_r):
8899 (JSC::ARMAssembler::pop_r):
8900 (JSC::ARMAssembler::getLdrImmAddress):
8901 (JSC::ARMAssembler::getLdrImmAddressOnPool):
8902 (JSC::ARMAssembler::patchConstantPoolLoad):
8903 (JSC::ARMAssembler::repatchCompact):
8904 (JSC::ARMAssembler::replaceWithJump):
8905 (JSC::ARMAssembler::replaceWithLoad):
8906 (JSC::ARMAssembler::replaceWithAddressComputation):
8907 (JSC::ARMAssembler::getOp2Byte):
8908 (JSC::ARMAssembler::getOp2Half):
8909 (JSC::ARMAssembler::getImm16Op2):
8910 (JSC::ARMAssembler::placeConstantPoolBarrier):
8911 (JSC::ARMAssembler::getConditionalField):
8912 * assembler/MacroAssemblerARM.cpp:
8913 (JSC::MacroAssemblerARM::load32WithUnalignedHalfWords):
8914 * assembler/MacroAssemblerARM.h:
8915 (JSC::MacroAssemblerARM::and32):
8916 (JSC::MacroAssemblerARM::branch32):
8917 (JSC::MacroAssemblerARM::branchTest32):
8918 (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
8919
89202012-08-07 Benjamin Poulain <benjamin@webkit.org>
8921
8922 Use the initialization from literal for JSC's Identifiers
8923 https://bugs.webkit.org/show_bug.cgi?id=93193
8924
8925 Reviewed by Geoffrey Garen.
8926
8927 This patches modify Identifier ot take advantage of the new initialization from literal.
8928
8929 In addition to the memory savings (~600bytes per instance), this gives us a 2% speed
8930 improvement on CommonIdentifiers on average.
8931
8932 * runtime/CommonIdentifiers.cpp:
8933 (JSC::CommonIdentifiers::CommonIdentifiers):
8934 Null and empty strings are forbidden for literal initialization. Use the most efficient constructors
8935 instead of a literal.
8936
8937 * runtime/Identifier.cpp:
8938 (IdentifierASCIIStringTranslator):
8939 Rename IdentifierCStringTranslator to IdentifierASCIIStringTranslator to make the text encoding
8940 explicit.
8941 (JSC::IdentifierASCIIStringTranslator::hash):
8942 (JSC::IdentifierASCIIStringTranslator::equal):
8943 (JSC::IdentifierASCIIStringTranslator::translate): Use the fast initialization from literal.
8944 (JSC::Identifier::add):
8945 * runtime/Identifier.h:
8946 (JSC::Identifier::Identifier):
8947
89482012-08-07 Simon Hausmann <simon.hausmann@nokia.com>
8949
8950 [Qt][Win] Remove pthreads linkage
8951
8952 Reviewed by Csaba Osztrogonác.
8953
8954 After r124823 linkage to pthreads is not needed anymore for the Windows
8955 build.
8956
8957 * JavaScriptCore.pri:
8958
89592012-08-07 Gabor Ballabas <gaborb@inf.u-szeged.hu>
8960
8961 Refactor emit*Inst functions and introduce toARMWord functions in DFG-JIT's traditional ARM port
8962 https://bugs.webkit.org/show_bug.cgi?id=93266
8963
8964 Reviewed by Csaba Osztrogonác.
8965
8966 First part of a bigger refactoring issue trying to make traditional
8967 ARM DFG-JIT port easier to read and understand.
8968
8969
8970 * assembler/ARMAssembler.h:
8971 (JSC::ARMAssembler::emitInstruction):
8972 (JSC::ARMAssembler::emitDoublePrecisionInstruction):
8973 (JSC::ARMAssembler::emitSinglePrecisionInstruction):
8974 (JSC::ARMAssembler::and_r):
8975 (JSC::ARMAssembler::ands_r):
8976 (JSC::ARMAssembler::eor_r):
8977 (JSC::ARMAssembler::eors_r):
8978 (JSC::ARMAssembler::sub_r):
8979 (JSC::ARMAssembler::subs_r):
8980 (JSC::ARMAssembler::rsb_r):
8981 (JSC::ARMAssembler::rsbs_r):
8982 (JSC::ARMAssembler::add_r):
8983 (JSC::ARMAssembler::adds_r):
8984 (JSC::ARMAssembler::adc_r):
8985 (JSC::ARMAssembler::adcs_r):
8986 (JSC::ARMAssembler::sbc_r):
8987 (JSC::ARMAssembler::sbcs_r):
8988 (JSC::ARMAssembler::rsc_r):
8989 (JSC::ARMAssembler::rscs_r):
8990 (JSC::ARMAssembler::tst_r):
8991 (JSC::ARMAssembler::teq_r):
8992 (JSC::ARMAssembler::cmp_r):
8993 (JSC::ARMAssembler::cmn_r):
8994 (JSC::ARMAssembler::orr_r):
8995 (JSC::ARMAssembler::orrs_r):
8996 (JSC::ARMAssembler::mov_r):
8997 (JSC::ARMAssembler::movw_r):
8998 (JSC::ARMAssembler::movt_r):
8999 (JSC::ARMAssembler::movs_r):
9000 (JSC::ARMAssembler::bic_r):
9001 (JSC::ARMAssembler::bics_r):
9002 (JSC::ARMAssembler::mvn_r):
9003 (JSC::ARMAssembler::mvns_r):
9004 (JSC::ARMAssembler::mul_r):
9005 (JSC::ARMAssembler::muls_r):
9006 (JSC::ARMAssembler::mull_r):
9007 (JSC::ARMAssembler::vmov_f64_r):
9008 (JSC::ARMAssembler::vadd_f64_r):
9009 (JSC::ARMAssembler::vdiv_f64_r):
9010 (JSC::ARMAssembler::vsub_f64_r):
9011 (JSC::ARMAssembler::vmul_f64_r):
9012 (JSC::ARMAssembler::vcmp_f64_r):
9013 (JSC::ARMAssembler::vsqrt_f64_r):
9014 (JSC::ARMAssembler::vabs_f64_r):
9015 (JSC::ARMAssembler::vneg_f64_r):
9016 (JSC::ARMAssembler::ldr_imm):
9017 (JSC::ARMAssembler::ldr_un_imm):
9018 (JSC::ARMAssembler::dtr_u):
9019 (JSC::ARMAssembler::dtr_ur):
9020 (JSC::ARMAssembler::dtr_d):
9021 (JSC::ARMAssembler::dtr_dr):
9022 (JSC::ARMAssembler::dtrh_u):
9023 (JSC::ARMAssembler::dtrh_ur):
9024 (JSC::ARMAssembler::dtrh_d):
9025 (JSC::ARMAssembler::dtrh_dr):
9026 (JSC::ARMAssembler::fdtr_u):
9027 (JSC::ARMAssembler::fdtr_d):
9028 (JSC::ARMAssembler::push_r):
9029 (JSC::ARMAssembler::pop_r):
9030 (JSC::ARMAssembler::vmov_vfp64_r):
9031 (JSC::ARMAssembler::vmov_arm64_r):
9032 (JSC::ARMAssembler::vmov_vfp32_r):
9033 (JSC::ARMAssembler::vmov_arm32_r):
9034 (JSC::ARMAssembler::vcvt_f64_s32_r):
9035 (JSC::ARMAssembler::vcvt_s32_f64_r):
9036 (JSC::ARMAssembler::vcvt_u32_f64_r):
9037 (JSC::ARMAssembler::vcvt_f64_f32_r):
9038 (JSC::ARMAssembler::vcvt_f32_f64_r):
9039 (JSC::ARMAssembler::vmrs_apsr):
9040 (JSC::ARMAssembler::clz_r):
9041 (JSC::ARMAssembler::bx):
9042 (JSC::ARMAssembler::blx):
9043 (JSC::ARMAssembler::linkJump):
9044 (JSC::ARMAssembler::toARMWord):
9045 (ARMAssembler):
9046
90472012-08-06 Patrick Gansterer <paroga@webkit.org>
9048
9049 [WIN] Remove dependency on pthread from MachineStackMarker
9050 https://bugs.webkit.org/show_bug.cgi?id=68429
9051
9052 Reviewed by Geoffrey Garen.
9053
9054 Windows has no support for calling a destructor for thread specific data.
9055 Since we need more control over creating and deleting thread specific keys
9056 we can not simply extend WTF::ThreadSpecific with this functionality.
9057
9058 All thread specific keys created via the new API get stored in a list.
9059 After a thread function finished we iterate over this list and call
9060 the registered destructor for every item if needed.
9061
9062 * heap/MachineStackMarker.cpp: Use the new functions instead of pthread directly.
9063 (JSC::MachineThreads::~MachineThreads):
9064 (JSC::MachineThreads::makeUsableFromMultipleThreads):
9065 (JSC::MachineThreads::addCurrentThread):
9066 * heap/MachineStackMarker.h:
9067 (MachineThreads):
9068
90692012-08-06 Patrick Gansterer <paroga@webkit.org>
9070
9071 Unify JSC date and time formating functions
9072 https://bugs.webkit.org/show_bug.cgi?id=92282
9073
9074 Reviewed by Geoffrey Garen.
9075
9076 Replace the existing functions for formating GregorianDateTime
9077 with one single function. This removes some code duplications
9078 in DatePrototype and is a preperation to fix encoding issues,
9079 since we can add UChar* values to the resulting string now.
9080
9081 * runtime/DateConstructor.cpp:
9082 (JSC::callDate):
9083 * runtime/DateConversion.cpp:
9084 (JSC::formatDateTime):
9085 * runtime/DateConversion.h:
9086 (JSC):
9087 * runtime/DatePrototype.cpp:
9088 (JSC::formateDateInstance):
9089 (JSC::dateProtoFuncToString):
9090 (JSC::dateProtoFuncToUTCString):
9091 (JSC::dateProtoFuncToDateString):
9092 (JSC::dateProtoFuncToTimeString):
9093 (JSC::dateProtoFuncToGMTString):
9094
90952012-08-06 Carlos Garcia Campos <cgarcia@igalia.com>
9096
9097 Unreviewed. Fix make distcheck.
9098
9099 * GNUmakefile.list.am: Add missing header file.
9100
91012012-08-05 Peter Wang <peter.wang@torchmobile.com.cn>
9102
9103 Web Inspector: [JSC] implement setting breakpoints by line:column
9104 https://bugs.webkit.org/show_bug.cgi?id=53003
9105
9106 Reviewed by Geoffrey Garen.
9107
9108 Add a counter to Lexer to record the column info of each Token. Add a column parameter to
9109 op_debug, cti_op_debug, and _llint_op_debug byte-code command.
9110
9111 * bytecode/CodeBlock.cpp:
9112 (JSC::CodeBlock::dump):
9113 * bytecode/Opcode.h:
9114 (JSC):
9115 (JSC::padOpcodeName):
9116 * bytecompiler/BytecodeGenerator.cpp:
9117 (JSC::BytecodeGenerator::resolve):
9118 (JSC::BytecodeGenerator::emitDebugHook):
9119 * bytecompiler/BytecodeGenerator.h:
9120 (BytecodeGenerator):
9121 * bytecompiler/NodesCodegen.cpp:
9122 (JSC::ArrayNode::toArgumentList):
9123 (JSC::ApplyFunctionCallDotNode::emitBytecode):
9124 (JSC::ConstStatementNode::emitBytecode):
9125 (JSC::EmptyStatementNode::emitBytecode):
9126 (JSC::DebuggerStatementNode::emitBytecode):
9127 (JSC::ExprStatementNode::emitBytecode):
9128 (JSC::VarStatementNode::emitBytecode):
9129 (JSC::IfNode::emitBytecode):
9130 (JSC::IfElseNode::emitBytecode):
9131 (JSC::DoWhileNode::emitBytecode):
9132 (JSC::WhileNode::emitBytecode):
9133 (JSC::ForNode::emitBytecode):
9134 (JSC::ForInNode::emitBytecode):
9135 (JSC::ContinueNode::emitBytecode):
9136 (JSC::BreakNode::emitBytecode):
9137 (JSC::ReturnNode::emitBytecode):
9138 (JSC::WithNode::emitBytecode):
9139 (JSC::SwitchNode::emitBytecode):
9140 (JSC::LabelNode::emitBytecode):
9141 (JSC::ThrowNode::emitBytecode):
9142 (JSC::TryNode::emitBytecode):
9143 (JSC::ProgramNode::emitBytecode):
9144 (JSC::EvalNode::emitBytecode):
9145 (JSC::FunctionBodyNode::emitBytecode):
9146 * debugger/Debugger.h:
9147 * interpreter/Interpreter.cpp:
9148 (JSC::Interpreter::unwindCallFrame):
9149 (JSC::Interpreter::throwException):
9150 (JSC::Interpreter::debug):
9151 (JSC::Interpreter::privateExecute):
9152 * interpreter/Interpreter.h:
9153 (Interpreter):
9154 * jit/JITOpcodes.cpp:
9155 (JSC::JIT::emit_op_debug):
9156 * jit/JITOpcodes32_64.cpp:
9157 (JSC::JIT::emit_op_debug):
9158 * jit/JITStubs.cpp:
9159 (JSC::DEFINE_STUB_FUNCTION):
9160 * llint/LLIntSlowPaths.cpp:
9161 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
9162 * llint/LowLevelInterpreter.asm:
9163 * parser/ASTBuilder.h:
9164 (ASTBuilder):
9165 (JSC::ASTBuilder::createCommaExpr):
9166 (JSC::ASTBuilder::createLogicalNot):
9167 (JSC::ASTBuilder::createUnaryPlus):
9168 (JSC::ASTBuilder::createVoid):
9169 (JSC::ASTBuilder::thisExpr):
9170 (JSC::ASTBuilder::createResolve):
9171 (JSC::ASTBuilder::createObjectLiteral):
9172 (JSC::ASTBuilder::createArray):
9173 (JSC::ASTBuilder::createNumberExpr):
9174 (JSC::ASTBuilder::createString):
9175 (JSC::ASTBuilder::createBoolean):
9176 (JSC::ASTBuilder::createNull):
9177 (JSC::ASTBuilder::createBracketAccess):
9178 (JSC::ASTBuilder::createDotAccess):
9179 (JSC::ASTBuilder::createRegExp):
9180 (JSC::ASTBuilder::createNewExpr):
9181 (JSC::ASTBuilder::createConditionalExpr):
9182 (JSC::ASTBuilder::createAssignResolve):
9183 (JSC::ASTBuilder::createFunctionExpr):
9184 (JSC::ASTBuilder::createFunctionBody):
9185 (JSC::ASTBuilder::createGetterOrSetterProperty):
9186 (JSC::ASTBuilder::createArgumentsList):
9187 (JSC::ASTBuilder::createPropertyList):
9188 (JSC::ASTBuilder::createFuncDeclStatement):
9189 (JSC::ASTBuilder::createBlockStatement):
9190 (JSC::ASTBuilder::createExprStatement):
9191 (JSC::ASTBuilder::createIfStatement):
9192 (JSC::ASTBuilder::createForLoop):
9193 (JSC::ASTBuilder::createForInLoop):
9194 (JSC::ASTBuilder::createEmptyStatement):
9195 (JSC::ASTBuilder::createVarStatement):
9196 (JSC::ASTBuilder::createReturnStatement):
9197 (JSC::ASTBuilder::createBreakStatement):
9198 (JSC::ASTBuilder::createContinueStatement):
9199 (JSC::ASTBuilder::createTryStatement):
9200 (JSC::ASTBuilder::createSwitchStatement):
9201 (JSC::ASTBuilder::createWhileStatement):
9202 (JSC::ASTBuilder::createDoWhileStatement):
9203 (JSC::ASTBuilder::createLabelStatement):
9204 (JSC::ASTBuilder::createWithStatement):
9205 (JSC::ASTBuilder::createThrowStatement):
9206 (JSC::ASTBuilder::createDebugger):
9207 (JSC::ASTBuilder::createConstStatement):
9208 (JSC::ASTBuilder::appendConstDecl):
9209 (JSC::ASTBuilder::combineCommaNodes):
9210 (JSC::ASTBuilder::appendBinaryOperation):
9211 (JSC::ASTBuilder::createAssignment):
9212 (JSC::ASTBuilder::createNumber):
9213 (JSC::ASTBuilder::makeTypeOfNode):
9214 (JSC::ASTBuilder::makeDeleteNode):
9215 (JSC::ASTBuilder::makeNegateNode):
9216 (JSC::ASTBuilder::makeBitwiseNotNode):
9217 (JSC::ASTBuilder::makeMultNode):
9218 (JSC::ASTBuilder::makeDivNode):
9219 (JSC::ASTBuilder::makeModNode):
9220 (JSC::ASTBuilder::makeAddNode):
9221 (JSC::ASTBuilder::makeSubNode):
9222 (JSC::ASTBuilder::makeLeftShiftNode):
9223 (JSC::ASTBuilder::makeRightShiftNode):
9224 (JSC::ASTBuilder::makeURightShiftNode):
9225 (JSC::ASTBuilder::makeBitOrNode):
9226 (JSC::ASTBuilder::makeBitAndNode):
9227 (JSC::ASTBuilder::makeBitXOrNode):
9228 (JSC::ASTBuilder::makeFunctionCallNode):
9229 (JSC::ASTBuilder::makeBinaryNode):
9230 (JSC::ASTBuilder::makeAssignNode):
9231 (JSC::ASTBuilder::makePrefixNode):
9232 (JSC::ASTBuilder::makePostfixNode):
9233 * parser/Lexer.cpp:
9234 (JSC::::setCode):
9235 (JSC::::internalShift):
9236 (JSC::::shift):
9237 (JSC::::lex):
9238 * parser/Lexer.h:
9239 (Lexer):
9240 (JSC::Lexer::currentColumnNumber):
9241 (JSC::::lexExpectIdentifier):
9242 * parser/NodeConstructors.h:
9243 (JSC::Node::Node):
9244 (JSC::ExpressionNode::ExpressionNode):
9245 (JSC::StatementNode::StatementNode):
9246 (JSC::NullNode::NullNode):
9247 (JSC::BooleanNode::BooleanNode):
9248 (JSC::NumberNode::NumberNode):
9249 (JSC::StringNode::StringNode):
9250 (JSC::RegExpNode::RegExpNode):
9251 (JSC::ThisNode::ThisNode):
9252 (JSC::ResolveNode::ResolveNode):
9253 (JSC::ArrayNode::ArrayNode):
9254 (JSC::PropertyListNode::PropertyListNode):
9255 (JSC::ObjectLiteralNode::ObjectLiteralNode):
9256 (JSC::BracketAccessorNode::BracketAccessorNode):
9257 (JSC::DotAccessorNode::DotAccessorNode):
9258 (JSC::ArgumentListNode::ArgumentListNode):
9259 (JSC::NewExprNode::NewExprNode):
9260 (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
9261 (JSC::FunctionCallValueNode::FunctionCallValueNode):
9262 (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
9263 (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
9264 (JSC::FunctionCallDotNode::FunctionCallDotNode):
9265 (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
9266 (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
9267 (JSC::PrePostResolveNode::PrePostResolveNode):
9268 (JSC::PostfixResolveNode::PostfixResolveNode):
9269 (JSC::PostfixBracketNode::PostfixBracketNode):
9270 (JSC::PostfixDotNode::PostfixDotNode):
9271 (JSC::PostfixErrorNode::PostfixErrorNode):
9272 (JSC::DeleteResolveNode::DeleteResolveNode):
9273 (JSC::DeleteBracketNode::DeleteBracketNode):
9274 (JSC::DeleteDotNode::DeleteDotNode):
9275 (JSC::DeleteValueNode::DeleteValueNode):
9276 (JSC::VoidNode::VoidNode):
9277 (JSC::TypeOfResolveNode::TypeOfResolveNode):
9278 (JSC::TypeOfValueNode::TypeOfValueNode):
9279 (JSC::PrefixResolveNode::PrefixResolveNode):
9280 (JSC::PrefixBracketNode::PrefixBracketNode):
9281 (JSC::PrefixDotNode::PrefixDotNode):
9282 (JSC::PrefixErrorNode::PrefixErrorNode):
9283 (JSC::UnaryOpNode::UnaryOpNode):
9284 (JSC::UnaryPlusNode::UnaryPlusNode):
9285 (JSC::NegateNode::NegateNode):
9286 (JSC::BitwiseNotNode::BitwiseNotNode):
9287 (JSC::LogicalNotNode::LogicalNotNode):
9288 (JSC::BinaryOpNode::BinaryOpNode):
9289 (JSC::MultNode::MultNode):
9290 (JSC::DivNode::DivNode):
9291 (JSC::ModNode::ModNode):
9292 (JSC::AddNode::AddNode):
9293 (JSC::SubNode::SubNode):
9294 (JSC::LeftShiftNode::LeftShiftNode):
9295 (JSC::RightShiftNode::RightShiftNode):
9296 (JSC::UnsignedRightShiftNode::UnsignedRightShiftNode):
9297 (JSC::LessNode::LessNode):
9298 (JSC::GreaterNode::GreaterNode):
9299 (JSC::LessEqNode::LessEqNode):
9300 (JSC::GreaterEqNode::GreaterEqNode):
9301 (JSC::ThrowableBinaryOpNode::ThrowableBinaryOpNode):
9302 (JSC::InstanceOfNode::InstanceOfNode):
9303 (JSC::InNode::InNode):
9304 (JSC::EqualNode::EqualNode):
9305 (JSC::NotEqualNode::NotEqualNode):
9306 (JSC::StrictEqualNode::StrictEqualNode):
9307 (JSC::NotStrictEqualNode::NotStrictEqualNode):
9308 (JSC::BitAndNode::BitAndNode):
9309 (JSC::BitOrNode::BitOrNode):
9310 (JSC::BitXOrNode::BitXOrNode):
9311 (JSC::LogicalOpNode::LogicalOpNode):
9312 (JSC::ConditionalNode::ConditionalNode):
9313 (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
9314 (JSC::AssignResolveNode::AssignResolveNode):
9315 (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
9316 (JSC::AssignBracketNode::AssignBracketNode):
9317 (JSC::AssignDotNode::AssignDotNode):
9318 (JSC::ReadModifyDotNode::ReadModifyDotNode):
9319 (JSC::AssignErrorNode::AssignErrorNode):
9320 (JSC::CommaNode::CommaNode):
9321 (JSC::ConstStatementNode::ConstStatementNode):
9322 (JSC::EmptyStatementNode::EmptyStatementNode):
9323 (JSC::DebuggerStatementNode::DebuggerStatementNode):
9324 (JSC::ExprStatementNode::ExprStatementNode):
9325 (JSC::VarStatementNode::VarStatementNode):
9326 (JSC::IfNode::IfNode):
9327 (JSC::IfElseNode::IfElseNode):
9328 (JSC::DoWhileNode::DoWhileNode):
9329 (JSC::WhileNode::WhileNode):
9330 (JSC::ForNode::ForNode):
9331 (JSC::ContinueNode::ContinueNode):
9332 (JSC::BreakNode::BreakNode):
9333 (JSC::ReturnNode::ReturnNode):
9334 (JSC::WithNode::WithNode):
9335 (JSC::LabelNode::LabelNode):
9336 (JSC::ThrowNode::ThrowNode):
9337 (JSC::TryNode::TryNode):
9338 (JSC::FuncExprNode::FuncExprNode):
9339 (JSC::FuncDeclNode::FuncDeclNode):
9340 (JSC::SwitchNode::SwitchNode):
9341 (JSC::ConstDeclNode::ConstDeclNode):
9342 (JSC::BlockNode::BlockNode):
9343 (JSC::ForInNode::ForInNode):
9344 * parser/Nodes.cpp:
9345 (JSC::StatementNode::setLoc):
9346 (JSC):
9347 (JSC::ScopeNode::ScopeNode):
9348 (JSC::ProgramNode::ProgramNode):
9349 (JSC::ProgramNode::create):
9350 (JSC::EvalNode::EvalNode):
9351 (JSC::EvalNode::create):
9352 (JSC::FunctionBodyNode::FunctionBodyNode):
9353 (JSC::FunctionBodyNode::create):
9354 * parser/Nodes.h:
9355 (Node):
9356 (JSC::Node::columnNo):
9357 (ExpressionNode):
9358 (StatementNode):
9359 (JSC::StatementNode::column):
9360 (NullNode):
9361 (BooleanNode):
9362 (NumberNode):
9363 (StringNode):
9364 (RegExpNode):
9365 (ThisNode):
9366 (ResolveNode):
9367 (ArrayNode):
9368 (PropertyListNode):
9369 (ObjectLiteralNode):
9370 (BracketAccessorNode):
9371 (DotAccessorNode):
9372 (ArgumentListNode):
9373 (NewExprNode):
9374 (EvalFunctionCallNode):
9375 (FunctionCallValueNode):
9376 (FunctionCallResolveNode):
9377 (FunctionCallBracketNode):
9378 (FunctionCallDotNode):
9379 (CallFunctionCallDotNode):
9380 (ApplyFunctionCallDotNode):
9381 (PrePostResolveNode):
9382 (PostfixResolveNode):
9383 (PostfixBracketNode):
9384 (PostfixDotNode):
9385 (PostfixErrorNode):
9386 (DeleteResolveNode):
9387 (DeleteBracketNode):
9388 (DeleteDotNode):
9389 (DeleteValueNode):
9390 (VoidNode):
9391 (TypeOfResolveNode):
9392 (TypeOfValueNode):
9393 (PrefixResolveNode):
9394 (PrefixBracketNode):
9395 (PrefixDotNode):
9396 (PrefixErrorNode):
9397 (UnaryOpNode):
9398 (UnaryPlusNode):
9399 (NegateNode):
9400 (BitwiseNotNode):
9401 (LogicalNotNode):
9402 (BinaryOpNode):
9403 (MultNode):
9404 (DivNode):
9405 (ModNode):
9406 (AddNode):
9407 (SubNode):
9408 (LeftShiftNode):
9409 (RightShiftNode):
9410 (UnsignedRightShiftNode):
9411 (LessNode):
9412 (GreaterNode):
9413 (LessEqNode):
9414 (GreaterEqNode):
9415 (ThrowableBinaryOpNode):
9416 (InstanceOfNode):
9417 (InNode):
9418 (EqualNode):
9419 (NotEqualNode):
9420 (StrictEqualNode):
9421 (NotStrictEqualNode):
9422 (BitAndNode):
9423 (BitOrNode):
9424 (BitXOrNode):
9425 (LogicalOpNode):
9426 (ConditionalNode):
9427 (ReadModifyResolveNode):
9428 (AssignResolveNode):
9429 (ReadModifyBracketNode):
9430 (AssignBracketNode):
9431 (AssignDotNode):
9432 (ReadModifyDotNode):
9433 (AssignErrorNode):
9434 (CommaNode):
9435 (ConstDeclNode):
9436 (ConstStatementNode):
9437 (BlockNode):
9438 (EmptyStatementNode):
9439 (DebuggerStatementNode):
9440 (ExprStatementNode):
9441 (VarStatementNode):
9442 (IfNode):
9443 (IfElseNode):
9444 (DoWhileNode):
9445 (WhileNode):
9446 (ForNode):
9447 (ForInNode):
9448 (ContinueNode):
9449 (BreakNode):
9450 (ReturnNode):
9451 (WithNode):
9452 (LabelNode):
9453 (ThrowNode):
9454 (TryNode):
9455 (ScopeNode):
9456 (ProgramNode):
9457 (EvalNode):
9458 (FunctionBodyNode):
9459 (FuncExprNode):
9460 (FuncDeclNode):
9461 (SwitchNode):
9462 * parser/Parser.cpp:
9463 (JSC::::parseSourceElements):
9464 (JSC::::parseVarDeclaration):
9465 (JSC::::parseConstDeclaration):
9466 (JSC::::parseDoWhileStatement):
9467 (JSC::::parseWhileStatement):
9468 (JSC::::parseVarDeclarationList):
9469 (JSC::::parseConstDeclarationList):
9470 (JSC::::parseForStatement):
9471 (JSC::::parseBreakStatement):
9472 (JSC::::parseContinueStatement):
9473 (JSC::::parseReturnStatement):
9474 (JSC::::parseThrowStatement):
9475 (JSC::::parseWithStatement):
9476 (JSC::::parseSwitchStatement):
9477 (JSC::::parseTryStatement):
9478 (JSC::::parseDebuggerStatement):
9479 (JSC::::parseBlockStatement):
9480 (JSC::::parseStatement):
9481 (JSC::::parseFunctionBody):
9482 (JSC::::parseFunctionInfo):
9483 (JSC::::parseFunctionDeclaration):
9484 (JSC::::parseExpressionOrLabelStatement):
9485 (JSC::::parseExpressionStatement):
9486 (JSC::::parseIfStatement):
9487 (JSC::::parseExpression):
9488 (JSC::::parseAssignmentExpression):
9489 (JSC::::parseConditionalExpression):
9490 (JSC::::parseBinaryExpression):
9491 (JSC::::parseProperty):
9492 (JSC::::parseObjectLiteral):
9493 (JSC::::parseStrictObjectLiteral):
9494 (JSC::::parseArrayLiteral):
9495 (JSC::::parsePrimaryExpression):
9496 (JSC::::parseArguments):
9497 (JSC::::parseMemberExpression):
9498 (JSC::::parseUnaryExpression):
9499 * parser/Parser.h:
9500 (JSC::Parser::next):
9501 (JSC::Parser::nextExpectIdentifier):
9502 (JSC::Parser::tokenStart):
9503 (JSC::Parser::tokenLine):
9504 (JSC::Parser::tokenEnd):
9505 (JSC::Parser::tokenLocation):
9506 (Parser):
9507 (JSC::Parser::getTokenName):
9508 (JSC::::parse):
9509 * parser/ParserTokens.h:
9510 (JSC::JSTokenLocation::JSTokenLocation):
9511 (JSTokenLocation):
9512 (JSToken):
9513 * parser/SourceProviderCacheItem.h:
9514 (JSC::SourceProviderCacheItem::closeBraceToken):
9515 * parser/SyntaxChecker.h:
9516 (JSC::SyntaxChecker::makeFunctionCallNode):
9517 (JSC::SyntaxChecker::createCommaExpr):
9518 (JSC::SyntaxChecker::makeAssignNode):
9519 (JSC::SyntaxChecker::makePrefixNode):
9520 (JSC::SyntaxChecker::makePostfixNode):
9521 (JSC::SyntaxChecker::makeTypeOfNode):
9522 (JSC::SyntaxChecker::makeDeleteNode):
9523 (JSC::SyntaxChecker::makeNegateNode):
9524 (JSC::SyntaxChecker::makeBitwiseNotNode):
9525 (JSC::SyntaxChecker::createLogicalNot):
9526 (JSC::SyntaxChecker::createUnaryPlus):
9527 (JSC::SyntaxChecker::createVoid):
9528 (JSC::SyntaxChecker::thisExpr):
9529 (JSC::SyntaxChecker::createResolve):
9530 (JSC::SyntaxChecker::createObjectLiteral):
9531 (JSC::SyntaxChecker::createArray):
9532 (JSC::SyntaxChecker::createNumberExpr):
9533 (JSC::SyntaxChecker::createString):
9534 (JSC::SyntaxChecker::createBoolean):
9535 (JSC::SyntaxChecker::createNull):
9536 (JSC::SyntaxChecker::createBracketAccess):
9537 (JSC::SyntaxChecker::createDotAccess):
9538 (JSC::SyntaxChecker::createRegExp):
9539 (JSC::SyntaxChecker::createNewExpr):
9540 (JSC::SyntaxChecker::createConditionalExpr):
9541 (JSC::SyntaxChecker::createAssignResolve):
9542 (JSC::SyntaxChecker::createFunctionExpr):
9543 (JSC::SyntaxChecker::createFunctionBody):
9544 (JSC::SyntaxChecker::createArgumentsList):
9545 (JSC::SyntaxChecker::createPropertyList):
9546 (JSC::SyntaxChecker::createFuncDeclStatement):
9547 (JSC::SyntaxChecker::createBlockStatement):
9548 (JSC::SyntaxChecker::createExprStatement):
9549 (JSC::SyntaxChecker::createIfStatement):
9550 (JSC::SyntaxChecker::createForLoop):
9551 (JSC::SyntaxChecker::createForInLoop):
9552 (JSC::SyntaxChecker::createEmptyStatement):
9553 (JSC::SyntaxChecker::createVarStatement):
9554 (JSC::SyntaxChecker::createReturnStatement):
9555 (JSC::SyntaxChecker::createBreakStatement):
9556 (JSC::SyntaxChecker::createContinueStatement):
9557 (JSC::SyntaxChecker::createTryStatement):
9558 (JSC::SyntaxChecker::createSwitchStatement):
9559 (JSC::SyntaxChecker::createWhileStatement):
9560 (JSC::SyntaxChecker::createWithStatement):
9561 (JSC::SyntaxChecker::createDoWhileStatement):
9562 (JSC::SyntaxChecker::createLabelStatement):
9563 (JSC::SyntaxChecker::createThrowStatement):
9564 (JSC::SyntaxChecker::createDebugger):
9565 (JSC::SyntaxChecker::createConstStatement):
9566 (JSC::SyntaxChecker::appendConstDecl):
9567 (JSC::SyntaxChecker::createGetterOrSetterProperty):
9568 (JSC::SyntaxChecker::combineCommaNodes):
9569 (JSC::SyntaxChecker::operatorStackPop):
9570
95712012-08-03 Filip Pizlo <fpizlo@apple.com>
9572
9573 Crashes in dfgBuildPutByIdList when clicking on just about anything on Google Maps
9574 https://bugs.webkit.org/show_bug.cgi?id=92691
9575
9576 Reviewed by Mark Hahnenberg.
9577
9578 The state of the stubs was changing after we determined the type (by virtue of the slow path
9579 function that was called), since the get or put (in this case put) could cause arbitrary
9580 side effects. Perhaps a full-blown fix would be to eliminate our reliance of the slow path
9581 function to determine what to do, but an easier fix for now is to have the slow path give up
9582 if its assumptions were invalidated by a side effect.
9583
9584 * dfg/DFGOperations.cpp:
9585 * jit/JITStubs.cpp:
9586 (JSC::DEFINE_STUB_FUNCTION):
9587
95882012-08-03 Filip Pizlo <fpizlo@apple.com>
9589
9590 DFG handling of get_by_id should always inject a ForceOSRExit node if there is no prediction
9591 https://bugs.webkit.org/show_bug.cgi?id=93162
9592
9593 Reviewed by Mark Hahnenberg.
9594
9595 This simplifies the DFG IR by ensuring that all nodes that use value profiles will be preceded
9596 by a ForceOSRExit if the value profile had no data.
9597
9598 * dfg/DFGByteCodeParser.cpp:
9599 (JSC::DFG::ByteCodeParser::parseBlock):
9600
96012012-08-03 Filip Pizlo <fpizlo@apple.com>
9602
9603 DFG::StructureCheckHoistingPhase keeps a Node& around for too long
9604 https://bugs.webkit.org/show_bug.cgi?id=93157
9605
9606 Reviewed by Mark Hahnenberg.
9607
9608 * dfg/DFGStructureCheckHoistingPhase.cpp:
9609 (JSC::DFG::StructureCheckHoistingPhase::run):
9610
96112012-08-02 Patrick Gansterer <paroga@webkit.org>
9612
9613 Move getLocalTime() as static inline function to DateMath
9614 https://bugs.webkit.org/show_bug.cgi?id=92955
9615
9616 Reviewed by Ryosuke Niwa.
9617
9618 getCurrentLocalTime() and getLocalTime() has been superseded with the
9619 GregorianDateTime class. So we can move it into DateMath.cpp as an static inline
9620 function. This allows us to remove the dependecy on time() and localtime()
9621 for Windows CE, where this functions require the ce_time library to work.
9622
9623 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
9624
96252012-08-02 Filip Pizlo <fpizlo@apple.com>
9626
9627 ASSERTION FAILED: at(m_compileIndex).canExit() || m_isCheckingArgumentTypes
9628 https://bugs.webkit.org/show_bug.cgi?id=91074
9629
9630 Reviewed by Mark Hahnenberg.
9631
9632 Fixes a bug where the speculative JIT was performing an unnecessary speculation that the
9633 CFA had proven shouldn't be performed, leading to asserts that a node should not have
9634 exit sites. This is a debug-only assert with no release symptom - we were just emitting
9635 a check that was not reachable.
9636
9637 Also found, and fixed, a bug where structure check hoisting was slightly confusing the
9638 CFA by inserting GetLocal's into the graph. CSE would clean the GetLocal's up, which
9639 would make the backend happy - but the CFA would produce subtly wrong results.
9640
9641 * bytecode/SpeculatedType.h:
9642 (JSC::isOtherOrEmptySpeculation):
9643 (JSC):
9644 * dfg/DFGDriver.cpp:
9645 (JSC::DFG::compile):
9646 * dfg/DFGGraph.cpp:
9647 (JSC::DFG::Graph::dump):
9648 * dfg/DFGSpeculativeJIT64.cpp:
9649 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
9650 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
9651
96522012-08-02 Filip Pizlo <fpizlo@apple.com>
9653
9654 Unreviewed, build fix for DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE).
9655
9656 * dfg/DFGStructureCheckHoistingPhase.cpp:
9657 (JSC::DFG::StructureCheckHoistingPhase::run):
9658
96592012-08-01 Mark Hahnenberg <mhahnenberg@apple.com>
9660
9661 Remove all uses of ClassInfo for JSStrings in JIT code
9662 https://bugs.webkit.org/show_bug.cgi?id=92935
9663
9664 Reviewed by Geoffrey Garen.
9665
9666 This is the first step in removing our dependence on in-object ClassInfo pointers
9667 in JIT code. Most of the changes are to check the Structure, which is unique for
9668 JSString primitives.
9669
9670 * bytecode/SpeculatedType.cpp:
9671 (JSC::speculationFromClassInfo):
9672 (JSC::speculationFromStructure): Changed to check the TypeInfo in the Structure
9673 since there wasn't a JSGlobalData immediately available to grab the JSString
9674 Structure out of.
9675 * dfg/DFGSpeculativeJIT.cpp:
9676 (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
9677 * dfg/DFGSpeculativeJIT32_64.cpp:
9678 (JSC::DFG::SpeculativeJIT::compile):
9679 * dfg/DFGSpeculativeJIT64.cpp:
9680 (JSC::DFG::SpeculativeJIT::compile):
9681 * jit/JITInlineMethods.h:
9682 (JSC::JIT::emitLoadCharacterString):
9683 * jit/JITOpcodes.cpp:
9684 (JSC::JIT::privateCompileCTIMachineTrampolines):
9685 (JSC::JIT::emit_op_to_primitive):
9686 (JSC::JIT::emit_op_convert_this):
9687 * jit/JITOpcodes32_64.cpp:
9688 (JSC::JIT::privateCompileCTIMachineTrampolines):
9689 (JSC::JIT::emit_op_to_primitive):
9690 (JSC::JIT::emitSlow_op_eq):
9691 (JSC::JIT::emitSlow_op_neq):
9692 (JSC::JIT::compileOpStrictEq):
9693 (JSC::JIT::emit_op_convert_this):
9694 * jit/JITPropertyAccess.cpp:
9695 (JSC::JIT::stringGetByValStubGenerator):
9696 (JSC::JIT::emitSlow_op_get_by_val):
9697 * jit/JITPropertyAccess32_64.cpp:
9698 (JSC::JIT::stringGetByValStubGenerator):
9699 (JSC::JIT::emitSlow_op_get_by_val):
9700 * jit/SpecializedThunkJIT.h:
9701 (JSC::SpecializedThunkJIT::loadJSStringArgument):
9702 * jit/ThunkGenerators.cpp:
9703 (JSC::stringCharLoad):
9704 (JSC::charCodeAtThunkGenerator):
9705 (JSC::charAtThunkGenerator):
9706
97072012-08-02 Filip Pizlo <fpizlo@apple.com>
9708
9709 Unreviewed, missed a style goof in the previous patch: "NodeIndex nodeIndex"
9710 in a method signature is painfully redundant.
9711
9712 * dfg/DFGSpeculativeJIT.h:
9713 (SpeculativeJIT):
9714
97152012-08-02 Filip Pizlo <fpizlo@apple.com>
9716
9717 DFGSpeculativeJIT.h has too many inline method bodies
9718 https://bugs.webkit.org/show_bug.cgi?id=92957
9719
9720 Reviewed by Antti Koivisto.
9721
9722 * dfg/DFGSpeculativeJIT.cpp:
9723 (JSC::DFG::SpeculativeJIT::speculationCheck):
9724 (DFG):
9725 (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
9726 (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
9727 (JSC::DFG::SpeculativeJIT::speculationCheckWithConditionalDirection):
9728 (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
9729 (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecutionWithConditionalDirection):
9730 * dfg/DFGSpeculativeJIT.h:
9731 (SpeculativeJIT):
9732
97332012-08-01 Sheriff Bot <webkit.review.bot@gmail.com>
9734
9735 Unreviewed, rolling out r124406.
9736 http://trac.webkit.org/changeset/124406
9737 https://bugs.webkit.org/show_bug.cgi?id=92951
9738
9739 it set the Mac bots on fire (Requested by pizlo on #webkit).
9740
9741 * bytecode/Opcode.h:
9742 (JSC):
9743 (JSC::padOpcodeName):
9744 * bytecompiler/BytecodeGenerator.cpp:
9745 (JSC::BytecodeGenerator::emitDebugHook):
9746 * bytecompiler/BytecodeGenerator.h:
9747 (BytecodeGenerator):
9748 * bytecompiler/NodesCodegen.cpp:
9749 (JSC::ArrayNode::toArgumentList):
9750 (JSC::ApplyFunctionCallDotNode::emitBytecode):
9751 (JSC::ConditionalNode::emitBytecode):
9752 (JSC::ConstStatementNode::emitBytecode):
9753 (JSC::EmptyStatementNode::emitBytecode):
9754 (JSC::DebuggerStatementNode::emitBytecode):
9755 (JSC::ExprStatementNode::emitBytecode):
9756 (JSC::VarStatementNode::emitBytecode):
9757 (JSC::IfNode::emitBytecode):
9758 (JSC::IfElseNode::emitBytecode):
9759 (JSC::DoWhileNode::emitBytecode):
9760 (JSC::WhileNode::emitBytecode):
9761 (JSC::ForNode::emitBytecode):
9762 (JSC::ForInNode::emitBytecode):
9763 (JSC::ContinueNode::emitBytecode):
9764 (JSC::BreakNode::emitBytecode):
9765 (JSC::ReturnNode::emitBytecode):
9766 (JSC::WithNode::emitBytecode):
9767 (JSC::SwitchNode::emitBytecode):
9768 (JSC::LabelNode::emitBytecode):
9769 (JSC::ThrowNode::emitBytecode):
9770 (JSC::TryNode::emitBytecode):
9771 (JSC::ProgramNode::emitBytecode):
9772 (JSC::EvalNode::emitBytecode):
9773 (JSC::FunctionBodyNode::emitBytecode):
9774 * debugger/Debugger.h:
9775 * interpreter/Interpreter.cpp:
9776 (JSC::Interpreter::unwindCallFrame):
9777 (JSC::Interpreter::throwException):
9778 (JSC::Interpreter::debug):
9779 * interpreter/Interpreter.h:
9780 (Interpreter):
9781 * jit/JITOpcodes.cpp:
9782 (JSC::JIT::emit_op_debug):
9783 * jit/JITOpcodes32_64.cpp:
9784 (JSC::JIT::emit_op_debug):
9785 * jit/JITStubs.cpp:
9786 (JSC::DEFINE_STUB_FUNCTION):
9787 * llint/LLIntSlowPaths.cpp:
9788 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
9789 * parser/ASTBuilder.h:
9790 (ASTBuilder):
9791 (JSC::ASTBuilder::createCommaExpr):
9792 (JSC::ASTBuilder::createLogicalNot):
9793 (JSC::ASTBuilder::createUnaryPlus):
9794 (JSC::ASTBuilder::createVoid):
9795 (JSC::ASTBuilder::thisExpr):
9796 (JSC::ASTBuilder::createResolve):
9797 (JSC::ASTBuilder::createObjectLiteral):
9798 (JSC::ASTBuilder::createArray):
9799 (JSC::ASTBuilder::createNumberExpr):
9800 (JSC::ASTBuilder::createString):
9801 (JSC::ASTBuilder::createBoolean):
9802 (JSC::ASTBuilder::createNull):
9803 (JSC::ASTBuilder::createBracketAccess):
9804 (JSC::ASTBuilder::createDotAccess):
9805 (JSC::ASTBuilder::createRegExp):
9806 (JSC::ASTBuilder::createNewExpr):
9807 (JSC::ASTBuilder::createConditionalExpr):
9808 (JSC::ASTBuilder::createAssignResolve):
9809 (JSC::ASTBuilder::createFunctionExpr):
9810 (JSC::ASTBuilder::createFunctionBody):
9811 (JSC::ASTBuilder::createGetterOrSetterProperty):
9812 (JSC::ASTBuilder::createArgumentsList):
9813 (JSC::ASTBuilder::createPropertyList):
9814 (JSC::ASTBuilder::createFuncDeclStatement):
9815 (JSC::ASTBuilder::createBlockStatement):
9816 (JSC::ASTBuilder::createExprStatement):
9817 (JSC::ASTBuilder::createIfStatement):
9818 (JSC::ASTBuilder::createForLoop):
9819 (JSC::ASTBuilder::createForInLoop):
9820 (JSC::ASTBuilder::createEmptyStatement):
9821 (JSC::ASTBuilder::createVarStatement):
9822 (JSC::ASTBuilder::createReturnStatement):
9823 (JSC::ASTBuilder::createBreakStatement):
9824 (JSC::ASTBuilder::createContinueStatement):
9825 (JSC::ASTBuilder::createTryStatement):
9826 (JSC::ASTBuilder::createSwitchStatement):
9827 (JSC::ASTBuilder::createWhileStatement):
9828 (JSC::ASTBuilder::createDoWhileStatement):
9829 (JSC::ASTBuilder::createLabelStatement):
9830 (JSC::ASTBuilder::createWithStatement):
9831 (JSC::ASTBuilder::createThrowStatement):
9832 (JSC::ASTBuilder::createDebugger):
9833 (JSC::ASTBuilder::createConstStatement):
9834 (JSC::ASTBuilder::appendConstDecl):
9835 (JSC::ASTBuilder::combineCommaNodes):
9836 (JSC::ASTBuilder::appendBinaryOperation):
9837 (JSC::ASTBuilder::createAssignment):
9838 (JSC::ASTBuilder::createNumber):
9839 (JSC::ASTBuilder::makeTypeOfNode):
9840 (JSC::ASTBuilder::makeDeleteNode):
9841 (JSC::ASTBuilder::makeNegateNode):
9842 (JSC::ASTBuilder::makeBitwiseNotNode):
9843 (JSC::ASTBuilder::makeMultNode):
9844 (JSC::ASTBuilder::makeDivNode):
9845 (JSC::ASTBuilder::makeModNode):
9846 (JSC::ASTBuilder::makeAddNode):
9847 (JSC::ASTBuilder::makeSubNode):
9848 (JSC::ASTBuilder::makeLeftShiftNode):
9849 (JSC::ASTBuilder::makeRightShiftNode):
9850 (JSC::ASTBuilder::makeURightShiftNode):
9851 (JSC::ASTBuilder::makeBitOrNode):
9852 (JSC::ASTBuilder::makeBitAndNode):
9853 (JSC::ASTBuilder::makeBitXOrNode):
9854 (JSC::ASTBuilder::makeFunctionCallNode):
9855 (JSC::ASTBuilder::makeBinaryNode):
9856 (JSC::ASTBuilder::makeAssignNode):
9857 (JSC::ASTBuilder::makePrefixNode):
9858 (JSC::ASTBuilder::makePostfixNode):
9859 * parser/Lexer.cpp:
9860 (JSC::::setCode):
9861 (JSC::::internalShift):
9862 (JSC::::shift):
9863 (JSC::::lex):
9864 * parser/Lexer.h:
9865 (Lexer):
9866 (JSC::::lexExpectIdentifier):
9867 * parser/NodeConstructors.h:
9868 (JSC::Node::Node):
9869 (JSC::ExpressionNode::ExpressionNode):
9870 (JSC::StatementNode::StatementNode):
9871 (JSC::NullNode::NullNode):
9872 (JSC::BooleanNode::BooleanNode):
9873 (JSC::NumberNode::NumberNode):
9874 (JSC::StringNode::StringNode):
9875 (JSC::RegExpNode::RegExpNode):
9876 (JSC::ThisNode::ThisNode):
9877 (JSC::ResolveNode::ResolveNode):
9878 (JSC::ArrayNode::ArrayNode):
9879 (JSC::PropertyListNode::PropertyListNode):
9880 (JSC::ObjectLiteralNode::ObjectLiteralNode):
9881 (JSC::BracketAccessorNode::BracketAccessorNode):
9882 (JSC::DotAccessorNode::DotAccessorNode):
9883 (JSC::ArgumentListNode::ArgumentListNode):
9884 (JSC::NewExprNode::NewExprNode):
9885 (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
9886 (JSC::FunctionCallValueNode::FunctionCallValueNode):
9887 (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
9888 (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
9889 (JSC::FunctionCallDotNode::FunctionCallDotNode):
9890 (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
9891 (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
9892 (JSC::PrePostResolveNode::PrePostResolveNode):
9893 (JSC::PostfixResolveNode::PostfixResolveNode):
9894 (JSC::PostfixBracketNode::PostfixBracketNode):
9895 (JSC::PostfixDotNode::PostfixDotNode):
9896 (JSC::PostfixErrorNode::PostfixErrorNode):
9897 (JSC::DeleteResolveNode::DeleteResolveNode):
9898 (JSC::DeleteBracketNode::DeleteBracketNode):
9899 (JSC::DeleteDotNode::DeleteDotNode):
9900 (JSC::DeleteValueNode::DeleteValueNode):
9901 (JSC::VoidNode::VoidNode):
9902 (JSC::TypeOfResolveNode::TypeOfResolveNode):
9903 (JSC::TypeOfValueNode::TypeOfValueNode):
9904 (JSC::PrefixResolveNode::PrefixResolveNode):
9905 (JSC::PrefixBracketNode::PrefixBracketNode):
9906 (JSC::PrefixDotNode::PrefixDotNode):
9907 (JSC::PrefixErrorNode::PrefixErrorNode):
9908 (JSC::UnaryOpNode::UnaryOpNode):
9909 (JSC::UnaryPlusNode::UnaryPlusNode):
9910 (JSC::NegateNode::NegateNode):
9911 (JSC::BitwiseNotNode::BitwiseNotNode):
9912 (JSC::LogicalNotNode::LogicalNotNode):
9913 (JSC::BinaryOpNode::BinaryOpNode):
9914 (JSC::MultNode::MultNode):
9915 (JSC::DivNode::DivNode):
9916 (JSC::ModNode::ModNode):
9917 (JSC::AddNode::AddNode):
9918 (JSC::SubNode::SubNode):
9919 (JSC::LeftShiftNode::LeftShiftNode):
9920 (JSC::RightShiftNode::RightShiftNode):
9921 (JSC::UnsignedRightShiftNode::UnsignedRightShiftNode):
9922 (JSC::LessNode::LessNode):
9923 (JSC::GreaterNode::GreaterNode):
9924 (JSC::LessEqNode::LessEqNode):
9925 (JSC::GreaterEqNode::GreaterEqNode):
9926 (JSC::ThrowableBinaryOpNode::ThrowableBinaryOpNode):
9927 (JSC::InstanceOfNode::InstanceOfNode):
9928 (JSC::InNode::InNode):
9929 (JSC::EqualNode::EqualNode):
9930 (JSC::NotEqualNode::NotEqualNode):
9931 (JSC::StrictEqualNode::StrictEqualNode):
9932 (JSC::NotStrictEqualNode::NotStrictEqualNode):
9933 (JSC::BitAndNode::BitAndNode):
9934 (JSC::BitOrNode::BitOrNode):
9935 (JSC::BitXOrNode::BitXOrNode):
9936 (JSC::LogicalOpNode::LogicalOpNode):
9937 (JSC::ConditionalNode::ConditionalNode):
9938 (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
9939 (JSC::AssignResolveNode::AssignResolveNode):
9940 (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
9941 (JSC::AssignBracketNode::AssignBracketNode):
9942 (JSC::AssignDotNode::AssignDotNode):
9943 (JSC::ReadModifyDotNode::ReadModifyDotNode):
9944 (JSC::AssignErrorNode::AssignErrorNode):
9945 (JSC::CommaNode::CommaNode):
9946 (JSC::ConstStatementNode::ConstStatementNode):
9947 (JSC::EmptyStatementNode::EmptyStatementNode):
9948 (JSC::DebuggerStatementNode::DebuggerStatementNode):
9949 (JSC::ExprStatementNode::ExprStatementNode):
9950 (JSC::VarStatementNode::VarStatementNode):
9951 (JSC::IfNode::IfNode):
9952 (JSC::IfElseNode::IfElseNode):
9953 (JSC::DoWhileNode::DoWhileNode):
9954 (JSC::WhileNode::WhileNode):
9955 (JSC::ForNode::ForNode):
9956 (JSC::ContinueNode::ContinueNode):
9957 (JSC::BreakNode::BreakNode):
9958 (JSC::ReturnNode::ReturnNode):
9959 (JSC::WithNode::WithNode):
9960 (JSC::LabelNode::LabelNode):
9961 (JSC::ThrowNode::ThrowNode):
9962 (JSC::TryNode::TryNode):
9963 (JSC::FuncExprNode::FuncExprNode):
9964 (JSC::FuncDeclNode::FuncDeclNode):
9965 (JSC::SwitchNode::SwitchNode):
9966 (JSC::ConstDeclNode::ConstDeclNode):
9967 (JSC::BlockNode::BlockNode):
9968 (JSC::ForInNode::ForInNode):
9969 * parser/Nodes.cpp:
9970 (JSC):
9971 (JSC::StatementNode::setLoc):
9972 (JSC::ScopeNode::ScopeNode):
9973 (JSC::ProgramNode::ProgramNode):
9974 (JSC::ProgramNode::create):
9975 (JSC::EvalNode::EvalNode):
9976 (JSC::EvalNode::create):
9977 (JSC::FunctionBodyNode::FunctionBodyNode):
9978 (JSC::FunctionBodyNode::create):
9979 * parser/Nodes.h:
9980 (Node):
9981 (ExpressionNode):
9982 (StatementNode):
9983 (NullNode):
9984 (BooleanNode):
9985 (NumberNode):
9986 (StringNode):
9987 (RegExpNode):
9988 (ThisNode):
9989 (ResolveNode):
9990 (ArrayNode):
9991 (PropertyListNode):
9992 (ObjectLiteralNode):
9993 (BracketAccessorNode):
9994 (DotAccessorNode):
9995 (ArgumentListNode):
9996 (NewExprNode):
9997 (EvalFunctionCallNode):
9998 (FunctionCallValueNode):
9999 (FunctionCallResolveNode):
10000 (FunctionCallBracketNode):
10001 (FunctionCallDotNode):
10002 (CallFunctionCallDotNode):
10003 (ApplyFunctionCallDotNode):
10004 (PrePostResolveNode):
10005 (PostfixResolveNode):
10006 (PostfixBracketNode):
10007 (PostfixDotNode):
10008 (PostfixErrorNode):
10009 (DeleteResolveNode):
10010 (DeleteBracketNode):
10011 (DeleteDotNode):
10012 (DeleteValueNode):
10013 (VoidNode):
10014 (TypeOfResolveNode):
10015 (TypeOfValueNode):
10016 (PrefixResolveNode):
10017 (PrefixBracketNode):
10018 (PrefixDotNode):
10019 (PrefixErrorNode):
10020 (UnaryOpNode):
10021 (UnaryPlusNode):
10022 (NegateNode):
10023 (BitwiseNotNode):
10024 (LogicalNotNode):
10025 (BinaryOpNode):
10026 (MultNode):
10027 (DivNode):
10028 (ModNode):
10029 (AddNode):
10030 (SubNode):
10031 (LeftShiftNode):
10032 (RightShiftNode):
10033 (UnsignedRightShiftNode):
10034 (LessNode):
10035 (GreaterNode):
10036 (LessEqNode):
10037 (GreaterEqNode):
10038 (ThrowableBinaryOpNode):
10039 (InstanceOfNode):
10040 (InNode):
10041 (EqualNode):
10042 (NotEqualNode):
10043 (StrictEqualNode):
10044 (NotStrictEqualNode):
10045 (BitAndNode):
10046 (BitOrNode):
10047 (BitXOrNode):
10048 (LogicalOpNode):
10049 (ConditionalNode):
10050 (ReadModifyResolveNode):
10051 (AssignResolveNode):
10052 (ReadModifyBracketNode):
10053 (AssignBracketNode):
10054 (AssignDotNode):
10055 (ReadModifyDotNode):
10056 (AssignErrorNode):
10057 (CommaNode):
10058 (ConstDeclNode):
10059 (ConstStatementNode):
10060 (BlockNode):
10061 (EmptyStatementNode):
10062 (DebuggerStatementNode):
10063 (ExprStatementNode):
10064 (VarStatementNode):
10065 (IfNode):
10066 (IfElseNode):
10067 (DoWhileNode):
10068 (WhileNode):
10069 (ForNode):
10070 (ForInNode):
10071 (ContinueNode):
10072 (BreakNode):
10073 (ReturnNode):
10074 (WithNode):
10075 (LabelNode):
10076 (ThrowNode):
10077 (TryNode):
10078 (ScopeNode):
10079 (ProgramNode):
10080 (EvalNode):
10081 (FunctionBodyNode):
10082 (FuncExprNode):
10083 (FuncDeclNode):
10084 (SwitchNode):
10085 * parser/Parser.cpp:
10086 (JSC::::parseSourceElements):
10087 (JSC::::parseVarDeclaration):
10088 (JSC::::parseConstDeclaration):
10089 (JSC::::parseDoWhileStatement):
10090 (JSC::::parseWhileStatement):
10091 (JSC::::parseVarDeclarationList):
10092 (JSC::::parseConstDeclarationList):
10093 (JSC::::parseForStatement):
10094 (JSC::::parseBreakStatement):
10095 (JSC::::parseContinueStatement):
10096 (JSC::::parseReturnStatement):
10097 (JSC::::parseThrowStatement):
10098 (JSC::::parseWithStatement):
10099 (JSC::::parseSwitchStatement):
10100 (JSC::::parseTryStatement):
10101 (JSC::::parseDebuggerStatement):
10102 (JSC::::parseBlockStatement):
10103 (JSC::::parseStatement):
10104 (JSC::::parseFunctionBody):
10105 (JSC::::parseFunctionInfo):
10106 (JSC::::parseFunctionDeclaration):
10107 (JSC::::parseExpressionOrLabelStatement):
10108 (JSC::::parseExpressionStatement):
10109 (JSC::::parseIfStatement):
10110 (JSC::::parseExpression):
10111 (JSC::::parseAssignmentExpression):
10112 (JSC::::parseConditionalExpression):
10113 (JSC::::parseBinaryExpression):
10114 (JSC::::parseProperty):
10115 (JSC::::parseObjectLiteral):
10116 (JSC::::parseStrictObjectLiteral):
10117 (JSC::::parseArrayLiteral):
10118 (JSC::::parsePrimaryExpression):
10119 (JSC::::parseArguments):
10120 (JSC::::parseMemberExpression):
10121 (JSC::::parseUnaryExpression):
10122 * parser/Parser.h:
10123 (JSC::Parser::next):
10124 (JSC::Parser::nextExpectIdentifier):
10125 (JSC::Parser::tokenStart):
10126 (JSC::Parser::tokenLine):
10127 (JSC::Parser::tokenEnd):
10128 (JSC::Parser::getTokenName):
10129 (JSC::::parse):
10130 * parser/ParserTokens.h:
10131 (JSC::JSTokenInfo::JSTokenInfo):
10132 (JSTokenInfo):
10133 (JSToken):
10134 * parser/SourceProviderCacheItem.h:
10135 (JSC::SourceProviderCacheItem::closeBraceToken):
10136 * parser/SyntaxChecker.h:
10137 (JSC::SyntaxChecker::makeFunctionCallNode):
10138 (JSC::SyntaxChecker::createCommaExpr):
10139 (JSC::SyntaxChecker::makeAssignNode):
10140 (JSC::SyntaxChecker::makePrefixNode):
10141 (JSC::SyntaxChecker::makePostfixNode):
10142 (JSC::SyntaxChecker::makeTypeOfNode):
10143 (JSC::SyntaxChecker::makeDeleteNode):
10144 (JSC::SyntaxChecker::makeNegateNode):
10145 (JSC::SyntaxChecker::makeBitwiseNotNode):
10146 (JSC::SyntaxChecker::createLogicalNot):
10147 (JSC::SyntaxChecker::createUnaryPlus):
10148 (JSC::SyntaxChecker::createVoid):
10149 (JSC::SyntaxChecker::thisExpr):
10150 (JSC::SyntaxChecker::createResolve):
10151 (JSC::SyntaxChecker::createObjectLiteral):
10152 (JSC::SyntaxChecker::createArray):
10153 (JSC::SyntaxChecker::createNumberExpr):
10154 (JSC::SyntaxChecker::createString):
10155 (JSC::SyntaxChecker::createBoolean):
10156 (JSC::SyntaxChecker::createNull):
10157 (JSC::SyntaxChecker::createBracketAccess):
10158 (JSC::SyntaxChecker::createDotAccess):
10159 (JSC::SyntaxChecker::createRegExp):
10160 (JSC::SyntaxChecker::createNewExpr):
10161 (JSC::SyntaxChecker::createConditionalExpr):
10162 (JSC::SyntaxChecker::createAssignResolve):
10163 (JSC::SyntaxChecker::createFunctionExpr):
10164 (JSC::SyntaxChecker::createFunctionBody):
10165 (JSC::SyntaxChecker::createArgumentsList):
10166 (JSC::SyntaxChecker::createPropertyList):
10167 (JSC::SyntaxChecker::createFuncDeclStatement):
10168 (JSC::SyntaxChecker::createBlockStatement):
10169 (JSC::SyntaxChecker::createExprStatement):
10170 (JSC::SyntaxChecker::createIfStatement):
10171 (JSC::SyntaxChecker::createForLoop):
10172 (JSC::SyntaxChecker::createForInLoop):
10173 (JSC::SyntaxChecker::createEmptyStatement):
10174 (JSC::SyntaxChecker::createVarStatement):
10175 (JSC::SyntaxChecker::createReturnStatement):
10176 (JSC::SyntaxChecker::createBreakStatement):
10177 (JSC::SyntaxChecker::createContinueStatement):
10178 (JSC::SyntaxChecker::createTryStatement):
10179 (JSC::SyntaxChecker::createSwitchStatement):
10180 (JSC::SyntaxChecker::createWhileStatement):
10181 (JSC::SyntaxChecker::createWithStatement):
10182 (JSC::SyntaxChecker::createDoWhileStatement):
10183 (JSC::SyntaxChecker::createLabelStatement):
10184 (JSC::SyntaxChecker::createThrowStatement):
10185 (JSC::SyntaxChecker::createDebugger):
10186 (JSC::SyntaxChecker::createConstStatement):
10187 (JSC::SyntaxChecker::appendConstDecl):
10188 (JSC::SyntaxChecker::createGetterOrSetterProperty):
10189 (JSC::SyntaxChecker::combineCommaNodes):
10190 (JSC::SyntaxChecker::operatorStackPop):
10191
101922012-08-01 Peter Wang <peter.wang@torchmobile.com.cn>
10193
10194 Web Inspector: [JSC] implement setting breakpoints by line:column
10195 https://bugs.webkit.org/show_bug.cgi?id=53003
10196
10197 Reviewed by Geoffrey Garen.
10198
10199 Add a counter in lexer to record the column of each token. Debugger will use column info
10200 in "Pretty Print" debug mode of Inspector.
10201
10202 * bytecode/Opcode.h:
10203 (JSC):
10204 (JSC::padOpcodeName):
10205 * bytecompiler/BytecodeGenerator.cpp:
10206 (JSC::BytecodeGenerator::emitDebugHook):
10207 * bytecompiler/BytecodeGenerator.h:
10208 (BytecodeGenerator):
10209 * bytecompiler/NodesCodegen.cpp:
10210 (JSC::ArrayNode::toArgumentList):
10211 (JSC::ApplyFunctionCallDotNode::emitBytecode):
10212 (JSC::ConditionalNode::emitBytecode):
10213 (JSC::ConstStatementNode::emitBytecode):
10214 (JSC::EmptyStatementNode::emitBytecode):
10215 (JSC::DebuggerStatementNode::emitBytecode):
10216 (JSC::ExprStatementNode::emitBytecode):
10217 (JSC::VarStatementNode::emitBytecode):
10218 (JSC::IfNode::emitBytecode):
10219 (JSC::IfElseNode::emitBytecode):
10220 (JSC::DoWhileNode::emitBytecode):
10221 (JSC::WhileNode::emitBytecode):
10222 (JSC::ForNode::emitBytecode):
10223 (JSC::ForInNode::emitBytecode):
10224 (JSC::ContinueNode::emitBytecode):
10225 (JSC::BreakNode::emitBytecode):
10226 (JSC::ReturnNode::emitBytecode):
10227 (JSC::WithNode::emitBytecode):
10228 (JSC::SwitchNode::emitBytecode):
10229 (JSC::LabelNode::emitBytecode):
10230 (JSC::ThrowNode::emitBytecode):
10231 (JSC::TryNode::emitBytecode):
10232 (JSC::ProgramNode::emitBytecode):
10233 (JSC::EvalNode::emitBytecode):
10234 (JSC::FunctionBodyNode::emitBytecode):
10235 * debugger/Debugger.h:
10236 * interpreter/Interpreter.cpp:
10237 (JSC::Interpreter::unwindCallFrame):
10238 (JSC::Interpreter::throwException):
10239 (JSC::Interpreter::debug):
10240 * interpreter/Interpreter.h:
10241 (Interpreter):
10242 * jit/JITOpcodes.cpp:
10243 (JSC::JIT::emit_op_debug):
10244 * jit/JITOpcodes32_64.cpp:
10245 (JSC::JIT::emit_op_debug):
10246 * jit/JITStubs.cpp:
10247 (JSC::DEFINE_STUB_FUNCTION):
10248 * llint/LLIntSlowPaths.cpp:
10249 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
10250 * parser/ASTBuilder.h:
10251 (ASTBuilder):
10252 (JSC::ASTBuilder::createCommaExpr):
10253 (JSC::ASTBuilder::createLogicalNot):
10254 (JSC::ASTBuilder::createUnaryPlus):
10255 (JSC::ASTBuilder::createVoid):
10256 (JSC::ASTBuilder::thisExpr):
10257 (JSC::ASTBuilder::createResolve):
10258 (JSC::ASTBuilder::createObjectLiteral):
10259 (JSC::ASTBuilder::createArray):
10260 (JSC::ASTBuilder::createNumberExpr):
10261 (JSC::ASTBuilder::createString):
10262 (JSC::ASTBuilder::createBoolean):
10263 (JSC::ASTBuilder::createNull):
10264 (JSC::ASTBuilder::createBracketAccess):
10265 (JSC::ASTBuilder::createDotAccess):
10266 (JSC::ASTBuilder::createRegExp):
10267 (JSC::ASTBuilder::createNewExpr):
10268 (JSC::ASTBuilder::createConditionalExpr):
10269 (JSC::ASTBuilder::createAssignResolve):
10270 (JSC::ASTBuilder::createFunctionExpr):
10271 (JSC::ASTBuilder::createFunctionBody):
10272 (JSC::ASTBuilder::createGetterOrSetterProperty):
10273 (JSC::ASTBuilder::createArgumentsList):
10274 (JSC::ASTBuilder::createPropertyList):
10275 (JSC::ASTBuilder::createFuncDeclStatement):
10276 (JSC::ASTBuilder::createBlockStatement):
10277 (JSC::ASTBuilder::createExprStatement):
10278 (JSC::ASTBuilder::createIfStatement):
10279 (JSC::ASTBuilder::createForLoop):
10280 (JSC::ASTBuilder::createForInLoop):
10281 (JSC::ASTBuilder::createEmptyStatement):
10282 (JSC::ASTBuilder::createVarStatement):
10283 (JSC::ASTBuilder::createReturnStatement):
10284 (JSC::ASTBuilder::createBreakStatement):
10285 (JSC::ASTBuilder::createContinueStatement):
10286 (JSC::ASTBuilder::createTryStatement):
10287 (JSC::ASTBuilder::createSwitchStatement):
10288 (JSC::ASTBuilder::createWhileStatement):
10289 (JSC::ASTBuilder::createDoWhileStatement):
10290 (JSC::ASTBuilder::createLabelStatement):
10291 (JSC::ASTBuilder::createWithStatement):
10292 (JSC::ASTBuilder::createThrowStatement):
10293 (JSC::ASTBuilder::createDebugger):
10294 (JSC::ASTBuilder::createConstStatement):
10295 (JSC::ASTBuilder::appendConstDecl):
10296 (JSC::ASTBuilder::combineCommaNodes):
10297 (JSC::ASTBuilder::appendBinaryOperation):
10298 (JSC::ASTBuilder::createAssignment):
10299 (JSC::ASTBuilder::createNumber):
10300 (JSC::ASTBuilder::makeTypeOfNode):
10301 (JSC::ASTBuilder::makeDeleteNode):
10302 (JSC::ASTBuilder::makeNegateNode):
10303 (JSC::ASTBuilder::makeBitwiseNotNode):
10304 (JSC::ASTBuilder::makeMultNode):
10305 (JSC::ASTBuilder::makeDivNode):
10306 (JSC::ASTBuilder::makeModNode):
10307 (JSC::ASTBuilder::makeAddNode):
10308 (JSC::ASTBuilder::makeSubNode):
10309 (JSC::ASTBuilder::makeLeftShiftNode):
10310 (JSC::ASTBuilder::makeRightShiftNode):
10311 (JSC::ASTBuilder::makeURightShiftNode):
10312 (JSC::ASTBuilder::makeBitOrNode):
10313 (JSC::ASTBuilder::makeBitAndNode):
10314 (JSC::ASTBuilder::makeBitXOrNode):
10315 (JSC::ASTBuilder::makeFunctionCallNode):
10316 (JSC::ASTBuilder::makeBinaryNode):
10317 (JSC::ASTBuilder::makeAssignNode):
10318 (JSC::ASTBuilder::makePrefixNode):
10319 (JSC::ASTBuilder::makePostfixNode):
10320 * parser/Lexer.cpp:
10321 (JSC::::setCode):
10322 (JSC::::internalShift):
10323 (JSC::::shift):
10324 (JSC::::lex):
10325 * parser/Lexer.h:
10326 (Lexer):
10327 (JSC::Lexer::currentColumnNumber):
10328 (JSC::::lexExpectIdentifier):
10329 * parser/NodeConstructors.h:
10330 (JSC::Node::Node):
10331 (JSC::ExpressionNode::ExpressionNode):
10332 (JSC::StatementNode::StatementNode):
10333 (JSC::NullNode::NullNode):
10334 (JSC::BooleanNode::BooleanNode):
10335 (JSC::NumberNode::NumberNode):
10336 (JSC::StringNode::StringNode):
10337 (JSC::RegExpNode::RegExpNode):
10338 (JSC::ThisNode::ThisNode):
10339 (JSC::ResolveNode::ResolveNode):
10340 (JSC::ArrayNode::ArrayNode):
10341 (JSC::PropertyListNode::PropertyListNode):
10342 (JSC::ObjectLiteralNode::ObjectLiteralNode):
10343 (JSC::BracketAccessorNode::BracketAccessorNode):
10344 (JSC::DotAccessorNode::DotAccessorNode):
10345 (JSC::ArgumentListNode::ArgumentListNode):
10346 (JSC::NewExprNode::NewExprNode):
10347 (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
10348 (JSC::FunctionCallValueNode::FunctionCallValueNode):
10349 (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
10350 (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
10351 (JSC::FunctionCallDotNode::FunctionCallDotNode):
10352 (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
10353 (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
10354 (JSC::PrePostResolveNode::PrePostResolveNode):
10355 (JSC::PostfixResolveNode::PostfixResolveNode):
10356 (JSC::PostfixBracketNode::PostfixBracketNode):
10357 (JSC::PostfixDotNode::PostfixDotNode):
10358 (JSC::PostfixErrorNode::PostfixErrorNode):
10359 (JSC::DeleteResolveNode::DeleteResolveNode):
10360 (JSC::DeleteBracketNode::DeleteBracketNode):
10361 (JSC::DeleteDotNode::DeleteDotNode):
10362 (JSC::DeleteValueNode::DeleteValueNode):
10363 (JSC::VoidNode::VoidNode):
10364 (JSC::TypeOfResolveNode::TypeOfResolveNode):
10365 (JSC::TypeOfValueNode::TypeOfValueNode):
10366 (JSC::PrefixResolveNode::PrefixResolveNode):
10367 (JSC::PrefixBracketNode::PrefixBracketNode):
10368 (JSC::PrefixDotNode::PrefixDotNode):
10369 (JSC::PrefixErrorNode::PrefixErrorNode):
10370 (JSC::UnaryOpNode::UnaryOpNode):
10371 (JSC::UnaryPlusNode::UnaryPlusNode):
10372 (JSC::NegateNode::NegateNode):
10373 (JSC::BitwiseNotNode::BitwiseNotNode):
10374 (JSC::LogicalNotNode::LogicalNotNode):
10375 (JSC::BinaryOpNode::BinaryOpNode):
10376 (JSC::MultNode::MultNode):
10377 (JSC::DivNode::DivNode):
10378 (JSC::ModNode::ModNode):
10379 (JSC::AddNode::AddNode):
10380 (JSC::SubNode::SubNode):
10381 (JSC::LeftShiftNode::LeftShiftNode):
10382 (JSC::RightShiftNode::RightShiftNode):
10383 (JSC::UnsignedRightShiftNode::UnsignedRightShiftNode):
10384 (JSC::LessNode::LessNode):
10385 (JSC::GreaterNode::GreaterNode):
10386 (JSC::LessEqNode::LessEqNode):
10387 (JSC::GreaterEqNode::GreaterEqNode):
10388 (JSC::ThrowableBinaryOpNode::ThrowableBinaryOpNode):
10389 (JSC::InstanceOfNode::InstanceOfNode):
10390 (JSC::InNode::InNode):
10391 (JSC::EqualNode::EqualNode):
10392 (JSC::NotEqualNode::NotEqualNode):
10393 (JSC::StrictEqualNode::StrictEqualNode):
10394 (JSC::NotStrictEqualNode::NotStrictEqualNode):
10395 (JSC::BitAndNode::BitAndNode):
10396 (JSC::BitOrNode::BitOrNode):
10397 (JSC::BitXOrNode::BitXOrNode):
10398 (JSC::LogicalOpNode::LogicalOpNode):
10399 (JSC::ConditionalNode::ConditionalNode):
10400 (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
10401 (JSC::AssignResolveNode::AssignResolveNode):
10402 (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
10403 (JSC::AssignBracketNode::AssignBracketNode):
10404 (JSC::AssignDotNode::AssignDotNode):
10405 (JSC::ReadModifyDotNode::ReadModifyDotNode):
10406 (JSC::AssignErrorNode::AssignErrorNode):
10407 (JSC::CommaNode::CommaNode):
10408 (JSC::ConstStatementNode::ConstStatementNode):
10409 (JSC::EmptyStatementNode::EmptyStatementNode):
10410 (JSC::DebuggerStatementNode::DebuggerStatementNode):
10411 (JSC::ExprStatementNode::ExprStatementNode):
10412 (JSC::VarStatementNode::VarStatementNode):
10413 (JSC::IfNode::IfNode):
10414 (JSC::IfElseNode::IfElseNode):
10415 (JSC::DoWhileNode::DoWhileNode):
10416 (JSC::WhileNode::WhileNode):
10417 (JSC::ForNode::ForNode):
10418 (JSC::ContinueNode::ContinueNode):
10419 (JSC::BreakNode::BreakNode):
10420 (JSC::ReturnNode::ReturnNode):
10421 (JSC::WithNode::WithNode):
10422 (JSC::LabelNode::LabelNode):
10423 (JSC::ThrowNode::ThrowNode):
10424 (JSC::TryNode::TryNode):
10425 (JSC::FuncExprNode::FuncExprNode):
10426 (JSC::FuncDeclNode::FuncDeclNode):
10427 (JSC::SwitchNode::SwitchNode):
10428 (JSC::ConstDeclNode::ConstDeclNode):
10429 (JSC::BlockNode::BlockNode):
10430 (JSC::ForInNode::ForInNode):
10431 * parser/Nodes.cpp:
10432 (JSC::StatementNode::setLoc):
10433 (JSC):
10434 (JSC::ScopeNode::ScopeNode):
10435 (JSC::ProgramNode::ProgramNode):
10436 (JSC::ProgramNode::create):
10437 (JSC::EvalNode::EvalNode):
10438 (JSC::EvalNode::create):
10439 (JSC::FunctionBodyNode::FunctionBodyNode):
10440 (JSC::FunctionBodyNode::create):
10441 * parser/Nodes.h:
10442 (Node):
10443 (JSC::Node::columnNo):
10444 (ExpressionNode):
10445 (StatementNode):
10446 (JSC::StatementNode::column):
10447 (NullNode):
10448 (BooleanNode):
10449 (NumberNode):
10450 (StringNode):
10451 (RegExpNode):
10452 (ThisNode):
10453 (ResolveNode):
10454 (ArrayNode):
10455 (PropertyListNode):
10456 (ObjectLiteralNode):
10457 (BracketAccessorNode):
10458 (DotAccessorNode):
10459 (ArgumentListNode):
10460 (NewExprNode):
10461 (EvalFunctionCallNode):
10462 (FunctionCallValueNode):
10463 (FunctionCallResolveNode):
10464 (FunctionCallBracketNode):
10465 (FunctionCallDotNode):
10466 (CallFunctionCallDotNode):
10467 (ApplyFunctionCallDotNode):
10468 (PrePostResolveNode):
10469 (PostfixResolveNode):
10470 (PostfixBracketNode):
10471 (PostfixDotNode):
10472 (PostfixErrorNode):
10473 (DeleteResolveNode):
10474 (DeleteBracketNode):
10475 (DeleteDotNode):
10476 (DeleteValueNode):
10477 (VoidNode):
10478 (TypeOfResolveNode):
10479 (TypeOfValueNode):
10480 (PrefixResolveNode):
10481 (PrefixBracketNode):
10482 (PrefixDotNode):
10483 (PrefixErrorNode):
10484 (UnaryOpNode):
10485 (UnaryPlusNode):
10486 (NegateNode):
10487 (BitwiseNotNode):
10488 (LogicalNotNode):
10489 (BinaryOpNode):
10490 (MultNode):
10491 (DivNode):
10492 (ModNode):
10493 (AddNode):
10494 (SubNode):
10495 (LeftShiftNode):
10496 (RightShiftNode):
10497 (UnsignedRightShiftNode):
10498 (LessNode):
10499 (GreaterNode):
10500 (LessEqNode):
10501 (GreaterEqNode):
10502 (ThrowableBinaryOpNode):
10503 (InstanceOfNode):
10504 (InNode):
10505 (EqualNode):
10506 (NotEqualNode):
10507 (StrictEqualNode):
10508 (NotStrictEqualNode):
10509 (BitAndNode):
10510 (BitOrNode):
10511 (BitXOrNode):
10512 (LogicalOpNode):
10513 (ConditionalNode):
10514 (ReadModifyResolveNode):
10515 (AssignResolveNode):
10516 (ReadModifyBracketNode):
10517 (AssignBracketNode):
10518 (AssignDotNode):
10519 (ReadModifyDotNode):
10520 (AssignErrorNode):
10521 (CommaNode):
10522 (ConstDeclNode):
10523 (ConstStatementNode):
10524 (BlockNode):
10525 (EmptyStatementNode):
10526 (DebuggerStatementNode):
10527 (ExprStatementNode):
10528 (VarStatementNode):
10529 (IfNode):
10530 (IfElseNode):
10531 (DoWhileNode):
10532 (WhileNode):
10533 (ForNode):
10534 (ForInNode):
10535 (ContinueNode):
10536 (BreakNode):
10537 (ReturnNode):
10538 (WithNode):
10539 (LabelNode):
10540 (ThrowNode):
10541 (TryNode):
10542 (ScopeNode):
10543 (ProgramNode):
10544 (EvalNode):
10545 (FunctionBodyNode):
10546 (FuncExprNode):
10547 (FuncDeclNode):
10548 (SwitchNode):
10549 * parser/Parser.cpp:
10550 (JSC::::parseSourceElements):
10551 (JSC::::parseVarDeclaration):
10552 (JSC::::parseConstDeclaration):
10553 (JSC::::parseDoWhileStatement):
10554 (JSC::::parseWhileStatement):
10555 (JSC::::parseVarDeclarationList):
10556 (JSC::::parseConstDeclarationList):
10557 (JSC::::parseForStatement):
10558 (JSC::::parseBreakStatement):
10559 (JSC::::parseContinueStatement):
10560 (JSC::::parseReturnStatement):
10561 (JSC::::parseThrowStatement):
10562 (JSC::::parseWithStatement):
10563 (JSC::::parseSwitchStatement):
10564 (JSC::::parseTryStatement):
10565 (JSC::::parseDebuggerStatement):
10566 (JSC::::parseBlockStatement):
10567 (JSC::::parseStatement):
10568 (JSC::::parseFunctionBody):
10569 (JSC::::parseFunctionInfo):
10570 (JSC::::parseFunctionDeclaration):
10571 (JSC::::parseExpressionOrLabelStatement):
10572 (JSC::::parseExpressionStatement):
10573 (JSC::::parseIfStatement):
10574 (JSC::::parseExpression):
10575 (JSC::::parseAssignmentExpression):
10576 (JSC::::parseConditionalExpression):
10577 (JSC::::parseBinaryExpression):
10578 (JSC::::parseProperty):
10579 (JSC::::parseObjectLiteral):
10580 (JSC::::parseStrictObjectLiteral):
10581 (JSC::::parseArrayLiteral):
10582 (JSC::::parsePrimaryExpression):
10583 (JSC::::parseArguments):
10584 (JSC::::parseMemberExpression):
10585 (JSC::::parseUnaryExpression):
10586 * parser/Parser.h:
10587 (JSC::Parser::next):
10588 (JSC::Parser::nextExpectIdentifier):
10589 (JSC::Parser::tokenStart):
10590 (JSC::Parser::tokenLine):
10591 (JSC::Parser::tokenEnd):
10592 (JSC::Parser::tokenLocation):
10593 (Parser):
10594 (JSC::Parser::getTokenName):
10595 (JSC::::parse):
10596 * parser/ParserTokens.h:
10597 (JSC::JSTokenLocation::JSTokenLocation):
10598 (JSTokenLocation):
10599 (JSToken):
10600 * parser/SourceProviderCacheItem.h:
10601 (JSC::SourceProviderCacheItem::closeBraceToken):
10602 * parser/SyntaxChecker.h:
10603 (JSC::SyntaxChecker::makeFunctionCallNode):
10604 (JSC::SyntaxChecker::createCommaExpr):
10605 (JSC::SyntaxChecker::makeAssignNode):
10606 (JSC::SyntaxChecker::makePrefixNode):
10607 (JSC::SyntaxChecker::makePostfixNode):
10608 (JSC::SyntaxChecker::makeTypeOfNode):
10609 (JSC::SyntaxChecker::makeDeleteNode):
10610 (JSC::SyntaxChecker::makeNegateNode):
10611 (JSC::SyntaxChecker::makeBitwiseNotNode):
10612 (JSC::SyntaxChecker::createLogicalNot):
10613 (JSC::SyntaxChecker::createUnaryPlus):
10614 (JSC::SyntaxChecker::createVoid):
10615 (JSC::SyntaxChecker::thisExpr):
10616 (JSC::SyntaxChecker::createResolve):
10617 (JSC::SyntaxChecker::createObjectLiteral):
10618 (JSC::SyntaxChecker::createArray):
10619 (JSC::SyntaxChecker::createNumberExpr):
10620 (JSC::SyntaxChecker::createString):
10621 (JSC::SyntaxChecker::createBoolean):
10622 (JSC::SyntaxChecker::createNull):
10623 (JSC::SyntaxChecker::createBracketAccess):
10624 (JSC::SyntaxChecker::createDotAccess):
10625 (JSC::SyntaxChecker::createRegExp):
10626 (JSC::SyntaxChecker::createNewExpr):
10627 (JSC::SyntaxChecker::createConditionalExpr):
10628 (JSC::SyntaxChecker::createAssignResolve):
10629 (JSC::SyntaxChecker::createFunctionExpr):
10630 (JSC::SyntaxChecker::createFunctionBody):
10631 (JSC::SyntaxChecker::createArgumentsList):
10632 (JSC::SyntaxChecker::createPropertyList):
10633 (JSC::SyntaxChecker::createFuncDeclStatement):
10634 (JSC::SyntaxChecker::createBlockStatement):
10635 (JSC::SyntaxChecker::createExprStatement):
10636 (JSC::SyntaxChecker::createIfStatement):
10637 (JSC::SyntaxChecker::createForLoop):
10638 (JSC::SyntaxChecker::createForInLoop):
10639 (JSC::SyntaxChecker::createEmptyStatement):
10640 (JSC::SyntaxChecker::createVarStatement):
10641 (JSC::SyntaxChecker::createReturnStatement):
10642 (JSC::SyntaxChecker::createBreakStatement):
10643 (JSC::SyntaxChecker::createContinueStatement):
10644 (JSC::SyntaxChecker::createTryStatement):
10645 (JSC::SyntaxChecker::createSwitchStatement):
10646 (JSC::SyntaxChecker::createWhileStatement):
10647 (JSC::SyntaxChecker::createWithStatement):
10648 (JSC::SyntaxChecker::createDoWhileStatement):
10649 (JSC::SyntaxChecker::createLabelStatement):
10650 (JSC::SyntaxChecker::createThrowStatement):
10651 (JSC::SyntaxChecker::createDebugger):
10652 (JSC::SyntaxChecker::createConstStatement):
10653 (JSC::SyntaxChecker::appendConstDecl):
10654 (JSC::SyntaxChecker::createGetterOrSetterProperty):
10655 (JSC::SyntaxChecker::combineCommaNodes):
10656 (JSC::SyntaxChecker::operatorStackPop):
10657
106582012-08-01 Filip Pizlo <fpizlo@apple.com>
10659
10660 DFG should hoist structure checks
10661 https://bugs.webkit.org/show_bug.cgi?id=92696
10662
10663 Reviewed by Gavin Barraclough.
10664
10665 This hoists structure checks in the same way that we would hoist array checks, but with added
10666 complexity to cope with the fact that the structure of an object may change. This is handled
10667 by performing a side effects analysis over the region in which the respective variable is
10668 live. If a structure clobbering side effect may happen then we either hoist the structure
10669 checks and fall back on structure transition watchpoints (if the watchpoint set is still
10670 valid), or we avoid hoisting altogether.
10671
10672 Doing this required teaching the CFA that we may have an expectation that an object has a
10673 particular structure even after structure clobbering happens, in the sense that structure
10674 proofs that were cobbered can be revived using watchpoints. CFA must know about this so that
10675 OSR entry may know about it, since we cannot allow entry to happen if the variable has a
10676 clobbered structure proof, will have a watchpoint to revive the proof, and the variable in
10677 the baseline JIT has a completely unrelated structure.
10678
10679 This is mostly performance neutral.
10680
10681 * CMakeLists.txt:
10682 * GNUmakefile.list.am:
10683 * JavaScriptCore.xcodeproj/project.pbxproj:
10684 * Target.pri:
10685 * bytecode/ValueRecovery.h:
10686 (JSC::ValueRecovery::isSet):
10687 (JSC::ValueRecovery::operator!):
10688 (ValueRecovery):
10689 * dfg/DFGAbstractState.cpp:
10690 (JSC::DFG::AbstractState::execute):
10691 (JSC::DFG::AbstractState::clobberWorld):
10692 (DFG):
10693 (JSC::DFG::AbstractState::clobberCapturedVars):
10694 * dfg/DFGAbstractState.h:
10695 (AbstractState):
10696 * dfg/DFGAbstractValue.h:
10697 (JSC::DFG::AbstractValue::clear):
10698 (JSC::DFG::AbstractValue::isClear):
10699 (JSC::DFG::AbstractValue::makeTop):
10700 (JSC::DFG::AbstractValue::isTop):
10701 (JSC::DFG::AbstractValue::set):
10702 (JSC::DFG::AbstractValue::operator==):
10703 (JSC::DFG::AbstractValue::merge):
10704 (JSC::DFG::AbstractValue::filter):
10705 (JSC::DFG::AbstractValue::validate):
10706 (JSC::DFG::AbstractValue::validateForEntry):
10707 (AbstractValue):
10708 (JSC::DFG::AbstractValue::checkConsistency):
10709 (JSC::DFG::AbstractValue::dump):
10710 * dfg/DFGByteCodeParser.cpp:
10711 (JSC::DFG::ByteCodeParser::setLocal):
10712 (JSC::DFG::ByteCodeParser::getArgument):
10713 (JSC::DFG::ByteCodeParser::setArgument):
10714 (JSC::DFG::ByteCodeParser::parseBlock):
10715 (JSC::DFG::ByteCodeParser::fixVariableAccessSpeculations):
10716 * dfg/DFGCSEPhase.cpp:
10717 (JSC::DFG::CSEPhase::checkStructureLoadElimination):
10718 (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
10719 (JSC::DFG::CSEPhase::putStructureStoreElimination):
10720 (JSC::DFG::CSEPhase::getLocalLoadElimination):
10721 (JSC::DFG::CSEPhase::performNodeCSE):
10722 * dfg/DFGDriver.cpp:
10723 (JSC::DFG::compile):
10724 * dfg/DFGGraph.cpp:
10725 (JSC::DFG::Graph::dump):
10726 * dfg/DFGGraph.h:
10727 (JSC::DFG::Graph::vote):
10728 (Graph):
10729 * dfg/DFGNode.h:
10730 (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
10731 (Node):
10732 (JSC::DFG::Node::hasStructureSet):
10733 * dfg/DFGNodeType.h:
10734 (DFG):
10735 * dfg/DFGOSREntry.cpp:
10736 (JSC::DFG::prepareOSREntry):
10737 * dfg/DFGPredictionPropagationPhase.cpp:
10738 (JSC::DFG::PredictionPropagationPhase::propagate):
10739 (PredictionPropagationPhase):
10740 (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
10741 * dfg/DFGSpeculativeJIT.h:
10742 (SpeculativeJIT):
10743 (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
10744 (JSC::DFG::SpeculativeJIT::speculationCheckWithConditionalDirection):
10745 (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecutionWithConditionalDirection):
10746 (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
10747 (JSC::DFG::SpeculateCellOperand::gpr):
10748 (SpeculateCellOperand):
10749 * dfg/DFGSpeculativeJIT32_64.cpp:
10750 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
10751 (JSC::DFG::SpeculativeJIT::compile):
10752 * dfg/DFGSpeculativeJIT64.cpp:
10753 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
10754 (JSC::DFG::SpeculativeJIT::compile):
10755 * dfg/DFGStructureCheckHoistingPhase.cpp: Added.
10756 (DFG):
10757 (StructureCheckHoistingPhase):
10758 (JSC::DFG::StructureCheckHoistingPhase::StructureCheckHoistingPhase):
10759 (JSC::DFG::StructureCheckHoistingPhase::run):
10760 (JSC::DFG::StructureCheckHoistingPhase::noticeStructureCheck):
10761 (JSC::DFG::StructureCheckHoistingPhase::noticeClobber):
10762 (JSC::DFG::StructureCheckHoistingPhase::clobber):
10763 (CheckData):
10764 (JSC::DFG::StructureCheckHoistingPhase::CheckData::CheckData):
10765 (JSC::DFG::performStructureCheckHoisting):
10766 * dfg/DFGStructureCheckHoistingPhase.h: Added.
10767 (DFG):
10768 * dfg/DFGVariableAccessData.h:
10769 (VariableAccessData):
10770 (JSC::DFG::VariableAccessData::VariableAccessData):
10771 (JSC::DFG::VariableAccessData::mergeStructureCheckHoistingFailed):
10772 (JSC::DFG::VariableAccessData::structureCheckHoistingFailed):
10773 (JSC::DFG::VariableAccessData::clearVotes):
10774 (JSC::DFG::VariableAccessData::vote):
10775 (JSC::DFG::VariableAccessData::voteRatio):
10776 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
10777 * runtime/Options.h:
10778 (JSC):
10779
107802012-08-01 Filip Pizlo <fpizlo@apple.com>
10781
10782 DFG should distinguish between PutByVal's that clobber the world and ones that don't
10783 https://bugs.webkit.org/show_bug.cgi?id=92923
10784
10785 Reviewed by Mark Hahnenberg.
10786
10787 This is performance-neutral. I also confirmed that it's neutral if we make the
10788 clobbering variant (PutByValSafe) clobber all knowledge of what is an array,
10789 which should feed nicely into work on removing uses of ClassInfo.
10790
10791 * bytecode/DFGExitProfile.h:
10792 * dfg/DFGAbstractState.cpp:
10793 (JSC::DFG::AbstractState::execute):
10794 * dfg/DFGByteCodeParser.cpp:
10795 (JSC::DFG::ByteCodeParser::parseBlock):
10796 * dfg/DFGCSEPhase.cpp:
10797 (JSC::DFG::CSEPhase::getByValLoadElimination):
10798 (JSC::DFG::CSEPhase::checkStructureLoadElimination):
10799 (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
10800 (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
10801 (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
10802 (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
10803 (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
10804 (JSC::DFG::CSEPhase::performNodeCSE):
10805 * dfg/DFGFixupPhase.cpp:
10806 (JSC::DFG::FixupPhase::fixupNode):
10807 * dfg/DFGGraph.h:
10808 (JSC::DFG::Graph::byValIsPure):
10809 (JSC::DFG::Graph::clobbersWorld):
10810 * dfg/DFGNodeType.h:
10811 (DFG):
10812 * dfg/DFGPredictionPropagationPhase.cpp:
10813 (JSC::DFG::PredictionPropagationPhase::propagate):
10814 * dfg/DFGSpeculativeJIT32_64.cpp:
10815 (JSC::DFG::SpeculativeJIT::compile):
10816 * dfg/DFGSpeculativeJIT64.cpp:
10817 (JSC::DFG::SpeculativeJIT::compile):
10818
108192012-08-01 Jian Li <jianli@chromium.org>
10820
10821 Add new CSS property "-webkit-widget-region" to expose dashboard region support for other port
10822 https://bugs.webkit.org/show_bug.cgi?id=90298
10823
10824 Reviewed by Adam Barth.
10825
10826 * Configurations/FeatureDefines.xcconfig: Add ENABLE_WIDGET_REGION define.
10827
108282012-08-01 Patrick Gansterer <paroga@webkit.org>
10829
10830 Replace WTF::getCurrentLocalTime() with GregorianDateTime::setToCurrentLocalTime()
10831 https://bugs.webkit.org/show_bug.cgi?id=92286
10832
10833 Reviewed by Geoffrey Garen.
10834
10835 Add a method to GregorianDateTime to set its values to the current locale time.
10836 Replacing all occurrences of getCurrentLocalTime with the new function allows
10837 us to remove getCurrentLocalTime in a next step.
10838
10839 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
10840
108412012-08-01 Mark Hahnenberg <mhahnenberg@apple.com>
10842
10843 C++ code should get ClassInfo from the Structure
10844 https://bugs.webkit.org/show_bug.cgi?id=92892
10845
10846 Reviewed by Geoffrey Garen.
10847
10848 In our march to remove ClassInfo from our JSCell object headers, we can switch
10849 C++ code over to grabbing the ClassInfo from the Structure since it is finally
10850 safe to do so now that Structure access is safe during finalization/destruction.
10851 The remaining JIT code changes can be done in a separate patch.
10852
10853 * heap/MarkedBlock.cpp:
10854 (JSC::MarkedBlock::callDestructor): We don't want to clear the Structure any more
10855 since the Structure should still be valid at this point.
10856 * heap/WeakSetInlines.h:
10857 (JSC::WeakBlock::finalize): Ditto.
10858 * runtime/JSCell.h:
10859 (JSC):
10860 * runtime/Structure.h:
10861 (JSC::JSCell::classInfo): Move JSCell's classInfo() to Structure.h so it can be
10862 inline. Use a different method of getting the JSCell's Structure based on
10863 whether we're in GC_VALIDATION mode or not, since always using get() will cause
10864 infinite recursion in GC_VALIDATION mode.
10865 (JSC):
10866
108672012-07-31 Mark Hahnenberg <mhahnenberg@apple.com>
10868
10869 MarkedBlock::sweep() should sweep another block if it can't sweep a Structure block
10870 https://bugs.webkit.org/show_bug.cgi?id=92819
10871
10872 Reviewed by Geoffrey Garen.
10873
10874 If we are forced to allocate a new block for Structures because we are unable to safely
10875 sweep our pre-existing Structure blocks, we should sweep another random block so that we
10876 can start sweeping Structure blocks sooner.
10877
10878 * heap/IncrementalSweeper.cpp:
10879 (JSC::IncrementalSweeper::doSweep): Change to use sweepNextBlock.
10880 (JSC):
10881 (JSC::IncrementalSweeper::sweepNextBlock):
10882 * heap/IncrementalSweeper.h:
10883 (IncrementalSweeper):
10884 * heap/MarkedAllocator.cpp:
10885 (JSC::MarkedAllocator::tryAllocateHelper): When we can't safely sweep
10886 our Structure blocks, call sweepNextBlock instead.
10887
108882012-07-31 Sam Weinig <sam@webkit.org>
10889
10890 Fix the Windows build.
10891
10892 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
10893
108942012-07-31 Geoffrey Garen <ggaren@apple.com>
10895
10896 Maybe fix the GCC build.
10897
10898 * heap/HeapBlock.h:
10899 (HeapBlock): Accommodate incorrect parsing in GCC.
10900
109012012-07-31 Sam Weinig <sam@webkit.org>
10902
10903 Stop masking 8 bits off of the visited link hash. We need all the bits!
10904 https://bugs.webkit.org/show_bug.cgi?id=92799
10905
10906 Reviewed by Anders Carlsson.
10907
10908 * runtime/Identifier.cpp:
10909 (JSC::IdentifierCStringTranslator::hash):
10910 (JSC::IdentifierLCharFromUCharTranslator::hash):
10911 * runtime/Identifier.h:
10912 (JSC::IdentifierCharBufferTranslator::hash):
10913 Update for new function names.
10914
109152012-07-31 Geoffrey Garen <ggaren@apple.com>
10916
10917 Maybe break the Windows build.
10918
10919 Reviewed by Anders Carlsson.
10920
10921 Formally objected to by Sam Weinig.
10922
10923 * heap/HeapBlock.h:
10924 (HeapBlock): Try to slightly improve this because we don't want Windows to control our lives.
10925
109262012-07-30 Mark Hahnenberg <mhahnenberg@apple.com>
10927
10928 Structures should be swept after all other objects
10929 https://bugs.webkit.org/show_bug.cgi?id=92679
10930
10931 Reviewed by Filip Pizlo.
10932
10933 In order to get rid of ClassInfo from our objects, we need to be able to safely get the
10934 ClassInfo during the destruction of objects. We'd like to get the ClassInfo out of the
10935 Structure, but currently it is not safe to do so because the order of destruction of objects
10936 is not guaranteed to sweep objects before their corresponding Structure. We can fix this by
10937 sweeping Structures after everything else.
10938
10939 * heap/Heap.cpp:
10940 (JSC::Heap::isSafeToSweepStructures): Add a function that checks if it is safe to sweep Structures.
10941 If the Heap's IncrementalSweeper member is null, that means we're shutting down this VM and it is
10942 safe to sweep structures since we'll always do Structures last anyways due to the ordering of
10943 MarkedSpace::forEachBlock.
10944 (JSC):
10945 (JSC::Heap::didStartVMShutdown): Add this intermediate function to the Heap that ~JSGlobalData now
10946 calls rather than calling the two HeapTimer objects individually. This allows the Heap to null out
10947 these pointers after it has invalidated them to prevent accidental use-after-free in the sweep()
10948 calls during lastChanceToFinalize().
10949 * heap/Heap.h:
10950 (Heap):
10951 * heap/HeapTimer.h:
10952 (HeapTimer):
10953 * heap/IncrementalSweeper.cpp:
10954 (JSC::IncrementalSweeper::structuresCanBeSwept): Determines if it is currently safe to sweep Structures.
10955 This decision is based on whether we have gotten to the end of the vector of blocks that need sweeping
10956 the first time.
10957 (JSC):
10958 (JSC::IncrementalSweeper::doSweep): We add a second pass over the vector to sweep Structures after we
10959 make our first pass. We now null out the slots as we sweep them so that we can quickly find the
10960 Structures during the second pass.
10961 (JSC::IncrementalSweeper::startSweeping): Initialize our new Structure sweeping index.
10962 (JSC::IncrementalSweeper::willFinishSweeping): Callback that is called by MarkedSpace::sweep to notify
10963 the IncrementalSweeper that we are going to sweep all of the remaining blocks in the Heap so it can
10964 assume that everything is taken care of in the correct order. Since MarkedSpace::forEachBlock
10965 iterates over the Structure blocks after all other blocks, the ordering property for sweeping Structures holds.
10966 (JSC::IncrementalSweeper::IncrementalSweeper): Initialize Structure sweeping index.
10967 * heap/IncrementalSweeper.h: Add declarations for new stuff.
10968 (IncrementalSweeper):
10969 * heap/MarkedAllocator.cpp:
10970 (JSC::MarkedAllocator::tryAllocateHelper): We now check if the current block only contains structures and
10971 if so and it isn't safe to sweep Structures according to the Heap, we just return early instead of doing
10972 the normal lazy sweep. If this proves to be too much of a waste in the future we can add an extra clause that
10973 will sweep some number of other blocks in place of the current block to mitigate the cost of the floating
10974 Structure garbage.
10975 (JSC::MarkedAllocator::addBlock):
10976 * heap/MarkedAllocator.h:
10977 (JSC::MarkedAllocator::zapFreeList): When we zap the free list in the MarkedAllocator, the current block is no
10978 longer valid to allocate from, so we set the current block to null.
10979 * heap/MarkedBlock.cpp:
10980 (JSC::MarkedBlock::sweepHelper): Added a couple assertions to make sure that we weren't trying to sweep Structures
10981 at an unsafe time.
10982 * heap/MarkedSpace.cpp:
10983 (JSC::MarkedSpace::sweep): Notify the IncrementalSweeper that the MarkedSpace will finish all currently remaining sweeping.
10984 (JSC):
10985 * heap/MarkedSpace.h:
10986 (JSC):
10987 * runtime/JSGlobalData.cpp:
10988 (JSC::JSGlobalData::~JSGlobalData): Call the new Heap::didStartVMShutdown.
10989
109902012-07-31 Geoffrey Garen <ggaren@apple.com>
10991
10992 Fix all the other builds I just broke. Maybe fix the Windows build.
10993
10994 * heap/HeapBlock.h:
10995 (HeapBlock): WTF?
10996
109972012-07-31 Geoffrey Garen <ggaren@apple.com>
10998
10999 Maybe fix the Windows build.
11000
11001 * heap/HeapBlock.h:
11002 (HeapBlock): WTF?
11003
110042012-07-31 Geoffrey Garen <ggaren@apple.com>
11005
11006 Maybe fix the Windows build.
11007
11008 * heap/HeapBlock.h:
11009 (HeapBlock): WTF?
11010
110112012-07-31 Geoffrey Garen <ggaren@apple.com>
11012
11013 Removed some public data and casting from the Heap
11014 https://bugs.webkit.org/show_bug.cgi?id=92777
11015
11016 Reviewed by Oliver Hunt.
11017
11018 * heap/BlockAllocator.cpp:
11019 (JSC::BlockAllocator::releaseFreeBlocks):
11020 (JSC::BlockAllocator::blockFreeingThreadMain): Use the DeadBlock class
11021 since HeapBlock is a template, and not a class, now. Call destroy()
11022 instead of monkeying around with DeadBlock's internal data because
11023 encapsulation is good.
11024
11025 * heap/BlockAllocator.h:
11026 (DeadBlock): Added a class to represent a dead block, since HeapBlock is
11027 a template now, and can't be instantiated directly.
11028
11029 (JSC::DeadBlock::DeadBlock):
11030 (JSC::DeadBlock::create):
11031 (BlockAllocator):
11032 (JSC::BlockAllocator::allocate):
11033 (JSC::BlockAllocator::deallocate): Use the DeadBlock class because
11034 encapsulation is good.
11035
11036 * heap/CopiedBlock.h:
11037 (CopiedBlock::destroy): No need for a destroy() function, since we
11038 inherit one now.
11039
11040 (JSC::CopiedBlock::CopiedBlock):
11041 (JSC::CopiedBlock::payloadEnd):
11042 (JSC::CopiedBlock::capacity): Updated for some encapsulation inside
11043 HeapBlock.
11044
11045 * heap/CopiedSpace.cpp:
11046 (JSC::CopiedSpace::~CopiedSpace):
11047 (JSC::CopiedSpace::doneCopying):
11048 (JSC::CopiedSpace::size):
11049 (JSC::CopiedSpace::capacity):
11050 (JSC::isBlockListPagedOut): Removed a bunch of casting. This is no longer
11051 necessary, now that our list and its nodes have the right type.
11052
11053 * heap/CopiedSpace.h: Use the right type in our data structures because
11054 it improves clarity.
11055
11056 * heap/CopiedSpaceInlineMethods.h:
11057 (JSC::CopiedSpace::startedCopying): Use swap to avoid duplicating it.
11058
11059 * heap/HeapBlock.h:
11060 (HeapBlock): Made this a class template so we can return the right type
11061 in linked list operations. Made our data private because encapsulation
11062 is good.
11063
11064 (JSC::HeapBlock::destroy): Since we know our type, we can also eliminate
11065 duplicate destroy() functions in our subclasses.
11066
11067 (JSC::HeapBlock::allocation): Added an accessor so we can hide our data.
11068 By using const, this accessor prevents clients from accidentally deleting
11069 our allocation.
11070
11071 * heap/MarkedAllocator.cpp:
11072 (JSC::MarkedAllocator::isPagedOut):
11073 (JSC::MarkedAllocator::tryAllocateHelper):
11074 (JSC::MarkedAllocator::removeBlock): Removed a bunch of casting. This is
11075 no longer necessary, now that our list and its nodes have the right type.
11076
11077 * heap/MarkedAllocator.h:
11078 (MarkedAllocator):
11079 (JSC::MarkedAllocator::reset):
11080 (JSC::MarkedAllocator::forEachBlock): Use the right type, do less casting.
11081
11082 * heap/MarkedBlock.cpp:
11083 (JSC::MarkedBlock::destroy): Removed this function because our parent
11084 class provides it for us now.
11085
11086 (JSC::MarkedBlock::MarkedBlock):
11087 * heap/MarkedBlock.h:
11088 (MarkedBlock):
11089 (JSC::MarkedBlock::capacity): Updated for encapsulation.
11090
110912012-07-31 Filip Pizlo <fpizlo@apple.com>
11092
11093 DFG OSR exit profiling has unusual oversights
11094 https://bugs.webkit.org/show_bug.cgi?id=92728
11095
11096 Reviewed by Geoffrey Garen.
11097
11098 * dfg/DFGOSRExit.cpp:
11099 (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
11100 * dfg/DFGSpeculativeJIT.h:
11101 (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
11102 * dfg/DFGSpeculativeJIT32_64.cpp:
11103 (JSC::DFG::SpeculativeJIT::compile):
11104 * dfg/DFGSpeculativeJIT64.cpp:
11105 (JSC::DFG::SpeculativeJIT::compile):
11106
111072012-07-31 Chao-ying Fu <fu@mips.com>
11108
11109 Add MIPS add32 function
11110 https://bugs.webkit.org/show_bug.cgi?id=91522
11111
11112 Reviewed by Oliver Hunt.
11113
11114 Add isCompactPtrAlignedAddressOffset.
11115 Add a new version of add32 that accepts AbsoluteAddress as inputs.
11116
11117 * assembler/MacroAssemblerMIPS.h:
11118 (JSC::MacroAssemblerMIPS::isCompactPtrAlignedAddressOffset): New.
11119 (MacroAssemblerMIPS):
11120 (JSC::MacroAssemblerMIPS::add32): Support AbsoluteAddress as inputs.
11121
111222012-07-30 Sheriff Bot <webkit.review.bot@gmail.com>
11123
11124 Unreviewed, rolling out r124123.
11125 http://trac.webkit.org/changeset/124123
11126 https://bugs.webkit.org/show_bug.cgi?id=92700
11127
11128 ASSERT crashes terminate webkit Layout tests (Requested by
11129 msaboff on #webkit).
11130
11131 * heap/Heap.cpp:
11132 * heap/Heap.h:
11133 (Heap):
11134 * heap/IncrementalSweeper.cpp:
11135 (JSC::IncrementalSweeper::doSweep):
11136 (JSC::IncrementalSweeper::startSweeping):
11137 (JSC::IncrementalSweeper::IncrementalSweeper):
11138 (JSC):
11139 * heap/IncrementalSweeper.h:
11140 (IncrementalSweeper):
11141 * heap/MarkedAllocator.cpp:
11142 (JSC::MarkedAllocator::tryAllocateHelper):
11143 (JSC::MarkedAllocator::addBlock):
11144 * heap/MarkedAllocator.h:
11145 (JSC::MarkedAllocator::zapFreeList):
11146 * heap/MarkedBlock.cpp:
11147 (JSC::MarkedBlock::sweepHelper):
11148 * heap/MarkedSpace.cpp:
11149 * heap/MarkedSpace.h:
11150 (JSC::MarkedSpace::sweep):
11151 (JSC):
11152 * runtime/JSGlobalData.cpp:
11153 (JSC::JSGlobalData::~JSGlobalData):
11154
111552012-07-30 Mark Hahnenberg <mhahnenberg@apple.com>
11156
11157 Structures should be swept after all other objects
11158 https://bugs.webkit.org/show_bug.cgi?id=92679
11159
11160 Reviewed by Filip Pizlo.
11161
11162 In order to get rid of ClassInfo from our objects, we need to be able to safely get the
11163 ClassInfo during the destruction of objects. We'd like to get the ClassInfo out of the
11164 Structure, but currently it is not safe to do so because the order of destruction of objects
11165 is not guaranteed to sweep objects before their corresponding Structure. We can fix this by
11166 sweeping Structures after everything else.
11167
11168 * heap/Heap.cpp:
11169 (JSC::Heap::isSafeToSweepStructures): Add a function that checks if it is safe to sweep Structures.
11170 If the Heap's IncrementalSweeper member is null, that means we're shutting down this VM and it is
11171 safe to sweep structures since we'll always do Structures last anyways due to the ordering of
11172 MarkedSpace::forEachBlock.
11173 (JSC):
11174 (JSC::Heap::didStartVMShutdown): Add this intermediate function to the Heap that ~JSGlobalData now
11175 calls rather than calling the two HeapTimer objects individually. This allows the Heap to null out
11176 these pointers after it has invalidated them to prevent accidental use-after-free in the sweep()
11177 calls during lastChanceToFinalize().
11178 * heap/Heap.h:
11179 (Heap):
11180 * heap/HeapTimer.h:
11181 (HeapTimer):
11182 * heap/IncrementalSweeper.cpp:
11183 (JSC::IncrementalSweeper::structuresCanBeSwept): Determines if it is currently safe to sweep Structures.
11184 This decision is based on whether we have gotten to the end of the vector of blocks that need sweeping
11185 the first time.
11186 (JSC):
11187 (JSC::IncrementalSweeper::doSweep): We add a second pass over the vector to sweep Structures after we
11188 make our first pass. We now null out the slots as we sweep them so that we can quickly find the
11189 Structures during the second pass.
11190 (JSC::IncrementalSweeper::startSweeping): Initialize our new Structure sweeping index.
11191 (JSC::IncrementalSweeper::willFinishSweeping): Callback that is called by MarkedSpace::sweep to notify
11192 the IncrementalSweeper that we are going to sweep all of the remaining blocks in the Heap so it can
11193 assume that everything is taken care of in the correct order. Since MarkedSpace::forEachBlock
11194 iterates over the Structure blocks after all other blocks, the ordering property for sweeping Structures holds.
11195 (JSC::IncrementalSweeper::IncrementalSweeper): Initialize Structure sweeping index.
11196 * heap/IncrementalSweeper.h: Add declarations for new stuff.
11197 (IncrementalSweeper):
11198 * heap/MarkedAllocator.cpp:
11199 (JSC::MarkedAllocator::tryAllocateHelper): We now check if the current block only contains structures and
11200 if so and it isn't safe to sweep Structures according to the Heap, we just return early instead of doing
11201 the normal lazy sweep. If this proves to be too much of a waste in the future we can add an extra clause that
11202 will sweep some number of other blocks in place of the current block to mitigate the cost of the floating
11203 Structure garbage.
11204 (JSC::MarkedAllocator::addBlock):
11205 * heap/MarkedAllocator.h:
11206 (JSC::MarkedAllocator::zapFreeList): When we zap the free list in the MarkedAllocator, the current block is no
11207 longer valid to allocate from, so we set the current block to null.
11208 * heap/MarkedBlock.cpp:
11209 (JSC::MarkedBlock::sweepHelper): Added a couple assertions to make sure that we weren't trying to sweep Structures
11210 at an unsafe time.
11211 * heap/MarkedSpace.cpp:
11212 (JSC::MarkedSpace::sweep): Notify the IncrementalSweeper that the MarkedSpace will finish all currently remaining sweeping.
11213 (JSC):
11214 * heap/MarkedSpace.h:
11215 (JSC):
11216 * runtime/JSGlobalData.cpp:
11217 (JSC::JSGlobalData::~JSGlobalData): Call the new Heap::didStartVMShutdown.
11218
112192012-07-29 Filip Pizlo <fpizlo@apple.com>
11220
11221 PropertyNameArray::m_shouldCache is only assigned and never used
11222 https://bugs.webkit.org/show_bug.cgi?id=92598
11223
11224 Reviewed by Dan Bernstein.
11225
11226 * runtime/PropertyNameArray.h:
11227 (JSC::PropertyNameArray::PropertyNameArray):
11228 (PropertyNameArray):
11229
112302012-07-29 Rik Cabanier <cabanier@adobe.com>
11231
11232 Add ENABLE_CSS_COMPOSITING flag
11233 https://bugs.webkit.org/show_bug.cgi?id=92553
11234
11235 Reviewed by Dirk Schulze.
11236
11237 Adds compiler flag CSS_COMPOSITING to build systems to enable CSS blending and compositing. See spec https://dvcs.w3.org/hg/FXTF/rawfile/tip/compositing/index.html
11238
11239 * Configurations/FeatureDefines.xcconfig:
11240
112412012-07-27 Mark Hahnenberg <mhahnenberg@apple.com>
11242
11243 Split functionality of MarkedAllocator::m_currentBlock
11244 https://bugs.webkit.org/show_bug.cgi?id=92550
11245
11246 Reviewed by Filip Pizlo.
11247
11248 MarkedAllocator::m_currentBlock serves two purposes right now; it indicates the block that is currently
11249 being used for allocation and the beginning of the list of blocks that need to be swept. We should split
11250 these two functionalities into two separate fields.
11251
11252 * heap/MarkedAllocator.cpp:
11253 (JSC::MarkedAllocator::tryAllocateHelper): Use m_blocksToSweep instead of m_currentBlock as the
11254 initializer/reference of the loop. Only change m_currentBlock when we know what the result will be.
11255 (JSC::MarkedAllocator::addBlock): When we add a new block we know that both m_blocksToSweep and
11256 m_currentBlock are null. In order to preserve the invariant that m_currentBlock <= m_blocksToSweep,
11257 we assign both of them to point to the new block.
11258 (JSC::MarkedAllocator::removeBlock): We need a separate check to see if the block we're removing is
11259 m_blocksToSweep and if so, advance it to the next block in the list.
11260 * heap/MarkedAllocator.h:
11261 (MarkedAllocator): Initialize m_blocksToSweep.
11262 (JSC::MarkedAllocator::MarkedAllocator):
11263 (JSC::MarkedAllocator::reset): We set m_blocksToSweep to be the head of our list. This function is called
11264 at the end of a collection, so all of the blocks in our allocator need to be swept. We need to sweep a
11265 block before we can start allocating, so m_currentBlock is set to null. We also set the freeList to
11266 the empty FreeList to emphasize the fact that we can't start allocating until we do some sweeping.
11267
112682012-07-27 Mark Hahnenberg <mhahnenberg@apple.com>
11269
11270 Increase inline storage for JSFinalObjects by one
11271 https://bugs.webkit.org/show_bug.cgi?id=92526
11272
11273 Reviewed by Geoffrey Garen.
11274
11275 Now that we've removed the inheritorID from objects, we can increase our inline storage for JSFinalObjects on
11276 64-bit platforms by 1.
11277
11278 * llint/LowLevelInterpreter.asm: Change the constant.
11279 * runtime/PropertyOffset.h: Change the constant.
11280 (JSC):
11281
112822012-07-27 Jer Noble <jer.noble@apple.com>
11283
11284 Support a rational time class for use by media elements.
11285 https://bugs.webkit.org/show_bug.cgi?id=88787
11286
11287 Re-export WTF::MediaTime from JavaScriptCore.
11288
11289 Reviewed by Eric Carlson.
11290
11291 * JavaScriptCore.order:
11292 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
11293
112942012-07-26 Filip Pizlo <fpizlo@apple.com>
11295
11296 JSObject::reallocateStorageIfNecessary is neither used nor defined
11297 https://bugs.webkit.org/show_bug.cgi?id=92417
11298
11299 Reviewed by Mark Rowe.
11300
11301 * runtime/JSObject.h:
11302 (JSObject):
11303
113042012-07-26 Mark Hahnenberg <mhahnenberg@apple.com>
11305
11306 Allocate Structures in a separate part of the Heap
11307 https://bugs.webkit.org/show_bug.cgi?id=92420
11308
11309 Reviewed by Filip Pizlo.
11310
11311 To fix our issue with destruction/finalization of Structures before their objects, we can move Structures to a separate
11312 part of the Heap that will be swept after all other objects. This first patch will just be separating Structures
11313 out into their own separate MarkedAllocator. Everything else will behave identically.
11314
11315 * heap/Heap.h: New function to allocate Structures in the Heap.
11316 (Heap):
11317 (JSC):
11318 (JSC::Heap::allocateStructure):
11319 * heap/MarkedAllocator.cpp: Pass whether or not we're allocated Structures to the MarkedBlock.
11320 (JSC::MarkedAllocator::allocateBlock):
11321 * heap/MarkedAllocator.h: Add tracking for whether or not we're allocating only Structures.
11322 (JSC::MarkedAllocator::onlyContainsStructures):
11323 (MarkedAllocator):
11324 (JSC::MarkedAllocator::MarkedAllocator):
11325 (JSC::MarkedAllocator::init):
11326 * heap/MarkedBlock.cpp: Add tracking for whether or not we're allocating only Structures. We need this to be able to
11327 distinguish the various MarkedBlock types in MarkedSpace::allocatorFor(MarkedBlock*).
11328 (JSC::MarkedBlock::create):
11329 (JSC::MarkedBlock::MarkedBlock):
11330 * heap/MarkedBlock.h:
11331 (MarkedBlock):
11332 (JSC::MarkedBlock::onlyContainsStructures):
11333 (JSC):
11334 * heap/MarkedSpace.cpp: Include the new Structure allocator in all the places that all the other allocators are used/modified.
11335 (JSC::MarkedSpace::MarkedSpace):
11336 (JSC::MarkedSpace::resetAllocators):
11337 (JSC::MarkedSpace::canonicalizeCellLivenessData):
11338 (JSC::MarkedSpace::isPagedOut):
11339 * heap/MarkedSpace.h: Add new MarkedAllocator just for Structures.
11340 (MarkedSpace):
11341 (JSC::MarkedSpace::allocatorFor):
11342 (JSC::MarkedSpace::allocateStructure):
11343 (JSC):
11344 (JSC::MarkedSpace::forEachBlock):
11345 * runtime/Structure.h: Move all of the functions that call allocateCell<Structure> down below the explicit template specialization
11346 for allocateCell<Structure>. The new inline specialization for allocateCell directly calls the allocateStructure() function in the
11347 Heap.
11348 (Structure):
11349 (JSC::Structure):
11350 (JSC):
11351 (JSC::Structure::create):
11352 (JSC::Structure::createStructure):
11353
113542012-07-26 Filip Pizlo <fpizlo@apple.com>
11355
11356 JSArray has methods that are neither used nor defined
11357 https://bugs.webkit.org/show_bug.cgi?id=92416
11358
11359 Reviewed by Simon Fraser.
11360
11361 * runtime/JSArray.h:
11362 (JSArray):
11363
113642012-07-26 Zoltan Herczeg <zherczeg@webkit.org>
11365
11366 [Qt][ARM]ARMAssembler needs buildfix afert r123417
11367 https://bugs.webkit.org/show_bug.cgi?id=92086
11368
11369 Reviewed by Csaba Osztrogonác.
11370
11371 The ARM implementation of this should be optimized code path
11372 is covered by a non-optimized code path. This patch fixes this,
11373 and adds a new function which returns with the offset range.
11374
11375 * assembler/ARMAssembler.h:
11376 (JSC::ARMAssembler::readPointer):
11377 (ARMAssembler):
11378 (JSC::ARMAssembler::repatchInt32):
11379 (JSC::ARMAssembler::repatchCompact):
11380 * assembler/MacroAssemblerARM.h:
11381 (MacroAssemblerARM):
11382 (JSC::MacroAssemblerARM::isCompactPtrAlignedAddressOffset):
11383 (JSC::MacroAssemblerARM::load32WithCompactAddressOffsetPatch):
11384
113852012-07-25 Mark Hahnenberg <mhahnenberg@apple.com>
11386
11387 Build fix for 32-bit after r123682
11388
11389 * runtime/JSObject.h: Need to pad out JSObjects on 32-bit so that they're the correct size since
11390 we only removed one 4-byte word and we need to be 8-byte aligned.
11391 (JSObject):
11392
113932012-07-25 Filip Pizlo <fpizlo@apple.com>
11394
11395 JSC GC object copying APIs should allow for greater flexibility
11396 https://bugs.webkit.org/show_bug.cgi?id=92316
11397
11398 Reviewed by Mark Hahnenberg.
11399
11400 It's now the case that visitChildren() methods can directly pin and allocate in new space during copying.
11401 They can also do the copying and marking themselves. This new API is only used for JSObjects for now.
11402
11403 * JavaScriptCore.xcodeproj/project.pbxproj:
11404 * heap/MarkStack.cpp:
11405 (JSC::SlotVisitor::allocateNewSpaceSlow):
11406 (JSC::SlotVisitor::allocateNewSpaceOrPin):
11407 (JSC):
11408 (JSC::SlotVisitor::copyAndAppend):
11409 * heap/MarkStack.h:
11410 (MarkStack):
11411 (JSC::MarkStack::appendUnbarrieredValue):
11412 (JSC):
11413 * heap/SlotVisitor.h:
11414 * heap/SlotVisitorInlineMethods.h: Added.
11415 (JSC):
11416 (JSC::SlotVisitor::checkIfShouldCopyAndPinOtherwise):
11417 (JSC::SlotVisitor::allocateNewSpace):
11418 * runtime/JSObject.cpp:
11419 (JSC::JSObject::visitOutOfLineStorage):
11420 (JSC):
11421 (JSC::JSObject::visitChildren):
11422 (JSC::JSFinalObject::visitChildren):
11423 * runtime/JSObject.h:
11424 (JSObject):
11425
114262012-07-25 Mark Hahnenberg <mhahnenberg@apple.com>
11427
11428 Remove JSObject::m_inheritorID
11429 https://bugs.webkit.org/show_bug.cgi?id=88378
11430
11431 Reviewed by Filip Pizlo.
11432
11433 This is rarely used, and not performance critical (the commonly accessed copy is cached on JSFunction),
11434 and most objects don't need an inheritorID (this value is only used if the object is used as a prototype).
11435 Instead use a private named value in the object's property storage.
11436
11437 * dfg/DFGSpeculativeJIT.h:
11438 (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject): No need m_inheritorID to initialize!
11439 * jit/JITInlineMethods.h:
11440 (JSC::JIT::emitAllocateBasicJSObject): No need m_inheritorID to initialize!
11441 * llint/LowLevelInterpreter.asm: No need m_inheritorID to initialize!
11442 * runtime/JSGlobalData.h:
11443 (JSGlobalData): Added private name 'm_inheritorIDKey'.
11444 * runtime/JSGlobalThis.cpp:
11445 (JSC::JSGlobalThis::setUnwrappedObject): resetInheritorID is now passed a JSGlobalData&.
11446 * runtime/JSObject.cpp:
11447 (JSC::JSObject::visitChildren): No m_inheritorID to be marked.
11448 (JSC::JSFinalObject::visitChildren): No m_inheritorID to be marked.
11449 (JSC::JSObject::createInheritorID): Store the newly created inheritorID in the property map. Make sure
11450 it's got the DontEnum attribute!!
11451 * runtime/JSObject.h:
11452 (JSObject):
11453 (JSC::JSObject::resetInheritorID): Remove the inheritorID from property storage.
11454 (JSC):
11455 (JSC::JSObject::inheritorID): Read the inheritorID from property storage.
11456
114572012-07-25 Caio Marcelo de Oliveira Filho <caio.oliveira@openbossa.org>
11458
11459 Create a specialized pair for use in HashMap iterators
11460 https://bugs.webkit.org/show_bug.cgi?id=92137
11461
11462 Reviewed by Ryosuke Niwa.
11463
11464 Update a couple of sites that relied on the fact that "contents" of iterators were
11465 std::pairs.
11466
11467 * profiler/Profile.cpp:
11468 (JSC): This code kept a vector of the pairs that were the "contents" of the iterators. This
11469 is changed to use a KeyValuePair. We make use HashCount's ValueType (which represents only
11470 the key) to get the proper key parameter for KeyValuePair.
11471 * tools/ProfileTreeNode.h:
11472 (ProfileTreeNode): Use HashMap::ValueType to declare the type of the contents of the hash
11473 instead of declaring it manually. This will make use of the new KeyValuePair.
11474
114752012-07-25 Patrick Gansterer <paroga@webkit.org>
11476
11477 REGRESSION(r123505): Date.getYear() returns the same as Date.getFullYear()
11478 https://bugs.webkit.org/show_bug.cgi?id=92218
11479
11480 Reviewed by Csaba Osztrogonác.
11481
11482 * runtime/DatePrototype.cpp:
11483 (JSC::dateProtoFuncGetYear): Added the missing offset of 1900 to the return value.
11484
114852012-07-24 Filip Pizlo <fpizlo@apple.com>
11486
11487 REGRESSION(r123417): It made tests assert/crash on 32 bit
11488 https://bugs.webkit.org/show_bug.cgi?id=92088
11489
11490 Reviewed by Mark Hahnenberg.
11491
11492 The pointer arithmetic was wrong, because negative numbers are hard to think about.
11493
11494 * dfg/DFGRepatch.cpp:
11495 (JSC::DFG::emitPutTransitionStub):
11496 * dfg/DFGSpeculativeJIT.cpp:
11497 (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
11498
114992012-07-24 Patrick Gansterer <paroga@webkit.org>
11500
11501 Store the full year in GregorianDateTime
11502 https://bugs.webkit.org/show_bug.cgi?id=92067
11503
11504 Reviewed by Geoffrey Garen.
11505
11506 Use the full year instead of the offset from year 1900
11507 for the year member variable of GregorianDateTime.
11508
11509 * runtime/DateConstructor.cpp:
11510 (JSC::constructDate):
11511 (JSC::dateUTC):
11512 * runtime/DateConversion.cpp:
11513 (JSC::formatDate):
11514 (JSC::formatDateUTCVariant):
11515 * runtime/DatePrototype.cpp:
11516 (JSC::formatLocaleDate):
11517 (JSC::fillStructuresUsingDateArgs):
11518 (JSC::dateProtoFuncToISOString):
11519 (JSC::dateProtoFuncGetFullYear):
11520 (JSC::dateProtoFuncGetUTCFullYear):
11521 (JSC::dateProtoFuncSetYear):
11522 * runtime/JSDateMath.cpp:
11523 (JSC::gregorianDateTimeToMS):
11524 (JSC::msToGregorianDateTime):
11525
115262012-07-24 Patrick Gansterer <paroga@webkit.org>
11527
11528 [WIN] Build fix after r123417.
11529
11530 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
11531
115322012-07-23 Patrick Gansterer <paroga@webkit.org>
11533
11534 Move GregorianDateTime from JSC to WTF namespace
11535 https://bugs.webkit.org/show_bug.cgi?id=91948
11536
11537 Reviewed by Geoffrey Garen.
11538
11539 Moving GregorianDateTime into the WTF namespace allows us to us to
11540 use it in WebCore too. The new class has the same behaviour as the
11541 old struct. Only the unused timeZone member has been removed.
11542
11543 * runtime/DateConstructor.cpp:
11544 * runtime/DateConversion.cpp:
11545 * runtime/DateConversion.h:
11546 * runtime/DateInstance.h:
11547 * runtime/DatePrototype.cpp:
11548 * runtime/JSDateMath.cpp:
11549 * runtime/JSDateMath.h:
11550
115512012-07-23 Filip Pizlo <fpizlo@apple.com>
11552
11553 Property storage should grow in reverse address direction, to support butterflies
11554 https://bugs.webkit.org/show_bug.cgi?id=91788
11555
11556 Reviewed by Geoffrey Garen.
11557
11558 Changes property storage to grow to the left, and changes the property storage pointer to point
11559 one 8-byte word (i.e. JSValue) to the right of the first value in the storage.
11560
11561 Also improved debug support somewhat, by adding a describe() function to the jsc command-line,
11562 and a slow mode of object access in LLInt.
11563
11564 * assembler/ARMv7Assembler.h:
11565 (JSC::ARMv7Assembler::repatchCompact):
11566 * assembler/MacroAssemblerARMv7.h:
11567 (MacroAssemblerARMv7):
11568 (JSC::MacroAssemblerARMv7::isCompactPtrAlignedAddressOffset):
11569 (JSC::MacroAssemblerARMv7::load32WithCompactAddressOffsetPatch):
11570 * assembler/MacroAssemblerX86Common.h:
11571 (JSC::MacroAssemblerX86Common::isCompactPtrAlignedAddressOffset):
11572 (JSC::MacroAssemblerX86Common::repatchCompact):
11573 * assembler/X86Assembler.h:
11574 (JSC::X86Assembler::repatchCompact):
11575 * bytecode/CodeBlock.cpp:
11576 (JSC::dumpStructure):
11577 * bytecode/GetByIdStatus.h:
11578 (JSC::GetByIdStatus::GetByIdStatus):
11579 * dfg/DFGOperations.cpp:
11580 * dfg/DFGOperations.h:
11581 * dfg/DFGRepatch.cpp:
11582 (JSC::DFG::tryCacheGetByID):
11583 (JSC::DFG::emitPutTransitionStub):
11584 * dfg/DFGSpeculativeJIT.cpp:
11585 (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
11586 (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
11587 * dfg/DFGSpeculativeJIT.h:
11588 (JSC::DFG::SpeculativeJIT::callOperation):
11589 * dfg/DFGSpeculativeJIT32_64.cpp:
11590 (JSC::DFG::SpeculativeJIT::compile):
11591 * dfg/DFGSpeculativeJIT64.cpp:
11592 (JSC::DFG::SpeculativeJIT::compile):
11593 * heap/ConservativeRoots.cpp:
11594 (JSC::ConservativeRoots::genericAddPointer):
11595 * heap/CopiedSpace.h:
11596 (CopiedSpace):
11597 * heap/CopiedSpaceInlineMethods.h:
11598 (JSC::CopiedSpace::pinIfNecessary):
11599 (JSC):
11600 * jit/JITPropertyAccess.cpp:
11601 (JSC::JIT::compileGetDirectOffset):
11602 * jit/JITPropertyAccess32_64.cpp:
11603 (JSC::JIT::compileGetDirectOffset):
11604 * jit/JITStubs.cpp:
11605 (JSC::JITThunks::tryCacheGetByID):
11606 * jsc.cpp:
11607 (GlobalObject::finishCreation):
11608 (functionDescribe):
11609 * llint/LLIntCommon.h:
11610 * llint/LLIntSlowPaths.cpp:
11611 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
11612 * llint/LowLevelInterpreter32_64.asm:
11613 * llint/LowLevelInterpreter64.asm:
11614 * runtime/JSObject.cpp:
11615 (JSC::JSObject::visitChildren):
11616 (JSC::JSFinalObject::visitChildren):
11617 (JSC::JSObject::growOutOfLineStorage):
11618 * runtime/JSObject.h:
11619 (JSC::JSObject::getDirectLocation):
11620 (JSC::JSObject::offsetForLocation):
11621 * runtime/JSValue.h:
11622 (JSValue):
11623 * runtime/PropertyOffset.h:
11624 (JSC::offsetInOutOfLineStorage):
11625
116262012-07-23 Filip Pizlo <fpizlo@apple.com>
11627
11628 DFG is too aggressive in performing the specific value optimization on loads
11629 https://bugs.webkit.org/show_bug.cgi?id=92034
11630
11631 Reviewed by Mark Hahnenberg.
11632
11633 This ensures that we don't do optimizations based on a structure having a specific
11634 value, if there is no way to detect that the value is despecified. This is the
11635 case for dictionaries, since despecifying a value in a dictionary does not lead to
11636 a transition and so cannot be caught by either structure checks or structure
11637 transition watchpoints.
11638
11639 * bytecode/GetByIdStatus.cpp:
11640 (JSC::GetByIdStatus::computeFromLLInt):
11641 (JSC::GetByIdStatus::computeForChain):
11642 (JSC::GetByIdStatus::computeFor):
11643 * bytecode/ResolveGlobalStatus.cpp:
11644 (JSC::computeForStructure):
11645
116462012-07-23 Filip Pizlo <fpizlo@apple.com>
11647
11648 REGRESSION(r123169): It made fast/js/dfg-inline-arguments-use-from-uninlined-code.html fail on 32 bit platforms
11649 https://bugs.webkit.org/show_bug.cgi?id=92002
11650
11651 Reviewed by Mark Hahnenberg.
11652
11653 In the process of changing the nature of local variable typing, I forgot to modify one of the places where
11654 we glue the DFG's notion of variable prediction to the runtime's notion of variable tagging.
11655
11656 * dfg/DFGSpeculativeJIT.cpp:
11657 (JSC::DFG::SpeculativeJIT::compile):
11658
116592012-07-23 Simon Fraser <simon.fraser@apple.com>
11660
11661 Part 2 of: Implement sticky positioning
11662 https://bugs.webkit.org/show_bug.cgi?id=90046
11663
11664 Reviewed by Ojan Vafai.
11665
11666 Turn on ENABLE_CSS_STICKY_POSITION.
11667
11668 * Configurations/FeatureDefines.xcconfig:
11669
116702012-07-23 Patrick Gansterer <paroga@webkit.org>
11671
11672 Move JSC::parseDate() from DateConversion to JSDateMath
11673 https://bugs.webkit.org/show_bug.cgi?id=91982
11674
11675 Reviewed by Geoffrey Garen.
11676
11677 Moveing this function into the other files removes the dependency
11678 on JSC spcific classes in DateConversion.{cpp|h}.
11679
11680 * runtime/DateConversion.cpp:
11681 * runtime/DateConversion.h:
11682 (JSC):
11683 * runtime/JSDateMath.cpp:
11684 (JSC::parseDate):
11685 (JSC):
11686 * runtime/JSDateMath.h:
11687 (JSC):
11688
116892012-07-23 Simon Fraser <simon.fraser@apple.com>
11690
11691 Part 1 of: Implement sticky positioning
11692 https://bugs.webkit.org/show_bug.cgi?id=90046
11693
11694 Reviewed by Ojan Vafai.
11695
11696 Add ENABLE_CSS_STICKY_POSITION, defaulting to off initially.
11697
11698 Sort the ENABLE_CSS lines in the file. Make sure all the flags
11699 are in FEATURE_DEFINES.
11700
11701 * Configurations/FeatureDefines.xcconfig:
11702
117032012-07-23 Yong Li <yoli@rim.com>
11704
11705 [BlackBerry] Implement GCActivityCallback with platform timer
11706 https://bugs.webkit.org/show_bug.cgi?id=90175
11707
11708 Reviewed by Rob Buis.
11709
11710 Use JSLock when performing GC to avoid assertions.
11711
11712 * runtime/GCActivityCallbackBlackBerry.cpp:
11713 (JSC::DefaultGCActivityCallback::doWork):
11714
117152012-07-23 Kent Tamura <tkent@chromium.org>
11716
11717 Rename ENABLE_METER_TAG and ENABLE_PROGRESS_TAG to ENABLE_METER_ELEMENT and ENABLE_PROGRESS_ELEMENT respectively
11718 https://bugs.webkit.org/show_bug.cgi?id=91941
11719
11720 Reviewed by Kentaro Hara.
11721
11722 A flag name for an elmement should be ENABLE_*_ELEMENT.
11723
11724 * Configurations/FeatureDefines.xcconfig:
11725
117262012-07-22 Kent Tamura <tkent@chromium.org>
11727
11728 Rename ENABLE_DETAILS to ENABLE_DETAILS_ELEMENT
11729 https://bugs.webkit.org/show_bug.cgi?id=91928
11730
11731 Reviewed by Kentaro Hara.
11732
11733 A flag name for an elmement should be ENABLE_*_ELEMENT.
11734
11735 * Configurations/FeatureDefines.xcconfig:
11736
117372012-07-21 Patrick Gansterer <paroga@webkit.org>
11738
11739 [WIN] Use GetDateFormat and GetTimeFormat instead of strftime
11740 https://bugs.webkit.org/show_bug.cgi?id=83436
11741
11742 Reviewed by Brent Fulgham.
11743
11744 The MS CRT implementation of strftime calls the same two functions.
11745 Using them directly avoids the overhead of parsing the format string and removes
11746 the dependency on strftime() for WinCE where this function does not exist.
11747
11748 * runtime/DatePrototype.cpp:
11749 (JSC::formatLocaleDate):
11750
117512012-07-20 Kent Tamura <tkent@chromium.org>
11752
11753 Rename ENABLE_DATALIST to ENABLE_DATALIST_ELEMENT
11754 https://bugs.webkit.org/show_bug.cgi?id=91846
11755
11756 Reviewed by Kentaro Hara.
11757
11758 A flag name for an elmement should be ENABLE_*_ELEMENT.
11759
11760 * Configurations/FeatureDefines.xcconfig:
11761
117622012-07-20 Han Shen <shenhan@google.com>
11763
11764 [Chromium] Compilation fails under gcc 4.7
11765 https://bugs.webkit.org/show_bug.cgi?id=90227
11766
11767 Reviewed by Tony Chang.
11768
11769 Disable warnings about c++0x compatibility in gcc newer than 4.6.
11770
11771 * JavaScriptCore.gyp/JavaScriptCore.gyp:
11772
117732012-07-18 Filip Pizlo <fpizlo@apple.com>
11774
11775 DFG cell checks should be hoisted
11776 https://bugs.webkit.org/show_bug.cgi?id=91717
11777
11778 Reviewed by Geoffrey Garen.
11779
11780 The DFG has always had the policy of hoisting array and integer checks to
11781 the point of variable assignment. Eventually, we added doubles and booleans
11782 to the mix. But cells should really be part of this as well, particularly
11783 for 32-bit where accessing a known-type variable is dramatically cheaper
11784 than accessing a variable whose types is only predicted but otherwise
11785 unproven.
11786
11787 This appears to be a definite speed-up for V8 on 32-bit, a possible speed-up
11788 for Kraken, and a possible slow-down for V8 on 64-bit (around 0.2% if at
11789 all). Any slow-downs can, and should, be addressed by making the hoisting
11790 logic cognizant of variables that are never used in a manner that requires
11791 type checks, and by sinking argument checks to the point(s) of first use.
11792
11793 To make this work I had to change some OSR machinery, and special-case the
11794 type predictions of the 'this' argument for constructors. OSR exit normally
11795 assumes that arguments are boxed, which happens to be true because the
11796 type prediction used for check hoisting is LUB'd with the type of the
11797 argument that was passed in - so either the arguments are always stored to
11798 with the full tag+payload, or if only the payload is stored then the tag
11799 matches whatever the caller would have set. But not so with the 'this'
11800 argument for constructors, which is not initialized by the caller. We
11801 could make this more precise by having argument types for OSR be inferred
11802 using similar machinery to other locals, but I figured that for this patch
11803 I should use the surgical fix.
11804
11805 * assembler/MacroAssemblerX86_64.h:
11806 (JSC::MacroAssemblerX86_64::branchTestPtr):
11807 (MacroAssemblerX86_64):
11808 * assembler/X86Assembler.h:
11809 (JSC::X86Assembler::testq_rm):
11810 (X86Assembler):
11811 * dfg/DFGAbstractState.cpp:
11812 (JSC::DFG::AbstractState::initialize):
11813 (JSC::DFG::AbstractState::execute):
11814 * dfg/DFGDriver.cpp:
11815 (JSC::DFG::compile):
11816 * dfg/DFGGraph.h:
11817 (JSC::DFG::Graph::isCreatedThisArgument):
11818 (Graph):
11819 * dfg/DFGSpeculativeJIT.cpp:
11820 (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
11821 * dfg/DFGSpeculativeJIT32_64.cpp:
11822 (JSC::DFG::SpeculativeJIT::compile):
11823 * dfg/DFGSpeculativeJIT64.cpp:
11824 (JSC::DFG::SpeculativeJIT::compile):
11825 * dfg/DFGValueSource.h:
11826 (JSC::DFG::ValueSource::forSpeculation):
11827
118282012-07-19 Filip Pizlo <fpizlo@apple.com>
11829
11830 Fast path of storage resize should be removed from property storage reallocation, since it is only useful for arrays
11831 https://bugs.webkit.org/show_bug.cgi?id=91796
11832
11833 Reviewed by Geoffrey Garen.
11834
11835 * dfg/DFGRepatch.cpp:
11836 (JSC::DFG::emitPutTransitionStub):
11837 * dfg/DFGSpeculativeJIT.cpp:
11838 (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
11839 * runtime/JSObject.cpp:
11840 (JSC::JSObject::growOutOfLineStorage):
11841
118422012-07-19 Mark Lam <mark.lam@apple.com>
11843
11844 Bug fixes and enhancements for OfflineASM annotation system.
11845 https://bugs.webkit.org/show_bug.cgi?id=91690
11846
11847 Reviewed by Filip Pizlo.
11848
11849 * offlineasm/armv7.rb: added default handling of Instruction lower().
11850 * offlineasm/asm.rb: added more support for annotations and more pretty printing.
11851 * offlineasm/ast.rb: added more support for annotations.
11852 * offlineasm/config.rb: added $preferredCommentStartColumn, simplified $enableInstrAnnotations.
11853 * offlineasm/parser.rb: added more support for annotations.
11854 * offlineasm/transform.rb: added more support for annotations.
11855 * offlineasm/x86.rb: added default handling of Instruction lower().
11856
118572012-07-19 Patrick Gansterer <paroga@webkit.org>
11858
11859 [WIN] Fix compilation of JSGlobalData.h with ENABLE(DFG_JIT)
11860 https://bugs.webkit.org/show_bug.cgi?id=91243
11861
11862 Reviewed by Geoffrey Garen.
11863
11864 Disable MSVC warning 4200 "zero-sized array in struct/union" for JSC::ScratchBuffer.
11865
11866 * runtime/JSGlobalData.h:
11867 (JSC):
11868
118692012-07-19 Mark Lam <mark.lam@apple.com>
11870
11871 Fixed broken ENABLE_JIT=0 build.
11872 https://bugs.webkit.org/show_bug.cgi?id=91725
11873
11874 Reviewed by Oliver Hunt.
11875
11876 * bytecode/Watchpoint.cpp:
11877 * heap/JITStubRoutineSet.h:
11878 (JSC):
11879 (JITStubRoutineSet):
11880 (JSC::JITStubRoutineSet::JITStubRoutineSet):
11881 (JSC::JITStubRoutineSet::~JITStubRoutineSet):
11882 (JSC::JITStubRoutineSet::add):
11883 (JSC::JITStubRoutineSet::clearMarks):
11884 (JSC::JITStubRoutineSet::mark):
11885 (JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
11886 (JSC::JITStubRoutineSet::traceMarkedStubRoutines):
11887
118882012-07-19 Kristóf Kosztyó <kkristof@inf.u-szeged.hu>
11889
11890 [Qt] Unreviewed buildfix after r123042.
11891
11892 * interpreter/Interpreter.cpp:
11893 (JSC::Interpreter::dumpRegisters):
11894
118952012-07-18 Filip Pizlo <fpizlo@apple.com>
11896
11897 DFG should emit inline code for property storage (re)allocation
11898 https://bugs.webkit.org/show_bug.cgi?id=91597
11899
11900 Reviewed by Oliver Hunt.
11901
11902 This adds two new ops to the DFG IR: AllocatePropertyStorage and
11903 ReallocatePropertyStorage. It enables these to interact properly with
11904 CSE so that a GetPropertyStorage on something for which we have
11905 obviously done a (Re)AllocatePropertyStorage will result in the
11906 GetPropertyStorage being eliminated. Other than that, the code
11907 emitted for these ops is identical to the code we were emitting in
11908 the corresponding PutById stub.
11909
11910 * dfg/DFGAbstractState.cpp:
11911 (JSC::DFG::AbstractState::execute):
11912 * dfg/DFGByteCodeParser.cpp:
11913 (JSC::DFG::ByteCodeParser::parseBlock):
11914 * dfg/DFGCSEPhase.cpp:
11915 (JSC::DFG::CSEPhase::putStructureStoreElimination):
11916 (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
11917 * dfg/DFGNode.h:
11918 (JSC::DFG::Node::hasStructureTransitionData):
11919 * dfg/DFGNodeType.h:
11920 (DFG):
11921 * dfg/DFGOperations.cpp:
11922 * dfg/DFGOperations.h:
11923 * dfg/DFGPredictionPropagationPhase.cpp:
11924 (JSC::DFG::PredictionPropagationPhase::propagate):
11925 * dfg/DFGSpeculativeJIT.cpp:
11926 (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
11927 (DFG):
11928 (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
11929 * dfg/DFGSpeculativeJIT.h:
11930 (JSC::DFG::SpeculativeJIT::callOperation):
11931 (SpeculativeJIT):
11932 * dfg/DFGSpeculativeJIT32_64.cpp:
11933 (JSC::DFG::SpeculativeJIT::compile):
11934 * dfg/DFGSpeculativeJIT64.cpp:
11935 (JSC::DFG::SpeculativeJIT::compile):
11936 * runtime/Structure.cpp:
11937 (JSC::nextOutOfLineStorageCapacity):
11938 * runtime/Structure.h:
11939 (JSC):
11940
119412012-07-16 Oliver Hunt <oliver@apple.com>
11942
11943 dumpCallFrame is broken in ToT
11944 https://bugs.webkit.org/show_bug.cgi?id=91444
11945
11946 Reviewed by Gavin Barraclough.
11947
11948 Various changes have been made to the SF calling convention, but
11949 dumpCallFrame has not been updated to reflect these changes.
11950 That resulted in both bogus information, as well as numerous
11951 assertions of sadness.
11952
11953 This patch makes dumpCallFrame actually work again and adds the
11954 wonderful feature of telling you the name of the variable that a
11955 register reflects, or what value it contains.
11956
11957 * bytecode/CodeBlock.cpp:
11958 (JSC::CodeBlock::nameForRegister):
11959 A really innefficient mechanism for finding the name of a local register.
11960 This should only ever be used by debug code so this should be okay.
11961 * bytecode/CodeBlock.h:
11962 (CodeBlock):
11963 * bytecompiler/BytecodeGenerator.cpp:
11964 (JSC::BytecodeGenerator::generate):
11965 Debug builds no longer throw away a functions symbol table, this allows
11966 us to actually perform a register# to name mapping
11967 * dfg/DFGJITCompiler.cpp:
11968 (JSC::DFG::JITCompiler::link):
11969 We weren't propogating the bytecode offset here leading to assertions
11970 in debug builds when dumping bytecode of DFG compiled code.
11971 * interpreter/Interpreter.cpp:
11972 (JSC):
11973 (JSC::Interpreter::dumpRegisters):
11974 Rework to actually be correct.
11975 (JSC::getCallerInfo):
11976 Return the byteocde offset as well now, given we have to determine it
11977 anyway.
11978 (JSC::Interpreter::getStackTrace):
11979 (JSC::Interpreter::retrieveCallerFromVMCode):
11980 * interpreter/Interpreter.h:
11981 (Interpreter):
11982 * jsc.cpp:
11983 (GlobalObject::finishCreation):
11984 (functionDumpCallFrame):
11985 Give debug builds of JSC a method for calling dumpCallFrame so we can
11986 inspect a callframe without requiring us to break in a debugger.
11987
119882012-07-18 Filip Pizlo <fpizlo@apple.com>
11989
11990 DFG 32-bit PutById transition stub storage reallocation case copies the first pointer of each JSValue instead of the whole JSValue
11991 https://bugs.webkit.org/show_bug.cgi?id=91599
11992
11993 Reviewed by Geoffrey Garen.
11994
11995 * dfg/DFGRepatch.cpp:
11996 (JSC::DFG::emitPutTransitionStub):
11997
119982012-07-17 Filip Pizlo <fpizlo@apple.com>
11999
12000 DFG 32-bit PutById transition stub passes the payload/tag arguments to a DFG operation in the wrong order
12001 https://bugs.webkit.org/show_bug.cgi?id=91576
12002
12003 Reviewed by Gavin Barraclough.
12004
12005 * dfg/DFGRepatch.cpp:
12006 (JSC::DFG::emitPutTransitionStub):
12007
120082012-07-17 Filip Pizlo <fpizlo@apple.com>
12009
12010 [Qt] REGRESSION(r122768, r122771): They broke jquery/data.html and inspector/elements/edit-dom-actions.html
12011 https://bugs.webkit.org/show_bug.cgi?id=91476
12012
12013 Reviewed by Mark Hahnenberg.
12014
12015 The 32-bit repatching code was not correctly adapted to the new world where there may not always
12016 be an available scratch register. Fixed it by ensuring that the scratch register we select does
12017 not overlap with the value tag.
12018
12019 * dfg/DFGRepatch.cpp:
12020 (JSC::DFG::generateProtoChainAccessStub):
12021 (JSC::DFG::tryCacheGetByID):
12022 (JSC::DFG::tryBuildGetByIDList):
12023 (JSC::DFG::emitPutReplaceStub):
12024
120252012-07-17 Gabor Rapcsanyi <rgabor@webkit.org>
12026
12027 Unreviewed buildfix from Zoltan Herczeg after 122768.
12028
12029 * dfg/DFGCCallHelpers.h:
12030 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
12031 (CCallHelpers):
12032
120332012-07-17 David Barr <davidbarr@chromium.org>
12034
12035 Introduce ENABLE_CSS_IMAGE_ORIENTATION compile flag
12036 https://bugs.webkit.org/show_bug.cgi?id=89055
12037
12038 Reviewed by Kent Tamura.
12039
12040 The css3-images module is at candidate recommendation.
12041 http://www.w3.org/TR/2012/CR-css3-images-20120417/#the-image-orientation
12042
12043 Add a configuration option for CSS image-orientation support, disabling it by default.
12044
12045 * Configurations/FeatureDefines.xcconfig:
12046
120472012-07-16 Filip Pizlo <fpizlo@apple.com>
12048
12049 Unreviewed, roll out 122790 because it broke the Windows build. I'm not
12050 sure what to do with exported symbols that are predicated on NDEBUG.
12051
12052 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
12053 * bytecode/CodeBlock.cpp:
12054 (JSC):
12055 * bytecode/CodeBlock.h:
12056 (CodeBlock):
12057 * bytecompiler/BytecodeGenerator.cpp:
12058 (JSC::BytecodeGenerator::generate):
12059 * dfg/DFGJITCompiler.cpp:
12060 (JSC::DFG::JITCompiler::link):
12061 * interpreter/Interpreter.cpp:
12062 (JSC):
12063 (JSC::Interpreter::dumpRegisters):
12064 (JSC::getCallerInfo):
12065 (JSC::Interpreter::getStackTrace):
12066 (JSC::Interpreter::retrieveCallerFromVMCode):
12067 * interpreter/Interpreter.h:
12068 (Interpreter):
12069 * jsc.cpp:
12070 (GlobalObject::finishCreation):
12071
120722012-07-16 Oliver Hunt <oliver@apple.com>
12073
12074 dumpCallFrame is broken in ToT
12075 https://bugs.webkit.org/show_bug.cgi?id=91444
12076
12077 Reviewed by Gavin Barraclough.
12078
12079 Various changes have been made to the SF calling convention, but
12080 dumpCallFrame has not been updated to reflect these changes.
12081 That resulted in both bogus information, as well as numerous
12082 assertions of sadness.
12083
12084 This patch makes dumpCallFrame actually work again and adds the
12085 wonderful feature of telling you the name of the variable that a
12086 register reflects, or what value it contains.
12087
12088 * bytecode/CodeBlock.cpp:
12089 (JSC::CodeBlock::nameForRegister):
12090 A really innefficient mechanism for finding the name of a local register.
12091 This should only ever be used by debug code so this should be okay.
12092 * bytecode/CodeBlock.h:
12093 (CodeBlock):
12094 * bytecompiler/BytecodeGenerator.cpp:
12095 (JSC::BytecodeGenerator::generate):
12096 Debug builds no longer throw away a functions symbol table, this allows
12097 us to actually perform a register# to name mapping
12098 * dfg/DFGJITCompiler.cpp:
12099 (JSC::DFG::JITCompiler::link):
12100 We weren't propogating the bytecode offset here leading to assertions
12101 in debug builds when dumping bytecode of DFG compiled code.
12102 * interpreter/Interpreter.cpp:
12103 (JSC):
12104 (JSC::Interpreter::dumpRegisters):
12105 Rework to actually be correct.
12106 (JSC::getCallerInfo):
12107 Return the byteocde offset as well now, given we have to determine it
12108 anyway.
12109 (JSC::Interpreter::getStackTrace):
12110 (JSC::Interpreter::retrieveCallerFromVMCode):
12111 * interpreter/Interpreter.h:
12112 (Interpreter):
12113 * jsc.cpp:
12114 (GlobalObject::finishCreation):
12115 (functionDumpCallFrame):
12116 Give debug builds of JSC a method for calling dumpCallFrame so we can
12117 inspect a callframe without requiring us to break in a debugger.
12118
121192012-07-16 Filip Pizlo <fpizlo@apple.com>
12120
12121 Unreviewed, adding forgotten files.
12122
12123 * dfg/DFGRegisterSet.h: Added.
12124 (DFG):
12125 (RegisterSet):
12126 (JSC::DFG::RegisterSet::RegisterSet):
12127 (JSC::DFG::RegisterSet::asPOD):
12128 (JSC::DFG::RegisterSet::copyInfo):
12129 (JSC::DFG::RegisterSet::set):
12130 (JSC::DFG::RegisterSet::setGPRByIndex):
12131 (JSC::DFG::RegisterSet::clear):
12132 (JSC::DFG::RegisterSet::get):
12133 (JSC::DFG::RegisterSet::getGPRByIndex):
12134 (JSC::DFG::RegisterSet::getFreeGPR):
12135 (JSC::DFG::RegisterSet::setFPRByIndex):
12136 (JSC::DFG::RegisterSet::getFPRByIndex):
12137 (JSC::DFG::RegisterSet::setByIndex):
12138 (JSC::DFG::RegisterSet::getByIndex):
12139 (JSC::DFG::RegisterSet::numberOfSetGPRs):
12140 (JSC::DFG::RegisterSet::numberOfSetFPRs):
12141 (JSC::DFG::RegisterSet::numberOfSetRegisters):
12142 (JSC::DFG::RegisterSet::setBit):
12143 (JSC::DFG::RegisterSet::clearBit):
12144 (JSC::DFG::RegisterSet::getBit):
12145 * dfg/DFGScratchRegisterAllocator.h: Added.
12146 (DFG):
12147 (ScratchRegisterAllocator):
12148 (JSC::DFG::ScratchRegisterAllocator::ScratchRegisterAllocator):
12149 (JSC::DFG::ScratchRegisterAllocator::lock):
12150 (JSC::DFG::ScratchRegisterAllocator::allocateScratch):
12151 (JSC::DFG::ScratchRegisterAllocator::allocateScratchGPR):
12152 (JSC::DFG::ScratchRegisterAllocator::allocateScratchFPR):
12153 (JSC::DFG::ScratchRegisterAllocator::didReuseRegisters):
12154 (JSC::DFG::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
12155 (JSC::DFG::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
12156 (JSC::DFG::ScratchRegisterAllocator::desiredScratchBufferSize):
12157 (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
12158 (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
12159
121602012-07-15 Filip Pizlo <fpizlo@apple.com>
12161
12162 DFG PutById transition should handle storage allocation, and inline it
12163 https://bugs.webkit.org/show_bug.cgi?id=91337
12164
12165 Reviewed by Oliver Hunt.
12166
12167 This enables the patching of DFG PutById to handle the out-of-line storage
12168 allocation case. Furthermore, it inlines out-of-line storage allocation (and
12169 reallocation) into the generated stubs.
12170
12171 To do this, this patch adds the ability to store the relevant register
12172 allocation state (i.e. the set of in-use registers) in the structure stub
12173 info so that the stub generation code can more flexibly select scratch
12174 registers: sometimes it needs none, sometimes one - or sometimes up to
12175 three. Moreover, to make the stub generation register allocation simple and
12176 maintainable, this patch introduces a reusable scratch register allocator
12177 class. This register allocator understands that some registers are in use by
12178 the main path code and so must be spilled as necessary, other registers are
12179 locked for use in the stub itself and so cannot even be spilled, while still
12180 others may be allocated for scratch purposes. A scratch register that is
12181 used must be spilled. If a register is locked, it cannot be used as a
12182 scratch register. If a register is used, it can be used as a scratch
12183 register so long as it is spilled.
12184
12185 This is a sub-1% speed-up on V8 and neutral elsewhere.
12186
12187 * GNUmakefile.list.am:
12188 * JavaScriptCore.xcodeproj/project.pbxproj:
12189 * assembler/MacroAssemblerCodeRef.h:
12190 (FunctionPtr):
12191 (JSC::FunctionPtr::FunctionPtr):
12192 * bytecode/StructureStubInfo.h:
12193 * dfg/DFGCCallHelpers.h:
12194 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
12195 (CCallHelpers):
12196 * dfg/DFGGPRInfo.h:
12197 * dfg/DFGJITCompiler.cpp:
12198 (JSC::DFG::JITCompiler::link):
12199 * dfg/DFGJITCompiler.h:
12200 (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
12201 (PropertyAccessRecord):
12202 * dfg/DFGOperations.cpp:
12203 * dfg/DFGOperations.h:
12204 * dfg/DFGRegisterBank.h:
12205 (JSC::DFG::RegisterBank::isInUse):
12206 (RegisterBank):
12207 * dfg/DFGRegisterSet.h: Added.
12208 (DFG):
12209 (RegisterSet):
12210 (JSC::DFG::RegisterSet::RegisterSet):
12211 (JSC::DFG::RegisterSet::asPOD):
12212 (JSC::DFG::RegisterSet::copyInfo):
12213 (JSC::DFG::RegisterSet::set):
12214 (JSC::DFG::RegisterSet::setGPRByIndex):
12215 (JSC::DFG::RegisterSet::clear):
12216 (JSC::DFG::RegisterSet::get):
12217 (JSC::DFG::RegisterSet::getGPRByIndex):
12218 (JSC::DFG::RegisterSet::getFreeGPR):
12219 (JSC::DFG::RegisterSet::setFPRByIndex):
12220 (JSC::DFG::RegisterSet::getFPRByIndex):
12221 (JSC::DFG::RegisterSet::setByIndex):
12222 (JSC::DFG::RegisterSet::getByIndex):
12223 (JSC::DFG::RegisterSet::numberOfSetGPRs):
12224 (JSC::DFG::RegisterSet::numberOfSetFPRs):
12225 (JSC::DFG::RegisterSet::numberOfSetRegisters):
12226 (JSC::DFG::RegisterSet::setBit):
12227 (JSC::DFG::RegisterSet::clearBit):
12228 (JSC::DFG::RegisterSet::getBit):
12229 * dfg/DFGRepatch.cpp:
12230 (JSC::DFG::generateProtoChainAccessStub):
12231 (JSC::DFG::tryCacheGetByID):
12232 (JSC::DFG::tryBuildGetByIDList):
12233 (JSC::DFG::emitPutReplaceStub):
12234 (JSC::DFG::emitPutTransitionStub):
12235 (JSC::DFG::tryCachePutByID):
12236 (JSC::DFG::tryBuildPutByIdList):
12237 * dfg/DFGScratchRegisterAllocator.h: Added.
12238 (DFG):
12239 (ScratchRegisterAllocator):
12240 (JSC::DFG::ScratchRegisterAllocator::ScratchRegisterAllocator):
12241 (JSC::DFG::ScratchRegisterAllocator::lock):
12242 (JSC::DFG::ScratchRegisterAllocator::allocateScratch):
12243 (JSC::DFG::ScratchRegisterAllocator::allocateScratchGPR):
12244 (JSC::DFG::ScratchRegisterAllocator::allocateScratchFPR):
12245 (JSC::DFG::ScratchRegisterAllocator::didReuseRegisters):
12246 (JSC::DFG::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
12247 (JSC::DFG::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
12248 (JSC::DFG::ScratchRegisterAllocator::desiredScratchBufferSize):
12249 (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
12250 (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
12251 * dfg/DFGSpeculativeJIT.h:
12252 (SpeculativeJIT):
12253 (JSC::DFG::SpeculativeJIT::usedRegisters):
12254 * dfg/DFGSpeculativeJIT32_64.cpp:
12255 (JSC::DFG::SpeculativeJIT::cachedGetById):
12256 (JSC::DFG::SpeculativeJIT::cachedPutById):
12257 (JSC::DFG::SpeculativeJIT::compile):
12258 * dfg/DFGSpeculativeJIT64.cpp:
12259 (JSC::DFG::SpeculativeJIT::cachedGetById):
12260 (JSC::DFG::SpeculativeJIT::cachedPutById):
12261 (JSC::DFG::SpeculativeJIT::compile):
12262 * heap/CopiedAllocator.h:
12263 (CopiedAllocator):
12264 (JSC::CopiedAllocator::fastPathShouldSucceed):
12265 (JSC):
12266
122672012-07-16 Patrick Gansterer <paroga@webkit.org>
12268
12269 Add dfg switch to create_jit_stubs script
12270 https://bugs.webkit.org/show_bug.cgi?id=91256
12271
12272 Reviewed by Geoffrey Garen.
12273
12274 * create_jit_stubs: Add a switch to enable or disable the generation of
12275 stub functions in #if ENABLE(DFG_JIT) conditions.
12276
122772012-07-16 Gabor Rapcsanyi <rgabor@webkit.org>
12278
12279 Unreviewed buildfix after r122729. Typo fix.
12280
12281 * assembler/MacroAssemblerARM.h:
12282 (JSC::MacroAssemblerARM::add32):
12283
122842012-07-16 Gabor Rapcsanyi <rgabor@webkit.org>
12285
12286 Unreviewed buildfix from Zoltan Herczeg after r122677.
12287 Implement missing add32 function to MacroAssemblerARM.
12288
12289 * assembler/MacroAssemblerARM.h:
12290 (JSC::MacroAssemblerARM::add32):
12291 (MacroAssemblerARM):
12292
122932012-07-14 Filip Pizlo <fpizlo@apple.com>
12294
12295 DFG PutByVal opcodes should accept more than 3 operands
12296 https://bugs.webkit.org/show_bug.cgi?id=91332
12297
12298 Reviewed by Oliver Hunt.
12299
12300 Turned PutByVal/PutByValAlias into var-arg nodes, so that we can give them
12301 4 or more operands in the future.
12302
12303 * dfg/DFGAbstractState.cpp:
12304 (JSC::DFG::AbstractState::execute):
12305 * dfg/DFGByteCodeParser.cpp:
12306 (JSC::DFG::ByteCodeParser::parseBlock):
12307 * dfg/DFGCSEPhase.cpp:
12308 (JSC::DFG::CSEPhase::getByValLoadElimination):
12309 (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
12310 (JSC::DFG::CSEPhase::performNodeCSE):
12311 * dfg/DFGFixupPhase.cpp:
12312 (JSC::DFG::FixupPhase::fixupNode):
12313 (JSC::DFG::FixupPhase::fixDoubleEdge):
12314 * dfg/DFGGraph.h:
12315 (JSC::DFG::Graph::byValIsPure):
12316 (JSC::DFG::Graph::varArgNumChildren):
12317 (Graph):
12318 (JSC::DFG::Graph::numChildren):
12319 (JSC::DFG::Graph::varArgChild):
12320 (JSC::DFG::Graph::child):
12321 * dfg/DFGNodeType.h:
12322 (DFG):
12323 * dfg/DFGPredictionPropagationPhase.cpp:
12324 (JSC::DFG::PredictionPropagationPhase::propagate):
12325 * dfg/DFGSpeculativeJIT.cpp:
12326 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
12327 (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
12328 * dfg/DFGSpeculativeJIT32_64.cpp:
12329 (JSC::DFG::SpeculativeJIT::compile):
12330 * dfg/DFGSpeculativeJIT64.cpp:
12331 (JSC::DFG::SpeculativeJIT::compile):
12332
123332012-07-14 Filip Pizlo <fpizlo@apple.com>
12334
12335 Rationalize and optimize storage allocation
12336 https://bugs.webkit.org/show_bug.cgi?id=91303
12337
12338 Reviewed by Oliver Hunt.
12339
12340 This implements a backwards bump allocator for copied space storage
12341 allocation, shown in pseudo-code below:
12342
12343 pointer bump(size) {
12344 pointer tmp = allocator->remaining;
12345 tmp -= size;
12346 if (tmp < 0)
12347 fail;
12348 allocator->remaining = tmp;
12349 return allocator->payloadEnd - tmp - size;
12350 }
12351
12352 The advantage of this allocator is that it:
12353
12354 - Only requires one comparison in the common case where size is known to
12355 not be huge, and this comparison can be done by checking the sign bit
12356 of the subtraction.
12357
12358 - Can be implemented even when only one register is available. This
12359 register is reused for both temporary storage during allocation and
12360 for the result.
12361
12362 - Preserves the behavior that memory in a block is filled in from lowest
12363 address to highest address, which allows for a cheap reallocation fast
12364 path.
12365
12366 - Is resilient against the block used for allocation being the last one
12367 in virtual memory, thereby otherwise leading to the risk of overflow
12368 in the bump pointer, despite only doing one branch.
12369
12370 In order to implement this allocator using the smallest possible chunk
12371 of code, I refactored the copied space code so that all of the allocation
12372 logic is in CopiedAllocator, and all of the state is in either
12373 CopiedBlock or CopiedAllocator. This should make changing the allocation
12374 fast path easier in the future.
12375
12376 In order to do this, I needed to add some new assembler support,
12377 particularly for various forms of add(address, register) and negPtr().
12378
12379 This is performance neutral. The purpose of this change is to facilitate
12380 further inlining of storage allocation without having to reserve
12381 additional registers or emit too much code.
12382
12383 * assembler/MacroAssembler.h:
12384 (JSC::MacroAssembler::addPtr):
12385 (MacroAssembler):
12386 (JSC::MacroAssembler::negPtr):
12387 * assembler/MacroAssemblerARMv7.h:
12388 (MacroAssemblerARMv7):
12389 (JSC::MacroAssemblerARMv7::add32):
12390 * assembler/MacroAssemblerX86.h:
12391 (JSC::MacroAssemblerX86::add32):
12392 (MacroAssemblerX86):
12393 * assembler/MacroAssemblerX86_64.h:
12394 (MacroAssemblerX86_64):
12395 (JSC::MacroAssemblerX86_64::addPtr):
12396 (JSC::MacroAssemblerX86_64::negPtr):
12397 * assembler/X86Assembler.h:
12398 (X86Assembler):
12399 (JSC::X86Assembler::addl_mr):
12400 (JSC::X86Assembler::addq_mr):
12401 (JSC::X86Assembler::negq_r):
12402 * heap/CopiedAllocator.h:
12403 (CopiedAllocator):
12404 (JSC::CopiedAllocator::isValid):
12405 (JSC::CopiedAllocator::CopiedAllocator):
12406 (JSC::CopiedAllocator::tryAllocate):
12407 (JSC):
12408 (JSC::CopiedAllocator::tryReallocate):
12409 (JSC::CopiedAllocator::forceAllocate):
12410 (JSC::CopiedAllocator::resetCurrentBlock):
12411 (JSC::CopiedAllocator::setCurrentBlock):
12412 (JSC::CopiedAllocator::currentCapacity):
12413 * heap/CopiedBlock.h:
12414 (CopiedBlock):
12415 (JSC::CopiedBlock::create):
12416 (JSC::CopiedBlock::zeroFillWilderness):
12417 (JSC::CopiedBlock::CopiedBlock):
12418 (JSC::CopiedBlock::payloadEnd):
12419 (JSC):
12420 (JSC::CopiedBlock::payloadCapacity):
12421 (JSC::CopiedBlock::data):
12422 (JSC::CopiedBlock::dataEnd):
12423 (JSC::CopiedBlock::dataSize):
12424 (JSC::CopiedBlock::wilderness):
12425 (JSC::CopiedBlock::wildernessEnd):
12426 (JSC::CopiedBlock::wildernessSize):
12427 (JSC::CopiedBlock::size):
12428 * heap/CopiedSpace.cpp:
12429 (JSC::CopiedSpace::tryAllocateSlowCase):
12430 (JSC::CopiedSpace::tryAllocateOversize):
12431 (JSC::CopiedSpace::tryReallocate):
12432 (JSC::CopiedSpace::doneFillingBlock):
12433 (JSC::CopiedSpace::doneCopying):
12434 * heap/CopiedSpace.h:
12435 (CopiedSpace):
12436 * heap/CopiedSpaceInlineMethods.h:
12437 (JSC::CopiedSpace::startedCopying):
12438 (JSC::CopiedSpace::allocateBlockForCopyingPhase):
12439 (JSC::CopiedSpace::allocateBlock):
12440 (JSC::CopiedSpace::tryAllocate):
12441 (JSC):
12442 * heap/MarkStack.cpp:
12443 (JSC::SlotVisitor::startCopying):
12444 (JSC::SlotVisitor::allocateNewSpace):
12445 (JSC::SlotVisitor::doneCopying):
12446 * heap/SlotVisitor.h:
12447 (JSC::SlotVisitor::SlotVisitor):
12448 * jit/JIT.h:
12449 * jit/JITInlineMethods.h:
12450 (JSC::JIT::emitAllocateBasicStorage):
12451 (JSC::JIT::emitAllocateJSArray):
12452
124532012-07-13 Mark Lam <mark.lam@apple.com>
12454
12455 OfflineASM Pretty printing and commenting enhancements.
12456 https://bugs.webkit.org/show_bug.cgi?id=91281
12457
12458 Reviewed by Filip Pizlo.
12459
12460 Added some minor pretty printing in the OfflineASM.
12461 Also added infrastruture for adding multiple types of comments and
12462 annotations with the ability to enable/disable them in the generated
12463 output as desired.
12464
12465 * GNUmakefile.list.am: add new file config.rb.
12466 * llint/LLIntOfflineAsmConfig.h:
12467 Added OFFLINE_ASM_BEGIN, OFFLINE_ASM_END, and OFFLINE_ASM_LOCAL_LABEL macros.
12468 This will allow us to redefine these for other backends later.
12469 * llint/LowLevelInterpreter32_64.asm:
12470 Add a small example of instruction annotations for now.
12471 * llint/LowLevelInterpreter64.asm:
12472 Add a small example of instruction annotations for now.
12473 * offlineasm/armv7.rb: Added handling of annotations.
12474 * offlineasm/asm.rb:
12475 Added machinery to dump the new comments and annotations.
12476 Also added some indentations to make the output a little prettier.
12477 * offlineasm/ast.rb: Added annotation field in class Instruction.
12478 * offlineasm/backends.rb:
12479 * offlineasm/config.rb: Added.
12480 Currently only contains commenting options. This file is meant to be
12481 a centralized place for build config values much like config.h for
12482 JavaScriptCore.
12483 * offlineasm/generate_offset_extractor.rb:
12484 * offlineasm/instructions.rb:
12485 * offlineasm/offsets.rb:
12486 * offlineasm/opt.rb:
12487 * offlineasm/parser.rb: Parse and record annotations.
12488 * offlineasm/registers.rb:
12489 * offlineasm/self_hash.rb:
12490 * offlineasm/settings.rb:
12491 * offlineasm/transform.rb:
12492 * offlineasm/x86.rb: Added handling of annotations.
12493
124942012-07-13 Filip Pizlo <fpizlo@apple.com>
12495
12496 ASSERTION FAILED: use.useKind() != DoubleUse
12497 https://bugs.webkit.org/show_bug.cgi?id=91082
12498
12499 Reviewed by Geoffrey Garen.
12500
12501 The implementation of Branch() was unwisely relying on register allocation state
12502 to decide what speculations to perform. That's never correct.
12503
12504 * dfg/DFGSpeculativeJIT32_64.cpp:
12505 (JSC::DFG::SpeculativeJIT::compile):
12506 * dfg/DFGSpeculativeJIT64.cpp:
12507 (JSC::DFG::SpeculativeJIT::compile):
12508
125092012-07-13 Sheriff Bot <webkit.review.bot@gmail.com>
12510
12511 Unreviewed, rolling out r122640.
12512 http://trac.webkit.org/changeset/122640
12513 https://bugs.webkit.org/show_bug.cgi?id=91298
12514
12515 LLInt apparently does not expect to mark these (Requested by
12516 olliej on #webkit).
12517
12518 * bytecode/CodeBlock.cpp:
12519 (JSC::CodeBlock::visitStructures):
12520 (JSC::CodeBlock::stronglyVisitStrongReferences):
12521
125222012-07-13 Oliver Hunt <oliver@apple.com>
12523
12524 LLInt fails to mark structures stored in the bytecode
12525 https://bugs.webkit.org/show_bug.cgi?id=91296
12526
12527 Reviewed by Geoffrey Garen.
12528
12529 LLInt stores structures in the bytecode, so we need to visit the appropriate
12530 instructions as we would if we were running in the classic interpreter.
12531 This requires adding additional checks for the LLInt specific opcodes, and
12532 the lint specific variants of operand ordering.
12533
12534 * bytecode/CodeBlock.cpp:
12535 (JSC::CodeBlock::visitStructures):
12536 (JSC::CodeBlock::stronglyVisitStrongReferences):
12537
125382012-07-13 Yong Li <yoli@rim.com>
12539
12540 [BlackBerry] Implement GCActivityCallback with platform timer
12541 https://bugs.webkit.org/show_bug.cgi?id=90175
12542
12543 Reviewed by Rob Buis.
12544
12545 Implement GCActivityCallback and HeapTimer for BlackBerry port.
12546
12547 * heap/HeapTimer.cpp:
12548 (JSC):
12549 (JSC::HeapTimer::HeapTimer):
12550 (JSC::HeapTimer::~HeapTimer):
12551 (JSC::HeapTimer::timerDidFire):
12552 (JSC::HeapTimer::synchronize):
12553 (JSC::HeapTimer::invalidate):
12554 (JSC::HeapTimer::didStartVMShutdown):
12555 * heap/HeapTimer.h:
12556 (HeapTimer):
12557 * runtime/GCActivityCallbackBlackBerry.cpp:
12558 (JSC):
12559 (JSC::DefaultGCActivityCallback::doWork):
12560 (JSC::DefaultGCActivityCallback::didAllocate):
12561 (JSC::DefaultGCActivityCallback::willCollect):
12562 (JSC::DefaultGCActivityCallback::cancel):
12563
125642012-07-13 Patrick Gansterer <paroga@webkit.org>
12565
12566 [WIN] Fix compilation of DFGRepatch.cpp
12567 https://bugs.webkit.org/show_bug.cgi?id=91241
12568
12569 Reviewed by Geoffrey Garen.
12570
12571 Use intptr_t instead of uintptr_t when calling CodeLocationCommon::dataLabelPtrAtOffset(int)
12572 to fix MSVC "unary minus operator applied to unsigned type, result still unsigned" warning.
12573
12574 * dfg/DFGRepatch.cpp:
12575 (JSC::DFG::dfgResetGetByID):
12576 (JSC::DFG::dfgResetPutByID):
12577
125782012-07-13 Patrick Gansterer <paroga@webkit.org>
12579
12580 Fix ARM_TRADITIONAL JIT for COMPILER(MSVC) and COMPILER(RVCT) after r121885
12581 https://bugs.webkit.org/show_bug.cgi?id=91238
12582
12583 Reviewed by Zoltan Herczeg.
12584
12585 r121885 changed the assembler instruction only for COMPILER(GCC).
12586 Use the same instructions for the other compilers too.
12587
12588 * jit/JITStubs.cpp:
12589 (JSC::ctiTrampoline):
12590 (JSC::ctiTrampolineEnd):
12591 (JSC::ctiVMThrowTrampoline):
12592
125932012-07-12 Filip Pizlo <fpizlo@apple.com>
12594
12595 DFG property access stubs should use structure transition watchpoints
12596 https://bugs.webkit.org/show_bug.cgi?id=91135
12597
12598 Reviewed by Geoffrey Garen.
12599
12600 This adds a Watchpoint subclass that will clear a structure stub (i.e.
12601 a property access stub) when fired. The DFG stub generation code now
12602 uses this optimization.
12603
12604 * CMakeLists.txt:
12605 * GNUmakefile.list.am:
12606 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
12607 * JavaScriptCore.xcodeproj/project.pbxproj:
12608 * Target.pri:
12609 * bytecode/CodeBlock.cpp:
12610 (JSC):
12611 (JSC::CodeBlock::finalizeUnconditionally):
12612 (JSC::CodeBlock::resetStub):
12613 (JSC::CodeBlock::resetStubInternal):
12614 * bytecode/CodeBlock.h:
12615 (JSC):
12616 (CodeBlock):
12617 * bytecode/StructureStubClearingWatchpoint.cpp: Added.
12618 (JSC):
12619 (JSC::StructureStubClearingWatchpoint::~StructureStubClearingWatchpoint):
12620 (JSC::StructureStubClearingWatchpoint::push):
12621 (JSC::StructureStubClearingWatchpoint::fireInternal):
12622 (JSC::WatchpointsOnStructureStubInfo::~WatchpointsOnStructureStubInfo):
12623 (JSC::WatchpointsOnStructureStubInfo::addWatchpoint):
12624 (JSC::WatchpointsOnStructureStubInfo::ensureReferenceAndAddWatchpoint):
12625 * bytecode/StructureStubClearingWatchpoint.h: Added.
12626 (JSC):
12627 (StructureStubClearingWatchpoint):
12628 (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):
12629 (WatchpointsOnStructureStubInfo):
12630 (JSC::WatchpointsOnStructureStubInfo::WatchpointsOnStructureStubInfo):
12631 (JSC::WatchpointsOnStructureStubInfo::codeBlock):
12632 (JSC::WatchpointsOnStructureStubInfo::stubInfo):
12633 * bytecode/StructureStubInfo.h:
12634 (JSC::StructureStubInfo::reset):
12635 (JSC::StructureStubInfo::addWatchpoint):
12636 (StructureStubInfo):
12637 * dfg/DFGRepatch.cpp:
12638 (JSC::DFG::addStructureTransitionCheck):
12639 (DFG):
12640 (JSC::DFG::generateProtoChainAccessStub):
12641 (JSC::DFG::emitPutTransitionStub):
12642 * jit/JumpReplacementWatchpoint.h:
12643
126442012-07-12 Filip Pizlo <fpizlo@apple.com>
12645
12646 DFG CFA may get overzealous in loops that have code that must exit
12647 https://bugs.webkit.org/show_bug.cgi?id=91188
12648
12649 Reviewed by Gavin Barraclough.
12650
12651 Ensure that if the CFA assumes that an operation must exit, then it will always exit
12652 no matter what happens after. That's necessary to preserve soundness.
12653
12654 Remove a broken fixup done by the DFG simplifier, where it was trying to say that the
12655 variable-at-head was the first access in the second block in the merge, if the first
12656 block did not read the variable. That's totally wrong, if the first block was in fact
12657 doing a phantom read. I removed that fixup and instead hardened the rest of the
12658 compiler.
12659
12660 * dfg/DFGAbstractState.cpp:
12661 (JSC::DFG::AbstractState::endBasicBlock):
12662 * dfg/DFGBasicBlock.h:
12663 (JSC::DFG::BasicBlock::BasicBlock):
12664 (BasicBlock):
12665 * dfg/DFGCFAPhase.cpp:
12666 (JSC::DFG::CFAPhase::performBlockCFA):
12667 * dfg/DFGCFGSimplificationPhase.cpp:
12668 (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
12669 * dfg/DFGConstantFoldingPhase.cpp:
12670 (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
12671 (JSC::DFG::ConstantFoldingPhase::run):
12672 (ConstantFoldingPhase):
12673 (JSC::DFG::ConstantFoldingPhase::foldConstants):
12674 (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
12675 * dfg/DFGVariableEventStream.cpp:
12676 (JSC::DFG::VariableEventStream::reconstruct):
12677
126782012-07-12 Allan Sandfeld Jensen <allan.jensen@nokia.com>
12679
12680 [Qt] Implement MemoryUsageSupport
12681 https://bugs.webkit.org/show_bug.cgi?id=91094
12682
12683 Reviewed by Adam Barth.
12684
12685 Compile in MemoryStatistics so we can make use of the interface.
12686
12687 * Target.pri:
12688
126892012-07-12 Csaba Osztrogonác <ossy@webkit.org>
12690
12691 Remove dead code after r122392.
12692 https://bugs.webkit.org/show_bug.cgi?id=91049
12693
12694 Reviewed by Filip Pizlo.
12695
12696 * dfg/DFGSpeculativeJIT64.cpp:
12697 (JSC::DFG::SpeculativeJIT::emitCall):
12698
126992012-07-11 Adenilson Cavalcanti <cavalcantii@gmail.com>
12700
12701 Build fix + remove dead code
12702 https://bugs.webkit.org/show_bug.cgi?id=91039
12703
12704 Reviewed by Filip Pizlo.
12705
12706 An unused variable was breaking compilation (thanks to warnings being treated as errors).
12707
12708 * dfg/DFGSpeculativeJIT32_64.cpp:
12709 (JSC::DFG::SpeculativeJIT::emitCall):
12710
127112012-07-11 Mark Rowe <mrowe@apple.com>
12712
12713 <http://webkit.org/b/91024> Build against the latest SDK when targeting older OS X versions.
12714
12715 Reviewed by Dan Bernstein.
12716
12717 The deployment target is already set to the version that we're targeting, and it's that setting
12718 which determines which functionality from the SDK is available to us.
12719
12720 * Configurations/Base.xcconfig:
12721
127222012-07-11 Filip Pizlo <fpizlo@apple.com>
12723
12724 DFG should have fast virtual calls
12725 https://bugs.webkit.org/show_bug.cgi?id=90924
12726
12727 Reviewed by Gavin Barraclough.
12728
12729 Implements virtual call support in the style of the old JIT, with the
12730 caveat that we still use the same slow path for both InternalFunction
12731 calls and JSFunction calls. Also rationalized the way that our
12732 CodeOrigin indices tie into exception checks (previously it was a
12733 strange one-to-one mapping with fairly limited assertions; now it's a
12734 one-to-many mapping for CodeOrigins to exception checks, respectively).
12735 I also took the opportunity to clean up
12736 CallLinkInfo::callReturnLocation, which previously was either a Call or
12737 a NearCall. Now it's just a NearCall. As well, exceptions during slow
12738 path call resolution are now handled by returning an exception throwing
12739 thunk rather than returning null. And finally, I made a few things
12740 public that were previously private-with-lots-of-friends, because I
12741 truly despise the thought of listing each thunk generating function as
12742 a friend of JSValue and friends.
12743
12744 * bytecode/CallLinkInfo.cpp:
12745 (JSC::CallLinkInfo::unlink):
12746 * bytecode/CallLinkInfo.h:
12747 (CallLinkInfo):
12748 * bytecode/CodeOrigin.h:
12749 (JSC::CodeOrigin::CodeOrigin):
12750 (JSC::CodeOrigin::isSet):
12751 * dfg/DFGAssemblyHelpers.h:
12752 (JSC::DFG::AssemblyHelpers::AssemblyHelpers):
12753 * dfg/DFGCCallHelpers.h:
12754 (JSC::DFG::CCallHelpers::CCallHelpers):
12755 * dfg/DFGGPRInfo.h:
12756 (GPRInfo):
12757 * dfg/DFGJITCompiler.cpp:
12758 (JSC::DFG::JITCompiler::link):
12759 (JSC::DFG::JITCompiler::compileFunction):
12760 * dfg/DFGJITCompiler.h:
12761 (JSC::DFG::CallBeginToken::CallBeginToken):
12762 (JSC::DFG::CallBeginToken::~CallBeginToken):
12763 (CallBeginToken):
12764 (JSC::DFG::CallBeginToken::set):
12765 (JSC::DFG::CallBeginToken::registerWithExceptionCheck):
12766 (JSC::DFG::CallBeginToken::codeOrigin):
12767 (JSC::DFG::CallExceptionRecord::CallExceptionRecord):
12768 (CallExceptionRecord):
12769 (JSC::DFG::JITCompiler::currentCodeOriginIndex):
12770 (JITCompiler):
12771 (JSC::DFG::JITCompiler::beginCall):
12772 (JSC::DFG::JITCompiler::notifyCall):
12773 (JSC::DFG::JITCompiler::prepareForExceptionCheck):
12774 (JSC::DFG::JITCompiler::addExceptionCheck):
12775 (JSC::DFG::JITCompiler::addFastExceptionCheck):
12776 * dfg/DFGOperations.cpp:
12777 * dfg/DFGRepatch.cpp:
12778 (JSC::DFG::dfgLinkFor):
12779 * dfg/DFGSpeculativeJIT.h:
12780 (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
12781 * dfg/DFGSpeculativeJIT32_64.cpp:
12782 (JSC::DFG::SpeculativeJIT::emitCall):
12783 * dfg/DFGSpeculativeJIT64.cpp:
12784 (JSC::DFG::SpeculativeJIT::emitCall):
12785 * dfg/DFGThunks.cpp:
12786 (JSC::DFG::emitPointerValidation):
12787 (DFG):
12788 (JSC::DFG::throwExceptionFromCallSlowPathGenerator):
12789 (JSC::DFG::slowPathFor):
12790 (JSC::DFG::linkForThunkGenerator):
12791 (JSC::DFG::linkCallThunkGenerator):
12792 (JSC::DFG::linkConstructThunkGenerator):
12793 (JSC::DFG::virtualForThunkGenerator):
12794 (JSC::DFG::virtualCallThunkGenerator):
12795 (JSC::DFG::virtualConstructThunkGenerator):
12796 * dfg/DFGThunks.h:
12797 (DFG):
12798 * jit/JIT.cpp:
12799 (JSC::JIT::privateCompile):
12800 (JSC::JIT::linkFor):
12801 * runtime/Executable.h:
12802 (ExecutableBase):
12803 (JSC::ExecutableBase::offsetOfJITCodeFor):
12804 (JSC::ExecutableBase::offsetOfNumParametersFor):
12805 * runtime/JSValue.h:
12806 (JSValue):
12807
128082012-07-11 Filip Pizlo <fpizlo@apple.com>
12809
12810 Accidentally used the wrong license (3-clause instead of 2-clause) in some
12811 files I just committed.
12812
12813 Rubber stamped by Oliver Hunt.
12814
12815 * bytecode/Watchpoint.cpp:
12816 * bytecode/Watchpoint.h:
12817 * jit/JumpReplacementWatchpoint.cpp:
12818 * jit/JumpReplacementWatchpoint.h:
12819
128202012-07-11 Filip Pizlo <fpizlo@apple.com>
12821
12822 Watchpoints and jump replacement should be decoupled
12823 https://bugs.webkit.org/show_bug.cgi?id=91016
12824
12825 Reviewed by Oliver Hunt.
12826
12827 * CMakeLists.txt:
12828 * GNUmakefile.list.am:
12829 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
12830 * JavaScriptCore.xcodeproj/project.pbxproj:
12831 * Target.pri:
12832 * assembler/AbstractMacroAssembler.h:
12833 (JSC):
12834 (Label):
12835 * bytecode/CodeBlock.h:
12836 (JSC::CodeBlock::appendWatchpoint):
12837 (JSC::CodeBlock::watchpoint):
12838 (DFGData):
12839 * bytecode/Watchpoint.cpp:
12840 (JSC):
12841 * bytecode/Watchpoint.h:
12842 (JSC::Watchpoint::Watchpoint):
12843 (Watchpoint):
12844 (JSC::Watchpoint::fire):
12845 * dfg/DFGSpeculativeJIT.h:
12846 (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
12847 * jit/JumpReplacementWatchpoint.cpp: Added.
12848 (JSC):
12849 (JSC::JumpReplacementWatchpoint::correctLabels):
12850 (JSC::JumpReplacementWatchpoint::fireInternal):
12851 * jit/JumpReplacementWatchpoint.h: Added.
12852 (JSC):
12853 (JumpReplacementWatchpoint):
12854 (JSC::JumpReplacementWatchpoint::JumpReplacementWatchpoint):
12855 (JSC::JumpReplacementWatchpoint::setDestination):
12856
128572012-07-11 Kevin Ollivier <kevino@theolliviers.com>
12858
12859 [wx] Unreviewed build fix. Don't try to build udis86_itab.c since it's included by
12860 another file.
12861
12862 * wscript:
12863
128642012-07-11 Chao-ying Fu <fu@mips.com>
12865
12866 Add MIPS convertibleLoadPtr and other functions
12867 https://bugs.webkit.org/show_bug.cgi?id=90714
12868
12869 Reviewed by Oliver Hunt.
12870
12871 * assembler/MIPSAssembler.h:
12872 (JSC::MIPSAssembler::labelIgnoringWatchpoints):
12873 (MIPSAssembler):
12874 (JSC::MIPSAssembler::replaceWithLoad):
12875 (JSC::MIPSAssembler::replaceWithAddressComputation):
12876 * assembler/MacroAssemblerMIPS.h:
12877 (JSC::MacroAssemblerMIPS::convertibleLoadPtr):
12878 (MacroAssemblerMIPS):
12879
128802012-07-11 Anders Carlsson <andersca@apple.com>
12881
12882 Add -Wtautological-compare and -Wsign-compare warning flags
12883 https://bugs.webkit.org/show_bug.cgi?id=90994
12884
12885 Reviewed by Mark Rowe.
12886
12887 * Configurations/Base.xcconfig:
12888
128892012-07-11 Benjamin Poulain <bpoulain@apple.com>
12890
12891 Simplify the copying of JSC ARMv7's LinkRecord
12892 https://bugs.webkit.org/show_bug.cgi?id=90930
12893
12894 Reviewed by Filip Pizlo.
12895
12896 The class LinkRecord is used by value everywhere in ARMv7Assembler. The compiler uses
12897 memmove() to move the objects.
12898
12899 The problem is memmove() is overkill for this object, moving the value can be done with
12900 3 load-store. This patch adds an operator= to the class doing more efficient copying.
12901 This reduces the link time by 19%.
12902
12903 * assembler/ARMv7Assembler.h:
12904 (JSC::ARMv7Assembler::LinkRecord::LinkRecord):
12905 (JSC::ARMv7Assembler::LinkRecord::operator=):
12906 (JSC::ARMv7Assembler::LinkRecord::from):
12907 (JSC::ARMv7Assembler::LinkRecord::setFrom):
12908 (JSC::ARMv7Assembler::LinkRecord::to):
12909 (JSC::ARMv7Assembler::LinkRecord::type):
12910 (JSC::ARMv7Assembler::LinkRecord::linkType):
12911 (JSC::ARMv7Assembler::LinkRecord::setLinkType):
12912 (JSC::ARMv7Assembler::LinkRecord::condition):
12913
129142012-07-11 Andy Wingo <wingo@igalia.com>
12915
12916 jsc: Parse options before creating global data
12917 https://bugs.webkit.org/show_bug.cgi?id=90975
12918
12919 Reviewed by Filip Pizlo.
12920
12921 This patch moves the options parsing in "jsc" before the creation
12922 of the JSGlobalData, so that --useJIT=no has a chance to take
12923 effect.
12924
12925 * jsc.cpp:
12926 (CommandLine::parseArguments): Refactor to be a class, and take
12927 argc and argv as constructor arguments.
12928 (jscmain): Move arg parsing before JSGlobalData creation.
12929
129302012-07-10 Filip Pizlo <fpizlo@apple.com>
12931
12932 REGRESSION(r122166): It made 170 tests crash on 32 bit platforms
12933 https://bugs.webkit.org/show_bug.cgi?id=90852
12934
12935 Reviewed by Zoltan Herczeg.
12936
12937 If we can't use the range filter, we should still make sure that the
12938 address is remotely sane, otherwise the hashtables will assert.
12939
12940 * jit/JITStubRoutine.h:
12941 (JSC::JITStubRoutine::passesFilter):
12942
129432012-07-10 Filip Pizlo <fpizlo@apple.com>
12944
12945 DFG recompilation heuristics should be based on count, not rate
12946 https://bugs.webkit.org/show_bug.cgi?id=90146
12947
12948 Reviewed by Oliver Hunt.
12949
12950 Rolling r121511 back in after fixing the DFG's interpretation of op_div
12951 profiling, with Gavin's rubber stamp.
12952
12953 This removes a bunch of code that was previously trying to prevent spurious
12954 reoptimizations if a large enough majority of executions of a code block did
12955 not result in OSR exit. It turns out that this code was purely harmful. This
12956 patch removes all of that logic and replaces it with a dead-simple
12957 heuristic: if you exit more than N times (where N is an exponential function
12958 of the number of times the code block has already been recompiled) then we
12959 will recompile.
12960
12961 This appears to be a broad ~1% win on many benchmarks large and small.
12962
12963 * bytecode/CodeBlock.cpp:
12964 (JSC::CodeBlock::CodeBlock):
12965 * bytecode/CodeBlock.h:
12966 (JSC::CodeBlock::couldTakeSpecialFastCase):
12967 (CodeBlock):
12968 (JSC::CodeBlock::osrExitCounter):
12969 (JSC::CodeBlock::countOSRExit):
12970 (JSC::CodeBlock::addressOfOSRExitCounter):
12971 (JSC::CodeBlock::offsetOfOSRExitCounter):
12972 (JSC::CodeBlock::adjustedExitCountThreshold):
12973 (JSC::CodeBlock::exitCountThresholdForReoptimization):
12974 (JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop):
12975 (JSC::CodeBlock::shouldReoptimizeNow):
12976 (JSC::CodeBlock::shouldReoptimizeFromLoopNow):
12977 * bytecode/ExecutionCounter.cpp:
12978 (JSC::ExecutionCounter::setThreshold):
12979 * bytecode/ExecutionCounter.h:
12980 (ExecutionCounter):
12981 (JSC::ExecutionCounter::clippedThreshold):
12982 * dfg/DFGByteCodeParser.cpp:
12983 (JSC::DFG::ByteCodeParser::makeDivSafe):
12984 * dfg/DFGJITCompiler.cpp:
12985 (JSC::DFG::JITCompiler::compileBody):
12986 * dfg/DFGOSRExit.cpp:
12987 (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
12988 * dfg/DFGOSRExitCompiler.cpp:
12989 (JSC::DFG::OSRExitCompiler::handleExitCounts):
12990 * dfg/DFGOperations.cpp:
12991 * jit/JITStubs.cpp:
12992 (JSC::DEFINE_STUB_FUNCTION):
12993 * runtime/Options.h:
12994 (JSC):
12995
129962012-07-09 Matt Falkenhagen <falken@chromium.org>
12997
12998 Add ENABLE_DIALOG_ELEMENT and skeleton files
12999 https://bugs.webkit.org/show_bug.cgi?id=90521
13000
13001 Reviewed by Kent Tamura.
13002
13003 * Configurations/FeatureDefines.xcconfig:
13004
130052012-07-09 Filip Pizlo <fpizlo@apple.com>
13006
13007 Unreviewed, roll out http://trac.webkit.org/changeset/121511
13008 It made in-browser V8v7 10% slower.
13009
13010 * bytecode/CodeBlock.cpp:
13011 (JSC::CodeBlock::CodeBlock):
13012 * bytecode/CodeBlock.h:
13013 (CodeBlock):
13014 (JSC::CodeBlock::countSpeculationSuccess):
13015 (JSC::CodeBlock::countSpeculationFailure):
13016 (JSC::CodeBlock::speculativeSuccessCounter):
13017 (JSC::CodeBlock::speculativeFailCounter):
13018 (JSC::CodeBlock::forcedOSRExitCounter):
13019 (JSC::CodeBlock::addressOfSpeculativeSuccessCounter):
13020 (JSC::CodeBlock::addressOfSpeculativeFailCounter):
13021 (JSC::CodeBlock::addressOfForcedOSRExitCounter):
13022 (JSC::CodeBlock::offsetOfSpeculativeSuccessCounter):
13023 (JSC::CodeBlock::offsetOfSpeculativeFailCounter):
13024 (JSC::CodeBlock::offsetOfForcedOSRExitCounter):
13025 (JSC::CodeBlock::largeFailCountThreshold):
13026 (JSC::CodeBlock::largeFailCountThresholdForLoop):
13027 (JSC::CodeBlock::shouldReoptimizeNow):
13028 (JSC::CodeBlock::shouldReoptimizeFromLoopNow):
13029 * bytecode/ExecutionCounter.cpp:
13030 (JSC::ExecutionCounter::setThreshold):
13031 * bytecode/ExecutionCounter.h:
13032 (ExecutionCounter):
13033 * dfg/DFGJITCompiler.cpp:
13034 (JSC::DFG::JITCompiler::compileBody):
13035 * dfg/DFGOSRExit.cpp:
13036 (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
13037 * dfg/DFGOSRExitCompiler.cpp:
13038 (JSC::DFG::OSRExitCompiler::handleExitCounts):
13039 * dfg/DFGOperations.cpp:
13040 * jit/JITStubs.cpp:
13041 (JSC::DEFINE_STUB_FUNCTION):
13042 * runtime/Options.h:
13043 (JSC):
13044
130452012-07-09 Filip Pizlo <fpizlo@apple.com>
13046
13047 DFG may get stuck in an infinite fix point if it constant folds a mispredicted node
13048 https://bugs.webkit.org/show_bug.cgi?id=90829
13049 <rdar://problem/11823843>
13050
13051 Reviewed by Oliver Hunt.
13052
13053 If a node is shown to have been mispredicted during CFA, then don't allow constant
13054 folding to make the graph even more degenerate. Instead, pull back on constant folding
13055 and allow the normal OSR machinery to fix our profiling so that a future recompilation
13056 doesn't see the same mistake.
13057
13058 * dfg/DFGAbstractState.cpp:
13059 (JSC::DFG::AbstractState::execute):
13060 * dfg/DFGAbstractState.h:
13061 (JSC::DFG::AbstractState::trySetConstant):
13062 (AbstractState):
13063 * dfg/DFGPhase.h:
13064 (JSC::DFG::Phase::name):
13065 (Phase):
13066 (JSC::DFG::runAndLog):
13067 (DFG):
13068 (JSC::DFG::runPhase):
13069
130702012-07-09 Filip Pizlo <fpizlo@apple.com>
13071
13072 It should be possible to jettison JIT stub routines even if they are currently running
13073 https://bugs.webkit.org/show_bug.cgi?id=90731
13074
13075 Reviewed by Gavin Barraclough.
13076
13077 This gives the GC awareness of all JIT-generated stubs for inline caches. That
13078 means that if you want to delete a JIT-generated stub, you don't have to worry
13079 about whether or not it is currently running: if there is a chance that it might
13080 be, the GC will kindly defer deletion until non-running-ness is proved.
13081
13082 * CMakeLists.txt:
13083 * GNUmakefile.list.am:
13084 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
13085 * JavaScriptCore.xcodeproj/project.pbxproj:
13086 * Target.pri:
13087 * bytecode/Instruction.h:
13088 (JSC):
13089 (PolymorphicStubInfo):
13090 (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
13091 (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
13092 * bytecode/PolymorphicPutByIdList.cpp:
13093 (JSC::PutByIdAccess::fromStructureStubInfo):
13094 * bytecode/PolymorphicPutByIdList.h:
13095 (JSC::PutByIdAccess::transition):
13096 (JSC::PutByIdAccess::replace):
13097 (JSC::PutByIdAccess::stubRoutine):
13098 (PutByIdAccess):
13099 (JSC::PolymorphicPutByIdList::currentSlowPathTarget):
13100 * bytecode/StructureStubInfo.h:
13101 (JSC::StructureStubInfo::reset):
13102 * dfg/DFGRepatch.cpp:
13103 (JSC::DFG::generateProtoChainAccessStub):
13104 (JSC::DFG::tryCacheGetByID):
13105 (JSC::DFG::tryBuildGetByIDList):
13106 (JSC::DFG::tryBuildGetByIDProtoList):
13107 (JSC::DFG::emitPutReplaceStub):
13108 (JSC::DFG::emitPutTransitionStub):
13109 (JSC::DFG::tryCachePutByID):
13110 (JSC::DFG::tryBuildPutByIdList):
13111 * heap/ConservativeRoots.cpp:
13112 (JSC):
13113 (DummyMarkHook):
13114 (JSC::DummyMarkHook::mark):
13115 (JSC::ConservativeRoots::add):
13116 (CompositeMarkHook):
13117 (JSC::CompositeMarkHook::CompositeMarkHook):
13118 (JSC::CompositeMarkHook::mark):
13119 * heap/ConservativeRoots.h:
13120 (JSC):
13121 (ConservativeRoots):
13122 * heap/Heap.cpp:
13123 (JSC::Heap::markRoots):
13124 (JSC::Heap::deleteUnmarkedCompiledCode):
13125 * heap/Heap.h:
13126 (JSC):
13127 (Heap):
13128 * heap/JITStubRoutineSet.cpp: Added.
13129 (JSC):
13130 (JSC::JITStubRoutineSet::JITStubRoutineSet):
13131 (JSC::JITStubRoutineSet::~JITStubRoutineSet):
13132 (JSC::JITStubRoutineSet::add):
13133 (JSC::JITStubRoutineSet::clearMarks):
13134 (JSC::JITStubRoutineSet::markSlow):
13135 (JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
13136 (JSC::JITStubRoutineSet::traceMarkedStubRoutines):
13137 * heap/JITStubRoutineSet.h: Added.
13138 (JSC):
13139 (JITStubRoutineSet):
13140 (JSC::JITStubRoutineSet::mark):
13141 * heap/MachineStackMarker.h:
13142 (JSC):
13143 * interpreter/RegisterFile.cpp:
13144 (JSC::RegisterFile::gatherConservativeRoots):
13145 * interpreter/RegisterFile.h:
13146 (JSC):
13147 * jit/ExecutableAllocator.cpp:
13148 (JSC::DemandExecutableAllocator::DemandExecutableAllocator):
13149 * jit/ExecutableAllocator.h:
13150 (JSC):
13151 * jit/ExecutableAllocatorFixedVMPool.cpp:
13152 (JSC):
13153 (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
13154 * jit/GCAwareJITStubRoutine.cpp: Added.
13155 (JSC):
13156 (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
13157 (JSC::GCAwareJITStubRoutine::~GCAwareJITStubRoutine):
13158 (JSC::GCAwareJITStubRoutine::observeZeroRefCount):
13159 (JSC::GCAwareJITStubRoutine::deleteFromGC):
13160 (JSC::GCAwareJITStubRoutine::markRequiredObjectsInternal):
13161 (JSC::MarkingGCAwareJITStubRoutineWithOneObject::MarkingGCAwareJITStubRoutineWithOneObject):
13162 (JSC::MarkingGCAwareJITStubRoutineWithOneObject::~MarkingGCAwareJITStubRoutineWithOneObject):
13163 (JSC::MarkingGCAwareJITStubRoutineWithOneObject::markRequiredObjectsInternal):
13164 (JSC::createJITStubRoutine):
13165 * jit/GCAwareJITStubRoutine.h: Added.
13166 (JSC):
13167 (GCAwareJITStubRoutine):
13168 (JSC::GCAwareJITStubRoutine::markRequiredObjects):
13169 (MarkingGCAwareJITStubRoutineWithOneObject):
13170 * jit/JITPropertyAccess.cpp:
13171 (JSC::JIT::privateCompilePutByIdTransition):
13172 (JSC::JIT::privateCompilePatchGetArrayLength):
13173 (JSC::JIT::privateCompileGetByIdProto):
13174 (JSC::JIT::privateCompileGetByIdSelfList):
13175 (JSC::JIT::privateCompileGetByIdProtoList):
13176 (JSC::JIT::privateCompileGetByIdChainList):
13177 (JSC::JIT::privateCompileGetByIdChain):
13178 * jit/JITPropertyAccess32_64.cpp:
13179 (JSC::JIT::privateCompilePutByIdTransition):
13180 (JSC::JIT::privateCompilePatchGetArrayLength):
13181 (JSC::JIT::privateCompileGetByIdProto):
13182 (JSC::JIT::privateCompileGetByIdSelfList):
13183 (JSC::JIT::privateCompileGetByIdProtoList):
13184 (JSC::JIT::privateCompileGetByIdChainList):
13185 (JSC::JIT::privateCompileGetByIdChain):
13186 * jit/JITStubRoutine.cpp: Added.
13187 (JSC):
13188 (JSC::JITStubRoutine::~JITStubRoutine):
13189 (JSC::JITStubRoutine::observeZeroRefCount):
13190 * jit/JITStubRoutine.h: Added.
13191 (JSC):
13192 (JITStubRoutine):
13193 (JSC::JITStubRoutine::JITStubRoutine):
13194 (JSC::JITStubRoutine::createSelfManagedRoutine):
13195 (JSC::JITStubRoutine::code):
13196 (JSC::JITStubRoutine::asCodePtr):
13197 (JSC::JITStubRoutine::ref):
13198 (JSC::JITStubRoutine::deref):
13199 (JSC::JITStubRoutine::startAddress):
13200 (JSC::JITStubRoutine::endAddress):
13201 (JSC::JITStubRoutine::addressStep):
13202 (JSC::JITStubRoutine::canPerformRangeFilter):
13203 (JSC::JITStubRoutine::filteringStartAddress):
13204 (JSC::JITStubRoutine::filteringExtentSize):
13205 (JSC::JITStubRoutine::passesFilter):
13206 * jit/JITStubs.cpp:
13207 (JSC::DEFINE_STUB_FUNCTION):
13208 (JSC::getPolymorphicAccessStructureListSlot):
13209
132102012-07-09 Sheriff Bot <webkit.review.bot@gmail.com>
13211
13212 Unreviewed, rolling out r122107.
13213 http://trac.webkit.org/changeset/122107
13214 https://bugs.webkit.org/show_bug.cgi?id=90794
13215
13216 Build failure on Mac debug bots (Requested by falken_ on
13217 #webkit).
13218
13219 * Configurations/FeatureDefines.xcconfig:
13220
132212012-07-09 Matt Falkenhagen <falken@chromium.org>
13222
13223 Add ENABLE_DIALOG_ELEMENT and skeleton files
13224 https://bugs.webkit.org/show_bug.cgi?id=90521
13225
13226 Reviewed by Kent Tamura.
13227
13228 * Configurations/FeatureDefines.xcconfig:
13229
132302012-07-08 Ryosuke Niwa <rniwa@webkit.org>
13231
13232 gcc build fix after r121925.
13233
13234 * runtime/JSObject.h:
13235 (JSC::JSFinalObject::finishCreation):
13236
132372012-07-08 Zoltan Herczeg <zherczeg@webkit.org>
13238
13239 [Qt][ARM] Implementing missing macro assembler instructions after r121925
13240 https://bugs.webkit.org/show_bug.cgi?id=90657
13241
13242 Reviewed by Csaba Osztrogonác.
13243
13244 Implementing convertibleLoadPtr, replaceWithLoad and
13245 replaceWithAddressComputation.
13246
13247 * assembler/ARMAssembler.h:
13248 (JSC::ARMAssembler::replaceWithLoad):
13249 (ARMAssembler):
13250 (JSC::ARMAssembler::replaceWithAddressComputation):
13251 * assembler/MacroAssemblerARM.h:
13252 (JSC::MacroAssemblerARM::convertibleLoadPtr):
13253 (MacroAssemblerARM):
13254
132552012-07-06 Filip Pizlo <fpizlo@apple.com>
13256
13257 WebKit Version 5.1.7 (6534.57.2, r121935): Double-click no longer works on OpenStreetMap
13258 https://bugs.webkit.org/show_bug.cgi?id=90703
13259
13260 Reviewed by Michael Saboff.
13261
13262 It turns out that in my object model refactoring, I managed to fix get_by_pname in all
13263 execution engines except 64-bit baseline JIT.
13264
13265 * jit/JITPropertyAccess.cpp:
13266 (JSC::JIT::emit_op_get_by_pname):
13267
132682012-07-06 Pravin D <pravind.2k4@gmail.com>
13269
13270 Build Error on Qt Linux build
13271 https://bugs.webkit.org/show_bug.cgi?id=90699
13272
13273 Reviewed by Laszlo Gombos.
13274
13275 * parser/Parser.cpp:
13276 (JSC::::parseForStatement):
13277 Removed unused boolean variable as this was causing build error on Qt Linux.
13278
132792012-07-06 Nuno Lopes <nlopes@apple.com>
13280
13281 Fix build with recent clang.
13282 https://bugs.webkit.org/show_bug.cgi?id=90634
13283
13284 Reviewed by Oliver Hunt.
13285
13286 * jit/SpecializedThunkJIT.h:
13287 (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
13288 (SpecializedThunkJIT):
13289 * jit/ThunkGenerators.cpp:
13290 (JSC::charCodeAtThunkGenerator):
13291 (JSC::charAtThunkGenerator):
13292 (JSC::fromCharCodeThunkGenerator):
13293 (JSC::sqrtThunkGenerator):
13294 (JSC::floorThunkGenerator):
13295 (JSC::ceilThunkGenerator):
13296 (JSC::roundThunkGenerator):
13297 (JSC::expThunkGenerator):
13298 (JSC::logThunkGenerator):
13299 (JSC::absThunkGenerator):
13300 (JSC::powThunkGenerator):
13301 * parser/ASTBuilder.h:
13302 (JSC::ASTBuilder::createAssignResolve):
13303 (JSC::ASTBuilder::createForLoop):
13304 (JSC::ASTBuilder::createForInLoop):
13305 (JSC::ASTBuilder::makeAssignNode):
13306 (JSC::ASTBuilder::makePrefixNode):
13307 (JSC::ASTBuilder::makePostfixNode):
13308 * parser/NodeConstructors.h:
13309 (JSC::PostfixErrorNode::PostfixErrorNode):
13310 (JSC::PrefixErrorNode::PrefixErrorNode):
13311 (JSC::AssignResolveNode::AssignResolveNode):
13312 (JSC::AssignErrorNode::AssignErrorNode):
13313 (JSC::ForNode::ForNode):
13314 (JSC::ForInNode::ForInNode):
13315 * parser/Nodes.h:
13316 (FunctionCallResolveNode):
13317 (PostfixErrorNode):
13318 (PrefixErrorNode):
13319 (ReadModifyResolveNode):
13320 (AssignResolveNode):
13321 (AssignErrorNode):
13322 (ForNode):
13323 (ForInNode):
13324 * parser/Parser.cpp:
13325 (JSC::::parseVarDeclarationList):
13326 (JSC::::parseForStatement):
13327 * parser/SyntaxChecker.h:
13328 (JSC::SyntaxChecker::createAssignResolve):
13329 (JSC::SyntaxChecker::createForLoop):
13330
133312012-07-06 Zoltan Herczeg <zherczeg@webkit.org>
13332
13333 [Qt][ARM] REGRESSION(r121885): It broke 30 jsc tests, 500+ layout tests
13334 https://bugs.webkit.org/show_bug.cgi?id=90656
13335
13336 Reviewed by Csaba Osztrogonác.
13337
13338 Typo fixes.
13339
13340 * assembler/MacroAssemblerARM.cpp:
13341 (JSC::MacroAssemblerARM::load32WithUnalignedHalfWords):
13342 Rename getOp2Byte() -> getOp2Half()
13343 * assembler/MacroAssemblerARMv7.h:
13344 (JSC::MacroAssemblerARMv7::convertibleLoadPtr):
13345 Add a necessary space.
13346 * jit/JITStubs.cpp:
13347 (JSC):
13348 Revert INLINE_ARM_FUNCTION macro.
13349
133502012-07-05 Filip Pizlo <fpizlo@apple.com>
13351
13352 REGRESSION(r121925): It broke 5 sputnik tests on x86 platforms
13353 https://bugs.webkit.org/show_bug.cgi?id=90658
13354
13355 Reviewed by Zoltan Herczeg.
13356
13357 Under the new object model, out-of-line property accesses such as those
13358 in ResolveGlobal must account for the fact that the offset to the Kth
13359 property is represented by K + inlineStorageCapacity. Hence, the property
13360 loads in ResolveGlobal must have an additional -inlineStorageCapacity *
13361 sizeof(JSValue) offset.
13362
13363 * dfg/DFGSpeculativeJIT32_64.cpp:
13364 (JSC::DFG::SpeculativeJIT::compile):
13365
133662012-07-05 Csaba Osztrogonác <ossy@webkit.org>
13367
13368 [Qt] Unreviewed 64 bit buildfix after r121925.
13369
13370 * bytecode/PutByIdStatus.cpp:
13371 (JSC::PutByIdStatus::computeFromLLInt):
13372
133732012-07-05 Michael Saboff <msaboff@apple.com>
13374
13375 JSString::tryHashConstLock() fails to get exclusive lock
13376 https://bugs.webkit.org/show_bug.cgi?id=90639
13377
13378 Reviewed by Oliver Hunt.
13379
13380 Added check that the string is already locked even before compare and swap.
13381
13382 * heap/MarkStack.cpp:
13383 (JSC::JSString::tryHashConstLock):
13384
133852012-07-04 Filip Pizlo <fpizlo@apple.com>
13386
13387 Inline property storage should not be wasted when it is exhausted
13388 https://bugs.webkit.org/show_bug.cgi?id=90347
13389
13390 Reviewed by Gavin Barraclough.
13391
13392 Previously, if we switched an object from using inline storage to out-of-line
13393 storage, we would abandon the inline storage. This would have two main implications:
13394 (i) all accesses to the object, even for properties that were previously in inline
13395 storage, must now take an extra indirection; and (ii) we waste a non-trivial amount
13396 of space since we must allocate additional out-of-line storage to hold properties
13397 that would have fit in the inline storage. There's also the copying cost when
13398 switching to out-of-line storage - we must copy all inline properties into ouf-of-line
13399 storage.
13400
13401 This patch changes the way that object property storage works so that we can use both
13402 inline and out-of-line storage concurrently. This is accomplished by introducing a
13403 new notion of property offset. This PropertyOffset is a 32-bit signed integer and it
13404 behaves as follows:
13405
13406 offset == -1: invalid offset, indicating a property that does not exist.
13407
13408 0 <= offset <= inlineStorageCapacity: offset into inline storage.
13409
13410 inlineStorageCapacity < offset: offset into out-of-line storage.
13411
13412 Because non-final objects don't have inline storage, the only valid PropertyOffsets
13413 for those objects' properties are -1 or > inlineStorageCapacity.
13414
13415 This now means that the decision to use inline or out-of-line storage for an access is
13416 made based on the offset, rather than the structure. It also means that any access
13417 where the offset is a variable must have an extra branch, unless the type of the
13418 object is also known (if it's known to be a non-final object then we can just assert
13419 that the offset is >= inlineStorageCapacity).
13420
13421 This looks like a big Kraken speed-up and a slight V8 speed-up.
13422
13423 * GNUmakefile.list.am:
13424 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
13425 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
13426 * JavaScriptCore.xcodeproj/project.pbxproj:
13427 * assembler/ARMv7Assembler.h:
13428 (ARMv7Assembler):
13429 (JSC::ARMv7Assembler::ldrWide8BitImmediate):
13430 (JSC::ARMv7Assembler::replaceWithLoad):
13431 (JSC::ARMv7Assembler::replaceWithAddressComputation):
13432 * assembler/AbstractMacroAssembler.h:
13433 (AbstractMacroAssembler):
13434 (ConvertibleLoadLabel):
13435 (JSC::AbstractMacroAssembler::ConvertibleLoadLabel::ConvertibleLoadLabel):
13436 (JSC::AbstractMacroAssembler::ConvertibleLoadLabel::isSet):
13437 (JSC::AbstractMacroAssembler::labelIgnoringWatchpoints):
13438 (JSC::AbstractMacroAssembler::replaceWithLoad):
13439 (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
13440 * assembler/CodeLocation.h:
13441 (JSC):
13442 (CodeLocationCommon):
13443 (CodeLocationConvertibleLoad):
13444 (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
13445 (JSC::CodeLocationCommon::convertibleLoadAtOffset):
13446 * assembler/LinkBuffer.cpp:
13447 (JSC::LinkBuffer::finalizeCodeWithDisassembly):
13448 * assembler/LinkBuffer.h:
13449 (LinkBuffer):
13450 (JSC::LinkBuffer::locationOf):
13451 * assembler/MacroAssemblerARMv7.h:
13452 (MacroAssemblerARMv7):
13453 (JSC::MacroAssemblerARMv7::convertibleLoadPtr):
13454 * assembler/MacroAssemblerX86.h:
13455 (JSC::MacroAssemblerX86::convertibleLoadPtr):
13456 (MacroAssemblerX86):
13457 * assembler/MacroAssemblerX86_64.h:
13458 (JSC::MacroAssemblerX86_64::convertibleLoadPtr):
13459 (MacroAssemblerX86_64):
13460 * assembler/RepatchBuffer.h:
13461 (RepatchBuffer):
13462 (JSC::RepatchBuffer::replaceWithLoad):
13463 (JSC::RepatchBuffer::replaceWithAddressComputation):
13464 (JSC::RepatchBuffer::setLoadInstructionIsActive):
13465 * assembler/X86Assembler.h:
13466 (JSC::X86Assembler::replaceWithLoad):
13467 (X86Assembler):
13468 (JSC::X86Assembler::replaceWithAddressComputation):
13469 * bytecode/CodeBlock.cpp:
13470 (JSC::CodeBlock::printGetByIdOp):
13471 (JSC::CodeBlock::dump):
13472 (JSC::CodeBlock::finalizeUnconditionally):
13473 * bytecode/GetByIdStatus.cpp:
13474 (JSC::GetByIdStatus::computeFromLLInt):
13475 (JSC::GetByIdStatus::computeForChain):
13476 (JSC::GetByIdStatus::computeFor):
13477 * bytecode/GetByIdStatus.h:
13478 (JSC::GetByIdStatus::GetByIdStatus):
13479 (JSC::GetByIdStatus::offset):
13480 (GetByIdStatus):
13481 * bytecode/Opcode.h:
13482 (JSC):
13483 (JSC::padOpcodeName):
13484 * bytecode/PutByIdStatus.cpp:
13485 (JSC::PutByIdStatus::computeFromLLInt):
13486 (JSC::PutByIdStatus::computeFor):
13487 * bytecode/PutByIdStatus.h:
13488 (JSC::PutByIdStatus::PutByIdStatus):
13489 (JSC::PutByIdStatus::offset):
13490 (PutByIdStatus):
13491 * bytecode/ResolveGlobalStatus.cpp:
13492 (JSC):
13493 (JSC::computeForStructure):
13494 * bytecode/ResolveGlobalStatus.h:
13495 (JSC::ResolveGlobalStatus::ResolveGlobalStatus):
13496 (JSC::ResolveGlobalStatus::offset):
13497 (ResolveGlobalStatus):
13498 * bytecode/StructureSet.h:
13499 (StructureSet):
13500 * bytecode/StructureStubInfo.h:
13501 * dfg/DFGByteCodeParser.cpp:
13502 (ByteCodeParser):
13503 (JSC::DFG::ByteCodeParser::handleGetByOffset):
13504 (JSC::DFG::ByteCodeParser::handleGetById):
13505 (JSC::DFG::ByteCodeParser::parseBlock):
13506 * dfg/DFGCapabilities.h:
13507 (JSC::DFG::canCompileOpcode):
13508 * dfg/DFGJITCompiler.cpp:
13509 (JSC::DFG::JITCompiler::link):
13510 * dfg/DFGJITCompiler.h:
13511 (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
13512 (PropertyAccessRecord):
13513 * dfg/DFGRepatch.cpp:
13514 (JSC::DFG::dfgRepatchByIdSelfAccess):
13515 (JSC::DFG::generateProtoChainAccessStub):
13516 (JSC::DFG::tryCacheGetByID):
13517 (JSC::DFG::tryBuildGetByIDList):
13518 (JSC::DFG::tryBuildGetByIDProtoList):
13519 (JSC::DFG::emitPutReplaceStub):
13520 (JSC::DFG::emitPutTransitionStub):
13521 (JSC::DFG::tryCachePutByID):
13522 (JSC::DFG::tryBuildPutByIdList):
13523 * dfg/DFGSpeculativeJIT.h:
13524 (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
13525 * dfg/DFGSpeculativeJIT32_64.cpp:
13526 (JSC::DFG::SpeculativeJIT::cachedGetById):
13527 (JSC::DFG::SpeculativeJIT::cachedPutById):
13528 (JSC::DFG::SpeculativeJIT::compile):
13529 * dfg/DFGSpeculativeJIT64.cpp:
13530 (JSC::DFG::SpeculativeJIT::cachedGetById):
13531 (JSC::DFG::SpeculativeJIT::cachedPutById):
13532 (JSC::DFG::SpeculativeJIT::compile):
13533 * heap/MarkStack.cpp:
13534 (JSC::visitChildren):
13535 * interpreter/Interpreter.cpp:
13536 (JSC::Interpreter::tryCacheGetByID):
13537 (JSC::Interpreter::privateExecute):
13538 * jit/JIT.cpp:
13539 (JSC::JIT::privateCompileMainPass):
13540 (JSC::JIT::privateCompileSlowCases):
13541 (JSC::PropertyStubCompilationInfo::copyToStubInfo):
13542 * jit/JIT.h:
13543 (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
13544 (JSC::JIT::compileGetByIdProto):
13545 (JSC::JIT::compileGetByIdSelfList):
13546 (JSC::JIT::compileGetByIdProtoList):
13547 (JSC::JIT::compileGetByIdChainList):
13548 (JSC::JIT::compileGetByIdChain):
13549 (JSC::JIT::compilePutByIdTransition):
13550 (JIT):
13551 * jit/JITInlineMethods.h:
13552 (JSC::JIT::emitAllocateBasicJSObject):
13553 * jit/JITOpcodes.cpp:
13554 (JSC::JIT::emit_op_resolve_global):
13555 * jit/JITOpcodes32_64.cpp:
13556 (JSC::JIT::emit_op_resolve_global):
13557 * jit/JITPropertyAccess.cpp:
13558 (JSC::JIT::compileGetDirectOffset):
13559 (JSC::JIT::emit_op_method_check):
13560 (JSC::JIT::compileGetByIdHotPath):
13561 (JSC::JIT::emit_op_put_by_id):
13562 (JSC::JIT::compilePutDirectOffset):
13563 (JSC::JIT::privateCompilePutByIdTransition):
13564 (JSC::JIT::patchGetByIdSelf):
13565 (JSC::JIT::patchPutByIdReplace):
13566 (JSC::JIT::privateCompileGetByIdProto):
13567 (JSC::JIT::privateCompileGetByIdSelfList):
13568 (JSC::JIT::privateCompileGetByIdProtoList):
13569 (JSC::JIT::privateCompileGetByIdChainList):
13570 (JSC::JIT::privateCompileGetByIdChain):
13571 * jit/JITPropertyAccess32_64.cpp:
13572 (JSC::JIT::emit_op_method_check):
13573 (JSC::JIT::compileGetByIdHotPath):
13574 (JSC::JIT::emit_op_put_by_id):
13575 (JSC::JIT::compilePutDirectOffset):
13576 (JSC::JIT::compileGetDirectOffset):
13577 (JSC::JIT::privateCompilePutByIdTransition):
13578 (JSC::JIT::patchGetByIdSelf):
13579 (JSC::JIT::patchPutByIdReplace):
13580 (JSC::JIT::privateCompileGetByIdProto):
13581 (JSC::JIT::privateCompileGetByIdSelfList):
13582 (JSC::JIT::privateCompileGetByIdProtoList):
13583 (JSC::JIT::privateCompileGetByIdChainList):
13584 (JSC::JIT::privateCompileGetByIdChain):
13585 (JSC::JIT::emit_op_get_by_pname):
13586 * jit/JITStubs.cpp:
13587 (JSC::JITThunks::tryCacheGetByID):
13588 (JSC::DEFINE_STUB_FUNCTION):
13589 * llint/LLIntSlowPaths.cpp:
13590 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
13591 * llint/LowLevelInterpreter.asm:
13592 * llint/LowLevelInterpreter32_64.asm:
13593 * llint/LowLevelInterpreter64.asm:
13594 * offlineasm/x86.rb:
13595 * runtime/JSGlobalObject.h:
13596 (JSGlobalObject):
13597 (JSC::JSGlobalObject::functionNameOffset):
13598 * runtime/JSObject.cpp:
13599 (JSC::JSObject::visitChildren):
13600 (JSC):
13601 (JSC::JSFinalObject::visitChildren):
13602 (JSC::JSObject::put):
13603 (JSC::JSObject::deleteProperty):
13604 (JSC::JSObject::getPropertySpecificValue):
13605 (JSC::JSObject::removeDirect):
13606 (JSC::JSObject::growOutOfLineStorage):
13607 (JSC::JSObject::getOwnPropertyDescriptor):
13608 * runtime/JSObject.h:
13609 (JSObject):
13610 (JSC::JSObject::getDirect):
13611 (JSC::JSObject::getDirectLocation):
13612 (JSC::JSObject::hasInlineStorage):
13613 (JSC::JSObject::inlineStorageUnsafe):
13614 (JSC::JSObject::inlineStorage):
13615 (JSC::JSObject::outOfLineStorage):
13616 (JSC::JSObject::locationForOffset):
13617 (JSC::JSObject::offsetForLocation):
13618 (JSC::JSObject::getDirectOffset):
13619 (JSC::JSObject::putDirectOffset):
13620 (JSC::JSObject::putUndefinedAtDirectOffset):
13621 (JSC::JSObject::addressOfOutOfLineStorage):
13622 (JSC::JSObject::finishCreation):
13623 (JSC::JSNonFinalObject::JSNonFinalObject):
13624 (JSC::JSNonFinalObject::finishCreation):
13625 (JSFinalObject):
13626 (JSC::JSFinalObject::finishCreation):
13627 (JSC::JSFinalObject::JSFinalObject):
13628 (JSC::JSObject::offsetOfOutOfLineStorage):
13629 (JSC::JSObject::setOutOfLineStorage):
13630 (JSC::JSObject::JSObject):
13631 (JSC):
13632 (JSC::JSCell::fastGetOwnProperty):
13633 (JSC::JSObject::putDirectInternal):
13634 (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
13635 (JSC::JSObject::putDirectWithoutTransition):
13636 (JSC::offsetRelativeToPatchedStorage):
13637 (JSC::indexRelativeToBase):
13638 (JSC::offsetRelativeToBase):
13639 * runtime/JSPropertyNameIterator.cpp:
13640 (JSC::JSPropertyNameIterator::create):
13641 * runtime/JSPropertyNameIterator.h:
13642 (JSPropertyNameIterator):
13643 (JSC::JSPropertyNameIterator::getOffset):
13644 (JSC::JSPropertyNameIterator::finishCreation):
13645 * runtime/JSValue.cpp:
13646 (JSC::JSValue::putToPrimitive):
13647 * runtime/Operations.h:
13648 (JSC::normalizePrototypeChain):
13649 * runtime/Options.cpp:
13650 (JSC):
13651 (JSC::Options::initialize):
13652 * runtime/PropertyMapHashTable.h:
13653 (PropertyMapEntry):
13654 (JSC::PropertyMapEntry::PropertyMapEntry):
13655 (PropertyTable):
13656 (JSC::PropertyTable::PropertyTable):
13657 (JSC::PropertyTable::getDeletedOffset):
13658 (JSC::PropertyTable::addDeletedOffset):
13659 (JSC::PropertyTable::nextOffset):
13660 (JSC):
13661 (JSC::PropertyTable::sizeInMemory):
13662 * runtime/PropertyOffset.h: Added.
13663 (JSC):
13664 (JSC::checkOffset):
13665 (JSC::validateOffset):
13666 (JSC::isValidOffset):
13667 (JSC::isInlineOffset):
13668 (JSC::isOutOfLineOffset):
13669 (JSC::offsetInInlineStorage):
13670 (JSC::offsetInOutOfLineStorage):
13671 (JSC::offsetInRespectiveStorage):
13672 (JSC::numberOfOutOfLineSlotsForLastOffset):
13673 (JSC::numberOfSlotsForLastOffset):
13674 (JSC::nextPropertyOffsetFor):
13675 (JSC::firstPropertyOffsetFor):
13676 * runtime/PropertySlot.h:
13677 (JSC::PropertySlot::cachedOffset):
13678 (JSC::PropertySlot::setValue):
13679 (JSC::PropertySlot::setCacheableGetterSlot):
13680 (JSC::PropertySlot::clearOffset):
13681 * runtime/PutPropertySlot.h:
13682 (JSC::PutPropertySlot::setExistingProperty):
13683 (JSC::PutPropertySlot::setNewProperty):
13684 (JSC::PutPropertySlot::cachedOffset):
13685 (PutPropertySlot):
13686 * runtime/Structure.cpp:
13687 (JSC::Structure::Structure):
13688 (JSC::Structure::materializePropertyMap):
13689 (JSC::nextOutOfLineStorageCapacity):
13690 (JSC::Structure::growOutOfLineCapacity):
13691 (JSC::Structure::suggestedNewOutOfLineStorageCapacity):
13692 (JSC::Structure::addPropertyTransitionToExistingStructure):
13693 (JSC::Structure::addPropertyTransition):
13694 (JSC::Structure::removePropertyTransition):
13695 (JSC::Structure::flattenDictionaryStructure):
13696 (JSC::Structure::addPropertyWithoutTransition):
13697 (JSC::Structure::removePropertyWithoutTransition):
13698 (JSC::Structure::copyPropertyTableForPinning):
13699 (JSC::Structure::get):
13700 (JSC::Structure::putSpecificValue):
13701 (JSC::Structure::remove):
13702 * runtime/Structure.h:
13703 (Structure):
13704 (JSC::Structure::putWillGrowOutOfLineStorage):
13705 (JSC::Structure::previousID):
13706 (JSC::Structure::outOfLineCapacity):
13707 (JSC::Structure::outOfLineSizeForKnownFinalObject):
13708 (JSC::Structure::outOfLineSizeForKnownNonFinalObject):
13709 (JSC::Structure::outOfLineSize):
13710 (JSC::Structure::hasInlineStorage):
13711 (JSC::Structure::inlineCapacity):
13712 (JSC::Structure::inlineSizeForKnownFinalObject):
13713 (JSC::Structure::inlineSize):
13714 (JSC::Structure::totalStorageSize):
13715 (JSC::Structure::totalStorageCapacity):
13716 (JSC::Structure::firstValidOffset):
13717 (JSC::Structure::lastValidOffset):
13718 (JSC::Structure::isValidOffset):
13719 (JSC::Structure::isEmpty):
13720 (JSC::Structure::transitionCount):
13721 (JSC::Structure::get):
13722
137232012-07-05 Oliver Hunt <oliver@apple.com>
13724
13725 JSObjectCallAsFunction should thisConvert the provided thisObject
13726 https://bugs.webkit.org/show_bug.cgi?id=90628
13727
13728 Reviewed by Gavin Barraclough.
13729
13730 Perform this conversion on the provided this object.
13731
13732 * API/JSObjectRef.cpp:
13733 (JSObjectCallAsFunction):
13734
137352012-07-05 Zoltan Herczeg <zherczeg@webkit.org>
13736
13737 [Qt] Unreviewed buildfix after r121886. Typo fix.
13738
13739 * assembler/MacroAssemblerARM.cpp:
13740 (JSC::MacroAssemblerARM::load32WithUnalignedHalfWords):
13741
137422012-07-05 Zoltan Herczeg <zherczeg@webkit.org>
13743
13744 Port DFG JIT to traditional ARM
13745 https://bugs.webkit.org/show_bug.cgi?id=90198
13746
13747 Reviewed by Filip Pizlo.
13748
13749 This patch contains the macro assembler part of the
13750 DFG JIT support on ARM systems with fixed 32 bit instruction
13751 width. A large amount of old code was refactored, and the ARMv4
13752 or lower support is removed from the macro assembler.
13753
13754 Sunspider is improved by 8%, and V8 is 92%.
13755
13756 * assembler/ARMAssembler.cpp:
13757 (JSC::ARMAssembler::dataTransfer32):
13758 (JSC::ARMAssembler::baseIndexTransfer32):
13759 (JSC):
13760 (JSC::ARMAssembler::dataTransfer16):
13761 (JSC::ARMAssembler::baseIndexTransfer16):
13762 (JSC::ARMAssembler::dataTransferFloat):
13763 (JSC::ARMAssembler::baseIndexTransferFloat):
13764 (JSC::ARMAssembler::executableCopy):
13765 * assembler/ARMAssembler.h:
13766 (JSC::ARMAssembler::ARMAssembler):
13767 (JSC::ARMAssembler::emitInst):
13768 (JSC::ARMAssembler::vmov_f64_r):
13769 (ARMAssembler):
13770 (JSC::ARMAssembler::vabs_f64_r):
13771 (JSC::ARMAssembler::vneg_f64_r):
13772 (JSC::ARMAssembler::ldr_imm):
13773 (JSC::ARMAssembler::ldr_un_imm):
13774 (JSC::ARMAssembler::dtr_u):
13775 (JSC::ARMAssembler::dtr_ur):
13776 (JSC::ARMAssembler::dtr_d):
13777 (JSC::ARMAssembler::dtr_dr):
13778 (JSC::ARMAssembler::dtrh_u):
13779 (JSC::ARMAssembler::dtrh_ur):
13780 (JSC::ARMAssembler::dtrh_d):
13781 (JSC::ARMAssembler::dtrh_dr):
13782 (JSC::ARMAssembler::fdtr_u):
13783 (JSC::ARMAssembler::fdtr_d):
13784 (JSC::ARMAssembler::push_r):
13785 (JSC::ARMAssembler::pop_r):
13786 (JSC::ARMAssembler::poke_r):
13787 (JSC::ARMAssembler::peek_r):
13788 (JSC::ARMAssembler::vmov_vfp64_r):
13789 (JSC::ARMAssembler::vmov_arm64_r):
13790 (JSC::ARMAssembler::vmov_vfp32_r):
13791 (JSC::ARMAssembler::vmov_arm32_r):
13792 (JSC::ARMAssembler::vcvt_u32_f64_r):
13793 (JSC::ARMAssembler::vcvt_f64_f32_r):
13794 (JSC::ARMAssembler::vcvt_f32_f64_r):
13795 (JSC::ARMAssembler::clz_r):
13796 (JSC::ARMAssembler::bkpt):
13797 (JSC::ARMAssembler::bx):
13798 (JSC::ARMAssembler::blx):
13799 (JSC::ARMAssembler::labelIgnoringWatchpoints):
13800 (JSC::ARMAssembler::labelForWatchpoint):
13801 (JSC::ARMAssembler::label):
13802 (JSC::ARMAssembler::getLdrImmAddress):
13803 (JSC::ARMAssembler::replaceWithJump):
13804 (JSC::ARMAssembler::maxJumpReplacementSize):
13805 (JSC::ARMAssembler::getOp2Byte):
13806 (JSC::ARMAssembler::getOp2Half):
13807 (JSC::ARMAssembler::RM):
13808 (JSC::ARMAssembler::RS):
13809 (JSC::ARMAssembler::RD):
13810 (JSC::ARMAssembler::RN):
13811 * assembler/AssemblerBufferWithConstantPool.h:
13812 (JSC::AssemblerBufferWithConstantPool::ensureSpaceForAnyInstruction):
13813 * assembler/MacroAssemblerARM.cpp:
13814 (JSC::MacroAssemblerARM::load32WithUnalignedHalfWords):
13815 * assembler/MacroAssemblerARM.h:
13816 (JSC::MacroAssemblerARM::add32):
13817 (MacroAssemblerARM):
13818 (JSC::MacroAssemblerARM::and32):
13819 (JSC::MacroAssemblerARM::lshift32):
13820 (JSC::MacroAssemblerARM::mul32):
13821 (JSC::MacroAssemblerARM::neg32):
13822 (JSC::MacroAssemblerARM::rshift32):
13823 (JSC::MacroAssemblerARM::urshift32):
13824 (JSC::MacroAssemblerARM::xor32):
13825 (JSC::MacroAssemblerARM::load8):
13826 (JSC::MacroAssemblerARM::load8Signed):
13827 (JSC::MacroAssemblerARM::load16):
13828 (JSC::MacroAssemblerARM::load16Signed):
13829 (JSC::MacroAssemblerARM::load32):
13830 (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
13831 (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
13832 (JSC::MacroAssemblerARM::store8):
13833 (JSC::MacroAssemblerARM::store16):
13834 (JSC::MacroAssemblerARM::store32):
13835 (JSC::MacroAssemblerARM::move):
13836 (JSC::MacroAssemblerARM::jump):
13837 (JSC::MacroAssemblerARM::branchAdd32):
13838 (JSC::MacroAssemblerARM::mull32):
13839 (JSC::MacroAssemblerARM::branchMul32):
13840 (JSC::MacroAssemblerARM::nearCall):
13841 (JSC::MacroAssemblerARM::compare32):
13842 (JSC::MacroAssemblerARM::test32):
13843 (JSC::MacroAssemblerARM::sub32):
13844 (JSC::MacroAssemblerARM::call):
13845 (JSC::MacroAssemblerARM::loadFloat):
13846 (JSC::MacroAssemblerARM::loadDouble):
13847 (JSC::MacroAssemblerARM::storeFloat):
13848 (JSC::MacroAssemblerARM::storeDouble):
13849 (JSC::MacroAssemblerARM::moveDouble):
13850 (JSC::MacroAssemblerARM::addDouble):
13851 (JSC::MacroAssemblerARM::divDouble):
13852 (JSC::MacroAssemblerARM::subDouble):
13853 (JSC::MacroAssemblerARM::mulDouble):
13854 (JSC::MacroAssemblerARM::absDouble):
13855 (JSC::MacroAssemblerARM::negateDouble):
13856 (JSC::MacroAssemblerARM::convertInt32ToDouble):
13857 (JSC::MacroAssemblerARM::convertFloatToDouble):
13858 (JSC::MacroAssemblerARM::convertDoubleToFloat):
13859 (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
13860 (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32):
13861 (JSC::MacroAssemblerARM::truncateDoubleToInt32):
13862 (JSC::MacroAssemblerARM::truncateDoubleToUint32):
13863 (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
13864 (JSC::MacroAssemblerARM::branchDoubleNonZero):
13865 (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
13866 (JSC::MacroAssemblerARM::invert):
13867 (JSC::MacroAssemblerARM::replaceWithJump):
13868 (JSC::MacroAssemblerARM::maxJumpReplacementSize):
13869 (JSC::MacroAssemblerARM::call32):
13870 * assembler/SH4Assembler.h:
13871 (JSC::SH4Assembler::label):
13872 * dfg/DFGAssemblyHelpers.h:
13873 (JSC::DFG::AssemblyHelpers::debugCall):
13874 (JSC::DFG::AssemblyHelpers::boxDouble):
13875 (JSC::DFG::AssemblyHelpers::unboxDouble):
13876 * dfg/DFGCCallHelpers.h:
13877 (CCallHelpers):
13878 (JSC::DFG::CCallHelpers::setupArguments):
13879 * dfg/DFGFPRInfo.h:
13880 (DFG):
13881 * dfg/DFGGPRInfo.h:
13882 (DFG):
13883 (GPRInfo):
13884 * dfg/DFGOperations.cpp:
13885 (JSC):
13886 * dfg/DFGSpeculativeJIT.h:
13887 (SpeculativeJIT):
13888 (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult):
13889 (JSC::DFG::SpeculativeJIT::appendCallSetResult):
13890 * jit/JITStubs.cpp:
13891 (JSC):
13892 * jit/JITStubs.h:
13893 (JITStackFrame):
13894 * jit/JSInterfaceJIT.h:
13895 (JSInterfaceJIT):
13896
138972012-07-04 Anthony Scian <ascian@rim.com>
13898
13899 Web Inspector [JSC]: Implement ScriptCallStack::stackTrace
13900 https://bugs.webkit.org/show_bug.cgi?id=40118
13901
13902 Reviewed by Yong Li.
13903
13904 Added member functions to expose function name, urlString, and line #.
13905 Refactored toString to make use of these member functions to reduce
13906 duplicated code for future maintenance.
13907
13908 Manually tested refactoring of toString by tracing thrown exceptions.
13909
13910 * interpreter/Interpreter.h:
13911 (JSC::StackFrame::toString):
13912 (JSC::StackFrame::friendlySourceURL):
13913 (JSC::StackFrame::friendlyFunctionName):
13914 (JSC::StackFrame::friendlyLineNumber):
13915
139162012-07-04 Andy Wingo <wingo@igalia.com>
13917
13918 [GTK] Enable parallel GC
13919 https://bugs.webkit.org/show_bug.cgi?id=90568
13920
13921 Reviewed by Martin Robinson.
13922
13923 * runtime/Options.cpp: Include <algorithm.h> for std::min.
13924
139252012-07-04 John Mellor <johnme@chromium.org>
13926
13927 Text Autosizing: Add compile flag and runtime setting
13928 https://bugs.webkit.org/show_bug.cgi?id=87394
13929
13930 This patch renames Font Boosting to Text Autosizing.
13931
13932 Reviewed by Adam Barth.
13933
13934 * Configurations/FeatureDefines.xcconfig:
13935
139362012-07-03 Michael Saboff <msaboff@apple.com>
13937
13938 Enh: Hash Const JSString in Backing Stores to Save Memory
13939 https://bugs.webkit.org/show_bug.cgi?id=86024
13940
13941 Reviewed by Oliver Hunt.
13942
13943 During garbage collection, each marking thread keeps a HashMap of
13944 strings. While visiting via MarkStack::copyAndAppend(), we check to
13945 see if the string we are visiting is already in the HashMap. If not
13946 we add it. If so, we change the reference to the current string we're
13947 visiting to the prior string.
13948
13949 To reduce the performance impact of this change, two throttles have
13950 ben added. 1) We only try hash consting if a significant number of new
13951 strings have been created since the last hash const. Currently this is
13952 set at 100 strings. 2) If a string is unique at the end of a marking
13953 it will not be checked during further GC phases. In some cases this
13954 won't catch all duplicates, but we are trying to catch the growth of
13955 duplicate strings.
13956
13957 * heap/Heap.cpp:
13958 (JSC::Heap::markRoots):
13959 * heap/MarkStack.cpp:
13960 (JSC::MarkStackThreadSharedData::resetChildren):
13961 (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
13962 (JSC::MarkStackThreadSharedData::reset):
13963 (JSC::MarkStack::setup): Check to see if enough strings have been created
13964 to hash const.
13965 (JSC::MarkStack::reset): Added call to clear m_uniqueStrings.
13966 (JSC::JSString::tryHashConstLock): New method to lock JSString for
13967 hash consting.
13968 (JSC::JSString::releaseHashConstLock): New unlock method.
13969 (JSC::JSString::shouldTryHashConst): Set of checks to see if we should
13970 try to hash const the string.
13971 (JSC::MarkStack::internalAppend): New method that performs the hash consting.
13972 (JSC::SlotVisitor::copyAndAppend): Changed to call the new hash
13973 consting internalAppend().
13974 * heap/MarkStack.h:
13975 (MarkStackThreadSharedData):
13976 (MarkStack):
13977 * runtime/JSGlobalData.cpp:
13978 (JSC::JSGlobalData::JSGlobalData):
13979 * runtime/JSGlobalData.h:
13980 (JSGlobalData):
13981 (JSC::JSGlobalData::haveEnoughNewStringsToHashConst):
13982 (JSC::JSGlobalData::resetNewStringsSinceLastHashConst):
13983 * runtime/JSString.h:
13984 (JSString): Changed from using bool flags to using an unsigned
13985 m_flags field. This works better with the weakCompareAndSwap in
13986 JSString::tryHashConstLock(). Changed the 8bitness setting and
13987 checking to use new accessors.
13988 (JSC::JSString::JSString):
13989 (JSC::JSString::finishCreation):
13990 (JSC::JSString::is8Bit): Updated for new m_flags.
13991 (JSC::JSString::setIs8Bit): New setter.
13992 New hash const flags accessors:
13993 (JSC::JSString::isHashConstSingleton):
13994 (JSC::JSString::clearHashConstSingleton):
13995 (JSC::JSString::setHashConstSingleton):
13996 (JSC::JSRopeString::finishCreation):
13997 (JSC::JSRopeString::append):
13998
139992012-07-03 Tony Chang <tony@chromium.org>
14000
14001 [chromium] Unreviewed, update .gitignore to handle VS2010 files.
14002
14003 * JavaScriptCore.gyp/.gitignore:
14004
140052012-07-03 Mark Lam <mark.lam@apple.com>
14006
14007 Add ability to symbolically set and dump JSC VM options.
14008 See comments in runtime/Options.h for details on how the options work.
14009 https://bugs.webkit.org/show_bug.cgi?id=90420
14010
14011 Reviewed by Filip Pizlo.
14012
14013 * assembler/LinkBuffer.cpp:
14014 (JSC::LinkBuffer::finalizeCodeWithDisassembly):
14015 * assembler/LinkBuffer.h:
14016 (JSC):
14017 * bytecode/CodeBlock.cpp:
14018 (JSC::CodeBlock::shouldOptimizeNow):
14019 * bytecode/CodeBlock.h:
14020 (JSC::CodeBlock::likelyToTakeSlowCase):
14021 (JSC::CodeBlock::couldTakeSlowCase):
14022 (JSC::CodeBlock::likelyToTakeSpecialFastCase):
14023 (JSC::CodeBlock::likelyToTakeDeepestSlowCase):
14024 (JSC::CodeBlock::likelyToTakeAnySlowCase):
14025 (JSC::CodeBlock::jitAfterWarmUp):
14026 (JSC::CodeBlock::jitSoon):
14027 (JSC::CodeBlock::reoptimizationRetryCounter):
14028 (JSC::CodeBlock::countReoptimization):
14029 (JSC::CodeBlock::counterValueForOptimizeAfterWarmUp):
14030 (JSC::CodeBlock::counterValueForOptimizeAfterLongWarmUp):
14031 (JSC::CodeBlock::optimizeSoon):
14032 (JSC::CodeBlock::exitCountThresholdForReoptimization):
14033 (JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop):
14034 * bytecode/ExecutionCounter.h:
14035 (JSC::ExecutionCounter::clippedThreshold):
14036 * dfg/DFGByteCodeParser.cpp:
14037 (JSC::DFG::ByteCodeParser::handleInlining):
14038 * dfg/DFGCapabilities.h:
14039 (JSC::DFG::mightCompileEval):
14040 (JSC::DFG::mightCompileProgram):
14041 (JSC::DFG::mightCompileFunctionForCall):
14042 (JSC::DFG::mightCompileFunctionForConstruct):
14043 (JSC::DFG::mightInlineFunctionForCall):
14044 (JSC::DFG::mightInlineFunctionForConstruct):
14045 * dfg/DFGCommon.h:
14046 (JSC::DFG::shouldShowDisassembly):
14047 * dfg/DFGDriver.cpp:
14048 (JSC::DFG::compile):
14049 * dfg/DFGOSRExit.cpp:
14050 (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
14051 * dfg/DFGVariableAccessData.h:
14052 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
14053 * heap/MarkStack.cpp:
14054 (JSC::MarkStackSegmentAllocator::allocate):
14055 (JSC::MarkStackSegmentAllocator::shrinkReserve):
14056 (JSC::MarkStackArray::MarkStackArray):
14057 (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
14058 (JSC::SlotVisitor::donateKnownParallel):
14059 (JSC::SlotVisitor::drain):
14060 (JSC::SlotVisitor::drainFromShared):
14061 * heap/MarkStack.h:
14062 (JSC::MarkStack::mergeOpaqueRootsIfProfitable):
14063 (JSC::MarkStack::addOpaqueRoot):
14064 * heap/SlotVisitor.h:
14065 (JSC::SlotVisitor::donate):
14066 * jit/JIT.cpp:
14067 (JSC::JIT::emitOptimizationCheck):
14068 * jsc.cpp:
14069 (printUsageStatement):
14070 (parseArguments):
14071 * runtime/InitializeThreading.cpp:
14072 (JSC::initializeThreadingOnce):
14073 * runtime/JSGlobalData.cpp:
14074 (JSC::enableAssembler):
14075 * runtime/JSGlobalObject.cpp:
14076 (JSC::JSGlobalObject::JSGlobalObject):
14077 * runtime/Options.cpp:
14078 (JSC):
14079 (JSC::overrideOptionWithHeuristic):
14080 (JSC::Options::initialize):
14081 (JSC::Options::setOption):
14082 (JSC::Options::dumpAllOptions):
14083 (JSC::Options::dumpOption):
14084 * runtime/Options.h:
14085 (JSC):
14086 (Options):
14087 (EntryInfo):
14088
140892012-07-03 Jocelyn Turcotte <jocelyn.turcotte@nokia.com> Joel Dillon <joel.dillon@codethink.co.uk>
14090
14091 [Qt][Win] Fix broken QtWebKit5.lib linking
14092 https://bugs.webkit.org/show_bug.cgi?id=88321
14093
14094 Reviewed by Kenneth Rohde Christiansen.
14095
14096 The goal is to have different ports build systems define STATICALLY_LINKED_WITH_WTF
14097 when building JavaScriptCore, if both are packaged in the same DLL, instead
14098 of relying on the code to handle this.
14099 The effects of BUILDING_* and STATICALLY_LINKED_WITH_* are currently the same
14100 except for a check in Source/JavaScriptCore/config.h.
14101
14102 Keeping the old way for the WX port as requested by the port's contributors.
14103 For non-Windows ports there is no difference between IMPORT and EXPORT, no
14104 change is needed.
14105
14106 * API/JSBase.h:
14107 JS symbols shouldn't be included by WTF objects anymore. Remove the export when BUILDING_WTF.
14108 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
14109 Make sure that JavaScriptCore uses import symbols of WTF for the Win port.
14110 * runtime/JSExportMacros.h:
14111
141122012-07-02 Filip Pizlo <fpizlo@apple.com>
14113
14114 DFG OSR exit value recoveries should be computed lazily
14115 https://bugs.webkit.org/show_bug.cgi?id=82155
14116
14117 Reviewed by Gavin Barraclough.
14118
14119 This change aims to reduce one aspect of DFG compile times: the fact
14120 that we currently compute the value recoveries for each local and
14121 argument on every speculation check. We compile many speculation checks,
14122 so this can add up quick. The strategy that this change takes is to
14123 have the DFG save just enough information about how the compiler is
14124 choosing to represent state, that the DFG::OSRExitCompiler can reify
14125 the value recoveries lazily.
14126
14127 This appears to be an 0.3% SunSpider speed-up and is neutral elsewhere.
14128
14129 I also took the opportunity to fix the sampling regions profiler (it
14130 was missing an export macro) and to put in more sampling regions in
14131 the DFG (which are disabled so long as ENABLE(SAMPLING_REGIONS) is
14132 false).
14133
14134 * CMakeLists.txt:
14135 * GNUmakefile.list.am:
14136 * JavaScriptCore.xcodeproj/project.pbxproj:
14137 * Target.pri:
14138 * bytecode/CodeBlock.cpp:
14139 (JSC):
14140 (JSC::CodeBlock::shrinkDFGDataToFit):
14141 * bytecode/CodeBlock.h:
14142 (CodeBlock):
14143 (JSC::CodeBlock::minifiedDFG):
14144 (JSC::CodeBlock::variableEventStream):
14145 (DFGData):
14146 * bytecode/Operands.h:
14147 (JSC::Operands::hasOperand):
14148 (Operands):
14149 (JSC::Operands::size):
14150 (JSC::Operands::at):
14151 (JSC::Operands::operator[]):
14152 (JSC::Operands::isArgument):
14153 (JSC::Operands::isVariable):
14154 (JSC::Operands::argumentForIndex):
14155 (JSC::Operands::variableForIndex):
14156 (JSC::Operands::operandForIndex):
14157 (JSC):
14158 (JSC::dumpOperands):
14159 * bytecode/SamplingTool.h:
14160 (SamplingRegion):
14161 * dfg/DFGByteCodeParser.cpp:
14162 (JSC::DFG::parse):
14163 * dfg/DFGCFAPhase.cpp:
14164 (JSC::DFG::performCFA):
14165 * dfg/DFGCSEPhase.cpp:
14166 (JSC::DFG::performCSE):
14167 * dfg/DFGFixupPhase.cpp:
14168 (JSC::DFG::performFixup):
14169 * dfg/DFGGenerationInfo.h:
14170 (JSC::DFG::GenerationInfo::GenerationInfo):
14171 (JSC::DFG::GenerationInfo::initConstant):
14172 (JSC::DFG::GenerationInfo::initInteger):
14173 (JSC::DFG::GenerationInfo::initJSValue):
14174 (JSC::DFG::GenerationInfo::initCell):
14175 (JSC::DFG::GenerationInfo::initBoolean):
14176 (JSC::DFG::GenerationInfo::initDouble):
14177 (JSC::DFG::GenerationInfo::initStorage):
14178 (GenerationInfo):
14179 (JSC::DFG::GenerationInfo::noticeOSRBirth):
14180 (JSC::DFG::GenerationInfo::use):
14181 (JSC::DFG::GenerationInfo::spill):
14182 (JSC::DFG::GenerationInfo::setSpilled):
14183 (JSC::DFG::GenerationInfo::fillJSValue):
14184 (JSC::DFG::GenerationInfo::fillCell):
14185 (JSC::DFG::GenerationInfo::fillInteger):
14186 (JSC::DFG::GenerationInfo::fillBoolean):
14187 (JSC::DFG::GenerationInfo::fillDouble):
14188 (JSC::DFG::GenerationInfo::fillStorage):
14189 (JSC::DFG::GenerationInfo::appendFill):
14190 (JSC::DFG::GenerationInfo::appendSpill):
14191 * dfg/DFGJITCompiler.cpp:
14192 (JSC::DFG::JITCompiler::link):
14193 (JSC::DFG::JITCompiler::compile):
14194 (JSC::DFG::JITCompiler::compileFunction):
14195 * dfg/DFGMinifiedGraph.h: Added.
14196 (DFG):
14197 (MinifiedGraph):
14198 (JSC::DFG::MinifiedGraph::MinifiedGraph):
14199 (JSC::DFG::MinifiedGraph::at):
14200 (JSC::DFG::MinifiedGraph::append):
14201 (JSC::DFG::MinifiedGraph::prepareAndShrink):
14202 (JSC::DFG::MinifiedGraph::setOriginalGraphSize):
14203 (JSC::DFG::MinifiedGraph::originalGraphSize):
14204 * dfg/DFGMinifiedNode.cpp: Added.
14205 (DFG):
14206 (JSC::DFG::MinifiedNode::fromNode):
14207 * dfg/DFGMinifiedNode.h: Added.
14208 (DFG):
14209 (JSC::DFG::belongsInMinifiedGraph):
14210 (MinifiedNode):
14211 (JSC::DFG::MinifiedNode::MinifiedNode):
14212 (JSC::DFG::MinifiedNode::index):
14213 (JSC::DFG::MinifiedNode::op):
14214 (JSC::DFG::MinifiedNode::hasChild1):
14215 (JSC::DFG::MinifiedNode::child1):
14216 (JSC::DFG::MinifiedNode::hasConstant):
14217 (JSC::DFG::MinifiedNode::hasConstantNumber):
14218 (JSC::DFG::MinifiedNode::constantNumber):
14219 (JSC::DFG::MinifiedNode::hasWeakConstant):
14220 (JSC::DFG::MinifiedNode::weakConstant):
14221 (JSC::DFG::MinifiedNode::getIndex):
14222 (JSC::DFG::MinifiedNode::compareByNodeIndex):
14223 (JSC::DFG::MinifiedNode::hasChild):
14224 * dfg/DFGNode.h:
14225 (Node):
14226 * dfg/DFGOSRExit.cpp:
14227 (JSC::DFG::OSRExit::OSRExit):
14228 * dfg/DFGOSRExit.h:
14229 (OSRExit):
14230 * dfg/DFGOSRExitCompiler.cpp:
14231 * dfg/DFGOSRExitCompiler.h:
14232 (OSRExitCompiler):
14233 * dfg/DFGOSRExitCompiler32_64.cpp:
14234 (JSC::DFG::OSRExitCompiler::compileExit):
14235 * dfg/DFGOSRExitCompiler64.cpp:
14236 (JSC::DFG::OSRExitCompiler::compileExit):
14237 * dfg/DFGPredictionPropagationPhase.cpp:
14238 (JSC::DFG::performPredictionPropagation):
14239 * dfg/DFGRedundantPhiEliminationPhase.cpp:
14240 (JSC::DFG::performRedundantPhiElimination):
14241 * dfg/DFGSpeculativeJIT.cpp:
14242 (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
14243 (DFG):
14244 (JSC::DFG::SpeculativeJIT::fillStorage):
14245 (JSC::DFG::SpeculativeJIT::noticeOSRBirth):
14246 (JSC::DFG::SpeculativeJIT::compileMovHint):
14247 (JSC::DFG::SpeculativeJIT::compile):
14248 (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
14249 * dfg/DFGSpeculativeJIT.h:
14250 (DFG):
14251 (JSC::DFG::SpeculativeJIT::use):
14252 (SpeculativeJIT):
14253 (JSC::DFG::SpeculativeJIT::spill):
14254 (JSC::DFG::SpeculativeJIT::speculationCheck):
14255 (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
14256 (JSC::DFG::SpeculativeJIT::recordSetLocal):
14257 * dfg/DFGSpeculativeJIT32_64.cpp:
14258 (JSC::DFG::SpeculativeJIT::fillInteger):
14259 (JSC::DFG::SpeculativeJIT::fillDouble):
14260 (JSC::DFG::SpeculativeJIT::fillJSValue):
14261 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
14262 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
14263 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
14264 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
14265 (JSC::DFG::SpeculativeJIT::compile):
14266 * dfg/DFGSpeculativeJIT64.cpp:
14267 (JSC::DFG::SpeculativeJIT::fillInteger):
14268 (JSC::DFG::SpeculativeJIT::fillDouble):
14269 (JSC::DFG::SpeculativeJIT::fillJSValue):
14270 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
14271 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
14272 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
14273 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
14274 (JSC::DFG::SpeculativeJIT::compile):
14275 * dfg/DFGValueRecoveryOverride.h: Added.
14276 (DFG):
14277 (ValueRecoveryOverride):
14278 (JSC::DFG::ValueRecoveryOverride::ValueRecoveryOverride):
14279 * dfg/DFGValueSource.cpp: Added.
14280 (DFG):
14281 (JSC::DFG::ValueSource::dump):
14282 * dfg/DFGValueSource.h: Added.
14283 (DFG):
14284 (JSC::DFG::dataFormatToValueSourceKind):
14285 (JSC::DFG::valueSourceKindToDataFormat):
14286 (JSC::DFG::isInRegisterFile):
14287 (ValueSource):
14288 (JSC::DFG::ValueSource::ValueSource):
14289 (JSC::DFG::ValueSource::forPrediction):
14290 (JSC::DFG::ValueSource::forDataFormat):
14291 (JSC::DFG::ValueSource::isSet):
14292 (JSC::DFG::ValueSource::kind):
14293 (JSC::DFG::ValueSource::isInRegisterFile):
14294 (JSC::DFG::ValueSource::dataFormat):
14295 (JSC::DFG::ValueSource::valueRecovery):
14296 (JSC::DFG::ValueSource::nodeIndex):
14297 (JSC::DFG::ValueSource::nodeIndexFromKind):
14298 (JSC::DFG::ValueSource::kindFromNodeIndex):
14299 * dfg/DFGVariableEvent.cpp: Added.
14300 (DFG):
14301 (JSC::DFG::VariableEvent::dump):
14302 (JSC::DFG::VariableEvent::dumpFillInfo):
14303 (JSC::DFG::VariableEvent::dumpSpillInfo):
14304 * dfg/DFGVariableEvent.h: Added.
14305 (DFG):
14306 (VariableEvent):
14307 (JSC::DFG::VariableEvent::VariableEvent):
14308 (JSC::DFG::VariableEvent::reset):
14309 (JSC::DFG::VariableEvent::fillGPR):
14310 (JSC::DFG::VariableEvent::fillPair):
14311 (JSC::DFG::VariableEvent::fillFPR):
14312 (JSC::DFG::VariableEvent::spill):
14313 (JSC::DFG::VariableEvent::death):
14314 (JSC::DFG::VariableEvent::setLocal):
14315 (JSC::DFG::VariableEvent::movHint):
14316 (JSC::DFG::VariableEvent::kind):
14317 (JSC::DFG::VariableEvent::nodeIndex):
14318 (JSC::DFG::VariableEvent::dataFormat):
14319 (JSC::DFG::VariableEvent::gpr):
14320 (JSC::DFG::VariableEvent::tagGPR):
14321 (JSC::DFG::VariableEvent::payloadGPR):
14322 (JSC::DFG::VariableEvent::fpr):
14323 (JSC::DFG::VariableEvent::virtualRegister):
14324 (JSC::DFG::VariableEvent::operand):
14325 (JSC::DFG::VariableEvent::variableRepresentation):
14326 * dfg/DFGVariableEventStream.cpp: Added.
14327 (DFG):
14328 (JSC::DFG::VariableEventStream::logEvent):
14329 (MinifiedGenerationInfo):
14330 (JSC::DFG::MinifiedGenerationInfo::MinifiedGenerationInfo):
14331 (JSC::DFG::MinifiedGenerationInfo::update):
14332 (JSC::DFG::VariableEventStream::reconstruct):
14333 * dfg/DFGVariableEventStream.h: Added.
14334 (DFG):
14335 (VariableEventStream):
14336 (JSC::DFG::VariableEventStream::appendAndLog):
14337 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
14338 (JSC::DFG::performVirtualRegisterAllocation):
14339
143402012-07-02 Filip Pizlo <fpizlo@apple.com>
14341
14342 DFG::ArgumentsSimplificationPhase should assert that the PhantomArguments nodes it creates are not shouldGenerate()
14343 https://bugs.webkit.org/show_bug.cgi?id=90407
14344
14345 Reviewed by Mark Hahnenberg.
14346
14347 * dfg/DFGArgumentsSimplificationPhase.cpp:
14348 (JSC::DFG::ArgumentsSimplificationPhase::run):
14349
143502012-07-02 Gavin Barraclough <barraclough@apple.com>
14351
14352 Array.prototype.pop should throw if property is not configurable
14353 https://bugs.webkit.org/show_bug.cgi?id=75788
14354
14355 Rubber Stamped by Oliver Hunt.
14356
14357 No real bug here any more, but the error we throw sometimes has a misleading message.
14358
14359 * runtime/JSArray.cpp:
14360 (JSC::JSArray::pop):
14361
143622012-06-29 Filip Pizlo <fpizlo@apple.com>
14363
14364 JSObject wastes too much memory on unused property slots
14365 https://bugs.webkit.org/show_bug.cgi?id=90255
14366
14367 Reviewed by Mark Hahnenberg.
14368
14369 Rolling back in after applying a simple fix: it appears that
14370 JSObject::setStructureAndReallocateStorageIfNecessary() was allocating more
14371 property storage than necessary. Fixing this appears to resolve the crash.
14372
14373 This does a few things:
14374
14375 - JSNonFinalObject no longer has inline property storage.
14376
14377 - Initial out-of-line property storage size is 4 slots for JSNonFinalObject,
14378 or 2x the inline storage for JSFinalObject.
14379
14380 - Property storage is only reallocated if it needs to be. Previously, we
14381 would reallocate the property storage on any transition where the original
14382 structure said shouldGrowProperyStorage(), but this led to spurious
14383 reallocations when doing transitionless property adds and there are
14384 deleted property slots available. That in turn led to crashes, because we
14385 would switch to out-of-line storage even if the capacity matched the
14386 criteria for inline storage.
14387
14388 - Inline JSFunction allocation is killed off because we don't have a good
14389 way of inlining property storage allocation. This didn't hurt performance.
14390 Killing off code is better than fixing it if that code wasn't doing any
14391 good.
14392
14393 This looks like a 1% progression on V8.
14394
14395 * interpreter/Interpreter.cpp:
14396 (JSC::Interpreter::privateExecute):
14397 * jit/JIT.cpp:
14398 (JSC::JIT::privateCompileSlowCases):
14399 * jit/JIT.h:
14400 * jit/JITInlineMethods.h:
14401 (JSC::JIT::emitAllocateBasicJSObject):
14402 (JSC):
14403 * jit/JITOpcodes.cpp:
14404 (JSC::JIT::emit_op_new_func):
14405 (JSC):
14406 (JSC::JIT::emit_op_new_func_exp):
14407 * runtime/JSFunction.cpp:
14408 (JSC::JSFunction::finishCreation):
14409 * runtime/JSObject.h:
14410 (JSC::JSObject::isUsingInlineStorage):
14411 (JSObject):
14412 (JSC::JSObject::finishCreation):
14413 (JSC):
14414 (JSC::JSNonFinalObject::hasInlineStorage):
14415 (JSNonFinalObject):
14416 (JSC::JSNonFinalObject::JSNonFinalObject):
14417 (JSC::JSNonFinalObject::finishCreation):
14418 (JSC::JSFinalObject::hasInlineStorage):
14419 (JSC::JSFinalObject::finishCreation):
14420 (JSC::JSObject::offsetOfInlineStorage):
14421 (JSC::JSObject::setPropertyStorage):
14422 (JSC::Structure::inlineStorageCapacity):
14423 (JSC::Structure::isUsingInlineStorage):
14424 (JSC::JSObject::putDirectInternal):
14425 (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
14426 (JSC::JSObject::putDirectWithoutTransition):
14427 * runtime/Structure.cpp:
14428 (JSC::Structure::Structure):
14429 (JSC::nextPropertyStorageCapacity):
14430 (JSC):
14431 (JSC::Structure::growPropertyStorageCapacity):
14432 (JSC::Structure::suggestedNewPropertyStorageSize):
14433 * runtime/Structure.h:
14434 (JSC::Structure::putWillGrowPropertyStorage):
14435 (Structure):
14436
144372012-06-29 Filip Pizlo <fpizlo@apple.com>
14438
14439 Webkit crashes in DFG on Google Docs when creating a new document
14440 https://bugs.webkit.org/show_bug.cgi?id=90209
14441
14442 Reviewed by Gavin Barraclough.
14443
14444 Don't attempt to short-circuit Phantom(GetLocal) if the GetLocal is for a
14445 captured variable.
14446
14447 * dfg/DFGCFGSimplificationPhase.cpp:
14448 (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
14449
144502012-06-30 Zan Dobersek <zandobersek@gmail.com>
14451
14452 Unreviewed, rolling out r121605.
14453 http://trac.webkit.org/changeset/121605
14454 https://bugs.webkit.org/show_bug.cgi?id=90336
14455
14456 Changes caused flaky crashes in sputnik/Unicode tests on Apple
14457 WK1 and GTK Linux builders
14458
14459 * interpreter/Interpreter.cpp:
14460 (JSC::Interpreter::privateExecute):
14461 * jit/JIT.cpp:
14462 (JSC::JIT::privateCompileSlowCases):
14463 * jit/JIT.h:
14464 * jit/JITInlineMethods.h:
14465 (JSC::JIT::emitAllocateBasicJSObject):
14466 (JSC::JIT::emitAllocateJSFinalObject):
14467 (JSC):
14468 (JSC::JIT::emitAllocateJSFunction):
14469 * jit/JITOpcodes.cpp:
14470 (JSC::JIT::emit_op_new_func):
14471 (JSC::JIT::emitSlow_op_new_func):
14472 (JSC):
14473 (JSC::JIT::emit_op_new_func_exp):
14474 (JSC::JIT::emitSlow_op_new_func_exp):
14475 * runtime/JSFunction.cpp:
14476 (JSC::JSFunction::finishCreation):
14477 * runtime/JSObject.h:
14478 (JSC::JSObject::isUsingInlineStorage):
14479 (JSObject):
14480 (JSC::JSObject::finishCreation):
14481 (JSC):
14482 (JSNonFinalObject):
14483 (JSC::JSNonFinalObject::JSNonFinalObject):
14484 (JSC::JSNonFinalObject::finishCreation):
14485 (JSFinalObject):
14486 (JSC::JSFinalObject::finishCreation):
14487 (JSC::JSObject::offsetOfInlineStorage):
14488 (JSC::JSObject::setPropertyStorage):
14489 (JSC::Structure::isUsingInlineStorage):
14490 (JSC::JSObject::putDirectInternal):
14491 (JSC::JSObject::putDirectWithoutTransition):
14492 (JSC::JSObject::transitionTo):
14493 * runtime/Structure.cpp:
14494 (JSC::Structure::Structure):
14495 (JSC):
14496 (JSC::Structure::growPropertyStorageCapacity):
14497 (JSC::Structure::suggestedNewPropertyStorageSize):
14498 * runtime/Structure.h:
14499 (JSC::Structure::shouldGrowPropertyStorage):
14500 (JSC::Structure::propertyStorageSize):
14501
145022012-06-29 Mark Hahnenberg <mhahnenberg@apple.com>
14503
14504 Remove warning about protected values when the Heap is being destroyed
14505 https://bugs.webkit.org/show_bug.cgi?id=90302
14506
14507 Reviewed by Geoffrey Garen.
14508
14509 Having to do book-keeping about whether values allocated from a certain
14510 VM are or are not protected makes the JSC API much more difficult to use
14511 correctly. Clients should be able to throw an entire VM away and not have
14512 to worry about unprotecting all of the values that they protected earlier.
14513
14514 * heap/Heap.cpp:
14515 (JSC::Heap::lastChanceToFinalize):
14516
145172012-06-29 Filip Pizlo <fpizlo@apple.com>
14518
14519 JSObject wastes too much memory on unused property slots
14520 https://bugs.webkit.org/show_bug.cgi?id=90255
14521
14522 Reviewed by Mark Hahnenberg.
14523
14524 This does a few things:
14525
14526 - JSNonFinalObject no longer has inline property storage.
14527
14528 - Initial out-of-line property storage size is 4 slots for JSNonFinalObject,
14529 or 2x the inline storage for JSFinalObject.
14530
14531 - Property storage is only reallocated if it needs to be. Previously, we
14532 would reallocate the property storage on any transition where the original
14533 structure said shouldGrowProperyStorage(), but this led to spurious
14534 reallocations when doing transitionless property adds and there are
14535 deleted property slots available. That in turn led to crashes, because we
14536 would switch to out-of-line storage even if the capacity matched the
14537 criteria for inline storage.
14538
14539 - Inline JSFunction allocation is killed off because we don't have a good
14540 way of inlining property storage allocation. This didn't hurt performance.
14541 Killing off code is better than fixing it if that code wasn't doing any
14542 good.
14543
14544 This looks like a 1% progression on V8.
14545
14546 * interpreter/Interpreter.cpp:
14547 (JSC::Interpreter::privateExecute):
14548 * jit/JIT.cpp:
14549 (JSC::JIT::privateCompileSlowCases):
14550 * jit/JIT.h:
14551 * jit/JITInlineMethods.h:
14552 (JSC::JIT::emitAllocateBasicJSObject):
14553 (JSC):
14554 * jit/JITOpcodes.cpp:
14555 (JSC::JIT::emit_op_new_func):
14556 (JSC):
14557 (JSC::JIT::emit_op_new_func_exp):
14558 * runtime/JSFunction.cpp:
14559 (JSC::JSFunction::finishCreation):
14560 * runtime/JSObject.h:
14561 (JSC::JSObject::isUsingInlineStorage):
14562 (JSObject):
14563 (JSC::JSObject::finishCreation):
14564 (JSC):
14565 (JSC::JSNonFinalObject::hasInlineStorage):
14566 (JSNonFinalObject):
14567 (JSC::JSNonFinalObject::JSNonFinalObject):
14568 (JSC::JSNonFinalObject::finishCreation):
14569 (JSC::JSFinalObject::hasInlineStorage):
14570 (JSC::JSFinalObject::finishCreation):
14571 (JSC::JSObject::offsetOfInlineStorage):
14572 (JSC::JSObject::setPropertyStorage):
14573 (JSC::Structure::inlineStorageCapacity):
14574 (JSC::Structure::isUsingInlineStorage):
14575 (JSC::JSObject::putDirectInternal):
14576 (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
14577 (JSC::JSObject::putDirectWithoutTransition):
14578 * runtime/Structure.cpp:
14579 (JSC::Structure::Structure):
14580 (JSC::nextPropertyStorageCapacity):
14581 (JSC):
14582 (JSC::Structure::growPropertyStorageCapacity):
14583 (JSC::Structure::suggestedNewPropertyStorageSize):
14584 * runtime/Structure.h:
14585 (JSC::Structure::putWillGrowPropertyStorage):
14586 (Structure):
14587
145882012-06-28 Filip Pizlo <fpizlo@apple.com>
14589
14590 DFG recompilation heuristics should be based on count, not rate
14591 https://bugs.webkit.org/show_bug.cgi?id=90146
14592
14593 Reviewed by Oliver Hunt.
14594
14595 This removes a bunch of code that was previously trying to prevent spurious
14596 reoptimizations if a large enough majority of executions of a code block did
14597 not result in OSR exit. It turns out that this code was purely harmful. This
14598 patch removes all of that logic and replaces it with a dead-simple
14599 heuristic: if you exit more than N times (where N is an exponential function
14600 of the number of times the code block has already been recompiled) then we
14601 will recompile.
14602
14603 This appears to be a broad ~1% win on many benchmarks large and small.
14604
14605 * bytecode/CodeBlock.cpp:
14606 (JSC::CodeBlock::CodeBlock):
14607 * bytecode/CodeBlock.h:
14608 (JSC::CodeBlock::osrExitCounter):
14609 (JSC::CodeBlock::countOSRExit):
14610 (CodeBlock):
14611 (JSC::CodeBlock::addressOfOSRExitCounter):
14612 (JSC::CodeBlock::offsetOfOSRExitCounter):
14613 (JSC::CodeBlock::adjustedExitCountThreshold):
14614 (JSC::CodeBlock::exitCountThresholdForReoptimization):
14615 (JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop):
14616 (JSC::CodeBlock::shouldReoptimizeNow):
14617 (JSC::CodeBlock::shouldReoptimizeFromLoopNow):
14618 * bytecode/ExecutionCounter.cpp:
14619 (JSC::ExecutionCounter::setThreshold):
14620 * bytecode/ExecutionCounter.h:
14621 (ExecutionCounter):
14622 (JSC::ExecutionCounter::clippedThreshold):
14623 * dfg/DFGJITCompiler.cpp:
14624 (JSC::DFG::JITCompiler::compileBody):
14625 * dfg/DFGOSRExit.cpp:
14626 (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
14627 * dfg/DFGOSRExitCompiler.cpp:
14628 (JSC::DFG::OSRExitCompiler::handleExitCounts):
14629 * dfg/DFGOperations.cpp:
14630 * jit/JITStubs.cpp:
14631 (JSC::DEFINE_STUB_FUNCTION):
14632 * runtime/Options.cpp:
14633 (Options):
14634 (JSC::Options::initializeOptions):
14635 * runtime/Options.h:
14636 (Options):
14637
146382012-06-28 Mark Lam <mark.lam@apple.com>
14639
14640 Adding a commenting utility to record BytecodeGenerator comments
14641 with opcodes that are emitted. Presently, the comments can only
14642 be constant strings. Adding comments for opcodes is optional.
14643 If a comment is added, the comment will be printed following the
14644 opcode when CodeBlock::dump() is called.
14645
14646 This utility is disabled by default, and is only meant for VM
14647 development purposes. It should not be enabled for product builds.
14648
14649 To enable this utility, set ENABLE_BYTECODE_COMMENTS in CodeBlock.h
14650 to 1.
14651
14652 https://bugs.webkit.org/show_bug.cgi?id=90095
14653
14654 Reviewed by Geoffrey Garen.
14655
14656 * GNUmakefile.list.am:
14657 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
14658 * JavaScriptCore.xcodeproj/project.pbxproj:
14659 * bytecode/CodeBlock.cpp:
14660 (JSC::CodeBlock::dumpBytecodeCommentAndNewLine): Dumps the comment.
14661 (JSC):
14662 (JSC::CodeBlock::printUnaryOp): Add comment dumps.
14663 (JSC::CodeBlock::printBinaryOp): Add comment dumps.
14664 (JSC::CodeBlock::printConditionalJump): Add comment dumps.
14665 (JSC::CodeBlock::printCallOp): Add comment dumps.
14666 (JSC::CodeBlock::printPutByIdOp): Add comment dumps.
14667 (JSC::CodeBlock::dump): Add comment dumps.
14668 (JSC::CodeBlock::CodeBlock):
14669 (JSC::CodeBlock::commentForBytecodeOffset):
14670 Finds the comment for an opcode if available.
14671 (JSC::CodeBlock::dumpBytecodeComments):
14672 For debugging whether comments are collected.
14673 It is not being called anywhere.
14674 * bytecode/CodeBlock.h:
14675 (CodeBlock):
14676 (JSC::CodeBlock::bytecodeComments):
14677 * bytecode/Comment.h: Added.
14678 (JSC):
14679 (Comment):
14680 * bytecompiler/BytecodeGenerator.cpp:
14681 (JSC::BytecodeGenerator::BytecodeGenerator):
14682 (JSC::BytecodeGenerator::emitOpcode): Calls emitComment().
14683 (JSC):
14684 (JSC::BytecodeGenerator::emitComment): Adds comment to CodeBlock.
14685 (JSC::BytecodeGenerator::prependComment):
14686 Registers a comment for emitComemnt() to use later.
14687 * bytecompiler/BytecodeGenerator.h:
14688 (BytecodeGenerator):
14689 (JSC::BytecodeGenerator::emitComment):
14690 (JSC::BytecodeGenerator::prependComment):
14691 These are inlined versions of these functions that nullify them
14692 when ENABLE_BYTECODE_COMMENTS is 0.
14693 (JSC::BytecodeGenerator::comments):
14694
146952012-06-28 Oliver Hunt <oliver@apple.com>
14696
14697 32bit DFG incorrectly claims an fpr is fillable even if it has not been proven double
14698 https://bugs.webkit.org/show_bug.cgi?id=90127
14699
14700 Reviewed by Filip Pizlo.
14701
14702 The 32-bit version of fillSpeculateDouble doesn't handle Number->fpr loads
14703 correctly. This patch fixes this by killing the fill info in the GenerationInfo
14704 when the spillFormat doesn't guarantee the value is a double.
14705
14706 * dfg/DFGSpeculativeJIT32_64.cpp:
14707 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
14708
147092012-06-28 Kent Tamura <tkent@chromium.org>
14710
14711 Classify form control states by their owner forms
14712 https://bugs.webkit.org/show_bug.cgi?id=89950
14713
14714 Reviewed by Hajime Morita.
14715
14716 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
14717 Expose WTF::StringBuilder::canShrink()
14718
147192012-06-27 Michael Saboff <msaboff@apple.com>
14720
14721 [Win] jscore-tests flakey
14722 https://bugs.webkit.org/show_bug.cgi?id=88118
14723
14724 Reviewed by Jessie Berlin.
14725
14726 jsDriver.pl on windows intermittently doesn't get the returned value from jsc,
14727 instead it gets 126. Added a new option to jsc (-x) which prints the exit
14728 code before exiting. jsDriver.pl uses this option on Windows and parses the
14729 exit code output for the exit code, removing it before comparing the actual
14730 and expected outputs. Filed a follow on "FIXME" defect:
14731 [WIN] Intermittent failure for jsc return value to propagate through jsDriver.pl
14732 https://bugs.webkit.org/show_bug.cgi?id=90119
14733
14734 * jsc.cpp:
14735 (CommandLine::CommandLine):
14736 (CommandLine):
14737 (printUsageStatement):
14738 (parseArguments):
14739 (jscmain):
14740 * tests/mozilla/jsDriver.pl:
14741 (execute_tests):
14742
147432012-06-27 Sheriff Bot <webkit.review.bot@gmail.com>
14744
14745 Unreviewed, rolling out r121359.
14746 http://trac.webkit.org/changeset/121359
14747 https://bugs.webkit.org/show_bug.cgi?id=90115
14748
14749 Broke many inspector tests (Requested by jpfau on #webkit).
14750
14751 * interpreter/Interpreter.h:
14752 (JSC::StackFrame::toString):
14753
147542012-06-27 Filip Pizlo <fpizlo@apple.com>
14755
14756 Javascript SHA-512 gives wrong hash on second and subsequent runs unless Web Inspector Javascript Debugging is on
14757 https://bugs.webkit.org/show_bug.cgi?id=90053
14758 <rdar://problem/11764613>
14759
14760 Reviewed by Mark Hahnenberg.
14761
14762 The problem is that the code was assuming that the recovery should be Undefined if the source of
14763 the SetLocal was !shouldGenerate(). But that's wrong, since the DFG optimizer may skip around a
14764 UInt32ToNumber node (hence making it !shouldGenerate()) and keep the source of that node alive.
14765 In that case we should base the recovery on the source of the UInt32ToNumber. The logic for this
14766 was already in place but the fast check for !shouldGenerate() broke it.
14767
14768 * dfg/DFGSpeculativeJIT.cpp:
14769 (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
14770
147712012-06-27 Filip Pizlo <fpizlo@apple.com>
14772
14773 DFG disassembly should be easier to read
14774 https://bugs.webkit.org/show_bug.cgi?id=90106
14775
14776 Reviewed by Mark Hahnenberg.
14777
14778 Did a few things:
14779
14780 - Options::showDFGDisassembly now shows OSR exit disassembly as well.
14781
14782 - Phi node dumping doesn't attempt to do line wrapping since it just made the dump harder
14783 to read.
14784
14785 - DFG graph disassembly view shows a few additional node types that turn out to be
14786 essential for understanding OSR exits.
14787
14788 Put together, these changes reinforce the philosophy that anything needed for computing
14789 OSR exit is just as important as the machine code itself. Of course, we still don't take
14790 that philosophy to its full extreme - for example Phantom nodes are not dumped. We may
14791 revisit that in the future.
14792
14793 * assembler/LinkBuffer.cpp:
14794 (JSC::LinkBuffer::finalizeCodeWithDisassembly):
14795 * assembler/LinkBuffer.h:
14796 (JSC):
14797 * dfg/DFGDisassembler.cpp:
14798 (JSC::DFG::Disassembler::dump):
14799 * dfg/DFGGraph.cpp:
14800 (JSC::DFG::Graph::dumpBlockHeader):
14801 * dfg/DFGNode.h:
14802 (JSC::DFG::Node::willHaveCodeGenOrOSR):
14803 * dfg/DFGOSRExitCompiler.cpp:
14804 * jit/JIT.cpp:
14805 (JSC::JIT::privateCompile):
14806
148072012-06-25 Mark Hahnenberg <mhahnenberg@apple.com>
14808
14809 JSLock should be per-JSGlobalData
14810 https://bugs.webkit.org/show_bug.cgi?id=89123
14811
14812 Reviewed by Geoffrey Garen.
14813
14814 * API/APIShims.h:
14815 (APIEntryShimWithoutLock):
14816 (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock): Added an extra parameter to the constructor to
14817 determine whether we should ref the JSGlobalData or not. We want to ref all the time except for in the
14818 HeapTimer class because timerDidFire could run after somebody has started to tear down that particular
14819 JSGlobalData, so we wouldn't want to resurrect the ref count of that JSGlobalData from 0 back to 1 after
14820 its destruction has begun.
14821 (JSC::APIEntryShimWithoutLock::~APIEntryShimWithoutLock):
14822 (JSC::APIEntryShim::APIEntryShim):
14823 (APIEntryShim):
14824 (JSC::APIEntryShim::~APIEntryShim):
14825 (JSC::APIEntryShim::init): Factored out common initialization code for the various APIEntryShim constructors.
14826 Also moved the timeoutChecker stop and start here because we need to start after we've grabbed the API lock
14827 and before we've released it, which can only done in APIEntryShim.
14828 (JSC::APICallbackShim::~APICallbackShim): We no longer need to synchronize here.
14829 * API/JSContextRef.cpp:
14830 (JSGlobalContextCreate):
14831 (JSGlobalContextCreateInGroup):
14832 (JSGlobalContextRelease):
14833 (JSContextCreateBacktrace):
14834 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
14835 * heap/CopiedSpace.cpp:
14836 (JSC::CopiedSpace::tryAllocateSlowCase):
14837 * heap/Heap.cpp:
14838 (JSC::Heap::protect):
14839 (JSC::Heap::unprotect):
14840 (JSC::Heap::collect):
14841 (JSC::Heap::setActivityCallback):
14842 (JSC::Heap::activityCallback):
14843 (JSC::Heap::sweeper):
14844 * heap/Heap.h: Changed m_activityCallback and m_sweeper to be raw pointers rather than OwnPtrs because they
14845 are now responsible for their own lifetime. Also changed the order of declaration of the GCActivityCallback
14846 and the IncrementalSweeper to make sure they're the last things that get initialized during construction to
14847 prevent any issues with uninitialized memory in the JSGlobalData/Heap they might care about.
14848 (Heap):
14849 * heap/HeapTimer.cpp: Refactored to allow for thread-safe operation and shutdown.
14850 (JSC::HeapTimer::~HeapTimer):
14851 (JSC::HeapTimer::invalidate):
14852 (JSC):
14853 (JSC::HeapTimer::didStartVMShutdown): Called at the beginning of ~JSGlobalData. If we're on the same thread
14854 that the HeapTimer is running on, we kill the HeapTimer ourselves. If not, then we set some state in the
14855 HeapTimer and schedule it to fire immediately so that it can notice and kill itself.
14856 (JSC::HeapTimer::timerDidFire): We grab our mutex and check our JSGlobalData pointer. If it has been zero-ed
14857 out, then we know the VM has started to shutdown and we should kill ourselves. Otherwise, grab the APIEntryShim,
14858 but without ref-ing the JSGlobalData (we don't want to bring the JSGlobalData's ref-count from 0 to 1) in case
14859 we were interrupted between releasing our mutex and trying to grab the APILock.
14860 * heap/HeapTimer.h:
14861 (HeapTimer):
14862 * heap/IncrementalSweeper.cpp:
14863 (JSC::IncrementalSweeper::doWork): We no longer need the API shim here since HeapTimer::timerDidFire handles
14864 all of that for us.
14865 (JSC::IncrementalSweeper::create):
14866 * heap/IncrementalSweeper.h:
14867 (IncrementalSweeper):
14868 * heap/MarkedAllocator.cpp:
14869 (JSC::MarkedAllocator::allocateSlowCase):
14870 * heap/WeakBlock.cpp:
14871 (JSC::WeakBlock::reap):
14872 * jsc.cpp:
14873 (functionGC):
14874 (functionReleaseExecutableMemory):
14875 (jscmain):
14876 * runtime/Completion.cpp:
14877 (JSC::checkSyntax):
14878 (JSC::evaluate):
14879 * runtime/GCActivityCallback.h:
14880 (DefaultGCActivityCallback):
14881 (JSC::DefaultGCActivityCallback::create):
14882 * runtime/JSGlobalData.cpp:
14883 (JSC::JSGlobalData::JSGlobalData):
14884 (JSC::JSGlobalData::~JSGlobalData): Signals to the two HeapTimers (GCActivityCallback and IncrementalSweeper)
14885 that the VM has started shutting down. It then waits until the HeapTimer is done with whatever activity
14886 it needs to do before continuing with any further destruction. Also asserts that we do not currently hold the
14887 APILock because this could potentially cause deadlock when we try to signal to the HeapTimers using their mutexes.
14888 (JSC::JSGlobalData::sharedInstance): Protect the initialization for the shared instance with the GlobalJSLock.
14889 (JSC::JSGlobalData::sharedInstanceInternal):
14890 * runtime/JSGlobalData.h: Change to be ThreadSafeRefCounted so that we don't have to worry about refing and
14891 de-refing JSGlobalDatas on separate threads since we don't do it that often anyways.
14892 (JSGlobalData):
14893 (JSC::JSGlobalData::apiLock):
14894 * runtime/JSGlobalObject.cpp:
14895 (JSC::JSGlobalObject::~JSGlobalObject):
14896 (JSC::JSGlobalObject::init):
14897 * runtime/JSLock.cpp:
14898 (JSC):
14899 (JSC::GlobalJSLock::GlobalJSLock): For accessing the shared instance.
14900 (JSC::GlobalJSLock::~GlobalJSLock):
14901 (JSC::JSLockHolder::JSLockHolder): MutexLocker for JSLock. Also refs the JSGlobalData to keep it alive so that
14902 it can successfully unlock it later without it disappearing from underneath it.
14903 (JSC::JSLockHolder::~JSLockHolder):
14904 (JSC::JSLock::JSLock):
14905 (JSC::JSLock::~JSLock):
14906 (JSC::JSLock::lock): Uses the spin lock for guarding the lock count and owner thread fields. Uses the mutex for
14907 actually waiting for long periods.
14908 (JSC::JSLock::unlock):
14909 (JSC::JSLock::currentThreadIsHoldingLock):
14910 (JSC::JSLock::dropAllLocks):
14911 (JSC::JSLock::dropAllLocksUnconditionally):
14912 (JSC::JSLock::grabAllLocks):
14913 (JSC::JSLock::DropAllLocks::DropAllLocks):
14914 (JSC::JSLock::DropAllLocks::~DropAllLocks):
14915 * runtime/JSLock.h:
14916 (JSC):
14917 (GlobalJSLock):
14918 (JSLockHolder):
14919 (JSLock):
14920 (DropAllLocks):
14921 * runtime/WeakGCMap.h:
14922 (JSC::WeakGCMap::set):
14923 * testRegExp.cpp:
14924 (realMain):
14925
149262012-06-27 Filip Pizlo <fpizlo@apple.com>
14927
14928 x86 disassembler confuses immediates with addresses
14929 https://bugs.webkit.org/show_bug.cgi?id=90099
14930
14931 Reviewed by Mark Hahnenberg.
14932
14933 Prepend "$" to immediates to disambiguate between immediates and addresses. This is in
14934 accordance with the gas and AT&T syntax.
14935
14936 * disassembler/udis86/udis86_syn-att.c:
14937 (gen_operand):
14938
149392012-06-27 Filip Pizlo <fpizlo@apple.com>
14940
14941 Add a comment clarifying Options::showDisassembly versus Options::showDFGDisassembly.
14942
14943 Rubber stamped by Mark Hahnenberg.
14944
14945 * runtime/Options.cpp:
14946 (JSC::Options::initializeOptions):
14947
149482012-06-27 Anthony Scian <ascian@rim.com>
14949
14950 Web Inspector [JSC]: Implement ScriptCallStack::stackTrace
14951 https://bugs.webkit.org/show_bug.cgi?id=40118
14952
14953 Reviewed by Yong Li.
14954
14955 Added member functions to expose function name, urlString, and line #.
14956 Refactored toString to make use of these member functions to reduce
14957 duplicated code for future maintenance.
14958
14959 Manually tested refactoring of toString by tracing thrown exceptions.
14960
14961 * interpreter/Interpreter.h:
14962 (StackFrame):
14963 (JSC::StackFrame::toString):
14964 (JSC::StackFrame::friendlySourceURL):
14965 (JSC::StackFrame::friendlyFunctionName):
14966 (JSC::StackFrame::friendlyLineNumber):
14967
149682012-06-27 Oswald Buddenhagen <oswald.buddenhagen@nokia.com>
14969
14970 [Qt] Remove redundant c++11 warning suppression code
14971
14972 This is already handled in default_post.
14973
14974 Reviewed by Tor Arne Vestbø.
14975
14976 * Target.pri:
14977
149782012-06-26 Tor Arne Vestbø <tor.arne.vestbo@nokia.com>
14979
14980 [Qt] Add missing heades to HEADERS
14981
14982 For JavaScriptCore there aren't any Qt specific files, so we include all
14983 headers for easy editing in Qt Creator.
14984
14985 Reviewed by Simon Hausmann.
14986
14987 * Target.pri:
14988
149892012-06-26 Dominic Cooney <dominicc@chromium.org>
14990
14991 [Chromium] Remove unused build scripts and empty folders for JavaScriptCore w/ gyp
14992 https://bugs.webkit.org/show_bug.cgi?id=90029
14993
14994 Reviewed by Adam Barth.
14995
14996 * gyp: Removed.
14997 * gyp/generate-derived-sources.sh: Removed.
14998 * gyp/generate-dtrace-header.sh: Removed.
14999 * gyp/run-if-exists.sh: Removed.
15000 * gyp/update-info-plist.sh: Removed.
15001
150022012-06-26 Geoffrey Garen <ggaren@apple.com>
15003
15004 Reduced (but did not eliminate) use of "berzerker GC"
15005 https://bugs.webkit.org/show_bug.cgi?id=89237
15006
15007 Reviewed by Gavin Barraclough.
15008
15009 (PART 2)
15010
15011 This part turns off "berzerker GC" and turns on incremental shrinking.
15012
15013 * heap/IncrementalSweeper.cpp:
15014 (JSC::IncrementalSweeper::doSweep): Free or shrink after sweeping to
15015 maintain the behavior we used to get from the occasional berzerker GC,
15016 which would run all finalizers and then free or shrink all blocks
15017 synchronously.
15018
15019 * heap/MarkedBlock.h:
15020 (JSC::MarkedBlock::needsSweeping): Sweep zapped blocks, too. It's always
15021 safe to sweep a zapped block (that's the point of zapping), and it's
15022 sometimes profitable. For example, consider this case: Block A does some
15023 allocation (transitioning Block A from Marked to FreeListed), then GC
15024 happens (transitioning Block A to Zapped), then all objects in Block A
15025 are free, then the incremental sweeper visits Block A. If we skipped
15026 Zapped blocks, we'd skip Block A, even though it would be profitable to
15027 run its destructors and free its memory.
15028
15029 * runtime/GCActivityCallback.cpp:
15030 (JSC::DefaultGCActivityCallback::doWork): Don't sweep eagerly; we'll do
15031 this incrementally.
15032
150332012-06-26 Filip Pizlo <fpizlo@apple.com>
15034
15035 DFG PutByValAlias is too aggressive
15036 https://bugs.webkit.org/show_bug.cgi?id=90026
15037 <rdar://problem/11751830>
15038
15039 Reviewed by Gavin Barraclough.
15040
15041 For CSE on normal arrays, we now treat PutByVal as impure. This does not appear to affect
15042 performance by much.
15043
15044 For CSE on typed arrays, we fix PutByValAlias by making GetByVal speculate that the access
15045 is within bounds. This also has the effect of making our out-of-bounds handling consistent
15046 with WebCore.
15047
15048 * dfg/DFGCSEPhase.cpp:
15049 (JSC::DFG::CSEPhase::performNodeCSE):
15050 * dfg/DFGGraph.h:
15051 (JSC::DFG::Graph::byValIsPure):
15052 (JSC::DFG::Graph::clobbersWorld):
15053 * dfg/DFGNodeType.h:
15054 (DFG):
15055 * dfg/DFGSpeculativeJIT.cpp:
15056 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
15057 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
15058
150592012-06-26 Yong Li <yoli@rim.com>
15060
15061 [BlackBerry] Add JSC statistics into about:memory
15062 https://bugs.webkit.org/show_bug.cgi?id=89779
15063
15064 Reviewed by Rob Buis.
15065
15066 Fix non-JIT build on BlackBerry broken by r121196.
15067
15068 * runtime/MemoryStatistics.cpp:
15069 (JSC::globalMemoryStatistics):
15070
150712012-06-25 Filip Pizlo <fpizlo@apple.com>
15072
15073 DFG::operationNewArray is unnecessarily slow, and may use the wrong array
15074 prototype when inlined
15075 https://bugs.webkit.org/show_bug.cgi?id=89821
15076
15077 Reviewed by Geoffrey Garen.
15078
15079 Fixes all array allocations to use the right structure, and hence the right prototype. Adds
15080 inlining of new Array(...) with a non-zero number of arguments. Optimizes allocations of
15081 empty arrays.
15082
15083 * dfg/DFGAbstractState.cpp:
15084 (JSC::DFG::AbstractState::execute):
15085 * dfg/DFGByteCodeParser.cpp:
15086 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
15087 * dfg/DFGCCallHelpers.h:
15088 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
15089 (CCallHelpers):
15090 * dfg/DFGNodeType.h:
15091 (DFG):
15092 * dfg/DFGOperations.cpp:
15093 * dfg/DFGOperations.h:
15094 * dfg/DFGPredictionPropagationPhase.cpp:
15095 (JSC::DFG::PredictionPropagationPhase::propagate):
15096 * dfg/DFGSpeculativeJIT.h:
15097 (JSC::DFG::SpeculativeJIT::callOperation):
15098 * dfg/DFGSpeculativeJIT32_64.cpp:
15099 (JSC::DFG::SpeculativeJIT::compile):
15100 * dfg/DFGSpeculativeJIT64.cpp:
15101 (JSC::DFG::SpeculativeJIT::compile):
15102 * runtime/JSArray.h:
15103 (JSC):
15104 (JSC::constructArray):
15105 * runtime/JSGlobalObject.h:
15106 (JSC):
15107 (JSC::constructArray):
15108
151092012-06-26 Filip Pizlo <fpizlo@apple.com>
15110
15111 New fast/js/dfg-store-unexpected-value-into-argument-and-osr-exit.html fails on 32 bit
15112 https://bugs.webkit.org/show_bug.cgi?id=89953
15113
15114 Reviewed by Zoltan Herczeg.
15115
15116 DFG 32-bit JIT was confused about the difference between a predicted type and a
15117 proven type. This is easy to get confused about, since a local that is predicted int32
15118 almost always means that the local must be an int32 since speculations are hoisted to
15119 stores to locals. But that is less likely to be the case for arguments, where there is
15120 an additional least-upper-bounding step: any store to an argument with a weird type
15121 may force the argument to be any type.
15122
15123 This patch basically duplicates the functionality in DFGSpeculativeJIT64.cpp for
15124 GetLocal: the decision of whether to load a local as an int32 (or as an array, or as
15125 a boolean) is made based on the AbstractValue::m_type, which is a type proof, rather
15126 than the VariableAccessData::prediction(), which is a predicted type.
15127
15128 * dfg/DFGSpeculativeJIT32_64.cpp:
15129 (JSC::DFG::SpeculativeJIT::compile):
15130
151312012-06-25 Filip Pizlo <fpizlo@apple.com>
15132
15133 JSC should try to make profiling deterministic because otherwise reproducing failures is
15134 nearly impossible
15135 https://bugs.webkit.org/show_bug.cgi?id=89940
15136
15137 Rubber stamped by Gavin Barraclough.
15138
15139 This rolls out the part of http://trac.webkit.org/changeset/121215 that introduced randomness
15140 into the system. Now, instead of randomizing the tier-up threshold, we always set it to an
15141 artificially low (and statically predetermined!) value. This gives most of the benefit of
15142 threshold randomization without actually making the system behave completely differently on
15143 each invocation.
15144
15145 * bytecode/ExecutionCounter.cpp:
15146 (JSC::ExecutionCounter::setThreshold):
15147 * runtime/Options.cpp:
15148 (Options):
15149 (JSC::Options::initializeOptions):
15150 * runtime/Options.h:
15151 (Options):
15152
151532012-06-22 Filip Pizlo <fpizlo@apple.com>
15154
15155 Value profiling should use tier-up threshold randomization to get more coverage
15156 https://bugs.webkit.org/show_bug.cgi?id=89802
15157
15158 Reviewed by Gavin Barraclough.
15159
15160 This patch causes both LLInt and Baseline JIT code to take the OSR slow path several
15161 times before actually doing OSR. If we take the OSR slow path before the execution
15162 count threshold is reached, then we just call CodeBlock::updateAllPredictions() to
15163 compute the current latest least-upper-bound SpecType of all values seen in each
15164 ValueProfile.
15165
15166 * bytecode/CodeBlock.cpp:
15167 (JSC::CodeBlock::stronglyVisitStrongReferences):
15168 (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
15169 (JSC):
15170 (JSC::CodeBlock::updateAllPredictions):
15171 (JSC::CodeBlock::shouldOptimizeNow):
15172 * bytecode/CodeBlock.h:
15173 (JSC::CodeBlock::llintExecuteCounter):
15174 (JSC::CodeBlock::jitExecuteCounter):
15175 (CodeBlock):
15176 (JSC::CodeBlock::updateAllPredictions):
15177 * bytecode/ExecutionCounter.cpp:
15178 (JSC::ExecutionCounter::setThreshold):
15179 (JSC::ExecutionCounter::status):
15180 (JSC):
15181 * bytecode/ExecutionCounter.h:
15182 (JSC::ExecutionCounter::count):
15183 (ExecutionCounter):
15184 * dfg/DFGAbstractState.cpp:
15185 (JSC::DFG::AbstractState::execute):
15186 * dfg/DFGOperations.cpp:
15187 * dfg/DFGSpeculativeJIT.cpp:
15188 (JSC::DFG::SpeculativeJIT::compile):
15189 * jit/JITStubs.cpp:
15190 (JSC::DEFINE_STUB_FUNCTION):
15191 * llint/LLIntSlowPaths.cpp:
15192 (JSC::LLInt::jitCompileAndSetHeuristics):
15193 (JSC::LLInt::entryOSR):
15194 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
15195 * runtime/JSGlobalObject.cpp:
15196 (JSC::JSGlobalObject::JSGlobalObject):
15197 (JSC):
15198 * runtime/JSGlobalObject.h:
15199 (JSGlobalObject):
15200 (JSC::JSGlobalObject::weakRandomInteger):
15201 * runtime/Options.cpp:
15202 (Options):
15203 (JSC::Options::initializeOptions):
15204 * runtime/Options.h:
15205 (Options):
15206 * runtime/WeakRandom.h:
15207 (WeakRandom):
15208 (JSC::WeakRandom::seedUnsafe):
15209
152102012-06-25 Yong Li <yoli@rim.com>
15211
15212 [BlackBerry] Add JSC statistics into about:memory
15213 https://bugs.webkit.org/show_bug.cgi?id=89779
15214
15215 Reviewed by Rob Buis.
15216
15217 Add MemoryStatistics.cpp into build, and fill JITBytes for BlackBerry port.
15218
15219 * PlatformBlackBerry.cmake:
15220 * runtime/MemoryStatistics.cpp:
15221 (JSC::globalMemoryStatistics):
15222
152232012-06-23 Sheriff Bot <webkit.review.bot@gmail.com>
15224
15225 Unreviewed, rolling out r121058.
15226 http://trac.webkit.org/changeset/121058
15227 https://bugs.webkit.org/show_bug.cgi?id=89809
15228
15229 Patch causes plugins tests to crash in GTK debug builds
15230 (Requested by zdobersek on #webkit).
15231
15232 * API/APIShims.h:
15233 (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
15234 (JSC::APIEntryShimWithoutLock::~APIEntryShimWithoutLock):
15235 (APIEntryShimWithoutLock):
15236 (JSC::APIEntryShim::APIEntryShim):
15237 (APIEntryShim):
15238 (JSC::APICallbackShim::~APICallbackShim):
15239 * API/JSContextRef.cpp:
15240 (JSGlobalContextCreate):
15241 (JSGlobalContextCreateInGroup):
15242 (JSGlobalContextRelease):
15243 (JSContextCreateBacktrace):
15244 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
15245 * heap/CopiedSpace.cpp:
15246 (JSC::CopiedSpace::tryAllocateSlowCase):
15247 * heap/Heap.cpp:
15248 (JSC::Heap::protect):
15249 (JSC::Heap::unprotect):
15250 (JSC::Heap::collect):
15251 (JSC::Heap::setActivityCallback):
15252 (JSC::Heap::activityCallback):
15253 (JSC::Heap::sweeper):
15254 * heap/Heap.h:
15255 (Heap):
15256 * heap/HeapTimer.cpp:
15257 (JSC::HeapTimer::~HeapTimer):
15258 (JSC::HeapTimer::invalidate):
15259 (JSC::HeapTimer::timerDidFire):
15260 (JSC):
15261 * heap/HeapTimer.h:
15262 (HeapTimer):
15263 * heap/IncrementalSweeper.cpp:
15264 (JSC::IncrementalSweeper::doWork):
15265 (JSC::IncrementalSweeper::create):
15266 * heap/IncrementalSweeper.h:
15267 (IncrementalSweeper):
15268 * heap/MarkedAllocator.cpp:
15269 (JSC::MarkedAllocator::allocateSlowCase):
15270 * heap/WeakBlock.cpp:
15271 (JSC::WeakBlock::reap):
15272 * jsc.cpp:
15273 (functionGC):
15274 (functionReleaseExecutableMemory):
15275 (jscmain):
15276 * runtime/Completion.cpp:
15277 (JSC::checkSyntax):
15278 (JSC::evaluate):
15279 * runtime/GCActivityCallback.h:
15280 (DefaultGCActivityCallback):
15281 (JSC::DefaultGCActivityCallback::create):
15282 * runtime/JSGlobalData.cpp:
15283 (JSC::JSGlobalData::JSGlobalData):
15284 (JSC::JSGlobalData::~JSGlobalData):
15285 (JSC::JSGlobalData::sharedInstance):
15286 (JSC::JSGlobalData::sharedInstanceInternal):
15287 * runtime/JSGlobalData.h:
15288 (JSGlobalData):
15289 * runtime/JSGlobalObject.cpp:
15290 (JSC::JSGlobalObject::~JSGlobalObject):
15291 (JSC::JSGlobalObject::init):
15292 * runtime/JSLock.cpp:
15293 (JSC):
15294 (JSC::createJSLockCount):
15295 (JSC::JSLock::lockCount):
15296 (JSC::setLockCount):
15297 (JSC::JSLock::JSLock):
15298 (JSC::JSLock::lock):
15299 (JSC::JSLock::unlock):
15300 (JSC::JSLock::currentThreadIsHoldingLock):
15301 (JSC::JSLock::DropAllLocks::DropAllLocks):
15302 (JSC::JSLock::DropAllLocks::~DropAllLocks):
15303 * runtime/JSLock.h:
15304 (JSC):
15305 (JSLock):
15306 (JSC::JSLock::JSLock):
15307 (JSC::JSLock::~JSLock):
15308 (DropAllLocks):
15309 * runtime/WeakGCMap.h:
15310 (JSC::WeakGCMap::set):
15311 * testRegExp.cpp:
15312 (realMain):
15313
153142012-06-22 Alexandru Chiculita <achicu@adobe.com>
15315
15316 [CSS Shaders] Re-enable the CSS Shaders compile time flag on Safari Mac
15317 https://bugs.webkit.org/show_bug.cgi?id=89781
15318
15319 Reviewed by Dean Jackson.
15320
15321 Added ENABLE_CSS_SHADERS flag as enabled by default on Safari for Mac.
15322
15323 * Configurations/FeatureDefines.xcconfig:
15324
153252012-06-22 Filip Pizlo <fpizlo@apple.com>
15326
15327 DFG tier-up should happen in prologues, not epilogues
15328 https://bugs.webkit.org/show_bug.cgi?id=89752
15329
15330 Reviewed by Geoffrey Garen.
15331
15332 This change has two outcomes:
15333
15334 1) Slightly reduces the likelihood that a function will be optimized both
15335 standalone and via inlining. Previously, if you had a call sequence like foo()
15336 calls bar() exactly once, and nobody else calls bar(), then bar() would get
15337 optimized first (because it returns first) and then foo() gets optimized. If foo()
15338 can inline bar() then that means that bar() gets optimized twice. But now, if we
15339 optimize in prologues, then foo() will be optimized first. If it inlines bar(),
15340 that means that there will no longer be any calls to bar().
15341
15342 2) It lets us kill some code in JITStubs. Epilogue tier-up was very different from
15343 loop tier-up, since epilogue tier-up should not attempt OSR. But prologue tier-up
15344 requires OSR (albeit really easy OSR since it's the top of the compilation unit),
15345 so it becomes just like loop tier-up. As a result, we now have one optimization
15346 hook (cti_optimize) instead of two (cti_optimize_from_loop and
15347 cti_optimize_from_ret).
15348
15349 As a consequence of not having an optimization check in epilogues, the OSR exit
15350 code must now trigger reoptimization itself instead of just signaling the epilogue
15351 check to fire.
15352
15353 This also adds the ability to count the number of DFG compilations, which was
15354 useful for debugging this patch and might be useful for other things in the future.
15355
15356 * bytecode/CodeBlock.cpp:
15357 (JSC::CodeBlock::reoptimize):
15358 (JSC):
15359 * bytecode/CodeBlock.h:
15360 (CodeBlock):
15361 * dfg/DFGByteCodeParser.cpp:
15362 (JSC::DFG::ByteCodeParser::parseCodeBlock):
15363 * dfg/DFGDriver.cpp:
15364 (DFG):
15365 (JSC::DFG::getNumCompilations):
15366 (JSC::DFG::compile):
15367 * dfg/DFGDriver.h:
15368 (DFG):
15369 * dfg/DFGOSRExitCompiler.cpp:
15370 (JSC::DFG::OSRExitCompiler::handleExitCounts):
15371 * dfg/DFGOperations.cpp:
15372 * dfg/DFGOperations.h:
15373 * jit/JIT.cpp:
15374 (JSC::JIT::emitOptimizationCheck):
15375 * jit/JIT.h:
15376 * jit/JITCall32_64.cpp:
15377 (JSC::JIT::emit_op_ret):
15378 (JSC::JIT::emit_op_ret_object_or_this):
15379 * jit/JITOpcodes.cpp:
15380 (JSC::JIT::emit_op_ret):
15381 (JSC::JIT::emit_op_ret_object_or_this):
15382 (JSC::JIT::emit_op_enter):
15383 * jit/JITOpcodes32_64.cpp:
15384 (JSC::JIT::emit_op_enter):
15385 * jit/JITStubs.cpp:
15386 (JSC::DEFINE_STUB_FUNCTION):
15387 * jit/JITStubs.h:
15388
153892012-06-20 Mark Hahnenberg <mhahnenberg@apple.com>
15390
15391 JSLock should be per-JSGlobalData
15392 https://bugs.webkit.org/show_bug.cgi?id=89123
15393
15394 Reviewed by Gavin Barraclough.
15395
15396 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
15397 * API/APIShims.h:
15398 (APIEntryShimWithoutLock):
15399 (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock): Added an extra parameter to the constructor to
15400 determine whether we should ref the JSGlobalData or not. We want to ref all the time except for in the
15401 HeapTimer class because timerDidFire could run after somebody has started to tear down that particular
15402 JSGlobalData, so we wouldn't want to resurrect the ref count of that JSGlobalData from 0 back to 1 after
15403 its destruction has begun.
15404 (JSC::APIEntryShimWithoutLock::~APIEntryShimWithoutLock): Now derefs if it also refed.
15405 (JSC::APIEntryShim::APIEntryShim):
15406 (APIEntryShim):
15407 (JSC::APIEntryShim::~APIEntryShim):
15408 (JSC::APIEntryShim::init): Factored out common initialization code for the various APIEntryShim constructors.
15409 Also moved the timeoutChecker stop and start here because we need to start after we've grabbed the API lock
15410 and before we've released it, which can only done in APIEntryShim.
15411 (JSC::APICallbackShim::~APICallbackShim): We no longer need to synchronize here.
15412 * API/JSContextRef.cpp:
15413 (JSGlobalContextCreate):
15414 (JSGlobalContextCreateInGroup):
15415 (JSGlobalContextRelease):
15416 (JSContextCreateBacktrace):
15417 * heap/CopiedSpace.cpp:
15418 (JSC::CopiedSpace::tryAllocateSlowCase):
15419 * heap/Heap.cpp:
15420 (JSC::Heap::protect):
15421 (JSC::Heap::unprotect):
15422 (JSC::Heap::collect):
15423 (JSC::Heap::setActivityCallback):
15424 (JSC::Heap::activityCallback):
15425 (JSC::Heap::sweeper):
15426 * heap/Heap.h: Changed m_activityCallback and m_sweeper to be raw pointers rather than OwnPtrs because they
15427 are now responsible for their own lifetime. Also changed the order of declaration of the GCActivityCallback
15428 and the IncrementalSweeper to make sure they're the last things that get initialized during construction to
15429 prevent any issues with uninitialized memory in the JSGlobalData/Heap they might care about.
15430 (Heap):
15431 * heap/HeapTimer.cpp: Refactored to allow for thread-safe operation and shutdown.
15432 (JSC::HeapTimer::~HeapTimer):
15433 (JSC::HeapTimer::invalidate):
15434 (JSC):
15435 (JSC::HeapTimer::didStartVMShutdown): Called at the beginning of ~JSGlobalData. If we're on the same thread
15436 that the HeapTimer is running on, we kill the HeapTimer ourselves. If not, then we set some state in the
15437 HeapTimer and schedule it to fire immediately so that it can notice and kill itself.
15438 (JSC::HeapTimer::timerDidFire): We grab our mutex and check our JSGlobalData pointer. If it has been zero-ed
15439 out, then we know the VM has started to shutdown and we should kill ourselves. Otherwise, grab the APIEntryShim,
15440 but without ref-ing the JSGlobalData (we don't want to bring the JSGlobalData's ref-count from 0 to 1) in case
15441 we were interrupted between releasing our mutex and trying to grab the APILock.
15442 * heap/HeapTimer.h:
15443 (HeapTimer):
15444 * heap/IncrementalSweeper.cpp:
15445 (JSC::IncrementalSweeper::doWork): We no longer need the API shim here since HeapTimer::timerDidFire handles
15446 all of that for us.
15447 (JSC::IncrementalSweeper::create):
15448 * heap/IncrementalSweeper.h:
15449 (IncrementalSweeper):
15450 * heap/MarkedAllocator.cpp:
15451 (JSC::MarkedAllocator::allocateSlowCase):
15452 * heap/WeakBlock.cpp:
15453 (JSC::WeakBlock::reap):
15454 * jsc.cpp:
15455 (functionGC):
15456 (functionReleaseExecutableMemory):
15457 (jscmain):
15458 * runtime/Completion.cpp:
15459 (JSC::checkSyntax):
15460 (JSC::evaluate):
15461 * runtime/GCActivityCallback.h:
15462 (DefaultGCActivityCallback):
15463 (JSC::DefaultGCActivityCallback::create):
15464 * runtime/JSGlobalData.cpp:
15465 (JSC::JSGlobalData::JSGlobalData):
15466 (JSC::JSGlobalData::~JSGlobalData): Signals to the two HeapTimers (GCActivityCallback and IncrementalSweeper)
15467 that the VM has started shutting down. It then waits until the HeapTimer is done with whatever activity
15468 it needs to do before continuing with any further destruction. Also asserts that we do not currently hold the
15469 APILock because this could potentially cause deadlock when we try to signal to the HeapTimers using their mutexes.
15470 (JSC::JSGlobalData::sharedInstance): Protect the initialization for the shared instance with the GlobalJSLock.
15471 (JSC::JSGlobalData::sharedInstanceInternal):
15472 * runtime/JSGlobalData.h: Change to be ThreadSafeRefCounted so that we don't have to worry about refing and
15473 de-refing JSGlobalDatas on separate threads since we don't do it that often anyways.
15474 (JSGlobalData):
15475 (JSC::JSGlobalData::apiLock):
15476 * runtime/JSGlobalObject.cpp:
15477 (JSC::JSGlobalObject::~JSGlobalObject):
15478 (JSC::JSGlobalObject::init):
15479 * runtime/JSLock.cpp:
15480 (JSC):
15481 (JSC::GlobalJSLock::GlobalJSLock): For accessing the shared instance.
15482 (JSC::GlobalJSLock::~GlobalJSLock):
15483 (JSC::JSLockHolder::JSLockHolder): MutexLocker for JSLock. Also refs the JSGlobalData to keep it alive so that
15484 it can successfully unlock it later without it disappearing from underneath it.
15485 (JSC::JSLockHolder::~JSLockHolder):
15486 (JSC::JSLock::JSLock):
15487 (JSC::JSLock::~JSLock):
15488 (JSC::JSLock::lock): Uses the spin lock for guarding the lock count and owner thread fields. Uses the mutex for
15489 actually waiting for long periods.
15490 (JSC::JSLock::unlock):
15491 (JSC::JSLock::currentThreadIsHoldingLock):
15492 (JSC::JSLock::dropAllLocks):
15493 (JSC::JSLock::dropAllLocksUnconditionally):
15494 (JSC::JSLock::grabAllLocks):
15495 (JSC::JSLock::DropAllLocks::DropAllLocks):
15496 (JSC::JSLock::DropAllLocks::~DropAllLocks):
15497 * runtime/JSLock.h:
15498 (JSC):
15499 (GlobalJSLock):
15500 (JSLockHolder):
15501 (JSLock):
15502 (DropAllLocks):
15503 * runtime/WeakGCMap.h:
15504 (JSC::WeakGCMap::set):
15505 * testRegExp.cpp:
15506 (realMain):
15507
155082012-06-22 Peter Beverloo <peter@chromium.org>
15509
15510 [Chromium] Disable c++0x compatibility warnings in JavaScriptCore.gyp when building for Android
15511 https://bugs.webkit.org/show_bug.cgi?id=88853
15512
15513 Reviewed by Steve Block.
15514
15515 The Android exclusions were necessary to fix a gyp generation error, as
15516 the gcc_version variable wasn't being defined for Android. Remove these
15517 exceptions when Chromium is able to define the gcc_version variable.
15518
15519 * JavaScriptCore.gyp/JavaScriptCore.gyp:
15520
155212012-06-21 Filip Pizlo <fpizlo@apple.com>
15522
15523 op_resolve_global should not prevent DFG inlining
15524 https://bugs.webkit.org/show_bug.cgi?id=89726
15525
15526 Reviewed by Gavin Barraclough.
15527
15528 * bytecode/CodeBlock.cpp:
15529 (JSC::CodeBlock::CodeBlock):
15530 (JSC::CodeBlock::shrinkToFit):
15531 * bytecode/GlobalResolveInfo.h:
15532 (JSC::GlobalResolveInfo::GlobalResolveInfo):
15533 (GlobalResolveInfo):
15534 * dfg/DFGByteCodeParser.cpp:
15535 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
15536 * dfg/DFGCapabilities.h:
15537 (JSC::DFG::canInlineOpcode):
15538 * dfg/DFGOperations.cpp:
15539 * dfg/DFGOperations.h:
15540 * dfg/DFGSpeculativeJIT.h:
15541 (JSC::DFG::SpeculativeJIT::callOperation):
15542 * dfg/DFGSpeculativeJIT32_64.cpp:
15543 (JSC::DFG::SpeculativeJIT::compile):
15544 * dfg/DFGSpeculativeJIT64.cpp:
15545 (JSC::DFG::SpeculativeJIT::compile):
15546
155472012-06-20 Filip Pizlo <fpizlo@apple.com>
15548
15549 DFG should inline 'new Array()'
15550 https://bugs.webkit.org/show_bug.cgi?id=89632
15551
15552 Reviewed by Geoffrey Garen.
15553
15554 This adds support for treating InternalFunction like intrinsics. The code
15555 to do so is actually quite clean, so I don't feel bad about perpetuating
15556 the InternalFunction vs. JSFunction-with-NativeExecutable dichotomy.
15557
15558 Currently this newfound power is only used to inline 'new Array()'.
15559
15560 * dfg/DFGByteCodeParser.cpp:
15561 (ByteCodeParser):
15562 (JSC::DFG::ByteCodeParser::handleCall):
15563 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
15564 (DFG):
15565 * dfg/DFGGraph.h:
15566 (JSC::DFG::Graph::isInternalFunctionConstant):
15567 (JSC::DFG::Graph::valueOfInternalFunctionConstant):
15568
155692012-06-21 Mark Hahnenberg <mhahnenberg@apple.com>
15570
15571 Adding copyrights to new files.
15572
15573 * heap/HeapTimer.cpp:
15574 * heap/HeapTimer.h:
15575 * heap/IncrementalSweeper.cpp:
15576 * heap/IncrementalSweeper.h:
15577
155782012-06-21 Arnaud Renevier <arno@renevier.net>
15579
15580 make sure headers are included only once per file
15581 https://bugs.webkit.org/show_bug.cgi?id=88922
15582
15583 Reviewed by Alexey Proskuryakov.
15584
15585 * bytecode/CodeBlock.h:
15586 * heap/MachineStackMarker.cpp:
15587 * runtime/JSVariableObject.h:
15588
155892012-06-21 Ryuan Choi <ryuan.choi@gmail.com>
15590
15591 [EFL][WK2] Make WebKit2/Efl headers and resources installable.
15592 https://bugs.webkit.org/show_bug.cgi?id=88207
15593
15594 Reviewed by Chang Shu.
15595
15596 * shell/CMakeLists.txt: Use ${EXEC_INSTALL_DIR} instead of hardcoding "bin"
15597
155982012-06-20 Geoffrey Garen <ggaren@apple.com>
15599
15600 Reduced (but did not eliminate) use of "berzerker GC"
15601 https://bugs.webkit.org/show_bug.cgi?id=89237
15602
15603 Reviewed by Gavin Barraclough.
15604
15605 (PART 1)
15606
15607 This patch turned out to be crashy, so I'm landing the non-crashy bits
15608 first.
15609
15610 This part is pre-requisite refactoring. I didn't actually turn off
15611 "berzerker GC" or turn on incremental shrinking.
15612
15613 * heap/MarkedAllocator.cpp:
15614 (JSC::MarkedAllocator::removeBlock): Make sure to clear the free list when
15615 we throw away the block we're currently allocating out of. Otherwise, we'll
15616 allocate out of a stale free list.
15617
15618 * heap/MarkedSpace.cpp:
15619 (JSC::Free::Free):
15620 (JSC::Free::operator()):
15621 (JSC::Free::returnValue): Refactored this functor to use a shared helper
15622 function, so we can share our implementation with the incremental sweeper.
15623
15624 Also changed to freeing individual blocks immediately instead of linking
15625 them into a list for later freeing. This makes the programming interface
15626 simpler, and it's slightly more efficient to boot.
15627
15628 (JSC::MarkedSpace::~MarkedSpace): Updated for rename.
15629
15630 (JSC::MarkedSpace::freeBlock):
15631 (JSC::MarkedSpace::freeOrShrinkBlock): New helper functions to share behavior
15632 with the incremental sweeper.
15633
15634 (JSC::MarkedSpace::shrink): Updated for new functor behavior.
15635
15636 * heap/MarkedSpace.h: Statically typed languages are awesome.
15637
156382012-06-20 Filip Pizlo <fpizlo@apple.com>
15639
15640 DFG should optimize ResolveGlobal
15641 https://bugs.webkit.org/show_bug.cgi?id=89617
15642
15643 Reviewed by Oliver Hunt.
15644
15645 This adds inlining of ResolveGlobal accesses that are known monomorphic. It also
15646 adds the specific function optimization to ResolveGlobal, when it is inlined. And,
15647 it makes internal functions act like specific functions, since that will be the
15648 most common use-case of this optimization.
15649
15650 This is only a slighy speed-up (sub 1%), since we don't yet do the obvious thing
15651 with this optimization, which is to completely inline common "globally resolved"
15652 function and constructor calls, like "new Array()".
15653
15654 * CMakeLists.txt:
15655 * GNUmakefile.list.am:
15656 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
15657 * JavaScriptCore.xcodeproj/project.pbxproj:
15658 * Target.pri:
15659 * bytecode/CodeBlock.cpp:
15660 (JSC::CodeBlock::globalResolveInfoForBytecodeOffset):
15661 * bytecode/CodeBlock.h:
15662 (CodeBlock):
15663 (JSC::CodeBlock::numberOfGlobalResolveInfos):
15664 * bytecode/GlobalResolveInfo.h:
15665 (JSC::getGlobalResolveInfoBytecodeOffset):
15666 (JSC):
15667 * bytecode/ResolveGlobalStatus.cpp: Added.
15668 (JSC):
15669 (JSC::computeForStructure):
15670 (JSC::computeForLLInt):
15671 (JSC::ResolveGlobalStatus::computeFor):
15672 * bytecode/ResolveGlobalStatus.h: Added.
15673 (JSC):
15674 (ResolveGlobalStatus):
15675 (JSC::ResolveGlobalStatus::ResolveGlobalStatus):
15676 (JSC::ResolveGlobalStatus::state):
15677 (JSC::ResolveGlobalStatus::isSet):
15678 (JSC::ResolveGlobalStatus::operator!):
15679 (JSC::ResolveGlobalStatus::isSimple):
15680 (JSC::ResolveGlobalStatus::takesSlowPath):
15681 (JSC::ResolveGlobalStatus::structure):
15682 (JSC::ResolveGlobalStatus::offset):
15683 (JSC::ResolveGlobalStatus::specificValue):
15684 * dfg/DFGByteCodeParser.cpp:
15685 (ByteCodeParser):
15686 (JSC::DFG::ByteCodeParser::handleGetByOffset):
15687 (DFG):
15688 (JSC::DFG::ByteCodeParser::handleGetById):
15689 (JSC::DFG::ByteCodeParser::parseBlock):
15690 * runtime/JSObject.cpp:
15691 (JSC::getCallableObjectSlow):
15692 (JSC):
15693 (JSC::JSObject::put):
15694 (JSC::JSObject::putDirectVirtual):
15695 (JSC::JSObject::putDirectAccessor):
15696 * runtime/JSObject.h:
15697 (JSC):
15698 (JSC::getCallableObject):
15699 (JSC::JSObject::putOwnDataProperty):
15700 (JSC::JSObject::putDirect):
15701 (JSC::JSObject::putDirectWithoutTransition):
15702
157032012-06-20 Filip Pizlo <fpizlo@apple.com>
15704
15705 Functions on global objects should be specializable
15706 https://bugs.webkit.org/show_bug.cgi?id=89615
15707
15708 Reviewed by Oliver Hunt.
15709
15710 I tested to see if this brought back the bug in https://bugs.webkit.org/show_bug.cgi?id=33343,
15711 and it didn't. Bug 33343 was the reason why we disabled global object function specialization
15712 to begin with. So I'm guessing this is safe.
15713
15714 * runtime/JSGlobalObject.cpp:
15715 (JSC::JSGlobalObject::init):
15716
157172012-06-20 Filip Pizlo <fpizlo@apple.com>
15718
15719 build-webkit failure due to illegal 32-bit integer constants in code
15720 generated by offlineasm
15721 https://bugs.webkit.org/show_bug.cgi?id=89347
15722
15723 Reviewed by Geoffrey Garen.
15724
15725 The offending constants are the magic numbers used by offlineasm to find
15726 offsets in the generated machine code. Added code to turn them into what
15727 the C++ compiler will believe to be valid 32-bit values.
15728
15729 * offlineasm/offsets.rb:
15730
157312012-06-19 Geoffrey Garen <ggaren@apple.com>
15732
15733 Made the incremental sweeper more aggressive
15734 https://bugs.webkit.org/show_bug.cgi?id=89527
15735
15736 Reviewed by Oliver Hunt.
15737
15738 This is a pre-requisite to getting rid of "berzerker GC" because we need
15739 the sweeper to reclaim memory in a timely fashion, or we'll see a memory
15740 footprint regression.
15741
15742 * heap/IncrementalSweeper.h:
15743 * heap/IncrementalSweeper.cpp:
15744 (JSC::IncrementalSweeper::scheduleTimer): Since the time slice is predictable,
15745 no need to use a data member to record it.
15746
15747 (JSC::IncrementalSweeper::doSweep): Sweep as many blocks as we can in a
15748 small time slice. This is better than sweeping only one block per timer
15749 fire because that strategy has a heavy timer overhead, and artificially
15750 delays memory reclamation.
15751
157522012-06-20 Filip Pizlo <fpizlo@apple.com>
15753
15754 DFG should be able to print disassembly interleaved with the IR
15755 https://bugs.webkit.org/show_bug.cgi?id=89551
15756
15757 Reviewed by Geoffrey Garen.
15758
15759 This change also removes running Dominators unconditionally on every DFG
15760 compile. Dominators are designed to be computed on-demand, and currently
15761 the only demand is graph dumps.
15762
15763 * CMakeLists.txt:
15764 * GNUmakefile.list.am:
15765 * JavaScriptCore.xcodeproj/project.pbxproj:
15766 * Target.pri:
15767 * assembler/ARMv7Assembler.h:
15768 (JSC::ARMv7Assembler::labelIgnoringWatchpoints):
15769 (ARMv7Assembler):
15770 * assembler/AbstractMacroAssembler.h:
15771 (AbstractMacroAssembler):
15772 (JSC::AbstractMacroAssembler::labelIgnoringWatchpoints):
15773 * assembler/X86Assembler.h:
15774 (X86Assembler):
15775 (JSC::X86Assembler::labelIgnoringWatchpoints):
15776 * dfg/DFGCommon.h:
15777 (JSC::DFG::shouldShowDisassembly):
15778 (DFG):
15779 * dfg/DFGDisassembler.cpp: Added.
15780 (DFG):
15781 (JSC::DFG::Disassembler::Disassembler):
15782 (JSC::DFG::Disassembler::dump):
15783 (JSC::DFG::Disassembler::dumpDisassembly):
15784 * dfg/DFGDisassembler.h: Added.
15785 (DFG):
15786 (Disassembler):
15787 (JSC::DFG::Disassembler::setStartOfCode):
15788 (JSC::DFG::Disassembler::setForBlock):
15789 (JSC::DFG::Disassembler::setForNode):
15790 (JSC::DFG::Disassembler::setEndOfMainPath):
15791 (JSC::DFG::Disassembler::setEndOfCode):
15792 * dfg/DFGDriver.cpp:
15793 (JSC::DFG::compile):
15794 * dfg/DFGGraph.cpp:
15795 (JSC::DFG::Graph::dumpCodeOrigin):
15796 (JSC::DFG::Graph::amountOfNodeWhiteSpace):
15797 (DFG):
15798 (JSC::DFG::Graph::printNodeWhiteSpace):
15799 (JSC::DFG::Graph::dump):
15800 (JSC::DFG::Graph::dumpBlockHeader):
15801 * dfg/DFGGraph.h:
15802 * dfg/DFGJITCompiler.cpp:
15803 (JSC::DFG::JITCompiler::JITCompiler):
15804 (DFG):
15805 (JSC::DFG::JITCompiler::compile):
15806 (JSC::DFG::JITCompiler::compileFunction):
15807 * dfg/DFGJITCompiler.h:
15808 (JITCompiler):
15809 (JSC::DFG::JITCompiler::setStartOfCode):
15810 (JSC::DFG::JITCompiler::setForBlock):
15811 (JSC::DFG::JITCompiler::setForNode):
15812 (JSC::DFG::JITCompiler::setEndOfMainPath):
15813 (JSC::DFG::JITCompiler::setEndOfCode):
15814 * dfg/DFGNode.h:
15815 (Node):
15816 (JSC::DFG::Node::willHaveCodeGen):
15817 * dfg/DFGNodeFlags.cpp:
15818 (JSC::DFG::nodeFlagsAsString):
15819 * dfg/DFGSpeculativeJIT.cpp:
15820 (JSC::DFG::SpeculativeJIT::compile):
15821 * dfg/DFGSpeculativeJIT.h:
15822 (SpeculativeJIT):
15823 * runtime/Options.cpp:
15824 (Options):
15825 (JSC::Options::initializeOptions):
15826 * runtime/Options.h:
15827 (Options):
15828
158292012-06-19 Filip Pizlo <fpizlo@apple.com>
15830
15831 JSC should be able to show disassembly for all generated JIT code
15832 https://bugs.webkit.org/show_bug.cgi?id=89536
15833
15834 Reviewed by Gavin Barraclough.
15835
15836 Now instead of doing linkBuffer.finalizeCode(), you do
15837 FINALIZE_CODE(linkBuffer, (... explanation ...)). FINALIZE_CODE() then
15838 prints your explanation and the disassembled code, if
15839 Options::showDisassembly is set to true.
15840
15841 * CMakeLists.txt:
15842 * GNUmakefile.list.am:
15843 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
15844 * JavaScriptCore.xcodeproj/project.pbxproj:
15845 * Target.pri:
15846 * assembler/LinkBuffer.cpp: Added.
15847 (JSC):
15848 (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
15849 (JSC::LinkBuffer::finalizeCodeWithDisassembly):
15850 (JSC::LinkBuffer::linkCode):
15851 (JSC::LinkBuffer::performFinalization):
15852 (JSC::LinkBuffer::dumpLinkStatistics):
15853 (JSC::LinkBuffer::dumpCode):
15854 * assembler/LinkBuffer.h:
15855 (LinkBuffer):
15856 (JSC):
15857 * assembler/MacroAssemblerCodeRef.h:
15858 (JSC::MacroAssemblerCodeRef::tryToDisassemble):
15859 (MacroAssemblerCodeRef):
15860 * dfg/DFGJITCompiler.cpp:
15861 (JSC::DFG::JITCompiler::compile):
15862 (JSC::DFG::JITCompiler::compileFunction):
15863 * dfg/DFGOSRExitCompiler.cpp:
15864 * dfg/DFGRepatch.cpp:
15865 (JSC::DFG::generateProtoChainAccessStub):
15866 (JSC::DFG::tryCacheGetByID):
15867 (JSC::DFG::tryBuildGetByIDList):
15868 (JSC::DFG::emitPutReplaceStub):
15869 (JSC::DFG::emitPutTransitionStub):
15870 * dfg/DFGThunks.cpp:
15871 (JSC::DFG::osrExitGenerationThunkGenerator):
15872 * disassembler/Disassembler.h:
15873 (JSC):
15874 (JSC::tryToDisassemble):
15875 * disassembler/UDis86Disassembler.cpp:
15876 (JSC::tryToDisassemble):
15877 * jit/JIT.cpp:
15878 (JSC::JIT::privateCompile):
15879 * jit/JITCode.h:
15880 (JSC::JITCode::tryToDisassemble):
15881 * jit/JITOpcodes.cpp:
15882 (JSC::JIT::privateCompileCTIMachineTrampolines):
15883 * jit/JITOpcodes32_64.cpp:
15884 (JSC::JIT::privateCompileCTIMachineTrampolines):
15885 (JSC::JIT::privateCompileCTINativeCall):
15886 * jit/JITPropertyAccess.cpp:
15887 (JSC::JIT::stringGetByValStubGenerator):
15888 (JSC::JIT::privateCompilePutByIdTransition):
15889 (JSC::JIT::privateCompilePatchGetArrayLength):
15890 (JSC::JIT::privateCompileGetByIdProto):
15891 (JSC::JIT::privateCompileGetByIdSelfList):
15892 (JSC::JIT::privateCompileGetByIdProtoList):
15893 (JSC::JIT::privateCompileGetByIdChainList):
15894 (JSC::JIT::privateCompileGetByIdChain):
15895 * jit/JITPropertyAccess32_64.cpp:
15896 (JSC::JIT::stringGetByValStubGenerator):
15897 (JSC::JIT::privateCompilePutByIdTransition):
15898 (JSC::JIT::privateCompilePatchGetArrayLength):
15899 (JSC::JIT::privateCompileGetByIdProto):
15900 (JSC::JIT::privateCompileGetByIdSelfList):
15901 (JSC::JIT::privateCompileGetByIdProtoList):
15902 (JSC::JIT::privateCompileGetByIdChainList):
15903 (JSC::JIT::privateCompileGetByIdChain):
15904 * jit/SpecializedThunkJIT.h:
15905 (JSC::SpecializedThunkJIT::finalize):
15906 * jit/ThunkGenerators.cpp:
15907 (JSC::charCodeAtThunkGenerator):
15908 (JSC::charAtThunkGenerator):
15909 (JSC::fromCharCodeThunkGenerator):
15910 (JSC::sqrtThunkGenerator):
15911 (JSC::floorThunkGenerator):
15912 (JSC::ceilThunkGenerator):
15913 (JSC::roundThunkGenerator):
15914 (JSC::expThunkGenerator):
15915 (JSC::logThunkGenerator):
15916 (JSC::absThunkGenerator):
15917 (JSC::powThunkGenerator):
15918 * llint/LLIntThunks.cpp:
15919 (JSC::LLInt::generateThunkWithJumpTo):
15920 (JSC::LLInt::functionForCallEntryThunkGenerator):
15921 (JSC::LLInt::functionForConstructEntryThunkGenerator):
15922 (JSC::LLInt::functionForCallArityCheckThunkGenerator):
15923 (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
15924 (JSC::LLInt::evalEntryThunkGenerator):
15925 (JSC::LLInt::programEntryThunkGenerator):
15926 * runtime/Options.cpp:
15927 (Options):
15928 (JSC::Options::initializeOptions):
15929 * runtime/Options.h:
15930 (Options):
15931 * yarr/YarrJIT.cpp:
15932 (JSC::Yarr::YarrGenerator::compile):
15933
159342012-06-19 Mark Hahnenberg <mhahnenberg@apple.com>
15935
15936 [Qt][Mac] REGRESSION(r120742): It broke the build
15937 https://bugs.webkit.org/show_bug.cgi?id=89516
15938
15939 Reviewed by Geoffrey Garen.
15940
15941 Removing GCActivityCallbackCF.cpp because it doesn't mesh well with cross-platform
15942 code on Darwin (e.g. Qt). We now use plain ol' vanilla ifdefs to handle platforms
15943 without CF support. These if-defs will probably disappear in the future when we
15944 use cross-platform timers in HeapTimer.
15945
15946 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
15947 * JavaScriptCore.xcodeproj/project.pbxproj:
15948 * runtime/GCActivityCallback.cpp:
15949 (JSC):
15950 (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
15951 (JSC::DefaultGCActivityCallback::doWork):
15952 (JSC::DefaultGCActivityCallback::scheduleTimer):
15953 (JSC::DefaultGCActivityCallback::cancelTimer):
15954 (JSC::DefaultGCActivityCallback::didAllocate):
15955 (JSC::DefaultGCActivityCallback::willCollect):
15956 (JSC::DefaultGCActivityCallback::cancel):
15957 * runtime/GCActivityCallbackCF.cpp: Removed.
15958
159592012-06-19 Filip Pizlo <fpizlo@apple.com>
15960
15961 DFG CFA forgets to notify subsequent phases of found constants if it proves LogicalNot to be a constant
15962 https://bugs.webkit.org/show_bug.cgi?id=89511
15963 <rdar://problem/11700089>
15964
15965 Reviewed by Geoffrey Garen.
15966
15967 * dfg/DFGAbstractState.cpp:
15968 (JSC::DFG::AbstractState::execute):
15969
159702012-06-19 Mark Lam <mark.lam@apple.com>
15971
15972 CodeBlock::needsCallReturnIndices() is no longer needed.
15973 https://bugs.webkit.org/show_bug.cgi?id=89490
15974
15975 Reviewed by Geoffrey Garen.
15976
15977 * bytecode/CodeBlock.h:
15978 (JSC::CodeBlock::needsCallReturnIndices): removed.
15979 * dfg/DFGJITCompiler.cpp:
15980 (JSC::DFG::JITCompiler::link):
15981 * jit/JIT.cpp:
15982 (JSC::JIT::privateCompile):
15983
159842012-06-19 Filip Pizlo <fpizlo@apple.com>
15985
15986 Unreviewed, try to fix Windows build.
15987
15988 * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
15989
159902012-06-17 Filip Pizlo <fpizlo@apple.com>
15991
15992 It should be possible to look at disassembly
15993 https://bugs.webkit.org/show_bug.cgi?id=89319
15994
15995 Reviewed by Sam Weinig.
15996
15997 This imports the udis86 disassembler library. The library is placed
15998 behind an abstraction in disassembler/Disassembler.h, so that we can
15999 in the future use other disassemblers (for other platforms) whenever
16000 appropriate. As a first step, the disassembler is being invoked for
16001 DFG verbose dumps.
16002
16003 If we ever want to merge a new version of udis86 in the future, I've
16004 made notes about changes I made to the library in
16005 disassembler/udis86/differences.txt.
16006
16007 * CMakeLists.txt:
16008 * DerivedSources.make:
16009 * GNUmakefile.list.am:
16010 * JavaScriptCore.pri:
16011 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
16012 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
16013 * JavaScriptCore.xcodeproj/project.pbxproj:
16014 * dfg/DFGJITCompiler.cpp:
16015 (JSC::DFG::JITCompiler::compile):
16016 (JSC::DFG::JITCompiler::compileFunction):
16017 * disassembler: Added.
16018 * disassembler/Disassembler.h: Added.
16019 (JSC):
16020 (JSC::tryToDisassemble):
16021 * disassembler/UDis86Disassembler.cpp: Added.
16022 (JSC):
16023 (JSC::tryToDisassemble):
16024 * disassembler/udis86: Added.
16025 * disassembler/udis86/differences.txt: Added.
16026 * disassembler/udis86/itab.py: Added.
16027 (UdItabGenerator):
16028 (UdItabGenerator.__init__):
16029 (UdItabGenerator.toGroupId):
16030 (UdItabGenerator.genLookupTable):
16031 (UdItabGenerator.genLookupTableList):
16032 (UdItabGenerator.genInsnTable):
16033 (genItabH):
16034 (genItabH.UD_ITAB_H):
16035 (genItabC):
16036 (genItab):
16037 (main):
16038 * disassembler/udis86/optable.xml: Added.
16039 * disassembler/udis86/ud_opcode.py: Added.
16040 (UdOpcodeTables):
16041 (UdOpcodeTables.sizeOfTable):
16042 (UdOpcodeTables.nameOfTable):
16043 (UdOpcodeTables.updateTable):
16044 (UdOpcodeTables.Insn):
16045 (UdOpcodeTables.Insn.__init__):
16046 (UdOpcodeTables.Insn.__init__.opcode):
16047 (UdOpcodeTables.parse):
16048 (UdOpcodeTables.addInsnDef):
16049 (UdOpcodeTables.print_table):
16050 (UdOpcodeTables.print_tree):
16051 * disassembler/udis86/ud_optable.py: Added.
16052 (UdOptableXmlParser):
16053 (UdOptableXmlParser.parseDef):
16054 (UdOptableXmlParser.parse):
16055 (printFn):
16056 (parse):
16057 (main):
16058 * disassembler/udis86/udis86.c: Added.
16059 (ud_init):
16060 (ud_disassemble):
16061 (ud_set_mode):
16062 (ud_set_vendor):
16063 (ud_set_pc):
16064 (ud):
16065 (ud_insn_asm):
16066 (ud_insn_off):
16067 (ud_insn_hex):
16068 (ud_insn_ptr):
16069 (ud_insn_len):
16070 * disassembler/udis86/udis86.h: Added.
16071 * disassembler/udis86/udis86_decode.c: Added.
16072 (eff_adr_mode):
16073 (ud_lookup_mnemonic):
16074 (decode_prefixes):
16075 (modrm):
16076 (resolve_operand_size):
16077 (resolve_mnemonic):
16078 (decode_a):
16079 (decode_gpr):
16080 (resolve_gpr64):
16081 (resolve_gpr32):
16082 (resolve_reg):
16083 (decode_imm):
16084 (decode_modrm_reg):
16085 (decode_modrm_rm):
16086 (decode_o):
16087 (decode_operand):
16088 (decode_operands):
16089 (clear_insn):
16090 (resolve_mode):
16091 (gen_hex):
16092 (decode_insn):
16093 (decode_3dnow):
16094 (decode_ssepfx):
16095 (decode_ext):
16096 (decode_opcode):
16097 (ud_decode):
16098 * disassembler/udis86/udis86_decode.h: Added.
16099 (ud_itab_entry_operand):
16100 (ud_itab_entry):
16101 (ud_lookup_table_list_entry):
16102 (sse_pfx_idx):
16103 (mode_idx):
16104 (modrm_mod_idx):
16105 (vendor_idx):
16106 (is_group_ptr):
16107 (group_idx):
16108 * disassembler/udis86/udis86_extern.h: Added.
16109 * disassembler/udis86/udis86_input.c: Added.
16110 (inp_buff_hook):
16111 (inp_file_hook):
16112 (ud):
16113 (ud_set_user_opaque_data):
16114 (ud_get_user_opaque_data):
16115 (ud_set_input_buffer):
16116 (ud_set_input_file):
16117 (ud_input_skip):
16118 (ud_input_end):
16119 (ud_inp_next):
16120 (ud_inp_back):
16121 (ud_inp_peek):
16122 (ud_inp_move):
16123 (ud_inp_uint8):
16124 (ud_inp_uint16):
16125 (ud_inp_uint32):
16126 (ud_inp_uint64):
16127 * disassembler/udis86/udis86_input.h: Added.
16128 * disassembler/udis86/udis86_itab_holder.c: Added.
16129 * disassembler/udis86/udis86_syn-att.c: Added.
16130 (opr_cast):
16131 (gen_operand):
16132 (ud_translate_att):
16133 * disassembler/udis86/udis86_syn-intel.c: Added.
16134 (opr_cast):
16135 (gen_operand):
16136 (ud_translate_intel):
16137 * disassembler/udis86/udis86_syn.c: Added.
16138 * disassembler/udis86/udis86_syn.h: Added.
16139 (mkasm):
16140 * disassembler/udis86/udis86_types.h: Added.
16141 (ud_operand):
16142 (ud):
16143 * jit/JITCode.h:
16144 (JITCode):
16145 (JSC::JITCode::tryToDisassemble):
16146
161472012-06-19 Mark Hahnenberg <mhahnenberg@apple.com>
16148
16149 GCActivityCallback and IncrementalSweeper should share code
16150 https://bugs.webkit.org/show_bug.cgi?id=89400
16151
16152 Reviewed by Geoffrey Garen.
16153
16154 A lot of functionality is duplicated between GCActivityCallback and IncrementalSweeper.
16155 We should extract the common functionality out into a separate class that both of them
16156 can inherit from. This refactoring will be an even greater boon when we add the ability
16157 to shut these two agents down in a thread-safe fashion
16158
16159 * CMakeLists.txt:
16160 * GNUmakefile.list.am:
16161 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
16162 * JavaScriptCore.xcodeproj/project.pbxproj:
16163 * Target.pri:
16164 * heap/Heap.cpp:
16165 (JSC::Heap::Heap): Move initialization down so that the JSGlobalData has a valid Heap when
16166 we're initializing the GCActivityCallback and the IncrementalSweeper.
16167 * heap/Heap.h:
16168 (Heap):
16169 * heap/HeapTimer.cpp: Added.
16170 (JSC):
16171 (JSC::HeapTimer::HeapTimer): Initialize the various base class data that
16172 DefaultGCActivityCallback::commonConstructor() used to do.
16173 (JSC::HeapTimer::~HeapTimer): Call to invalidate().
16174 (JSC::HeapTimer::synchronize): Same functionality as the old DefaultGCActivityCallback::synchronize().
16175 Virtual so that non-CF subclasses can override.
16176 (JSC::HeapTimer::invalidate): Tears down the runloop timer to prevent any future firing.
16177 (JSC::HeapTimer::timerDidFire): Callback to pass to the timer function. Casts and calls the virtual doWork().
16178 * heap/HeapTimer.h: Added. This is the class that serves as the common base class for
16179 both GCActivityCallback and IncrementalSweeper. It handles setting up and tearing down run loops and synchronizing
16180 across threads for its subclasses.
16181 (JSC):
16182 (HeapTimer):
16183 * heap/IncrementalSweeper.cpp: Changes to accomodate the extraction of common functionality
16184 between IncrementalSweeper and GCActivityCallback into a common ancestor.
16185 (JSC):
16186 (JSC::IncrementalSweeper::doWork):
16187 (JSC::IncrementalSweeper::IncrementalSweeper):
16188 (JSC::IncrementalSweeper::cancelTimer):
16189 (JSC::IncrementalSweeper::create):
16190 * heap/IncrementalSweeper.h:
16191 (IncrementalSweeper):
16192 * runtime/GCActivityCallback.cpp:
16193 (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
16194 (JSC::DefaultGCActivityCallback::doWork):
16195 * runtime/GCActivityCallback.h:
16196 (GCActivityCallback):
16197 (JSC::GCActivityCallback::willCollect):
16198 (JSC::GCActivityCallback::GCActivityCallback):
16199 (JSC):
16200 (DefaultGCActivityCallback): Remove the platform data struct. The platform data should be kept in
16201 the class itself so as to be accessible by doWork(). Most of the platform data for CF is kept in
16202 HeapTimer anyways, so we only need the m_delay field now.
16203 * runtime/GCActivityCallbackBlackBerry.cpp:
16204 (JSC):
16205 (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
16206 (JSC::DefaultGCActivityCallback::doWork):
16207 (JSC::DefaultGCActivityCallback::didAllocate):
16208 * runtime/GCActivityCallbackCF.cpp:
16209 (JSC):
16210 (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
16211 (JSC::DefaultGCActivityCallback::doWork):
16212 (JSC::DefaultGCActivityCallback::scheduleTimer):
16213 (JSC::DefaultGCActivityCallback::cancelTimer):
16214 (JSC::DefaultGCActivityCallback::didAllocate):
16215 (JSC::DefaultGCActivityCallback::willCollect):
16216 (JSC::DefaultGCActivityCallback::cancel):
16217
16218
162192012-06-19 Mike West <mkwst@chromium.org>
16220
16221 Introduce ENABLE_CSP_NEXT configuration flag.
16222 https://bugs.webkit.org/show_bug.cgi?id=89300
16223
16224 Reviewed by Adam Barth.
16225
16226 The 1.0 draft of the Content Security Policy spec is just about to
16227 move to Last Call. We'll hide work on the upcoming 1.1 spec behind
16228 this ENABLE flag, disabled by default.
16229
16230 Spec: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
16231
16232 * Configurations/FeatureDefines.xcconfig:
16233
162342012-06-18 Mark Lam <mark.lam@apple.com>
16235
16236 Changed JSC to always record line number information so that error.stack
16237 and window.onerror() can report proper line numbers.
16238 https://bugs.webkit.org/show_bug.cgi?id=89410
16239
16240 Reviewed by Geoffrey Garen.
16241
16242 * bytecode/CodeBlock.cpp:
16243 (JSC::CodeBlock::CodeBlock):
16244 (JSC::CodeBlock::lineNumberForBytecodeOffset):
16245 (JSC::CodeBlock::shrinkToFit): m_lineInfo is now available unconditionally.
16246
16247 * bytecode/CodeBlock.h:
16248 (JSC::CodeBlock::addLineInfo):
16249 (JSC::CodeBlock::hasLineInfo): Unused. Now removed.
16250 (JSC::CodeBlock::needsCallReturnIndices):
16251 (CodeBlock):
16252 (RareData): Hoisted m_lineInfo out of m_rareData. m_lineInfo is now
16253 filled in unconditionally.
16254
16255 * bytecompiler/BytecodeGenerator.h:
16256 (JSC::BytecodeGenerator::addLineInfo):
16257
162582012-06-18 Andy Estes <aestes@apple.com>
16259
16260 Fix r120663, which didn't land the change that was reviewed.
16261
162622012-06-18 Andy Estes <aestes@apple.com>
16263
16264 [JSC] In JSGlobalData.cpp, enableAssembler() sometimes leaks two CF objects
16265 https://bugs.webkit.org/show_bug.cgi?id=89415
16266
16267 Reviewed by Sam Weinig.
16268
16269 In the case where canUseJIT was a non-NULL CFBooleanRef,
16270 enableAssembler() would leak both canUseJITKey and canUseJIT by
16271 returning before calling CFRelease. Fix this by using RetainPtr.
16272
16273 * runtime/JSGlobalData.cpp:
16274 (JSC::enableAssembler):
16275
162762012-06-17 Geoffrey Garen <ggaren@apple.com>
16277
16278 GC copy phase spends needless cycles zero-filling blocks
16279 https://bugs.webkit.org/show_bug.cgi?id=89128
16280
16281 Reviewed by Gavin Barraclough.
16282
16283 We only need to zero-fill when we're allocating memory that might not
16284 get fully initialized before GC.
16285
16286 * heap/CopiedBlock.h:
16287 (JSC::CopiedBlock::createNoZeroFill):
16288 (JSC::CopiedBlock::create): Added a way to create without zero-filling.
16289 This is our optimization.
16290
16291 (JSC::CopiedBlock::zeroFillToEnd):
16292 (JSC::CopiedBlock::CopiedBlock): Split zero-filling out from creation,
16293 so we can sometimes create without zero-filling.
16294
16295 * heap/CopiedSpace.cpp:
16296 (JSC::CopiedSpace::init):
16297 (JSC::CopiedSpace::tryAllocateSlowCase):
16298 (JSC::CopiedSpace::doneCopying): Renamed addNewBlock to allocateBlock()
16299 to clarify that the new block is always newly-allocated.
16300
16301 (JSC::CopiedSpace::doneFillingBlock): Make sure to zero-fill to the end
16302 of a block that might be used in the future for allocation. (Most of the
16303 time, this is a no-op, since we've already filled the block completely.)
16304
16305 (JSC::CopiedSpace::getFreshBlock): Removed this function because the
16306 abstraction of "allocation must succeed" is no longer useful.
16307
16308 * heap/CopiedSpace.h: Updated declarations to match.
16309
16310 * heap/CopiedSpaceInlineMethods.h:
16311 (JSC::CopiedSpace::allocateBlockForCopyingPhase): New function, which
16312 knows that it can skip zero-filling.
16313
16314 Added tighter scoping to our lock, to improve parallelism.
16315
16316 (JSC::CopiedSpace::allocateBlock): Folded getFreshBlock functionality
16317 into this function, for simplicity.
16318
16319 * heap/MarkStack.cpp:
16320 (JSC::SlotVisitor::startCopying):
16321 (JSC::SlotVisitor::allocateNewSpace): Use our new zero-fill-free helper
16322 function for great good.
16323
163242012-06-17 Filip Pizlo <fpizlo@apple.com>
16325
16326 DFG should attempt to use structure watchpoints for all inlined get_by_id's and put_by_id's
16327 https://bugs.webkit.org/show_bug.cgi?id=89316
16328
16329 Reviewed by Oliver Hunt.
16330
16331 * dfg/DFGByteCodeParser.cpp:
16332 (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
16333 (ByteCodeParser):
16334 (JSC::DFG::ByteCodeParser::handleGetById):
16335 (JSC::DFG::ByteCodeParser::parseBlock):
16336
163372012-06-15 Yong Li <yoli@rim.com>
16338
16339 [BlackBerry] Put platform-specific GC policy in GCActivityCallback
16340 https://bugs.webkit.org/show_bug.cgi?id=89236
16341
16342 Reviewed by Rob Buis.
16343
16344 Add GCActivityCallbackBlackBerry.cpp and implement platform-specific
16345 low memory GC policy there.
16346
16347 * PlatformBlackBerry.cmake:
16348 * heap/Heap.h:
16349 (JSC::Heap::isSafeToCollect): Added.
16350 * runtime/GCActivityCallbackBlackBerry.cpp: Added.
16351 (JSC):
16352 (JSC::DefaultGCActivityCallbackPlatformData::DefaultGCActivityCallbackPlatformData):
16353 (DefaultGCActivityCallbackPlatformData):
16354 (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
16355 (JSC::DefaultGCActivityCallback::~DefaultGCActivityCallback):
16356 (JSC::DefaultGCActivityCallback::didAllocate):
16357 (JSC::DefaultGCActivityCallback::willCollect):
16358 (JSC::DefaultGCActivityCallback::synchronize):
16359 (JSC::DefaultGCActivityCallback::cancel):
16360
163612012-06-15 Filip Pizlo <fpizlo@apple.com>
16362
16363 DFG should be able to set watchpoints on structure transitions in the
16364 method check prototype chain
16365 https://bugs.webkit.org/show_bug.cgi?id=89058
16366
16367 Adding the same assertion to 32-bit that I added to 64-bit. This change
16368 does not affect correctness but it's a good thing for assertion coverage.
16369
16370 * dfg/DFGSpeculativeJIT32_64.cpp:
16371 (JSC::DFG::SpeculativeJIT::compile):
16372
163732012-06-13 Filip Pizlo <fpizlo@apple.com>
16374
16375 DFG should be able to set watchpoints on structure transitions in the
16376 method check prototype chain
16377 https://bugs.webkit.org/show_bug.cgi?id=89058
16378
16379 Reviewed by Gavin Barraclough.
16380
16381 This adds the ability to set watchpoints on Structures, and then does
16382 the most modest thing we can do with this ability: the DFG now sets
16383 watchpoints on structure transitions in the prototype chain of method
16384 checks.
16385
16386 This appears to be a >1% speed-up on V8.
16387
16388 * bytecode/PutByIdStatus.cpp:
16389 (JSC::PutByIdStatus::computeFromLLInt):
16390 (JSC::PutByIdStatus::computeFor):
16391 * bytecode/StructureSet.h:
16392 (JSC::StructureSet::containsOnly):
16393 (StructureSet):
16394 * bytecode/Watchpoint.cpp:
16395 (JSC::WatchpointSet::WatchpointSet):
16396 (JSC::InlineWatchpointSet::add):
16397 (JSC):
16398 (JSC::InlineWatchpointSet::inflateSlow):
16399 (JSC::InlineWatchpointSet::freeFat):
16400 * bytecode/Watchpoint.h:
16401 (WatchpointSet):
16402 (JSC):
16403 (InlineWatchpointSet):
16404 (JSC::InlineWatchpointSet::InlineWatchpointSet):
16405 (JSC::InlineWatchpointSet::~InlineWatchpointSet):
16406 (JSC::InlineWatchpointSet::hasBeenInvalidated):
16407 (JSC::InlineWatchpointSet::isStillValid):
16408 (JSC::InlineWatchpointSet::startWatching):
16409 (JSC::InlineWatchpointSet::notifyWrite):
16410 (JSC::InlineWatchpointSet::isFat):
16411 (JSC::InlineWatchpointSet::fat):
16412 (JSC::InlineWatchpointSet::inflate):
16413 * dfg/DFGAbstractState.cpp:
16414 (JSC::DFG::AbstractState::execute):
16415 * dfg/DFGByteCodeParser.cpp:
16416 (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
16417 (ByteCodeParser):
16418 (JSC::DFG::ByteCodeParser::parseBlock):
16419 * dfg/DFGCSEPhase.cpp:
16420 (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
16421 (CSEPhase):
16422 (JSC::DFG::CSEPhase::performNodeCSE):
16423 * dfg/DFGCommon.h:
16424 * dfg/DFGGraph.cpp:
16425 (JSC::DFG::Graph::dump):
16426 * dfg/DFGGraph.h:
16427 (JSC::DFG::Graph::isCellConstant):
16428 * dfg/DFGJITCompiler.h:
16429 (JSC::DFG::JITCompiler::addWeakReferences):
16430 (JITCompiler):
16431 * dfg/DFGNode.h:
16432 (JSC::DFG::Node::hasStructure):
16433 (Node):
16434 (JSC::DFG::Node::structure):
16435 * dfg/DFGNodeType.h:
16436 (DFG):
16437 * dfg/DFGPredictionPropagationPhase.cpp:
16438 (JSC::DFG::PredictionPropagationPhase::propagate):
16439 * dfg/DFGRepatch.cpp:
16440 (JSC::DFG::emitPutTransitionStub):
16441 * dfg/DFGSpeculativeJIT64.cpp:
16442 (JSC::DFG::SpeculativeJIT::compile):
16443 * jit/JITStubs.cpp:
16444 (JSC::JITThunks::tryCachePutByID):
16445 * llint/LLIntSlowPaths.cpp:
16446 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
16447 * runtime/Structure.cpp:
16448 (JSC::Structure::Structure):
16449 * runtime/Structure.h:
16450 (JSC::Structure::transitionWatchpointSetHasBeenInvalidated):
16451 (Structure):
16452 (JSC::Structure::transitionWatchpointSetIsStillValid):
16453 (JSC::Structure::addTransitionWatchpoint):
16454 (JSC::Structure::notifyTransitionFromThisStructure):
16455 (JSC::JSCell::setStructure):
16456 * runtime/SymbolTable.cpp:
16457 (JSC::SymbolTableEntry::attemptToWatch):
16458
164592012-06-13 Filip Pizlo <fpizlo@apple.com>
16460
16461 DFG should be able to set watchpoints on global variables
16462 https://bugs.webkit.org/show_bug.cgi?id=88692
16463
16464 Reviewed by Geoffrey Garen.
16465
16466 Rolling back in after fixing Windows build issues, and implementing
16467 branchTest8 for the Qt port's strange assemblers.
16468
16469 This implements global variable constant folding by allowing the optimizing
16470 compiler to set a "watchpoint" on globals that it wishes to constant fold.
16471 If the watchpoint fires, then an OSR exit is forced by overwriting the
16472 machine code that the optimizing compiler generated with a jump.
16473
16474 As such, this patch is adding quite a bit of stuff:
16475
16476 - Jump replacement on those hardware targets supported by the optimizing
16477 JIT. It is now possible to patch in a jump instruction over any recorded
16478 watchpoint label. The jump must be "local" in the sense that it must be
16479 within the range of the largest jump distance supported by a one
16480 instruction jump.
16481
16482 - WatchpointSets and Watchpoints. A Watchpoint is a doubly-linked list node
16483 that records the location where a jump must be inserted and the
16484 destination to which it should jump. Watchpoints can be added to a
16485 WatchpointSet. The WatchpointSet can be fired all at once, which plants
16486 all jumps. WatchpointSet also remembers if it had ever been invalidated,
16487 which allows for monotonicity: we typically don't want to optimize using
16488 watchpoints on something for which watchpoints had previously fired. The
16489 act of notifying a WatchpointSet has a trivial fast path in case no
16490 Watchpoints are registered (one-byte load+branch).
16491
16492 - SpeculativeJIT::speculationWatchpoint(). It's like speculationCheck(),
16493 except that you don't have to emit branches. But, you need to know what
16494 WatchpointSet to add the resulting Watchpoint to. Not everything that
16495 you could write a speculationCheck() for will have a WatchpointSet that
16496 would get notified if the condition you were speculating against became
16497 invalid.
16498
16499 - SymbolTableEntry now has the ability to refer to a WatchpointSet. It can
16500 do so without incurring any space overhead for those entries that don't
16501 have WatchpointSets.
16502
16503 - The bytecode generator infers all global function variables to be
16504 watchable, and makes all stores perform the WatchpointSet's write check,
16505 and marks all loads as being potentially watchable (i.e. you can compile
16506 them to a watchpoint and a constant).
16507
16508 Put together, this allows for fully sleazy inlining of calls to globally
16509 declared functions. The inline prologue will no longer contain the load of
16510 the function, or any checks of the function you're calling. I.e. it's
16511 pretty much like the kind of inlining you would see in Java or C++.
16512 Furthermore, the watchpointing functionality is built to be fairly general,
16513 and should allow setting watchpoints on all sorts of interesting things
16514 in the future.
16515
16516 The sleazy inlining means that we will now sometimes inline in code paths
16517 that have never executed. Previously, to inline we would have either had
16518 to have executed the call (to read the call's inline cache) or have
16519 executed the method check (to read the method check's inline cache). Now,
16520 we might inline when the callee is a watched global variable. This
16521 revealed some humorous bugs. First, constant folding disagreed with CFA
16522 over what kinds of operations can clobber (example: code path A is dead
16523 but stores a String into variable X, all other code paths store 0 into
16524 X, and then you do CompareEq(X, 0) - CFA will say that this is a non-
16525 clobbering constant, but constant folding thought it was clobbering
16526 because it saw the String prediction). Second, inlining would crash if
16527 the inline callee had not been compiled. This patch fixes both bugs,
16528 since otherwise run-javascriptcore-tests would report regressions.
16529
16530 * CMakeLists.txt:
16531 * GNUmakefile.list.am:
16532 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
16533 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
16534 * JavaScriptCore.xcodeproj/project.pbxproj:
16535 * Target.pri:
16536 * assembler/ARMv7Assembler.h:
16537 (ARMv7Assembler):
16538 (JSC::ARMv7Assembler::ARMv7Assembler):
16539 (JSC::ARMv7Assembler::labelForWatchpoint):
16540 (JSC::ARMv7Assembler::label):
16541 (JSC::ARMv7Assembler::replaceWithJump):
16542 (JSC::ARMv7Assembler::maxJumpReplacementSize):
16543 * assembler/AbstractMacroAssembler.h:
16544 (JSC):
16545 (AbstractMacroAssembler):
16546 (Label):
16547 (JSC::AbstractMacroAssembler::watchpointLabel):
16548 (JSC::AbstractMacroAssembler::readPointer):
16549 * assembler/AssemblerBuffer.h:
16550 * assembler/MacroAssemblerARM.h:
16551 (JSC::MacroAssemblerARM::branchTest8):
16552 (MacroAssemblerARM):
16553 (JSC::MacroAssemblerARM::replaceWithJump):
16554 (JSC::MacroAssemblerARM::maxJumpReplacementSize):
16555 * assembler/MacroAssemblerARMv7.h:
16556 (JSC::MacroAssemblerARMv7::load8Signed):
16557 (JSC::MacroAssemblerARMv7::load16Signed):
16558 (MacroAssemblerARMv7):
16559 (JSC::MacroAssemblerARMv7::replaceWithJump):
16560 (JSC::MacroAssemblerARMv7::maxJumpReplacementSize):
16561 (JSC::MacroAssemblerARMv7::branchTest8):
16562 (JSC::MacroAssemblerARMv7::jump):
16563 (JSC::MacroAssemblerARMv7::makeBranch):
16564 * assembler/MacroAssemblerMIPS.h:
16565 (JSC::MacroAssemblerMIPS::branchTest8):
16566 (MacroAssemblerMIPS):
16567 (JSC::MacroAssemblerMIPS::replaceWithJump):
16568 (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
16569 * assembler/MacroAssemblerSH4.h:
16570 (JSC::MacroAssemblerSH4::branchTest8):
16571 (MacroAssemblerSH4):
16572 (JSC::MacroAssemblerSH4::replaceWithJump):
16573 (JSC::MacroAssemblerSH4::maxJumpReplacementSize):
16574 * assembler/MacroAssemblerX86.h:
16575 (MacroAssemblerX86):
16576 (JSC::MacroAssemblerX86::branchTest8):
16577 * assembler/MacroAssemblerX86Common.h:
16578 (JSC::MacroAssemblerX86Common::replaceWithJump):
16579 (MacroAssemblerX86Common):
16580 (JSC::MacroAssemblerX86Common::maxJumpReplacementSize):
16581 * assembler/MacroAssemblerX86_64.h:
16582 (MacroAssemblerX86_64):
16583 (JSC::MacroAssemblerX86_64::branchTest8):
16584 * assembler/X86Assembler.h:
16585 (JSC::X86Assembler::X86Assembler):
16586 (X86Assembler):
16587 (JSC::X86Assembler::cmpb_im):
16588 (JSC::X86Assembler::testb_im):
16589 (JSC::X86Assembler::labelForWatchpoint):
16590 (JSC::X86Assembler::label):
16591 (JSC::X86Assembler::replaceWithJump):
16592 (JSC::X86Assembler::maxJumpReplacementSize):
16593 (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
16594 * bytecode/CodeBlock.cpp:
16595 (JSC):
16596 (JSC::CodeBlock::printGetByIdCacheStatus):
16597 (JSC::CodeBlock::dump):
16598 * bytecode/CodeBlock.h:
16599 (JSC::CodeBlock::appendOSRExit):
16600 (JSC::CodeBlock::appendSpeculationRecovery):
16601 (CodeBlock):
16602 (JSC::CodeBlock::appendWatchpoint):
16603 (JSC::CodeBlock::numberOfWatchpoints):
16604 (JSC::CodeBlock::watchpoint):
16605 (DFGData):
16606 * bytecode/DFGExitProfile.h:
16607 (JSC::DFG::exitKindToString):
16608 (JSC::DFG::exitKindIsCountable):
16609 * bytecode/GetByIdStatus.cpp:
16610 (JSC::GetByIdStatus::computeForChain):
16611 * bytecode/Instruction.h:
16612 (Instruction):
16613 (JSC::Instruction::Instruction):
16614 * bytecode/Opcode.h:
16615 (JSC):
16616 (JSC::padOpcodeName):
16617 * bytecode/Watchpoint.cpp: Added.
16618 (JSC):
16619 (JSC::Watchpoint::~Watchpoint):
16620 (JSC::Watchpoint::correctLabels):
16621 (JSC::Watchpoint::fire):
16622 (JSC::WatchpointSet::WatchpointSet):
16623 (JSC::WatchpointSet::~WatchpointSet):
16624 (JSC::WatchpointSet::add):
16625 (JSC::WatchpointSet::notifyWriteSlow):
16626 (JSC::WatchpointSet::fireAllWatchpoints):
16627 * bytecode/Watchpoint.h: Added.
16628 (JSC):
16629 (Watchpoint):
16630 (JSC::Watchpoint::Watchpoint):
16631 (JSC::Watchpoint::setDestination):
16632 (WatchpointSet):
16633 (JSC::WatchpointSet::isStillValid):
16634 (JSC::WatchpointSet::hasBeenInvalidated):
16635 (JSC::WatchpointSet::startWatching):
16636 (JSC::WatchpointSet::notifyWrite):
16637 (JSC::WatchpointSet::addressOfIsWatched):
16638 * bytecompiler/BytecodeGenerator.cpp:
16639 (JSC::ResolveResult::checkValidity):
16640 (JSC::BytecodeGenerator::addGlobalVar):
16641 (JSC::BytecodeGenerator::BytecodeGenerator):
16642 (JSC::BytecodeGenerator::resolve):
16643 (JSC::BytecodeGenerator::emitResolve):
16644 (JSC::BytecodeGenerator::emitResolveWithBase):
16645 (JSC::BytecodeGenerator::emitResolveWithThis):
16646 (JSC::BytecodeGenerator::emitGetStaticVar):
16647 (JSC::BytecodeGenerator::emitPutStaticVar):
16648 * bytecompiler/BytecodeGenerator.h:
16649 (BytecodeGenerator):
16650 * bytecompiler/NodesCodegen.cpp:
16651 (JSC::FunctionCallResolveNode::emitBytecode):
16652 (JSC::PostfixResolveNode::emitBytecode):
16653 (JSC::PrefixResolveNode::emitBytecode):
16654 (JSC::ReadModifyResolveNode::emitBytecode):
16655 (JSC::AssignResolveNode::emitBytecode):
16656 (JSC::ConstDeclNode::emitCodeSingle):
16657 * dfg/DFGAbstractState.cpp:
16658 (JSC::DFG::AbstractState::execute):
16659 (JSC::DFG::AbstractState::clobberStructures):
16660 * dfg/DFGAbstractState.h:
16661 (AbstractState):
16662 (JSC::DFG::AbstractState::didClobber):
16663 * dfg/DFGByteCodeParser.cpp:
16664 (JSC::DFG::ByteCodeParser::handleInlining):
16665 (JSC::DFG::ByteCodeParser::parseBlock):
16666 * dfg/DFGCCallHelpers.h:
16667 (CCallHelpers):
16668 (JSC::DFG::CCallHelpers::setupArguments):
16669 * dfg/DFGCSEPhase.cpp:
16670 (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
16671 (CSEPhase):
16672 (JSC::DFG::CSEPhase::globalVarStoreElimination):
16673 (JSC::DFG::CSEPhase::performNodeCSE):
16674 * dfg/DFGCapabilities.h:
16675 (JSC::DFG::canCompileOpcode):
16676 * dfg/DFGConstantFoldingPhase.cpp:
16677 (JSC::DFG::ConstantFoldingPhase::run):
16678 * dfg/DFGCorrectableJumpPoint.h:
16679 (JSC::DFG::CorrectableJumpPoint::isSet):
16680 (CorrectableJumpPoint):
16681 * dfg/DFGJITCompiler.cpp:
16682 (JSC::DFG::JITCompiler::linkOSRExits):
16683 (JSC::DFG::JITCompiler::link):
16684 * dfg/DFGNode.h:
16685 (JSC::DFG::Node::hasIdentifierNumberForCheck):
16686 (Node):
16687 (JSC::DFG::Node::identifierNumberForCheck):
16688 (JSC::DFG::Node::hasRegisterPointer):
16689 * dfg/DFGNodeType.h:
16690 (DFG):
16691 * dfg/DFGOSRExit.cpp:
16692 (JSC::DFG::OSRExit::OSRExit):
16693 * dfg/DFGOSRExit.h:
16694 (OSRExit):
16695 * dfg/DFGOperations.cpp:
16696 * dfg/DFGOperations.h:
16697 * dfg/DFGPredictionPropagationPhase.cpp:
16698 (JSC::DFG::PredictionPropagationPhase::propagate):
16699 * dfg/DFGSpeculativeJIT.h:
16700 (JSC::DFG::SpeculativeJIT::callOperation):
16701 (JSC::DFG::SpeculativeJIT::appendCall):
16702 (SpeculativeJIT):
16703 (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
16704 * dfg/DFGSpeculativeJIT32_64.cpp:
16705 (JSC::DFG::SpeculativeJIT::compile):
16706 * dfg/DFGSpeculativeJIT64.cpp:
16707 (JSC::DFG::SpeculativeJIT::compile):
16708 * interpreter/Interpreter.cpp:
16709 (JSC::Interpreter::privateExecute):
16710 * jit/JIT.cpp:
16711 (JSC::JIT::privateCompileMainPass):
16712 (JSC::JIT::privateCompileSlowCases):
16713 * jit/JIT.h:
16714 * jit/JITPropertyAccess.cpp:
16715 (JSC::JIT::emit_op_put_global_var_check):
16716 (JSC):
16717 (JSC::JIT::emitSlow_op_put_global_var_check):
16718 * jit/JITPropertyAccess32_64.cpp:
16719 (JSC::JIT::emit_op_put_global_var_check):
16720 (JSC):
16721 (JSC::JIT::emitSlow_op_put_global_var_check):
16722 * jit/JITStubs.cpp:
16723 (JSC::DEFINE_STUB_FUNCTION):
16724 (JSC):
16725 * jit/JITStubs.h:
16726 * llint/LLIntSlowPaths.cpp:
16727 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
16728 (LLInt):
16729 * llint/LLIntSlowPaths.h:
16730 (LLInt):
16731 * llint/LowLevelInterpreter32_64.asm:
16732 * llint/LowLevelInterpreter64.asm:
16733 * runtime/JSObject.cpp:
16734 (JSC::JSObject::removeDirect):
16735 * runtime/JSObject.h:
16736 (JSObject):
16737 * runtime/JSSymbolTableObject.h:
16738 (JSC::symbolTableGet):
16739 (JSC::symbolTablePut):
16740 (JSC::symbolTablePutWithAttributes):
16741 * runtime/SymbolTable.cpp: Added.
16742 (JSC):
16743 (JSC::SymbolTableEntry::copySlow):
16744 (JSC::SymbolTableEntry::freeFatEntrySlow):
16745 (JSC::SymbolTableEntry::couldBeWatched):
16746 (JSC::SymbolTableEntry::attemptToWatch):
16747 (JSC::SymbolTableEntry::addressOfIsWatched):
16748 (JSC::SymbolTableEntry::addWatchpoint):
16749 (JSC::SymbolTableEntry::notifyWriteSlow):
16750 (JSC::SymbolTableEntry::inflateSlow):
16751 * runtime/SymbolTable.h:
16752 (JSC):
16753 (SymbolTableEntry):
16754 (Fast):
16755 (JSC::SymbolTableEntry::Fast::Fast):
16756 (JSC::SymbolTableEntry::Fast::isNull):
16757 (JSC::SymbolTableEntry::Fast::getIndex):
16758 (JSC::SymbolTableEntry::Fast::isReadOnly):
16759 (JSC::SymbolTableEntry::Fast::getAttributes):
16760 (JSC::SymbolTableEntry::Fast::isFat):
16761 (JSC::SymbolTableEntry::SymbolTableEntry):
16762 (JSC::SymbolTableEntry::~SymbolTableEntry):
16763 (JSC::SymbolTableEntry::operator=):
16764 (JSC::SymbolTableEntry::isNull):
16765 (JSC::SymbolTableEntry::getIndex):
16766 (JSC::SymbolTableEntry::getFast):
16767 (JSC::SymbolTableEntry::getAttributes):
16768 (JSC::SymbolTableEntry::isReadOnly):
16769 (JSC::SymbolTableEntry::watchpointSet):
16770 (JSC::SymbolTableEntry::notifyWrite):
16771 (FatEntry):
16772 (JSC::SymbolTableEntry::FatEntry::FatEntry):
16773 (JSC::SymbolTableEntry::isFat):
16774 (JSC::SymbolTableEntry::fatEntry):
16775 (JSC::SymbolTableEntry::inflate):
16776 (JSC::SymbolTableEntry::bits):
16777 (JSC::SymbolTableEntry::freeFatEntry):
16778 (JSC::SymbolTableEntry::pack):
16779 (JSC::SymbolTableEntry::isValidIndex):
16780
167812012-06-13 Sheriff Bot <webkit.review.bot@gmail.com>
16782
16783 Unreviewed, rolling out r120172.
16784 http://trac.webkit.org/changeset/120172
16785 https://bugs.webkit.org/show_bug.cgi?id=88976
16786
16787 The patch causes compilation failures on Gtk, Qt and Apple Win
16788 bots (Requested by zdobersek on #webkit).
16789
16790 * CMakeLists.txt:
16791 * GNUmakefile.list.am:
16792 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
16793 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
16794 * JavaScriptCore.xcodeproj/project.pbxproj:
16795 * Target.pri:
16796 * assembler/ARMv7Assembler.h:
16797 (JSC::ARMv7Assembler::nop):
16798 (JSC::ARMv7Assembler::label):
16799 (JSC::ARMv7Assembler::readPointer):
16800 (ARMv7Assembler):
16801 * assembler/AbstractMacroAssembler.h:
16802 (JSC):
16803 (AbstractMacroAssembler):
16804 (Label):
16805 * assembler/AssemblerBuffer.h:
16806 * assembler/MacroAssemblerARM.h:
16807 * assembler/MacroAssemblerARMv7.h:
16808 (JSC::MacroAssemblerARMv7::nop):
16809 (JSC::MacroAssemblerARMv7::jump):
16810 (JSC::MacroAssemblerARMv7::makeBranch):
16811 * assembler/MacroAssemblerMIPS.h:
16812 * assembler/MacroAssemblerSH4.h:
16813 * assembler/MacroAssemblerX86.h:
16814 (MacroAssemblerX86):
16815 (JSC::MacroAssemblerX86::moveWithPatch):
16816 * assembler/MacroAssemblerX86Common.h:
16817 * assembler/MacroAssemblerX86_64.h:
16818 (JSC::MacroAssemblerX86_64::branchTest8):
16819 * assembler/X86Assembler.h:
16820 (JSC::X86Assembler::cmpb_im):
16821 (JSC::X86Assembler::codeSize):
16822 (JSC::X86Assembler::label):
16823 (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
16824 * bytecode/CodeBlock.cpp:
16825 (JSC::CodeBlock::dump):
16826 * bytecode/CodeBlock.h:
16827 (JSC::CodeBlock::appendOSRExit):
16828 (JSC::CodeBlock::appendSpeculationRecovery):
16829 (DFGData):
16830 * bytecode/DFGExitProfile.h:
16831 (JSC::DFG::exitKindToString):
16832 (JSC::DFG::exitKindIsCountable):
16833 * bytecode/Instruction.h:
16834 * bytecode/Opcode.h:
16835 (JSC):
16836 (JSC::padOpcodeName):
16837 * bytecode/Watchpoint.cpp: Removed.
16838 * bytecode/Watchpoint.h: Removed.
16839 * bytecompiler/BytecodeGenerator.cpp:
16840 (JSC::ResolveResult::checkValidity):
16841 (JSC::BytecodeGenerator::addGlobalVar):
16842 (JSC::BytecodeGenerator::BytecodeGenerator):
16843 (JSC::BytecodeGenerator::resolve):
16844 (JSC::BytecodeGenerator::emitResolve):
16845 (JSC::BytecodeGenerator::emitResolveWithBase):
16846 (JSC::BytecodeGenerator::emitResolveWithThis):
16847 (JSC::BytecodeGenerator::emitGetStaticVar):
16848 (JSC::BytecodeGenerator::emitPutStaticVar):
16849 * bytecompiler/BytecodeGenerator.h:
16850 (BytecodeGenerator):
16851 * bytecompiler/NodesCodegen.cpp:
16852 (JSC::FunctionCallResolveNode::emitBytecode):
16853 (JSC::PostfixResolveNode::emitBytecode):
16854 (JSC::PrefixResolveNode::emitBytecode):
16855 (JSC::ReadModifyResolveNode::emitBytecode):
16856 (JSC::AssignResolveNode::emitBytecode):
16857 (JSC::ConstDeclNode::emitCodeSingle):
16858 * dfg/DFGAbstractState.cpp:
16859 (JSC::DFG::AbstractState::execute):
16860 (JSC::DFG::AbstractState::clobberStructures):
16861 * dfg/DFGAbstractState.h:
16862 (AbstractState):
16863 * dfg/DFGByteCodeParser.cpp:
16864 (JSC::DFG::ByteCodeParser::handleInlining):
16865 (JSC::DFG::ByteCodeParser::parseBlock):
16866 * dfg/DFGCCallHelpers.h:
16867 (JSC::DFG::CCallHelpers::setupArguments):
16868 * dfg/DFGCSEPhase.cpp:
16869 (JSC::DFG::CSEPhase::globalVarStoreElimination):
16870 (JSC::DFG::CSEPhase::performNodeCSE):
16871 * dfg/DFGCapabilities.h:
16872 (JSC::DFG::canCompileOpcode):
16873 * dfg/DFGConstantFoldingPhase.cpp:
16874 (JSC::DFG::ConstantFoldingPhase::run):
16875 * dfg/DFGCorrectableJumpPoint.h:
16876 * dfg/DFGJITCompiler.cpp:
16877 (JSC::DFG::JITCompiler::linkOSRExits):
16878 (JSC::DFG::JITCompiler::link):
16879 * dfg/DFGNode.h:
16880 (JSC::DFG::Node::hasRegisterPointer):
16881 * dfg/DFGNodeType.h:
16882 (DFG):
16883 * dfg/DFGOSRExit.cpp:
16884 (JSC::DFG::OSRExit::OSRExit):
16885 * dfg/DFGOSRExit.h:
16886 (OSRExit):
16887 * dfg/DFGOperations.cpp:
16888 * dfg/DFGOperations.h:
16889 * dfg/DFGPredictionPropagationPhase.cpp:
16890 (JSC::DFG::PredictionPropagationPhase::propagate):
16891 * dfg/DFGSpeculativeJIT.h:
16892 (JSC::DFG::SpeculativeJIT::callOperation):
16893 (JSC::DFG::SpeculativeJIT::appendCallSetResult):
16894 (JSC::DFG::SpeculativeJIT::speculationCheck):
16895 * dfg/DFGSpeculativeJIT32_64.cpp:
16896 (JSC::DFG::SpeculativeJIT::compile):
16897 * dfg/DFGSpeculativeJIT64.cpp:
16898 (JSC::DFG::SpeculativeJIT::compile):
16899 * jit/JIT.cpp:
16900 (JSC::JIT::privateCompileMainPass):
16901 (JSC::JIT::privateCompileSlowCases):
16902 * jit/JIT.h:
16903 * jit/JITPropertyAccess.cpp:
16904 * jit/JITPropertyAccess32_64.cpp:
16905 * jit/JITStubs.cpp:
16906 * jit/JITStubs.h:
16907 * llint/LLIntSlowPaths.cpp:
16908 * llint/LLIntSlowPaths.h:
16909 (LLInt):
16910 * llint/LowLevelInterpreter32_64.asm:
16911 * llint/LowLevelInterpreter64.asm:
16912 * runtime/JSObject.cpp:
16913 (JSC::JSObject::removeDirect):
16914 * runtime/JSObject.h:
16915 (JSObject):
16916 * runtime/JSSymbolTableObject.h:
16917 (JSC::symbolTableGet):
16918 (JSC::symbolTablePut):
16919 (JSC::symbolTablePutWithAttributes):
16920 * runtime/SymbolTable.cpp: Removed.
16921 * runtime/SymbolTable.h:
16922 (JSC):
16923 (JSC::SymbolTableEntry::isNull):
16924 (JSC::SymbolTableEntry::getIndex):
16925 (SymbolTableEntry):
16926 (JSC::SymbolTableEntry::getAttributes):
16927 (JSC::SymbolTableEntry::isReadOnly):
16928 (JSC::SymbolTableEntry::pack):
16929 (JSC::SymbolTableEntry::isValidIndex):
16930
169312012-06-12 Filip Pizlo <fpizlo@apple.com>
16932
16933 DFG should be able to set watchpoints on global variables
16934 https://bugs.webkit.org/show_bug.cgi?id=88692
16935
16936 Reviewed by Geoffrey Garen.
16937
16938 This implements global variable constant folding by allowing the optimizing
16939 compiler to set a "watchpoint" on globals that it wishes to constant fold.
16940 If the watchpoint fires, then an OSR exit is forced by overwriting the
16941 machine code that the optimizing compiler generated with a jump.
16942
16943 As such, this patch is adding quite a bit of stuff:
16944
16945 - Jump replacement on those hardware targets supported by the optimizing
16946 JIT. It is now possible to patch in a jump instruction over any recorded
16947 watchpoint label. The jump must be "local" in the sense that it must be
16948 within the range of the largest jump distance supported by a one
16949 instruction jump.
16950
16951 - WatchpointSets and Watchpoints. A Watchpoint is a doubly-linked list node
16952 that records the location where a jump must be inserted and the
16953 destination to which it should jump. Watchpoints can be added to a
16954 WatchpointSet. The WatchpointSet can be fired all at once, which plants
16955 all jumps. WatchpointSet also remembers if it had ever been invalidated,
16956 which allows for monotonicity: we typically don't want to optimize using
16957 watchpoints on something for which watchpoints had previously fired. The
16958 act of notifying a WatchpointSet has a trivial fast path in case no
16959 Watchpoints are registered (one-byte load+branch).
16960
16961 - SpeculativeJIT::speculationWatchpoint(). It's like speculationCheck(),
16962 except that you don't have to emit branches. But, you need to know what
16963 WatchpointSet to add the resulting Watchpoint to. Not everything that
16964 you could write a speculationCheck() for will have a WatchpointSet that
16965 would get notified if the condition you were speculating against became
16966 invalid.
16967
16968 - SymbolTableEntry now has the ability to refer to a WatchpointSet. It can
16969 do so without incurring any space overhead for those entries that don't
16970 have WatchpointSets.
16971
16972 - The bytecode generator infers all global function variables to be
16973 watchable, and makes all stores perform the WatchpointSet's write check,
16974 and marks all loads as being potentially watchable (i.e. you can compile
16975 them to a watchpoint and a constant).
16976
16977 Put together, this allows for fully sleazy inlining of calls to globally
16978 declared functions. The inline prologue will no longer contain the load of
16979 the function, or any checks of the function you're calling. I.e. it's
16980 pretty much like the kind of inlining you would see in Java or C++.
16981 Furthermore, the watchpointing functionality is built to be fairly general,
16982 and should allow setting watchpoints on all sorts of interesting things
16983 in the future.
16984
16985 The sleazy inlining means that we will now sometimes inline in code paths
16986 that have never executed. Previously, to inline we would have either had
16987 to have executed the call (to read the call's inline cache) or have
16988 executed the method check (to read the method check's inline cache). Now,
16989 we might inline when the callee is a watched global variable. This
16990 revealed some humorous bugs. First, constant folding disagreed with CFA
16991 over what kinds of operations can clobber (example: code path A is dead
16992 but stores a String into variable X, all other code paths store 0 into
16993 X, and then you do CompareEq(X, 0) - CFA will say that this is a non-
16994 clobbering constant, but constant folding thought it was clobbering
16995 because it saw the String prediction). Second, inlining would crash if
16996 the inline callee had not been compiled. This patch fixes both bugs,
16997 since otherwise run-javascriptcore-tests would report regressions.
16998
16999 * CMakeLists.txt:
17000 * GNUmakefile.list.am:
17001 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
17002 * JavaScriptCore.xcodeproj/project.pbxproj:
17003 * Target.pri:
17004 * assembler/ARMv7Assembler.h:
17005 (ARMv7Assembler):
17006 (JSC::ARMv7Assembler::ARMv7Assembler):
17007 (JSC::ARMv7Assembler::labelForWatchpoint):
17008 (JSC::ARMv7Assembler::label):
17009 (JSC::ARMv7Assembler::replaceWithJump):
17010 (JSC::ARMv7Assembler::maxJumpReplacementSize):
17011 * assembler/AbstractMacroAssembler.h:
17012 (JSC):
17013 (AbstractMacroAssembler):
17014 (Label):
17015 (JSC::AbstractMacroAssembler::watchpointLabel):
17016 * assembler/AssemblerBuffer.h:
17017 * assembler/MacroAssemblerARM.h:
17018 (JSC::MacroAssemblerARM::replaceWithJump):
17019 (MacroAssemblerARM):
17020 (JSC::MacroAssemblerARM::maxJumpReplacementSize):
17021 * assembler/MacroAssemblerARMv7.h:
17022 (MacroAssemblerARMv7):
17023 (JSC::MacroAssemblerARMv7::replaceWithJump):
17024 (JSC::MacroAssemblerARMv7::maxJumpReplacementSize):
17025 (JSC::MacroAssemblerARMv7::branchTest8):
17026 (JSC::MacroAssemblerARMv7::jump):
17027 (JSC::MacroAssemblerARMv7::makeBranch):
17028 * assembler/MacroAssemblerMIPS.h:
17029 (JSC::MacroAssemblerMIPS::replaceWithJump):
17030 (MacroAssemblerMIPS):
17031 (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
17032 * assembler/MacroAssemblerSH4.h:
17033 (JSC::MacroAssemblerSH4::replaceWithJump):
17034 (MacroAssemblerSH4):
17035 (JSC::MacroAssemblerSH4::maxJumpReplacementSize):
17036 * assembler/MacroAssemblerX86.h:
17037 (MacroAssemblerX86):
17038 (JSC::MacroAssemblerX86::branchTest8):
17039 * assembler/MacroAssemblerX86Common.h:
17040 (JSC::MacroAssemblerX86Common::replaceWithJump):
17041 (MacroAssemblerX86Common):
17042 (JSC::MacroAssemblerX86Common::maxJumpReplacementSize):
17043 * assembler/MacroAssemblerX86_64.h:
17044 (MacroAssemblerX86_64):
17045 (JSC::MacroAssemblerX86_64::branchTest8):
17046 * assembler/X86Assembler.h:
17047 (JSC::X86Assembler::X86Assembler):
17048 (X86Assembler):
17049 (JSC::X86Assembler::cmpb_im):
17050 (JSC::X86Assembler::testb_im):
17051 (JSC::X86Assembler::labelForWatchpoint):
17052 (JSC::X86Assembler::label):
17053 (JSC::X86Assembler::replaceWithJump):
17054 (JSC::X86Assembler::maxJumpReplacementSize):
17055 (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
17056 * bytecode/CodeBlock.cpp:
17057 (JSC::CodeBlock::dump):
17058 * bytecode/CodeBlock.h:
17059 (JSC::CodeBlock::appendOSRExit):
17060 (JSC::CodeBlock::appendSpeculationRecovery):
17061 (CodeBlock):
17062 (JSC::CodeBlock::appendWatchpoint):
17063 (JSC::CodeBlock::numberOfWatchpoints):
17064 (JSC::CodeBlock::watchpoint):
17065 (DFGData):
17066 * bytecode/DFGExitProfile.h:
17067 (JSC::DFG::exitKindToString):
17068 (JSC::DFG::exitKindIsCountable):
17069 * bytecode/Instruction.h:
17070 (Instruction):
17071 (JSC::Instruction::Instruction):
17072 * bytecode/Opcode.h:
17073 (JSC):
17074 (JSC::padOpcodeName):
17075 * bytecode/Watchpoint.cpp: Added.
17076 (JSC):
17077 (JSC::Watchpoint::~Watchpoint):
17078 (JSC::Watchpoint::correctLabels):
17079 (JSC::Watchpoint::fire):
17080 (JSC::WatchpointSet::WatchpointSet):
17081 (JSC::WatchpointSet::~WatchpointSet):
17082 (JSC::WatchpointSet::add):
17083 (JSC::WatchpointSet::notifyWriteSlow):
17084 (JSC::WatchpointSet::fireAllWatchpoints):
17085 * bytecode/Watchpoint.h: Added.
17086 (JSC):
17087 (Watchpoint):
17088 (JSC::Watchpoint::Watchpoint):
17089 (JSC::Watchpoint::setDestination):
17090 (WatchpointSet):
17091 (JSC::WatchpointSet::isStillValid):
17092 (JSC::WatchpointSet::hasBeenInvalidated):
17093 (JSC::WatchpointSet::startWatching):
17094 (JSC::WatchpointSet::notifyWrite):
17095 (JSC::WatchpointSet::addressOfIsWatched):
17096 * bytecompiler/BytecodeGenerator.cpp:
17097 (JSC::ResolveResult::checkValidity):
17098 (JSC::BytecodeGenerator::addGlobalVar):
17099 (JSC::BytecodeGenerator::BytecodeGenerator):
17100 (JSC::BytecodeGenerator::resolve):
17101 (JSC::BytecodeGenerator::emitResolve):
17102 (JSC::BytecodeGenerator::emitResolveWithBase):
17103 (JSC::BytecodeGenerator::emitResolveWithThis):
17104 (JSC::BytecodeGenerator::emitGetStaticVar):
17105 (JSC::BytecodeGenerator::emitPutStaticVar):
17106 * bytecompiler/BytecodeGenerator.h:
17107 (BytecodeGenerator):
17108 * bytecompiler/NodesCodegen.cpp:
17109 (JSC::FunctionCallResolveNode::emitBytecode):
17110 (JSC::PostfixResolveNode::emitBytecode):
17111 (JSC::PrefixResolveNode::emitBytecode):
17112 (JSC::ReadModifyResolveNode::emitBytecode):
17113 (JSC::AssignResolveNode::emitBytecode):
17114 (JSC::ConstDeclNode::emitCodeSingle):
17115 * dfg/DFGAbstractState.cpp:
17116 (JSC::DFG::AbstractState::execute):
17117 (JSC::DFG::AbstractState::clobberStructures):
17118 * dfg/DFGAbstractState.h:
17119 (AbstractState):
17120 (JSC::DFG::AbstractState::didClobber):
17121 * dfg/DFGByteCodeParser.cpp:
17122 (JSC::DFG::ByteCodeParser::handleInlining):
17123 (JSC::DFG::ByteCodeParser::parseBlock):
17124 * dfg/DFGCCallHelpers.h:
17125 (CCallHelpers):
17126 (JSC::DFG::CCallHelpers::setupArguments):
17127 * dfg/DFGCSEPhase.cpp:
17128 (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
17129 (CSEPhase):
17130 (JSC::DFG::CSEPhase::globalVarStoreElimination):
17131 (JSC::DFG::CSEPhase::performNodeCSE):
17132 * dfg/DFGCapabilities.h:
17133 (JSC::DFG::canCompileOpcode):
17134 * dfg/DFGConstantFoldingPhase.cpp:
17135 (JSC::DFG::ConstantFoldingPhase::run):
17136 * dfg/DFGCorrectableJumpPoint.h:
17137 (JSC::DFG::CorrectableJumpPoint::isSet):
17138 (CorrectableJumpPoint):
17139 * dfg/DFGJITCompiler.cpp:
17140 (JSC::DFG::JITCompiler::linkOSRExits):
17141 (JSC::DFG::JITCompiler::link):
17142 * dfg/DFGNode.h:
17143 (JSC::DFG::Node::hasIdentifierNumberForCheck):
17144 (Node):
17145 (JSC::DFG::Node::identifierNumberForCheck):
17146 (JSC::DFG::Node::hasRegisterPointer):
17147 * dfg/DFGNodeType.h:
17148 (DFG):
17149 * dfg/DFGOSRExit.cpp:
17150 (JSC::DFG::OSRExit::OSRExit):
17151 * dfg/DFGOSRExit.h:
17152 (OSRExit):
17153 * dfg/DFGOperations.cpp:
17154 * dfg/DFGOperations.h:
17155 * dfg/DFGPredictionPropagationPhase.cpp:
17156 (JSC::DFG::PredictionPropagationPhase::propagate):
17157 * dfg/DFGSpeculativeJIT.h:
17158 (JSC::DFG::SpeculativeJIT::callOperation):
17159 (JSC::DFG::SpeculativeJIT::appendCall):
17160 (SpeculativeJIT):
17161 (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
17162 * dfg/DFGSpeculativeJIT32_64.cpp:
17163 (JSC::DFG::SpeculativeJIT::compile):
17164 * dfg/DFGSpeculativeJIT64.cpp:
17165 (JSC::DFG::SpeculativeJIT::compile):
17166 * jit/JIT.cpp:
17167 (JSC::JIT::privateCompileMainPass):
17168 (JSC::JIT::privateCompileSlowCases):
17169 * jit/JIT.h:
17170 * jit/JITPropertyAccess.cpp:
17171 (JSC::JIT::emit_op_put_global_var_check):
17172 (JSC):
17173 (JSC::JIT::emitSlow_op_put_global_var_check):
17174 * jit/JITPropertyAccess32_64.cpp:
17175 (JSC::JIT::emit_op_put_global_var_check):
17176 (JSC):
17177 (JSC::JIT::emitSlow_op_put_global_var_check):
17178 * jit/JITStubs.cpp:
17179 (JSC::JITThunks::JITThunks):
17180 (JSC::DEFINE_STUB_FUNCTION):
17181 (JSC):
17182 * jit/JITStubs.h:
17183 * llint/LLIntSlowPaths.cpp:
17184 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
17185 (LLInt):
17186 * llint/LLIntSlowPaths.h:
17187 (LLInt):
17188 * llint/LowLevelInterpreter32_64.asm:
17189 * llint/LowLevelInterpreter64.asm:
17190 * runtime/JSObject.cpp:
17191 (JSC::JSObject::removeDirect):
17192 * runtime/JSObject.h:
17193 (JSObject):
17194 * runtime/JSSymbolTableObject.h:
17195 (JSC::symbolTableGet):
17196 (JSC::symbolTablePut):
17197 (JSC::symbolTablePutWithAttributes):
17198 * runtime/SymbolTable.cpp: Added.
17199 (JSC):
17200 (JSC::SymbolTableEntry::copySlow):
17201 (JSC::SymbolTableEntry::freeFatEntrySlow):
17202 (JSC::SymbolTableEntry::couldBeWatched):
17203 (JSC::SymbolTableEntry::attemptToWatch):
17204 (JSC::SymbolTableEntry::addressOfIsWatched):
17205 (JSC::SymbolTableEntry::addWatchpoint):
17206 (JSC::SymbolTableEntry::notifyWriteSlow):
17207 (JSC::SymbolTableEntry::inflateSlow):
17208 * runtime/SymbolTable.h:
17209 (JSC):
17210 (SymbolTableEntry):
17211 (Fast):
17212 (JSC::SymbolTableEntry::Fast::Fast):
17213 (JSC::SymbolTableEntry::Fast::isNull):
17214 (JSC::SymbolTableEntry::Fast::getIndex):
17215 (JSC::SymbolTableEntry::Fast::isReadOnly):
17216 (JSC::SymbolTableEntry::Fast::getAttributes):
17217 (JSC::SymbolTableEntry::Fast::isFat):
17218 (JSC::SymbolTableEntry::SymbolTableEntry):
17219 (JSC::SymbolTableEntry::~SymbolTableEntry):
17220 (JSC::SymbolTableEntry::operator=):
17221 (JSC::SymbolTableEntry::isNull):
17222 (JSC::SymbolTableEntry::getIndex):
17223 (JSC::SymbolTableEntry::getFast):
17224 (JSC::SymbolTableEntry::getAttributes):
17225 (JSC::SymbolTableEntry::isReadOnly):
17226 (JSC::SymbolTableEntry::watchpointSet):
17227 (JSC::SymbolTableEntry::notifyWrite):
17228 (FatEntry):
17229 (JSC::SymbolTableEntry::FatEntry::FatEntry):
17230 (JSC::SymbolTableEntry::isFat):
17231 (JSC::SymbolTableEntry::fatEntry):
17232 (JSC::SymbolTableEntry::inflate):
17233 (JSC::SymbolTableEntry::bits):
17234 (JSC::SymbolTableEntry::freeFatEntry):
17235 (JSC::SymbolTableEntry::pack):
17236 (JSC::SymbolTableEntry::isValidIndex):
17237
172382012-06-12 Filip Pizlo <fpizlo@apple.com>
17239
17240 Unreviewed build fix for ARMv7 debug builds.
17241
17242 * jit/JITStubs.cpp:
17243 (JSC::JITThunks::JITThunks):
17244
172452012-06-12 Geoffrey Garen <ggaren@apple.com>
17246
17247 Build fix for case-sensitive file systems: use the right case.
17248
17249 * heap/ListableHandler.h:
17250
172512012-06-11 Geoffrey Garen <ggaren@apple.com>
17252
17253 GC should be 1.7X faster
17254 https://bugs.webkit.org/show_bug.cgi?id=88840
17255
17256 Reviewed by Oliver Hunt.
17257
17258 I profiled, and removed anything that showed up as a concurrency
17259 bottleneck. Then, I added 3 threads to our max thread count, since we
17260 can scale up to more threads now.
17261
17262 * heap/BlockAllocator.cpp:
17263 (JSC::BlockAllocator::BlockAllocator):
17264 (JSC::BlockAllocator::~BlockAllocator):
17265 (JSC::BlockAllocator::releaseFreeBlocks):
17266 (JSC::BlockAllocator::waitForRelativeTimeWhileHoldingLock):
17267 (JSC::BlockAllocator::waitForRelativeTime):
17268 (JSC::BlockAllocator::blockFreeingThreadMain):
17269 * heap/BlockAllocator.h:
17270 (BlockAllocator):
17271 (JSC::BlockAllocator::allocate):
17272 (JSC::BlockAllocator::deallocate): Use a spin lock for the common case
17273 where we're just popping a linked list. (A pthread mutex would sleep our
17274 thread even if the lock were only contended for a microsecond.)
17275
17276 Scope the lock to avoid holding it while allocating VM, since that's a
17277 slow activity and it doesn't modify any of our data structures.
17278
17279 We still use a pthread mutex to handle our condition variable since we
17280 have to, and it's not a hot path.
17281
17282 * heap/CopiedSpace.cpp:
17283 (JSC::CopiedSpace::CopiedSpace):
17284 (JSC::CopiedSpace::doneFillingBlock):
17285 * heap/CopiedSpace.h:
17286 (JSC::CopiedSpace::CopiedSpace): Use a spin lock for the to space lock,
17287 since it just guards linked list and hash table manipulation.
17288
17289 * heap/MarkStack.cpp:
17290 (JSC::MarkStackSegmentAllocator::MarkStackSegmentAllocator):
17291 (JSC::MarkStackSegmentAllocator::allocate):
17292 (JSC::MarkStackSegmentAllocator::release):
17293 (JSC::MarkStackSegmentAllocator::shrinkReserve): Use a spin lock, since
17294 we're just managing a linked list.
17295
17296 (JSC::MarkStackArray::donateSomeCellsTo): Changed donation to be proportional
17297 to our current stack size. This fixes cases where we used to donate too
17298 much. Interestingly, donating too much was starving the donor (when it
17299 ran out of work later) *and* the recipient (since it had to wait on a
17300 long donation operation to complete before it could acquire the lock).
17301
17302 In the worst case, we're still guaranteed to donate N cells in roughly log N time.
17303
17304 This change also fixes cases where we used to donate too little, since
17305 we would always keep a fixed minimum number of cells. In the worst case,
17306 with N marking threads, would could have N large object graph roots in
17307 our stack for the duration of GC, and scale to only 1 thread.
17308
17309 It's an interesting observation that a single object in the mark stack
17310 might represent an arbitrarily large object graph -- and only the act
17311 of marking can find out.
17312
17313 (JSC::MarkStackArray::stealSomeCellsFrom): Steal in proportion to idle
17314 threads. Once again, this fixes cases where constants could cause us
17315 to steal too much or too little.
17316
17317 (JSC::SlotVisitor::donateKnownParallel): Always wake up other threads
17318 if they're idle. We can afford to do this because we're conservative
17319 about when we donate.
17320
17321 (JSC::SlotVisitor::drainFromShared):
17322 * heap/MarkStack.h:
17323 (MarkStackSegmentAllocator):
17324 (MarkStackArray):
17325 (JSC):
17326 * heap/SlotVisitor.h: Merged the "should I donate?" decision into a
17327 single function, for simplicity.
17328
17329 * runtime/Options.cpp:
17330 (minimumNumberOfScansBetweenRebalance): Reduced the delay before donation
17331 a lot. We can afford to do this because, in the common case, donation is
17332 a single branch that decides not to donate.
17333
17334 (cpusToUse): Use more CPUs now, since we scale better now.
17335
17336 * runtime/Options.h:
17337 (Options): Removed now-unused variables.
17338
173392012-06-12 Filip Pizlo <fpizlo@apple.com>
17340
17341 REGRESSION(120121): inspector tests crash in DFG
17342 https://bugs.webkit.org/show_bug.cgi?id=88941
17343
17344 Reviewed by Geoffrey Garen.
17345
17346 The CFG simplifier has two different ways of fixing up GetLocal, Phantom, and Flush. If we've
17347 already fixed up the node one way, we shouldn't try the other way. The reason why we shouldn't
17348 is that the second way depends on the node referring to other nodes in the to-be-jettisoned
17349 block. After fixup they potentially will refer to nodes in the block being merged to.
17350
17351 * dfg/DFGCFGSimplificationPhase.cpp:
17352 (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
17353 (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
17354
173552012-06-12 Leo Yang <leo.yang@torchmobile.com.cn>
17356
17357 Dynamic hash table in DOMObjectHashTableMap is wrong in multiple threads
17358 https://bugs.webkit.org/show_bug.cgi?id=87334
17359
17360 Reviewed by Geoffrey Garen.
17361
17362 Add a copy member function to JSC::HasTable. This function will copy all data
17363 members except for *table* which contains thread specific data that prevents
17364 up copying it. When you want to copy a JSC::HashTable that was constructed
17365 on another thread you should call JSC::HashTable::copy().
17366
17367 * runtime/Lookup.h:
17368 (JSC::HashTable::copy):
17369 (HashTable):
17370
173712012-06-12 Filip Pizlo <fpizlo@apple.com>
17372
17373 DFG should not ASSERT if you have a double use of a variable that is not revealed to be a double
17374 until after CFG simplification
17375 https://bugs.webkit.org/show_bug.cgi?id=88927
17376 <rdar://problem/11513971>
17377
17378 Reviewed by Geoffrey Garen.
17379
17380 Speculation fixup needs to run if simplification did things, because simplification can change
17381 predictions - particularly if you had a control flow path that stored weird things into a
17382 variable, but that path got axed by the simplifier.
17383
17384 Running fixup in the fixpoint requires making it idempotent, which it previously wasn't. Only
17385 one place needed to be changed, namely the un-MustGenerate-ion of ValueToInt32.
17386
17387 * dfg/DFGDriver.cpp:
17388 (JSC::DFG::compile):
17389 * dfg/DFGFixupPhase.cpp:
17390 (JSC::DFG::FixupPhase::fixupNode):
17391
173922012-06-12 Filip Pizlo <fpizlo@apple.com>
17393
17394 REGRESSION (r119779): Javascript TypeError: 'undefined' is not an object
17395 https://bugs.webkit.org/show_bug.cgi?id=88783
17396 <rdar://problem/11640299>
17397
17398 Reviewed by Geoffrey Garen.
17399
17400 If you don't keep alive the base of an object access over the various checks
17401 you do for the prototype chain, you're going to have a bad time.
17402
17403 * dfg/DFGByteCodeParser.cpp:
17404 (JSC::DFG::ByteCodeParser::handleGetById):
17405
174062012-06-12 Hojong Han <hojong.han@samsung.com>
17407
17408 Property names of the built-in object cannot be retrieved
17409 after trying to delete one of its properties
17410 https://bugs.webkit.org/show_bug.cgi?id=86461
17411
17412 Reviewed by Gavin Barraclough.
17413
17414 * runtime/JSObject.cpp:
17415 (JSC::getClassPropertyNames):
17416 (JSC::JSObject::getOwnPropertyNames):
17417
174182012-06-11 Gyuyoung Kim <gyuyoung.kim@samsung.com>
17419
17420 [CMAKE][EFL] Remove duplicated executable output path
17421 https://bugs.webkit.org/show_bug.cgi?id=88765
17422
17423 Reviewed by Daniel Bates.
17424
17425 CMake files for EFL port have redefined executable output path. However, EFL port doesn't
17426 need to define again because it is already defined in top-level CMake file.
17427
17428 * shell/CMakeLists.txt:
17429
174302012-06-11 Carlos Garcia Campos <cgarcia@igalia.com>
17431
17432 Unreviewed. Fix make distcheck issues.
17433
17434 * GNUmakefile.list.am: Remove non existent header file.
17435
174362012-06-10 Patrick Gansterer <paroga@webkit.org>
17437
17438 Unreviewed. Build fix for !ENABLE(JIT) after r119844 and r119925.
17439
17440 * runtime/Executable.h:
17441 (ExecutableBase):
17442 (JSC::ExecutableBase::clearCodeVirtual):
17443
174442012-06-10 Patrick Gansterer <paroga@webkit.org>
17445
17446 Unreviewed. Build fix for !ENABLE(JIT) after r119844.
17447
17448 * runtime/Executable.h:
17449 (ExecutableBase):
17450 (JSC):
17451
174522012-06-09 Dominic Cooney <dominicc@chromium.org>
17453
17454 [Chromium] Remove JavaScriptCore dependencies from gyp
17455 https://bugs.webkit.org/show_bug.cgi?id=88510
17456
17457 Reviewed by Adam Barth.
17458
17459 Chromium doesn't support JSC any more and there doesn't seem to be
17460 a strong interest in using GYP as the common build system in other
17461 ports.
17462
17463 * JavaScriptCore.gyp/JavaScriptCore.gyp: WebCore still depends on YARR interpreter.
17464 * JavaScriptCore.gypi: Only include YARR source.
17465 * gyp/JavaScriptCore.gyp: Removed.
17466 * gyp/gtk.gyp: Removed.
17467
174682012-06-09 Geoffrey Garen <ggaren@apple.com>
17469
17470 Unreviewed, rolling back in part2 of r118646.
17471
17472 This patch removes eager finalization.
17473
17474 Weak pointer finalization should be lazy
17475 https://bugs.webkit.org/show_bug.cgi?id=87599
17476
17477 Reviewed by Sam Weinig.
17478
17479 * heap/Heap.cpp:
17480 (JSC::Heap::collect): Don't finalize eagerly -- we'll do it lazily.
17481
17482 * heap/MarkedBlock.cpp:
17483 (JSC::MarkedBlock::sweep): Do sweep weak sets when sweeping a block,
17484 since we won't get another chance.
17485
17486 * heap/MarkedBlock.h:
17487 (JSC::MarkedBlock::sweepWeakSet):
17488 * heap/MarkedSpace.cpp:
17489 (MarkedSpace::WeakSetSweep):
17490 * heap/MarkedSpace.h:
17491 (JSC::MarkedSpace::sweepWeakSets): Removed now-unused code.
17492
174932012-06-09 Sukolsak Sakshuwong <sukolsak@google.com>
17494
17495 Add UNDO_MANAGER flag
17496 https://bugs.webkit.org/show_bug.cgi?id=87908
17497
17498 Reviewed by Tony Chang.
17499
17500 * Configurations/FeatureDefines.xcconfig:
17501
175022012-06-08 Geoffrey Garen <ggaren@apple.com>
17503
17504 Unreviewed, rolling back in part1 of r118646.
17505
17506 This patch includes everything necessary for lazy finalization, but
17507 keeps eager finalization enabled for the time being.
17508
17509 Weak pointer finalization should be lazy
17510 https://bugs.webkit.org/show_bug.cgi?id=87599
17511
17512 Reviewed by Sam Weinig.
17513
17514 * heap/MarkedBlock.cpp:
17515 * heap/MarkedBlock.h:
17516 (JSC::MarkedBlock::resetAllocator):
17517 * heap/MarkedSpace.cpp:
17518 (JSC::MarkedSpace::resetAllocators):
17519 * heap/MarkedSpace.h:
17520 (JSC::MarkedSpace::resetAllocators): Don't force allocator reset anymore.
17521 It will happen automatically when a weak set is swept. It's simpler to
17522 have only one canonical way for this to happen, and it wasn't buying
17523 us anything to do it eagerly.
17524 * heap/WeakBlock.cpp:
17525 (JSC::WeakBlock::sweep): Don't short-circuit a sweep unless we know
17526 the sweep would be a no-op. If even one finalizer is pending, we need to
17527 run it, since we won't get another chance.
17528 * heap/WeakSet.cpp:
17529 (JSC::WeakSet::sweep): This loop can be simpler now that
17530 WeakBlock::sweep() does what we mean.
17531 Reset our allocator after a sweep because this is the optimal time to
17532 start trying to recycle old weak pointers.
17533 (JSC::WeakSet::tryFindAllocator): Don't sweep when searching for an
17534 allocator because we've swept already, and forcing a new sweep would be
17535 wasteful.
17536 * heap/WeakSet.h:
17537 (JSC::WeakSet::shrink): Be sure to reset our allocator after a shrink
17538 because the shrink may have removed the block the allocator was going to
17539 allocate out of.
17540
175412012-06-08 Gavin Barraclough <barraclough@apple.com>
17542
17543 Unreviewed roll out r119795.
17544
17545 This broke jquery/core.html
17546
17547 * dfg/DFGSpeculativeJIT.h:
17548 (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
17549 * jit/JITInlineMethods.h:
17550 (JSC::JIT::emitAllocateBasicJSObject):
17551 * llint/LowLevelInterpreter.asm:
17552 * runtime/JSGlobalData.h:
17553 (JSGlobalData):
17554 * runtime/JSGlobalThis.cpp:
17555 (JSC::JSGlobalThis::setUnwrappedObject):
17556 * runtime/JSObject.cpp:
17557 (JSC::JSObject::visitChildren):
17558 (JSC::JSObject::createInheritorID):
17559 * runtime/JSObject.h:
17560 (JSObject):
17561 (JSC::JSObject::resetInheritorID):
17562 (JSC):
17563 (JSC::JSObject::offsetOfInheritorID):
17564 (JSC::JSObject::inheritorID):
17565
175662012-06-08 Filip Pizlo <fpizlo@apple.com>
17567
17568 PredictedType should be called SpeculatedType
17569 https://bugs.webkit.org/show_bug.cgi?id=88477
17570
17571 Unreviewed, fix a renaming goof from http://trac.webkit.org/changeset/119660.
17572 I accidentally renamed ByteCodeParser::getPrediction to
17573 ByteCodeParser::getSpeculation. That was not the intent. This changes it
17574 back.
17575
17576 * dfg/DFGByteCodeParser.cpp:
17577 (JSC::DFG::ByteCodeParser::addCall):
17578 (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
17579 (JSC::DFG::ByteCodeParser::getPrediction):
17580 (JSC::DFG::ByteCodeParser::handleCall):
17581 (JSC::DFG::ByteCodeParser::parseBlock):
17582
175832012-06-08 Andy Wingo <wingo@igalia.com>
17584
17585 Explictly mark stubs called by JIT as being internal
17586 https://bugs.webkit.org/show_bug.cgi?id=88552
17587
17588 Reviewed by Filip Pizlo.
17589
17590 * dfg/DFGOSRExitCompiler.h:
17591 * dfg/DFGOperations.cpp:
17592 * dfg/DFGOperations.h:
17593 * jit/HostCallReturnValue.h:
17594 * jit/JITStubs.cpp:
17595 * jit/JITStubs.h:
17596 * jit/ThunkGenerators.cpp:
17597 * llint/LLIntSlowPaths.h: Mark a bunch of stubs as being
17598 WTF_INTERNAL. Change most calls to SYMBOL_STRING_RELOCATION to
17599 LOCAL_REFERENCE, or GLOBAL_REFERENCE in the case of the wrappers
17600 to truly global symbols.
17601 * offlineasm/asm.rb: Generate LOCAL_REFERENCE instead of
17602 SYMBOL_STRING_RELOCATION.
17603
176042012-06-08 Geoffrey Garen <ggaren@apple.com>
17605
17606 Don't rely on weak pointers for eager CodeBlock finalization
17607 https://bugs.webkit.org/show_bug.cgi?id=88465
17608
17609 Reviewed by Gavin Barraclough.
17610
17611 This is incompatible with lazy weak pointer finalization.
17612
17613 I considered just making CodeBlock finalization lazy-friendly, but it
17614 turns out that the heap is already way up in CodeBlock's business when
17615 it comes to finalization, so I decided to finish the job and move full
17616 responsibility for CodeBlock finalization into the heap.
17617
17618 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Maybe this
17619 will build.
17620
17621 * debugger/Debugger.cpp: Updated for rename.
17622
17623 * heap/Heap.cpp:
17624 (JSC::Heap::deleteAllCompiledCode): Renamed for consistency. Fixed a bug
17625 where we would not delete code for a code block that had been previously
17626 jettisoned. I don't know if this happens in practice -- I mostly did
17627 this to improve consistency with deleteUnmarkedCompiledCode.
17628
17629 (JSC::Heap::deleteUnmarkedCompiledCode): New function, responsible for
17630 eager finalization of unmarked code blocks.
17631
17632 (JSC::Heap::collect): Updated for rename. Updated to call
17633 deleteUnmarkedCompiledCode(), which takes care of jettisoned DFG code
17634 blocks too.
17635
17636 (JSC::Heap::addCompiledCode): Renamed, since this points to all code
17637 now, not just functions.
17638
17639 * heap/Heap.h:
17640 (Heap): Keep track of all user code, not just functions. This is a
17641 negligible additional overhead, since most code is function code.
17642
17643 * runtime/Executable.cpp:
17644 (JSC::*::finalize): Removed these functions, since we don't rely on
17645 weak pointer finalization anymore.
17646
17647 (JSC::FunctionExecutable::FunctionExecutable): Moved linked-list stuff
17648 into base class so all executables can be in the list.
17649
17650 (JSC::EvalExecutable::clearCode):
17651 (JSC::ProgramExecutable::clearCode):
17652 (JSC::FunctionExecutable::clearCode): All we need to do is delete our
17653 CodeBlock -- that will delete all of its internal data structures.
17654
17655 (JSC::FunctionExecutable::clearCodeIfNotCompiling): Factored out a helper
17656 function to improve clarity.
17657
17658 * runtime/Executable.h:
17659 (JSC::ExecutableBase): Moved linked-list stuff
17660 into base class so all executables can be in the list.
17661
17662 (JSC::NativeExecutable::create):
17663 (NativeExecutable):
17664 (ScriptExecutable):
17665 (JSC::ScriptExecutable::finishCreation):
17666 (JSC::EvalExecutable::create):
17667 (EvalExecutable):
17668 (JSC::ProgramExecutable::create):
17669 (ProgramExecutable):
17670 (FunctionExecutable):
17671 (JSC::FunctionExecutable::create): Don't use a finalizer -- the heap
17672 will call us back to destroy our code block.
17673
17674 (JSC::FunctionExecutable::discardCode): Renamed to clearCodeIfNotCompiling()
17675 for clarity.
17676
17677 (JSC::FunctionExecutable::isCompiling): New helper function, for clarity.
17678
17679 (JSC::ScriptExecutable::clearCodeVirtual): New helper function, since
17680 the heap needs to make polymorphic calls to clear code.
17681
17682 * runtime/JSGlobalData.cpp:
17683 (JSC::StackPreservingRecompiler::operator()):
17684 * runtime/JSGlobalObject.cpp:
17685 (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope): Updated for
17686 renames.
17687
176882012-06-07 Filip Pizlo <fpizlo@apple.com>
17689
17690 DFG should inline prototype chain accesses, and do the right things if the
17691 specific function optimization is available
17692 https://bugs.webkit.org/show_bug.cgi?id=88594
17693
17694 Reviewed by Gavin Barraclough.
17695
17696 Looks like a 3% win on V8.
17697
17698 * bytecode/CodeBlock.h:
17699 (JSC::Structure::prototypeForLookup):
17700 (JSC):
17701 * bytecode/GetByIdStatus.cpp:
17702 (JSC::GetByIdStatus::computeFromLLInt):
17703 (JSC):
17704 (JSC::GetByIdStatus::computeForChain):
17705 (JSC::GetByIdStatus::computeFor):
17706 * bytecode/GetByIdStatus.h:
17707 (JSC::GetByIdStatus::GetByIdStatus):
17708 (JSC::GetByIdStatus::isSimple):
17709 (JSC::GetByIdStatus::chain):
17710 (JSC::GetByIdStatus::specificValue):
17711 (GetByIdStatus):
17712 * bytecode/StructureSet.h:
17713 (StructureSet):
17714 (JSC::StructureSet::singletonStructure):
17715 * bytecode/StructureStubInfo.h:
17716 (JSC::StructureStubInfo::initGetByIdProto):
17717 (JSC::StructureStubInfo::initGetByIdChain):
17718 * dfg/DFGByteCodeParser.cpp:
17719 (JSC::DFG::ByteCodeParser::handleGetById):
17720 * dfg/DFGRepatch.cpp:
17721 (JSC::DFG::tryCacheGetByID):
17722 * jit/JITStubs.cpp:
17723 (JSC::JITThunks::tryCacheGetByID):
17724 * runtime/JSGlobalObject.h:
17725 (JSC::Structure::prototypeForLookup):
17726 (JSC):
17727 * runtime/Structure.h:
17728 (Structure):
17729
177302012-06-07 Gavin Barraclough <barraclough@apple.com>
17731
17732 Remove JSObject::m_inheritorID
17733 https://bugs.webkit.org/show_bug.cgi?id=88378
17734
17735 Reviewed by Geoff Garen.
17736
17737 This is rarely used, and not performance critical (the commonly accessed copy is cached on JSFunction),
17738 and most objects don't need an inheritorID (this value is only used if the object is used as a prototype).
17739 Instead use a private named value in the object's property storage.
17740
17741 * dfg/DFGSpeculativeJIT.h:
17742 (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
17743 - No need m_inheritorID to initialize!
17744 * jit/JITInlineMethods.h:
17745 (JSC::JIT::emitAllocateBasicJSObject):
17746 - No need m_inheritorID to initialize!
17747 * llint/LowLevelInterpreter.asm:
17748 - No need m_inheritorID to initialize!
17749 * runtime/JSGlobalData.h:
17750 (JSGlobalData):
17751 - Added private name 'm_inheritorIDKey'.
17752 * runtime/JSGlobalThis.cpp:
17753 (JSC::JSGlobalThis::setUnwrappedObject):
17754 - resetInheritorID is now passed a JSGlobalData&.
17755 * runtime/JSObject.cpp:
17756 (JSC::JSObject::visitChildren):
17757 - No m_inheritorID to be marked.
17758 (JSC::JSObject::createInheritorID):
17759 - Store the newly created inheritorID in the property map.
17760 * runtime/JSObject.h:
17761 (JSC::JSObject::resetInheritorID):
17762 - Remove the inheritorID from property storage.
17763 (JSC::JSObject::inheritorID):
17764 - Read the inheritorID from property storage.
17765
177662012-06-07 Gavin Barraclough <barraclough@apple.com>
17767
17768 Math.pow on iOS does not support denormal numbers.
17769 https://bugs.webkit.org/show_bug.cgi?id=88592
17770
17771 Reviewed by Filip Pizlo.
17772
17773 Import an implementation from fdlibm, detect cases where it is safe to use the system
17774 implementation & where we should fall back to fdlibm.
17775
17776 * runtime/MathObject.cpp:
17777 (JSC::isDenormal):
17778 (JSC::isEdgeCase):
17779 (JSC::mathPow):
17780 - On iOS, detect cases where denormal support may be required & use fdlibm in these cases.
17781 (JSC::mathProtoFuncPow):
17782 - Changed to use mathPow.
17783 (JSC::fdlibmScalbn):
17784 (JSC::fdlibmPow):
17785 - These functions imported from fdlibm; original style retained to ease future merging.
17786
177872012-06-07 Patrick Gansterer <paroga@webkit.org>
17788
17789 Unreviewed. Build fix for !ENABLE(JIT) after r119441.
17790
17791 * interpreter/Interpreter.cpp:
17792 (JSC::Interpreter::privateExecute):
17793
177942012-06-07 Andy Wingo <wingo@igalia.com>
17795
17796 Unreviewed build fix after r119593.
17797
17798 * llint/LLIntOfflineAsmConfig.h (OFFLINE_ASM_GLOBAL_LABEL): Fix
17799 uses of "name" to be "label", the macro's parameter. Otherwise we
17800 serialize mentions of the literal symbol "name" into the objcode.
17801 Causes a build error using GNU ld (not gold).
17802
178032012-06-06 Ryosuke Niwa <rniwa@webkit.org>
17804
17805 Chromium build fix attempt. Why do we need to list these files in gyp!?
17806
17807 * JavaScriptCore.gypi:
17808
178092012-06-06 Filip Pizlo <fpizlo@apple.com>
17810
17811 PredictedType should be called SpeculatedType
17812 https://bugs.webkit.org/show_bug.cgi?id=88477
17813
17814 Rubber stamped by Gavin Barraclough.
17815
17816 * CMakeLists.txt:
17817 * GNUmakefile.list.am:
17818 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
17819 * JavaScriptCore.xcodeproj/project.pbxproj:
17820 * Target.pri:
17821 * bytecode/CodeBlock.cpp:
17822 (JSC::CodeBlock::shouldOptimizeNow):
17823 (JSC::CodeBlock::dumpValueProfiles):
17824 * bytecode/CodeBlock.h:
17825 (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
17826 * bytecode/LazyOperandValueProfile.cpp:
17827 (JSC::LazyOperandValueProfileParser::prediction):
17828 * bytecode/LazyOperandValueProfile.h:
17829 (LazyOperandValueProfileParser):
17830 * bytecode/PredictedType.cpp: Removed.
17831 * bytecode/PredictedType.h: Removed.
17832 * bytecode/SpeculatedType.cpp: Copied from Source/JavaScriptCore/bytecode/PredictedType.cpp.
17833 (JSC::speculationToString):
17834 (JSC::speculationToAbbreviatedString):
17835 (JSC::speculationFromClassInfo):
17836 (JSC::speculationFromStructure):
17837 (JSC::speculationFromCell):
17838 (JSC::speculationFromValue):
17839 * bytecode/SpeculatedType.h: Copied from Source/JavaScriptCore/bytecode/PredictedType.h.
17840 (JSC):
17841 (JSC::isAnySpeculation):
17842 (JSC::isCellSpeculation):
17843 (JSC::isObjectSpeculation):
17844 (JSC::isFinalObjectSpeculation):
17845 (JSC::isFinalObjectOrOtherSpeculation):
17846 (JSC::isFixedIndexedStorageObjectSpeculation):
17847 (JSC::isStringSpeculation):
17848 (JSC::isArraySpeculation):
17849 (JSC::isFunctionSpeculation):
17850 (JSC::isInt8ArraySpeculation):
17851 (JSC::isInt16ArraySpeculation):
17852 (JSC::isInt32ArraySpeculation):
17853 (JSC::isUint8ArraySpeculation):
17854 (JSC::isUint8ClampedArraySpeculation):
17855 (JSC::isUint16ArraySpeculation):
17856 (JSC::isUint32ArraySpeculation):
17857 (JSC::isFloat32ArraySpeculation):
17858 (JSC::isFloat64ArraySpeculation):
17859 (JSC::isArgumentsSpeculation):
17860 (JSC::isActionableIntMutableArraySpeculation):
17861 (JSC::isActionableFloatMutableArraySpeculation):
17862 (JSC::isActionableTypedMutableArraySpeculation):
17863 (JSC::isActionableMutableArraySpeculation):
17864 (JSC::isActionableArraySpeculation):
17865 (JSC::isArrayOrOtherSpeculation):
17866 (JSC::isMyArgumentsSpeculation):
17867 (JSC::isInt32Speculation):
17868 (JSC::isDoubleRealSpeculation):
17869 (JSC::isDoubleSpeculation):
17870 (JSC::isNumberSpeculation):
17871 (JSC::isBooleanSpeculation):
17872 (JSC::isOtherSpeculation):
17873 (JSC::isEmptySpeculation):
17874 (JSC::mergeSpeculations):
17875 (JSC::mergeSpeculation):
17876 * bytecode/StructureSet.h:
17877 (JSC::StructureSet::speculationFromStructures):
17878 * bytecode/ValueProfile.h:
17879 (JSC::ValueProfileBase::ValueProfileBase):
17880 (JSC::ValueProfileBase::dump):
17881 (JSC::ValueProfileBase::computeUpdatedPrediction):
17882 (ValueProfileBase):
17883 * dfg/DFGAbstractState.cpp:
17884 (JSC::DFG::AbstractState::initialize):
17885 (JSC::DFG::AbstractState::execute):
17886 (JSC::DFG::AbstractState::mergeStateAtTail):
17887 * dfg/DFGAbstractState.h:
17888 (JSC::DFG::AbstractState::speculateInt32Unary):
17889 (JSC::DFG::AbstractState::speculateNumberUnary):
17890 (JSC::DFG::AbstractState::speculateBooleanUnary):
17891 (JSC::DFG::AbstractState::speculateInt32Binary):
17892 (JSC::DFG::AbstractState::speculateNumberBinary):
17893 * dfg/DFGAbstractValue.h:
17894 (JSC::DFG::StructureAbstractValue::filter):
17895 (JSC::DFG::StructureAbstractValue::speculationFromStructures):
17896 (JSC::DFG::AbstractValue::AbstractValue):
17897 (JSC::DFG::AbstractValue::clear):
17898 (JSC::DFG::AbstractValue::isClear):
17899 (JSC::DFG::AbstractValue::makeTop):
17900 (JSC::DFG::AbstractValue::clobberStructures):
17901 (JSC::DFG::AbstractValue::isTop):
17902 (JSC::DFG::AbstractValue::set):
17903 (JSC::DFG::AbstractValue::merge):
17904 (JSC::DFG::AbstractValue::filter):
17905 (JSC::DFG::AbstractValue::validateIgnoringValue):
17906 (JSC::DFG::AbstractValue::validate):
17907 (JSC::DFG::AbstractValue::checkConsistency):
17908 (JSC::DFG::AbstractValue::dump):
17909 (AbstractValue):
17910 * dfg/DFGArgumentPosition.h:
17911 (JSC::DFG::ArgumentPosition::ArgumentPosition):
17912 (JSC::DFG::ArgumentPosition::mergeArgumentAwareness):
17913 (JSC::DFG::ArgumentPosition::prediction):
17914 (ArgumentPosition):
17915 * dfg/DFGArgumentsSimplificationPhase.cpp:
17916 (JSC::DFG::ArgumentsSimplificationPhase::run):
17917 * dfg/DFGByteCodeParser.cpp:
17918 (ByteCodeParser):
17919 (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
17920 (JSC::DFG::ByteCodeParser::getLocal):
17921 (JSC::DFG::ByteCodeParser::getArgument):
17922 (JSC::DFG::ByteCodeParser::addCall):
17923 (JSC::DFG::ByteCodeParser::getSpeculationWithoutOSRExit):
17924 (JSC::DFG::ByteCodeParser::getSpeculation):
17925 (InlineStackEntry):
17926 (JSC::DFG::ByteCodeParser::handleCall):
17927 (JSC::DFG::ByteCodeParser::handleIntrinsic):
17928 (JSC::DFG::ByteCodeParser::handleGetById):
17929 (JSC::DFG::ByteCodeParser::parseBlock):
17930 (JSC::DFG::ByteCodeParser::fixVariableAccessSpeculations):
17931 (JSC::DFG::ByteCodeParser::parse):
17932 * dfg/DFGCSEPhase.cpp:
17933 (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
17934 (JSC::DFG::CSEPhase::performNodeCSE):
17935 * dfg/DFGConstantFoldingPhase.cpp:
17936 (JSC::DFG::ConstantFoldingPhase::run):
17937 * dfg/DFGFixupPhase.cpp:
17938 (JSC::DFG::FixupPhase::fixupNode):
17939 (JSC::DFG::FixupPhase::fixDoubleEdge):
17940 * dfg/DFGGraph.cpp:
17941 (JSC::DFG::Graph::nameOfVariableAccessData):
17942 (JSC::DFG::Graph::dump):
17943 (JSC::DFG::Graph::predictArgumentTypes):
17944 * dfg/DFGGraph.h:
17945 (JSC::DFG::Graph::getJSConstantSpeculation):
17946 (JSC::DFG::Graph::isPredictedNumerical):
17947 (JSC::DFG::Graph::byValIsPure):
17948 * dfg/DFGJITCompiler.h:
17949 (JSC::DFG::JITCompiler::getSpeculation):
17950 * dfg/DFGNode.h:
17951 (JSC::DFG::Node::Node):
17952 (JSC::DFG::Node::getHeapPrediction):
17953 (JSC::DFG::Node::predictHeap):
17954 (JSC::DFG::Node::prediction):
17955 (JSC::DFG::Node::predict):
17956 (JSC::DFG::Node::shouldSpeculateInteger):
17957 (JSC::DFG::Node::shouldSpeculateDouble):
17958 (JSC::DFG::Node::shouldSpeculateNumber):
17959 (JSC::DFG::Node::shouldSpeculateBoolean):
17960 (JSC::DFG::Node::shouldSpeculateFinalObject):
17961 (JSC::DFG::Node::shouldSpeculateFinalObjectOrOther):
17962 (JSC::DFG::Node::shouldSpeculateArray):
17963 (JSC::DFG::Node::shouldSpeculateArguments):
17964 (JSC::DFG::Node::shouldSpeculateInt8Array):
17965 (JSC::DFG::Node::shouldSpeculateInt16Array):
17966 (JSC::DFG::Node::shouldSpeculateInt32Array):
17967 (JSC::DFG::Node::shouldSpeculateUint8Array):
17968 (JSC::DFG::Node::shouldSpeculateUint8ClampedArray):
17969 (JSC::DFG::Node::shouldSpeculateUint16Array):
17970 (JSC::DFG::Node::shouldSpeculateUint32Array):
17971 (JSC::DFG::Node::shouldSpeculateFloat32Array):
17972 (JSC::DFG::Node::shouldSpeculateFloat64Array):
17973 (JSC::DFG::Node::shouldSpeculateArrayOrOther):
17974 (JSC::DFG::Node::shouldSpeculateObject):
17975 (JSC::DFG::Node::shouldSpeculateCell):
17976 (Node):
17977 * dfg/DFGPredictionPropagationPhase.cpp:
17978 (JSC::DFG::PredictionPropagationPhase::setPrediction):
17979 (JSC::DFG::PredictionPropagationPhase::mergePrediction):
17980 (JSC::DFG::PredictionPropagationPhase::propagate):
17981 (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
17982 * dfg/DFGSpeculativeJIT.cpp:
17983 (JSC::DFG::SpeculativeJIT::fillStorage):
17984 (JSC::DFG::SpeculativeJIT::writeBarrier):
17985 (JSC::DFG::GPRTemporary::GPRTemporary):
17986 (JSC::DFG::FPRTemporary::FPRTemporary):
17987 (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
17988 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
17989 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
17990 (JSC::DFG::SpeculativeJIT::compile):
17991 (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
17992 (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
17993 (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
17994 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
17995 (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
17996 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
17997 (JSC::DFG::SpeculativeJIT::compileGetTypedArrayLength):
17998 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
17999 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
18000 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
18001 (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
18002 (JSC::DFG::SpeculativeJIT::compileInstanceOf):
18003 (JSC::DFG::SpeculativeJIT::compileAdd):
18004 (JSC::DFG::SpeculativeJIT::compileArithSub):
18005 (JSC::DFG::SpeculativeJIT::compileArithNegate):
18006 (JSC::DFG::SpeculativeJIT::compileArithMul):
18007 (JSC::DFG::SpeculativeJIT::compileArithMod):
18008 (JSC::DFG::SpeculativeJIT::compare):
18009 (JSC::DFG::SpeculativeJIT::compileStrictEq):
18010 (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
18011 (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
18012 (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
18013 (JSC::DFG::SpeculativeJIT::compileRegExpExec):
18014 * dfg/DFGSpeculativeJIT.h:
18015 (DFG):
18016 (JSC::DFG::ValueSource::forSpeculation):
18017 (SpeculativeJIT):
18018 (GPRTemporary):
18019 (FPRTemporary):
18020 (JSC::DFG::SpecDoubleOperand::SpecDoubleOperand):
18021 (JSC::DFG::SpecDoubleOperand::~SpecDoubleOperand):
18022 (JSC::DFG::SpecDoubleOperand::fpr):
18023 (JSC::DFG::SpecCellOperand::SpecCellOperand):
18024 (JSC::DFG::SpecCellOperand::~SpecCellOperand):
18025 (JSC::DFG::SpecCellOperand::gpr):
18026 (JSC::DFG::SpecBooleanOperand::SpecBooleanOperand):
18027 (JSC::DFG::SpecBooleanOperand::~SpecBooleanOperand):
18028 (JSC::DFG::SpecBooleanOperand::gpr):
18029 * dfg/DFGSpeculativeJIT32_64.cpp:
18030 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
18031 (JSC::DFG::SpeculativeJIT::fillSpecDouble):
18032 (JSC::DFG::SpeculativeJIT::fillSpecCell):
18033 (JSC::DFG::SpeculativeJIT::fillSpecBoolean):
18034 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
18035 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
18036 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
18037 (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
18038 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
18039 (JSC::DFG::SpeculativeJIT::emitBranch):
18040 (JSC::DFG::SpeculativeJIT::compile):
18041 * dfg/DFGSpeculativeJIT64.cpp:
18042 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
18043 (JSC::DFG::SpeculativeJIT::fillSpecDouble):
18044 (JSC::DFG::SpeculativeJIT::fillSpecCell):
18045 (JSC::DFG::SpeculativeJIT::fillSpecBoolean):
18046 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
18047 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
18048 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
18049 (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
18050 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
18051 (JSC::DFG::SpeculativeJIT::emitBranch):
18052 (JSC::DFG::SpeculativeJIT::compile):
18053 * dfg/DFGVariableAccessData.h:
18054 (JSC::DFG::VariableAccessData::VariableAccessData):
18055 (JSC::DFG::VariableAccessData::predict):
18056 (JSC::DFG::VariableAccessData::nonUnifiedPrediction):
18057 (JSC::DFG::VariableAccessData::prediction):
18058 (JSC::DFG::VariableAccessData::argumentAwarePrediction):
18059 (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
18060 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
18061 (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
18062 (VariableAccessData):
18063
180642012-06-06 Filip Pizlo <fpizlo@apple.com>
18065
18066 Global object variable accesses should not require an extra load
18067 https://bugs.webkit.org/show_bug.cgi?id=88385
18068
18069 Reviewed by Gavin Barraclough and Geoffrey Garen.
18070
18071 Previously, if you wanted to access a global variable, you'd first have
18072 to load the register array from the appropriate global object and then
18073 either load or store at an offset to the register array. This is because
18074 JSGlobalObject inherited from JSVariableObject, and JSVariableObject is
18075 designed with the pessimistic assumption that its register array may
18076 point into the call stack. This is never the case for global objects.
18077 Hence, even though the global object may add more registers at any time,
18078 it does not need to store them in a contiguous array. It can use a
18079 SegmentedVector or similar.
18080
18081 This patch refactors global objects and variable objects as follows:
18082
18083 - The functionality to track variables in an indexable array using a
18084 SymbolTable to map names to indices is moved into JSSymbolTableObject,
18085 which is now a supertype of JSVariableObject. JSVariableObject is now
18086 just a holder for a registers array and implements the registerAt()
18087 method that is left abstract in JSSymbolTableObject. Because all users
18088 of JSVariableObject know whether they are a JSStaticScopeObject,
18089 JSActivation, or JSGlobalObject, this "abstract" method is not virtual;
18090 instead the utility methods that would call registerAt() are now
18091 template functions that require you to know statically what subtype of
18092 JSSymbolTableObject you're using (JSVariableObject or something else),
18093 so that registerAt() can be statically bound.
18094
18095 - A new class is added called JSSegmentedVariableObject, which only
18096 differs from JSVariableObject in how it allocates registers. It uses a
18097 SegmentedVector instead of manually managing a pointer to a contiguous
18098 slab of registers. This changes the interface somewhat; for example
18099 with JSVariableObject if you wanted to add a register you had to do
18100 it yourself since the JSVariableObject didn't know how the registers
18101 array ought to be allocated. With JSSegmentedVariableObject you can
18102 just call addRegisters(). JSSegmentedVariableObject preserves the
18103 invariant that once you get a pointer into a register, that pointer
18104 will continue to be valid so long as the JSSegmentedVariableObject is
18105 alive. This allows the JITs and interpreters to skip the extra load.
18106
18107 - JSGlobalObject now inherits from JSSegmentedVariableObject. For now
18108 (and possibly forever) it is the only subtype of this new class.
18109
18110 - The bytecode format is changed so that get_global_var and
18111 put_global_var have a pointer to the register directly rather than
18112 having an index. A convenience method is provided in
18113 JSSegmentedVariableObject to get the index given a a pointer, which is
18114 used for assertions and debug dumps.
18115
18116 This appears to be a 1% across the board win.
18117
18118 * CMakeLists.txt:
18119 * GNUmakefile.list.am:
18120 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
18121 * JavaScriptCore.xcodeproj/project.pbxproj:
18122 * Target.pri:
18123 * bytecode/CodeBlock.cpp:
18124 (JSC::CodeBlock::dump):
18125 * bytecode/Instruction.h:
18126 (Instruction):
18127 (JSC::Instruction::Instruction):
18128 * bytecompiler/BytecodeGenerator.cpp:
18129 (JSC::ResolveResult::registerPointer):
18130 (JSC):
18131 (JSC::BytecodeGenerator::BytecodeGenerator):
18132 (JSC::BytecodeGenerator::retrieveLastUnaryOp):
18133 (JSC::BytecodeGenerator::resolve):
18134 (JSC::BytecodeGenerator::resolveConstDecl):
18135 (JSC::BytecodeGenerator::emitGetStaticVar):
18136 (JSC::BytecodeGenerator::emitPutStaticVar):
18137 * bytecompiler/BytecodeGenerator.h:
18138 (ResolveResult):
18139 (BytecodeGenerator):
18140 * dfg/DFGAssemblyHelpers.h:
18141 (AssemblyHelpers):
18142 * dfg/DFGByteCodeParser.cpp:
18143 (JSC::DFG::ByteCodeParser::parseBlock):
18144 * dfg/DFGCSEPhase.cpp:
18145 (JSC::DFG::CSEPhase::globalVarLoadElimination):
18146 (JSC::DFG::CSEPhase::globalVarStoreElimination):
18147 (JSC::DFG::CSEPhase::performNodeCSE):
18148 * dfg/DFGGraph.cpp:
18149 (JSC::DFG::Graph::dump):
18150 * dfg/DFGGraph.h:
18151 (JSC::DFG::Graph::globalObjectFor):
18152 (Graph):
18153 * dfg/DFGNode.h:
18154 (JSC::DFG::Node::hasVarNumber):
18155 (Node):
18156 (JSC::DFG::Node::hasRegisterPointer):
18157 (JSC::DFG::Node::registerPointer):
18158 * dfg/DFGSpeculativeJIT32_64.cpp:
18159 (JSC::DFG::SpeculativeJIT::compile):
18160 * dfg/DFGSpeculativeJIT64.cpp:
18161 (JSC::DFG::SpeculativeJIT::compile):
18162 * heap/Heap.h:
18163 (Heap):
18164 (JSC::Heap::isWriteBarrierEnabled):
18165 (JSC):
18166 * interpreter/Interpreter.cpp:
18167 (JSC::Interpreter::execute):
18168 (JSC::Interpreter::privateExecute):
18169 * jit/JITPropertyAccess.cpp:
18170 (JSC::JIT::emit_op_get_global_var):
18171 (JSC::JIT::emit_op_put_global_var):
18172 * jit/JITPropertyAccess32_64.cpp:
18173 (JSC::JIT::emit_op_get_global_var):
18174 (JSC::JIT::emit_op_put_global_var):
18175 * llint/LowLevelInterpreter32_64.asm:
18176 * llint/LowLevelInterpreter64.asm:
18177 * runtime/JSGlobalObject.cpp:
18178 (JSC):
18179 (JSC::JSGlobalObject::put):
18180 (JSC::JSGlobalObject::putDirectVirtual):
18181 (JSC::JSGlobalObject::defineOwnProperty):
18182 (JSC::JSGlobalObject::visitChildren):
18183 (JSC::JSGlobalObject::addStaticGlobals):
18184 (JSC::JSGlobalObject::getOwnPropertySlot):
18185 (JSC::JSGlobalObject::getOwnPropertyDescriptor):
18186 * runtime/JSGlobalObject.h:
18187 (JSGlobalObject):
18188 (JSC::JSGlobalObject::JSGlobalObject):
18189 (JSC):
18190 (JSC::JSGlobalObject::hasOwnPropertyForWrite):
18191 * runtime/JSSegmentedVariableObject.cpp: Added.
18192 (JSC):
18193 (JSC::JSSegmentedVariableObject::findRegisterIndex):
18194 (JSC::JSSegmentedVariableObject::addRegisters):
18195 (JSC::JSSegmentedVariableObject::visitChildren):
18196 * runtime/JSSegmentedVariableObject.h: Added.
18197 (JSC):
18198 (JSSegmentedVariableObject):
18199 (JSC::JSSegmentedVariableObject::registerAt):
18200 (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject):
18201 (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject):
18202 (JSC::JSSegmentedVariableObject::finishCreation):
18203 * runtime/JSStaticScopeObject.cpp:
18204 (JSC::JSStaticScopeObject::put):
18205 (JSC::JSStaticScopeObject::putDirectVirtual):
18206 (JSC::JSStaticScopeObject::getOwnPropertySlot):
18207 * runtime/JSSymbolTableObject.cpp: Added.
18208 (JSC):
18209 (JSC::JSSymbolTableObject::destroy):
18210 (JSC::JSSymbolTableObject::deleteProperty):
18211 (JSC::JSSymbolTableObject::getOwnPropertyNames):
18212 (JSC::JSSymbolTableObject::putDirectVirtual):
18213 (JSC::JSSymbolTableObject::isDynamicScope):
18214 * runtime/JSSymbolTableObject.h: Added.
18215 (JSC):
18216 (JSSymbolTableObject):
18217 (JSC::JSSymbolTableObject::symbolTable):
18218 (JSC::JSSymbolTableObject::JSSymbolTableObject):
18219 (JSC::JSSymbolTableObject::finishCreation):
18220 (JSC::symbolTableGet):
18221 (JSC::symbolTablePut):
18222 (JSC::symbolTablePutWithAttributes):
18223 * runtime/JSVariableObject.cpp:
18224 (JSC):
18225 * runtime/JSVariableObject.h:
18226 (JSVariableObject):
18227 (JSC::JSVariableObject::JSVariableObject):
18228 (JSC::JSVariableObject::finishCreation):
18229 (JSC):
18230 * runtime/WriteBarrier.h:
18231
182322012-06-06 Filip Pizlo <fpizlo@apple.com>
18233
18234 DFG arguments access slow path should not crash if the arguments haven't been created
18235 https://bugs.webkit.org/show_bug.cgi?id=88471
18236
18237 Reviewed by Gavin Barraclough.
18238
18239 * dfg/DFGCCallHelpers.h:
18240 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
18241 (CCallHelpers):
18242 * dfg/DFGOperations.cpp:
18243 * dfg/DFGOperations.h:
18244 * dfg/DFGSpeculativeJIT.h:
18245 (JSC::DFG::SpeculativeJIT::callOperation):
18246 * dfg/DFGSpeculativeJIT32_64.cpp:
18247 (JSC::DFG::SpeculativeJIT::compile):
18248 * dfg/DFGSpeculativeJIT64.cpp:
18249 (JSC::DFG::SpeculativeJIT::compile):
18250
182512012-06-06 Michael Saboff <msaboff@apple.com>
18252
18253 ENH: Add Logging to GC Marking Phase
18254 https://bugs.webkit.org/show_bug.cgi?id=88364
18255
18256 Reviewed by Filip Pizlo.
18257
18258 Log GC marking to stderr or a file. The logging in controlled
18259 with the define ENABLE_OBJECT_MARK_LOGGING in wtf/Platform.h.
18260 If DATA_LOG_TO_FILE in wtf/DataLog.cpp is set to 1, output is
18261 logged to a file otherwise it is logged to stderr.
18262
18263 When logging is enabled, the GC is built single threaded since the
18264 log output from the various threads isn't buffered and output in a
18265 thread safe manner.
18266
18267 * heap/Heap.cpp:
18268 (JSC::Heap::markRoots):
18269 * heap/MarkStack.cpp:
18270 (JSC::MarkStackThreadSharedData::resetChildren):
18271 (JSC::MarkStackThreadSharedData::childVisitCount):
18272 (JSC::MarkStackThreadSharedData::markingThreadMain):
18273 (JSC::MarkStackThreadSharedData::markingThreadStartFunc):
18274 (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
18275 (JSC::MarkStackThreadSharedData::reset):
18276 * heap/MarkStack.h:
18277 (MarkStackThreadSharedData):
18278 (MarkStack):
18279 (JSC::MarkStack::sharedData):
18280 (JSC::MarkStack::resetChildCount):
18281 (JSC::MarkStack::childCount):
18282 (JSC::MarkStack::incrementChildCount):
18283 * runtime/JSArray.cpp:
18284 (JSC::JSArray::visitChildren):
18285 * runtime/JSCell.cpp:
18286 (JSC::JSCell::className):
18287 * runtime/JSCell.h:
18288 (JSCell):
18289 (JSC::JSCell::visitChildren):
18290 * runtime/JSString.cpp:
18291 (JSC::JSString::visitChildren):
18292 * runtime/JSString.h:
18293 (JSString):
18294 * runtime/Structure.h:
18295 (JSC::MarkStack::internalAppend):
18296
182972012-06-06 Gavin Barraclough <barraclough@apple.com>
18298
18299 Assigning to a static property should not change iteration order
18300 https://bugs.webkit.org/show_bug.cgi?id=88401
18301
18302 Reviewed by Geoff Garen.
18303
18304 A specific iteration order is not defined by the spec, but test-262 somewhat tenuously
18305 requires that it is at least stable, e.g. ch10/10.4/10.4.2/S10.4.2_A1.1_T1.js
18306
18307 Whilst it is not clear that this behavior really arises from the specification, it
18308 would seem like common sense to conform to this.
18309
18310 The problem here is that we allow properties in the structure to shadow those in the
18311 static table, and we iterate the properties in the structure first - which means that
18312 as values of existing properties are modified, their iteration order changes too.
18313
18314 The easy fix is to iterate the properties from the static table first. This has a
18315 further benefit, since it will mean that user added properties will come after those
18316 present in the static table (respected the expected insertion-order).
18317
18318 * runtime/JSObject.cpp:
18319 (JSC::JSObject::getOwnPropertyNames):
18320 - Iterate static properties first.
18321
183222012-06-06 Andy Wingo <wingo@igalia.com>
18323
18324 Ensure consistent order of evaluation in LLInt slow paths
18325 https://bugs.webkit.org/show_bug.cgi?id=88409
18326
18327 Reviewed by Geoffrey Garen.
18328
18329 * llint/LLIntSlowPaths.cpp:
18330 (slow_path_mul)
18331 (slow_path_sub)
18332 (slow_path_div)
18333 (slow_path_mod)
18334 (slow_path_lshift)
18335 (slow_path_rshift)
18336 (slow_path_urshift)
18337 (slow_path_bitand)
18338 (slow_path_bitor)
18339 (slow_path_bitxor): Avoid calling toNumber, toInt32, or toUInt32
18340 multiple times without intervening sequence points. Fixes
18341 fast/js/exception-sequencing-binops.html with GCC 4.7 on x86-64
18342 Linux, which reordered evaluation of the arguments to fmod.
18343
183442012-06-06 Andy Wingo <wingo@igalia.com>
18345
18346 [GTK] Enable the LLInt
18347 https://bugs.webkit.org/show_bug.cgi?id=88315
18348
18349 Reviewed by Filip Pizlo.
18350
18351 * GNUmakefile.am: Add rules to generate LLIntDesiredOffsets.h and
18352 LLIntAssembly.h.
18353 * GNUmakefile.list.am: Add offlineasm and llint files to the
18354 dist. Add LLInt source files to the build.
18355 * llint/LowLevelInterpreter.asm (crash): Generate a store of
18356 0xbbadbeef to a register, not to a constant. Otherwise, gas was
18357 failing to assemble result.
18358 * offlineasm/asm.rb (labelReference): Generate a
18359 SYMBOL_STRING_RELOCATION instead of a SYMBOL_STRING, so that we go
18360 through the PLT on ELF systems.
18361
183622012-06-06 Andy Wingo <wingo@igalia.com>
18363
18364 REGRESSION (r106478): None of the Paper.js JavaScript examples work
18365 https://bugs.webkit.org/show_bug.cgi?id=87158
18366
18367 Reviewed by Michael Saboff.
18368
18369 * bytecompiler/BytecodeGenerator.cpp:
18370 (JSC::BytecodeGenerator::resolve): If we have to bail out to
18371 dynamicResolve(), only skip static scopes from the head of the
18372 scope chain. Before, we were also skipping activations with
18373 direct eval as well, which was incorrect.
18374
183752012-06-06 Dan Bernstein <mitz@apple.com>
18376
18377 Reverted r119567, the fix for <http://webkit.org/b/88378>, because it broke the 32-bit build.
18378
18379 * dfg/DFGSpeculativeJIT.h:
18380 (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
18381 * jit/JITInlineMethods.h:
18382 (JSC::JIT::emitAllocateBasicJSObject):
18383 * llint/LowLevelInterpreter.asm:
18384 * runtime/JSGlobalData.h:
18385 (JSGlobalData):
18386 * runtime/JSGlobalThis.cpp:
18387 (JSC::JSGlobalThis::setUnwrappedObject):
18388 * runtime/JSObject.cpp:
18389 (JSC::JSObject::visitChildren):
18390 (JSC::JSObject::createInheritorID):
18391 * runtime/JSObject.h:
18392 (JSObject):
18393 (JSC::JSObject::resetInheritorID):
18394 (JSC):
18395 (JSC::JSObject::offsetOfInheritorID):
18396 (JSC::JSObject::inheritorID):
18397
183982012-06-05 Yuqiang Xian <yuqiang.xian@intel.com>
18399
18400 Improve Math.round and Math.floor intrinsic
18401 https://bugs.webkit.org/show_bug.cgi?id=88314
18402
18403 Reviewed by Filip Pizlo.
18404
18405 Currently we call a native function from the JIT code to complete the
18406 "round" and "floor" operations. We could inline some fast paths
18407 especially for those positive values on the platforms where floating
18408 point truncation is supported.
18409 This brings 3% gain on Kraken, especially 32% on audio-oscillator,
18410 and slight win on SunSpider, measured on IA32.
18411
18412 * jit/ThunkGenerators.cpp:
18413 (JSC::floorThunkGenerator):
18414 (JSC):
18415 (JSC::roundThunkGenerator):
18416
184172012-06-05 Gavin Barraclough <barraclough@apple.com>
18418
18419 Remove JSObject::m_inheritorID
18420 https://bugs.webkit.org/show_bug.cgi?id=88378
18421
18422 Reviewed by Geoff Garen.
18423
18424 This is rarely used, and not performance critical (the commonly accessed copy is cached on JSFunction),
18425 and most objects don't need an inheritorID (this value is only used if the object is used as a prototype).
18426 Instead use a private named value in the object's property storage.
18427
18428 * dfg/DFGSpeculativeJIT.h:
18429 (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
18430 - No need m_inheritorID to initialize!
18431 * jit/JITInlineMethods.h:
18432 (JSC::JIT::emitAllocateBasicJSObject):
18433 - No need m_inheritorID to initialize!
18434 * llint/LowLevelInterpreter.asm:
18435 - No need m_inheritorID to initialize!
18436 * runtime/JSGlobalData.h:
18437 (JSGlobalData):
18438 - Added private name 'm_inheritorIDKey'.
18439 * runtime/JSGlobalThis.cpp:
18440 (JSC::JSGlobalThis::setUnwrappedObject):
18441 - resetInheritorID is now passed a JSGlobalData&.
18442 * runtime/JSObject.cpp:
18443 (JSC::JSObject::visitChildren):
18444 - No m_inheritorID to be marked.
18445 (JSC::JSObject::createInheritorID):
18446 - Store the newly created inheritorID in the property map.
18447 * runtime/JSObject.h:
18448 (JSC::JSObject::resetInheritorID):
18449 - Remove the inheritorID from property storage.
18450 (JSC::JSObject::inheritorID):
18451 - Read the inheritorID from property storage.
18452
184532012-06-05 Filip Pizlo <fpizlo@apple.com>
18454
18455 DFG CFG simplification should not attempt to deref nodes inside of an unreachable subgraph
18456 https://bugs.webkit.org/show_bug.cgi?id=88362
18457
18458 Reviewed by Gavin Barraclough.
18459
18460 * dfg/DFGCFGSimplificationPhase.cpp:
18461 (JSC::DFG::CFGSimplificationPhase::fixPhis):
18462 (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
18463
184642012-06-05 Mark Hahnenberg <mhahnenberg@apple.com>
18465
18466 Entry into JSC should CRASH() if the Heap is busy
18467 https://bugs.webkit.org/show_bug.cgi?id=88355
18468
18469 Reviewed by Geoffrey Garen.
18470
18471 Interpreter::execute() returns jsNull() right now if we try to enter it while
18472 the Heap is busy (e.g. with a collection), which is okay, but some code paths
18473 that call Interpreter::execute() allocate objects before checking if the Heap
18474 is busy. Attempting to execute JS code while the Heap is busy should not be
18475 allowed and should be enforced by a release-mode CRASH() to prevent vague,
18476 unhelpful backtraces later on if somebody makes a mistake. Normally, recursively
18477 executing JS code is okay, e.g. for evals, but it should not occur during a
18478 Heap allocation or collection because the Heap is not guaranteed to be in a
18479 consistent state (especially during collections). We are protected from
18480 executing JS on the same Heap concurrently on two separate threads because
18481 they must each take a JSLock first. However, we are not protected from reentrant
18482 execution of JS on the same thread because JSLock allows reentrancy. Therefore,
18483 we should fail early if we detect an entrance into JS code while the Heap is busy.
18484
18485 * heap/Heap.cpp: Changed Heap::collect so that it sets the m_operationInProgress field
18486 at the beginning of collection and then unsets it at the end so that it is set at all
18487 times throughout the duration of a collection rather than sporadically during various
18488 phases. There is no reason to unset during a collection because our collector does
18489 not currently support running additional JS between the phases of a collection.
18490 (JSC::Heap::getConservativeRegisterRoots):
18491 (JSC::Heap::markRoots):
18492 (JSC::Heap::collect):
18493 * interpreter/Interpreter.cpp:
18494 (JSC::Interpreter::execute): Crash if the Heap is busy.
18495 * runtime/Completion.cpp: Crash if the Heap is busy. We do it here before we call
18496 Interpreter::execute() because we do some allocation prior to calling execute() which
18497 could cause Heap corruption if, for example, that allocation caused a collection.
18498 (JSC::evaluate):
18499
185002012-06-05 Dongwoo Im <dw.im@samsung.com>
18501
18502 Add 'isProtocolHandlerRegistered' and 'unregisterProtocolHandler'.
18503 https://bugs.webkit.org/show_bug.cgi?id=73176
18504
18505 Reviewed by Adam Barth.
18506
18507 Two more APIs are added in Custom Scheme Handler specification.
18508 http://dev.w3.org/html5/spec/Overview.html#custom-handlers
18509 One is 'isProtocolHandlerRegistered' to query whether the specific URL
18510 is registered or not.
18511 The other is 'unregisterProtocolHandler' to remove the registered URL.
18512
18513 * Configurations/FeatureDefines.xcconfig: Add a macro 'ENABLE_CUSTOM_SCHEME_HANDLER'.
18514
185152012-06-04 Filip Pizlo <fpizlo@apple.com>
18516
18517 DFG CFG simplification should correct the variables at the head of the predecessor block
18518 https://bugs.webkit.org/show_bug.cgi?id=88284
18519
18520 Reviewed by Geoffrey Garen.
18521
18522 * dfg/DFGCFGSimplificationPhase.cpp:
18523 (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
18524
185252012-06-04 Geoffrey Garen <ggaren@apple.com>
18526
18527 Unreviewed.
18528
18529 Rolled out r119364 because it's still causing crashes (when running
18530 v8-earley in release builds of DRT)
18531
18532 This time for sure!
18533
18534 * heap/Heap.cpp:
18535 (JSC::Heap::collect):
18536 * heap/MarkedBlock.cpp:
18537 (JSC::MarkedBlock::sweep):
18538 * heap/MarkedBlock.h:
18539 (JSC::MarkedBlock::resetAllocator):
18540 (JSC):
18541 * heap/MarkedSpace.cpp:
18542 (JSC::ResetAllocator::operator()):
18543 (JSC):
18544 (JSC::MarkedSpace::resetAllocators):
18545 (JSC::MarkedSpace::sweepWeakSets):
18546 * heap/MarkedSpace.h:
18547 (MarkedSpace):
18548 * heap/WeakBlock.cpp:
18549 (JSC::WeakBlock::sweep):
18550 * heap/WeakSet.cpp:
18551 (JSC::WeakSet::sweep):
18552 (JSC::WeakSet::tryFindAllocator):
18553 * heap/WeakSet.h:
18554 (JSC::WeakSet::shrink):
18555
185562012-06-04 Filip Pizlo <fpizlo@apple.com>
18557
18558 DFG arguments simplification should have rationalized handling of TearOffArguments
18559 https://bugs.webkit.org/show_bug.cgi?id=88206
18560
18561 Reviewed by Geoffrey Garen.
18562
18563 - Accesses to the unmodified arguments register ought to have the same effect on
18564 alias/escape analysis of arguments as accesses to the mutable arguments register.
18565
18566 - The existence of TearOffArguments should not get in the way of arguments aliasing.
18567
18568 - TearOffArguments should be eliminated if CreateArguments is eliminated.
18569
18570 * dfg/DFGArgumentsSimplificationPhase.cpp:
18571 (JSC::DFG::ArgumentsSimplificationPhase::run):
18572 (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
18573
185742012-06-04 Gavin Barraclough <barraclough@apple.com>
18575
18576 Remove enabledProfilerReference
18577 https://bugs.webkit.org/show_bug.cgi?id=88258
18578
18579 Reviewed by Michael Saboff.
18580
18581 Make the enabled profiler a member of JSGlobalData, and switch code that accesses it to do so directly
18582 via the JSGlobalData, rather than holding a Profiler** reference to it. Do not pass the Profiler**
18583 reference to JIT code. This patch does not change the stack layout on entry into JIT code (passing an
18584 unused void* instead), since this is an intrusive change better handled in a separate patch.
18585
18586 * interpreter/Interpreter.cpp:
18587 (JSC::Interpreter::throwException):
18588 (JSC::Interpreter::execute):
18589 (JSC::Interpreter::executeCall):
18590 (JSC::Interpreter::executeConstruct):
18591 (JSC::Interpreter::privateExecute):
18592 * jit/JITCode.h:
18593 (JSC::JITCode::execute):
18594 - Don't pass Profiler** to JIT code.
18595 * jit/JITOpcodes.cpp:
18596 (JSC::JIT::emit_op_profile_will_call):
18597 (JSC::JIT::emit_op_profile_did_call):
18598 * jit/JITOpcodes32_64.cpp:
18599 (JSC::JIT::emit_op_profile_will_call):
18600 (JSC::JIT::emit_op_profile_did_call):
18601 * jit/JITStubs.cpp:
18602 (JSC):
18603 (JSC::ctiTrampoline):
18604 (JSC::ctiVMThrowTrampoline):
18605 (JSC::ctiOpThrowNotCaught):
18606 (JSC::JITThunks::JITThunks):
18607 (JSC::DEFINE_STUB_FUNCTION):
18608 - For ARM_THUMB2, rename ENABLE_PROFILER_REFERENCE_OFFSET to FIRST_STACK_ARGUMENT (which is how it is being used).
18609 - For MIPS, remove ENABLE_PROFILER_REFERENCE_OFFSET.
18610 * jit/JITStubs.h:
18611 (JITStackFrame):
18612 (JSC):
18613 - Renamed enabledProfilerReference to unusedX.
18614 * llint/LLIntSlowPaths.cpp:
18615 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
18616 * llint/LowLevelInterpreter.asm:
18617 * profiler/Profiler.cpp:
18618 (JSC):
18619 (JSC::Profiler::startProfiling):
18620 (JSC::Profiler::stopProfiling):
18621 * profiler/Profiler.h:
18622 (Profiler):
18623 - Removed s_sharedEnabledProfilerReference, enabledProfilerReference().
18624 * runtime/JSGlobalData.cpp:
18625 (JSC::JSGlobalData::JSGlobalData):
18626 * runtime/JSGlobalData.h:
18627 (JSC):
18628 (JSC::JSGlobalData::enabledProfiler):
18629 (JSGlobalData):
18630 - Added m_enabledProfiler, enabledProfiler().
18631 * runtime/JSGlobalObject.cpp:
18632 (JSC::JSGlobalObject::~JSGlobalObject):
18633
186342012-06-04 Filip Pizlo <fpizlo@apple.com>
18635
18636 get_argument_by_val should be profiled everywhere
18637 https://bugs.webkit.org/show_bug.cgi?id=88205
18638
18639 Reviewed by Geoffrey Garen.
18640
18641 * jit/JITOpcodes32_64.cpp:
18642 (JSC::JIT::emitSlow_op_get_argument_by_val):
18643 * llint/LLIntSlowPaths.cpp:
18644 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
18645
186462012-06-04 Filip Pizlo <fpizlo@apple.com>
18647
18648 DFG arguments simplification takes unkindly to direct accesses to the arguments register
18649 https://bugs.webkit.org/show_bug.cgi?id=88261
18650
18651 Reviewed by Geoffrey Garen.
18652
18653 Fixed arguments simplification for direct accesses to the arguments register, which may
18654 arise if CSE had not run. Fixed CSE so that it does run prior to arguments simplification,
18655 by making it a full-fledged member of the fixpoint. Fixed other issues in arguments
18656 simplification, like realizing that it needs to bail if there is a direct assignment to
18657 the arguments register, and failing to turn CreateArguments into PhantomArguments. Also
18658 fixed CSE's handling of store elimination of captured locals in the presence of a
18659 GetMyArgumentByVal (or one of its friends), and fixed CSE to correctly fixup variables at
18660 tail if the Flush it removes is the last operation on a local in a basic block.
18661
18662 * bytecode/CodeBlock.cpp:
18663 (JSC::CodeBlock::dump):
18664 * dfg/DFGArgumentsSimplificationPhase.cpp:
18665 (JSC::DFG::ArgumentsSimplificationPhase::run):
18666 (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
18667 * dfg/DFGCSEPhase.cpp:
18668 (JSC::DFG::CSEPhase::run):
18669 (JSC::DFG::CSEPhase::setLocalStoreElimination):
18670 (JSC::DFG::CSEPhase::performNodeCSE):
18671 (CSEPhase):
18672 * dfg/DFGDriver.cpp:
18673 (JSC::DFG::compile):
18674
186752012-06-04 Anders Carlsson <andersca@apple.com>
18676
18677 Fix a struct/class mismatch.
18678
18679 * heap/Handle.h:
18680 (Handle):
18681
186822012-06-04 David Kilzer <ddkilzer@apple.com>
18683
18684 BUILD FIX: FeatureDefines.xcconfig should match across projects
18685
18686 * Configurations/FeatureDefines.xcconfig:
18687 - Add missing ENABLE_LEGACY_CSS_VENDOR_PREFIXES.
18688
186892012-06-02 Geoffrey Garen <ggaren@apple.com>
18690
18691 Weak pointer finalization should be lazy
18692 https://bugs.webkit.org/show_bug.cgi?id=87599
18693
18694 Reviewed by Sam Weinig.
18695
18696 This time for sure!
18697
18698 * heap/Heap.cpp:
18699 (JSC::Heap::collect): Don't sweep eagerly -- we'll sweep lazily instead.
18700
18701 * heap/MarkedBlock.cpp:
18702 (JSC::MarkedBlock::sweep): Sweep our weak set before we sweep our other
18703 destructors -- this is our last chance to run weak set finalizers before
18704 we recycle our memory.
18705
18706 * heap/MarkedBlock.h:
18707 (JSC::MarkedBlock::resetAllocator):
18708 * heap/MarkedSpace.cpp:
18709 (JSC::MarkedSpace::resetAllocators):
18710 * heap/MarkedSpace.h:
18711 (JSC::MarkedSpace::resetAllocators): Don't force allocator reset anymore.
18712 It will happen automatically when a weak set is swept. It's simpler to
18713 have only one canonical way for this to happen, and it wasn't buying
18714 us anything to do it eagerly.
18715
18716 * heap/WeakBlock.cpp:
18717 (JSC::WeakBlock::sweep): Don't short-circuit a sweep unless we know
18718 the sweep would be a no-op. If even one finalizer is pending, we need to
18719 run it, since we won't get another chance.
18720
18721 * heap/WeakSet.cpp:
18722 (JSC::WeakSet::sweep): This loop can be simpler now that
18723 WeakBlock::sweep() does what we mean.
18724
18725 Reset our allocator after a sweep because this is the optimal time to
18726 start trying to recycle old weak pointers.
18727
18728 (JSC::WeakSet::tryFindAllocator): Don't sweep when searching for an
18729 allocator because we've swept already, and forcing a new sweep would be
18730 wasteful.
18731
18732 * heap/WeakSet.h:
18733 (JSC::WeakSet::shrink): Be sure to reset our allocator after a shrink
18734 because the shrink may have removed the block the allocator was going to
18735 allocate out of.
18736
187372012-06-02 Filip Pizlo <fpizlo@apple.com>
18738
18739 If the DFG bytecode parser detects that op_method_check has gone polymorphic, it
18740 shouldn't revert all the way to GetById/GetByIdFlush
18741 https://bugs.webkit.org/show_bug.cgi?id=88176
18742
18743 Reviewed by Geoffrey Garen.
18744
18745 Refactored the code so that the op_method_check case of the parser gracefully falls
18746 through to all of the goodness of the normal op_get_by_id case.
18747
18748 * dfg/DFGByteCodeParser.cpp:
18749 (ByteCodeParser):
18750 (JSC::DFG::ByteCodeParser::handleGetById):
18751 (DFG):
18752 (JSC::DFG::ByteCodeParser::parseBlock):
18753
187542012-06-02 Filip Pizlo <fpizlo@apple.com>
18755
18756 DFG CSE should be able to eliminate unnecessary flushes of arguments and captured variables
18757 https://bugs.webkit.org/show_bug.cgi?id=87929
18758
18759 Reviewed by Geoffrey Garen.
18760
18761 Slight speed-up on V8. Big win (up to 50%) on programs that inline very small functions.
18762
18763 This required a bunch of changes:
18764
18765 - The obvious change is making CSE essentially ignore whether or not the set of
18766 operations between the Flush and the SetLocal can exit, and instead focus on whether or
18767 not that set of operations can clobber the world or access local variables. This code
18768 is now refactored to return a set of flags indicating any of these events, and the CSE
18769 decides what to do based on those flags. If the set of operations is non-clobbering
18770 and non-accessing, then the Flush is turned into a Phantom on the child of the
18771 SetLocal. This expands the liveness of the relevant variable but virtually guarantees
18772 that it will be register allocated and not flushed to the stack. So, yeah, this patch
18773 is a lot of work to save a few stores to the stack.
18774
18775 - Previously, CheckArgumentsNotCreated was optimized "lazily" in that you only knew if
18776 it was a no-op if you were holding onto a CFA abstract state. But this would make the
18777 CSE act pessimistically, since it doesn't use the CFA. Hence, this patch changes the
18778 constant folding phase into something more broad; it now fixes up
18779 CheckArgumentsNotCreated nodes by turning them into phantoms if it knows that they are
18780 no-ops.
18781
18782 - Arguments simplification was previously relying on this very strange PhantomArguments
18783 node, which had two different meanings: for normal execution it meant the empty value
18784 but for OSR exit it meant that the arguments should be reified. This produces problems
18785 when set SetLocals to the captured arguments registers are CSE'd away, since we'd be
18786 triggering reification of arguments without having initialized the arguments registers
18787 to empty. The cleanest solution was to fix PhantomArguments to have one meaning:
18788 namely, arguments reification on OSR exit. Hence, this patch changes arguments
18789 simplification to change SetLocal of CreateArguments on the arguments registers to be
18790 a SetLocal of Empty.
18791
18792 - Argument value recoveries were previously derived from the value source of the
18793 arguments at the InlineStart. But that relies on all SetLocals to arguments having
18794 been flushed. It's possible that we could have elided the SetLocal to the arguments
18795 at the callsite because there were subsequent SetLocals to the arguments inside of the
18796 callee, in which case the InlineStart would get the wrong information. Hence, this
18797 patch changes argument value recovery computation to operate over the ArgumentPositions
18798 directly.
18799
18800 - But that doesn't actually work, because previously, there was no way to link an
18801 InlineStart back to the corresponding ArgumentPositions, at least not without some
18802 ugliness. So this patch instates the rule that the m_argumentPositions vector consists
18803 of disjoint subsequences such that each subsequence corresponds to an inline callsite
18804 and can be identified by its first index, and within each subsequence are the
18805 ArgumentPositions of all of the arguments ordered by argument index. This required
18806 flipping the order in which ArgumentPositions are added to the vector, and giving
18807 InlineStart an operand that indicates the start of that inline callsite's
18808 ArgumentPosition subsequence.
18809
18810 - This patch also revealed a nasty bug in the reification of arguments in inline call
18811 frames on OSR exit. Since the reification was happening after the values of virtual
18812 registers were recovered, the value recoveries of the inline arguments were wrong.
18813 Hence using operationCreateInlinedArguments is wrong. For example a value recovery
18814 might say that you have to box a double, but if we had already boxed it then boxing
18815 it a second time will result in garbage. The specific case of this bug was this patch
18816 uncovered was that now it is possible for an inline call frame to not have any valid
18817 value recoveries for any inline arguments, if the optimization elides all argument
18818 flushes, while at the same time optimizing away arguments creation. Then OSR exit
18819 would try to recover the arguments using the inline call frame, which had bogus
18820 information, and humorous crashes would ensue. This patch fixes this issue by moving
18821 arguments reification to after call frame reification, so that arguments reification
18822 can always use operationCreateArguments instead of operationCreateInlinedArguments.
18823
18824 - This patch may turn a Flush into a Phantom. That's kind of the whole point. But that
18825 broke forward speculation checks, which knew to look for a Flush prior to a SetLocal
18826 but didn't know that there could alternatively be a Phantom in place of the Flush.
18827 This patch fixes that by augmenting the forward speculation check logic.
18828
18829 - Finally, in the process of having fun with all of the above, I realized that my DFG
18830 validation was not actually running on every phase like I had originally designed it
18831 to. In fact it was only running just after bytecode parsing. I initially tried to
18832 make it run in every phase but found that this causes some tests to timeout
18833 (specifically the evil fuzzing ones), so I decided on a compromise where: (i) in
18834 release mode validation never runs, (ii) in debug mode validation will run just
18835 after parsing and just before the backend, and (iii) it's possible with a simple
18836 switch to enable validation to run on every phase.
18837
18838 Luckily all of the above issues were already covered by the 77 or so DFG-specific
18839 layout tests. Hence, this patch does not introduce any new tests despite being so
18840 meaty.
18841
18842 * dfg/DFGAbstractState.cpp:
18843 (JSC::DFG::AbstractState::execute):
18844 * dfg/DFGArgumentPosition.h:
18845 (JSC::DFG::ArgumentPosition::prediction):
18846 (JSC::DFG::ArgumentPosition::doubleFormatState):
18847 (JSC::DFG::ArgumentPosition::shouldUseDoubleFormat):
18848 (ArgumentPosition):
18849 * dfg/DFGArgumentsSimplificationPhase.cpp:
18850 (JSC::DFG::ArgumentsSimplificationPhase::run):
18851 * dfg/DFGByteCodeParser.cpp:
18852 (JSC::DFG::ByteCodeParser::handleInlining):
18853 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
18854 * dfg/DFGCSEPhase.cpp:
18855 (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult):
18856 (SetLocalStoreEliminationResult):
18857 (JSC::DFG::CSEPhase::setLocalStoreElimination):
18858 (JSC::DFG::CSEPhase::performNodeCSE):
18859 * dfg/DFGCommon.h:
18860 * dfg/DFGConstantFoldingPhase.cpp:
18861 (JSC::DFG::ConstantFoldingPhase::run):
18862 * dfg/DFGDriver.cpp:
18863 (JSC::DFG::compile):
18864 * dfg/DFGNode.h:
18865 (Node):
18866 (JSC::DFG::Node::hasArgumentPositionStart):
18867 (JSC::DFG::Node::argumentPositionStart):
18868 * dfg/DFGOSRExitCompiler32_64.cpp:
18869 (JSC::DFG::OSRExitCompiler::compileExit):
18870 * dfg/DFGOSRExitCompiler64.cpp:
18871 (JSC::DFG::OSRExitCompiler::compileExit):
18872 * dfg/DFGPhase.cpp:
18873 (DFG):
18874 * dfg/DFGPhase.h:
18875 (Phase):
18876 * dfg/DFGSpeculativeJIT.cpp:
18877 (JSC::DFG::SpeculativeJIT::compile):
18878 * dfg/DFGSpeculativeJIT.h:
18879 (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
18880 * dfg/DFGSpeculativeJIT32_64.cpp:
18881 (JSC::DFG::SpeculativeJIT::compile):
18882 * dfg/DFGSpeculativeJIT64.cpp:
18883 (JSC::DFG::SpeculativeJIT::compile):
18884
188852012-06-02 Geoffrey Garen <ggaren@apple.com>
18886
18887 DOM string cache should hash pointers, not characters
18888 https://bugs.webkit.org/show_bug.cgi?id=88175
18889
18890 Reviewed by Phil Pizlo and Sam Weinig.
18891
18892 * heap/Weak.h:
18893 (JSC::weakAdd):
18894 (JSC::weakRemove): Made these function templates slightly more generic
18895 to accommodate new client types.
18896
188972012-06-01 Filip Pizlo <fpizlo@apple.com>
18898
18899 DFG CFA should know that PutByVal can clobber the world
18900 https://bugs.webkit.org/show_bug.cgi?id=88155
18901
18902 Reviewed by Gavin Barraclough.
18903
18904 * dfg/DFGAbstractState.cpp:
18905 (JSC::DFG::AbstractState::execute):
18906
189072012-06-01 Filip Pizlo <fpizlo@apple.com>
18908
18909 DFG CFA should mark basic blocks as having constants if local accesses yield constants
18910 https://bugs.webkit.org/show_bug.cgi?id=88153
18911
18912 Reviewed by Gavin Barraclough.
18913
18914 * dfg/DFGAbstractState.cpp:
18915 (JSC::DFG::AbstractState::execute):
18916
189172012-06-01 Filip Pizlo <fpizlo@apple.com>
18918
18919 DFG arguments simplification phase uses a node.codeOrigin after appending a node
18920 https://bugs.webkit.org/show_bug.cgi?id=88151
18921
18922 Reviewed by Geoffrey Garen.
18923
18924 The right thing to do is to save the CodeOrigin before appending to the graph.
18925
18926 * dfg/DFGArgumentsSimplificationPhase.cpp:
18927 (JSC::DFG::ArgumentsSimplificationPhase::run):
18928
189292012-06-01 Filip Pizlo <fpizlo@apple.com>
18930
18931 DFG should not emit unnecessary speculation checks when performing an int32 to double conversion on
18932 a value that is proved to be a number, predicted to be an int32, but not proved to be an int32
18933 https://bugs.webkit.org/show_bug.cgi?id=88146
18934
18935 Reviewed by Gavin Barraclough.
18936
18937 * dfg/DFGSpeculativeJIT.cpp:
18938 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
18939
189402012-06-01 Filip Pizlo <fpizlo@apple.com>
18941
18942 DFG constant folding search for the last local access skips the immediately previous local access
18943 https://bugs.webkit.org/show_bug.cgi?id=88141
18944
18945 Reviewed by Michael Saboff.
18946
18947 If you use a loop in the style of:
18948
18949 for (i = start; i--;)
18950
18951 then you need to remember that the first value of 'i' that the loop body will see is 'start - 1'.
18952 Hence the following is probably wrong:
18953
18954 for (i = start - 1; i--;)
18955
18956 * dfg/DFGConstantFoldingPhase.cpp:
18957 (JSC::DFG::ConstantFoldingPhase::run):
18958
189592012-06-01 Filip Pizlo <fpizlo@apple.com>
18960
18961 DFG constant folding should be OK with GetLocal of captured variables having a constant
18962 https://bugs.webkit.org/show_bug.cgi?id=88137
18963
18964 Reviewed by Gavin Barraclough.
18965
18966 * dfg/DFGConstantFoldingPhase.cpp:
18967 (JSC::DFG::ConstantFoldingPhase::run):
18968
189692012-05-31 Mark Hahnenberg <mhahnenberg@apple.com>
18970
18971 JSGlobalObject does not mark m_privateNameStructure
18972 https://bugs.webkit.org/show_bug.cgi?id=88023
18973
18974 Rubber stamped by Gavin Barraclough.
18975
18976 * runtime/JSGlobalObject.cpp:
18977 (JSC::JSGlobalObject::visitChildren): We need to mark this so it doesn't get
18978 inadvertently garbage collected.
18979
189802012-05-31 Erik Arvidsson <arv@chromium.org>
18981
18982 Make DOM Exceptions Errors
18983 https://bugs.webkit.org/show_bug.cgi?id=85078
18984
18985 Reviewed by Oliver Hunt.
18986
18987 WebIDL mandates that exceptions should have Error.prototype on its prototype chain.
18988
18989 For JSC we have access to the Error.prototype from the binding code.
18990
18991 For V8 we set a field in the WrapperTypeInfo and when the constructor function is created we
18992 set the prototype as needed.
18993
18994 Updated test: fast/dom/DOMException/prototype-object.html
18995
18996 * JavaScriptCore.xcodeproj/project.pbxproj:
18997 * runtime/JSGlobalObject.cpp:
18998 (JSC::JSGlobalObject::reset):
18999 * runtime/JSGlobalObject.h:
19000 (JSC):
19001 (JSGlobalObject):
19002 (JSC::JSGlobalObject::errorPrototype):
19003
190042012-05-31 Andy Wingo <wingo@igalia.com>
19005
19006 Fix reference to unset variable in debug mode
19007 https://bugs.webkit.org/show_bug.cgi?id=87981
19008
19009 Reviewed by Geoffrey Garen.
19010
19011 * runtime/JSONObject.cpp (Stringifier::Holder::Holder):
19012 Initialize m_size in debug mode, as we check it later in an assert.
19013
190142012-05-30 Mark Hahnenberg <mhahnenberg@apple.com>
19015
19016 Heap should sweep incrementally
19017 https://bugs.webkit.org/show_bug.cgi?id=85429
19018
19019 We shouldn't have to wait for the opportunistic GC timer to fire in order
19020 to call object destructors. Instead, we should incrementally sweep some
19021 subset of the blocks requiring sweeping periodically. We tie this sweeping
19022 to a timer rather than to collections because we want to reclaim this memory
19023 even if we stop allocating. This way, our memory usage scales smoothly with
19024 actual use, regardless of whether we've recently done an opportunistic GC or not.
19025
19026 Reviewed by Geoffrey Garen.
19027
19028 * CMakeLists.txt:
19029 * GNUmakefile.list.am:
19030 * JavaScriptCore.gypi:
19031 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
19032 * JavaScriptCore.xcodeproj/project.pbxproj:
19033 * Target.pri:
19034 * heap/Heap.cpp:
19035 (JSC::Heap::Heap):
19036 (JSC::Heap::collect): We no longer sweep during a full sweep. We only shrink now,
19037 which we will switch over to being done during incremental sweeping too as soon as
19038 all finalizers can be run lazily (and, by extension, incrementally).
19039 (JSC::Heap::sweeper):
19040 (JSC):
19041 * heap/Heap.h:
19042 (JSC):
19043 (Heap):
19044 * heap/IncrementalSweeper.cpp: Added.
19045 (JSC):
19046 (JSC::IncrementalSweeper::timerDidFire): The IncrementalSweeper works very similarly to
19047 GCActivityCallback. It is tied to a run-loop based timer that fires periodically based
19048 on how long the previous sweep increment took to run. The IncrementalSweeper doesn't do
19049 anything if the platform doesn't support CoreFoundation.
19050 (JSC::IncrementalSweeper::IncrementalSweeper):
19051 (JSC::IncrementalSweeper::~IncrementalSweeper):
19052 (JSC::IncrementalSweeper::create):
19053 (JSC::IncrementalSweeper::scheduleTimer):
19054 (JSC::IncrementalSweeper::cancelTimer):
19055 (JSC::IncrementalSweeper::doSweep): Iterates over the snapshot of the MarkedSpace taken
19056 during the last collection, checking to see which blocks need sweeping. If it successfully
19057 gets to the end of the blocks that need sweeping then it cancels the timer.
19058 (JSC::IncrementalSweeper::startSweeping): We take a snapshot of the Heap and store it in
19059 a Vector that the incremental sweep will iterate over. We also reset our index into this Vector.
19060 * heap/IncrementalSweeper.h: Added.
19061 (JSC):
19062 (IncrementalSweeper):
19063 * heap/MarkedBlock.h:
19064 (JSC::MarkedBlock::needsSweeping): If a block is in the Marked state it needs sweeping
19065 to be usable and to run any destructors that need to be run.
19066
190672012-05-30 Patrick Gansterer <paroga@webkit.org>
19068
19069 [WINCE] Fix JSString after r115516.
19070 https://bugs.webkit.org/show_bug.cgi?id=87892
19071
19072 Reviewed by Geoffrey Garen.
19073
19074 r115516 splitted JSString into two classes, with addition nested classes.
19075 Add a workaround for the WinCE compiler since it can't resolve the friend class
19076 declerations corretly and denies the access to protected members of JSString.
19077
19078 * runtime/JSString.h:
19079 (JSC::JSRopeString::RopeBuilder::append):
19080 (JSC::JSRopeString::append):
19081 (JSRopeString):
19082
190832012-05-30 Oliver Hunt <oliver@apple.com>
19084
19085 Really provide error information with the inspector disabled
19086 https://bugs.webkit.org/show_bug.cgi?id=87910
19087
19088 Reviewed by Filip Pizlo.
19089
19090 Don't bother checking for anything other than pre-existing error info.
19091 In the absence of complete line number information you'll only get the
19092 line a function starts on, but at least it's something.
19093
19094 * interpreter/Interpreter.cpp:
19095 (JSC::Interpreter::throwException):
19096
190972012-05-30 Filip Pizlo <fpizlo@apple.com>
19098
19099 LLInt broken on x86-32 with JIT turned off
19100 https://bugs.webkit.org/show_bug.cgi?id=87906
19101
19102 Reviewed by Geoffrey Garen.
19103
19104 Fixed the code to not clobber registers that contain important things, like the call frame.
19105
19106 * llint/LowLevelInterpreter32_64.asm:
19107
191082012-05-30 Filip Pizlo <fpizlo@apple.com>
19109
19110 ScriptDebugServer wants sourceIDs that are non-zero because that's what HashMaps want, so JSC should placate it
19111 https://bugs.webkit.org/show_bug.cgi?id=87887
19112
19113 Reviewed by Darin Adler.
19114
19115 Better fix - we now never call SourceProvider::asID() if SourceProvider* is 0.
19116
19117 * parser/Nodes.h:
19118 (JSC::ScopeNode::sourceID):
19119 * parser/SourceCode.h:
19120 (JSC::SourceCode::providerID):
19121 (SourceCode):
19122 * parser/SourceProvider.h:
19123 (SourceProvider):
19124 (JSC::SourceProvider::asID):
19125 * runtime/Executable.h:
19126 (JSC::ScriptExecutable::sourceID):
19127
191282012-05-30 Filip Pizlo <fpizlo@apple.com>
19129
19130 ScriptDebugServer wants sourceIDs that are non-zero because that's what HashMaps want, so JSC should placate it
19131 https://bugs.webkit.org/show_bug.cgi?id=87887
19132
19133 Reviewed by Geoffrey Garen.
19134
19135 * parser/SourceProvider.h:
19136 (JSC::SourceProvider::asID):
19137
191382012-05-30 Oliver Hunt <oliver@apple.com>
19139
19140 DFG does not correctly handle exceptions caught in the LLInt
19141 https://bugs.webkit.org/show_bug.cgi?id=87885
19142
19143 Reviewed by Filip Pizlo.
19144
19145 Make the DFG use genericThrow, rather than reimplementing a small portion of it.
19146 Also make the LLInt slow paths validate that their PC is correct.
19147
19148 * dfg/DFGOperations.cpp:
19149 * llint/LLIntSlowPaths.cpp:
19150 (LLInt):
19151
191522012-05-29 Filip Pizlo <fpizlo@apple.com>
19153
19154 DFG CFA should infer types and values of captured variables
19155 https://bugs.webkit.org/show_bug.cgi?id=87813
19156
19157 Reviewed by Gavin Barraclough.
19158
19159 Slight speed-up in V8/earley-boyer (~1%).
19160
19161 * bytecode/CodeBlock.h:
19162 (JSC::CodeBlock::argumentsAreCaptured):
19163 (JSC::CodeBlock::argumentIsCaptured):
19164 (CodeBlock):
19165 * dfg/DFGAbstractState.cpp:
19166 (DFG):
19167 (JSC::DFG::AbstractState::beginBasicBlock):
19168 (JSC::DFG::AbstractState::initialize):
19169 (JSC::DFG::AbstractState::endBasicBlock):
19170 (JSC::DFG::AbstractState::execute):
19171 (JSC::DFG::AbstractState::clobberWorld):
19172 (JSC::DFG::AbstractState::clobberStructures):
19173 (JSC::DFG::AbstractState::mergeStateAtTail):
19174 (JSC::DFG::AbstractState::merge):
19175 (JSC::DFG::AbstractState::mergeToSuccessors):
19176 * dfg/DFGAbstractState.h:
19177 (JSC::DFG::AbstractState::variables):
19178 (AbstractState):
19179 * dfg/DFGSpeculativeJIT32_64.cpp:
19180 (JSC::DFG::SpeculativeJIT::compile):
19181 * dfg/DFGSpeculativeJIT64.cpp:
19182 (JSC::DFG::SpeculativeJIT::compile):
19183
191842012-05-30 Patrick Gansterer <paroga@webkit.org>
19185
19186 Unreviewed. Build fix for !ENABLE(JIT) after r117823.
19187
19188 * bytecode/CodeBlock.cpp:
19189 (JSC::CodeBlock::dump):
19190
191912012-05-30 Sheriff Bot <webkit.review.bot@gmail.com>
19192
19193 Unreviewed, rolling out r118868.
19194 http://trac.webkit.org/changeset/118868
19195 https://bugs.webkit.org/show_bug.cgi?id=87828
19196
19197 introduced ~20 crashes on Mac and Qt bots (Requested by pizlo_
19198 on #webkit).
19199
19200 * heap/Heap.cpp:
19201 (JSC::Heap::collect):
19202 * heap/MarkedBlock.cpp:
19203 (JSC::MarkedBlock::sweep):
19204 * heap/MarkedBlock.h:
19205 (JSC::MarkedBlock::sweepWeakSet):
19206 (JSC):
19207 * heap/MarkedSpace.cpp:
19208 (JSC::SweepWeakSet::operator()):
19209 (JSC):
19210 (JSC::MarkedSpace::sweepWeakSets):
19211 * heap/MarkedSpace.h:
19212 (MarkedSpace):
19213
192142012-05-29 Geoffrey Garen <ggaren@apple.com>
19215
19216 Rolled back in r118646, now that
19217 https://bugs.webkit.org/show_bug.cgi?id=87784 is fixed.
19218
19219 http://trac.webkit.org/changeset/118646
19220 https://bugs.webkit.org/show_bug.cgi?id=87599
19221
19222 * heap/Heap.cpp:
19223 (JSC::Heap::collect):
19224 * heap/MarkedBlock.cpp:
19225 (JSC::MarkedBlock::sweep):
19226 * heap/MarkedBlock.h:
19227 (JSC):
19228 * heap/MarkedSpace.cpp:
19229 (JSC):
19230 * heap/MarkedSpace.h:
19231 (MarkedSpace):
19232
192332012-05-29 Filip Pizlo <fpizlo@apple.com>
19234
19235 DFG should keep captured variables alive until the (inline) return.
19236 https://bugs.webkit.org/show_bug.cgi?id=87205
19237
19238 Reviewed by Gavin Barraclough.
19239
19240 Changes the way we do flushing for captured variables and arguments. Instead of flushing
19241 each SetLocal immediately, we flush at kill points. So a SetLocal will cause a Flush of
19242 whatever was live in the variable previously, and a return will cause a Flush of all
19243 captured variables and all arguments.
19244
19245 * dfg/DFGByteCodeParser.cpp:
19246 (JSC::DFG::ByteCodeParser::setDirect):
19247 (JSC::DFG::ByteCodeParser::set):
19248 (JSC::DFG::ByteCodeParser::setLocal):
19249 (JSC::DFG::ByteCodeParser::getArgument):
19250 (JSC::DFG::ByteCodeParser::setArgument):
19251 (JSC::DFG::ByteCodeParser::findArgumentPositionForArgument):
19252 (ByteCodeParser):
19253 (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
19254 (JSC::DFG::ByteCodeParser::findArgumentPosition):
19255 (JSC::DFG::ByteCodeParser::flush):
19256 (JSC::DFG::ByteCodeParser::flushDirect):
19257 (JSC::DFG::ByteCodeParser::flushArgumentsAndCapturedVariables):
19258 (JSC::DFG::ByteCodeParser::handleInlining):
19259 (JSC::DFG::ByteCodeParser::parseBlock):
19260 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
19261 * dfg/DFGCSEPhase.cpp:
19262 (JSC::DFG::CSEPhase::setLocalStoreElimination):
19263 (JSC::DFG::CSEPhase::performNodeCSE):
19264 * dfg/DFGSpeculativeJIT.cpp:
19265 (JSC::DFG::SpeculativeJIT::compile):
19266 * dfg/DFGSpeculativeJIT.h:
19267 (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
19268
192692012-05-29 Geoffrey Garen <ggaren@apple.com>
19270
19271 WeakGCMap should be lazy-finalization-safe
19272 https://bugs.webkit.org/show_bug.cgi?id=87784
19273
19274 Reviewed by Darin Adler.
19275
19276 * runtime/WeakGCMap.h:
19277 (JSC::WeakGCMap::get): Since this is a map of raw WeakImpl pointers, and
19278 not Weak<T>, we need to verify manually that the WeakImpl is live before
19279 we return its payload.
19280
192812012-05-29 Mark Hahnenberg <mhahnenberg@apple.com>
19282
19283 CopiedSpace::doneCopying could start another collection
19284 https://bugs.webkit.org/show_bug.cgi?id=86538
19285
19286 Reviewed by Geoffrey Garen.
19287
19288 It's possible that if we don't have anything at the head of to-space
19289 after a collection and the BlockAllocator doesn't have any fresh blocks
19290 to give us right now we could start another collection while still in
19291 the middle of the first collection when we call CopiedSpace::addNewBlock().
19292
19293 One way to resolve this would be to have Heap::shouldCollect() check that
19294 m_operationInProgress is NoOperation. This would prevent the path in
19295 getFreshBlock() that starts the collection if we're already in the middle of one.
19296
19297 I could not come up with a test case to reproduce this crash on ToT.
19298
19299 * heap/Heap.h:
19300 (JSC::Heap::shouldCollect): We shouldn't collect if we're already in the middle
19301 of a collection, i.e. the current operation should be NoOperation.
19302
193032012-05-29 David Barr <davidbarr@chromium.org>
19304
19305 Introduce ENABLE_CSS_IMAGE_RESOLUTION compile flag
19306 https://bugs.webkit.org/show_bug.cgi?id=87685
19307
19308 Reviewed by Eric Seidel.
19309
19310 Add a configuration option for CSS image-resolution support, disabling it by default.
19311
19312 * Configurations/FeatureDefines.xcconfig:
19313
193142012-05-28 Sheriff Bot <webkit.review.bot@gmail.com>
19315
19316 Unreviewed, rolling out r118646.
19317 http://trac.webkit.org/changeset/118646
19318 https://bugs.webkit.org/show_bug.cgi?id=87691
19319
19320 broke V8 raytrace benchmark (Requested by pizlo_ on #webkit).
19321
19322 * heap/Heap.cpp:
19323 (JSC::Heap::collect):
19324 * heap/MarkedBlock.cpp:
19325 (JSC::MarkedBlock::sweep):
19326 * heap/MarkedBlock.h:
19327 (JSC::MarkedBlock::sweepWeakSet):
19328 (JSC):
19329 * heap/MarkedSpace.cpp:
19330 (JSC::SweepWeakSet::operator()):
19331 (JSC):
19332 (JSC::MarkedSpace::sweepWeakSets):
19333 * heap/MarkedSpace.h:
19334 (MarkedSpace):
19335
193362012-05-28 Filip Pizlo <fpizlo@apple.com>
19337
19338 DFG should not generate code for code that the CFA proves to be unreachable
19339 https://bugs.webkit.org/show_bug.cgi?id=87682
19340
19341 Reviewed by Sam Weinig.
19342
19343 This also fixes a small performance bug where CFA was not marking blocks
19344 as having constants (and hence not triggering constant folding) if the only
19345 constants were on GetLocals.
19346
19347 And fixing that bug revealed another bug: constant folding was assuming that
19348 a GetLocal must be the first access to a local in a basic block. This isn't
19349 true. The first access may be a Flush. This patch fixes that issue using the
19350 safest approach possible, since we don't need to be clever for something that
19351 only happens in one of our benchmarks.
19352
19353 * dfg/DFGAbstractState.cpp:
19354 (JSC::DFG::AbstractState::execute):
19355 * dfg/DFGConstantFoldingPhase.cpp:
19356 (JSC::DFG::ConstantFoldingPhase::run):
19357 * dfg/DFGJITCompiler.h:
19358 (JSC::DFG::JITCompiler::noticeOSREntry):
19359 * dfg/DFGSpeculativeJIT.cpp:
19360 (JSC::DFG::SpeculativeJIT::compile):
19361
193622012-05-28 Carlos Garcia Campos <cgarcia@igalia.com>
19363
19364 Unreviewed. Fix make distcheck.
19365
19366 * GNUmakefile.list.am: Add missing header file.
19367
193682012-05-27 Geoffrey Garen <ggaren@apple.com>
19369
19370 Weak pointer finalization should be lazy
19371 https://bugs.webkit.org/show_bug.cgi?id=87599
19372
19373 Reviewed by Darin Adler.
19374
19375 * heap/Heap.cpp:
19376 (JSC::Heap::collect): Don't force immediate finalization -- it will
19377 happen lazily.
19378
19379 * heap/MarkedBlock.cpp:
19380 (JSC::MarkedBlock::sweep): Sweep a block's weak set when sweeping the
19381 block. The weak set may not have been swept yet, and this is our last
19382 chance to run weak finalizers before we recycle the memory they reference.
19383
19384 * heap/MarkedBlock.h:
19385 * heap/MarkedSpace.cpp:
19386 (JSC::MarkedBlock::sweepWeakSets):
19387 * heap/MarkedSpace.h:
19388 (JSC::MarkedSpace::sweepWeakSets): Nixed sweepWeakSets because it's unused
19389 now.
19390
193912012-05-26 Geoffrey Garen <ggaren@apple.com>
19392
19393 WebKit should be lazy-finalization-safe (esp. the DOM) v2
19394 https://bugs.webkit.org/show_bug.cgi?id=87581
19395
19396 Reviewed by Oliver Hunt.
19397
19398 * heap/MarkedBlock.cpp:
19399 (JSC::MarkedBlock::callDestructor):
19400 * heap/WeakBlock.h:
19401 * heap/WeakSetInlines.h:
19402 (JSC::WeakBlock::finalize): Since we don't guarantee destruction order,
19403 it's not valid to access GC pointers like the Structure pointer during
19404 finalization. We NULL out the structure pointer in debug builds to try
19405 to make this programming mistake more obvious.
19406
19407 * API/JSCallbackConstructor.cpp:
19408 (JSC::JSCallbackConstructor::destroy):
19409 * API/JSCallbackObject.cpp:
19410 (JSC::::destroy):
19411 (JSC::JSCallbackObjectData::finalize):
19412 * runtime/Arguments.cpp:
19413 (JSC::Arguments::destroy):
19414 * runtime/DateInstance.cpp:
19415 (JSC::DateInstance::destroy):
19416 * runtime/Error.cpp:
19417 (JSC::StrictModeTypeErrorFunction::destroy):
19418 * runtime/Executable.cpp:
19419 (JSC::ExecutableBase::destroy):
19420 (JSC::NativeExecutable::destroy):
19421 (JSC::ScriptExecutable::destroy):
19422 (JSC::EvalExecutable::destroy):
19423 (JSC::ProgramExecutable::destroy):
19424 (JSC::FunctionExecutable::destroy):
19425 * runtime/JSGlobalObject.cpp:
19426 (JSC::JSGlobalObject::destroy):
19427 * runtime/JSPropertyNameIterator.cpp:
19428 (JSC::JSPropertyNameIterator::destroy):
19429 * runtime/JSStaticScopeObject.cpp:
19430 (JSC::JSStaticScopeObject::destroy):
19431 * runtime/JSString.cpp:
19432 (JSC::JSString::destroy):
19433 * runtime/JSVariableObject.cpp:
19434 (JSC::JSVariableObject::destroy):
19435 * runtime/NameInstance.cpp:
19436 (JSC::NameInstance::destroy):
19437 * runtime/RegExp.cpp:
19438 (JSC::RegExp::destroy):
19439 * runtime/RegExpConstructor.cpp:
19440 (JSC::RegExpConstructor::destroy):
19441 * runtime/Structure.cpp:
19442 (JSC::Structure::destroy):
19443 * runtime/StructureChain.cpp:
19444 (JSC::StructureChain::destroy): Use static_cast instead of jsCast because
19445 jsCast does Structure-based validation, and our Structure is not guaranteed
19446 to be alive when we get finalized.
19447
194482012-05-22 Filip Pizlo <fpizlo@apple.com>
19449
19450 DFG CSE should eliminate redundant WeakJSConstants
19451 https://bugs.webkit.org/show_bug.cgi?id=87179
19452
19453 Reviewed by Gavin Barraclough.
19454
19455 Merged r118141 from dfgopt.
19456
19457 * dfg/DFGCSEPhase.cpp:
19458 (JSC::DFG::CSEPhase::weakConstantCSE):
19459 (CSEPhase):
19460 (JSC::DFG::CSEPhase::performNodeCSE):
19461 * dfg/DFGNode.h:
19462 (JSC::DFG::Node::weakConstant):
19463
194642012-05-22 Filip Pizlo <fpizlo@apple.com>
19465
19466 DFG CSE should do redundant store elimination
19467 https://bugs.webkit.org/show_bug.cgi?id=87161
19468
19469 Reviewed by Oliver Hunt.
19470
19471 Merge r118138 from dfgopt.
19472
19473 This patch adds redundant store elimination. For example, consider this
19474 code:
19475
19476 o.x = 42;
19477 o.x = 84;
19478
19479 If o.x is speculated to be a well-behaved field, the first assignment is
19480 unnecessary, since the second just overwrites it. We would like to
19481 eliminate the first assignment in these cases. The need for this
19482 optimization arises mostly from stores that our runtime requires. For
19483 example:
19484
19485 o = {f:1, g:2, h:3};
19486
19487 This will have four assignments to the structure for the newly created
19488 object - one assignment for the empty structure, one for {f}, one for
19489 {f, g}, and one for {f, g, h}. We would like to only have the last of
19490 those assigments in this case.
19491
19492 Intriguingly, doing so for captured variables breaks the way arguments
19493 simplification used to work. Consider that prior to either arguments
19494 simplification or store elimination we will have IR that looks like:
19495
19496 a: SetLocal(r0, Empty)
19497 b: SetLocal(r1, Empty)
19498 c: GetLocal(r0)
19499 d: CreateArguments(@c)
19500 e: SetLocal(r0, @d)
19501 f: SetLocal(r1, @d)
19502
19503 Then redundant store elimination will eliminate the stores that
19504 initialize the arguments registers to Empty, but then arguments
19505 simplification eliminates the stores that initialize the arguments to
19506 the newly created arguments - and at this point we no longer have any
19507 stores to the arguments register, leading to hilarious crashes. This
19508 patch therefore changes arguments simplification to replace
19509 CreateArguments with JSConstant(Empty) rather than eliminating the
19510 SetLocals. But this revealed bugs where arguments simplification was
19511 being overzealous, so I fixed those bugs.
19512
19513 This is a minor speed-up on V8/early and a handful of other tests.
19514
19515 * bytecode/CodeBlock.h:
19516 (JSC::CodeBlock::uncheckedActivationRegister):
19517 * dfg/DFGAbstractState.cpp:
19518 (JSC::DFG::AbstractState::execute):
19519 * dfg/DFGArgumentsSimplificationPhase.cpp:
19520 (JSC::DFG::ArgumentsSimplificationPhase::run):
19521 (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
19522 (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUses):
19523 (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
19524 * dfg/DFGCSEPhase.cpp:
19525 (JSC::DFG::CSEPhase::globalVarStoreElimination):
19526 (CSEPhase):
19527 (JSC::DFG::CSEPhase::putStructureStoreElimination):
19528 (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
19529 (JSC::DFG::CSEPhase::setLocalStoreElimination):
19530 (JSC::DFG::CSEPhase::setReplacement):
19531 (JSC::DFG::CSEPhase::eliminate):
19532 (JSC::DFG::CSEPhase::performNodeCSE):
19533 * dfg/DFGGraph.h:
19534 (JSC::DFG::Graph::uncheckedActivationRegisterFor):
19535 (Graph):
19536 * dfg/DFGNode.h:
19537 (JSC::DFG::Node::isPhantomArguments):
19538 (Node):
19539 (JSC::DFG::Node::hasConstant):
19540 (JSC::DFG::Node::valueOfJSConstant):
19541 (JSC::DFG::Node::hasStructureTransitionData):
19542 * dfg/DFGNodeType.h:
19543 (DFG):
19544 * dfg/DFGPredictionPropagationPhase.cpp:
19545 (JSC::DFG::PredictionPropagationPhase::propagate):
19546 * dfg/DFGSpeculativeJIT.cpp:
19547 (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
19548 * dfg/DFGSpeculativeJIT32_64.cpp:
19549 (JSC::DFG::SpeculativeJIT::compile):
19550 * dfg/DFGSpeculativeJIT64.cpp:
19551 (JSC::DFG::SpeculativeJIT::compile):
19552
195532012-05-21 Filip Pizlo <fpizlo@apple.com>
19554
19555 DFG ConvertThis should just be a CheckStructure if the structure is known
19556 https://bugs.webkit.org/show_bug.cgi?id=87057
19557
19558 Reviewed by Gavin Barraclough.
19559
19560 Merged r118021 from dfgopt.
19561
19562 This gives ValueProfile the ability to track singleton values - i.e. profiling
19563 sites that always see the same value.
19564
19565 That is then used to profile the structure in op_convert_this.
19566
19567 This is then used to optimize op_convert_this into a CheckStructure if the
19568 structure is always the same.
19569
19570 That then results in better CSE in inlined code that uses 'this', since
19571 previously we couldn't CSE accesses on 'this' from different inline call frames.
19572
19573 Also fixed a bug where we were unnecessarily flushing 'this'.
19574
19575 * bytecode/CodeBlock.cpp:
19576 (JSC::CodeBlock::dump):
19577 (JSC::CodeBlock::stronglyVisitStrongReferences):
19578 * bytecode/LazyOperandValueProfile.cpp:
19579 (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
19580 * bytecode/LazyOperandValueProfile.h:
19581 (CompressedLazyOperandValueProfileHolder):
19582 * bytecode/Opcode.h:
19583 (JSC):
19584 (JSC::padOpcodeName):
19585 * bytecode/ValueProfile.h:
19586 (JSC::ValueProfileBase::ValueProfileBase):
19587 (JSC::ValueProfileBase::dump):
19588 (JSC::ValueProfileBase::computeUpdatedPrediction):
19589 (ValueProfileBase):
19590 * bytecompiler/BytecodeGenerator.cpp:
19591 (JSC::BytecodeGenerator::BytecodeGenerator):
19592 * dfg/DFGByteCodeParser.cpp:
19593 (JSC::DFG::ByteCodeParser::setArgument):
19594 (JSC::DFG::ByteCodeParser::parseBlock):
19595 * jit/JITOpcodes.cpp:
19596 (JSC::JIT::emit_op_convert_this):
19597 (JSC::JIT::emitSlow_op_convert_this):
19598 * jit/JITOpcodes32_64.cpp:
19599 (JSC::JIT::emit_op_convert_this):
19600 (JSC::JIT::emitSlow_op_convert_this):
19601 * llint/LLIntSlowPaths.cpp:
19602 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
19603 * llint/LowLevelInterpreter32_64.asm:
19604 * llint/LowLevelInterpreter64.asm:
19605 * runtime/JSValue.h:
19606 (JSValue):
19607 * runtime/Structure.h:
19608 (JSC::JSValue::structureOrUndefined):
19609 (JSC):
19610
196112012-05-24 Tim Horton <timothy_horton@apple.com>
19612
19613 Add feature defines for web-facing parts of CSS Regions and Exclusions
19614 https://bugs.webkit.org/show_bug.cgi?id=87442
19615 <rdar://problem/10887709>
19616
19617 Reviewed by Dan Bernstein.
19618
19619 * Configurations/FeatureDefines.xcconfig:
19620
196212012-05-24 Geoffrey Garen <ggaren@apple.com>
19622
19623 WebKit should be lazy-finalization-safe (esp. the DOM)
19624 https://bugs.webkit.org/show_bug.cgi?id=87456
19625
19626 Reviewed by Filip Pizlo.
19627
19628 Lazy finalization adds one twist to weak pointer use:
19629
19630 A HashMap of weak pointers may contain logically null entries.
19631 (Weak pointers behave as-if null once their payloads die.)
19632 Insertion must not assume that a pre-existing entry is
19633 necessarily valid, and iteration must not assume that all
19634 entries can be dereferenced.
19635
19636 (Previously, I thought that it also added a second twist:
19637
19638 A demand-allocated weak pointer may replace a dead payload
19639 before the payload's finalizer runs. In that case, when the
19640 payload's finalizer runs, the payload has already been
19641 overwritten, and the finalizer should not clear the payload,
19642 which now points to something new.
19643
19644 But that's not the case here, since we cancel the old payload's
19645 finalizer when we over-write it. I've added ASSERTs to verify this
19646 assumption, in case it ever changes.)
19647
19648 * API/JSClassRef.cpp:
19649 (OpaqueJSClass::prototype): No need to specify null; that's the default.
19650
19651 * API/JSWeakObjectMapRefPrivate.cpp: Use remove, since take() is gone.
19652
19653 * heap/PassWeak.h:
19654 (WeakImplAccessor::was): This is no longer a debug-only function, since
19655 it's required to reason about lazily finalized pointers.
19656
19657 * heap/Weak.h:
19658 (JSC::weakAdd):
19659 (JSC::weakRemove):
19660 (JSC::weakClear): Added these helper functions for the common idioms of
19661 what clients want to do in their weak pointer finalizers.
19662
19663 * jit/JITStubs.cpp:
19664 (JSC::JITThunks::hostFunctionStub): Use the new idioms. Otherwise, we
19665 would return NULL for a "zombie" executable weak pointer that was waiting
19666 for finalization (item (2)), and finalizing a dead executable weak pointer
19667 would potentially destroy a new, live one (item (1)).
19668
19669 * runtime/RegExpCache.cpp:
19670 (JSC::RegExpCache::lookupOrCreate):
19671 (JSC::RegExpCache::finalize): Ditto.
19672
19673 (JSC::RegExpCache::invalidateCode): Check for null while iterating. (See
19674 item (2).)
19675
19676 * runtime/Structure.cpp:
19677 (JSC::StructureTransitionTable::contains):
19678 (JSC::StructureTransitionTable::add): Use get and set instead of add and
19679 contains, since add and contains are not compatible with lazy finalization.
19680
19681 * runtime/WeakGCMap.h:
19682 (WeakGCMap):
19683 (JSC::WeakGCMap::clear):
19684 (JSC::WeakGCMap::remove): Removed a bunch of code that was incompatible with
19685 lazy finalization because I didn't feel like making it compatible, and I had
19686 no way to test it.
19687
196882012-05-24 Filip Pizlo <fpizlo@apple.com>
19689
19690 REGRESSION (r118013-r118031): Loops/Reloads under www.yahoo.com, quits after three tries with error
19691 https://bugs.webkit.org/show_bug.cgi?id=87327
19692
19693 Reviewed by Geoffrey Garen.
19694
19695 If you use AbstractValue::filter(StructureSet) to test subset relationships between TOP and a
19696 set containing >=2 elements, you're going to have a bad time.
19697
19698 That's because AbstractValue considers a set with >=2 elements to be equivalent to TOP, in order
19699 to save space and speed up convergence. So filtering has no effect in this case, which made
19700 the code think that the abstract value was proving that the structure check was unnecessary.
19701 The correct thing to do is to use isSubsetOf() on the StructureAbstractValue, which does the
19702 right thingies for TOP and >=2 elements.
19703
19704 * dfg/DFGAbstractState.cpp:
19705 (JSC::DFG::AbstractState::execute):
19706 * dfg/DFGSpeculativeJIT32_64.cpp:
19707 (JSC::DFG::SpeculativeJIT::compile):
19708 * dfg/DFGSpeculativeJIT64.cpp:
19709 (JSC::DFG::SpeculativeJIT::compile):
19710
197112012-05-24 Filip Pizlo <fpizlo@apple.com>
19712
19713 new test fast/js/dfg-arguments-mixed-alias.html fails on JSVALUE32_64
19714 https://bugs.webkit.org/show_bug.cgi?id=87378
19715
19716 Reviewed by Gavin Barraclough.
19717
19718 - Captured variable tracking forgot did not consistently handle arguments, leading to OSR
19719 badness.
19720
19721 - Nodes capable of exiting were tracked in a non-monotonic way, leading to compiler errors.
19722
19723 * dfg/DFGByteCodeParser.cpp:
19724 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
19725 * dfg/DFGCSEPhase.cpp:
19726 (JSC::DFG::CSEPhase::CSEPhase):
19727 (CSEPhase):
19728 (JSC::DFG::performCSE):
19729 * dfg/DFGCSEPhase.h:
19730 (DFG):
19731 * dfg/DFGCommon.h:
19732 * dfg/DFGDriver.cpp:
19733 (JSC::DFG::compile):
19734 * dfg/DFGGraph.cpp:
19735 (JSC::DFG::Graph::resetExitStates):
19736 (DFG):
19737 * dfg/DFGGraph.h:
19738 (Graph):
19739 * dfg/DFGPhase.h:
19740 (DFG):
19741 (JSC::DFG::runPhase):
19742
197432012-05-24 Geoffrey Garen <ggaren@apple.com>
19744
19745 Made WeakSet per-block instead of per-heap
19746 https://bugs.webkit.org/show_bug.cgi?id=87401
19747
19748 Reviewed by Oliver Hunt.
19749
19750 This allows us fast access to the set of all weak pointers for a block,
19751 which is a step toward lazy finalization.
19752
19753 No performance change.
19754
19755 * heap/Heap.cpp:
19756 (JSC::Heap::Heap):
19757 (JSC::Heap::lastChanceToFinalize): Removed the per-heap weak set, since
19758 it's per-block now.
19759
19760 (JSC::Heap::markRoots): Delegate weak set visiting to the marked space,
19761 since it knows how to iterate all blocks.
19762
19763 (JSC::Heap::collect): Moved the reaping outside of markRoots, since it
19764 doesn't mark anything.
19765
19766 Make sure to reset allocators after shrinking, since shrinking may
19767 deallocate the current allocator.
19768
19769 * heap/Heap.h:
19770 (Heap): No more per-heap weak set, since it's per-block now.
19771
19772 * heap/MarkedBlock.cpp:
19773 (JSC::MarkedBlock::MarkedBlock):
19774 * heap/MarkedBlock.h:
19775 (MarkedBlock):
19776 (JSC::MarkedBlock::lastChanceToFinalize): Migrated finalization logic
19777 here from the heap, so the heap doesn't need to know about our internal
19778 data structures like our weak set.
19779
19780 (JSC::MarkedBlock::heap):
19781 (JSC::MarkedBlock::weakSet):
19782 (JSC::MarkedBlock::shrink):
19783 (JSC::MarkedBlock::resetAllocator):
19784 (JSC::MarkedBlock::visitWeakSet):
19785 (JSC::MarkedBlock::reapWeakSet):
19786 (JSC::MarkedBlock::sweepWeakSet):
19787 * heap/MarkedSpace.cpp:
19788 (JSC::VisitWeakSet::VisitWeakSet):
19789 (JSC::VisitWeakSet::operator()):
19790 (VisitWeakSet):
19791 (JSC):
19792 (JSC::ReapWeakSet::operator()):
19793 (JSC::SweepWeakSet::operator()):
19794 (JSC::LastChanceToFinalize::operator()):
19795 (JSC::MarkedSpace::lastChanceToFinalize):
19796 (JSC::ResetAllocator::operator()):
19797 (JSC::MarkedSpace::resetAllocators):
19798 (JSC::MarkedSpace::visitWeakSets):
19799 (JSC::MarkedSpace::reapWeakSets):
19800 (JSC::MarkedSpace::sweepWeakSets):
19801 (JSC::Shrink::operator()):
19802 (JSC::MarkedSpace::shrink):
19803 * heap/MarkedSpace.h:
19804 (MarkedSpace): Make sure to account for our weak sets when sweeping,
19805 shrinking, etc.
19806
19807 * heap/WeakSet.cpp:
19808 (JSC):
19809 * heap/WeakSet.h:
19810 (WeakSet):
19811 (JSC::WeakSet::heap):
19812 (JSC):
19813 (JSC::WeakSet::lastChanceToFinalize):
19814 (JSC::WeakSet::visit):
19815 (JSC::WeakSet::reap):
19816 (JSC::WeakSet::shrink):
19817 (JSC::WeakSet::resetAllocator): Inlined some things since they're called
19818 once per block now instead of once per heap.
19819
19820 * heap/WeakSetInlines.h:
19821 (JSC::WeakSet::allocate): Use the per-block weak set since there is no
19822 per-heap weak set anymore.
19823
198242012-05-24 Gavin Barraclough <barraclough@apple.com>
19825
19826 Fix arm build
19827
19828 Rubber stamped by Geoff Garen
19829
19830 * dfg/DFGGPRInfo.h:
19831 (GPRInfo):
19832
198332012-05-24 Gavin Barraclough <barraclough@apple.com>
19834
19835 Move cacheFlush from ExecutableAllocator to Assembler classes
19836 https://bugs.webkit.org/show_bug.cgi?id=87420
19837
19838 Reviewed by Oliver Hunt.
19839
19840 Makes more sense there, & remove a pile of #ifdefs.
19841
19842 * assembler/ARMAssembler.cpp:
19843 (JSC):
19844 (JSC::ARMAssembler::cacheFlush):
19845 * assembler/ARMAssembler.h:
19846 (ARMAssembler):
19847 (JSC::ARMAssembler::cacheFlush):
19848 * assembler/ARMv7Assembler.h:
19849 (JSC::ARMv7Assembler::relinkJump):
19850 (JSC::ARMv7Assembler::cacheFlush):
19851 (ARMv7Assembler):
19852 (JSC::ARMv7Assembler::setInt32):
19853 (JSC::ARMv7Assembler::setUInt7ForLoad):
19854 * assembler/AbstractMacroAssembler.h:
19855 (JSC::AbstractMacroAssembler::cacheFlush):
19856 * assembler/LinkBuffer.h:
19857 (JSC::LinkBuffer::performFinalization):
19858 * assembler/MIPSAssembler.h:
19859 (JSC::MIPSAssembler::relinkJump):
19860 (JSC::MIPSAssembler::relinkCall):
19861 (JSC::MIPSAssembler::repatchInt32):
19862 (JSC::MIPSAssembler::cacheFlush):
19863 (MIPSAssembler):
19864 * assembler/SH4Assembler.h:
19865 (JSC::SH4Assembler::repatchCompact):
19866 (JSC::SH4Assembler::cacheFlush):
19867 (SH4Assembler):
19868 * assembler/X86Assembler.h:
19869 (X86Assembler):
19870 (JSC::X86Assembler::cacheFlush):
19871 * jit/ExecutableAllocator.cpp:
19872 (JSC):
19873 * jit/ExecutableAllocator.h:
19874 (ExecutableAllocator):
19875
198762012-05-24 John Mellor <johnme@chromium.org>
19877
19878 Font Boosting: Add compile flag and runtime setting
19879 https://bugs.webkit.org/show_bug.cgi?id=87394
19880
19881 Reviewed by Adam Barth.
19882
19883 Add ENABLE_FONT_BOOSTING.
19884
19885 * Configurations/FeatureDefines.xcconfig:
19886
198872012-05-24 Allan Sandfeld Jensen <allan.jensen@nokia.com>
19888
19889 cti_vm_throw gets kicked out by gcc 4.6 -flto
19890 https://bugs.webkit.org/show_bug.cgi?id=56088
19891
19892 Reviewed by Darin Adler.
19893
19894 Add REFERENCED_FROM_ASM to functions only referenced from assembler.
19895
19896 * dfg/DFGOperations.cpp:
19897 * jit/HostCallReturnValue.h:
19898 * jit/JITStubs.h:
19899 * jit/ThunkGenerators.cpp:
19900
199012012-05-24 Filip Pizlo <fpizlo@apple.com>
19902
19903 Incorrect merge of r117542 from dfg opt branch in r118323 is leading to fast/js/dfg-arguments-osr-exit.html failing
19904 https://bugs.webkit.org/show_bug.cgi?id=87350
19905
19906 Reviewed by Maciej Stachowiak.
19907
19908 The dfgopt branch introduced the notion of a local variable being killed because it was aliased
19909 to the Arguments object as in cases like:
19910
19911 var a = arguments;
19912 return a.length;
19913
19914 This required changes to OSR exit handling - if the variable is dead but aliased to arguments, then
19915 OSR exit should reify the arguments. But meanwhile, in tip of tree we introduced special handling for
19916 dead variables on OSR exit. When the two were merged in r118323, the structure of the if/else branches
19917 ended up being such that we would treat dead arguments variables as totally dead as opposed to treating
19918 them as variables that need arguments reification.
19919
19920 This fixes the structure of the relevant if/else block so that variables that are dead-but-arguments
19921 end up being treated as reified arguments objects, while variables that are dead but not aliased to
19922 arguments are treated as tip of tree would have treated them (initialize to Undefined).
19923
19924 * dfg/DFGSpeculativeJIT.cpp:
19925 (JSC::DFG::SpeculativeJIT::compile):
19926
199272012-05-24 Csaba Osztrogonác <ossy@webkit.org>
19928
19929 Unreviewed 32 bit buildfix after r118325.
19930
19931 * dfg/DFGSpeculativeJIT32_64.cpp:
19932 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): Use ASSERT_UNUSED instead ASSERT.
19933
199342012-05-23 Filip Pizlo <fpizlo@apple.com>
19935
19936 DFG operationTearOffActivation should return after handling the null activation case
19937 https://bugs.webkit.org/show_bug.cgi?id=87348
19938 <rdar://problem/11522295>
19939
19940 Reviewed by Oliver Hunt.
19941
19942 * dfg/DFGOperations.cpp:
19943
199442012-05-23 Filip Pizlo <fpizlo@apple.com>
19945
19946 Unreviewed, merge the arguments fix in r118138 to get bots green.
19947
19948 * dfg/DFGArgumentsSimplificationPhase.cpp:
19949 (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
19950
199512012-05-20 Filip Pizlo <fpizlo@apple.com>
19952
19953 DFG CFA should record if a node can OSR exit
19954 https://bugs.webkit.org/show_bug.cgi?id=86905
19955
19956 Reviewed by Oliver Hunt.
19957
19958 Merged r117931 from dfgopt.
19959
19960 Adds a NodeFlag that denotes nodes that are known to not have OSR exits.
19961 This ought to aid any backwards analyses that need to know when a
19962 backward flow merge might happen due to a side exit.
19963
19964 Also added assertions into speculationCheck() that ensure that we did not
19965 mark a node as non-exiting and then promptly compile in an exit. This
19966 helped catch some minor bugs where we were doing unnecessary speculation
19967 checks.
19968
19969 This is a perf-neutral change. The speculation checks that this removes
19970 were not on hot paths of major benchmarks.
19971
19972 * bytecode/PredictedType.h:
19973 (JSC):
19974 (JSC::isAnyPrediction):
19975 * dfg/DFGAbstractState.cpp:
19976 (JSC::DFG::AbstractState::execute):
19977 * dfg/DFGAbstractState.h:
19978 (JSC::DFG::AbstractState::speculateInt32Unary):
19979 (AbstractState):
19980 (JSC::DFG::AbstractState::speculateNumberUnary):
19981 (JSC::DFG::AbstractState::speculateBooleanUnary):
19982 (JSC::DFG::AbstractState::speculateInt32Binary):
19983 (JSC::DFG::AbstractState::speculateNumberBinary):
19984 * dfg/DFGNode.h:
19985 (JSC::DFG::Node::mergeFlags):
19986 (JSC::DFG::Node::filterFlags):
19987 (Node):
19988 (JSC::DFG::Node::setCanExit):
19989 (JSC::DFG::Node::canExit):
19990 * dfg/DFGNodeFlags.cpp:
19991 (JSC::DFG::nodeFlagsAsString):
19992 * dfg/DFGNodeFlags.h:
19993 (DFG):
19994 * dfg/DFGSpeculativeJIT.cpp:
19995 (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
19996 (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
19997 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
19998 * dfg/DFGSpeculativeJIT.h:
19999 (JSC::DFG::SpeculativeJIT::speculationCheck):
20000 (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
20001 (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
20002 (SpeculativeJIT):
20003 * dfg/DFGSpeculativeJIT32_64.cpp:
20004 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
20005 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
20006 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
20007 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
20008 (JSC::DFG::SpeculativeJIT::compile):
20009 * dfg/DFGSpeculativeJIT64.cpp:
20010 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
20011 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
20012 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
20013 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
20014 (JSC::DFG::SpeculativeJIT::compile):
20015
200162012-05-20 Filip Pizlo <fpizlo@apple.com>
20017
20018 DFG should not do unnecessary indirections when storing to objects
20019 https://bugs.webkit.org/show_bug.cgi?id=86959
20020
20021 Reviewed by Oliver Hunt.
20022
20023 Merged r117819 from dfgopt.
20024
20025 * dfg/DFGByteCodeParser.cpp:
20026 (JSC::DFG::ByteCodeParser::parseBlock):
20027 * dfg/DFGCSEPhase.cpp:
20028 (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
20029 * dfg/DFGSpeculativeJIT32_64.cpp:
20030 (JSC::DFG::SpeculativeJIT::compile):
20031 * dfg/DFGSpeculativeJIT64.cpp:
20032 (JSC::DFG::SpeculativeJIT::compile):
20033
200342012-05-17 Filip Pizlo <fpizlo@apple.com>
20035
20036 DFG should optimize aliased uses of the Arguments object of the current call frame
20037 https://bugs.webkit.org/show_bug.cgi?id=86552
20038
20039 Reviewed by Geoff Garen.
20040
20041 Merged r117542 and r117543 from dfgopt.
20042
20043 Performs must-alias and escape analysis on uses of CreateArguments, and if
20044 a variable is must-aliased to CreateArguments and does not escape, then we
20045 turn all uses of that variable into direct arguments accesses.
20046
20047 36% speed-up on V8/earley leading to a 2.3% speed-up overall in V8.
20048
20049 * bytecode/CodeBlock.h:
20050 (JSC::CodeBlock::uncheckedArgumentsRegister):
20051 * bytecode/ValueRecovery.h:
20052 (JSC::ValueRecovery::argumentsThatWereNotCreated):
20053 (ValueRecovery):
20054 (JSC::ValueRecovery::dump):
20055 * dfg/DFGAbstractState.cpp:
20056 (JSC::DFG::AbstractState::execute):
20057 * dfg/DFGAdjacencyList.h:
20058 (AdjacencyList):
20059 (JSC::DFG::AdjacencyList::removeEdgeFromBag):
20060 * dfg/DFGArgumentsSimplificationPhase.cpp:
20061 (JSC::DFG::ArgumentsSimplificationPhase::run):
20062 (ArgumentsSimplificationPhase):
20063 (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
20064 (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUses):
20065 (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
20066 (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
20067 (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
20068 * dfg/DFGAssemblyHelpers.h:
20069 (JSC::DFG::AssemblyHelpers::argumentsRegisterFor):
20070 (AssemblyHelpers):
20071 * dfg/DFGByteCodeParser.cpp:
20072 (JSC::DFG::ByteCodeParser::parseBlock):
20073 * dfg/DFGCFGSimplificationPhase.cpp:
20074 (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
20075 * dfg/DFGGPRInfo.h:
20076 (GPRInfo):
20077 * dfg/DFGGraph.cpp:
20078 (JSC::DFG::Graph::collectGarbage):
20079 (DFG):
20080 * dfg/DFGGraph.h:
20081 (Graph):
20082 (JSC::DFG::Graph::executableFor):
20083 (JSC::DFG::Graph::argumentsRegisterFor):
20084 (JSC::DFG::Graph::uncheckedArgumentsRegisterFor):
20085 (JSC::DFG::Graph::clobbersWorld):
20086 * dfg/DFGNode.h:
20087 (JSC::DFG::Node::hasHeapPrediction):
20088 * dfg/DFGNodeType.h:
20089 (DFG):
20090 * dfg/DFGOSRExitCompiler.cpp:
20091 * dfg/DFGOSRExitCompiler.h:
20092 (JSC::DFG::OSRExitCompiler::OSRExitCompiler):
20093 (OSRExitCompiler):
20094 * dfg/DFGOSRExitCompiler32_64.cpp:
20095 (JSC::DFG::OSRExitCompiler::compileExit):
20096 * dfg/DFGOSRExitCompiler64.cpp:
20097 (JSC::DFG::OSRExitCompiler::compileExit):
20098 * dfg/DFGOperations.cpp:
20099 * dfg/DFGPredictionPropagationPhase.cpp:
20100 (JSC::DFG::PredictionPropagationPhase::propagate):
20101 * dfg/DFGSpeculativeJIT.cpp:
20102 (JSC::DFG::ValueSource::dump):
20103 (JSC::DFG::SpeculativeJIT::compile):
20104 (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
20105 * dfg/DFGSpeculativeJIT.h:
20106 * dfg/DFGSpeculativeJIT32_64.cpp:
20107 (JSC::DFG::SpeculativeJIT::compile):
20108 * dfg/DFGSpeculativeJIT64.cpp:
20109 (JSC::DFG::SpeculativeJIT::compile):
20110 * dfg/DFGVariableAccessData.h:
20111 (JSC::DFG::VariableAccessData::VariableAccessData):
20112 (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias):
20113 (VariableAccessData):
20114 (JSC::DFG::VariableAccessData::isArgumentsAlias):
20115 * jit/JITOpcodes.cpp:
20116 (JSC::JIT::emitSlow_op_get_argument_by_val):
20117
201182012-05-23 Filip Pizlo <fpizlo@apple.com>
20119
20120 DFGCapabilities should not try to get an arguments register from code blocks that don't have one
20121 https://bugs.webkit.org/show_bug.cgi?id=87332
20122
20123 Reviewed by Andy Estes.
20124
20125 * dfg/DFGCapabilities.h:
20126 (JSC::DFG::canInlineOpcode):
20127
201282012-05-23 Filip Pizlo <fpizlo@apple.com>
20129
20130 DFG should have sparse conditional constant propagation
20131 https://bugs.webkit.org/show_bug.cgi?id=86580
20132
20133 Reviewed by Oliver Hunt.
20134
20135 Merged r117370 from dfgopt.
20136
20137 This enhances CFA so that if it suspects at any point during the fixpoint that a
20138 branch will only go one way, then it only propagates in that one way.
20139
20140 This vastly increases the opportunities for CFG simplification. For example, it
20141 enables us to evaporate this loop:
20142
20143 for (var i = 0; i < 1; ++i) doThings(i);
20144
20145 As a result, it uncovered loads of bugs in the CFG simplifier. In particular:
20146
20147 - Phi fixup was assuming that all Phis worth fixing up are shouldGenerate().
20148 That's not true; we also fixup Phis that are dead.
20149
20150 - GetLocal fixup was assuming that it's only necessary to rewire links to a
20151 GetLocal, and that the GetLocal's own links don't need to be rewired. Untrue,
20152 because the GetLocal may not be rewirable (first block has no GetLocal for r42
20153 but second block does have a GetLocal), in which case it will refer to a Phi
20154 in the second block. We need it to refer to a Phi from the first block to
20155 ensure that subsequent transformations work.
20156
20157 - Tail operand fixup was ignoring the fact that Phis in successors may contain
20158 references to the children of our tail variables. Hence, successor Phi child
20159 substitution needs to use the original second block variable table as its
20160 prior, rather than trying to reconstruct the prior later (since by that point
20161 the children of the second block's tail variables will have been fixed up, so
20162 we will not know what the prior would have been).
20163
20164 * dfg/DFGAbstractState.cpp:
20165 (JSC::DFG::AbstractState::beginBasicBlock):
20166 (JSC::DFG::AbstractState::endBasicBlock):
20167 (JSC::DFG::AbstractState::reset):
20168 (JSC::DFG::AbstractState::execute):
20169 (JSC::DFG::AbstractState::mergeToSuccessors):
20170 * dfg/DFGAbstractState.h:
20171 (JSC::DFG::AbstractState::branchDirectionToString):
20172 (AbstractState):
20173 * dfg/DFGCFGSimplificationPhase.cpp:
20174 (JSC::DFG::CFGSimplificationPhase::run):
20175 (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
20176 (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::OperandSubstitution):
20177 (OperandSubstitution):
20178 (JSC::DFG::CFGSimplificationPhase::skipGetLocal):
20179 (JSC::DFG::CFGSimplificationPhase::recordPossibleIncomingReference):
20180 (CFGSimplificationPhase):
20181 (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
20182 (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
20183 * dfg/DFGGraph.h:
20184 (JSC::DFG::Graph::changeEdge):
20185
201862012-05-23 Ojan Vafai <ojan@chromium.org>
20187
20188 add back the ability to disable flexbox
20189 https://bugs.webkit.org/show_bug.cgi?id=87147
20190
20191 Reviewed by Tony Chang.
20192
20193 * Configurations/FeatureDefines.xcconfig:
20194
201952012-05-23 Filip Pizlo <fpizlo@apple.com>
20196
20197 Unreviewed, fix Windows build.
20198
20199 * bytecode/CodeBlock.h:
20200 * dfg/DFGCapabilities.h:
20201 (JSC::DFG::canCompileOpcode):
20202 (JSC::DFG::canCompileOpcodes):
20203 * dfg/DFGCommon.h:
20204 (DFG):
20205
202062012-05-23 Filip Pizlo <fpizlo@apple.com>
20207
20208 DFG should optimize inlined uses of arguments.length and arguments[i]
20209 https://bugs.webkit.org/show_bug.cgi?id=86327
20210
20211 Reviewed by Gavin Barraclough.
20212
20213 Merged r117017 from dfgopt.
20214
20215 Turns inlined uses of arguments.length into a constant.
20216
20217 Turns inlined uses of arguments[constant] into a direct reference to the
20218 argument.
20219
20220 Big win on micro-benchmarks. Not yet a win on V8 because the hot uses of
20221 arguments.length and arguments[i] are aliased. I'll leave the aliasing
20222 optimizations to a later patch.
20223
20224 * CMakeLists.txt:
20225 * GNUmakefile.list.am:
20226 * JavaScriptCore.xcodeproj/project.pbxproj:
20227 * Target.pri:
20228 * bytecode/DFGExitProfile.h:
20229 (FrequentExitSite):
20230 (JSC::DFG::FrequentExitSite::FrequentExitSite):
20231 (JSC::DFG::QueryableExitProfile::hasExitSite):
20232 (QueryableExitProfile):
20233 * dfg/DFGAbstractState.cpp:
20234 (JSC::DFG::AbstractState::execute):
20235 * dfg/DFGArgumentsSimplificationPhase.cpp: Added.
20236 (DFG):
20237 (ArgumentsSimplificationPhase):
20238 (JSC::DFG::ArgumentsSimplificationPhase::ArgumentsSimplificationPhase):
20239 (JSC::DFG::ArgumentsSimplificationPhase::run):
20240 (JSC::DFG::performArgumentsSimplification):
20241 * dfg/DFGArgumentsSimplificationPhase.h: Added.
20242 (DFG):
20243 * dfg/DFGAssemblyHelpers.cpp:
20244 (JSC::DFG::AssemblyHelpers::executableFor):
20245 (DFG):
20246 * dfg/DFGAssemblyHelpers.h:
20247 (AssemblyHelpers):
20248 * dfg/DFGByteCodeParser.cpp:
20249 (JSC::DFG::ByteCodeParser::parseBlock):
20250 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
20251 * dfg/DFGCSEPhase.cpp:
20252 (JSC::DFG::CSEPhase::getLocalLoadElimination):
20253 (JSC::DFG::CSEPhase::performNodeCSE):
20254 * dfg/DFGDriver.cpp:
20255 (JSC::DFG::compile):
20256 * dfg/DFGGraph.h:
20257 (JSC::DFG::Graph::Graph):
20258 (JSC::DFG::Graph::executableFor):
20259 (Graph):
20260 (JSC::DFG::Graph::clobbersWorld):
20261 * dfg/DFGNode.h:
20262 (JSC::DFG::Node::convertToConstant):
20263 (JSC::DFG::Node::convertToGetLocalUnlinked):
20264 (Node):
20265 (JSC::DFG::Node::unlinkedLocal):
20266 * dfg/DFGNodeType.h:
20267 (DFG):
20268 * dfg/DFGOSRExit.cpp:
20269 (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
20270 * dfg/DFGPredictionPropagationPhase.cpp:
20271 (JSC::DFG::PredictionPropagationPhase::propagate):
20272 * dfg/DFGSpeculativeJIT32_64.cpp:
20273 (JSC::DFG::SpeculativeJIT::compile):
20274 * dfg/DFGSpeculativeJIT64.cpp:
20275 (JSC::DFG::SpeculativeJIT::compile):
20276
202772012-05-13 Filip Pizlo <fpizlo@apple.com>
20278
20279 DFG should be able to optimize foo.apply(bar, arguments)
20280 https://bugs.webkit.org/show_bug.cgi?id=86306
20281
20282 Reviewed by Gavin Barraclough.
20283
20284 Merge r116912 from dfgopt.
20285
20286 Enables compilation of op_jneq_ptr and some forms of op_call_varargs.
20287
20288 Also includes a bunch of bug fixes that were made necessary by the increased
20289 pressure on the CFG simplifier.
20290
20291 This is a 1-2% win on V8.
20292
20293 * bytecode/CodeBlock.cpp:
20294 (JSC::CodeBlock::printCallOp):
20295 (JSC::CodeBlock::CodeBlock):
20296 (JSC::ProgramCodeBlock::canCompileWithDFGInternal):
20297 (JSC::EvalCodeBlock::canCompileWithDFGInternal):
20298 (JSC::FunctionCodeBlock::canCompileWithDFGInternal):
20299 * bytecode/CodeBlock.h:
20300 (CodeBlock):
20301 (JSC::CodeBlock::canCompileWithDFG):
20302 (JSC::CodeBlock::canCompileWithDFGState):
20303 (ProgramCodeBlock):
20304 (EvalCodeBlock):
20305 (FunctionCodeBlock):
20306 * dfg/DFGAbstractState.cpp:
20307 (JSC::DFG::AbstractState::execute):
20308 * dfg/DFGByteCodeParser.cpp:
20309 (JSC::DFG::ByteCodeParser::parseBlock):
20310 (JSC::DFG::ByteCodeParser::processPhiStack):
20311 (JSC::DFG::ByteCodeParser::parse):
20312 * dfg/DFGCFGSimplificationPhase.cpp:
20313 (JSC::DFG::CFGSimplificationPhase::run):
20314 (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
20315 (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
20316 (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
20317 * dfg/DFGCSEPhase.cpp:
20318 (JSC::DFG::CSEPhase::getLocalLoadElimination):
20319 (CSEPhase):
20320 (JSC::DFG::CSEPhase::setReplacement):
20321 (JSC::DFG::CSEPhase::performNodeCSE):
20322 * dfg/DFGCapabilities.cpp:
20323 (JSC::DFG::debugFail):
20324 (DFG):
20325 (JSC::DFG::canHandleOpcodes):
20326 (JSC::DFG::canCompileOpcodes):
20327 (JSC::DFG::canInlineOpcodes):
20328 * dfg/DFGCapabilities.h:
20329 (JSC::DFG::canCompileOpcode):
20330 (JSC::DFG::canInlineOpcode):
20331 (DFG):
20332 (JSC::DFG::canCompileOpcodes):
20333 (JSC::DFG::canCompileEval):
20334 (JSC::DFG::canCompileProgram):
20335 (JSC::DFG::canCompileFunctionForCall):
20336 (JSC::DFG::canCompileFunctionForConstruct):
20337 * dfg/DFGCommon.h:
20338 * dfg/DFGGraph.cpp:
20339 (JSC::DFG::Graph::dump):
20340 * dfg/DFGNodeType.h:
20341 (DFG):
20342 * dfg/DFGPredictionPropagationPhase.cpp:
20343 (JSC::DFG::PredictionPropagationPhase::propagate):
20344 * dfg/DFGSpeculativeJIT32_64.cpp:
20345 (JSC::DFG::SpeculativeJIT::compile):
20346 * dfg/DFGSpeculativeJIT64.cpp:
20347 (JSC::DFG::SpeculativeJIT::emitCall):
20348 (JSC::DFG::SpeculativeJIT::compile):
20349 * dfg/DFGValidate.cpp:
20350 (Validate):
20351 (JSC::DFG::Validate::validate):
20352 (JSC::DFG::Validate::checkOperand):
20353 (JSC::DFG::Validate::reportValidationContext):
20354 * jit/JIT.cpp:
20355 (JSC::JIT::emitOptimizationCheck):
20356 (JSC::JIT::privateCompileSlowCases):
20357 (JSC::JIT::privateCompile):
20358 * jit/JIT.h:
20359 * jit/JITArithmetic.cpp:
20360 (JSC::JIT::compileBinaryArithOp):
20361 * jit/JITPropertyAccess.cpp:
20362 (JSC::JIT::privateCompilePutByIdTransition):
20363 * jit/JITPropertyAccess32_64.cpp:
20364 (JSC::JIT::privateCompilePutByIdTransition):
20365 * tools/CodeProfile.cpp:
20366 (JSC::CodeProfile::sample):
20367
203682012-05-23 Geoffrey Garen <ggaren@apple.com>
20369
20370 Refactored WeakBlock to use malloc, clarify behavior
20371 https://bugs.webkit.org/show_bug.cgi?id=87318
20372
20373 Reviewed by Filip Pizlo.
20374
20375 We want to use malloc so we can make these smaller than 4KB,
20376 since an individual MarkedBlock will usually have fewer than
20377 4KB worth of weak pointers.
20378
20379 * heap/Heap.cpp:
20380 (JSC::Heap::markRoots): Renamed visitLiveWeakImpls to visit, since
20381 we no longer need to distinguish from "visitDeadWeakImpls".
20382
20383 Renamed "visitDeadWeakImpls" to "reap" because we're not actually
20384 doing any visiting -- we're just tagging things as dead.
20385
20386 * heap/WeakBlock.cpp:
20387 (JSC::WeakBlock::create):
20388 (JSC::WeakBlock::destroy):
20389 (JSC::WeakBlock::WeakBlock): Malloc!
20390
20391 (JSC::WeakBlock::visit):
20392 (JSC::WeakBlock::reap): Renamed as above.
20393
20394 * heap/WeakBlock.h:
20395 (WeakBlock): Reduced to 3KB, as explained above.
20396
20397 * heap/WeakSet.cpp:
20398 (JSC::WeakSet::visit):
20399 (JSC::WeakSet::reap):
20400 * heap/WeakSet.h:
20401 (WeakSet): Updated for renames, and to match WebKit style.
20402
204032012-05-23 Filip Pizlo <fpizlo@apple.com>
20404
20405 Use after free in JSC::DFG::ByteCodeParser::processPhiStack
20406 https://bugs.webkit.org/show_bug.cgi?id=87312
20407 <rdar://problem/11518848>
20408
20409 Reviewed by Oliver Hunt.
20410
20411 * dfg/DFGByteCodeParser.cpp:
20412 (JSC::DFG::ByteCodeParser::processPhiStack):
20413 (JSC::DFG::ByteCodeParser::parse):
20414
204152012-05-23 Filip Pizlo <fpizlo@apple.com>
20416
20417 It should be possible to make C function calls from DFG code on ARM in debug mode
20418 https://bugs.webkit.org/show_bug.cgi?id=87313
20419
20420 Reviewed by Gavin Barraclough.
20421
20422 * dfg/DFGSpeculativeJIT.h:
20423 (SpeculativeJIT):
20424
204252012-05-11 Filip Pizlo <fpizlo@apple.com>
20426
20427 DFG should be able to inline functions that use arguments reflectively
20428 https://bugs.webkit.org/show_bug.cgi?id=86132
20429
20430 Reviewed by Oliver Hunt.
20431
20432 Merged r116838 from dfgopt.
20433
20434 This turns on inlining of functions that use arguments reflectively, but it
20435 does not do any of the obvious optimizations that this exposes. I'll save that
20436 for another patch - the important thing for now is that this contains all of
20437 the plumbing necessary to make this kind of inlining sound even in bizarro
20438 cases like an inline callee escaping the arguments object to parts of the
20439 inline caller where the arguments are otherwise dead. Or even more fun cases
20440 like where you've inlined to an inline stack that is three-deep, and the
20441 function on top of the inline stack reflectively accesses the arguments of a
20442 function that is in the middle of the inline stack. Any subsequent
20443 optimizations that we do for the obvious cases of arguments usage in inline
20444 functions will have to take care not to break the baseline functionality that
20445 this patch plumbs together.
20446
20447 * bytecode/CodeBlock.cpp:
20448 (JSC::CodeBlock::printCallOp):
20449 (JSC::CodeBlock::dump):
20450 * bytecode/CodeBlock.h:
20451 * dfg/DFGAssemblyHelpers.h:
20452 (JSC::DFG::AssemblyHelpers::argumentsRegisterFor):
20453 (AssemblyHelpers):
20454 * dfg/DFGByteCodeParser.cpp:
20455 (InlineStackEntry):
20456 (JSC::DFG::ByteCodeParser::handleCall):
20457 (JSC::DFG::ByteCodeParser::handleInlining):
20458 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
20459 (JSC::DFG::ByteCodeParser::parse):
20460 * dfg/DFGCCallHelpers.h:
20461 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
20462 (CCallHelpers):
20463 * dfg/DFGCapabilities.h:
20464 (JSC::DFG::canInlineOpcode):
20465 * dfg/DFGDriver.cpp:
20466 (JSC::DFG::compile):
20467 * dfg/DFGFixupPhase.cpp:
20468 (JSC::DFG::FixupPhase::fixupNode):
20469 * dfg/DFGOperations.cpp:
20470 * dfg/DFGOperations.h:
20471 * dfg/DFGSpeculativeJIT.h:
20472 (JSC::DFG::SpeculativeJIT::callOperation):
20473 * dfg/DFGSpeculativeJIT32_64.cpp:
20474 (JSC::DFG::SpeculativeJIT::compile):
20475 * dfg/DFGSpeculativeJIT64.cpp:
20476 (JSC::DFG::SpeculativeJIT::compile):
20477 * interpreter/CallFrame.cpp:
20478 (JSC):
20479 (JSC::CallFrame::someCodeBlockForPossiblyInlinedCode):
20480 * interpreter/CallFrame.h:
20481 (ExecState):
20482 (JSC::ExecState::someCodeBlockForPossiblyInlinedCode):
20483 * interpreter/Interpreter.cpp:
20484 (JSC::Interpreter::retrieveArgumentsFromVMCode):
20485 * runtime/Arguments.cpp:
20486 (JSC::Arguments::tearOff):
20487 (JSC):
20488 (JSC::Arguments::tearOffForInlineCallFrame):
20489 * runtime/Arguments.h:
20490 (Arguments):
20491 (JSC::Arguments::create):
20492 (JSC::Arguments::finishCreation):
20493 (JSC):
20494
204952012-05-23 Filip Pizlo <fpizlo@apple.com>
20496
20497 Every OSR exit on ARM results in a crash
20498 https://bugs.webkit.org/show_bug.cgi?id=87307
20499
20500 Reviewed by Geoffrey Garen.
20501
20502 * dfg/DFGThunks.cpp:
20503 (JSC::DFG::osrExitGenerationThunkGenerator):
20504
205052012-05-23 Geoffrey Garen <ggaren@apple.com>
20506
20507 Refactored heap tear-down to use normal value semantics (i.e., destructors)
20508 https://bugs.webkit.org/show_bug.cgi?id=87302
20509
20510 Reviewed by Oliver Hunt.
20511
20512 This is a step toward incremental DOM finalization.
20513
20514 * heap/CopiedSpace.cpp:
20515 (JSC::CopiedSpace::~CopiedSpace):
20516 * heap/CopiedSpace.h:
20517 (CopiedSpace): Just use our destructor, instead of relying on the heap
20518 to send us a special message at a special time.
20519
20520 * heap/Heap.cpp:
20521 (JSC::Heap::Heap): Use OwnPtr for m_markListSet because this is not Sparta.
20522
20523 (JSC::Heap::~Heap): No need for delete or freeAllBlocks because normal
20524 destructors do this work automatically now.
20525
20526 (JSC::Heap::lastChanceToFinalize): Just call lastChanceToFinalize on our
20527 sub-objects, and assume it does the right thing. This improves encapsulation,
20528 so we can add items requiring finalization to our sub-objects.
20529
20530 * heap/Heap.h: Moved m_blockAllocator to get the right destruction order.
20531
20532 * heap/MarkedSpace.cpp:
20533 (Take):
20534 (JSC):
20535 (JSC::Take::Take):
20536 (JSC::Take::operator()):
20537 (JSC::Take::returnValue): Moved to the top of the file so it can be used
20538 in another function.
20539
20540 (JSC::MarkedSpace::~MarkedSpace): Delete all outstanding memory, like a good
20541 destructor should.
20542
20543 (JSC::MarkedSpace::lastChanceToFinalize): Moved some code here from the heap,
20544 since it pertains to our internal implementation details.
20545
20546 * heap/MarkedSpace.h:
20547 (MarkedSpace):
20548 * heap/WeakBlock.cpp:
20549 (JSC::WeakBlock::lastChanceToFinalize):
20550 * heap/WeakBlock.h:
20551 (WeakBlock):
20552 * heap/WeakSet.cpp:
20553 (JSC::WeakSet::lastChanceToFinalize):
20554 * heap/WeakSet.h:
20555 (WeakSet): Stop using a special freeAllBlocks() callback and just implement
20556 lastChanceToFinalize.
20557
205582011-05-22 Geoffrey Garen <ggaren@apple.com>
20559
20560 Encapsulated some calculations for whether portions of the heap are empty
20561 https://bugs.webkit.org/show_bug.cgi?id=87210
20562
20563 Reviewed by Gavin Barraclough.
20564
20565 This is a step toward incremental DOM finalization.
20566
20567 * heap/Heap.cpp:
20568 (JSC::Heap::~Heap): Explicitly call freeAllBlocks() instead of relying
20569 implicitly on all blocks thinking they're empty. In future, we may
20570 choose to tear down the heap without first setting all data structures
20571 to "empty".
20572
20573 * heap/MarkedBlock.h:
20574 (JSC::MarkedBlock::isEmpty):
20575 (JSC::MarkedBlock::gatherDirtyCells): Renamed markCountIsZero to isEmpty,
20576 in preparation for making it check for outstanding finalizers in addition
20577 to marked cells.
20578
20579 * heap/MarkedSpace.cpp:
20580 (Take):
20581 (JSC::Take::Take):
20582 (JSC::Take::operator()):
20583 (JSC::Take::returnValue):
20584 (JSC::MarkedSpace::shrink):
20585 (JSC::MarkedSpace::freeAllBlocks): Refactored the "Take" functor to support
20586 a conditional isEmpty check, so it dould be shared by shrink() and freeAllBlocks().
20587
20588 * heap/WeakBlock.cpp:
20589 (JSC::WeakBlock::WeakBlock):
20590 (JSC::WeakBlock::visitLiveWeakImpls):
20591 (JSC::WeakBlock::visitDeadWeakImpls):
20592 * heap/WeakBlock.h:
20593 (WeakBlock):
20594 (JSC::WeakBlock::isEmpty):
20595 * heap/WeakSet.cpp:
20596 (JSC::WeakSet::sweep):
20597 (JSC::WeakSet::shrink): Use isEmpty(), in preparation for changes in
20598 its implementation.
20599
206002012-05-23 Oswald Buddenhagen <oswald.buddenhagen@nokia.com>
20601
20602 [Qt] Remove references to $$QT_SOURCE_TREE
20603
20604 With a modularized Qt, it's ambigious. What we really want is qtbase,
20605 which qtcore is a proxy for (we assume it will always live in qtbase).
20606
20607 Reviewed by Tor Arne Vestbø.
20608
20609 * JavaScriptCore.pri:
20610 * Target.pri:
20611
206122012-05-09 Filip Pizlo <fpizlo@apple.com>
20613
20614 DFG should allow inlining in case of certain arity mismatches
20615 https://bugs.webkit.org/show_bug.cgi?id=86059
20616
20617 Reviewed by Geoff Garen.
20618
20619 Merge r116620 from dfgopt.
20620
20621 * dfg/DFGByteCodeParser.cpp:
20622 (JSC::DFG::ByteCodeParser::handleInlining):
20623
206242012-05-08 Filip Pizlo <fpizlo@apple.com>
20625
20626 DFG variable capture analysis should work even if the variables arose through inlining
20627 https://bugs.webkit.org/show_bug.cgi?id=85945
20628
20629 Reviewed by Oliver Hunt.
20630
20631 Merged r116555 from dfgopt.
20632
20633 This just changes how the DFG queries whether a variable is captured. It does not
20634 change any user-visible behavior.
20635
20636 As part of this change, I further solidified the policy that the CFA behaves in an
20637 undefined way for captured locals and queries about their values will not yield
20638 reliable results. This will likely be changed in the future, but for now it makes
20639 sense.
20640
20641 One fun part about this change is that it recognizes that the same variable may
20642 be both captured and not, at the same time, because their live interval spans
20643 inlining boundaries. This only happens in the case of arguments to functions that
20644 capture their arguments, and this change treats them with just the right touch of
20645 conservatism: they will be treated as if captured by the caller as well as the
20646 callee.
20647
20648 Finally, this also adds captured variable reasoning to the InlineCallFrame, which
20649 I thought might be useful for later tooling.
20650
20651 This is perf-neutral, since it does it does not make the DFG take advantage of this
20652 new functionality in any way. In particular, it is still the case that the DFG will
20653 not inline functions that use arguments reflectively or that create activations.
20654
20655 * bytecode/CodeBlock.h:
20656 (CodeBlock):
20657 (JSC::CodeBlock::needsActivation):
20658 (JSC::CodeBlock::argumentIsCaptured):
20659 (JSC::CodeBlock::localIsCaptured):
20660 (JSC::CodeBlock::isCaptured):
20661 * bytecode/CodeOrigin.h:
20662 (InlineCallFrame):
20663 * dfg/DFGAbstractState.cpp:
20664 (JSC::DFG::AbstractState::initialize):
20665 (JSC::DFG::AbstractState::endBasicBlock):
20666 (JSC::DFG::AbstractState::execute):
20667 (JSC::DFG::AbstractState::merge):
20668 * dfg/DFGByteCodeParser.cpp:
20669 (JSC::DFG::ByteCodeParser::newVariableAccessData):
20670 (JSC::DFG::ByteCodeParser::getLocal):
20671 (JSC::DFG::ByteCodeParser::setLocal):
20672 (JSC::DFG::ByteCodeParser::getArgument):
20673 (JSC::DFG::ByteCodeParser::setArgument):
20674 (JSC::DFG::ByteCodeParser::flushArgument):
20675 (JSC::DFG::ByteCodeParser::parseBlock):
20676 (JSC::DFG::ByteCodeParser::processPhiStack):
20677 (JSC::DFG::ByteCodeParser::fixVariableAccessPredictions):
20678 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
20679 * dfg/DFGCFGSimplificationPhase.cpp:
20680 (CFGSimplificationPhase):
20681 (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
20682 (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
20683 (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
20684 * dfg/DFGCommon.h:
20685 * dfg/DFGFixupPhase.cpp:
20686 (JSC::DFG::FixupPhase::fixupNode):
20687 * dfg/DFGGraph.cpp:
20688 (JSC::DFG::Graph::nameOfVariableAccessData):
20689 * dfg/DFGGraph.h:
20690 (JSC::DFG::Graph::needsActivation):
20691 (JSC::DFG::Graph::usesArguments):
20692 * dfg/DFGPredictionPropagationPhase.cpp:
20693 (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
20694 * dfg/DFGSpeculativeJIT.cpp:
20695 (JSC::DFG::SpeculativeJIT::compile):
20696 * dfg/DFGSpeculativeJIT32_64.cpp:
20697 (JSC::DFG::SpeculativeJIT::compile):
20698 * dfg/DFGSpeculativeJIT64.cpp:
20699 (JSC::DFG::SpeculativeJIT::compile):
20700 * dfg/DFGVariableAccessData.h:
20701 (JSC::DFG::VariableAccessData::VariableAccessData):
20702 (JSC::DFG::VariableAccessData::mergeIsCaptured):
20703 (VariableAccessData):
20704 (JSC::DFG::VariableAccessData::isCaptured):
20705
207062012-05-08 Filip Pizlo <fpizlo@apple.com>
20707
20708 DFG should support op_get_argument_by_val and op_get_arguments_length
20709 https://bugs.webkit.org/show_bug.cgi?id=85911
20710
20711 Reviewed by Oliver Hunt.
20712
20713 Merged r116467 from dfgopt.
20714
20715 This adds a simple and relatively conservative implementation of op_get_argument_by_val
20716 and op_get_arguments_length. We can optimize these later. For now it's great to have
20717 the additional coverage.
20718
20719 This patch appears to be perf-neutral.
20720
20721 * dfg/DFGAbstractState.cpp:
20722 (JSC::DFG::AbstractState::execute):
20723 * dfg/DFGAssemblyHelpers.h:
20724 (JSC::DFG::AssemblyHelpers::addressFor):
20725 (JSC::DFG::AssemblyHelpers::tagFor):
20726 (JSC::DFG::AssemblyHelpers::payloadFor):
20727 * dfg/DFGByteCodeParser.cpp:
20728 (JSC::DFG::ByteCodeParser::parseBlock):
20729 * dfg/DFGCapabilities.h:
20730 (JSC::DFG::canCompileOpcode):
20731 (JSC::DFG::canInlineOpcode):
20732 * dfg/DFGNode.h:
20733 (JSC::DFG::Node::hasHeapPrediction):
20734 * dfg/DFGNodeType.h:
20735 (DFG):
20736 * dfg/DFGOperations.cpp:
20737 * dfg/DFGOperations.h:
20738 * dfg/DFGPredictionPropagationPhase.cpp:
20739 (JSC::DFG::PredictionPropagationPhase::propagate):
20740 * dfg/DFGSpeculativeJIT.h:
20741 (JSC::DFG::SpeculativeJIT::callOperation):
20742 (SpeculativeJIT):
20743 * dfg/DFGSpeculativeJIT32_64.cpp:
20744 (JSC::DFG::SpeculativeJIT::compile):
20745 * dfg/DFGSpeculativeJIT64.cpp:
20746 (JSC::DFG::SpeculativeJIT::compile):
20747 * jit/JITOpcodes.cpp:
20748 (JSC::JIT::emit_op_get_argument_by_val):
20749 * jit/JITOpcodes32_64.cpp:
20750 (JSC::JIT::emit_op_get_argument_by_val):
20751 * llint/LowLevelInterpreter32_64.asm:
20752 * llint/LowLevelInterpreter64.asm:
20753
207542012-05-07 Filip Pizlo <fpizlo@apple.com>
20755
20756 DFG should support op_tear_off_arguments
20757 https://bugs.webkit.org/show_bug.cgi?id=85847
20758
20759 Reviewed by Michael Saboff.
20760
20761 Merged r116378 from dfgopt.
20762
20763 * dfg/DFGAbstractState.cpp:
20764 (JSC::DFG::AbstractState::execute):
20765 * dfg/DFGByteCodeParser.cpp:
20766 (JSC::DFG::ByteCodeParser::parseBlock):
20767 * dfg/DFGCapabilities.h:
20768 (JSC::DFG::canCompileOpcode):
20769 (JSC::DFG::canInlineOpcode):
20770 * dfg/DFGNodeType.h:
20771 (DFG):
20772 * dfg/DFGOperations.cpp:
20773 * dfg/DFGOperations.h:
20774 * dfg/DFGPredictionPropagationPhase.cpp:
20775 (JSC::DFG::PredictionPropagationPhase::propagate):
20776 * dfg/DFGSpeculativeJIT.h:
20777 (SpeculativeJIT):
20778 (JSC::DFG::SpeculativeJIT::callOperation):
20779 * dfg/DFGSpeculativeJIT32_64.cpp:
20780 (JSC::DFG::SpeculativeJIT::compile):
20781 * dfg/DFGSpeculativeJIT64.cpp:
20782 (JSC::DFG::SpeculativeJIT::compile):
20783
207842012-05-22 Mark Hahnenberg <mhahnenberg@apple.com>
20785
20786 CopiedSpace::contains doesn't check for oversize blocks
20787 https://bugs.webkit.org/show_bug.cgi?id=87180
20788
20789 Reviewed by Geoffrey Garen.
20790
20791 When doing a conservative scan we use CopiedSpace::contains to determine if a particular
20792 address points into the CopiedSpace. Currently contains() only checks if the address
20793 points to a block in to-space, which means that pointers to oversize blocks may not get scanned.
20794
20795 * heap/CopiedSpace.cpp:
20796 (JSC::CopiedSpace::tryAllocateOversize):
20797 (JSC::CopiedSpace::tryReallocateOversize):
20798 (JSC::CopiedSpace::doneFillingBlock):
20799 (JSC::CopiedSpace::doneCopying):
20800 * heap/CopiedSpace.h: Refactored CopiedSpace so that all blocks (oversize and to-space) are
20801 in a single hash set and bloom filter for membership testing.
20802 (CopiedSpace):
20803 * heap/CopiedSpaceInlineMethods.h:
20804 (JSC::CopiedSpace::contains): We check for the normal block first. Since the oversize blocks are
20805 only page aligned, rather than block aligned, we have to re-mask the ptr to check if it's in
20806 CopiedSpace. Also added a helper function of the same name that takes a CopiedBlock* and checks
20807 if it's in CopiedSpace so that check isn't typed out twice.
20808 (JSC):
20809 (JSC::CopiedSpace::startedCopying):
20810 (JSC::CopiedSpace::addNewBlock):
20811
208122012-05-22 Geoffrey Garen <ggaren@apple.com>
20813
20814 CopiedBlock and MarkedBlock should have proper value semantics (i.e., destructors)
20815 https://bugs.webkit.org/show_bug.cgi?id=87172
20816
20817 Reviewed by Oliver Hunt and Phil Pizlo.
20818
20819 This enables MarkedBlock to own non-trivial sub-objects that require
20820 destruction. It also fixes a FIXME about casting a CopiedBlock to a
20821 MarkedBlock at destroy time.
20822
20823 CopiedBlock and MarkedBlock now accept an allocation chunk at create
20824 time and return it at destroy time. Their client is expected to
20825 allocate, recycle, and destroy these chunks.
20826
20827 * heap/BlockAllocator.cpp:
20828 (JSC::BlockAllocator::releaseFreeBlocks):
20829 (JSC::BlockAllocator::blockFreeingThreadMain): Don't call MarkedBlock::destroy
20830 because we expect that to be called before a block is put on our free
20831 list now. Do manually deallocate our allocation chunk because that's
20832 our job now.
20833
20834 * heap/BlockAllocator.h:
20835 (BlockAllocator):
20836 (JSC::BlockAllocator::allocate): Allocate never fails now. This is a
20837 cleaner abstraction because only one object does all the VM allocation
20838 and deallocation. Caching is an implementation detail.
20839
20840 (JSC::BlockAllocator::deallocate): We take an allocation chunk argument
20841 instead of a block because we now expect the block to have been destroyed
20842 before we recycle its memory. For convenience, we still use the HeapBlock
20843 class as our linked list node. This is OK because HeapBlock is a POD type.
20844
20845 * heap/CopiedBlock.h:
20846 (CopiedBlock):
20847 (JSC::CopiedBlock::create):
20848 (JSC::CopiedBlock::destroy):
20849 (JSC::CopiedBlock::CopiedBlock): Added proper create and destroy functions,
20850 to match MarkedBlock.
20851
20852 * heap/CopiedSpace.cpp:
20853 (JSC::CopiedSpace::tryAllocateOversize):
20854 (JSC::CopiedSpace::tryReallocateOversize):
20855 (JSC::CopiedSpace::doneCopying):
20856 (JSC::CopiedSpace::getFreshBlock):
20857 (JSC::CopiedSpace::freeAllBlocks):
20858 * heap/CopiedSpaceInlineMethods.h:
20859 (JSC::CopiedSpace::recycleBlock): Make sure to call destroy before
20860 returning a block to the BlockAllocator. Otherwise, our destructors
20861 won't run. (If we get this wrong now, we'll get a compile error.)
20862
20863 * heap/HeapBlock.h:
20864 (JSC::HeapBlock::HeapBlock): const!
20865
20866 * heap/MarkedAllocator.cpp:
20867 (JSC::MarkedAllocator::allocateBlock): No need to distinguish between
20868 create and recycle -- MarkedBlock always accepts memory allocated by
20869 its client now.
20870
20871 * heap/MarkedBlock.cpp:
20872 (JSC::MarkedBlock::create): Don't allocate memory -- we assume that we're
20873 passed already-allocated memory, to clarify the responsibility for VM
20874 recycling.
20875
20876 (JSC::MarkedBlock::destroy): Do run our destructor before giving back
20877 our VM -- that is the whole point of this patch.
20878
20879 (JSC::MarkedBlock::MarkedBlock):
20880 * heap/MarkedBlock.h:
20881 (MarkedBlock):
20882 * heap/MarkedSpace.cpp: const!
20883
20884 (JSC::MarkedSpace::freeBlocks): Make sure to call destroy before
20885 returning a block to the BlockAllocator. Otherwise, our destructors
20886 won't run. (If we get this wrong now, we'll get a compile error.)
20887
20888== Rolled over to ChangeLog-2012-05-22 ==
mirror of JavaScriptCore